I am writing this on a plane to Vancouver for a meeting that cryptographer, computer security and privacy specialist Bruce Schneier has called to ‘save the Internet’.
Our task in Vancouver is to render as much of the NSA’s intercept capability inoperable as possible. To replace pervasive surveillance with pervasive cryptography.
We don’t know what the cryptanalytic capabilities of the NSA are, but we can have a pretty good guess. None of the disclosures so far have been a major surprise. The NSA prefers to circumvent cryptography rather than use computers to break it. The point of that infamous Google/Yahoo diagram with ‘SSL added and removed here‘ is that the NSA was reaching into the internal networks of the major Web service providers to read unencrypted traffic in the clear.
For whatever reason, Google was looking for ways to encrypt those links before the Snowden document dump occurred. But pre-Snowden, the means to encrypt the very fastest Internet links only became available some time after the routers to support those links. And network managers whose data centers are already operating at capacity are always looking to move to the fastest device.
Over the next week we will be taking apart the Internet protocols, and performing what amounts to a protocol security audit to determine what leverage we have to prevent pervasive surveillance. But we will be doing that work without the (open) assistance of the NSA. Which is a real problem, because the original mission of the NSA was to protect the US and allies against attack. Spying on the whole US population only happened due to ‘mission creep’. Where did ‘deliberately introducing vulnerabilities into Internet standards so that they could be exploited’ enter the picture? Whose side is the NSA actually on?
The lack of an NSA presence is actually going to be a problem because the Snowden documents will have caused foreign governments to do a lot more than just make diplomatic protests. Many of those governments will be trying to play the NSA game as well or better. And many of the governments likely to be playing the game of ‘catch up’ are pretty brutal affairs. Those of us assembling in Vancouver have a lot of expertise in the civilian field, but we don’t spend our time examining the foreign governments trying to attack our systems. The US military, in the form of the NSA, does.
There is no clearer demonstration of the need for a new approach to information security in the US government than the fact that Edward Snowden was able to access so much information without attracting notice. Snowden was a 29 year old systems administrator, and not that high up on the NSA totem pole. Yet he was somehow able to access the organization’s crown jewels, which were sitting unencrypted on the systems he was administering.
Senior people in the US foreign policy penumbra looked shocked when I suggested that it was a scandal that a second major breach had occurred in two years without any top level accountability. Eventually we learned that Gen. Keith Alexander, Director of the NSA, is retiring, and I have been privately assured that Director of National Intelligence Clapper has been told he is leaving as well.
But firing a general who will take a plum consulting job on top of his plump military pension is hardly the same level of accountability being meted out to Chelsea (formerly “Bradley”) Manning. And one can only imagine what the US authorities would do to Snowden if they got their hands on him.