The NSA Isn’t Just Spying on Us, It’s Also Undermining Internet Security

As part of its push for mass surveillance, the spy agency has taken steps to sabotage one of Obama’s top priorities.

National Journal
Brendan Sasso
April 29, 2014, 5:09 p.m.

Bolstering the nation’s defenses against hackers has been one of the Obama administration’s top goals.

Officials have warned for years that a sophisticated cyberattack could cripple critical infrastructure or allow thieves to make off with the financial information of millions of Americans. President Obama pushed Congress to enact cybersecurity legislation, and when it didn’t, he issued his own executive order in 2013.

“The cyber threat to our nation is one of the most serious economic and national security challenges we face,” Obama wrote in a 2012 op-ed in The Wall Street Journal.

But critics argue that the National Security Agency has actually undermined cybersecurity and made the United States more vulnerable to hackers.

At its core, the problem is the NSA’s dual mission. On one hand, the agency is tasked with securing U.S. networks and information. On the other hand, the agency must gather intelligence on foreign threats to national security.

Collecting intelligence often means hacking encrypted communications. That’s nothing new for the NSA; the agency traces its roots back to code-breakers deciphering Nazi messages during World War II.

So in many ways, strong Internet security actually makes the NSA’s job harder.

“This is an administration that is a vigorous defender of surveillance,” said Christopher Soghoian, the head technologist for the American Civil Liberties Union. “Surveillance at the scale they want requires insecurity.”

The leaks from Edward Snowden have revealed a variety of efforts by the NSA to weaken cybersecurity and hack into networks. Critics say those programs, while helping NSA spying, have made U.S. networks less secure.

According to the leaked documents, the NSA inserted a so-called back door into at least one encryption standard that was developed by the National Institute of Standards and Technology. The NSA could use that back door to spy on suspected terrorists, but the vulnerability was also available to any other hacker who discovered it.

NIST, a Commerce Department agency, sets scientific and technical standards that are widely used by both the government and the private sector. The agency has said it would never “deliberately weaken a cryptographic standard,” but it remains unclear whether the agency was aware of the back door or whether the NSA tricked NIST into adopting the compromised standard. NIST is required by law to consult with the NSA for its technical expertise on cybersecurity.

The revelation that NSA somehow got NIST to build a back door into an encryption standard has seriously damaged NIST’s reputation with security experts.

“NIST is operating with a trust deficit right now,” Soghoian said. “Anything that NIST has touched is now tainted.”

It’s a particularly bad time for NIST to have lost the support of the cybersecurity community. In his executive order, Obama tasked NIST with drafting the cybersecurity guidelines for critical infrastructure such as power plants and phone companies. Because it’s an executive order instead of a law, the cybersecurity standards are entirely voluntary, and the U.S. government will have to convince the private sector to comply.

The Snowden leaks weren’t the first to indicate that the NSA is involved in exploiting commercial security. According to a 2012 New York Times report, the NSA developed a worm, dubbed “Stuxnet,” to cripple Iranian nuclear centrifuges. But the worm, which exploited four previously unknown flaws in Microsoft Windows, escaped the Iranian nuclear plant and quickly began damaging computers around the world. The NSA and Israeli officials have also been tied to “Flame,” a virus that impersonated a Microsoft update to spy on Iranian computers.

Vanee Vines, an NSA spokeswoman, said the U.S. government “is as concerned as the public is with the security of these products.”

“The United States pursues its intelligence mission with care to ensure that innocent users of those same technologies are not affected,” she said.

According to Vines, the NSA relies on the same encryption standards it recommends to the public to protect its own classified networks. “We do not make recommendations that we cannot stand behind for protecting national security systems and data,” she said. “The activity of NSA in setting standards has made the Internet a far safer place to communicate and do business.”

But due to concern over the NSA damaging Internet security, the president’s review group on surveillance issues recommended that the U.S. government promise not to “in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption.”

“Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible,” the group wrote in its report, which was released in December. “For the entire system to work, encryption software itself must be trustworthy.”

In response to the report, the administration adopted a new policy on whether the NSA can exploit “zero-days” — vulnerabilities that haven’t been discovered by anyone else yet. According to the White House, there is a “bias” toward publicly disclosing flaws in security unless “there is a clear national security or law enforcement need.”

In a blog post Monday, Michael Daniel, the White House’s cybersecurity coordinator, said that disclosing security flaws “usually makes sense.”

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” he said.

But Daniel added that, in some cases, disclosing a vulnerability means that the U.S. would “forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities.”

He said that the government weighs a variety of factors, such as the risk of leaving the vulnerability un-patched, the likelihood that anyone else would discover it, and how important the potential intelligence is.

But privacy advocates and many business groups are still uncomfortable with the U.S. keeping security flaws secret. And many don’t trust that the NSA will only exploit the vulnerabilities with the most potential for intelligence and least opportunity for other hackers.

“The surveillance bureaucracy really doesn’t have a lot of self-imposed limits. They want to get everything,” said Ed Black, the CEO of the Computer & Communications Industry Association, which represents companies including Google, Microsoft, Yahoo, and Sprint. “Now I think people dealing with that bureaucracy have to understand they can’t take anything for granted.”

The National Security Agency (NSA) headquarters at Fort Meade, Maryland (AFP/Getty Images)

Most computer networks are run by private companies, and the government must work closely with the private sector to improve cybersecurity. But companies have become reluctant to share security information with the U.S. government, fearing the NSA could use any information to hack into their systems.

“When you want to go into partnership with somebody and work on serious issues — such as cybersecurity — you want to know you’re being told the truth,” Black said.

Google and one other cybersecurity firm discovered “Heartbleed” — a critical flaw in a widely used Internet encryption tool — in March. The companies notified a few other private-sector groups about the problem, but no one told the U.S. government until April.

“Information you share with the NSA might be used to hurt you as a company,” warned Ashkan Soltani, a technical consultant who has worked with tech companies and helped The Washington Post with its coverage of the Snowden documents.

He said that company officials have historically discussed cybersecurity issues with the NSA, but that he wouldn’t be surprised if those relationships are now strained. He pointed to news that the NSA posed as Facebook to infect computers with malware.

“That does a lot of harm to companies’ brands,” Soltani said.

The NSA’s actions have also made it difficult for the U.S. to set international norms for cyberconflict. For several years, the U.S. has tried to pressure China to scale back its cyberspying operations, which allegedly steal trade secrets from U.S. businesses.

Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, said the U.S. has “militarized cyber policy.”

“The United States has been saying that the world needs to operate according to certain norms,” he said. “It is difficult to get the norms that we want because it appears to the rest of the world that we only want to follow the norms that we think are important.”

Vines, the NSA spokeswoman, emphasized that the NSA would never hack into foreign networks to give domestic companies a competitive edge (as China is accused of doing).

“We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of — or give intelligence we collect to — U.S. companies to enhance their international competitiveness or increase their bottom line,” she said.

Jim Lewis, a senior fellow with the Center for Strategic and International Studies, agreed that NSA spying to stop terrorist attacks is fundamentally different from China stealing business secrets to boost its own economy.

He also said there is widespread misunderstanding of how the NSA works, but he acknowledged that there is a “trust problem — justified or not.”

He predicted that rebuilding trust with the tech community will be one of the top challenges for Mike Rogers, who was sworn in as the new NSA director earlier this month.

“All the tech companies are in varying degrees unhappy and not eager to have a close relationship with NSA,” Lewis said.

