Wednesday, October 23, 2013

NSA: security through insecurity?

For the last few months now, I've been reading headlines and articles about how the National Security Agency has been working hard to compromise common security standards. They have been demanding private keys for SSL certificates. They have been participating in standards development communities in an attempt to insert backdoors in our encryption algorithms. They seem to have been working with electronics manufacturers to get backdoors in our phones, our routers, and our computers.

I don't worry about China now so much as I do about the NSA. The NSA seems to be insisting that national security rests on individual insecurity. This is a problem not just for us, but for American businesses, too. Service providers like Google, Apple, Yahoo and Microsoft are going to feel a lot of heat and scrutiny for any collaboration with the NSA. They're losing foreign customers as a result of a bullheaded effort to compromise everyone - all in the name of the war on terrorism.

There is even pushback from technology providers. The Snowden Effect is well under way, with more and more people buying or otherwise acquiring encryption software to make their communications more secure. Secure email, secure browsers and soon, secure hardware, all from vendors who will not cooperate with the NSA. Technology leaders like Bruce Schneier and the Electronic Frontier Foundation are recommending that we all just make the NSA's job harder. If everyone uses encryption, then we cannot be guilty simply for using encryption.

While employees and policy directors at the NSA may believe they are fighting the good fight by relegating all of us to compromised security tools, they seem to be forgetting a few things. First, if you compromise something really important like SSL, you don't just make it easier for you to see what I'm doing. You are also making it easier for criminal entities to do the same thing. Is the NSA willing to accept liability for damages due to compromised security? I doubt it; the war on terrorism reigns supreme and trumps all other concerns.

How to fight back? As a technical matter, what really works is open standards. Using encryption based on open standards and open source software like PGP creates more overhead for the NSA. You can, if you want to, become a bitter pill. Any major standard implemented with open source software will have enough eyes looking at it to ensure that there are no backdoors.

Abuses of the surveillance authority within the NSA have been well publicized. Employees have been checking in on their ex-boyfriend/girlfriend/spouse. They have been looking up celebrities to see what they're up to. And they're collecting all of it under the guise of national security.

Some of you may remember Nixon. You might even remember how he had managed to publicize the tax returns of his political opponents. After that experiment in forced exposure, Congress created the Privacy Act, an act designed to make agency records transparent to citizens. I've spent many years studying it and know the value of accountability in government as a result of that work. Don't worry, though, the NSA considers itself exempt from the Privacy Act.

The NSA seems to think that because they are acting in the name of the war on terrorism, there are no limits to their power and any abuses can be summarily excused. It is a holier-than-thou attitude that is unsustainable. If they can stop just one bomb from going off, their action is justified, at least in their own minds.

But if one person dies because the security measures used to protect the data held by the NSA have been compromised, where does that leave them? Remember Edward Snowden? He's demonstrated one way to get at the data held by the NSA. There must be others. A well-connected deep pocket, determined to get the dirt on his adversary, will find a way to the data held by the NSA. No defense can be prepared for all attacks.

Just imagine what Nixon could have done with the NSA today. He could be exposing political opponents left and right. Or he could use the NSA to clear the way for his designated successor. This is the real power of the NSA that so few are willing to discuss in public discourse.

Let's not forget why we even have the NSA - and I don't think it's to fight terrorism. The common man didn't invent the NSA - he's too busy working for a paycheck to even have time to dream up a problem like the NSA. No, the NSA exists purely for the protection of the interests of the elite. The people who run Lesterland - a land where 0.05% of the population are calling the shots in every national and state election. That is one massive perversion of a democratic republic that we affectionately call The United States of America.
