How the NSA Undermines Cybersecurity to Protect You

Patrick Semansky/AP

As part of its push for mass surveillance, the spy agency has taken steps to sabotage cybersecurity.

Bolstering the nation’s defenses against hackers has been one of the Obama administration’s top goals.

Officials have warned for years that a sophisticated cyberattack could cripple critical infrastructure or allow thieves to make off with the financial information of millions of Americans. President Obama pushed Congress to enact cybersecurity legislation, and when it didn’t, he issued his own executive order in 2013.

“The cyber threat to our nation is one of the most serious economic and national security challenges we face,” Obama wrote in a 2012 op-ed in The Wall Street Journal.

But critics argue that the National Security Agency has actually undermined cybersecurity and made the United States more vulnerable to hackers.

At its core, the problem is the NSA’s dual mission. On one hand, the agency is tasked with securing U.S. networks and information. On the other hand, the agency must gather intelligence on foreign threats to national security.

Collecting intelligence often means hacking encrypted communications. That’s nothing new for the NSA; the agency traces its roots back to code-breakers deciphering Nazi messages during World War II.

So in many ways, strong Internet security actually makes the NSA’s job harder.

“This is an administration that is a vigorous defender of surveillance,” said Christopher Soghoian, the head technologist for the American Civil Liberties Union. “Surveillance at the scale they want requires insecurity.”

The leaks from Edward Snowden have revealed a variety of efforts by the NSA to weaken cybersecurity and hack into networks. Critics say those programs, while helping NSA spying, have made U.S. networks less secure.

According to the leaked documents, the NSA inserted a so-called back door into at least one encryption standard that was developed by the National Institute of Standards and Technology. The NSA could use that back door to spy on suspected terrorists, but the vulnerability was also available to any other hacker who discovered it.

NIST, a Commerce Department agency, sets scientific and technical standards that are widely used by both the government and the private sector. The agency has said it would never “deliberately weaken a cryptographic standard,” but it remains unclear whether the agency was aware of the back door or whether the NSA tricked NIST into adopting the compromised standard. NIST is required by law to consult with the NSA for its technical expertise on cybersecurity.

The revelation that the NSA somehow got NIST to build a back door into an encryption standard has seriously damaged NIST’s reputation with security experts.

“NIST is operating with a trust deficit right now,” Soghoian said. “Anything that NIST has touched is now tainted.”

It’s a particularly bad time for NIST to have lost the support of the cybersecurity community. In his executive order, Obama tasked NIST with drafting the cybersecurity guidelines for critical infrastructure such as power plants and phone companies. Because it’s an executive order instead of a law, the cybersecurity standards are entirely voluntary, and the U.S. government will have to convince the private sector to comply.

The Snowden leaks weren’t the first to indicate that the NSA is involved in exploiting commercial security. According to a 2012 New York Times report, the NSA developed a worm, dubbed “Stuxnet,” to cripple Iranian nuclear centrifuges. But the worm, which exploited four previously unknown flaws in Microsoft Windows, escaped the Iranian nuclear plant and quickly began damaging computers around the world. The NSA and Israeli officials have also been tied to “Flame,” a virus that impersonated a Microsoft update to spy on Iranian computers.

Vanee Vines, an NSA spokeswoman, said the U.S. government “is as concerned as the public is with the security of these products.”

“The United States pursues its intelligence mission with care to ensure that innocent users of those same technologies are not affected,” she said.

According to Vines, the NSA relies on the same encryption standards it recommends to the public to protect its own classified networks. “We do not make recommendations that we cannot stand behind for protecting national security systems and data,” she said. “The activity of NSA in setting standards has made the Internet a far safer place to communicate and do business.”

But due to concern over the NSA damaging Internet security, the president’s review group on surveillance issues recommended that the U.S. government promise not to “in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption.”

“Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible,” the group wrote in its report, which was released in December. “For the entire system to work, encryption software itself must be trustworthy.”

In response to the report, the administration adopted a new policy on whether the NSA can exploit “zero-days”—vulnerabilities that haven’t been discovered by anyone else yet. According to the White House, there is a “bias” toward publicly disclosing flaws in security unless “there is a clear national security or law enforcement need.”

In a blog post Monday, Michael Daniel, the White House’s cybersecurity coordinator, said that disclosing security flaws “usually makes sense.”

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” he said.

But Daniel added that, in some cases, disclosing a vulnerability means that the U.S. would “forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities.”

He said that the government weighs a variety of factors, such as the risk of leaving the vulnerability unpatched, the likelihood that anyone else would discover it, and how important the potential intelligence is.

But privacy advocates and many business groups are still uncomfortable with the U.S. keeping security flaws secret. And many don’t trust that the NSA will only exploit the vulnerabilities with the most potential for intelligence and least opportunity for other hackers.

“The surveillance bureaucracy really doesn’t have a lot of self-imposed limits. They want to get everything,” said Ed Black, the CEO of the Computer & Communications Industry Association, which represents companies including Google, Microsoft, Yahoo, and Sprint. “Now I think people dealing with that bureaucracy have to understand they can’t take anything for granted.”

Most computer networks are run by private companies, and the government must work closely with the private sector to improve cybersecurity. But companies have become reluctant to share security information with the U.S. government, fearing the NSA could use any information to hack into their systems.

“When you want to go into partnership with somebody and work on serious issues—such as cybersecurity—you want to know you’re being told the truth,” Black said.

Google and one other cybersecurity firm discovered “Heartbleed”—a critical flaw in a widely used Internet encryption tool—in March. The companies notified a few other private-sector groups about the problem, but no one told the U.S. government until April.

“Information you share with the NSA might be used to hurt you as a company,” warned Ashkan Soltani, a technical consultant who has worked with tech companies and helped The Washington Post with its coverage of the Snowden documents.

He said that company officials have historically discussed cybersecurity issues with the NSA, but that he wouldn’t be surprised if those relationships are now strained. He pointed to news that the NSA posed as Facebook to infect computers with malware.

“That does a lot of harm to companies’ brands,” Soltani said.

The NSA’s actions have also made it difficult for the U.S. to set international norms for cyberconflict. For several years, the U.S. has tried to pressure China to scale back its cyberspying operations, which allegedly steal trade secrets from U.S. businesses.

Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, said the U.S. has “militarized cyber policy.”

“The United States has been saying that the world needs to operate according to certain norms,” he said. “It is difficult to get the norms that we want because it appears to the rest of the world that we only want to follow the norms that we think are important.”

Vines, the NSA spokeswoman, emphasized that the NSA would never hack into foreign networks to give domestic companies a competitive edge (as China is accused of doing).

“We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—U.S. companies to enhance their international competitiveness or increase their bottom line,” she said.

Jim Lewis, a senior fellow with the Center for Strategic and International Studies, agreed that NSA spying to stop terrorist attacks is fundamentally different from China stealing business secrets to boost its own economy.

He also said there is widespread misunderstanding of how the NSA works, but he acknowledged that there is a “trust problem—justified or not.”

He predicted that rebuilding trust with the tech community will be one of the top challenges for Mike Rogers, who was sworn in as the new NSA director earlier this month.

“All the tech companies are in varying degrees unhappy and not eager to have a close relationship with NSA,” Lewis said.

This article appears in the April 30, 2014 edition of NJ Daily.
