How the NSA Undermines Cybersecurity to Protect You

Bolstering the nation’s defenses against hackers has been one of the Obama administration’s top goals.

Officials have warned for years that a sophisticated cyberattack could cripple critical infrastructure or allow thieves to make off with the financial information of millions of Americans. President Obama pushed Congress to enact cybersecurity legislation, and when it didn’t, he issued his own executive order in 2013.

“The cyber threat to our nation is one of the most serious economic and national security challenges we face,” Obama wrote in a 2012 op-ed in The Wall Street Journal.

But critics argue that the National Security Agency has actually undermined cybersecurity and made the United States more vulnerable to hackers.

At its core, the problem is the NSA’s dual mission. On one hand, the agency is tasked with securing U.S. networks and information. On the other hand, the agency must gather intelligence on foreign threats to national security.

Collecting intelligence often means hacking encrypted communications. That’s nothing new for the NSA; the agency traces its roots back to code-breakers deciphering Nazi messages during World War II.

So in many ways, strong Internet security actually makes the NSA’s job harder.

“This is an administration that is a vigorous defender of surveillance,” said Christopher Soghoian, the head technologist for the American Civil Liberties Union. “Surveillance at the scale they want requires insecurity.”

The leaks from Edward Snowden have revealed a variety of efforts by the NSA to weaken cybersecurity and hack into networks. Critics say those programs, while helping NSA spying, have made U.S. networks less secure.

According to the leaked documents, the NSA inserted a so-called back door into at least one encryption standard that was developed by the National Institute of Standards and Technology. The NSA could use that back door to spy on suspected terrorists, but the vulnerability was also available to any other hacker who discovered it.

NIST, a Commerce Department agency, sets scientific and technical standards that are widely used by both the government and the private sector. The agency has said it would never “deliberately weaken a cryptographic standard,” but it remains unclear whether the agency was aware of the back door or whether the NSA tricked NIST into adopting the compromised standard. NIST is required by law to consult with the NSA for its technical expertise on cybersecurity.

The revelation that NSA somehow got NIST to build a back door into an encryption standard has seriously damaged NIST’s reputation with security experts.

“NIST is operating with a trust deficit right now,” Soghoian said. “Anything that NIST has touched is now tainted.”

It’s a particularly bad time for NIST to have lost the support of the cybersecurity community. In his executive order, Obama tasked NIST with drafting the cybersecurity guidelines for critical infrastructure such as power plants and phone companies. Because it’s an executive order instead of a law, the cybersecurity standards are entirely voluntary, and the U.S. government will have to convince the private sector to comply.

The Snowden leaks weren’t the first to indicate that the NSA is involved in exploiting commercial security. According to a 2012 New York Times report, the NSA developed a worm, dubbed “Stuxnet,” to cripple Iranian nuclear centrifuges. But the worm, which exploited four previously unknown flaws in Microsoft Windows, escaped the Iranian nuclear plant and quickly began damaging computers around the world. The NSA and Israeli officials have also been tied to “Flame,” a virus that impersonated a Microsoft update to spy on Iranian computers.

Vanee Vines, an NSA spokeswoman, said the U.S. government “is as concerned as the public is with the security of these products.”

“The United States pursues its intelligence mission with care to ensure that innocent users of those same technologies are not affected,” she said.

According to Vines, the NSA relies on the same encryption standards it recommends to the public to protect its own classified networks. “We do not make recommendations that we cannot stand behind for protecting national security systems and data,” she said. “The activity of NSA in setting standards has made the Internet a far safer place to communicate and do business.”

But due to concern over the NSA damaging Internet security, the president’s review group on surveillance issues recommended that the U.S. government promise not to “in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption.”

“Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible,” the group wrote in its report, which was released in December. “For the entire system to work, encryption software itself must be trustworthy.”

In response to the report, the administration adopted a new policy on whether the NSA can exploit “zero-days”—vulnerabilities that haven’t been discovered by anyone else yet. According to the White House, there is a “bias” toward publicly disclosing flaws in security unless “there is a clear national security or law enforcement need.”

In a blog post Monday, Michael Daniel, the White House’s cybersecurity coordinator, said that disclosing security flaws “usually makes sense.”

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” he said.

But Daniel added that, in some cases, disclosing a vulnerability means that the U.S. would “forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities.”

He said that the government weighs a variety of factors, such as the risk of leaving the vulnerability un-patched, the likelihood that anyone else would discover it, and how important the potential intelligence is.

But privacy advocates and many business groups are still uncomfortable with the U.S. keeping security flaws secret. And many don’t trust that the NSA will only exploit the vulnerabilities with the most potential for intelligence and least opportunity for other hackers.

“The surveillance bureaucracy really doesn’t have a lot of self-imposed limits. They want to get everything,” said Ed Black, the CEO of the Computer & Communications Industry Association, which represents companies including Google, Microsoft, Yahoo, and Sprint. “Now I think people dealing with that bureaucracy have to understand they can’t take anything for granted.”

Most computer networks are run by private companies, and the government must work closely with the private sector to improve cybersecurity. But companies have become reluctant to share security information with the U.S. government, fearing the NSA could use any information to hack into their systems.

“When you want to go into partnership with somebody and work on serious issues—such as cybersecurity—you want to know you’re being told the truth,” Black said.

Google and one other cybersecurity firm discovered “Heartbleed”—a critical flaw in a widely used Internet encryption tool—in March. The companies notified a few other private-sector groups about the problem, but no one told the U.S. government until April.

“Information you share with the NSA might be used to hurt you as a company,” warned Ashkan Soltani, a technical consultant who has worked with tech companies and helped The Washington Post with its coverage of the Snowden documents.

He said that company officials have historically discussed cybersecurity issues with the NSA, but that he wouldn’t be surprised if those relationships are now strained. He pointed to news that the NSA posed as Facebook to infect computers with malware.

“That does a lot of harm to companies’ brands,” Soltani said.

The NSA’s actions have also made it difficult for the U.S. to set international norms for cyberconflict. For several years, the U.S. has tried to pressure China to scale back its cyberspying operations, which allegedly steal trade secrets from U.S. businesses.

Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, said the U.S. has “militarized cyber policy.”

“The United States has been saying that the world needs to operate according to certain norms,” he said. “It is difficult to get the norms that we want because it appears to the rest of the world that we only want to follow the norms that we think are important.”

Vines, the NSA spokeswoman, emphasized that the NSA would never hack into foreign networks to give domestic companies a competitive edge (as China is accused of doing).

“We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—U.S. companies to enhance their international competitiveness or increase their bottom line,” she said.

Jim Lewis, a senior fellow with the Center for Strategic and International Studies, agreed that NSA spying to stop terrorist attacks is fundamentally different from China stealing business secrets to boost its own economy.

He also said there is widespread misunderstanding of how the NSA works, but he acknowledged that there is a “trust problem—justified or not.”

He predicted that rebuilding trust with the tech community will be one of the top challenges for Mike Rogers, who was sworn in as the new NSA director earlier this month.

“All the tech companies are in varying degrees unhappy and not eager to have a close relationship with NSA,” Lewis said.