BLOOMINGTON, Ind. -- U.S. National Security Agency efforts to overcome encryption of online data weaken American security, undermine the government's duty to protect its own cyberinfrastructure and suggest intelligence agencies may not be cooperating at nearly the levels they promised to in a post-9/11 world, says Indiana University legal and cybersecurity expert Fred H. Cate.
Secret documents provided by Edward Snowden and disclosed by The New York Times confirm that the NSA -- through a top-secret program code-named Bullrun -- has not merely cracked most encryption, but compelled system operators and equipment manufacturers to install backdoors to facilitate surveillance; broken into corporate networks; and even introduced compromised encryption tools into the market so it could later exploit those vulnerabilities.
The Times on Thursday reported that the NSA has "circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records and automatically secures the emails, Web searches, Internet chats and phone calls of Americans and others around the world."
According to Cate, of IU's Center for Applied Cybersecurity Research and Maurer School of Law, this disclosure raises significant challenges, including:
-- Under what legal authority was the NSA acting? "The Clinton administration tried to introduce a legal requirement that creators of strong encryption algorithms provide the keys to the government 'in escrow,'" Cate said. "This approach was soundly rejected by the market and lawmakers, so what authorized the NSA to achieve by stealth what it had been unable to accomplish legally?"
-- Contrary to reports, the Internet isn't 'dark.' Americans are just being kept in it. "The FBI has been publicly and vociferously complaining about the problem of the Internet 'going dark,' in large part because of encryption," Cate said. "The FBI has repeatedly asked Congress for legislation making encryption difficult, but the Snowden disclosures suggest that the problem isn't real. Apparently, very little of the Internet is 'dark' to the NSA, so either law enforcement isn't telling the truth -- a possibility lent credence by the director of national intelligence's false statement to Congress last March that the NSA was not conducting surveillance on U.S. citizens -- or the NSA isn't sharing its tools with the FBI, a frightening prospect given the attention that the government has supposedly focused on better cooperation among agencies after the 9/11 attacks."
-- The China problem. "The Obama administration has focused significant attention this year on China and its alleged cyberspying," Cate said. "In fact, Congress has gone so far as to prohibit federal funds from being spent by some agencies on computing equipment made in China without special authorization, arguing the equipment might be compromised. Yet these documents provided by Snowden suggest the NSA has been introducing vulnerabilities into products and services bought and sold in the U.S. and abroad to facilitate spying. We can't admonish the Chinese for doing something that we've been doing -- presumably better and longer -- than they have."
-- A spy agency divided can't stand on its own. "Security experts have argued for decades that the NSA has a fundamental conflict between its two missions: one to infiltrate foreign -- and now, it turns out, domestic -- networks and the other to protect America's networks," Cate said. "The long-expressed fear is that the agency would prioritize the first mission over the second and rather than patch known vulnerabilities, would exploit them to collect intelligence. These most recent revelations make clear that the NSA went even one step further and actually introduced its own vulnerabilities (and apparently forced private-sector vendors to introduce them as well), thus weakening our nation's security overall and undermining its responsibility to enhance the security of our cyberinfrastructure.
Cate is an internationally recognized expert on cybersecurity law and policy and personal privacy. He is a member of the inaugural U.S. Department of Homeland Security Data Privacy and Integrity Committee Cybersecurity Subcommittee and one of the founding editors of the Oxford University Press journal International Data Privacy Law. He can be reached at 812-855-1161 or [email protected].