Why you can’t decide (And what to do about it)
May 27, 2016
Commentary: The rapidly changing digital world can leave tech executives feeling overwhelmed when they're faced with charting the course of their company's cybersecurity strategy.
Daniel Castro is a senior analyst with the Information Technology and Innovation Foundation and a FedScoop contributor.
Last week, articles from the Guardian and The New York Times revealed the National Security Agency has circumvented or cracked much of the cryptography used to secure online communications. The fact NSA has spent billions of dollars per year to intercept and decrypt secure communications is not surprising — signals intelligence is the bread and butter of the agency.
However, the allegation NSA has covertly weakened the design of cryptographic standards and introduced vulnerabilities in commercial products is a disturbing claim with severe implications Congress should thoroughly investigate.
One of the most troubling aspects of this story is that the United States has already had a public debate about whether national security interests should dictate the cryptographic standards used commercially, and NSA decisively lost this debate. In the mid-'90s, powerful new cryptography threatened the ability of NSA to access private communications. In response, NSA proposed the private sector voluntarily adopt the Clipper Chip—a cryptographic system for securing voice communications (and eventually, data communications).
The basic concept of the Clipper Chip was that any communications could be decrypted with a unique private key. The government proposed these private keys would be split, and each half escrowed with the National Institute of Standards and Technology and the Treasury Department. Only by obtaining a lawful court order would the government be able to decrypt these encrypted communications.
At the time, the Clipper Chip proposal was widely panned for multiple reasons. First, Skipjack, the algorithm used to encrypt communications on the Clipper Chip, was classified. Users did not trust an algorithm that had not been publicly vetted, and many preferred alternative protocols such as RSA. Second, domestic users did not trust the government would not abuse the key escrow policies or that these backdoors would not be exploited by adversaries. Third, foreign users did not trust the government would not access their communications as they would have no Fourth Amendment protections. Fourth, and perhaps most importantly, the private sector understood it could not sell its products overseas if they came with a built-in backdoor for NSA.
In the end, not only did the Clinton administration abandon the Clipper Chip proposal, it also rolled back the export restrictions on strong encryption products when it realized that such restrictions would simply cede market share to foreign tech companies not subject to these restrictions. But now, it appears that rather than respecting the opinion of the American public and its elected officials to foster more secure communications, NSA has been subverting this goal by covertly introducing weaknesses into commercial hardware and software.
The implications of NSA’s spying continue to worsen for the tech industry. The initial revelations about PRISM may encourage foreign customers to turn their backs on U.S. cloud computing providers. As I estimated earlier this summer, the impact of even a small loss of business could cost U.S. providers between $22 and $35 billion over the next three years.
The newer revelations that NSA may have worked to implement backdoors into U.S. hardware and software could have an even greater impact on the U.S. tech industry. Foreign customers will become increasingly distrustful of U.S. technology until NSA comes clean on exactly what it has done. After all, the United States would do the same. Last year, the House intelligence committee issued a report calling for the Chinese technology firms Huawei and ZTE to be blocked from the U.S. market because of concerns over potential espionage and government backdoors in their products. Will foreign companies think twice before buying their employees the next iPhone or U.S.-made router?
More broadly, if NSA has weakened encryption, this may lead to decreased trust in the security of online transactions. As the White House has noted in the past, “Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world.” What is a bigger threat to consumer trust than to learn that the cryptography on which the Internet has been built is routinely subverted by the government? And what happens if these weaknesses are exploited by other governments or criminal organizations? As Edward Snowden has shown, even NSA’s secrets are not safe.
These most recent revelations have also had a negative impact on cybersecurity from a policy perspective. First, the cybersecurity legislation Congress has worked on for the past few years has been delayed indefinitely because of the NSA leaks. The issue is simply too toxic for Congress to touch. Second, the NSA scandal has severely impacted the ability of the federal government to successfully lead the development of international security standards in the future. The federal government has a critical role to play in improving cybersecurity, not only by providing capabilities to deter and combat attacks, but also by leading standards development and promoting adoption of secure technologies. For example, NIST writes the widely used Federal Information Processing Standards and runs major projects like the National Strategy for Trusted Identities in Cyberspace. The ability of the federal government to pursue these activities has been compromised by NSA’s reckless pursuit of access to communications at any cost. (Already sensing the furious backlash, NIST has reopened public comment on certain security standards.)
While many companies are already working to increase the security of their products in light of this news (for example, Google announced it was accelerating plans to encrypt data sent between its data centers), the private sector cannot be expected to resolve this on its own. If these most recent allegations about NSA are true—if it has systematically introduced vulnerabilities in commercial products for its own ends—then this is a clear perversion of democracy that merits a swift response. Congress should investigate the extent to which these allegations have occurred and provide additional oversight of NSA to prevent it from manipulating technical standards in the future.
In addition, Congress should send a clear message that the policy of the U.S. government is to improve online security, not weaken it, by notifying companies of vulnerabilities it has discovered in this process. The interests of one government agency should not outweigh the economic interests of an entire U.S. industry or the security interests of Internet users worldwide.
Perhaps counterintuitively, taking these steps now will also serve the United States’ long-term strategic national security interests. For all the fear about NSA’s capabilities, the reality is that when implemented correctly, cryptography works. Therefore, NSA’s current strategy is not sustainable in the long term. The sooner NSA admits this, the sooner it can start focusing on how to protect national security in a world where private communications stay private and the better off we all will be.