NSA online cracking could endanger businesses
(MoneyWatch) U.S. and U.K. intelligence agencies can crack online encryption used for secure data communications, according to more documents leaked by Edward Snowden, as reported by the Guardian, the New York Times, and ProPublica.
According to the report, the NSA and its British equivalent, GCHQ, "broadly compromised the guarantees that internet companies have given consumers." Virtually any sort of sensitive data, from healthcare records to online banking, is open for inspection. As the New York Times put it, the NSA is "winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion."
This is a problem for businesses. Other countries may have their own access, and governments have been known to indulge in economic espionage to aid domestic industries and hinder outside competitors. Furthermore, some of the approaches used may also be available to criminal gangs that would be interested in decrypting communications for financial gain.
Economic espionage has long been of interest to many governments. The U.S. government is allegedly no stranger to this, as the Guardian reported in June (hat tip to TechDirt):
[Edward Snowden] described as formative an incident in which he claimed CIA operatives were attempting to recruit a Swiss banker to obtain secret banking information. Snowden said they achieved this by purposely getting the banker drunk and encouraging him to drive home in his car. When the banker was arrested for drunk driving, the undercover agent seeking to befriend him offered to help, and a bond was formed that led to successful recruitment.
In the diplomatic cables leaked by Bradley Manning, the head of a German satellite company called France "the evil empire" for stealing technology and using its influence to kill projects that might compete with French companies. According to a 1994 research paper from the National Defense University, governments have been involved in industrial espionage for many years. At the time, there allegedly was extensive debate in the U.S. government about whether the country "should conduct offensive industrial espionage."
Not only do the U.S. and U.K. have spying operations, but France allegedly uses NSA-style methods to run a large-scale electronic spying operation. And when technology becomes widespread, the ability to keep it completely secret vanishes.
An additional disturbing possibility is that private parties -- whether corporations or criminal gangs -- might eventually be able to use the same techniques. According to the Guardian's report, these have included:
--covert measures to control international encryption standards
--using supercomputers for brute-force encryption cracking
--collaboration with unnamed technology companies
If the NSA has managed to weaken encryption standards, then anyone trying to break the codes would benefit. Supercomputers have become so cheap that they start at about $10,000 in boxes that can sit on a desktop. Furthermore, researchers have found that networks of millions of PCs (such as a criminal botnet of compromised computers) can help quickly crack tough encryption standards.
The collaboration with companies, taking the form of planned vulnerabilities known as backdoors or trapdoors, has received the most attention. But hackers regularly find vulnerabilities in systems. To assume that they would be unable to do so with security software bucks history.
Furthermore, if someone like Snowden -- who claims to be motivated by conscience -- can make details of NSA activities public, then chances are someone with lesser motives could do the same for financial gain. Given that there are 850,000 people with top-secret clearance in the U.S. alone, expecting that none of them could be subverted or bribed is unrealistic.