According to stories posted on Thursday from the New York Times, The Guardian, and ProPublica (based on documents leaked by former NSA contractor Edward Snowden), the National Security Agency (NSA), with the help of supercomputers, court orders, vulnerabilities, and persuasion, has managed to strip away most of the protection offered by modern encryption. The NSA is not alone, as the news agencies also report that Britain's GCHQ is in on the act as well.
"The [NSA] has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show," the story from the New York Times explained.
The Times' coverage added that some of the agency's most intensive efforts have focused on "the encryption in universal use in the United States," including HTTPS, Secure Sockets Layer (SSL), virtual private networks (VPNs), and the protection used on 4G smartphones.
"I'm not surprised at this news. Given the NSA's determination to ensure that nothing is hidden from them, cracking encryption on the Internet would certainly be a big focus for them. Furthermore, with increases in computing power, virtualization, and hive-like shared computing models, the NSA has a lot of horsepower to apply to this problem," said Tripwire CTO, Dwayne Melancon, in a statement to CSO.
The news on Thursday comes at a time when many major internet companies have spent an entire summer attempting to assure their users that the data they are being entrusted with is safe. Yet, according to the documents leaked by Snowden, the agency treats its success in undermining the Web's encryption as one of its most closely guarded secrets, "restricted to those cleared for a highly classified program..."
The ability to crack much of the Web's encryption comes to the NSA via several channels. In some cases the agency has pressured vendors to install backdoors, or allow access to encryption keys. In other cases, the agency has simply broken into systems and stolen said keys. There's also the fact that the NSA has outright purchased private software vulnerabilities, in order to compromise a remote system and capture data before it is encrypted.
"These revelations demonstrate a fundamental attack on the way the Internet works. In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it's incredibly destructive for the NSA to add flaws to such critical infrastructure," said Joseph Lorenzo Hall, Senior Staff Technologist for the Center for Democracy & Technology.
Moreover, the Washington Post exposed details about GENIE, a program that includes specialists who implant malware in order to control a remote system.
Under GENIE, the Post reported, computer specialists break into foreign networks in order to place them under U.S. control. The $652 million project "has placed 'covert implants,' sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year." The NSA plans to grow that number into the millions.
However, the topic that has most of the Internet up in arms is the claim that the NSA worked to undermine the standards for encryption that developers rely on to build products. The ACLU called the NSA's actions recklessly shortsighted. The watchdog added that the agency's efforts to secretly defeat encryption will further erode the United States' reputation as a global champion of civil liberties and privacy, and the economic competitiveness of its largest companies.
"We know the NSA has people who discover vulnerabilities in hardware and software and also purchases this information from 3rd parties. We know they have access to trusted vendor code signing keys. Information like this was used to create Stuxnet, Duqu, and Flame," Chris Wysopal, the CTO of Veracode, told CSO.
"This same information is used for offensive computer actions and recently we have seen the details about the implants NSA is doing worldwide to have command and control on networks around the world. It really shouldn't be surprising that they are using the same vulnerabilities and key for interception also."
What's the impact on businesses?
With the latest developments in mind, what will the NSA's abilities mean for businesses across the globe, but especially here in the U.S.? Should there be concern?
"Concern? Perhaps not. Scrutiny? Absolutely. Businesses that are concerned about the government decrypting their secret communications and data need to take a hard look at how they are securing sensitive data, and consider some changes," said Melancon.
For example, businesses could start dealing with sensitive information in a manner that makes it difficult for outsiders to tell the difference between high-value and low-value data, thus increasing the amount of data others must sort through to find things of value, he added.
"It's also important to remember that brute force decryption is still not simple, and takes a lot of time and deliberate effort. Furthermore, moving to stronger levels of encryption — using longer bit lengths for encryption keys and more processor-intensive crypto algorithms, for example — will slow down any efforts to decrypt your data; you may not prevent decryption, but you'll certainly make them work harder and longer to get to it."
Another mitigating factor Melancon mentioned, assuming the law is being obeyed, is the fact that there are still some legal protections, which limit how private communications can be used against the parties communicating. With that said, there's still the risk that corporate secrets and other sensitive data collected by the government could be exposed by a rogue NSA / GCHQ employee, but that's a given no matter who has the information.
"Any time humans have access to information of value, there is a risk of inappropriate exposure, and even with all the safeguards in place, this is no different," he said.
"Large organizations of any kind are more like dynamic organisms than rigid structures, and as things change it's easy to inadvertently make it possible for individuals to act inappropriately or irresponsibly with data. It's true that intentional, malicious disclosure of data can occur - as we've seen first-hand in recent times. However, I think the bigger risk is from inadvertent or ill-informed disclosure of data."
Security technologist and cryptology expert Bruce Schneier offered his thoughts on the latest NSA-based news cycle by way of two different essays on Thursday. In one, he accuses the government and industry of betraying the Internet, and the people who use it. In the other, he offers his advice on remaining secure against the NSA. Both are worth a read, but it is his comments in the first essay that best sum up the entire ordeal.
"By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards. This is not the internet the world needs, or the internet its creators envisioned. We need to take it back. And by we, I mean the engineering community," he wrote.