Revelations that the National Security Agency may be pressuring vendors to put hidden backdoors in their software and hardware for espionage purposes casts a huge shadow over many programs run by the NSA to interact with the high-tech industry for purposes of evaluating, testing and accrediting products.
The NSA’s actions, revealed in documents leaked by former contractor Edward Snowden and made public by The Guardian and The New York Times, raise questions about NSA-run programs such as the Commercial Solutions for Classified Components (CSfC), National Information Assurance Partnership, and DoD Information Assurance, Certification and Accreditation Process, as well as protocols promulgated by the NSA, such as Suite B cryptography. Virtually every U.S.-based network and security product provider of any significance participates in some way in these product evaluation programs because through them, they can sell to federal agency customers and the military.
To date, news sources such as The Guardian, which has worked closely with Snowden, haven’t put forward any names of companies that may have agreed to compromise their products for the NSA’s behalf nor have they mentioned these NSA-run product-evaluation programs.
[TRUST NO ONE: Schneier on NSA’s encryption defeating efforts]
But last Friday, the Obama Administration appeared to verify assertions made in the media the day before that the NSA works through partnership programs with industry to undermine network and security products for espionage purposes.
The Office of the Director of National Intelligence (ODNI) didn’t refute the notion that the NSA spends millions of dollars each year to subvert software and hardware by pressuring the high-tech industry to put in backdoors for the NSA’s benefit. In its official statement, ODNI said the stories published “reveal specific and classified details about how we conduct this critical intelligence activity.”
Leaked documents posted by the Times and Guardian included NSA statements such as the NSA SIGINT division “actively engages the U.S. and foreign IT industries to covertly influence and overtly leverage their commercial products' designs. These design changes make the systems exploitable through SIGINT collection (.e.g., Endpoint, Midpoint, etc.) with foreknowledge of the modification. To the consumer and other adversaries, however, the systems’ security remains intact.” One goal is said to be to ”insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices used by targets.” That the NSA manages to somehow make these modifications is considered “top secret,” according to Snowden documents posted online. In its numerous product evaluation programs with industry, the NSA would have ample opportunity to pursue these goals.
Bruce Schneier, crypto expert and author of several books, including the recent “Liars and Outliers,” maintains that the revelations about the NSA constitute a fundamental betrayal of the Internet and the people that use it. He advocates that anyone, especially engineers, with knowledge of how the NSA is subverting software and hardware should go public with what they know. He adds that’s as long as they’re not bound by specific legal or confidentiality restrictions, such as a National Security Letter.
“If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story,” said Schneier in a recent Guardian article. “Your employer obligations don’t cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.”
When yesterday asked whether China and Russia might also be working with any of their homegrown industries to also subvert products for espionage purpose, Schneier said he had no direct knowledge about this. But having read a slew of documents that Snowden has released, Schneier said he’s convinced that the NSA is doing “everything possible” to ensure complete access to everything it can. The influence of the U.S. and the United Kingdom on software, hardware and the Internet gives them “a very privileged position on the Internet,” he said.
The NSA readily acknowledges it is always seeking to “break” security of adversaries and encryption — that after all, is part of its mission as America’s cyber-espionage agency, which also maintains a Cyber Command to attack adversaries via cyberspace. But the revelation that the NSA is spending millions each year to try and get software and hardware vendors to modify their products to include backdoors for intelligence-collection purposes and weakening of cryptographic and security systems raises the prospect of what legal ramification this will all have when more becomes known.
It’s possible lawsuits from both businesses and consumers may arise if it becomes known specific products and services were designed with backdoors for the NSA without disclosure of that to the buyer in what would be seen as a deceptive practice. Some revelations in June from Snowden about the NSA’s so-called PRISM program for intelligence collection are starting to have legal impacts.
Under PRISM, the NSA can collect e-mail, chat, videos, stored data, VoIP, file transfer and other material from Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL and Yahoo. Microsoft and Google say they provide this data to the NSA under the Foreign Intelligence Surveillance Act order and want to disclose how many of those are received each year, but say so far the U.S. Department of Justice is not agreeing to that.
At the end of August, Microsoft General Counsel and Executive Vice President Brad Smith said his company and Google would “move forward with litigation in the hopes the courts will uphold our right to speak more freely.” They did that yesterday in legal filings at the Foreign Intelligence Surveillance Court, joined by Yahoo.
Public prosecutors in France are said to be starting to build a case against the NSA and the FBI for PRISM-related spying on French citizens.
Overall, there’s a kind of gloom in the high-tech industry and wariness among business customers about the implications of what the NSA is said to be doing in its zeal to be able to conduct intelligence gathering for purposes of national defense.
Like many well-intentioned government efforts, the NSA has singlehandedly done more damage to the reputation of U.S. technology companies than any other event in the brief, meteoric rise of U.S. dominance.
— Richard Stiennon
Richard Stiennon, chief research analyst at consultancy IT-Harvest, says given how badly the NSA’s purported actions have hurt U.S. industry, lawsuits should fly. He adds, “Like many well-intentioned government efforts, the NSA has singlehandedly done more damage to the reputation of U.S. technology companies than any other event in the brief, meteoric rise of U.S. dominance. The implication that the most powerful and well-funded intelligence service can leverage its relationship with U.S. companies such as Microsoft, Google, Yahoo, and even Apple, to get foreknowledge of vulnerabilities or backdoors into their information systems, is going to kick off a new era of tech mercantilism. All U.S. tech companies are going to be asked tough questions by their global clients. I am already hearing from tech giants that they are being asked to attest to the absence of an NSA presence in their data centers. Competing cloud services and security products from European and Nordic states are going to see rapid growth.”
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org