ITIF Pushes For NSA Transparency Amid New 'Crypto War'5:19 PM EST Thu. Oct. 10, 2013
The Information Technology and Innovation Foundation (ITIF) is pushing for more transparency with NSA surveillance and encryption standards organizations, arguing that the U.S. government should heed the lessons of the first "crypto wars" in the 1990s.
Recent revelations allege that the NSA has introduced vulnerabilities and backdoors into commercial security products and national security standards. In an ITIF webinar last week, Daniel Castro, senior analyst at the Washington, D.C.-based research establishment, and others discussed and compared the current situation to the "crypto wars" in the mid-1990s, when a debate raged over the government's influence over private IT security companies and their cryptography technology.
"This is very disheartening in the perspective of what the U.S government's role should be in security, which is to make systems more secure and not to make them insecure," said Castro.
Typically organizations that implement standards for rules and regulations, like the National Institute of Standards and Technology (NIST), are established to set and raise the bar for innovation, competitiveness and security. However, the NSA's covert influence over NIST's IT security standards eludes trust, Castro said.
"This standard creating process is supposed to create the common good," said Castro. "However, the problem is that it is seen as the bidding of the NSA and potentially introduces weaknesses, which reduces their ability to be trustworthy in the future. If NIST can't play that role, then somebody else will have to."
Amie Stepanovich, director of the Electronic Privacy Information Center's (EPIC's) Domestic Surveillance Project, said during the webinar that the public's concerns during the first crypto wars are very much pertinent today.
"I think they're incredibly relevant, if not more relevant today," she said. "This is relevant because when we saw recently that NIST was consulting with the NSA to lower their security standards and make us all a little bit less secure, NIST's response was that they were doing it because they were statutorily required to consult with the NSA."
Alan B. Davidson, currently a visiting scholar at the Massachusetts Institute of Technology and a former director of public policy at Google, said the allegations of backdoors in commercial security products are debilitating for the IT industry.
"I think that is going to have a very damaging long-term effect on our industry here and on faith in the systems we build," he said. "And that is not good. It's not good for our economy, it's not good liberty, and it's not good for the very security interests that want to have access to those systems."
NEXT: The First Crypto Wars
Brian Kingsley, director of technical services for Brooklyn, N.Y.-based Marathon Consulting, said the public doesn't seem as outraged about the NSA revelations and their impact as it should be.
"The general public doesn't really seem to understand the possible impact, mainly because it's pretty complicated," said Kingsley. "There isn't as much of an outcry as you would think there would be, and while consumers are purchasing and doing business [online and in the cloud], some business are being more cautious."
Currently there are many unanswered questions about the NSA's influence on NIST's standard developments for cryptographic algorithm. While the public trusts encryption to protect private information and communications, the NSA has successfully cracked the random number generators.
According to leaked documents, the changes made to standards have allowed encryptions to be less powerful and more vulnerable. These backdoors have allowed the NSA to exclusively and easily decrypt random number-generated encryptions, said ITIF's Castro.
"NIST came out and said they strongly recommend that other users, specifically the companies that implement draft standards, no longer use random number generator," said Castro. "The standard that NIST recommends everyone to adopt likely had a 'built-in backdoor' that only the NSA knew about. It basically makes it much easier for them to break into a system that uses a number generator as a basis for the encryption."
The first crypto wars in the 1990s also involved government pressure on communications companies to deploy broken encryption and back doors to enable spying from the government. At one point, the NSA developed its own chipset, dubbed the Clipper Chip, for telecommunications companies that would give generate an encryption key for each phone and then allow the government to hold the key in escrow. The chip, however, was widely criticized and discontinued after a few years with minimal adoption.
"We traced through the public debate that happened in the 90s on the crypto wars -- where do we draw the line between the need of law enforcement and the intelligence community versus the other equally legitimate needs of users having secure communication and individual privacy?" Castro said. "The overwhelming consensus of the panel had most people thinking that there needs to be this balance."
According to Castro, the NSA's acts can bring debilitating consequences to tech companies; he compared it to the blacklisting of Chinese networking company Huawei for being involved with the Chinese government. However, as companies are blacklisted there will be budding opportunities for new players in the security market, said Castro.
"The first clear impact for every company is that they now have to take a second look at the security they use on their systems. We are likely to see U.S. companies face blacklisting, where there are too many un-answered questions about initial ties," said Castro. "But beyond that, we're going to be seeing emerging markets for more security, which is a good thing."
NEXT: A Case For Public Outcry
Still, ITIF's Castro believes that policymakers should have learned from past debates, as there is an impending detrimental effect on the tech industry, consumers and businesses today. The ITIF recently issued a study that predicted the NSA's surveillance activities could end up costing the U.S. cloud computing industry between $22 and $25 billion over the next three years.
"There is the potential for a significant impact on the tech sector overall and policy makers [aren't paying nearly] enough attention to this problem; it can't be resolved just by companies," said Castro.
Marathon Consulting's Kingsley agreed, saying the public needs to pay more attention to the issue. And as a solution provider, he said, his company is doing its best to help answer some of the questions that clients have about the NSA leaks.
"Public education and people raising awareness and making an outcry will really change things. Some companies are doing that too, but it's a long, hard battle," he said. "Each person has to question things, do their own research and not take things for granted. That's partly why we are there [as a solution provider] in the first place. You cannot only listen to market speak; people need to question everything."
With so many moving parts, from the steady stream of leaks to the media to new calls for government oversight and fresh cybersecurity legislation, it appears the NSA controversy won't be resolved any time soon. Castro said ultimately the NIST and NSA must be transparent and clear the air by addressing the vulnerabilities introduced in the past and setting standards that will actually be followed so companies aren't selling vulnerable products.
"It's really hard to see where we were going to go from here," said Castro. "We really need to rethink the way these types of decisions are being made. We can't just leave it for the intelligence community to make that decision; there are so many broad impacts for the economy that it needs to become part of public discussion."
PUBLISHED OCT. 10, 2013