ITIF Pushes For NSA Transparency Amid New 'Crypto War'


Brian Kingsley, director of technical services for Brooklyn, N.Y.-based Marathon Consulting, said the public doesn't seem as outraged about the NSA revelations and their impact as it should be.

"The general public doesn't really seem to understand the possible impact, mainly because it's pretty complicated," said Kingsley. "There isn't as much of an outcry as you would think there would be, and while consumers are purchasing and doing business [online and in the cloud], some businesses are being more cautious."

Currently there are many unanswered questions about the NSA's influence on NIST's development of standards for cryptographic algorithms. While the public trusts encryption to protect private information and communications, the NSA has successfully cracked the random number generators.

According to leaked documents, the changes made to standards have allowed encryptions to be less powerful and more vulnerable. These backdoors have allowed the NSA to exclusively and easily decrypt random number-generated encryptions, said ITIF's Castro.

"NIST came out and said they strongly recommend that other users, specifically the companies that implement draft standards, no longer use the random number generator," said Castro. "The standard that NIST recommends everyone to adopt likely had a 'built-in backdoor' that only the NSA knew about. It basically makes it much easier for them to break into a system that uses a number generator as a basis for the encryption."

The first crypto wars in the 1990s also involved government pressure on communications companies to deploy broken encryption and back doors to enable government spying. At one point, the NSA developed its own chipset, dubbed the Clipper Chip, for telecommunications companies that would generate an encryption key for each phone and then allow the government to hold the key in escrow. The chip, however, was widely criticized and discontinued after a few years with minimal adoption.

"We traced through the public debate that happened in the 90s on the crypto wars -- where do we draw the line between the need of law enforcement and the intelligence community versus the other equally legitimate needs of users having secure communication and individual privacy?" Castro said. "The overwhelming consensus of the panel had most people thinking that there needs to be this balance."

According to Castro, the NSA's acts can bring debilitating consequences to tech companies; he compared it to the blacklisting of Chinese networking company Huawei for being involved with the Chinese government. However, as companies are blacklisted there will be budding opportunities for new players in the security market, said Castro.

"The first clear impact for every company is that they now have to take a second look at the security they use on their systems. We are likely to see U.S. companies face blacklisting, where there are too many unanswered questions about initial ties," said Castro. "But beyond that, we're going to be seeing emerging markets for more security, which is a good thing."
