Today, National Security Agency director Admiral Mike Rogers spoke to the Atlantic Council, a Washington D.C. think tank, about the on-going encryption debate.
During his speech, Admiral Rogers dubbed encryption as “foundational to the future” and even went so far as to say the entire argument is a waste of time.
If that comes as a surprise to you, it should.
It was the NSA, after all, that was exposed nearly three years earlier by contractor Edward Snowden for spying on US citizens through use of warrantless wire taps, bulk collection of phone metadata and a wide-reaching tool capable of searching huge amounts of collected online data to accurately profile citizens, called XKeyscore.
Now the agency is saying it isn’t seeking Silicon Valley tech companies to weaken encryption or to provide backdoors?
Could it be because it has already broken common encryption protocols?
It seems doubtful, but the question isn’t without merit. The NSA did, after all, achieve a “computing breakthrough” in 2012 that allowed them to “crack current public encryption.” That is, if you believe the unnamed former NSA officials in James Bamford’s 2012 Wired piece, or Bradford himself for that matter.
A 2015 paper co-authored by researchers from Microsoft, University of Pennsylvania, Johns Hopkins University, Michigan University and others, details reasons that cracking encryption, even strong encryption, is at least plausible. It even identifies some weaknesses and ways that it could be done, such as active attacks on export ciphers in TLS, basically attacking one “end” of end-to-end encryption.
Snowden also revealed, in 2013, the the NSA was investing in such a technology designed to do just that, break encryption.
Part of the document cache that Snowden leaked detailed a “black budget” request to prioritize “investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.”
The Snowden documents also revealed the budget of this operation, $10 billion. $1 billion of that was devoted solely to computer network exploitation and several similar programs each received hundreds of millions a year in government funding.
Breaking encryption with modern technology is doubtful.
If the NSA can access encrypted communication, the answer probably lies within the humans at either end of the device. While encryption remains one of the strongest ways to maintain secure communications online, it’s only as strong as the OpSec (operational security) of the person at the keyboard, and historically, we’ve seen some major failures there.
That doesn’t mean that the NSA can’t access our encrypted data, it just means that logical thought dictates that it’s probably happening through an exploit or malware that targets end users rather than the cryptography itself.
We may never know why the NSA switched its stance on privacy and security, but the fact that it did should make you at least consider the possibility that weakened encryption and backdoors aren’t needed because the agency already knows how to access your information.
➤ NSA Chief Stakes Out Pro-Encryption Position, in Contrast to FBI [The Intercept]