How the NSA Intentionally Weakened Our National Security

Posted on September 19, 2013


Maybe you are in the camp that reasons, “Hey, I’m not doing anything wrong, so it’s no big deal if the NSA tracks my information.”  Even if you don’t care about your privacy, it is a big deal, it does impact you personally, and here’s why.

First:  Your financial institutions, your water company, electric company, 911 call center, grocer, and hospital all use electronic communications, controls, and transfers.  The same goes for the control of air, rail, sea and ground traffic.  Pretty much everything these days – finance, safety, business, infrastructure, food supply – runs on orders, transactions, and controls that move through electronic communications systems.

Second:  The threat to electronic systems is not just some pimply geek with no social life trying to hack into NORAD.  Global cyber-warfare is real, it impacts just about everything with even the most obscure connection to some computer somewhere,  and it’s happening right now.  The name of the game is to get into your adversary’s systems while keeping him out of yours.  Why?  Because the cyber-scape, which is made up of information and processes, is every bit as important as — maybe even more important than — physical terrain.  Infiltrate your adversary’s information and processes, and you can create panic or shut him down… maybe even gain control of some pretty important things.  US vs. Iran (target: nuclear systems).  Iran vs. US (target: banks).  Russia and China vs. US (target: economic and technological data).  Syria vs. US (target: media).  North Korea vs. South Korea (target: ATMs and TV networks).  The list goes on and on, with many players and many targets.  This is not science fiction or paranoia.  It is real, and it has been going on for years.

So, obviously, we have to protect ourselves with the best systems encryption we can come up with.  The National Institute of Standards and Technology (NIST) are the guys who (among a whole lot of other things) set the electronic security standards that “protect information systems against threats to the confidentiality, integrity, and availability of information and services”… not only Federal systems, but most public and commercial services like your bank, your water supply, your local nuclear power plant, and so on.  The NIST encryption standards were generally perceived as so high-quality that they are voluntarily used by private industry and were even (with some persuasion) adopted by the International Organization for Standardization (ISO), which has 163 member nations.  Were perceived as high-quality.  Maybe not so much any more.

Maybe not so much since 2006, actually.  Back then, when one particular NIST cryptographic algorithm was still brand-new, researchers found that it is insecure and can be compromised using “an ordinary PC.”  As Larry Greenemeier writes in Scientific American, many private companies include the algorithm in their cryptographic libraries (although some do so only in order to qualify for government contracts).

Now it turns out that we have the NSA to thank for this weak, easily compromised algorithm.  Gee, thanks, NSA!  I just love weak security on critical systems that the Chinese are constantly trying to break into.  It seems that the NSA’s myopic focus on grabbing as much data as they can on everyone and everything has led them to prioritize ease of access for themselves, instead of promoting strong encryption to keep our nation’s various cyber systems safe from infiltration or attack.  That is bad national security policy.  Writes Larry Greenemeier:  “The NSA orchestrated essentially a ‘kleptographic’ attack on anyone entrusting their data to the Dual_EC_DRBG algorithm, which would intentionally leak data through a cryptographic backdoor.”  For anyone still using this algorithm, imagine the resulting stampede away from it.
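A toy version of the mechanism Greenemeier is describing, added here as an illustration and not taken from the post or from NIST’s specification: a tiny elliptic curve with constructed parameters, where whoever chose the two constants P and Q so that P = e*Q can turn a single output back into the generator’s internal state and predict everything that follows. The real standard truncates each output (the toy omits that) and uses the curve’s fixed base point as P, so the only question was who knew the discrete log relating Q to it; the point here is that a DRBG’s constants need a verifiable provenance, which Dual_EC_DRBG’s never had.

```python
# Added toy model of the Dual_EC_DRBG trapdoor; all parameters are constructed and far too small to be secure.
P_MOD, A, B = 10007, 2, 1   # curve y^2 = x^3 + A*x + B over F_p, with p = 3 (mod 4)
INF = None                  # point at infinity
def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)
def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def lift_x(x):
    """Recover one of the two curve points with this x (p = 3 mod 4, so a square root is one pow())."""
    rhs = (x**3 + A*x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    assert y * y % P_MOD == rhs, "x is not on the curve"
    return (x, y)

# Public constants: Q is a point on the curve; whoever set P = e*Q keeps e as the trapdoor.
Q, TRAPDOOR_E = (1, 2), 4321
P = ec_mul(TRAPDOOR_E, Q)
def dual_ec_step(state):
    """One round: new state = x(s*P), output = x(new_state*Q). The real standard truncates the output; the toy does not."""
    new_state = ec_mul(state, P)[0]
    return new_state, ec_mul(new_state, Q)[0]
def recover_state(output, e=TRAPDOOR_E):
    """Trapdoor holder: lift the output to +-s*Q, multiply by e to get +-s*P; its x is the next internal state."""
    return ec_mul(e, lift_x(output))[0]
def demo(seed=2718):
    """Return (real outputs 2 and 3, outputs predicted from output 1 alone using only e)."""
    s1, out1 = dual_ec_step(seed)
    s2, out2 = dual_ec_step(s1)
    _, out3 = dual_ec_step(s2)
    st = recover_state(out1)          # equals s2 for anyone holding e, and for nobody else
    pred2 = ec_mul(st, Q)[0]
    _, pred3 = dual_ec_step(st)
    return (out2, out3), (pred2, pred3)
```

Either sign of the lifted point works, because negating a point does not change the x-coordinate of its multiples; that is why a single observed output suffices.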

NIST has denied deliberately weakening the cryptographic standard in cooperation with NSA and is now calling for transparency and public input to the revision of the faulty standards.  If you love random bit generators, entropy sources, and such, you can check ’em out on the NIST site and give them your comments.  But I don’t know if NIST’s damage-control measures will be enough to restore global trust or confidence in much of anything the US says or does anytime soon, at least as far as electronic security is concerned.