The NSA's actions create distrust
Chris Cronin, principal security consultant, Halock Security Labs
Over the past few weeks, we've seen news coming out of the Edward Snowden leaks that we've been able to either shrug off or become perturbed by, depending on the details of each leak. But this past week, new information was revealed regarding a serious violation of trust. This time, reactions from security professionals are anything but middle of the road. ProPublica and The Guardian have reported that the National Security Agency (NSA) used its influence among U.S. and international standards bodies to create a purposefully weak encryption standard that it could compromise as needed. You read that right.
This is not only troublesome in that it introduced a weaker-than-needed security standard that real-world technologies rely on, but the worst part of this event is that it undermines our fundamental trust in the security controls that we work so hard to implement and use.
U.S. and international security communities have established standards not only to provide us with baselines to help us get secure, but also to give us confidence that we are in a community that can predictably safeguard the information that we share. If we commonly use a decent security standard, then our risk of technical or data breaches is lowered – much like predictable drivers on the road making road travel a mutually safe activity.
But, if those security standards are suspect, then we have a problem of confidence. It does not surprise us that the NSA decrypts things. That is key among their purposes and we should be grateful for it. We create a lock, they figure out how to unlock it. And this is, after all, what information security professionals do anyway – break a lock to see if we need stronger locks. But the NSA purposefully built a vulnerable encryption standard and caused the National Institute of Standards and Technology to publish that standard as something that was predictably, reliably secure.
Later, this standard was adopted by the International Organization for Standardization (ISO). Security researchers found the flaw in the standard two years after it was published and adopted by many technologies (this goes to show you how critically important a community of the competent is in challenging what the authorities tell us is true). The standard is just one among many encryption standards that we use in the world. But aside from whether this is a pervasive vulnerability, our attention should be turned to the reputational damage that the NSA has inflicted on security itself.
The NSA has done something severely damaging (or at least hazardous) by creating a purposefully weak standard and disguising it as sound. It undermined our reason to feel confident in security standards. I hate to think of the fallout. Will the public and professionals who rely on security technologies now start doubting security? Will they see security efforts as futile or shallow, an act of expensive security theater? While I think such a reaction does not have merit in most cases, shouldn't we expect that the public and the business managers who purchase, configure and maintain secure technologies will just throw their hands up in the air and say, “Why does it matter? All of this stuff is rigged anyway?” Will some portion of the populace give up on security because they believe it is a sham?
Again, if we knew the NSA cracked an encryption algorithm it shouldn't surprise us, even if it might make us feel a little less easy about our secrets. But rigging the standards in the first place – let alone creating a weaker-than-necessary standard – has resulted in our not being able to feel as if there is a normal security posture. And keep in mind I'm not talking about hoping for a Zen-like, naive security state of mind. I'm talking about a basic ability to rely on a standard that does what it claims to do.
Information security is not only in place to make ourselves more resilient to threats. It is in place to create a mutually established trust with which we can communicate and engage each other with reasonably expected results. The NSA broke that trust when it gave us a false reason to feel confident. And now that we know, in what unpredictable and harmful ways will we react?