In this month’s debate, we received a number of responses to our topic, which covers the NSA’s attempts to crack encryption methods.
John Johnson, John Deere
I would be disappointed if the NSA didn’t try to crack encryption. They should have a reasonable budget to compete with our adversaries in that regard. They should not weaken, subvert or introduce vulnerabilities and backdoors in technologies that American citizens use for telecommunications. U.S. government agencies should uphold the U.S. Constitution, which means protecting the civil liberties and privacy of American citizens, as well as protecting us from those who would do us harm. This is a difficult balancing act.
I believe General Alexander when he says he wants to leverage Big Data without becoming Big Brother. The mission of the NSA is to gather as much signals intelligence as they can, and to analyze it and provide actionable intelligence to our leaders. As Alexander says, they need to be able to connect the dots. They need to do this ethically, transparently and with greater safeguards and oversight, because of the risk of abuse with such an extensive data set. If they cannot achieve their objectives without abusing the rights of American citizens, they need to back off. If the security community can help here, we should.
Alex Messes, senior developer, Envision Pharma Group
Decrypting of hostile communications was and is a matter of national security. However, encryption, once a domain of the few, is now ubiquitous. Decrypting, while more necessary than ever, could bring the end of privacy – financial, medical, and social privacy. Technology cannot solve this problem – as we simultaneously have a vested interest in creating unbreakable encryption and in breaking it by any means possible.
Demanding that the intelligence services do not break the encryption is akin to insisting on surgeons with blindfolds out of fear that they otherwise could see our private parts.
The solution could only be legal in nature. Somewhat along the lines of the limits placed on use of information in courts. Not any data or documents could be admitted. Information obtained outside of supervised channels is legally invalid. A similar approach would allow for national security needs to be satisfied, while giving the citizenry the means to fight and punish the abuse of intelligence gathering.
Craig Spiezle, executive director/president, Online Trust Alliance
As cyber criminals and state-sponsored terrorism operate without rules, we need to ensure we do not tie the hands of our government, providing such access and usage has oversight and limitations. It is essential to consider how other countries operate without such constraints. While one may think this pertains to such countries as China and Russia, look no further than the practice of Germany and others.
The real questions are how do we limit access, and is the risk to our privacy worth the price we pay for security. Such spying is not new and goes back to the birth of our nation. From the interception of coded letters in the Revolutionary War to undersea cables and cellphones, it is safe to assume there is no guarantee of security.
As companies and individuals are increasingly putting their personal and confidential data in the cloud, they need assurances their data will be secure. The real question is how do we maintain oversight and steps to make sure such tools and techniques do not fall into the hands of cyber criminals. If we must have one or another, I vote for enabling the government. The alternative is not acceptable.
Chris Cronin, principal consultant, HALOCK Security Labs
The NSA violated its mission statement to use cryptology “in order to gain a decision advantage for the Nation” when they created their vulnerable encryption standard, Dual_EC_DRBG. The violation wasn’t that the NSA reduced the “decision advantage” of the nation, but that it transferred that advantage to itself. The main vulnerability of the Dual_EC_DRBG random number generator is that it can be “unlocked” with a secret set of numbers that (purportedly) only the NSA has. The holder of this set of numbers can decrypt anything that was encrypted with Dual_EC_DRBG. But because this standard can be used by law-abiding U.S. citizens, government agencies and companies as well as by enemies, the only group that has the “decision advantage” is the NSA.
Now add to this unique advantage the facts that 1) The NSA resists accountability and transparency, and 2) It can apparently lose a significant amount of secret documents without knowing it. Now we’ve got reason to be concerned that anyone using this rigged encryption method has no reason to feel protected. The NSA’s reputation is justifiably stained and can only recover with increased accountability.
Avner Levin, associate professor and director, Privacy and Cyber Crime Institute, Ryerson University
Taken to its logical conclusion, the argument that the NSA’s mission to crack encryption strengthens national security equates national security with unfettered government access to information that businesses and individuals went to great trouble to protect. But national security is NOT equal to total information awareness. National security agencies argue that they need more and more information in order to do “their job.” The more “they” know about us, the easier it is for them to determine whether we are terrorists. But a country in which the dominant conception of national security serves the operational needs of various agencies is a poor one indeed.
Their job would no doubt be easier without encryption, or the freedoms of association, expression and mobility for that matter. How convenient would it be for these agencies if we were only allowed to move about for pre-approved purposes, for example. Fortunately, the rule of law stands independently of its purported agents. At troubling times such as these, it is worth remembering that our security and strength stem not from totalitarian programs, but from human rights and civil liberties that we all hold dear.
Bradley Anstis, product manager – security, federal government & security, Macquarie Telecom
While there has been much debate about what the NSA has actually been breaking, that discussion is mostly irrelevant. The biggest victim in this whole saga is trust, and all this coming from an agency whose motto is “Defending Our Nation. Securing the Future.” So much for securing the future. Security is all about trust. It takes years to build up trust and only seconds to lose it, as the NSA has so effectively demonstrated.
The U.S. has historically been a leader in technology, particularly in the areas of IT security and encryption – with the majority of vendors in the market being U.S. based. The emergence of cloud computing is typically being led around the world by U.S. vendors. These vendors have invested much time and effort to build trust in overseas markets – purchasing decisions come down to trust. The Patriot Act was a big blow to this trust; now the NSA revelations are quite definitely another blow. This latest saga will just insert a question in the mind of potential buyers: Is it really worth it to pay a premium for U.S.-manufactured kit, or can I really trust that my critical data is safe, even encrypted in a U.S. vendor’s cloud solution? The U.S. is already running a trade deficit in this area; how much can it really afford to lose?