The National Security Agency has gone to extraordinary lengths to foil encryption used in commercial technology. A new report in Sunday's Der Spiegel revealed that the agency's elite hacker group, known as Tailored Access Operations, infiltrated networks of European telecommunications companies and accessed and read emails that "were believed to be securely encrypted." From the NSA's perspective, counter-encryption efforts have led to important intelligence breakthroughs.
That's why of the 46 recommendations offered by a presidential review panel on government surveillance activities, the one that suggests that the NSA ramp down its efforts against encryption may be met by with a mixture of outrage and laughter in the halls of the agency.
"The US Government should take additional steps to promote security, by... fully supporting and not undermining efforts to create encryption standards," the report's authors recommend.
Undermining encryption, of course, is precisely what the NSA does. It's a code-breaking organization. It develops methods and techniques to "subvert, undermine, weaken, or make vulnerable" -- to borrow from the list of things the panel said the agency should stop doing -- the codes that governments, terrorist networks, criminal organizations, businesses, and everyday people use to shield their communications from prying eyes.
"Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible," the review panel writes. "For the entire system to work, encryption software itself must be trustworthy."
That may be. But the NSA doesn't want the entire system to work -- at least not all the time. Part of its mission is to capture, read, and analyze information. A trustworthy, reliable encryption system can be an obstacle to global surveillance.
The NSA has tried to obscure the lengths to which it goes to undermine encryption standards, a good indication that it won't abandon that work without a fight. In September, when the New York Times and ProPublica were preparing to report on the NSA's counter-encryption efforts, the Obama administration tried to persuade the news organizations not to publish their articles, arguing that the revelations might prompt NSA's targets to switch to new methods of encryption that would be harder to crack. Surely officials have and will continue to make the same argument to President Obama, who has already disregarded one of the panel's recommendations that the director of the NSA no longer be "dual-hatted" as the commander of U.S. Cyber Command, which oversees computer warfare operations. Those operations, by the way, rely on breaking encryption.
In some respects, the NSA is torn between two competing missions. It breaks codes. But it also makes them, mostly for the purpose of protecting the government's information. In a recent interview with the national security blog Lawfare, Anne Neuberger, the senior official who manages the NSA's relationships with technology companies, was asked about news reports that the agency had secretly included a vulnerability into an encryption standard that was developed by the National Institute of Standards and Technology and then adopted by more than 160 countries.
Neuberger didn't confirm or deny the reports. She called NIST an "incredibly respected close partner on many things," including setting encryption standards, some of which the agency itself uses. But, she added, NIST "is not a member of the intelligence community."
"All work that they do is...pure white hat," Neuberger said, meaning not malicious and oriented solely around defending encryption. "Their only responsibility is to set standards" and "to make them as strong as they possibly can be." That left out the work that NSA does to defeat those standards, which has included buying privileged access into encryption products sold commercially. On Friday, Reuters reported that the agency paid RSA, a major computer security vendor, $10 million to promulgate an encryption weakness that the NSA had developed.
Security experts who were cautiously optimistic about other recommendations from the surveillance panel may find themselves less sanguine about the possibility of NSA halting its counter-encryption practices.
"I think that as long as both encryption development and encryption hacking are housed within the same agency, it creates an obvious conflict of interest," Sascha Meinrath, the director of the Open Technology Institute, told Foreign Policy. "The NSA has done tremendously good work helping secure communications over the years; unfortunately, their use of exploits and other tactics to undermine encryption put all of this work under a cloud of suspicion, thus undermining the overall goal of the NSA to help ensure the integrity of communications."
Joel Brenner, the NSA's former inspector general, compared the panel's report to "a fruitcake. It's chock full of tasty cherries -- and other bits that are nuts. You have to pick out what's what."
"These recommendations will not be adopted in bulk," Brenner wrote in a post for Lawfare. He didn't specifically address encryption, but Brenner predicted that some compromises suggested in the report would go too far for the NSA and the Obama administration, particularly if they gave U.S. adversaries an edge in intelligence operations.
"What would make sense," he wrote, "would be negotiated, mutual arrangements [about intelligence operations] with several close allies outside the ‘Five Eyes' group, chiefly Germany and France."
But on encryption, that would require those countries not to make their own attempts to break encryption used in the communications they intercept. And there's almost no chance that would happen.