The Complex

NSA Will Keep Breaking Encryption, No Matter What a White House Panel Says

The National Security Agency has gone to extraordinary lengths to foil encryption used in commercial technology. A new report in Sunday's Der Spiegel revealed that the agency's elite hacker group, known as Tailored Access Operations, infiltrated networks of European telecommunications companies and accessed and read emails that "were believed to be securely encrypted." From the NSA's perspective, counter-encryption efforts have led to important intelligence breakthroughs.

That's why of the 46 recommendations offered by a presidential review panel on government surveillance activities, the one that suggests that the NSA ramp down its efforts against encryption may be met with a mixture of outrage and laughter in the halls of the agency.

"The US Government should take additional steps to promote security, by... fully supporting and not undermining efforts to create encryption standards," the report's authors recommend.

Undermining encryption, of course, is precisely what the NSA does. It's a code-breaking organization. It develops methods and techniques to "subvert, undermine, weaken, or make vulnerable" -- to borrow from the list of things the panel said the agency should stop doing -- the codes that governments, terrorist networks, criminal organizations, businesses, and everyday people use to shield their communications from prying eyes.

"Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible," the review panel writes. "For the entire system to work, encryption software itself must be trustworthy."

That may be. But the NSA doesn't want the entire system to work -- at least not all the time. Part of its mission is to capture, read, and analyze information. A trustworthy, reliable encryption system can be an obstacle to global surveillance.

The NSA has tried to obscure the lengths to which it goes to undermine encryption standards, a good indication that it won't abandon that work without a fight. In September, when the New York Times and ProPublica were preparing to report on the NSA's counter-encryption efforts, the Obama administration tried to persuade the news organizations not to publish their articles, arguing that the revelations might prompt NSA's targets to switch to new methods of encryption that would be harder to crack. Surely officials have made and will continue to make the same argument to President Obama, who has already disregarded one of the panel's recommendations that the director of the NSA no longer be "dual-hatted" as the commander of U.S. Cyber Command, which oversees computer warfare operations. Those operations, by the way, rely on breaking encryption.

In some respects, the NSA is torn between two competing missions. It breaks codes. But it also makes them, mostly for the purpose of protecting the government's information. In a recent interview with the national security blog Lawfare, Anne Neuberger, the senior official who manages the NSA's relationships with technology companies, was asked about news reports that the agency had secretly included a vulnerability into an encryption standard that was developed by the National Institute of Standards and Technology and then adopted by more than 160 countries.

Neuberger didn't confirm or deny the reports. She called NIST an "incredibly respected close partner on many things," including setting encryption standards, some of which the agency itself uses. But, she added, NIST "is not a member of the intelligence community."

"All work that they do is...pure white hat," Neuberger said, meaning not malicious and oriented solely around defending encryption. "Their only responsibility is to set standards" and "to make them as strong as they possibly can be." That left out the work that NSA does to defeat those standards, which has included buying privileged access into encryption products sold commercially. On Friday, Reuters reported that the agency paid RSA, a major computer security vendor, $10 million to promulgate an encryption weakness that the NSA had developed.

Security experts who were cautiously optimistic about other recommendations from the surveillance panel may find themselves less sanguine about the possibility of NSA halting its counter-encryption practices.

"I think that as long as both encryption development and encryption hacking are housed within the same agency, it creates an obvious conflict of interest," Sascha Meinrath, the director of the Open Technology Institute, told Foreign Policy. "The NSA has done tremendously good work helping secure communications over the years; unfortunately, their use of exploits and other tactics to undermine encryption put all of this work under a cloud of suspicion, thus undermining the overall goal of the NSA to help ensure the integrity of communications."

Joel Brenner, the NSA's former inspector general, compared the panel's report to "a fruitcake. It's chock full of tasty cherries -- and other bits that are nuts. You have to pick out what's what."

"These recommendations will not be adopted in bulk," Brenner wrote in a post for Lawfare. He didn't specifically address encryption, but Brenner predicted that some compromises suggested in the report would go too far for the NSA and the Obama administration, particularly if they gave U.S. adversaries an edge in intelligence operations.

"What would make sense," he wrote, "would be negotiated, mutual arrangements [about intelligence operations] with several close allies outside the ‘Five Eyes' group, chiefly Germany and France."

But on encryption, that would require those countries not to make their own attempts to break encryption used in the communications they intercept. And there's almost no chance that would happen.

National Security

'Military-Style' Raid on California Power Station Spooks U.S.

When U.S. officials warn about "attacks" on electric power facilities these days, the first thing that comes to mind is probably a computer hacker trying to shut the lights off in a city with malware. But a more traditional attack on a power station in California has U.S. officials puzzled and worried about the physical security of the electrical grid -- from attackers who come in with guns blazing.

Around 1:00 AM on April 16, at least one individual (possibly two) entered two different manholes at the PG&E Metcalf power substation, southeast of San Jose, and cut fiber cables in the area around the substation. That knocked out some local 911 services, landline service to the substation, and cell phone service in the area, a senior U.S. intelligence official told Foreign Policy. The intruder(s) then fired more than 100 rounds from what two officials described as a high-powered rifle at several transformers in the facility. Ten transformers were damaged in one area of the facility, and three transformer banks -- or groups of transformers -- were hit in another, according to a PG&E spokesman.

Cooling oil then leaked from a transformer bank, causing the transformers to overheat and shut down. State regulators urged customers in the area to conserve energy over the following days, but there was no long-term damage reported at the facility and there were no major power outages. There were no injuries reported. That was the good news. The bad news is that officials don't know who the shooter(s) were, and most importantly, whether further attacks are planned.

"Initially, the attack was being treated as vandalism and handled by local law enforcement," the senior intelligence official said. "However, investigators have been quoted in the press expressing opinions that there are indications that the timing of the attacks and target selection indicate a higher level of planning and sophistication."

The FBI has taken over the case. There appears to have been some initial concern, or at least interest, in the fact that the shooting happened one day after the Boston Marathon bombing. But the FBI has no evidence that the attack is related to terrorism, and it appears to be an isolated incident, said Peter Lee, a spokesman for the FBI field office in San Francisco, which is leading the investigation. Lee said the FBI has "a couple of leads we're still following up on," which he wouldn't discuss in detail. There has not been any published motive or intent for the attack, the intelligence official said, and no one has claimed credit.

Local investigators seemed to hit a dead end in June, so they released surveillance footage of the shooting. But that apparently produced no new information. The FBI says there have been no tips from the public about who the shooter might be and what he was doing there.

The incident might have stayed a local news story, but this month, Rep. Henry Waxman, the California Democrat and ranking member of the Energy and Commerce Committee, mentioned it at a hearing on regulatory issues. "It is clear that the electric grid is not adequately protected from physical or cyber attacks," Waxman said. He called the shooting at the San Jose facility "an unprecedented and sophisticated attack on an electric grid substation with military-style weapons. Communications were disrupted. The attack inflicted substantial damage. It took weeks to replace the damaged parts. Under slightly different conditions, there could have been serious power outages or worse."

The U.S. official said the incident "did not involve a cyber attack," but that's about all investigators seem to know right now. AT&T, which operates the phone network that was affected, has offered a $250,000 reward for information leading to the arrest and conviction of the perpetrator or perpetrators.

"These were not amateurs taking potshots," Mark Johnson, a former vice president for transmission operations at PG&E, said last month at a conference on grid security held in Philadelphia. "My personal view is that this was a dress rehearsal" for future attacks.

At the very least, the attack points to an arguably overlooked physical threat to power facilities at a time when much of the U.S. intelligence community, Congress, and the electrical power industry is focused on the risk of cyber attacks. There has never been a confirmed power outage caused by a cyber attack in the United States. But the Obama administration has sought to promulgate cyber security standards that power facilities could use to minimize the risk of one.

At least one senior official thinks the government is focusing too heavily on cyber attacks. Jon Wellinghoff, the chairman of the Federal Energy Regulatory Commission, said last month that an attack by intruders with guns and rifles could be just as devastating as a cyber attack.

A shooter "could get 200 yards away with a .22 rifle and take the whole thing out," Wellinghoff said last month at a conference sponsored by Bloomberg. His proposed defense: A metal sheet that would block the transformer from view. "If you can't see through the fence, you can't figure out where to shoot anymore," Wellinghoff said. Price tag? A "couple hundred bucks." A lot cheaper than the billions the administration has spent in the past four years beefing up cyber security of critical infrastructure in the United States and on government computer networks.

"There are ways that a very few number of actors with very rudimentary equipment could take down large portions of our grid," Wellinghoff said. "I don't think we have the level of physical security we need."