NSA bribed Encryption Companies to Install Back Doors: Was the Law Broken? Did Obama Know?
(By Juan Cole)
Reuters gets the scoop: the National Security Agency gave internet security firm RSA some $10 million to use an NSA encryption formula in its BSafe software. RSA is now a subsidiary of the EMC corporation, and they have urged customers not to use BSafe since the revelations by Edward Snowden made clear that the NSA’s formula in fact allowed the agency access to all the information supposedly encrypted with it.
This story should be a huge scandal, but I fear it won’t be. This is like the FDA paying a pharmaceutical company to carry a drug that does not work and could therefore leave patients open to dying from an untreated illness after taking medication they are assured will cure it. If the NSA could exploit weaknesses in the encryption formula, so could hackers. The NSA subverted the will of millions of customers around the world who used RSA software precisely in a quest to be safe from the prying eyes of government officials and other peeping Toms.
Moreover, the $10 million has to be seen as a bribe (it was a third of RSA’s income that year). Isn’t it illegal for government officials to bribe private companies? Isn’t it moreover illegal for intelligence officials to give out money like candy to a private company in order to spy on Americans on American soil?
I’d like to know what NSA official or officials were involved in this sting operation on the American people. I’d like to know if Barack Obama knew about it. I’d like to know if the corporate officials who accepted the “contract” with these strings attached knew they were screwing us all over.
This Reuters story makes sense of the allegation emerging from the Snowden leaks three months ago that the NSA had spent $250 million on keeping access to encrypted data by working with firms that provided encryption services. Presumably they have just been ensuring that no one’s encryption formula actually shields things from them.
Increasingly, firms and governments abroad would be crazy to buy encryption products from American companies. Likewise, getting cloud services from US corporations is a way to ensure that the US government can steal your trade secrets.
German politician Hans-Peter Uhl, from the ruling conservative coalition of Chancellor Angela Merkel, has urged that Germany boycott American firms such as Cisco because their security is compromised. Under the so-called PATRIOT Act, government agencies can demand information from companies without a warrant via a National Security Letter. In addition, the NSA routinely demands access to company servers, and can compel compliance without having to go to a judge. Not to mention that the NSA has just arrogantly exploited its deep pockets and profound expertise to find weaknesses in corporate encryption and so to insert itself into server-to-server information transfers, without the knowledge of the corporations.
The NSA practices go so far as to endanger the internet itself, since most people don’t want creepy G-Men peeping in on their privacy, and many may simply disengage from the internet to regain their privacy.
In a previous posting, I wrote of three complicating factors in the US search for a more viable balance between security and economic/diplomatic strategic goals: (1) the impact of cybersecurity policies on the competitiveness of US global firms; (2) the danger of “balkanization” of the internet; and (3) challenges to trade and diplomatic relations with key allies. The plan was to describe competitiveness issues in that posting and then move on to the other two challenges. Since that essay, however, a cascading series of events and decisions has raised the stakes in the debate over the role of government security surveillance and its impact on leading US telecommunications and IT firms. The result has been a widening of the gulf between supporters of the NSA and those who hold that the agency’s tactics must be brought under closer control. Thus, this post will further analyze the challenges to US competitiveness and the corresponding debate over the proper balance between national security and privacy rights; I will return to issues of balkanization and diplomatic complications in later postings.
Three events this week highlighted the uneasy juxtaposition of US high-tech competitiveness, privacy, and national security imperatives:
A White House meeting – not a showdown but certainly a “show me” occasion – between the President and 15 top executives from America’s leading high tech firms.
The hasty publication, in response to widespread leaks, of a report by a White House panel (the Presidential Review Group on Intelligence and Communications Technologies) that recommended sweeping changes in the organization and practices of the NSA.
And a widely publicized decision by a US federal district judge holding that the NSA’s collection of metadata was “Orwellian” in scope and “almost certainly unconstitutional.”
The White House meeting
The White House gathering was the culmination of a period of increasingly fraught relations between President Obama and Silicon Valley executives; the executives had overwhelmingly supported the President when he ran for the office in 2008, but have since June 2013 found their multinational operations increasingly threatened by allegations that the companies had – willingly or even unknowingly – provided the means for the NSA to collect huge amounts of data from their customers. As noted in my earlier posting, the Snowden documents show that, through cooperation, coercion, or stealth, the NSA has tapped into millions of phone and online communications; forced US companies to build entry points for spyware; and cracked encryption codes that protect global banking and consumer records, trade secrets, and medical data. The international backlash has been swift, providing openings for foreign corporate competitors and national governments to argue that the products and services of US high-tech firms are tainted and untrustworthy. As James Lewis of CSIS noted: “You’ve got German, Chinese, even Russian companies saying ‘Hey, buy from us, that way you won’t be at risk…’ that’s what this has become – an opportunity for commercial advantage as well as an uproar over privacy.”
Prior to the White House meeting, on December 9, a coalition of eight internet firms – AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo – had penned an open letter to the President and congressional leaders calling for significant reforms in the NSA intelligence-gathering process. The companies set out six principles for NSA reform, but within that framework, two recommendations stand out: first, prefiguring the White House panel, they pushed for more independence and an adversarial process before the FISA courts; and second, they recommended that the government limit its surveillance to specific circumstances and cease bulk data collection of internet communications.
The White House Panel
When it was created last August, the 5-member White House panel was widely viewed as tied closely to the administration and merely a vehicle to give cover for its views. Recent media reports – and the proof in the final recommendations themselves – show that, whether one agrees with the report or not, its members acted independently and, in some instances, made recommendations counter to developing administration positions. In the end, the report makes some 46 recommendations, of which 5 stand out as particularly pertinent for the issues discussed here:
The report found that the most controversial NSA program – the collection of bulk telephone data – was not justified by the results and should be terminated in its present form: “In our view, the current storage by the government of bulk metadata creates a potential risk to public trust, personal privacy and civil liberty.” In its place, the panel recommended a system in which such data be retained either by private telephone companies or by an independent body – and only for two years, not 5, which is the current policy. NSA would be required to obtain an order from a national security court in order to search such phone records.
The panel argued that a “public interest advocate” should be established to represent the “interests of privacy and civil liberties” before national security courts, so that the judicial process has the benefit of adversarial viewpoints.
The panel pushes for the NSA to terminate all programs and efforts to buy or create software that seeks out flaws in computer programs to use for intercepting insecure domestic connections or for counterintelligence attacks. Flaws so discovered should be turned over to the software companies for fixing.
It is suggested that privacy protections granted to US citizens under the Privacy Act of 1974 be extended to foreigners, adding to protection against the disclosure of personal information. Further, the panel recommends that decisions regarding spying on foreign national leaders be taken out of the hands of the security agencies and lodged in the White House.
The White House has committed to presenting its own policies for the NSA and broader cybersecurity challenges early in 2014, taking into account the panel’s recommendations. On that front, it has already knocked down two recommendations: one, that the NSA be headed by a civilian appointee; and two, that the agency be split, with the US Cyber Command, which conducts cyberwarfare, attaining a separate status. Still, in a number of interviews, President Obama has committed to propose “some self-restraints on the NSA and to initiate some reforms to give people more confidence.”
The Federal District Court Decision
This posting is not the place for a detailed examination of the legal implications of Judge Richard Leon’s sharply (even heatedly) written decision challenging the constitutionality of the NSA metadata sweeps. Even legal scholars sympathetic to the judge’s findings generally think there is a strong chance that his decision will not stand. Whatever the final outcome, however, in the short term the decision represents half of a one-two punch against the NSA and its current operations, the other half being the recommendations of the White House panel. Opponents of the agency, both among civil liberties groups and, more important, in Congress, have been pumped up and are now boisterously challenging the prior claim that until now no US court had found fault with existing NSA operations and practices. A leading antagonist, Sen. Ron Wyden (D-Ore.), stated exuberantly: “Judge Leon’s ruling hits the nail on the head,” and he vowed to press on with legislation curbing the NSA.
NSA Defenders
The NSA itself and its many supporters in the defense and security establishment have not been idle throughout all of this. In the boldest move to date, NSA Director General Keith Alexander went on CBS’s 60 Minutes to mount a strong defense of the agency and its current operations. He vigorously rebutted claims that the NSA was out of control and acting beyond the law, pointing back to the legal framework within which it works and to the fact that it constantly reviews its own operations – and seeks legal counsel in carrying out its statutory responsibilities. Alexander, who is retiring in 2014, could speak bluntly in answering critics. He urgently argued that the current tools for ferreting out terrorists – including mining metadata – should not be curtailed: “Well, my concern on that is specially (with) what’s going on in the Middle East…the probability that a terrorist attack will occur is going up. And this is precisely the time that we should not step back from the tools we’ve given our analysts to detect these types of attacks.” He severely criticized proposals to hive off the telephone data to individual telephone companies or an independent agency, arguing that the resulting system would be hopelessly clumsy and inefficient and would greatly lessen the ability to act quickly once a potential threat had been identified. His main message, in summary: “And to put it simply, we are doing two things. We are defending the country from future terrorist attacks, and we’re defending our civil liberties and privacy. There’s no reason we would listen to the phone calls of Americans. There’s no intelligence value in that.”
Where is all of this heading? At this point we are likely months away from any definitive actions to change NSA’s modus operandi. It must be remembered that, though some reforms could be put in place by executive order, major revisions would need congressional approval – and Congress, like the rest of the country, remains uncertain and divided over the correct balance between national security imperatives and bedrock privacy rights.
Still, here are my hunches about potential outcomes:
NSA metadata mining programs will not, in the end, be eliminated, though the agency may have to live with some restrictions. The key battle will be over the nature of any restrictions on data gathering. Due to opposition from both the NSA and phone companies, metadata traffic will not be parked in the private sector. While possible, creation of an independent body to store such data presents complicated issues of organization and authority.
More likely, some form of an adversarial system will be constructed within the legal framework that includes the NSA and the federal security courts. Again, the powers of such a “public advocate” will pose the strongest challenges.
The NSA will not be ordered to cease attempting to crack encryption codes of both American and foreign firms; and it won’t stop placing malware where it deems necessary for security reasons along the global internet supply chain.
The White House will take greater control of decisions to spy on individual world leaders, though the practice will not stop entirely.
Congress will not go along with extending privacy rights under the 1974 Privacy Act to foreigners.
I have no idea how the appellate courts and the Supremes will deal with Judge Leon’s decision – though I suspect that, despite admonitions from some of my colleagues here at AEI that the balance between national security and privacy should be determined by the Congress and the Executive, judicial actions may well intervene.
Source: http://www.techpolicydaily.com/technology/gulf-widens-nsa-supporters-opponents/