Cryptographers are fighting back against efforts by spy agencies to secretly weaken the encryption standards designed to keep the Internet secure.
In an open letter posted online Monday, security experts from universities in the United Kingdom and Luxembourg blasted the National Security Agency and its British counterpart GCHQ for what they describe as the “systematic undermining of cryptographic solutions and standards.” The letter was written in response to a jointly reported scoop by the New York Times, ProPublica, and the Guardian that revealed earlier this month how the NSA and GCHQ were working to break and in some cases covertly subvert common forms of encryption. In at least one case, for instance, the NSA apparently planted vulnerabilities in an encryption standard adopted by the National Institute of Standards and Technology, the federal agency responsible for recommending cybersecurity standards, presumably so that it could exploit it for spying.
The academics’ strongly worded letter demands that the U.K. Parliament’s intelligence and security committee—which is tasked with conducting oversight of the country’s spy agencies—open an urgent investigation into the encryption subversion. They write:
By weakening cryptographic standards, in as yet undisclosed ways, and by inserting weaknesses into products which we all rely on to secure critical infrastructure, we believe that the agencies have been acting against the interests of the public that they are meant to serve. We find it shocking that agencies of both the U.S. and U.K. governments now stand accused of undermining the systems which protect us. By weakening all our security so that they can listen in to the communications of our enemies, they also weaken our security against our potential enemies.
In the United States, too, there is mounting anger over the spy agencies’ covert attempts to break encryption. The NSA’s clandestine conduct appears to be causing tension between government agencies, with the National Institute of Standards and Technology last week distancing itself from the NSA. NIST put out a statement that included a footnote recommending that people steer clear of an encryption standard reportedly targeted by the NSA, and it attempted to reassure people that it “would not deliberately weaken a cryptographic standard.” Johns Hopkins University cryptography researcher Matthew Green told the New York Times that he knew “from firsthand communications that a number of people at NIST feel betrayed by their colleagues at the NSA.”
Spy agencies have historically devoted significant resources to analyzing and attempting to break forms of encryption so that they can read secret messages passed between countries. In June, leaked documents from former NSA contractor Edward Snowden showed how the agency had been granted authority to intercept and indefinitely store any encrypted communications for “cryptanalytic, traffic analysis, or signal exploitation purposes.” However, deliberately attempting to weaken encryption standards before they are used is a particularly controversial tactic because there is no guarantee that adversarial countries or criminal hackers could not also find and exploit these vulnerabilities.
On the flip side, it’s not all bad news. The revelation that the NSA and GCHQ have had to resort in some cases to sabotage and circumvention of encryption illustrates that uncompromised encryption tools still have a crucial role to play in helping thwart mass surveillance. As Snowden said during a June Q&A session: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”