By Anna Giles
Software security holes used by the National Security Agency to conduct broad surveillance can expose consumers to attacks from hackers, technology experts say.
NSA whistleblower Edward Snowden revealed that the NSA has purposely allowed vulnerabilities, or security gaps, in digital devices consumers use every day. These gaps allow broad surveillance, Bruce Schneier, a fellow at Harvard University’s Berkman Center for Internet and Society, said. The gaps disrupt encryption, opening the door for criminals who want to infect devices with malware or steal consumer information, Schneier said.
“The NSA goes in and deliberately weakens the security of things we use so they can eavesdrop on particular targets,” Schneier said. “Security is one of the ways we protect ourselves from criminal threats. What the NSA is saying is their mission trumps that. They want access to a single target so badly that they compromise the rest of us.”
Schneier was one of five Internet security experts who spoke Monday at an event hosted by the New America Foundation. They discussed how NSA surveillance programs undermine Internet security. The experts criticized the NSA for “lying to the American public” by weakening technology security standards established by the National Institute of Standards and Technology, a federal technology agency that works with industry to develop and apply technology standards.
“Consumer products are built on security standards established by the NIST, and those standards are supposed to be as strong as possible,” Danielle Kehl, a policy analyst at the New America Foundation Open Technology Institute, said. “But the NSA has exerted a lot of influence on the NIST, and as a result the NSA has been able to develop standards, or security tools, that contain vulnerabilities they know about and can exploit.”
The NSA defends its participation in standards development as strengthening the encryption technology that underpins the Internet.
“We do not make recommendations that we cannot stand behind for protecting national security systems and data. The activity of NSA in setting standards has made the Internet a far safer place to communicate and do business,” an NSA spokeswoman said in an email. “We focus on using our limited and fragile cryptanalytic capabilities against our nation’s valid foreign intelligence targets.”
Popular digital video services, such as Skype, are believed to contain vulnerabilities that the NSA can taps, Kehl said. Instead of maintaining vulnerabilities that allow the NSA to listen to private conversations, the NSA should notify technology businesses about these security holes to keep consumers safe.
The event was held a day after the Washington Post revealed that ordinary Americans far outnumber targeted foreigners in communications intercepted by the NSA.
Schneier said that as this NSA strategy of maintaining vulnerabilities becomes more publicly known, Americans and businesses abroad will have much less faith in U.S. products, which could damage businesses.
“So this very act of undermining not only damages our security, but it undermines our fundamental trust in the things we use to achieve security. It’s very toxic,” Schneier said. “Other countries are saying, why should we buy this U.S. thing? The NSA has probably dinked with it.”
In August 2013, President Barack Obama created a Review Group on Intelligence and Communications Technologies headed by the director of national intelligence to investigate “how the U.S. can employ its technical collection capabilities in a manner that optimally protects national security and advances foreign policy while respecting our commitment to privacy and civil liberties.”
Reach reporter Anna Giles at email@example.com or 202-326-9861.