Intelligence Services Disclosures and the Impact on Information Security
The Washington Post and other media outlets have provided extensive coverage of allegations made by Edward Snowden concerning some of the NSA’s surveillance programs. The allegations include:
- The NSA has unrestricted direct access into U.S.-based cloud services operated by Microsoft, Google, Apple and others.
- The NSA’s Tailored Access Operations subvert the security of endpoint computers and network devices.
- Commercial products, including encryption products, contain backdoors that allow access by the NSA.
- The NSA has secretly subverted the security of standard encryption algorithms.
While none of these allegations is new or surprising to those who follow the information security industry, the documents provided by Snowden do contain a level of detail that hasn’t previously been seen by the general public.
The existence of unrestricted direct access to the servers of North American cloud service providers is strongly denied by the companies concerned. They are, however, clear that law enforcement agencies are granted limited access on presentation of a properly executed warrant. It seems likely that the companies provide an air-gapped data room into which U.S. law enforcement agencies have direct access and into which the companies place specific information in accordance with thoroughly scrutinized warrants.
The Tailored Access Operations program researches and exploits the kinds of product vulnerabilities commonly used by the criminal community. It does seem likely that the NSA employs some of the most accomplished hackers in the world.
There are reported instances of backdoors in commercial products. However, Entrust has been crystal clear on this topic; neither its products nor its services contain backdoors.
Accusations that the NSA has “crippled” standard encryption algorithms have dogged the industry since the ’70s. But, with the obvious exception of the DES key size, no such vulnerabilities have been discovered.
Clearly, the NSA and its counterparts in other advanced countries have extraordinary computing power at their disposal. And they may direct this computing power at their highest-value military targets. Random-number generation based on elliptic curve cryptography (ECC) has been singled out as suspicious because of the NSA’s role in the standard-setting process and because of its potential to impact a broad range of security services. And while elliptic curve cryptography is not yet in widespread use, Entrust’s products support a wide range of curves from a variety of standard-setting organizations.
The information security industry is familiar with innuendo and conspiracy theory — as well as genuine advances in cryptanalytic capability — yet it has managed to protect users of all types of information systems from harm for many decades. It has done this by continuously advancing the security of its products and systems while minimizing the possibility for misconfiguration. We expect this approach to continue to work for many years to come.