I have decided to pick out one specific, very disturbing tactic used by the NSA in recent years to facilitate surveillance and make a Federal issue of it. As I detailed last week, back in 2007 the NSA submitted an algorithm for random number generation to NIST (the National Institute of Standards and Technology) which contained a "back door" to allow them to crack encrypted communications which employed the standard.
This is disturbing in many ways and I suspect that very few people would defend it out in the open. I have sent the letter below to the members of Congress named in it, explaining what happened and why they must pass a law clearly and unambiguously barring such activities. Perhaps it's not just government agencies which should be so prohibited, but anyone, anywhere.
House Permanent Select Committee on Intelligence
Chair Mike Rogers
Ranking Member C.A. Dutch Ruppersberger
House Committee on Science, Space, and Technology
Chair Lamar Smith
Ranking Member Eddie Bernice Johnson
Senate Committee on Commerce, Science and Transportation
Chair Jay Rockefeller
Ranking Member John Thune
Senate Select Committee on Intelligence
Chair Diane Feinstein
Ranking Member Saxby Chambliss
Subject: The subversion of standards by the NSA
I write this letter to call on Congress to outlaw one specific, especially disturbing technique used by the National Security Agency in their efforts at surveillance on the Internet: the subversion of standards established by other government bodies.
In 2007, NIST (the National Institute of Standards and Technology) approved an algorithm promoted by the NSA (Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator) as part of a standard (SP 800-90) for random number generation. Random number generation is an important part of secure cryptography and a difficult problem, so established and reliable standards are to the benefit of all. Due to their renowned expertise in the field, NSA had participated extensively in standards processes and gained a great deal of respect for it.
Unfortunately, before too long, researchers at Microsoft found and published details on a vulnerability in the algorithm that could function as a "back door" to allow a third party to predict values and use the fact to compromise encrypted data. Many concluded at the time that the NSA had put the back door in deliberately to facilitate surveillance. The latest revelations from NSA documents leaked by Edward Snowden confirm this suspicion: the NSA intentionally introduced a weakness into a government-published standard in order to exploit it.
Standards such as SP 800-90 are relied upon by parties the world over, not least of which are other agencies of the US government, many of them involved in defense and intelligence, as well as protecting the privacy of innocent citizens.
The role of NIST is pursuant to a clear and uncontroversial exercise of authority granted Congress in Article I section 8 of the US Constitution: "The Congress shall have Power To … fix the Standard of Weights and Measures". In this role, NIST and other US bodies have led the world in the establishment of standards which facilitate the development and interoperability of technology. It is a function that has been to the benefit of the whole world.
The role of the US government should be to protect the integrity of those standards rather than to weaken them. Certainly NSA is not the only organization attempting to subvert important standards like Dual_EC_DRBG. But it's hard to get outraged by foreign powers working to compromise our technology when our own government is doing it too. The argument I've heard that such a ban would be “unilateral disarmament” doesn't stand up to scrutiny; our own abuses of Internet standards do not, in any meaningful way, combat the same abuses by other parties. They just compound the problem of a loss of trust in basic technological areas in which the US has long been the world leader.
I therefore respectfully suggest that a law be passed which clearly and unambiguously prohibits such actions by agencies of the US government. It may be worth banning such actions by anyone, private or public, foreign or domestic.
Contributing Editor, ZDNet
- New York Times, September 5, 2013; "N.S.A. Able to Foil Basic Safeguards of Privacy on Web" - http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html
- Seltzer, Larry; ZDNet, September 6, 2013; "Has the NSA broken our encryption?" - http://www.zdnet.com/has-the-nsa-broken-our-encryption-7000020307/
- Schneier, Bruce; Wired, November 15, 2007; "Did NSA Put a Secret Backdoor in New Encryption Standard?" - http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
- Dan Shumow and Niels Ferguson, Microsoft; "On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng" - http://rump2007.cr.yp.to/15-shumow.pdf
cc: Dr. Patrick Gallagher (Director, NIST)