In cyber security, there are white hats and black hats.
Can hats be gray, too?
That's the question in my mind as new reports from The Guardian, The New York Times and ProPublica reveal that the National Security Agency of the United States "has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world."
To say this news is troubling is a massive understatement, regardless of one's personal politics. (If there is any coffee left in your morning pot, now's the time to have another pour.)
This weekend, The New Yorker's Matt Buchanan brought it home:
The most damning aspect of the new disclosures is that the N.S.A. has worked to make widely used technology less secure. The Times reports that in 2006, the N.S.A. intentionally introduced a vulnerability into an encryption standard adopted by both the National Institute of Standards and Technology and the International Organization for Standardization. This is deeply problematic, [researcher Matthew] Green writes, because the cryptographic industry is "highly dependent on NIST standards." The N.S.A. also uses its Commercial Solutions Center, which invites companies, including start-ups, to show their technology to the agency under the guise of improving security, in order to "leverage sensitive, cooperative relationships with specific industry partners" and covertly make those products more susceptible to N.S.A.'s surveillance.
If you've ever traveled in the U.S. and used Transportation Security Administration-approved luggage locks while reading a newspaper detailing how TSA agents sometimes rifle through personal items for things to steal, you know the feeling brought on by the disclosures above. Private companies comply with a government's demands in the name of security, then watch as that government becomes their worst enemy under the guise of good intentions.
How far can a white hat hacker go before it gets too much dirt on its hands? That's the sizeable gray area in these latest revelations.