Encryption blow-up: Snowden’s latest revelations a wake-up call for the internet

6 Sep 2013

Leading voices in the internet and IT security industry have said they are not surprised at former CIA contractor Edward Snowden’s latest revelations about US spy agencies investing heavily to break apart encryption systems, in some cases allegedly with the help of technology companies. The key lesson is the internet is just not a secure environment.

Both the New York Times and The Guardian were given top-secret files by Snowden that claim security agencies can decipher hundreds of millions of people’s email, medical records, online transactions and more.

The documents allege that covert partnerships exist between ISPs and software companies, and that secret vulnerabilities have been inserted into commercial encryption software with these companies’ collusion.

It is understood the US’ National Security Agency (NSA) spends US$250m a year on deciphering encryption technologies to give the US “unrestricted access to and use of cyberspace.”

No surprises

“The revelations come as no major surprise, the surprise, though, is the extent to which it is alleged to be happening,” said Brian Honan of BH Consulting. Earlier this year, Honan was named Information Security Person of the Year by influential IT security publication SC Magazine. “It has been well known in the past that government agencies have wanted to be able to intercept secure communications in their fight against criminals and terrorists. The Clipper program from the 1990s is one of many examples of this,” Honan said.

Dermot Williams, managing director of Threatscape, was equally unsurprised at the revelations and sees a lot of historical resonance to the whole story. He said SigInt (signals intelligence) is as old as warfare itself in terms of ciphers, attempts to break codes. In fact, taking in the history of warfare over millennia, Bletchley Park and Alan Turing, he makes the point that the computer was invented to break codes in the first place.

Williams believes the directors of the NSA and the UK’s Government Communications Headquarters (GCHQ) are more than likely seething at how much information Snowden has released. “The fact that these modern agencies are deploying massive resources to the interception and decryption of communications traffic should surprise nobody.

“SigInt is a large part of the NSA’s mission and decrypting protected messages is a vital part of that,” he said, pointing to stories such as the alleged NSA decryption key in Windows, the clipper chip and overseas governments refusing to allow BlackBerrys to be used by government agencies because of eavesdropping concerns.

The Irish Internet Association’s Joan Mulvihill says the latest revelations aren’t news. “I can see no logical reason why government security agencies would not be interested in cracking encryption. It is inevitable and actually as old a story as Bletchley Park during World War II.  Why would anyone think otherwise? The fact that it is even considered revelationary is strange.”

The CEO of hosting and internet registrar company Blacknight Michele Neylon also believes the revelations on account of the US government’s track record with respect to cryptography. “Earlier versions of some of the technology being used commonly today was restricted by the US government.

“They lost that battle, but they’ve always wanted to be able to see everything that was going on.”

NSA and tech-sector collusion

Asked if he thinks there is any truth to the allegation that telecos and software companies have been complicit in creating ‘back doors’ into encryption for the NSA, Neylon said: “Unfortunately, yes. A lot of people forget how big the contracts with government are for software companies and telcos and while many of the big software companies are happy to deny any collusion with the US government you’d have to wonder.

“It’s quite common for a software vendor to inform their bigger customers of a security issue before going public with it. In fact, several companies have clauses in their contracts with us that oblige us to disclose the issues to them without making them public.”

But the issue may even go deeper than that. According to Honan, there is evidence the relationship works both ways – that the NSA used intercepted traffic to support US companies in commercial bids against EU companies.

Honan added: “The allegations relating to the extent and the level of complicity by these unnamed companies is a cause for concern. Anyone working in the security arena is well aware of similar allegations made by US and other western governments against technology vendors from countries such as China. It’s a logical assumption that similar activity has been happening in many other countries, too.”

Mulvihill said it is important, however, not to tar all companies with the same brush. “I’m really not entirely sure how devastating it is. It depends. Would you be more crushed by a betrayal of trust by your government or a betrayal of trust by your service provider (internet, telco or software)? The answer to that question is likely to be more revealing in terms of where we are as a society and how the hierarchies in society have changed, if at all.”

Keep on surfing in the free world

The truth is, said Neylon, the internet has become a part of the fabric of our society and it is a fire that just cannot be put out.

“I trust the internet. I don’t, however, trust that governments are the best organisations to decide how the internet should be used or how it should evolve. The internet has made our lives considerably better in so many respects.

However, you cannot ‘control’ the internet and allow it to flourish at the same time. And if we cannot trust the internet then its ongoing growth is at risk.

“The revelations over the last few months have sent shock waves through the internet industry and more and more people who aren’t involved regularly are beginning to take interest.

“If we, the public, don’t make it clear to our governments how we feel then the governments will try to control the internet more and more and use whatever they can to watch us all. However, most governments are elected, and you can’t get elected without the support of the public. So if public opinion is brought to bear against them one could hope that they’d listen.”

Williams urges that rather than getting caught up in the hysteria surrounding the revelations, people need to be pragmatic and look at the problem from a variety of perspectives.

“This comes down to one of the classic dilemmas of a free world: which do you really prefer, a spy-state world where governments can spy on anybody at will (great for investigating terrorists and progressing shadowy state agendas, horrible for civil liberties and personal privacy), or one where everyone has access to covert communication, unbreakable encryption and absolute online anonymity (at the price of such tools being available to ALL – whether it is your online banking or private medical records being protected, or the dark whispers between terrorists, paedophiles, etc)?”

Honan agrees and points out that a balance needs to be struck between what is genuine privacy and what the world’s security apparatus need to do to protect and save lives.

Redrawing the boundaries between security and freedom

“The world has not changed.Criminals, terrorists, and spies still continue to do what they do. The internet simply allows them to scale their operations, in the very same way the many businesses can scale their operations and global reach. The key issue that many do not appreciate is the internet was never designed or built to be a secure environment. In addition, many of the operating systems and software packages we use were not designed to be secure, particularly for the way they are being used now. It is possible to make your online activity more secure, but it requires sacrificing usability and functionality to achieve that which many people have been unwilling to do.

“What I hope will happen is that this will be a wake-up call to many to realise the internet is inherently not a secure environment and that this is not just a technology problem. It is also a people problem in that we need to accept more responsibility for securing our online lives and protecting our privacy.

“We also need to demand better transparency from governments, telcos, ISPs, and vendors to make the internet a secure environment where we can conduct our personal and business lives.”

Only time will tell whether history will be kind to Snowden – is he a traitor who betrayed his country, is he a freedom fighter who woke the world from sleep walking into a globalised police state after becoming indignant at what he perceived as attacks on civil liberties and decency?

Whatever he has done, in the relatively short history of the internet as we know it, he has provoked a debate that may just save the internet, the world and our values from being lost in the fog of war.

Explosion image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com