Obama's Difficult Choice on Encryption60-Day Review Under Way on NSA's Exploitation of Encryption
President Obama faces a dilemma in deciding whether to prohibit the National Security Agency from tinkering with encryption as one way to collect intelligence data from adversaries who threaten to harm America.
See Also: Passwords Alone Aren't Enough
The origins of the NSA date back to World War I, when the Army created a unit to decipher enemy code. In the 21st century, the NSA still breaks secret codes used by our adversaries to identify threats, and that could mean tampering with encryption. Don't we want the NSA to break encryption to find out how our enemies seek to harm us?
What's different today than nearly 100 years ago is that our enemies don't necessarily write the code that protects their secrets.
But at the same time, as a panel of experts last month told President Obama: "Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible. For the entire system to work, encryption software itself must be trustworthy. Users of encryption must be confident, and justifiably confident, that only those people they designate can decrypt their data."
What's different today than nearly 100 years ago is that our enemies don't necessarily write the code that protects their secrets. Here's how Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University, explains the predicament the White House faces on deciding how far to limit the NSA's ability to exploit encryption: The good guys and bad guys use the same technologies and Internet sites protected by commercial encryption.
Balancing Safety with Rights
"The fundamental hard problem behind all of this is how do we show respect for the privacy rights of all the people and organizations using things appropriately while at the same time giving ourselves reasonable opportunities to know about and possibly counter moves by bad actors who are using the same things?" Spafford asks. "That's a tough, policy-type of issue that's been debated back and forth for as long as there's been intelligence agency and as long as there are parties with different goals."
In a speech Obama delivered Jan. 17 revealing new limits on the way intelligence agencies collect telephone metadata (see Obama Orders Review on Use of Big Data), the president did not tackle most of the 46 recommendations submitted last month by the panel of experts, including one to prevent the NSA from subverting initiatives to create secure encryption to safeguard confidential communications and data (see Panel Recommends Limits on NSA Surveillance).
Though the president didn't mention encryption is his speech, an administration spokeswoman - Caitlin Hayden - said the president has asked Cybersecurity Coordinator Michael Daniel and the Office of Science and Technology Policy to jointly lead a study on encryption safeguards and report the results within 60 days. "We support the recommendation's aim to protect the integrity of standards for commercial encryption," Hayden said after the president's speech.
Where did the NSA possibly go too far?
NSA's critics, including noted cryptographer Bruce Schneier, suggest that a cryptographic random-number standard promoted in guidance from the National Institute of Standards and Technology might contain a backdoor to allow the NSA to spy on organizations employing the random bit generator. NIST has withdrawn the standard pending further review (see NIST Review Won't Disrupt Work with NSA).
In December, reports surfaced that security vendor RSA received $10 million to set an NSA formula as the default method for number generation in RSA's BSAfe software. But RSA denied allowing NSA to provide a backdoor to compromise its security software (see NSA Reports Sullying Vendors' Standings?).
Allan Friedman, co-author of the just-published book "Cybersecurity and Cyberwar," says it's the NSA's job to break encryption for the intelligence community but the agency pushed organizational boundaries "a little bit further than most people are comfortable with."
Friedman says no one at the NSA took the responsibility for balancing its actions on encryption with the risks it posed of portraying the United States government as insensitive to the economic impact of those actions. "If someone [else] had been in the room when some of these programs had been proposed, at least the NSA leadership would have been forced to deal with the observations of how it is injuring the other American interests and would have had to justify why it was in America's interests [to do what it did]," he says.
Purdue's Spafford says there are times when it could be appropriate to tamper with IT products, such as wares known to be used only by our adversaries. But, he sees tampering as inappropriate if it would impede with standards, such as those published by NIST.
"We have to decide on those things that are so important - so fundamental, foundational to international communication, trade and trust - that we don't mess with them," Spafford says.
Yet, at the same time, we need to allow the NSA to use its know-how to crack secret coding our enemies use to keep their nefarious plots hidden without jeopardizing individuals' privacy, civil liberties and the economic vitality the Internet offers. I don't envy Daniel and his White House colleagues who are working on coming up with a balanced plan, but no one said their jobs would be easy.
What would you do?