Sample Research Paper on Encryption NSA vs. The private sector

Encryption NSA vs. The private sector

Introduction

Data encryption is becoming increasingly important given the sensitivity and value of information passed between corporations and individuals, as well as information stored in data banks. The advancement in technology and the rise of cases of data theft even more than ever requires that data in transit and in storage is kept safe from hackers and any other individuals who may have sinister motives in disseminating sensitive data. The issue of unlawful dissemination of information brings into mind the recent release of sensitive information by Edward Snowden, a system administrator at N.S.A. Many have reiterated the need for encryption, with some claiming that proper encryption of the N.S.A file, with a requirement for a decryption key, would have exposed Snowden in his attempt to disseminate the information. With the Snowden revelations, however, the safety of private, corporate, and financial data has been put in question given details that the N.S.A. and other foreign intelligence agencies (Government Communications Headquarters of Britain) have circumvented encryption over the web, and can now easily access this information without knowledge of the users (Larson, Perlroth & Shane, 2013).

Snowden’s revelations have thus raised the question of the safety of data, given that the government has had sinister motives in the design and implementation of cryptography standards. By arm-twisting NIST (National Institute for Standards and Technology) to allow for backdoors in encryption software, NSA would gain access to the encryption software and therefore access to any encrypted data. Since the law that guides the creation of encryption software as stipulated by NIST has NSA input, both the private sector and individuals are at the mercy of the NSA, as the law allows for stronger NSA manipulation and access to the software.

The use of encryption on data and other systems has its roots in government suspicion of adversaries and the protection of citizens. Most governments have seen the need to spy on other governments to preempt any moves that may jeopardize their position or interests in the given country or other countries. While it was customary for government to use cryptography and cryptanalysis, the only other entities that made wide use of cryptography were huge corporations, which could easily be influenced by the government. With citizens’ protection and spying in mind, the  US government, through NSA ” imposed export restrictions on cryptographic technologies, to try to prevent them getting to countries with hostile interests”(Farrell, 2014). Through such restrictions, therefore, it was possible for NSA to spy on other countries and corporations as well as protect the system from alien cryptanalysis, with no clash between the two functions that it was performing.

Onwards into the 80s however, hurdles and intricacies developed for NSA in the two roles it had been performing as the private sector began the use of cryptography as well as pushed for more secure codes (Farrell, 2014). The private sector’s clamor for more secure codes presented a problem for the NSA since these were difficult to crack, and could also find their way to foreign markets, given that they were in the private sector, therefore impeding NSA’s goal of securing its system while eavesdropping on foreign jurisdictions.

The solution to this, according to NSA, was to expand its authority over the private and public sector (Diffie & Landaus, 2010). The intention of this extension of power was to allow the NSA to influence the standards in cryptography in the private sector. Disappointingly for the NSA however, “the U.S. Congress was suspicious of the NSA, and put a different body, the National Institute for Standards and Technology (NIST), in charge of private sector cryptography standards” (Farrell, 2014). This, naturally, did not sit well with the NSA; even though its authority would still be felt since it had informational control over the software-making process. NSA’s original intention had been the insertion of a back door into encryption software developed by the private sector, given the more capable levels of encryption, and therefore their inability to crack such systems as developed by the private sector.

Given the poor funding of the NIST and the lack of technical experts, it became necessary for NIST to seek advice from NSA over technical matters and the development of cryptographic policy and standards. With technical expertise and resources at its disposal, therefore, “the NSA was better able to shape NIST standards much more than Congress had ever envisaged” (Farrell, 2014). This marked the beginning of NSA’s inroads into cryptography since any software developed afterward was required to meet the standards provided by NIST, under the guidance of the NSA.

With the loss of the “Crypto Wars” even after the investment of billions in their desire to continue surveillance, the NSA had to look for new ways of continued hold on their ability to eavesdrop (Larson, Perlroth & Shane, 2013). The loss of the public inquest for the NSA followed the development of Pretty Good Privacy by Zimmerman, a program that brought access to novel and influential cryptographic capabilities to a majority of computer users. As a result of the software development, “U.S. authorities investigated Zimmerman for breach of export controls law but had to give up when privacy activists pulled a series of clever stunts that made the law effectively unenforceable”(Farrell, 2014).

The home front war however is at war given the pressure from the public and private sector for better cryptography. Attempts to resolve the problem and the demand had been the creation of a law-enforcement-friendly way in which the government would be allowed entrance to encrypted communication. These efforts by the NSA failed to yield any fruit as the government lost “to an alliance of civil liberties activists (who wanted strong cryptography for individuals) and businesses (which wanted to get rid of export control rules that they saw as hampering U.S. competitiveness)” (Farrell, 2014).

Yet the NSA did not stop at that even after such loss to the private sector and liberal activists. According to documents released by the Snowden dossier, the government, through the NSA “deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products” (Larson, Perlroth & Shane, 2013). The collaboration was however much of pressure on the part of the NSA to the technology companies such as Google, Yahoo!, Microsoft and Facebook. With threats of jail terms and treason branding, most of these tech giants had no choice but to budge under the mounting pressure by NSA for user data on the corporation’s websites. This was in addition to well-executed man-in-the-middle attacks on sites such as Google, through a technique that circumvented encryption, thus redirecting users to a fabricated website, which would relay user information entered in the site to its data banks. Much of this feat was made possible through the NSA’s authority over NIST standards and a push for the adoption of a newly developed cryptography approach.

Known as the Elliptic Curve Cryptography, NSA had recommended this in-house cryptographic standard, given that the NIST had previously indicated that the 1024-bit parameters used in the public key systems would be insufficient for use after 2010 (NSA, 2009). NSA had therefore claimed that its new encryption approach offered “more security per bit increase in key size than either RSA or Diffie-Hellman public key systems” as well as being more “computationally efficient than the first-generation public-key systems, RSA and Diffie-Hellman. Although elliptic curve arithmetic is slightly more complex per bit than either RSA or DH arithmetic, the added strength per bit more than makes up for any extra compute time” (NSA, 2009).

The development of this key was in essence, however, an attempt by the agency to give it a free ride into any person who used these standards. Additionally, the NSA also entered a deal with RSA, one of the biggest security firms in the computer industry, to use the elliptic curve arithmetic standard claimed to generate random numbers for the provision of security, as well as the creation of a back door in RSA’s security products (Menn, 2013). Much of these revelations became apparent following Snowden’s leaks, making RSA the distributor of the flawed security software that allowed the agency to eavesdrop on communication and access encrypted files. The code within the software allowed NSA to snare communication and file before the encryption process (Larson, Perlroth & Shane, 2013).

Although NIST withdrew the NSA-supported standard and began a review of its previous encryption standards for assessment of their subversion (Farrell, 2014), it goes without saying that it is apparent that NSA would go to the extreme ends to ensure that it has access to personal and corporate information and communication. NIST and the International Organization for Standardization had promulgated, in 2006, the Dual Elliptic Curve Deterministic Random Bit Generator standard developed by the NSA, and was embedded in software used by both the government and private sector since then. Although RSA has so far instructed its customers to cease the use of the algorithm, following the revelations by the Snowden documents (Menn, 2013), one can only imagine the amount of information NSA has tapped from both individuals and corporations from the algorithm promulgation in 2006 to the revelations in 2013.

The Dual Elliptic Curve Deterministic Random Bit Generator has not been the only attempt by the NSA to infiltrate private networks, hardware, and the IT sector. Clipper Chip had been a hardware proposal by the Clinton administration for the private sector to adopt (Menn, 2013). The hardware had an encryption key with freeways for the NSA to access through key escrows. This had been a rejoinder to Zimmerman’s PGP, which had made it difficult for the NSA to crack and tap. The hope had been that Clipper Chip would be widely adopted. However, “A key argument against the chip was that overseas buyers would shun U.S. technology products if they were ready-made for spying” (Menn, 2013). This consequently led to the abandonment of the technology with a focus on export control laws, as prevention of access to cryptography across US borders.

On the eve of the revelations by the media, the NSA had appealed against the publication of the revelations (Larson, Perlroth & Shane, 2013). The claim for such an appeal was that the revelations would expose precise and top-secret aspects of the agency’s process of intelligence gathering. Additionally, the NSA claimed that such revelations, while adding to the public debate on the issue of privacy and government surveillance, would hand out techniques used by the agency to its adversaries. The publication of the revelations had however followed the line of the value that such revelations would contribute to the public debate, especially the claim that the government’s actions were in fact undermining some of the most critical privacy tools.

NSA’s desire to continue its clandestine spying activities stems from its claim national security standpoint. Specifically, the agency is “trying to deal with a situation in which it either accepts that everyone will use strong cryptography (which provide ordinary people with great security, but which it has great difficulty in cracking for its own purposes). Or try to secretly weaken this cryptography (which may weaken everyone’s security, but allows it to crack codes that would otherwise be very hard or very cumbersome to break)” (Farrell, 2014). While it did not have to make the choices in its previous position given the export laws and the minimal use of cryptography by the private sector, the changing information communication landscape is not giving it much of a choice. Today, the agency is faced with the dilemma of trying to break code it helped build through standardization. Its desire to weaken the very standards that have made the internet and data encryption safe and possible is potentially detrimental. The move will therefore mean “weakening cryptographic protections for U.S. businesses and individuals, so as to allow it access to encrypted communications that are relevant to its mission, and that it would otherwise have found too hard (or too labor-intensive) to break” (Farrell, 2014).

Such feelings also pervade the agency’s released cryptographic suites A and B. According to NSA, Suite A cryptography, which does not expose its algorithms is trained towards national security agencies. The suite is intended for extremely sensitive communication and critical authentication systems. The idea behind hiding the algorithms, according to NSA is to provide better security, particularly for the government (NSA, 2009). This suite is not released to other organizations making it less available to the public. Suite B on the other hand has its algorithms publicly available and establishes cryptographic benchmarks for software encryption. Suite (B) includes components such as advanced encryption standards, secure hash algorithms, elliptic Diffie-Hellman, and elliptic curve digital signature algorithms. NSA licenses the suite and the agency licenses to any vendor creating components or products employed in the protection of national security information.

Most private-sector cryptography software is based on NSA’s Suite B cryptography given the aforementioned fact of suite A’s availability to government agencies and communication of extreme sensitivity. For the private sector, therefore, the purpose for having cryptography is likely for the prevention of crime. Given the vast amounts of sensitive data and confidential information sent over the electronic avenue, high-quality encryption from their own generated software becomes the only possible way of preventing eavesdropping and criminal activity (Farrell, 2014). Under such circumstances, it is only sensible therefore that the private sector deploys large-scale encryption for their inbound and outbound communication, both at home and abroad.

Additionally, as a business industry, domestic-made encryption software needs to use cutting-edge technology given that other companies in other continents are already developing encryption software. To compete competitively with the other continents, therefore, it is necessary that the private sector encryption software be free of bugs and backdoors that would allow manipulations by governments and other malicious non-state actors who would explore such vulnerabilities. Thus, while the basic point of NSA’s encryption software is to create encryption that they can easily manipulate the private sector’s software look into the provision of high-quality encryption to their clients. In its very self, such a move is a basic betrayal of trust put on the agency by the private sector and other private individuals.

The general outcry of the public, as well as security experts from the Snowden revelations, is that NSA’s contribution was supposed to be towards the creation of a strong and secure standards platform for both businesses and individuals. Everyone in the industry is therefore disillusioned since NSA “gimmicked the process so that it produces deliberately flawed standards. Cryptographers worry that not only the NSA, but other actors too, might be able to get access to encrypted communications if they are able to discover the backdoor” (Farrell, 2014).

The idea of backdoors built into systems is of much concern given the gravity of its discovery by malicious individuals. Security experts are especially concerned that apart from undermining encryption efficacy, backdoors make the whole system vulnerable (Farrell, 2014). Moreover, it is possible that other individuals can probe, find and utilize these backdoors, much as the NSA would use them for its clandestine purposes. Evidence of the use of backdoors for malicious purposes is visible through the famous manipulation of a backdoor in Vodafone’s Greece mobile network, which was manipulated to tap into top government executives’ telephone conversations including the Greek Prime Minister.

NSA’s manipulation of security standards is all deemed at making private-sector encryption weaker for their own manipulation and eavesdropping. Therefore, given that the standards provided by NIST are all NSA engineered, reliance on NSA-provided standards not only leaves companies vulnerable to NSA decryption and eavesdropping but other actors as well. In essence, while NSA secures its data and communications by using other standards, such as the Suite A protocol, it leaves corporations and individuals vulnerable to its own manipulations. Because the internet has become a virtually indispensable part of everyday life from business to communication as well as socialization, many internet and software security experts have reiterated the need to rebuild the internet from scratch in a move that would ensure the incorporation of authentic cryptography for even the simplest of communication within the network. Notable is that the NSA has remained quiet in this ongoing debate over the need for remaking of the internet and software protocols. This is probably suggestive of the difficult position that the agency has found itself from the Snowden revelations and the changing tide of its role in internet security and cryptography. While the private sector struggles to make even better encryption software to guard its valuable data and communications, it is necessary that the NSA also works to be more receptive to these changes to ensure the security of both the citizens and the businesses that operate within its jurisdiction.

References

Diffie, W. & Landau, S., (2010). Privacy on the Line: The Politics of Wiretapping and Encryption. New York: The MIT Press

Farrel, H., (2014, February 12). The Political Science of Cybersecurity II: Why cryptography is so important. The Washington Post. Retrieved from http://www.washingtonpost.com/blogs/monkey-cage/wp/2014/02/12/the-political-science-of-cybersecurity-ii-why-cryptography-is-so-important/

Larson, J., Perlroth, N., & Shane, S., (2013). Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security. Pro Republica, The New York Times & The Guardian. Retrieved from http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

Menn, J. (2013, December 20). Exclusive: Secret Contract Ties NSA and Security Industry Pioneer. Reuters. Retrieved from http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

NSA, (2009).The Case for Elliptic Curve Cryptography. NSA. Retrieved from http://www.nsa.gov/business/programs/elliptic_curve.shtml