At a time when politicians are exploiting the recent tragic events in France in order to push through legislation banning or backdooring strong encryption, the release of a new batch of documents, courtesy of Mr Edward Snowden, could hardly have been timelier.
‘Will make sure that it is a comprehensive piece of legislation that makes sure we do not allow terrorists safe space to communicate with each other… That is the key principle: do we allow safe spaces for them to talk to each other? I say no, we don’t, and we should legislate accordingly.’
The documents reveal some quite shocking information, but perhaps the most pertinent to the current heated debate is a document addressed to the National Intelligence Council, and shared with GCHQ, which describes encryption as the ‘best defence’ for computer users when protecting private data. According to the Guardian,
‘An unclassified table accompanying the report states that encryption is the “[b]est defense to protect data”, especially if made particularly strong through “multi-factor authentication” – similar to two-step verification used by Google and others for email – or biometrics. These measures remain all but impossible to crack, even for GCHQ and the NSA.’
The report also notes that ‘due to the slower than expected adoption … of encryption and other technologies,’ hacking attempts cost the global economy up to $400bn a year.
It is well understood within security circles that a backdoor or deliberate weakness introduced to allow a government access to encrypted data is also a backdoor for criminals and hackers from rival governments. As the recently released documents acknowledge,
‘Almost all current and potential adversaries – nations, criminal groups, terrorists, and individual hackers – now have the capability to exploit, and in some cases attack, unclassified access-controlled US and allied information systems…[The] scale of detected compromises indicates organisations should assume that any controlled but unclassified networks of intelligence, operational or commercial value directly accessible from the internet are already potentially compromised by foreign adversaries’
In sharp contrast to recent government panics about encryption being too strong for them to access, the report praises Google and other US tech giants for their increased use of encryption,
‘We assess with high confidence that security best practices applied to target networks would prevent the vast majority of intrusions.’
Despite this recognition of the value of encryption, the NSA and GCHQ have run a long term campaign aimed at breaking, weakening, or backdooring all major international encryption standards (fortunately not with 100 percent success).
The new batch of documents includes a classified memo to then UK foreign secretary, David Miliband, requesting the renewal of warrant allowing GCHQ to ‘modify’ various commercial software applications, including programs used widely throughout the world to run web forums, and website administration tools.
The same document also mentions that GCHQ has been working to ‘exploit’ Kaspersky Labs’ anti-virus software, and has,
‘Capability against Cisco routers, allow[ing] us to re-route selected traffic across international links towards GCHQ’s passive collection systems.’
Faced with a collapse in consumer confidence with their products which is costing the technology industry billions of dollars, tech companies are beginning to push back. Christopher Soghoian, principal technologist for the American Civil Liberties Union stated that ‘it’s either secure or it’s insecure,’ and Michael Beckerman, president and CEO of the Internet Association (a lobby group whose members include technology companies such as Facebook, Google, Reddit, Twitter, and Yahoo, said,
‘Just as governments have a duty to protect to the public from threats, internet services have a duty to our users to ensure the security and privacy of their data. That’s why internet services have been increasing encryption security.’