The US National Security Agency has been rebuffing efforts by a leading Congressional critic to determine whether it is continuing to place so-called back doors in commercial technology products, a controversial practice that critics say damages both American industry and national security.
The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden.
These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other nations, such as interception of terrorist communications.
The agency developed new guidelines for such practices following the Snowden leaks so as to reduce the chances of exposure and compromise, three former intelligence officers told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing the gist of the guidelines.
“Secret encryption back doors are a threat to national security and the safety of our families — it’s only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security,” Wyden told Reuters.
The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency was rebuilding trust with the private sector through such steps as offering warnings about software flaws.
“At NSA, it’s common practice to constantly assess processes to identify and determine best practices,” said Anne Neuberger, who heads NSA’s year-old Cybersecurity Directorate. “We don’t share specific processes and procedures.”
Three former senior intelligence agency figures told journalists that the NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of warning if the back door gets detected and controlled by adversaries.
The ongoing quest for hidden access comes as governments in the US, the UK and elsewhere seek laws that would require technology companies to let governments view unencrypted traffic. Defenders of strong encryption say the NSA’s sometimes-botched attempts to install back doors in commercial products show the dangers of such requirements.
Critics of the NSA’s practices say they create targets for adversaries, undermine trust in American technology and hamper efforts to persuade allies to reject Chinese technology that could be used for espionage, since US equipment can also be turned to such purposes.
In at least one instance, a foreign adversary managed to take advantage of a back door invented by US intelligence, according to Juniper Networks Inc, which said in 2015 its equipment had been compromised. In a previously unreported statement to members of Congress in July, Juniper said an unnamed national government had altered the mechanism created by the NSA. The NSA told Wyden staffers in 2018 that there was a “lessons learned” report regarding the Juniper episode and many others, according to Wyden spokesman Keith Chu.
“NSA now asserts that it cannot locate this document,” Chu told journalists at our partner news agency Reuters.
The NSA has pursued many means of getting inside equipment, sometimes striking commercial deals to induce companies to insert back doors, and in other cases manipulating standards, namely by setting processes so that companies unknowingly adopt software that NSA experts can break, according to reports from our content partners at Reuters.
The tactics drew widespread attention starting in 2013, when Snowden leaked files referencing these practices.
Tech companies which were later exposed for having cut deals that enabled backdoor access, such as security leader RSA, lost credibility and customers. Other US companies lost business overseas as customers grew cautious of the NSA’s reach.
All that prompted a White House policy review.
“There were all sorts of ‘lessons learned’ processes,” said former White House cybersecurity coordinator Michael Daniel, who was advising then-president Barack Obama when the Snowden files erupted. A special commission appointed by Obama said the government should never “subvert” or “weaken” tech products or compromise standards.
The White House did not publicly embrace that recommendation, instead beefing up review procedures for whether to use newly discovered software flaws for offensive cyber operations or have them fixed to improve defense, Daniel and many others said.
The secret government contracts for special access remained outside of the formal review.
“The NSA had contracts with companies across the board to help them out, but that’s extremely protected,” said an intelligence community attorney.
The starkest example of the dangers inherent in the NSA’s approach involved an encryption-system component called Dual Elliptic Curve, or Dual EC. The intelligence agency worked with the Commerce Department to get the technology accepted as a global standard, but cryptographers later showed that the NSA could exploit Dual EC to access encrypted data.
RSA accepted a $10 million contract to incorporate Dual EC into a widely used web security system, as reported back in 2013. RSA said publicly that it would not have knowingly installed a back door, but its reputation was tarnished and the company was sold.
Juniper Networks got into hot water over Dual EC two years later. At the end of 2015, the maker of internet switches revealed it had discovered malicious code in some firewall products. Researchers later determined that hackers had turned the firewalls into their own spy tool by altering Juniper’s version of Dual EC.
Juniper said little about the incident. However, the company acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC as part of a “customer requirement,” according to a previously undisclosed contemporaneous message found by journalists at Reuters. Isaacson and other researchers believe that customer was a US government agency, since the US is known to have insisted on Dual EC elsewhere.
Juniper has not identified the customer, and declined to comment for this story.
Likewise, the company never identified the hackers. But two individuals familiar with the case said that investigators concluded the Chinese government was behind it. They declined to detail the evidence they used.
The Chinese government has denied participation in hacking of any kind. In a statement, the Chinese foreign ministry stated that cyberspace is “highly virtual and difficult to trace. It is extremely irresponsible to make accusations of hacker attacks without complete and conclusive evidence. At the same time, we also noticed that the report mentioned that it was the US intelligence agency – the National Security Agency – that created this backdoor technology.”
Wyden remains determined to learn exactly what happened at Juniper and what has changed as the encryption wars heat up.
This July, in previously unreported answers to queries from Wyden and allies in Congress, Juniper said that an unidentified state was believed to be behind the hack of its firewall code but that it had never investigated why it installed Dual EC in the first place.
“We understand that there is a vigorous policy debate about whether and how to provide government access to encrypted content,” it said in a July letter. “Juniper does not and will not insert back doors into its products and we oppose any legislation mandating back doors.”
A former senior NSA official told journalists that many technology companies remain worried about working covertly with the government. However, the agencies’ efforts continue, the person said, because special access is regarded as too valuable to give up.
Initial reporting via our official content partners at Thomson Reuters. Reporting by Joseph Menn. Editing by Jonathan Weber and Edward Tobin.