Have the NSA and GCHQ been building vulnerabilities into commercial encryption products?

If this is true, another argument for open source software has been made. Articles in the New York Times and the Guardian  alleged that  the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” .

The problem with this approach is that the NSA and GCHQ have two roles and it would seem that they have failed to balance them. This is the question of intelligence equities. These organisations are charged to reveal the secrets of their enemies, but also to protect the information of their countries. By building back doors into software and hardware being sold to unsuspecting customers, they are doing what they have accused the Chinese of doing.

Moreover the fact that these backdoor vulnerabilities exist, mean that others can find and use them, not just NSA and GCHQ but also other cyber criminals.

It is the ultimate hubris to think that NSA and GCHQ are the only ones capable of discovering and exploiting these vulnerabilities. “If you want to keep a secret, you must also hide it from yourself.”  George Orwell1984 . No organisation as large as the NSA can do this forever.

The USA tried under President Clinton to make all manufacturers insert a hardware ‘clipper’ chip  into their devices, but the backlash was such that the US government withdrew support for the idea. What this information is telling us is that the NSA didn’t give up and found alternative means to realise the  concept.

The only logical conclusion from this revelation is that the signals intelligence agencies are unable to both reveal the enemies’ secrets and protect those of their citizens at the same time. They should be split. The information assurance role should come under the control of the trade, infrastructure and industry portfolios.

 

You can find the NYT article here – http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all 

You can find the Guardian article here – http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security