Internet Encryption Guru on NSA Codebreak Revelations: We’re Outmatched

The National Security Agency has managed to defeat the powerful commercial encryption technology that, for nearly two decades, individuals, corporations, activists, and governments around the world have used to keep their communications safe from the prying eyes of digital spies and intelligence organizations.

In short, this means that the NSA, the largest intelligence agency in the U.S. government, has the power to read huge troves of email and other encrypted communications that once would have appeared as a digital scramble, useless to government spies.

Citing classified documents provided by former NSA contractor Edward Snowden, the New York Times reported on Thursday that the agency has used "supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age."

In what amounts to a multi-front campaign against encryption technology and the people who develop and use it, "The NSA hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world," the Times reported.

Developers and experts had long assumed that the NSA was attempting to foil the strong encryption technology that has proliferated on the web in recent years. But some were still stunned by the scale and scope of the effort.

"All the things we thought were worst-case scenario are actually happening," said Nadim Kobeissi, the developer of Cryptocat, a web-based encrypted chat program. "There’s no way it could get worse than this."

He was particularly alarmed to learn that, according to documents reported by the Times, the NSA is spending $250 million on a "Sigint Enabling Project," which "actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs" to make them "exploitable."

Kobeissi said that experts had believed that governments were working covertly to insert back doors and holes into systems to make them crackable by intelligence agencies. The Times revelations appear to confirm this is true.

Kobeissi also noted that, according to classified budget information recently leaked by Snowden, the U.S. government employs 35,000 people focused on cryptology, and spends $11 billion a year making and breaking codes.

On the other side of that effort are people like Kobeissi and a few dozen experts and researchers who comprise a community of coders trying to build open-source, open-access technology to protect private communications. Kobeissi admitted that they are outmatched by the NSA.

Mike Janke, the CEO and co-founder of the encrypted communications firm Silent Circle, said the new revelations show that the NSA has been successful at cracking "lower-level, low-hanging fruit" encryption like virtual private networks and Secure Socket Layer, two ubiquitous technologies. Janke said that stronger encryption systems, like the one his company uses, are still safe.

But this doesn’t mean that stronger encryption can foil the NSA, Janke cautioned. The agency "has moved more to compromising platforms and hardware, instead of trying to break more sophisticated encryption schemes," he said. "That is why it is so important that we inform people that their platforms are the weakest link."

Documents previously released by Snowden show that the NSA has the authority to keep all the encrypted messages it collects for five years, until the agency can determine if the sender was an American citizen (and therefore afforded greater privacy protection under law), and until analysts can figure out whether the content of the message has any intelligence value.

The NSA has had to build a huge new facility in the Utah desert to store all the information it is collecting. What this latest revelation shows is a comparably massive effort to decrypt what’s coming into the NSA’s systems.

Intelligence officials asked the Times and ProPublica, which also received the documents, not to publish their stores because it could alert foreign governments to switch to new forms of encryption that are harder to collect and read, the Times reported.

This shows that while the NSA may have the upper hand in terms of money and manpower, the encryption battle is not entirely one-sided. Developers can always make stronger codes and more secure systems — and they will.

"It is a constant race," Janke said. "Always improve the crypto and implementation of it to stay ahead of their billions of dollars of resources."