Dear stupid, stupid NSA

Dear stupid, stupid NSA,

I’ve got to hand it to you: as an agency set up with the task of breaking codes and spying on people, you seem to be doing a pretty sterling job.

You and your counterparts in the UK, Australia, Canada and New Zealand (and possibly elsewhere) are able to monitor most of the communications flowing around the world. You appear to have successfully subverted the American web services that everyone uses, and you’ve used the value and size of the U.S. market to bring all manner of internet backbone providers and hardware vendors on-side too.

Now we also know that you have – in your own words – “some capabilities against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL, and other network communication technologies.” So even if it takes a fair amount of effort (unlike your indiscriminate data-trawling techniques), that’s basic internet security out the window then. Nicely done.

We’re still pretty sure that strong encryption is safe (Edward Snowden said so, and he’s yet to be proven wrong on this stuff), but even there it’s not unreasonable to suspect you can muscle your way in if the situation merits it.

Again, well played, maybe.

Subversive insecurity

However, you’ve not stopped at codebreaking – you have also made sure that vulnerabilities have been inserted into “commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets.”

Here’s where the stupidity creeps in: you actively work to “influence policies, standards and specifications for commercial public key technologies” and “shape the worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by” yourselves.

In other words, instead of just building a better lockpick, you are trying to make sure that all locks are faulty by design.

What is so jaw-droppingly idiotic about your actions is that you have not only subverted key elements of modern cryptography, but you have also appointed yourself as the guardian of the knowledge that the resulting vulnerabilities exist. And if your own security systems were up to the task, then those secrets wouldn’t be sitting in the offices of The New York Times and ProPublica.

One must possess a Panglossian view on things to assume that Edward Snowden was the first person out of the many thousands in his position to make away with such material. He brought it to the public, and without that move there’s a good chance you wouldn’t have even known he took it. So who else has it? Bet you have no idea. So well done; you’ve probably put your own citizens at risk.

But let’s ignore that distinct likelihood for a moment, and concentrate on the aftermath of Snowden’s revelations.

One must have standards

If the first tranche of those revelations will hit the U.S. web services and cloud economy hard – estimates vary as to how hard, and only time will tell – then the crypto scandal is going to do the same to the U.S. security industry. In fact, it’s probably going to hurt more. Most people have too much invested in American web services to pull out on short notice; it’s relatively trivial in many cases to switch security services.

Of course, the implications aren’t only glum for U.S. firms. There are enough hints in your leaked documents to suggest that you got to some foreign firms too. And as you seem to have influenced the standards-setting process (sometimes cack-handedly) the global security industry must now think about starting from scratch.

Sadly for you, this time round your influence will be vastly diminished: it’s going to be much harder to insert your demands into the finished product. As far as the rest of the world is concerned, the forum provided by the U.S. National Institute of Standards and Technology will now carry less weight. And because the security industry will now shift to open source – there is no other option if the new standards are to be trusted – installing hidden backdoors will be nearly impossible.

But what’s really going to hurt is the U.S.’s slow loss of control over the internet itself. As crypto guru Bruce Schneier wrote on Thursday:

“I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA’s actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

“Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country’s internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can’t be dominated or abused by any one country.”

Just because the U.S. invented the internet doesn’t mean it gets to maintain the level of control it now exercises forever. Particularly when you’ve now forced everyone to think about re-engineering it.

Oh, and by the way, whether or not you do succeed in cracking the encryption protecting 4G communications by the end of this financial year, as you have predicted, you can probably expect U.S. influence in international telecommunications standards-setting to take a knock too.

So in summary, you’ve blown it – and not just for yourselves. Good luck readjusting in the coming years!

Yours etc,