Spy agency ducks questions about 'back doors' in tech products
[October 28, 2020] By Joseph Menn
SAN FRANCISCO (Reuters) - The U.S. National
Security Agency is rebuffing efforts by a leading Congressional critic
to determine whether it is continuing to place so-called back doors into
commercial technology products, in a controversial practice that critics
say damages both U.S. industry and national security.
The NSA has long sought agreements with technology companies under which
they would build special access for the spy agency into their products,
according to disclosures by former NSA contractor Edward Snowden and
reporting by Reuters and others.
These so-called back doors enable the NSA and other agencies to scan
large amounts of traffic without a warrant. Agency advocates say the
practice has eased collection of vital intelligence in other countries,
including interception of terrorist communications.
The agency developed new rules for such practices after the Snowden
leaks in order to reduce the chances of exposure and compromise, three
former intelligence officials told Reuters. But aides to Senator Ron
Wyden, a leading Democrat on the Senate Intelligence Committee, say the
NSA has stonewalled on providing even the gist of the new guidelines.
“Secret encryption back doors are a threat to national security and the
safety of our families – it’s only a matter of time before foreign
hackers or criminals exploit them in ways that undermine American
national security,” Wyden told Reuters. “The government shouldn’t have
any role in planting secret back doors in encryption technology used by
Americans.”
The agency declined to say how it had updated its policies on obtaining
special access to commercial products. NSA officials said the agency has
been rebuilding trust with the private sector through such measures as
offering warnings about software flaws.
“At NSA, it's common practice to constantly assess processes to identify
and determine best practices,” said Anne Neuberger, who heads NSA’s
year-old Cybersecurity Directorate. “We don’t share specific processes
and procedures.”
Three former senior intelligence agency figures told Reuters that the
NSA now requires that before a back door is sought, the agency must
weigh the potential fallout and arrange for some kind of warning if the
back door gets discovered and manipulated by adversaries.
The continuing quest for hidden access comes as governments in the
United States, the United Kingdom and elsewhere seek laws that would
require tech companies to let governments see unencrypted traffic.
Defenders of strong encryption say the NSA’s sometimes-botched efforts
to install back doors in commercial products show the dangers of such
requirements.
Critics of the NSA’s practices say they create targets for adversaries,
undermine trust in U.S. technology and compromise efforts to persuade
allies to reject Chinese technology that could be used for espionage,
since U.S. gear can also be turned to such purposes.
In at least one instance, a foreign adversary was able to take advantage
of a back door invented by U.S. intelligence, according to Juniper
Networks Inc, which said in 2015 its equipment had been compromised. In
a previously unreported statement to members of Congress in July seen by
Reuters, Juniper said an unnamed national government had converted the
mechanism first created by the NSA. The NSA told Wyden staffers in 2018
that there was a "lessons learned" report about the Juniper incident and
others, according to Wyden spokesman Keith Chu.
“NSA now asserts that it cannot locate this document,” Chu told Reuters.
NSA and Juniper declined to comment on the matter.
JUNIPER’S COMPROMISE
The NSA has pursued many means for getting inside equipment, sometimes
striking commercial deals to induce companies to insert back doors, and
in other cases manipulating standards, steering the standards process so
that companies unknowingly adopt algorithms that NSA experts can break,
according to reports from Reuters and other media outlets.
The tactics drew widespread attention starting in 2013, when Snowden
leaked documents referencing these practices.
Tech companies that were later exposed for having cut deals that allowed
backdoor access, including security pioneer RSA, lost credibility and
customers. Other U.S. firms lost business overseas as customers grew
wary of the NSA’s reach.
All of that prompted a White House policy review.
[Photo: U.S. Senator Ron Wyden (D-OR) speaks during a Senate Finance Committee hearing on the role of unemployment insurance during the coronavirus disease (COVID-19) pandemic on Capitol Hill in Washington, U.S., June 9, 2020. REUTERS/Leah Millis/Pool/File Photo]
“There were all sorts of 'lessons learned' processes,” said former White
House cybersecurity coordinator Michael Daniel, who was advising
then-president Barack Obama when the Snowden files erupted. A special
commission appointed by Obama said the government should never “subvert”
or “weaken” tech products or compromise standards.
The White House did not publicly embrace that recommendation, instead
beefing up review procedures for whether to use newly discovered
software flaws for offensive cyber operations or get them fixed to
improve defense, Daniel and others said.
The secret government contracts for special access remained outside of
the formal review.
“The NSA had contracts with companies across the board to help them out,
but that’s extremely protected,” said an intelligence community lawyer.
The starkest example of the risks inherent in the NSA's approach
involved a random-number generator known as Dual Elliptic Curve, or
Dual EC, meant to supply the random bits from which encryption keys are
made. The intelligence agency worked with the Commerce Department's
standards body to get the technology accepted as a global standard, but
cryptographers later showed that whoever had chosen the generator's
constants could predict its output, and that the NSA could therefore
exploit Dual EC to access encrypted data.
RSA accepted a $10 million contract to make Dual EC the default
generator in its widely used BSAFE security toolkit, Reuters reported in
2013 (https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220).
RSA said publicly that it would not have knowingly installed a back
door, but its reputation was tarnished and the company was sold.
Juniper Networks got into hot water over Dual EC two years later. At the
end of 2015, the network equipment maker disclosed that it had detected
malicious code in the ScreenOS software of some of its firewall
products. Researchers later determined that hackers had turned the
firewalls into their own spy tool
(https://www.reuters.com/article/idUSKBN0UN07520160109) by altering
Juniper's version of Dual EC: they replaced the generator's Q constant
with one of their own, so that whoever held the matching secret could
predict the random numbers behind the firewalls' VPN keys.
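The two mechanisms described above, the trapdoor in Dual EC's constants and the Q substitution that turned Juniper's firewalls against their owner, as an added toy example written for this page. It is not code from the article, from NSA, NIST, RSA or Juniper. It assumes a constructed 14-bit curve (y² = x³ + 2x + 3 over GF(10007)), an 8-bit truncation standing in for the standard's 16-bit drop, and hypothetical secrets E_NSA and E_ADV; the real generator runs on the P-256 curve with 256-bit state, where the same recovery costs about 2^16 candidate point lifts instead of roughly 40.

```python
"""Toy Dual EC DRBG with its P/Q trapdoor (added illustration, not code from
the article, NSA, NIST, RSA or Juniper; curve, truncation and secrets are
constructed for the demo; the real generator uses P-256 and drops 16 bits)."""
from math import gcd

P_MOD, A, B = 10007, 2, 3   # constructed curve y^2 = x^3 + A*x + B, P_MOD % 4 == 3
INF = None                  # point at infinity
OUT_MASK = 0xFF             # release 8 of ~14 bits per round (standard: 240 of 256)


def ec_add(p1, p2):
    """Affine point addition, including doubling and P + (-P)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add k*pt."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend, k = ec_add(addend, addend), k >> 1
    return acc


def lift_x(x):
    """A point with this x, or None. The attacker repeats this per candidate."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # valid square root because P_MOD % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else None


def order(pt):
    """Brute-force point order; cheap on a 14-bit curve."""
    n, acc = 1, pt
    while acc is not INF:
        acc, n = ec_add(acc, pt), n + 1
    return n


def x_of(pt):
    if pt is INF:   # the standard has the same corner case at 2^-256 odds
        raise ValueError("state hit the point at infinity")
    return pt[0]


def dual_ec(state, P, Q, count):
    """Simplified Dual EC: each round outputs trunc(x(s*Q)) then sets s = x(s*P)."""
    outs = []
    for _ in range(count):
        outs.append(x_of(ec_mul(state, Q)) & OUT_MASK)
        state = x_of(ec_mul(state, P))
    return outs, state


def recover_state(outputs, P, Q, e):
    """Attacker holding e with e*Q == P: lift each x matching the truncated
    outputs[0] to R = +-s*Q, compute e*R = +-s*P (its x is the next state) and
    keep the candidate that reproduces the remaining observed outputs."""
    t0, rest = outputs[0], outputs[1:]
    for x in range(t0, P_MOD, OUT_MASK + 1):
        R = lift_x(x)
        S = ec_mul(e, R) if R is not None else INF
        if S is INF:
            continue
        try:
            if dual_ec(S[0], P, Q, len(rest))[0] == rest:
                return S[0]
        except ValueError:
            continue
    return None


# Deterministic choice of a large-order point as the "standard" base point P.
P_STD = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt and order(pt) > 2000)
N = order(P_STD)


def pick_secret(start):
    """Smallest integer >= start that is invertible modulo the point order."""
    while gcd(start, N) != 1:
        start += 1
    return start


def trapdoored_q(e):
    """Q = e^-1 * P, so e*Q == P: the relation Shumow and Ferguson flagged in 2007."""
    return ec_mul(pow(e, -1, N), P_STD)


# Hypothetical secrets: the standard-setter's, and the intruder's who swapped Juniper's Q.
E_NSA, E_ADV = pick_secret(1234), pick_secret(4321)
Q_NSA, Q_ADV = trapdoored_q(E_NSA), trapdoored_q(E_ADV)


def attack_succeeds(Q, e, seed=677, observed=4, future=5):
    """Run the generator with constant Q, recover the state from `observed`
    outputs using trapdoor e, and check that every later output is predicted."""
    outs, _ = dual_ec(seed, P_STD, Q, observed + future)
    state = recover_state(outs[:observed], P_STD, Q, e)
    if state is None:
        return False
    return dual_ec(state, P_STD, Q, len(outs) - 1)[0] == outs[1:]
```

attack_succeeds(Q_NSA, E_NSA) and attack_succeeds(Q_ADV, E_ADV) return True while attack_succeeds(Q_ADV, E_NSA) returns False: swapping Q does not repair the generator, it only changes who holds the trapdoor, which is why an altered constant was enough to hand the firewalls' traffic to someone else. The practical check on a shipped product is whether its Dual EC constants match the published ones and whether the generator's raw output is ever exposed; the practical fix is not to use Dual EC at all.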
Juniper said little about the incident. But the company acknowledged to
security researcher Andy Isaacson in 2016 that it had installed Dual EC
as part of a “customer requirement,” according to a previously
undisclosed contemporaneous message seen by Reuters. Isaacson and other
researchers believe that customer was a U.S. government agency, since
only the U.S. is known to have insisted on Dual EC elsewhere.
Juniper has never identified the customer, and declined to comment for
this story.
Likewise, the company never identified the hackers. But two people
familiar with the case told Reuters that investigators concluded the
Chinese government was behind it. They declined to detail the evidence
they used.
The Chinese government has long denied involvement in hacking of any
kind. In a statement to Reuters, the Chinese foreign ministry said that
cyberspace is "highly virtual and difficult to trace. It is extremely
irresponsible to make accusations of hacker attacks without complete and
conclusive evidence. At the same time, we also noticed that the report
mentioned that it was the U.S. intelligence agency -
the National Security Agency - that created this backdoor technology."
NERVOUS COMPANIES
Wyden remains determined to find out exactly what happened at Juniper
and what has changed since as the encryption wars heat up.
This July, in previously unreported responses to questions from Wyden
and allies in Congress (https://www.reuters.com/article/idUSKBN23H2C9),
Juniper said that an unidentified nation was
believed to be behind the hack into its firewall code but that it had
never investigated why it installed Dual EC in the first place.
“We understand that there is a vigorous policy debate about whether and
how to provide government access to encrypted content,” it said in a
July letter. “Juniper does not and will not insert back doors into its
products and we oppose any legislation mandating back doors.”
A former senior NSA official told Reuters that many tech companies
remain nervous about working covertly with the government. But the
agencies’ efforts continue, the person said, because special access is
seen as too valuable to give up.
(Reporting by Joseph Menn; editing by Jonathan Weber and Edward Tobin)
© 2020 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. Thomson Reuters is solely responsible for this content.