Revelations that the National Security Agency may be pressuring vendors to put hidden backdoors in their software and hardware for espionage purposes cast a huge shadow over the many programs the NSA runs with the high-tech industry to evaluate, test and accredit products that use encryption.
The NSA's actions, revealed in documents leaked by former contractor Edward Snowden and made public by The Guardian and The New York Times, raise questions about NSA-run programs such as Commercial Solutions for Classified (CSfC), the National Information Assurance Partnership, and the DoD Information Assurance Certification and Accreditation Process, as well as cryptographic standards promulgated by the NSA, such as Suite B. Virtually every U.S.-based network and security product provider of any significance participates in some way in these product evaluation programs, because it is through them that vendors can sell to federal agency customers and the military.
To date, news sources such as The Guardian, which has worked closely with Snowden, haven't put forward the names of any companies that may have agreed to compromise their products on the NSA's behalf, nor have they mentioned these NSA-run product-evaluation programs.
But last Friday, the Obama Administration appeared to verify assertions made in the media the day before that the NSA works through partnership programs with industry to undermine network and security products for espionage purposes.
The Office of the Director of National Intelligence (ODNI) didn't refute the notion that the NSA spends millions of dollars each year to subvert software and hardware by pressuring the high-tech industry to put in backdoors for the NSA's benefit. In its official statement, ODNI said the stories published "reveal specific and classified details about how we conduct this critical intelligence activity."
Leaked documents posted by the Times and Guardian included NSA statements such as the assertion that the NSA SIGINT division "actively engages the U.S. and foreign IT industries to covertly influence and overtly leverage their commercial products' designs. These design changes make the systems exploitable through SIGINT collection (e.g., Endpoint, Midpoint, etc.) with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact." One stated goal is to "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices used by targets." The fact that the NSA makes such modifications at all is itself classified "top secret," according to the Snowden documents posted online. Its numerous product evaluation programs with industry would give the NSA ample opportunity to pursue these goals.
Bruce Schneier, crypto expert and author of several books, including the recent "Liars and Outliers," maintains that the revelations about the NSA constitute a fundamental betrayal of the Internet and the people who use it. He advocates that anyone, especially engineers, with knowledge of how the NSA is subverting software and hardware should go public with what they know, adding the caveat that this applies only to those not bound by specific legal or confidentiality restrictions, such as a National Security Letter.