During the last 11 months of mounting leaks and revelations about the government’s surveillance operations and the lengths it will go to gain intelligence on foreign threats, perhaps the most disturbing revelation was the intentional subversion of widely used cryptographic standards.

It’s also been a topic the White House and National Security Agency have largely steered clear of.

Former NSA Director Gen. Keith Alexander, in a candid and wide-ranging interview with Australian Financial Review, admitted that the agency will do what it takes in that regard to accomplish its mission.

“NSA is a cryptographic agency that has had responsibility for both making and breaking codes since WWII. This is what NSA does,” Alexander said.

Unlike World War II when breaking Germany’s Enigma encryption was critical to the Allies’ victory, cryptography is no longer just the domain of the military and spies. Today, technologies such as SSL protect online commerce and communication between businesses and consumers. Terrorists, Alexander said as an example, use those same channels to draft plots.

“When the government asks NSA to collect intelligence on terrorist X, and he uses publicly available tools to encode his messages, it is not acceptable for a foreign intelligence agency like NSA to respond, ‘Sorry we cannot understand what he is saying.’ Our job is to break the codes—to strip out the signal in the noise,” Alexander said. “But the same rules apply to NSA’s code-breaking program as they do to NSA’s signals intelligence missions. All activities are conducted against a valid, specific foreign intelligence purpose. We focus on the communications our adversaries use that we must break to accomplish our missions.”

Alexander also addressed the NSA’s hunt for vulnerabilities in software and the government’s procurement of zero-day vulnerabilities. Last September, MuckRock publicized a NSA contract with vulnerability and exploit vendor VUPEN of France wherein the agency bought a subscription to VUPEN’s binary analysis and exploits service.

In the spirit of NSA’s dual offensive and defensive role, Alexander said the agency requires a fundamental understanding of vulnerabilities, from coding errors, backdoors to zero-days.

Alexander said the agency requires a fundamental understanding of vulnerabilities, from coding errors, backdoors to zero-days.

“To ask NSA not to look for weaknesses in the technology that we use, and to not seek to break the codes our adversaries employ to encrypt their messages is, I think, misguided. I would love to have all the terrorists just use that one little sandbox over there so that we could focus on them. But they don’t,” Alexander said. “They use the same technology products and the same web services that we’ve all got. So what the Courts, Congress and Administration say is, ‘Okay, if you’re going to go there, here are the rules that you have to follow.’ And we follow those rules closely.”

While Alexander may have tip-toed around specific details of NSA practices, he was much more candid about Edward Snowden, the Booz Allen contractor working for the NSA who last June blew the whistle on the government’s metadata collection program and began months of detailed leaks about the NSA’s surveillance activities.

Alexander said what Snowden did was illegal and questioned the sincerity of his motives, which Snowden said were to shed light on the infringement of Americans’ civil liberties and privacy via these practices.

The former director added that Snowden, who currently has asylum in Russia, should be tried in the U.S. He also stands by statements that the Snowden leaks have caused the greatest damage ever to the intelligence system as well as to the country’s ability to defend itself.

“At the end of the day, I believe peoples’ lives will be lost because of the Snowden leaks because we will not be able to protect them with capabilities that were once effective but are now being rendered ineffective because of these revelations,” Alexander said.

“When I found out the full scope of what he had stolen, I couldn’t believe it. I thought, ‘Why would any person do something like this?’ Alexander said. “And I have not been able to come up with a good answer. It clearly goes far beyond what he claims are his motives.”

Categories: Cryptography, Government, Privacy

Comments (5)

  1. ha
    1

    A lot of people have stolen information about major organizations…ready to use as weaponry or for power when necessary.

  2. TimmyK
    2

    “To ask NSA not to look for weaknesses in the technology that we use, and to not seek to break the codes our adversaries employ to encrypt their messages is, I think, misguided.” This is a straw man argument. No serious commentator is complaining about that. What they *are* complaining about is when the NSA finds an exploit, and uses it for months or years rather than reporting it to the developers so it can be fixed. Most of what the NSA does is economic intel anyway, and not looking for terrorists (contrary to their B.S. propaganda), so if economic security is such a big part of their mission, then leaving millions of Americans and allies vulnerable to identity theft and other huge economic threats is a major failure. Policymakers have to more intelligently weigh the costs to the public of sitting on zero-days for very long periods of time, against the benefits of being able to exploit them for very long periods of time. I have no confidence that they are doing this intelligently. Further, to those who say that it is impossible to keep the public in the loop regarding these policies, I say that it can be done simply by defining different levels of severity of security holes and having open policies about how long the NSA may use a hole of a given severity, without disclosing to the public the actual holes themselves.
    It’s not, as some would have us believe, a paradox. There are plenty of ways they can do this democratically and with open public oversight, without compromising the NSA’s mission. We just have to want to, and many solutions will emerge.

    • xpci09832lksoiu4
      3

      Actually, what people are arguing against is the NSA sabatoging cryptographic protocols, algorithms and software – “crypto standard subversion”.

      It has nothing to do with the NSA “reporting” vulnerabilities – most sane people don’t expect an intel agency to care. Their job should be to collect and analyze signal intelligence.

      They create algorithms and code with holes, or bribe and extort anyone using cryptography.

      This creates systems that are vulnerable to more attacks than people understand, and threatens to make the United States akin to a third world country (banking, medicine, logistics, communications…it’s much deeper than SSL).

  3. Collateral Damaged Civilian
    4

    “To ask NSA not to look for weaknesses in the technology that we use, and to not seek to break the codes our adversaries employ to encrypt their messages is, I think, misguided. I would love to have all the terrorists just use that one little sandbox over there so that we could focus on them. But they don’t,” Alexander said. “They use the same technology products and the same web services that we’ve all got. So what the Courts, Congress and Administration say is, ‘Okay, if you’re going to go there, here are the rules that you have to follow.’ And we follow those rules closely.”

    So, what does that really mean… the NSA is violating international law and secretly declared war against everyone, as they are unable to separate the benign civilian from the malicious terrorist? Mind you, he is talking about US Courts, US Congress and US Administration – and none of them have ANY legal position in ANY other country. My point of view: there is a small line between “intelligence” and “espionage”. That line has been crossed… again.

  4. Grant
    5

    Intelligence and espionage are basically the same thing, and they are NSA’s job. End of story.

    It really bugs me when people assume that NSA doing it’s job is a bad thing. If you or I hacks computers or listens in on something it is a crime, but that is in NSA’s job description and they shouldn’t get in trouble when they do it.

    The things Snowden leaked that are of questionable contstitutionality are few and not very serious. He leaked lots of completely valid NSA activities, though, in the interest of harming the US. He’s clearly a criminal and a traitor.

    I’m glad to hear some comments from and NSA insider about it. I can’t see anything wrong with any of his arguments.

Comments are closed.