Former NSA Director Alexander Addresses Crypto Standard Subversion

Gen. Keith Alexander

Former NSA Director Keith Alexander told an Australian publication that the agency’s subversion of crypto standards and stockpiling of zero days is part and parcel of its mission.

During the last 11 months of mounting leaks and revelations about the government’s surveillance operations and the lengths it will go to gain intelligence on foreign threats, perhaps the most disturbing revelation was the intentional subversion of widely used cryptographic standards.

It’s also been a topic the White House and National Security Agency have largely steered clear of.

Former NSA Director Gen. Keith Alexander, in a candid and wide-ranging interview with Australian Financial Review, admitted that the agency will do what it takes in that regard to accomplish its mission.

“NSA is a cryptographic agency that has had responsibility for both making and breaking codes since WWII. This is what NSA does,” Alexander said.

Unlike World War II when breaking Germany’s Enigma encryption was critical to the Allies’ victory, cryptography is no longer just the domain of the military and spies. Today, technologies such as SSL protect online commerce and communication between businesses and consumers. Terrorists, Alexander said as an example, use those same channels to draft plots.

“When the government asks NSA to collect intelligence on terrorist X, and he uses publicly available tools to encode his messages, it is not acceptable for a foreign intelligence agency like NSA to respond, ‘Sorry we cannot understand what he is saying.’ Our job is to break the codes—to strip out the signal in the noise,” Alexander said. “But the same rules apply to NSA’s code-breaking program as they do to NSA’s signals intelligence missions. All activities are conducted against a valid, specific foreign intelligence purpose. We focus on the communications our adversaries use that we must break to accomplish our missions.”

Alexander also addressed the NSA’s hunt for vulnerabilities in software and the government’s procurement of zero-day vulnerabilities. Last September, MuckRock publicized a NSA contract with vulnerability and exploit vendor VUPEN of France wherein the agency bought a subscription to VUPEN’s binary analysis and exploits service.

In the spirit of NSA’s dual offensive and defensive role, Alexander said the agency requires a fundamental understanding of vulnerabilities, from coding errors, backdoors to zero-days.

Alexander said the agency requires a fundamental understanding of vulnerabilities, from coding errors, backdoors to zero-days.

“To ask NSA not to look for weaknesses in the technology that we use, and to not seek to break the codes our adversaries employ to encrypt their messages is, I think, misguided. I would love to have all the terrorists just use that one little sandbox over there so that we could focus on them. But they don’t,” Alexander said. “They use the same technology products and the same web services that we’ve all got. So what the Courts, Congress and Administration say is, ‘Okay, if you’re going to go there, here are the rules that you have to follow.’ And we follow those rules closely.”

While Alexander may have tip-toed around specific details of NSA practices, he was much more candid about Edward Snowden, the Booz Allen contractor working for the NSA who last June blew the whistle on the government’s metadata collection program and began months of detailed leaks about the NSA’s surveillance activities.

Alexander said what Snowden did was illegal and questioned the sincerity of his motives, which Snowden said were to shed light on the infringement of Americans’ civil liberties and privacy via these practices.

The former director added that Snowden, who currently has asylum in Russia, should be tried in the U.S. He also stands by statements that the Snowden leaks have caused the greatest damage ever to the intelligence system as well as to the country’s ability to defend itself.

“At the end of the day, I believe peoples’ lives will be lost because of the Snowden leaks because we will not be able to protect them with capabilities that were once effective but are now being rendered ineffective because of these revelations,” Alexander said.

“When I found out the full scope of what he had stolen, I couldn’t believe it. I thought, ‘Why would any person do something like this?’ Alexander said. “And I have not been able to come up with a good answer. It clearly goes far beyond what he claims are his motives.”

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business