It was an absurd scene. Keith Alexander, the director of the NSA and a four-star general in the Army, stood alone on the stage, squinting through the floodlights as members of the standing-room-only crowd shouted insults and accusations. Armed men in dark suits roamed the area in front of the stage, eyeing the restless crowd. Nearby, a man sat with a carton of eggs at his feet, waiting for a chance to let fly.
This was perhaps the height of the outrage surrounding the Edward Snowden NSA leaks, and the crowd, assembled for Alexander’s opening keynote at Black Hat last year, was buzzing with tension. It had only been about six weeks since the first stolen information had leaked out, and the most outrageous and controversial NSA documents wouldn’t be seen for several months yet, but the security community was up in arms over the revelations of the agency’s ability to collect and store millions of cell phone records every month, as well as the existence of the XKeyscore capability. The leaks were coming at a furious pace and it was difficult for even the most sympathetic reader of the documents to argue that the NSA, as described in the public information, hadn’t overreached. This was not a soft landing spot for Alexander, who, for many people, had come to represent not just the NSA, but the seemingly unlimited power and reach of the U.S. intelligence apparatus.
There were loud calls for Alexander’s resignation throughout the summer, and previous whistleblowers, security experts and some lawmakers said that there was a clear need for reform at Fort Meade. Critics said the agency had taken the expanded powers granted it after 9/11 and run with them. Concurrent advancements in technology gave the NSA a deep bag of tricks for conducting offensive operations, and as the details of the TAO toy catalog and other capabilities emerged, the anger and outrage in the security and privacy communities festered. Something had to be done. Things needed to change.
And then, oddly enough, things began to change.
Some of the larger Internet companies, who found themselves in the middle of many of the NSA stories about PRISM and other capabilities, started to respond. Following revelations that the agency was tapping undersea cables to gobble up unencrypted traffic, Google engineers publicly called out the agency and soon thereafter Google accelerated plans to encrypt the links among its data centers, taking a major piece off the board. A few months later, the company encrypted all Gmail traffic, securing those vital connections. Later, Yahoo took similar steps, securing their data center connections. The use of strong encryption for these connections provides a serious defense for the users who count on those services to be free from surveillance and advanced attackers.
As the implications of the NSA’s deep penetration of the Internet began to sink in, small groups of smart technologists and engineers began looking for ways to help users secure their communications. Some of the folks from Silent Circle started a new venture, Blackphone, to produce secure, surveillance-resistant phones for consumer use. Another group of executives from Silent Circle, along with Ladar Levison, the founder of Lavabit, established the Dark Mail Alliance to create a new secure email service. And just last week, Moxie Marlinspike’s Open Whisper Systems released Signal, a new iPhone app that provides secure, encrypted phone calls for free.
There’s no way of knowing whether all of these technologies and changes would’ve come to pass without the Snowden leaks; some of them almost certainly would have. Google was on the path to encrypting its data center links, and Yahoo would likely have followed suit eventually. But there’s no question that the leaked documents, the avalanche of news stories and the massive backlash that followed contributed to the innovation that has come since.
The security community does outrage and indignation very well. But it also can be quite good at rising to challenges, especially when there is a difficult problem to solve and a tangible adversary to defeat. The NSA has provided both. And a year on from the absurdity in that conference room at Caesars Palace, much of the community has moved past the outrage and shock and egg-throwing stages and has reached the point of figuring out how to attack the problem. Anger can be a productive emotion sometimes, and the early returns on last year’s outrage are promising.