The NSA has a new director, a slew of new challenges and any number of new capabilities at its disposal. But it seems that the agency is intent on fighting the same old battles.
Even as fresh revelations about the extent of the NSA’s efforts to get access to encryption keys for mobile communications continue to unspool, the agency’s director is advocating for some form of legal, direct access to encrypted communications. Mike Rogers, director of the NSA and head of the U.S. Cyber Command, said at an event yesterday that it’s important for a legal framework to be put in place to govern how intelligence agencies can access secure communications.
The revelations about NSA operations against American technology companies have prompted concerns about the integrity of those companies’ products.
Bruce Schneier, cryptographer and CTO of Resilient Systems, asked Rogers directly about that problem during the event held by the New America Foundation and was unsatisfied by the answer. For Schneier, the rhetoric and the lack of technical understanding coming from the government are eerily reminiscent of the crypto wars of the 1990s.
“That’s why we need a framework,” Rogers replied. “This is a legitimate question. ‘What is the economic impact?’ With policy and laws we can get to a better place.”
“I asked him how we deal with the problem that US stuff isn’t trusted? That framework idea isn’t going to work overseas,” Schneier said. “He seems to be asking for Clipper. Can’t there be a way that we can get access under some rules? The problem is nobody wants it. Nobody in the government even wants it. We know how this story ends.”
The Clipper chip was a notorious proposal put forward by the NSA in the 1990s: an encryption chipset to be built into new communications devices, with a cryptographic key that would also be held by the government. This concept, known as key escrow, was highly controversial and was widely criticized by security experts and cryptographers as insecure.
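To make the escrow property concrete, here is an added toy model of the idea; it is not code from the article or from any Clipper implementation. The real design used the Skipjack cipher and a LEAF field protected by a family key, none of which is reproduced here: the message layout, the device and escrow agent classes, and the HMAC-SHA256 counter-mode stream cipher standing in for a real cipher are all simplifications introduced for this example. What it does show is the structural point: the escrow field lets the intended recipient and the holder of the escrow database read the same traffic, and anyone who copies that database can read every recorded message, past or future.

```python
"""Toy model of key escrow (added example, not Clipper's real design).
Every device's long-term key is also held by an escrow agent, and each
message carries its session key wrapped under that device key, so the
recipient and the escrow holder can both decrypt. The cipher below is
HMAC-SHA256 in counter mode: a stand-in for illustration, not for real use."""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode. Toy stream cipher, illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_message(device_id: str, device_key: bytes, session_key: bytes, plaintext: bytes) -> dict:
    """Encrypt the body under a per-call session key and attach an escrow
    field: the session key wrapped under the device's escrowed long-term key.
    (Message layout is invented for this example.)"""
    nonce = secrets.token_bytes(16)
    body = xor_bytes(plaintext, keystream(session_key, b"body" + nonce, len(plaintext)))
    escrow_field = xor_bytes(session_key, keystream(device_key, b"wrap" + nonce, len(session_key)))
    return {"device_id": device_id, "nonce": nonce, "escrow_field": escrow_field, "body": body}


def decrypt_body(session_key: bytes, msg: dict) -> bytes:
    """What the intended recipient does: it already shares the session key."""
    return xor_bytes(msg["body"], keystream(session_key, b"body" + msg["nonce"], len(msg["body"])))


class EscrowAgent:
    """Holds a copy of every device key, registered when the device is made."""

    def __init__(self) -> None:
        self.device_keys = {}  # device_id -> long-term device key

    def register(self, device_id: str, device_key: bytes) -> None:
        self.device_keys[device_id] = device_key

    def recover(self, msg: dict) -> bytes:
        """Unwrap the session key from the escrow field, then decrypt the body.
        Raises KeyError if this agent never received the device's key."""
        device_key = self.device_keys[msg["device_id"]]
        session_key = xor_bytes(
            msg["escrow_field"],
            keystream(device_key, b"wrap" + msg["nonce"], len(msg["escrow_field"])),
        )
        return decrypt_body(session_key, msg)


def agent_can_recover(agent: EscrowAgent, msg: dict) -> bool:
    """True if the agent holds the key needed to read this message."""
    try:
        agent.recover(msg)
        return True
    except KeyError:
        return False


def breach(stolen_db: dict, captured: list) -> list:
    """Failure mode: whoever copies the escrow database decrypts every
    captured message, including traffic recorded before the theft."""
    rogue = EscrowAgent()
    rogue.device_keys = dict(stolen_db)
    return [rogue.recover(m) for m in captured]


def demo() -> dict:
    """Constructed sample: two calls from one phone, each with a fresh session key."""
    agent = EscrowAgent()
    device_key = secrets.token_bytes(32)
    agent.register("phone-A", device_key)  # escrow copy made at manufacture
    calls = [(secrets.token_bytes(32), b"meet at noon"), (secrets.token_bytes(32), b"second call, new day")]
    captured = [encrypt_message("phone-A", device_key, sk, pt) for sk, pt in calls]
    return {
        "recipient": [decrypt_body(sk, m) for (sk, _), m in zip(calls, captured)],
        "agent": [agent.recover(m) for m in captured],
        "thief": breach(agent.device_keys, captured),
        "body_hidden": all(m["body"] != pt for (_, pt), m in zip(calls, captured)),
    }


if __name__ == "__main__":
    print(demo())
```

The `breach` function is the part worth dwelling on: the escrow database is a single artifact whose theft retroactively exposes everything wrapped under the keys it holds, which is the same shape of failure as a manufacturer's key store being compromised.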
“If someone sat Rogers down and described Clipper to him, I think he would say, ‘I want that,'” Schneier said. “He says we need a legal rule, but that can’t solve the technical problems. This is a place where policy and technology collide in a way that it limits the solution space. There’s a belief that this is just a technical problem and we can solve it.”
Responding to a question from Yahoo CISO Alex Stamos at the New America Foundation event, Rogers said he believes there is a technological answer to the problem.
“I think that we’re lying that this isn’t technically feasible. Now, it needs to be done within a framework. I’m the first to acknowledge that. You don’t want the FBI and you don’t want the NSA unilaterally deciding, so, what are we going to access and what are we not going to access? That shouldn’t be for us. I just believe that this is achievable. We’ll have to work our way through it. And I’m the first to acknowledge there are international implications. I think we can work our way through this,” Rogers said.
In the absence of a legal process for accessing encrypted communications, the NSA has been going about solving that problem in other ways. Recent reports have linked the agency to an attack against Gemalto, a major manufacturer of SIM cards, that resulted in the compromise of millions of encryption keys for mobile devices. That kind of operation likely isn’t unique, Schneier said.
“Don’t think they haven’t grabbed SSL keys in bulk too,” he said.