Senator Wyden Wants To Know If The NSA Is Still Demanding Tech Companies Build Backdoors Into Their Products
from the build-them-or-we'll-just-build-our-own dept
It’s been more than a half-decade since it made headlines, but the NSA’s hardware manipulation programs never went away. These programs — exposed by the Snowden leaks — involved the NSA compromising network hardware, either through interception of physical shipments or by the injection of malicious code.
One major manufacturer — Cisco — was righteously angered when leaked documents showed some of its hardware being “interdicted” by NSA personnel. It went directly to Congress to complain. The complaint changed nothing. (Cisco, however, changed its shipping processes.) But even though the furor has died down, these programs continue pretty much unhindered by Congressional oversight or public outcry.
One legislator hasn’t forgotten about the NSA’s hardware-focused efforts. Senator Ron Wyden is still demanding the NSA answer questions about these programs and give him details about “backdoors” in private companies’ computer equipment. The DOJ and FBI may be making a lot of noise about encryption backdoor mandates, but one federal agency is doing something about it. And it has been for years.
Not only has the NSA installed its own backdoors in intercepted devices, it has been working with tech companies to develop special access options in networking equipment. This allows the agency to more easily slurp up communications and internet traffic in bulk. Senator Wyden wants answers.
The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.
“Secret encryption back doors are a threat to national security and the safety of our families – it’s only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security,” Wyden told Reuters. “The government shouldn’t have any role in planting secret back doors in encryption technology used by Americans.”
No one knows what’s in the guidelines and whether they forbid the NSA from backdooring hardware or software sold to US buyers. All the NSA is willing to say is it’s trying to patch things up with domestic tech vendors by, um, giving them more stuff to patch up.
The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws.
This is a welcome change after years of exploit hoarding. But there’s no reason to believe the NSA isn’t holding useful flaws back until they’ve outlived their exploitability. As for the built-in backdoors, the NSA refuses to provide any details. It won’t even answer to its oversight. And if it won’t do that, it really needs to stop saying things about “robust oversight” every time more surveillance abuses by the agency are exposed.
There’s more to this than potential domestic surveillance. Any flaw deliberately introduced in hardware and software can be exploited by anyone who discovers it, not just the agency that requested it. The threat isn’t theoretical. It’s already happened. In 2015, it was discovered that malicious hackers had exploited what appeared to be a built-in flaw to intercept and decrypt VPN traffic running through Juniper routers. This appeared to be a byproduct of the NSA’s “Tailored Access Operations.” While Juniper has never acknowledged building a backdoor for the NSA, the circumstantial evidence points in No Such Agency’s direction.
[Juniper] acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC [Dual Elliptic Curve] as part of a “customer requirement,” according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere.
This is the danger of relying on deliberately introduced flaws to gather intelligence or obtain evidence. Broken is broken and broken tools are toys for malicious individuals, which includes state-sponsored hackers deployed by this nation’s enemies. It’s kind of shitty to claim you’re in the national security business when you’re out there asking companies to add more attack vectors to their products.