Thursday, September 12, 2013

Internet Betrayal

On 5 September Bruce Schneier wrote in the Guardian "The US government has betrayed the internet. We need to take it back." 

This article was based upon access to information made available to the Guardian by Edward Snowden about signals intelligence activities of the NSA.   The information suggested that the NSA has systematically compromised cryptographic methods, keys, products, vendors, and systems on which the integrity of the infrastructure and the liberty of our citizens rely.  I was glad to have a reading of these papers by a trusted and eminently qualified colleague. 

While the activities reported were those that I had always expected the Agency to engage in, I was surprised by the extent and scope.  I was not surprised by the secrecy so much as by the deceit.  I was not surprised at what the Agency was doing but I was outraged at the permanent damage to the infrastructure that they were prepared to inflict in pursuit of their goals.  Along with Bruce, I felt betrayed by my government.  I was so angry, I sent a link to Bruce's article to a list of my colleagues.  Since the conclusions seemed obvious, I did not comment.

When one of my colleagues asked me for my thoughts, I sent him my most negative ones.  However, I did include the caveat that I was still ruminating on it and that these comments were still preliminary. 

Now it is great fun, indeed great sport, to affect righteous anger at the perfidy of our government.  For a day I nursed my anger; in fact, I delighted in it.  However, I woke up in the middle of the night to a realization that I would like to share with you.

While it may be true that, as Bruce has said, “the government has betrayed the Internet,” for every system that the government has compromised, there are a hundred compromised by rogue hackers, and a thousand compromised by their users.  While crypto is our strongest security mechanism, the only one we have that is stronger than we need for it to be, the best that it can do is to bring the security of the middle to the level of the end points.  Crypto will never be stronger than the systems that protect the keys.

The government has not “broken crypto.”  While it may have deceived us, broken faith, it has, in the words of Adi Shamir, only “bypassed” crypto.  While it may have corrupted industry, that corruption has relied upon the silent cooperation of industry.  We have known since the disclosure of the warrantless surveillance program that government had compromised the major carriers.  The motives of industry seem to include patriotism, greed, apathy, and fear.  Whatever the motives, they are sufficient to the day.

Whatever one may think about the activities of the government(s), it is we, the users and the corporations that we own and run, that have betrayed the Internet.  We do “need to take it back.”

One likes to think that we can expect better behavior of our government than of our adversaries.  (The US Congress has warned us against doing business with Huawei because the Chinese PLA has subverted them.)  However, governments do what governments do; we cannot expect better of our government than of ourselves.

We have compromised industry, government, and the Internet.  It is time to stop whining and “take back” all. 

This is all about transparency and accountability.  To the extent that NSA's activities are seen now as a "betrayal," it is because they have been cloaked in secrecy.  Secrecy is what government wants for itself; accountability is what government demands of citizens.  However, the inevitable result is a government of men.  A government of law can only exist in the light.

We must demand increased transparency at all levels of the society, government, infrastructure, and industry.  Where the use of important controls is obscured by complexity, we must compensate by instrumentation and independent verification.  We must express the requirements for transparency and accountability at least as well as we do those for confidentiality, integrity, and availability and design and operate to satisfy them.  Not easy, not cheap, only necessary, necessary to economic efficiency and freedom.  Stop whining and get on with it.

1 comment:

  1. Bill,

    I always enjoy reading your blogs. Thank you for continuing to give perspective to so many of the security issues that arise every day. It is comforting to know you are engaged and engaging others to make a stand.

    Thomas Reardon, former colleague on the GAISP effort