Recent revelations that the NSA has been infiltrating Yahoo! and Google point to two important lessons: encryption key management is essential when it comes to cyber security, and just because an intelligence program is legal does not make it valuable.
Under a project codenamed “MUSCULAR,” the NSA sought to work around the restrictions of PRISM, another NSA info-sharing program that required cloud providers to pass select information onto the intelligence community.
Both Google and Yahoo! pass bits of data onto data centers. In each of these exchanges, such as when a user conducts a web search, these centers communicate with and protect the user using Secure Socket Layer encrypted sessions—standard means of transmitting personal data which, in turn, could be connected to other sensitive information, such as credit card numbers.
MUSCULAR was much more robust than Prism in that the NSA penetrated Google and Yahoo! networks on the perimeter of their security defenses. The NSA then used this access to infiltrate the data centers and disable the Secure Socket Layer encryption. This in effect enabled the NSA to collect large amounts of data, including millions of user accounts containing downloadable email attachments.
Edward Snowden revealed the details of MUSCULAR, but his leaks urge us to go further and ask: what do programs like “MUSCULAR” teach us about cyber security?
There are two lessons that come to mind. First and foremost, encrypted key management cannot be underestimated. That is, in addition to encrypting a piece of data before it leaves your cloud, it’s essential to also maintain control of the encryption keys. Without this information, any attempt to crack the encryption algorithm—even by the NSA—would prove useless. You would have to give your consent and hand over your keys to have your data read.
Second, legality and value are not the same when it comes to government programs. In a very elastic sense, MUSCULAR is technically legal under Executive Order 12333. This holds true if one labels all the information the program has collected as “foreign intelligence.” But this assumption is just rhetoric. Under this skewed logic, anything from the weather to Angela Merkel’s private phone records can be construed as “foreign intelligence.” That does not make it any more true.
Apparently, the American public agrees. In a recent U.S. public survey, more than a majority of respondents said that they would support the NSA if they could be shown how its programs have thwarted terrorist plots. Also, in a question asking Americans whether they feel confident with the information the intelligence community is providing President Obama, the share of “not at all confident” respondents rose from 8 to 11 percent in the year since the survey was last administered.
The American people are tired. Going forward, this popular dissatisfaction will hopefully make for smarter cyber security all around: better management of encryption keys on the part of businesses, and more necessary and palatable programs on the part of the NSA.
Name: David Bisson
Twitter Handle: @DMBisson
Area of Expertise:
David specializes in cyber security as it relates to U.S. national security and to American military and strategic culture.
Professional Biography:
David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation. He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern. Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.