Computer Security Industry Rocked By NSA Revelations
The NSA can easily bypass many commonly used forms of encryption. This is terrible news for the people who sell it.
The latest National Security Agency scoop, published jointly by The Guardian, The New York Times, and ProPublica yesterday, paints an astonishingly dismal picture of the current online security industry. The primary revelation, that your encrypted data may not be safe from the NSA, could erode the precious framework of trust at the center of the security and encryption industries.
The documents, provided by Edward Snowden, allege that the NSA has spearheaded a $250 million-a-year campaign to target and crack much of the encryption infrastructure that protects sensitive information on the web, such as emails, banking systems, and web searches. At first glance, the revelations appear to destroy the very premise of secure encryption — a notion that stands to cripple not only security companies, but also any hardware and software company with ties to the internet.
"Of course this changes the perception of the security industry and fundamental use of many products you thought might have been completely secure, like VPN," Harvey Boulter, founder of Seecrypt, a popular encrypted voice and texting app, said of the newest NSA revelations.
According to Chester Wisniewski, a senior security advisor at Sophos Canada, the greatest risk posed by the Snowden news is an economic one. "Our entire global economy relies on transactions being safe and secure," he told BuzzFeed.
"The whole idea of my mom buying me a present on Amazon is founded on the idea of a safe browser padlock," Wisniewski said. "Knowing that can be compromised affects everything from governments and banking all the way down to my mother. This could have an impact on American software, internet, and hardware companies. Foreign corporations and governments simply won't want to do business with the U.S. anymore if they know there's a quick back door, and that's when things go off the rails."
"It is guaranteed that this is hurting the internet industry," Boulter agrees. "Just here in the Middle East, we've come across many corporations that are moving away from Gmail because they no longer believe it to be trustworthy. We're seeing a shift away from trusting these applications coming from U.S. and U.K. providers as no one quite knows who to trust."
But for all the uncertainty, those BuzzFeed spoke with don't see the security industry as beyond saving. "Encryption versus surveillance is a cat-and-mouse game," Boulter said. "There's never a status quo. You do something, and they invent a way to get into your systems."
For those deeply invested in the security game, yesterday's scoops only confirmed a common belief. "As somebody involved in cryptography for a long time, there weren't all that many revelations here," Wisniewski said. "A lot of it sounded to me to be weaknesses in our systems that we knew about but decided to ignore and proceed anyway."
For Wisniewski, the Snowden documents provide a silver lining: Given the NSA's budget and scale, many encryption systems have stood up to the test. "These reports show that it's not trivial for the NSA to break these encryption systems. It takes billions of dollars to put a dent in them. If you're targeted by the NSA because you're a foreign government or a terrorist, then nothing will be unbreakable. But if you're just trying to send secure emails across your company, there's less reason to worry. To target costs hundreds of millions of dollars, and this isn't something you can do in your garage with a stack of PS3s." (Ed note: PlayStation 3 consoles are sometimes clustered together for large-scale computing tasks, providing cheap alternatives to traditional supercomputers.)
However damaging the revelations are to public perception, there's reason to believe they could wipe away the false notions many still hold about online security. "In all, I think there's a chance this could be a positive awakening," Boulter said. In other words, no one with a product to sell can say, definitively, that your data is safe.