RSA 2014: Bruce Schneier Champions Encryption in 'Golden Age' of Government Surveillance

Cryptography expert Bruce Schneier, now CTO of Co3 Systems, continued his criticism of the National Security Agency's surveillance during his well-attended talk at the RSA Conference in San Francisco today.

Schneier has been a fierce critic of the National Security Agency (NSA) ever since the details of this surveillance were first revealed by former CIA contractor Edward Snowden last summer. And following on from an interview with CNN this week where he argued for the NSA to be split up, he took the opportunity to champion for stronger encryption in front of a packed audience at the RSA Conference.

Schneier, who left BT—also reportedly offering back doors in products—to join Co3 Systems in December, mused from the beginning that the talk was going to be a prickly and hotly-contested subject. "This will be a fun topic."

His talk was entitled "NSA Surveillance: What we know and what to do about it" and he first ran into the attack techniques—sometimes obscured by odd code names—being used by the NSA and GCHQ to carry out mass surveillance. Some of the attacks, he said, included DNS injection, while other NSA programs were able to deanonymise  cookies and identify users and their internet browsing habits. He continued that the NSA revelations show that AirGap—where PCs are disconnected from the Internet—"doesn't work" and paid particular attention to ‘Project Bullrun', the clandestine, highly-classified decryption NSA program.

He even joked—perhaps with an element of seriousness -  that the NSA is probably making malware too, something other analysts have hinted at recently: "They're not doing malware, but it's a really good idea—they're probably going to do that right now."

"Fundamentally the NSA's mission is to collect everything, it's that collect everything mentally that was born out of a voyeuristic interest in the Soviet Union in the Cold War," he said, adding that the agency's surveillance became significantly ‘unbalanced' after the 9/11 attacks.

"NSA is continuing to lie about its capabilities, and that's something we have got to get used to. This is the golden age of surveillance and it's not just metadata.

"Encryption works"

But Schneier didn't just direct his ire at the NSA, pointing to activity in China, Russia and other well-funded countries.

"It's not just about the US or NSA. What the Snowden documents are really about is what any well-funded nation can do. The same technologies are spreading in Syria and Iran and there's the 3-5 year window of what cyber criminals are next going to do. [They're] next day hacker tools.

Part of this problem, says the cryptography expert, is that the internet is now not secure and that encryption has been undermined. That said, Schneier was keen to stress continually that "encryption works", something Snowden himself mentioned when he first revealed his leaks.

"We have built an insecure internet for everyone. When you think of the NSA surveillance, it breaks political systems, legal systems, commercial systems—and the technology protocols we rely on are now not trusted."

"Encryption works. Most cryptography gives the NSA trouble, and that's important. Most are broken by exploiting bad implementation, bad keys or by deliberately inserting back door on products. We need to look at redesigning protocols, and redesigning products and services."

"But most products rely on streams of unencrypted data—cell phone data, metadata, and third party data."

Schneier added that, in cases like these, users should be looking to use encryption formats like PGP, OTR (off-the-record)—"great for chat", and the Leap program, and also urged attendees to encrypt their hard disk drives, and use anonymity tools like Tor.

The industry veteran's comments echo Christopher Soghoian of the American Civil Liberties Union's presentation at the B-sides event condemning the undermining of encryption by the NSA.

Categories: Articles, Text

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.