RSAC: Defeating NSA Surveillance Isn't the Real Problem
When Bruce Schneier went on to a different stage at the RSA Conference, resplendent in a purple floral shirt, he gave a very different presentation than an earlier panel from Washington intelligence insiders. Schneier, the CTO of Co3 Systems and author, gave the security-geek view. He also gave his answer to the question everyone has been asking: how do we keep from being spied on?
Schneier laid out the situation as he sees it today: that the NSA has turned the Internet into a giant surveillance platform that is both technically and legally robust. "Fundamentally, the NSA's mission is to collect everything," said Schneier, tracing this view to the US's "voyeuristic" interest in the USSR during the Cold War.
After the Soviet Union's collapse, the idea of ubiquitous surveillance was dormant until 9/11. "Intelligence was given an impossible mission: never again," said Schneier. "If you're given the quixotic goal to keep something from ever happening the only way to achieve that is to know everything."
Of course, the NSA wasn't operating in a vacuum. Schneier pointed to two key changes that aided the creation of the massive spying operation we know today. The first was the cost of search and storage, which Schneier said had dropped to the point where it was feasible to store and search huge amounts of data.
Second was a philosophical shift in both user behavior and technology companies. "We build systems that spy on people in exchange for services," said Schneier. "Surveillance is the business model of the Internet." Think of this in terms of Facebook's ravenous appetite for personal information, or mobile apps that sell user information in order to monetize a free game. "This is a golden age of surveillance, simply because there's so much information out there," he said.
Crypto is Still the Key
Despite some of the doom and gloom you may read about the Snowden leaks, Schneier was unequivocal in asserting that companies and individuals can protect themselves from surveillance. "Cryptography works," he said. "The NSA can't break it and it pisses them off."
As an example, he pointed to leaked information that indicated the NSA drew ten times the data from Yahoo! than from Google, despite Google having many more users. Schneier explained that, at the time, Google was using SSL by default and Yahoo! wasn't. The NSA relies mostly on unencrypted data, of which there is plenty. "We have made bulk collection too easy, and the NSA is taking advantage of that."
The key, Schneier insisted, was to use cryptography to make bulk collection harder. "The NSA might have a huge budget, but they're not made of magic," he said. "Our goal should be to leverage the economics, the physics, and the math to make eavesdropping more expensive." He conceded that targeted collection would probably always be an option for intelligence gathering, but that bulk collection posed a far greater threat.
Of course, it's not all chocolate and roses. Schneier also shared his belief, based on his readings of leaked documents, that the NSA must have some powerful piece of cryptanalysis technology. He said that the NSA appears to have worked out the math portion, but was frustrated by the engineering problem of making it work for lots and lots of information. "Most crypto drives the NSA batty, at least at scale," he said.
As far as what the NSA has in cryptocracking, Schneier could only offer his conjecture. They NSA might have cracked some class of elliptic curves used in elliptic-curve cryptography, or found a way to subvert random-number generation, among other methods.
Fix the NSA, Protect Individuals in Bulk Data
Like other presenters at RSA, Schneier said that the NSA could be improved with domestic and international norms defining how surveillance should function. He also called for laws that were bigger than particular forms of surveillance or agencies. Discussing legislation in terms of fundamental rights, he said, was the correct way to frame the discussion.
However, Schneier said that there was a larger issue at work within the debate around the NSA's programs: bulk-data analysis. "The general question here is how do we design data systems that benefit society but protect people individually," he said. As an example, Schneier presented a hypothetical database with medical information from every human on Earth. This would be enormously valuable to doctors as a research tool, but it would reveal the personal information of the individuals in the database.
"I think this is the fundamental issue of the information age," said Schneier. "The NSA may not be the best place to start but it's the place we have."