The NSA is "Not Made of Magic"

Of the small pool of people who have seen the Snowden documents, few, if any, are as technically savvy and knowledgeable about security and surveillance as Bruce Schneier. And after reading through stacks and stacks of them, Schneier says that yes, the NSA is extremely capable and full of smart people but "they are not made of magic".

A cryptographer by training and a security thinker by trade, Schneier has spent many hours reading the Snowden documents and thinking about what they mean, both in terms of the NSA's actual capabilities and their effect on data security and privacy. Much of the news, clearly, is not good on that front. The NSA has a dual mission: to protect the communications infrastructure of the United States and to eavesdrop on the communications of foreign nations The agency, Schneier said, is very, very good at both of those missions, but it's the eavesdropping piece that has grown exponentially in recent years as the Internet and mobile devices have became pervasive.

"The NSA has turned the Internet into a giant surveillance platform, one that is robust politically and technologically," Schneier said during a talk at the RSA Conference here Tuesday. "When you have the budget of the NSA and you have the choice to get the data this way or get it that way, the correct answer is both. Fundamentally the NSA's mission is to collect everything, and that's how you have to think about it."

That collect-everything mentality is enabled by the vast budget, reach and computing power that the NSA has at its disposal. Those advantages allow the agency to not just collect, but store, virtually any amount of data it chooses. But one of the NSA's other key assets—and perhaps its largest advantage over other intelligence agencies—is its brain power. The agency employs an untold number of top mathematicians and cryptographers and computer scientists, and they all work on solving difficult problems. One of their tasks is overcoming a key obstacle for NSA data collection: encryption.

The NSA is known to be working on an unspecified capability to defeat SSL, and Schneier said that while he hasn't seen any direct evidence of what that capability might be, there are a number of possibilities.

"My favorite idea right now is elliptic curves. If they know that certain curves are weak they could then try to get algorithms using those curves," he said.

Other possibilities are some kind of factoring breakthrough, a successful attack on the RC4 cipher, which is known to have some problems already, or a method for exploiting weak random-number generators. But even with all of the resources at its disposal, the NSA currently has a difficult time dealing with encrypted traffic, Schneier said, and that's something that users should use to their advantage.

"The NSA can't break Tor and it [ticks] them off. Most crypto drives the NSA batty," he said. "Encryption works and it works at scale. The NSA may have a large budget than all of the other intelligence agencies combined, but they are not made of magic. Our goal should be to make eavesdropping more expensive. We should have the goal of limiting bulk collection and forcing targeted collection."

Schneier added that now that many of the NSA's methods and tools are out in the open, it's reasonable to expect other agencies, as well as other classes of attackers, to adopt some of them.

"These techniques are spreading. Figure that this is a three to five-year window for cybercriminals to use them," he said. "Today's NSA programs are tomorrow's PhD theses and the next day's hacker tools. Surveillance is the business model of the Internet."

Categories: Articles, Text

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.