Reported NSA actions raise serious questions about tech industry partnerships

Revelations that the National Security Agency may be pressuring vendors to put hidden backdoors in their software and hardware for espionage purposes cast a long shadow over the many programs the NSA runs to work with the high-tech industry on evaluating, testing and accrediting products that use encryption.

The NSA's actions, revealed in documents leaked by former contractor Edward Snowden and made public by The Guardian and The New York Times, raise questions about NSA-run programs such as the Commercial Solutions for Classified Components (CSfC), the National Information Assurance Partnership, and the DoD Information Assurance Certification and Accreditation Process, as well as protocols promulgated by the NSA, such as Suite B cryptography. Virtually every U.S.-based network and security product provider of any significance participates in some way in these product evaluation programs, because participation is what allows them to sell to federal agency customers and the military.

To date, news sources such as The Guardian, which has worked closely with Snowden, haven't put forward the names of any companies that may have agreed to compromise their products on the NSA's behalf, nor have they mentioned these NSA-run product-evaluation programs.


But last Friday, the Obama Administration appeared to confirm assertions made in the media the day before that the NSA works through partnership programs with industry to undermine network and security products for espionage purposes.

The Office of the Director of National Intelligence (ODNI) didn't refute the notion that the NSA spends millions of dollars each year to subvert software and hardware by pressuring the high-tech industry to put in backdoors for the NSA's benefit. In its official statement, ODNI said the stories published "reveal specific and classified details about how we conduct this critical intelligence activity."

Leaked documents posted by the Times and the Guardian included NSA statements such as one that the NSA's SIGINT division "actively engages the U.S. and foreign IT industries to covertly influence and overtly leverage their commercial products' designs. These design changes make the systems exploitable through SIGINT collection (e.g., Endpoint, Midpoint, etc.) with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact." One stated goal is to "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices used by targets." How the NSA manages to make these modifications is classified "top secret," according to the Snowden documents posted online. Through its numerous product evaluation programs with industry, the NSA would have ample opportunity to pursue these goals.

Bruce Schneier, crypto expert and author of several books, including the recent "Liars and Outliers," maintains that the revelations about the NSA constitute a fundamental betrayal of the Internet and the people who use it. He argues that anyone, especially engineers, with knowledge of how the NSA is subverting software and hardware should go public with what they know, as long as they are not bound by specific legal or confidentiality restrictions, such as a National Security Letter.

"If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story," said Schneier in a recent Guardian article. "Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers."

When asked yesterday whether China and Russia might also be working with their own homegrown industries to subvert products for espionage purposes, Schneier said he had no direct knowledge of this. But having read a slew of the documents Snowden has released, Schneier said he is convinced that the NSA is doing "everything possible" to ensure complete access to everything it can. The influence of the U.S. and the United Kingdom over software, hardware and the Internet gives them "a very privileged position on the Internet," he said.

The NSA readily acknowledges that it is always seeking to "break" the security and encryption of adversaries; that, after all, is part of its mission as America's cyber-espionage agency, which also maintains a Cyber Command to attack adversaries via cyberspace. But the revelation that the NSA spends millions each year trying to get software and hardware vendors to modify their products to include backdoors for intelligence collection, and to weaken cryptographic and security systems, raises the question of what legal ramifications all of this will have as more becomes known.

Lawsuits from both businesses and consumers may arise if it becomes known that specific products and services were designed with backdoors for the NSA without disclosure to the buyer, which would be seen as a deceptive practice. Some of Snowden's revelations in June about the NSA's so-called PRISM program for intelligence collection are already starting to have legal consequences.

Under PRISM, the NSA can collect e-mail, chat, videos, stored data, VoIP, file transfers and other material from Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype and AOL. Microsoft and Google say they provide this data to the NSA under Foreign Intelligence Surveillance Act orders and want to disclose how many such orders they receive each year, but say the U.S. Department of Justice has so far refused to agree to that.

At the end of August, Microsoft General Counsel and Executive Vice President Brad Smith said his company and Google would "move forward with litigation in the hopes the courts will uphold our right to speak more freely." They did that yesterday in legal filings at the Foreign Intelligence Surveillance Court, joined by Yahoo.

Public prosecutors in France are reported to be building a case against the NSA and the FBI for PRISM-related spying on French citizens.

Overall, there is a kind of gloom in the high-tech industry, and wariness among business customers, about the implications of what the NSA is said to be doing in its zeal to gather intelligence for purposes of national defense.

Richard Stiennon, chief research analyst at the consultancy IT-Harvest, says that given how badly the NSA's purported actions have hurt U.S. industry, lawsuits should fly. He adds: "Like many well-intentioned government efforts, the NSA has singlehandedly done more damage to the reputation of U.S. technology companies than any other event in the brief, meteoric rise of U.S. dominance. The implication that the most powerful and well-funded intelligence service can leverage its relationship with U.S. companies such as Microsoft, Google, Yahoo, and even Apple, to get foreknowledge of vulnerabilities or backdoors into their information systems, is going to kick off a new era of tech mercantilism. All U.S. tech companies are going to be asked tough questions by their global clients. I am already hearing from tech giants that they are being asked to attest to the absence of an NSA presence in their data centers. Competing cloud services and security products from European and Nordic states are going to see rapid growth."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.
