The National Security Agency essentially bribed an influential computer and network security firm to build a secret backdoor into the encryption in one of its products, according to a new report.
In September, The Guardian, drawing on top-secret documents leaked by former NSA contractor Edward Snowden, reported that the National Security Agency had deliberately weakened the security standards behind a wide range of technology products so that it could read data through so-called "backdoors" in those systems.
On Friday, a Reuters exclusive showed how, in one case, the NSA pulled this off: with money.
According to Reuters, the NSA paid RSA Security, described as "one of the most influential firms in the computer security industry," $10 million under a contract to build NSA-friendly code into a key part of the encryption in one of RSA's widely used security tools. The report was based on "two sources familiar with the contract."
RSA had already been named in an NSA leak as one of the companies whose software appeared to be intentionally flawed. In September, RSA itself warned customers to stop using the NSA-tied number-generation formula in its BSafe encryption toolkit, the formula that Reuters now reports was the NSA's preferred one.
"Now we know that RSA was bribed," said Bruce Schneier, cryptographer, computer security expert, and NSA critic, to CNET. "I sure as hell wouldn't trust them. And then they made the statement that they put customer security first." Schneier was referring to the statement given in response to the Reuters report by RSA and its parent company EMC Corp.: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own." The NSA declined to comment for the Reuters article.
The Snowden documents described the NSA and its British counterpart, GCHQ, as working covertly to gain access to encrypted data by several means, including so-called "brute force" (throwing time and processing power at a cipher until it breaks) and "covert influence" over the design of some encryption standards, in order to "insert vulnerabilities into commercial encryption systems." In one case, according to reports, the NSA covertly shaped a security standard issued by the U.S. National Institute of Standards and Technology, a standard for which the NSA "became the sole editor."
Simply paying a company is now revealed as yet another method. Although $10 million is a paltry sum for a major U.S. intelligence agency, Reuters reports that it "represented more than a third of the revenue that the relevant division at RSA had taken during the entire previous year."
The RSA revelation may be only one detail pointing toward more revelations to come, according to Schneier. "You think they only bribed one company in the history of their operations? What's at play here is that we don't know who's involved," Schneier told CNET. "You have no idea who else was bribed, so you don't know who else you can trust."