(Reuters) – US National Security Agency rejects efforts by a leading congressman to determine whether it continues to place so-called backdoors in commercial technology products, in a controversial practice that critics say harms both US industry and
the NSA has long sought agreements with technology companies under which they would build special access for the spy agency to their products, according to information from former NSA entrepreneur Edward Snowden and reports from Reuters and others.
These so-called backdoors allow the NSA and other agencies to scan large amounts of traffic without a warranty. Agency advocates say that practice has facilitated the collection of vital intelligence in other countries, including the interception of terrorist communications.
The agency developed new rules for such practices after Snowden leaked to reduce the risk of exposure and compromise, three previous intelligence services. said officials to Reuters. But Oregon Sen.'s aide Ron Wyden, a senior Democrat in the Senate intelligence service, says the NSA has stonewalled in providing even the core of the new guidelines.
"Secret encryption backdoors are a threat to national security and the security of our families ̵
The agency declined to say how it had updated its policy to gain special access to commercial products. NSA officials said the agency has rebuilt trust in the private sector.
"At the NSA, it is common to constantly evaluate processes to identify and identify best practices," said Anne Neuberger, who heads the NSA's year-old directorate of cybersecurity. does not share specific processes and procedures. "
Three former intelligence officials told Reuters that the NSA now requires the agency to weigh the potential fallout and arrange some form of warning before seeking a backdoor. if the back door is detected and manipulated by opponents.
The continued pursuit of hidden access comes as governments in the United States, the United Kingdom and elsewhere seek laws that would require technology companies to allow governments to see unencrypted traffic. Proponents of strong encryption say the NSA's sometimes-lost efforts to install backdoors in commercial products show the dangers of such requirements.
Critics of the NSA's practice say they create targets for opponents, undermine confidence in American technology, and compromise efforts to persuade allies to reject Chinese technology that could be used for espionage, as American tools can also be turned to such purposes.
In at least one case, a foreign opponent could take advantage of a back door invented by the U.S. intelligence service, according to Juniper Networks Inc, which said its equipment had been compromised in 2015. In a previously re-reported statement to congressmen in July seen by Reuters, Juniper said an unnamed national government had converted the mechanism first created by the NSA.
The NSA told Senator Widen's staff in 2018 that there was a "lessons learned" report on the Juniper incident and others, according to Sen Widen's spokesman Keith Chu.
"The NSA now claims it cannot find this document," Chu told Reuters.
NSA and Juniper Refuse to Comment
Juniper & # 39 ;s Compromise
The NSA has sought many means of getting into equipment, sometimes striking commercial deals to get companies to deploy backdoors and in other cases manipulate standards – namely by setting processes. so that companies unknowingly adopt software that NSA experts can break, according to reports from Reuters and other media.
The tactic got a lot of attention from 2013, when Snowden leaked doc.
Technology companies that were later exposed to having cut open stores that allowed backdoor access, including security pioneer RSA, lost credibility and customers. Other US companies lost business abroad when customers became wary of the NSA's reach.
All of this prompted a review of the White House policy.
"There were all sorts of 'learning' processes," says former White House cyber security coordinator Michael Daniel, who advised then-President Barack Obama when the Snowden files broke out. A special commission appointed by President Obama said the government should never "undermine" or "weaken" technical products or compromise standards.
The White House did not publicly adopt that recommendation, but instead reinforces the review procedures for whether to use newly discovered software. shortcomings for offensive cyber operations or get them fixed to improve defense, said Daniel and others.
The secret government contracts for special assets remained outside the formal scrutiny.
"The NSA had contracts with companies across the board to help them, but it is extremely protected," said a lawyer from the intelligence service.
The strongest example of the risks inherent in the NSA's strategy involved an encryption system component that The intelligence service worked with the Commerce Department to get the technology accepted as a global standard, but cryptographers later showed that the NSA could use the Dual EC to access encrypted data.
The RSA accepted a contract on $ 10 million to incorporate Dual EC into a widely used web security system, Reuters reported in 2013. RSA publicly stated that it would not have deliberately installed a back door, but its reputation deteriorated and the company was sold.
Juniper Networks came in hot water over Dual EC two years later, at the end of 2015, the manufacturer of internet switches revealed that it had detected malicious code in certain fires wall products. Researchers later decided that hackers had made the firewalls their own spyware by modifying Juniper's version of Dual EC.
Juniper said little about the incident. But the company admitted to security researcher Andy Isaacson in 2016 that it had installed Dual EC as part of a "customer requirement", according to a previously undisclosed contemporary message from Reuters. Isaacson and other researchers believe that the customer was a US authority, as only the US is known to have insisted on Dual EC elsewhere.
Juniper never identified the customer and declined to comment for this story.
Likewise, the company never identified the hackers. But two people familiar with the matter told Reuters that investigators concluded that the Chinese government was behind it. They refused to disclose the evidence they used.
The Chinese government has long denied involvement in any kind of hacking. In a statement to Reuters, the Chinese Foreign Ministry said that cyberspace is "very virtual and difficult to track. It is extremely irresponsible to make allegations of hacker attacks without complete and conclusive evidence. At the same time, we also noticed that the report mentioned that it was the US intelligence service – National Security Agency – Who Created This Backdoor Technology. "
Sen. Wyden is still determined to find out exactly what happened at Juniper and what has changed since the encryption war heated up.
In July, in previously unreported responses to questions from Wyden and allies in Congress, Juniper said an unidentified nation believed. to be behind the hack in its firewall code but that it had never investigated why it installed Dual EC in the first place.
"We understand that there is a strong political debate on whether and how to give the government access to encrypted content," it said in a letter in July. "Juniper does not install and will not install rear doors in its products and we oppose legislation that prescribes rear doors."
A former senior NSA official told Reuters that many technology companies are still nervous about working secretly with the government. But the agencies' efforts continue, the person said, because special access is seen as too valuable to give up.