Why The Latest NSA Revelations May Truly Be Groundbreaking
Recently, the latest Edward Snowden disclosures came to light in a joint article by ProPublica, The Guardian and The New York Times. These newest revelations, if true, are startling.
I should note here that I’m among those who regard Edward Snowden to be a traitor rather than a hero. As someone who has spent the bulk of my adult life in some rough places, I believe his actions have put us in danger and that he should go to jail.
Also, as I’ve written before, I believe that the NSA has acted responsibly and that in some ways their methods reflect the least intrusive possible way to keep us safe. There is every indication that the NSA has followed the laws under which it operates. However, this new disclosure is notable not for what it says about the NSA’s actions, but about its capabilities.
Why This Time Is Different
The NSA works with technology companies in order to make spying easier for them. While many find this shocking, it is nothing new and the truth is that attentive observers assumed that most of this stuff was happening. You know what’s possible, you read the news and you have a pretty good idea what’s going on.
However, the article hinted that the NSA is not only doing what’s possible, but they very well may be doing what we thought was still impossible. Buried in the middle of the article was this quote from a confidential 2010 memo from the NSA to its British counterpart.
“Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
The British analysts were apparently “gobsmacked,” which would seem to indicate something more than strong-arming private companies into revealing keys or inserting minuscule vulnerabilities into encryption standards. If that were the case, the British would surely have known about it before 2010.
So what the NSA revealed to the British must have been truly groundbreaking. Some are inferring that it means that the agency has cracked a decades-old problem and, if true, it would be a genuine game changer.
A Simple Guide to How Encryption Works
Imagine an Indiana Jones movie where the hero needs to find a key broken into two parts. That, in essence, is how most public key encryption works except the two parts of the key are prime numbers. If the numbers are small, say 5 and 7, the resulting product (i.e. 35) would not be hard to factor down.
However, if the numbers are a hundred digits long, then the math becomes very, very difficult. So difficult, in fact, that the keys are routinely made public because it would take decades, if not centuries, to factor them down even using a supercomputer.
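The relationship between the two primes and the public key described above, as an added example that is not part of the original article: textbook RSA in Python with no padding, where counting trial divisions shows how the factoring work grows with key size. The function names, the exponents and the second pair of primes (10007 and 10009) are constructed for illustration.

```python
from math import gcd, isqrt

def make_keypair(p, q, e):
    """Textbook RSA key from two primes (no padding; illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), pow(e, -1, phi)  # public key (n, e), private exponent d

def factor_by_trial_division(n):
    """Return (p, q, divisions_tried) for n = p*q; work grows with sqrt(n)."""
    tried = 0
    for candidate in range(2, isqrt(n) + 1):
        tried += 1
        if n % candidate == 0:
            return candidate, n // candidate, tried
    raise ValueError("n has no nontrivial factor")

def recover_private_exponent(public_key):
    """Rebuild d from the public key alone, which is possible once n is factored."""
    n, e = public_key
    p, q, tried = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1)), tried

def demo(p, q, e, message):
    """Encrypt with the public key, then decrypt using only a factored n."""
    public, d = make_keypair(p, q, e)
    n, _ = public
    ciphertext = pow(message, e, n)
    recovered_d, tried = recover_private_exponent(public)
    return {
        "n": n,
        "ciphertext": ciphertext,
        "d_matches": recovered_d == d,
        "plaintext": pow(ciphertext, recovered_d, n),
        "divisions": tried,
    }

if __name__ == "__main__":
    print(demo(5, 7, 5, 3))                   # the article's 5 and 7: n = 35
    print(demo(10007, 10009, 65537, 424242))  # constructed five-digit primes
    # Two 100-digit primes give n near 10^200, so about 10^100 divisions.
    print(f"200-digit modulus: about 10^{200 // 2} trial divisions")
```

Trial division is the simplest factoring method, not the fastest known; it is used here only because its cost is easy to count.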
It has long been known that this method of encryption would not last forever. If someone proved the Riemann hypothesis, for example, prime numbers could be predicted and public encryption would be useless. Further, once we fully enter the age of quantum computing, public key encryption can be broken using a technique called Shor’s algorithm.
So, if the implication that the NSA has really found a way to thwart public key encryption is true, then the agency is roughly a decade ahead of schedule.
How Encryption Affects Our Everyday Lives
Most people are unaffected by NSA surveillance. There are laws against spying on Americans and protocols for destroying the information if it is obtained inadvertently. If there really was widespread abuse, we would surely find out about it. Secrets that affect the American public don’t stay secret for long.
However, public key encryption affects us all. Every time we do a transaction online, whether that be a bank transfer, a bill payment or a purchase from a retail site, we are using public key encryption. Whenever you see the little padlock symbol in your browser, these methods are at work. They make up the very fabric of the commercial web.
And that’s what’s disturbing. If the NSA can break public key encryption, then others are probably not far behind. Once that happens, all of global electronic commerce is essentially at risk. That’s scary.
Before I go any further, it’s important to note that most cybercrime is relatively low-tech. In the vast majority of cases, security breaches are the result of social engineering (effectively, obtaining information through a ruse) rather than the work of criminal masterminds capable of amazing feats of mathematical code-breaking.
It should also be mentioned that this is a problem that we’ve known was coming for some time—decades, in fact. So there are solutions, such as the quantum internet that we know the US government has been operating for over two years.
Still, this latest disclosure reveals just how fragile the digital world really is. We are increasingly living in a world built not on bricks and mortar, but on math problems which, no matter how difficult, will all be solved one day.
Eventually, we’ll have to learn to live with the fact that our privacy will never be fully secure, but instead is subject to an eternal arms race between codes and codebreakers.