NSA Allegedly Able To Crack Most Data Encryption
According to a report released yesterday by The Guardian newspaper, the U.S. National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) are able to circumvent most encryption.
The agencies can break encryption used to secure private data, such as protections for e-mails, bank records and medical records, per the report, which is based on leaked secret documents by NSA whistleblower Edward Snowden. The documents describe an NSA project code-named "Bullrun," which has focused billions of dollars on cracking encryption technology since 2000. It wasn't until 2010 that the project had reached its goal.
"For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," states the 2010 GCHQ document reported on by The Guardian. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."
The actual logistics on NSA's ability to crack encrypted data has been a closely held secret and analysts working for the GCHQ were told, "Do not ask about or speculate on sources or methods underpinning Bullrun," according to a British internal document.
However, in vague terms, the documents allege that along with using supercomputers to break encryption, the NSA covertly inserted code to weaken encryption standards and to provide a window for access for the security agency. Also, in a supporting operation to Bullrun called the "Sigint Enabling Project," the NSA spent more than $250 million a year to persuade tech firms to make their commercial software and services exploitable.
While specific companies weren't named as participating in the Sigint Enabling Project, earlier reports on the NSA RISM surveillance program have alleged that firms such as Microsoft, Google, Facebook and Apple have all worked closely with the intelligence agency in the name of national security.
Commenting on the recent The Guardian report, Dave Anderson, a senior director with Voltage Security said that the main way that the NSA can gain access to encrypted data is when security protocols are lax, whether that be from IT firms working closely with federal law enforcement or relaxed user security habits.
"In the light of this, it seems likely that any possible way that the NSA might have bypassed encryption was almost certainly due to a flaw in the key management processes that support the use of encryption, rather than through the cryptography itself," said Anderson in an e-mailed comment. "So, is it possible that the NSA can decrypt financial and shopping accounts? Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error."