Nature | Editorial

Spooked

Researchers and lawmakers must work to rebuild trust in secure Internet standards.


When Johns Hopkins University ordered cryptography researcher Matthew Green to take down a blog post last week, it found that its action only made the material more visible. The university quickly backed down, but the global media began to pay attention to the post, which discussed revelations that the US National Security Agency (NSA) has compromised or circumvented the encryption techniques on which the security of Internet communications, electronic health records, e-commerce and banking are based.

The allegations — the latest in a series of disclosures about NSA activities — and Green’s analysis of them should make one sit up and listen. “Not only does the worst possible hypothetical I discussed appear to be true, but it’s true on a scale I couldn’t even imagine,” he wrote.

NSA mathematicians have been among the leading contributors to encryption research and the development of standards meant to protect the security of the Internet, often working closely with academic researchers and key bodies such as the respected US National Institute of Standards and Technology (NIST). But according to allegations made by The New York Times, The Guardian and public-interest-journalism website ProPublica in early September, based on documents provided by NSA whistle-blower Edward Snowden, the agency has also worked to weaken or create vulnerabilities in encryption standards.

Other allegations include collaborating with technology companies to provide entry points into their products, as well as forcing Internet companies to hand over encryption keys or hacking these from servers to defeat security.

On 9 September, NIST took the unprecedented step of opening a review of two of the suspect standards, and went so far as to warn users not to apply one of the standards until vulnerabilities had been double-checked by cryptographers. The Internet Engineering Task Force (IETF), an open international body that develops the core standards of the Internet, is now looking at how it can harden Internet protocols to reinforce security and privacy against NSA-type attacks, and will take up the issue at its next meeting, in Vancouver, Canada, in November. This week, cryptographers at the University of Bristol, UK, published an open letter that called for a parliamentary enquiry into how security has been compromised.

Just as toxic subprime loans in the mid-2000s poisoned trust among financial institutions, leading to the financial crisis, the NSA’s actions have poisoned people’s trust in all the groups that make up the Internet ecosystem, from the giants of Google and Yahoo to telecoms companies, cloud-computing providers and the makers of chips and routers. US technology companies are likely to be the first to suffer, but the NSA’s actions have corrupted the very fabric of the Internet.

“Mathematicians in the NSA, and external academics working with the agency, should examine their consciences.”

Writing in The Guardian, cryptography researcher and security expert Bruce Schneier has called for scientists and engineers to take back the Internet, and for more whistle-blowers to come forward to detail how the NSA and authoritarian states are sabotaging electronic freedoms.

Certainly, mathematicians in the NSA, and external academics working with the agency, should examine their consciences. Mathematical associations and universities with links to the NSA should be more public and vocal about the revelations.

Like the IETF, Schneier wants scientists to re-engineer the Internet to make it more secure. Some technical improvements can be made — open-source code, which can be reviewed by anyone, is likely to be a major benefactor and facilitator — and the trust and security paradigms of developing Internet protocols have without doubt been irreversibly changed. But the Internet was not designed to be secure, and as the IETF points out on its blog, the scale of the NSA attacks was “not envisaged during the design of many Internet protocols”.

As Schneier and the IETF acknowledge, technology is only part of the solution. Regulation of surveillance on the Internet, and of attacks on civil liberties, is as much a question of policy as of engineering, or more so. It has become abundantly clear over the past few months that there is but a fig leaf of oversight to protect against abuse of civil liberties by the NSA. The balance between security and civil liberties has gone off the charts in the wrong direction.

Journal: Nature, Volume 501, Page 282. DOI: 10.1038/501282a
