SAN FRANCISCO: The U.S. National Security Agency is rebuffing efforts by a leading Congressional critic to determine whether it is continuing to place so-called back doors into commercial technology products, in a controversial practice that critics say damages both U.S. industry and national security.
The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others. These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications. The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.
“Secret encryption back doors are a threat to national security and the safety of our families – it’s only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security,” Wyden told Reuters. “The government shouldn’t have any role in planting secret back doors in encryption technology used by Americans.”
The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws. “At NSA, it’s common practice to constantly assess processes to identify and determine best practices,” said Anne Neuberger, who heads NSA’s year-old Cybersecurity Directorate. “We don’t share specific processes and procedures.”
Three former senior intelligence agency figures told Reuters that the NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of warning if the back door gets discovered and manipulated by adversaries. The continuing quest for hidden access comes as governments in the United States, the United Kingdom and elsewhere seek laws that would require tech companies to let governments see unencrypted traffic. Defenders of strong encryption say the NSA’s sometimes-botched efforts to install back doors in commercial products show the dangers of such requirements.
Critics of the NSA’s practices say they create targets for adversaries, undermine trust in U.S. technology and compromise efforts to persuade allies to reject Chinese technology that could be used for espionage, since U.S. gear can also be turned to such purposes.
In at least one instance, a foreign adversary was able to take advantage of a back door invented by U.S. intelligence, according to Juniper Networks Inc, which said in 2015 its equipment had been compromised. In a previously unreported statement to members of Congress in July seen by Reuters, Juniper said an unnamed national government had converted the mechanism first created by the NSA. The NSA told Wyden staffers in 2018 that there was a “lessons learned” report about the Juniper incident and others, according to Wyden spokesman Keith Chu.
“NSA now asserts that it cannot locate this document,” Chu told Reuters.
NSA and Juniper declined to comment on the matter.
The NSA has pursued many means for getting inside equipment, sometimes striking commercial deals to induce companies to insert back doors, and in other cases manipulating standards – namely by setting processes so that companies unknowingly adopt software that NSA experts can break, according to reports from Reuters and other media outlets. The tactics drew widespread attention starting in 2013, when Snowden leaked documents referencing these practices.
Tech companies that were later exposed for having cut deals that allowed backdoor access, including security pioneer RSA, lost credibility and customers. Other U.S. firms lost business overseas as customers grew wary of the NSA’s reach.