Chances are that whatever technology you're using, the NSA has already cracked it. The agency's elite Tailored Access Operations (TAO) unit offers an extensive catalogue of hardware, software and firmware exploits that can be deployed against commercial products, including switches, firewalls, servers, storage products and telecoms equipment. Some of these can be exploited remotely; others are designed to be installed covertly, including during shipping.
More worrying are revelations that IT equipment, particularly security products, may have been deliberately sabotaged at the behest of intelligence agencies, leaving them not only open to the agencies themselves, but open to attack from malicious outsiders.
This has taken security concerns to a new level. Most observers were grudgingly accepting of the fact that security agencies hoard knowledge of vulnerabilities. The ability to compromise a system is valuable, and the main downside is that non-disclosure of flaws is a calculated risk: it relies on the hope that the NSA's hackers are smarter than the rest of the security research community, some of whom may use the flaws for nefarious purposes.
One example of this is Dual_EC_DRBG, a random-number generator used in encryption algorithms. The NSA introduced a backdoor into the standard, allowing crypto to be more easily attacked. The agency then allegedly paid security vendor RSA $10 million to use the standard in its products, which it continued to do for several years after the backdoor was independently discovered and revealed by security researchers.
That the NSA weakened Dual_EC_DRBG is unquestioned; RSA for its part has denied complicity, but it almost doesn't matter whether RSA is telling the truth or not: the fact is that products, which customers rely on for security, were weakened and potentially exposed to attack by third parties, not just the US government. This is not helping RSA's reputation one bit, and the company is clearly hoping the damage will be short term. Some speakers and exhibitors at its annual RSA Conference have withdrawn their participation, citing this incident as the catalyst. RSA is not the only vendor under the microscope though: Cisco has blamed the spy fiasco for its poor sales performance in China, and several other IT firms are under investigation by Chinese authorities.
Elsewhere, businesses are also starting to question whether US partnerships are wise. A lucrative satellite deal in the UAE may fall through after suspicions that some components may harbour intelligence backdoors. Boeing lost a multibillion-dollar deal to Saab, in Brazil, in the wake of Edward Snowden's revelations. Cloud computing as an industry is particularly vulnerable, with analysts suggesting $35 billion could be lost, and some services already shut down over privacy concerns.
Spooked by the groundswell of anger about privacy, the industry is calling for sweeping reform of surveillance and transparency to avoid further damage. The NSA and its partner agencies are fighting this, and so far no progress has been made, leaving the balance of power firmly in the hands of the government, though the White House has declared that it is actively considering options.
However, the reality is that what most would have considered the wildest tinfoil hat conspiracy theories have in fact been borne out to at least some degree. Intelligence agencies not only possess backdoor access to the IT equipment we use every day, they have also acted to introduce vulnerabilities and reduce the security of products sold in the market, possibly with the collusion, or at least co-operation, of the vendors we trusted. And even if you trust those agencies, the flaws they have introduced may be exploited by attackers.

