In their filing the technical experts are asking many questions, including whether the NSA hacks into remote servers, perhaps by "obtaining keying material surreptitiously or covertly without authorization or notice of the key holder." Another question is, "Does the NSA place operatives, analysts or agents inside U.S. companies to facilitate surreptitious or covert access to keying material? Does it do so outside the United States? Does it cooperate with the UK's GCHQ in doing this?"
The roughly 50 technical experts also said the Review Group appointed by President Obama should inquire how the NSA keeps the vast quantity of information it collects secure to minimize the chance of a data breach. The experts indicated more should be known about the NSA's PRISM program revealed by Snowden and how it collects the content of targets.
Regarding the RSA BSAFE issue, the group says, "NIST and RSA have initiated public recalls of the standard and the products that rely on BSAFE and have advised users that they more than likely contain a backdoor. This has not only worked to undermine NIST's credibility but also it has made it easier for those that would spy on business communications that rely on U.S. security tools."
The experts' filing says, "The reality is that backdoors and covert access mechanisms are fragile and often exploited by organized criminals, hackers and the military and intelligence services of other governments, and they can be easily bypassed by using non-vulnerable communications methods. The revelation of these backdoors has already had a negative effect on commerce in the United States, as businesses and users worldwide with a need for secure communications are likely to look outside of the United States for products and services."
The high-tech industry is increasingly wary about what the next Snowden revelations — whether proven true or false over time — may bring.
A primary fear, one company representative said privately, is that one day we'll see screaming headlines that his company had an executive who years ago made some kind of secret deal with the NSA to embed a backdoor in a product. How would a vendor survive that?
And placing a tech-savvy insider into a high-tech firm who could compromise products or services on behalf of an intelligence agency would be fairly simple, thinks Kocher of Cryptography Research. "There's no doubt in my mind that's being done."
Kocher says the NSA revelations have created a "loss of innocence in the security world." The NSA has been given billions of dollars by the U.S. government to attack commercial systems. But the bugs in them don't need to be planted so much as simply exploited based on weaknesses already there, Kocher notes. He concludes that now that the U.S. knows more about the NSA, maybe it's time to learn a little about what happens in intelligence agencies in far more repressive countries around the world.