NSA Bullrun, 9/11 and Why Enterprises Should Walk Before They Run
In recent years, nearly every time I've seen the National Security Agency at a security event (they're usually out in a recruiting capacity), they bring an Enigma machine. The Enigma is a code generating machine built by the German military that was cracked by the U.S military, and it played an important role in helping the Allies win World War II. That's what the NSA does—it cracks codes—and that has always been its mission.
Last week, reports emerged that the NSA is in fact still pursuing its mission of cracking codes; this time, however, it's not German code machines, but rather the core cryptographic tools that secure the Internet.
While there has been a lot of reaction to the disclosure, in my opinion it's important for enterprises to remember and understand a few key facts.
Edward Snowden Never Had Access to Bullrun
Though Mr. Snowden (the man who has been disclosing information about the NSA's programs) clearly has information on what the NSA is (or was) doing, he didn't have full access. The full operational details and complete capabilities of the program, code-named "Bullrun," that the NSA has for cracking/influencing Internet cryptography are still shrouded in lots of secrecy. Over the weekend, Nicole Perloth, one of the New York Times reporters who helped write the Snowden Bullrun story, tweeted that her publication didn't publish full details because it didn't have them. Perloth tweeted, "... Snowden was not cleared for Bullrun."
The NSA Isn't Interested in You
The goal of the NSA is national security to help prevent another 9/11-type attack. With the anniversary of that terrible day coming up this week, it's critical to remember that fact. If a known terrorist organization sends an encrypted message that could have operational details about an act of violence, shouldn't we all want the "good guys" to know about it, so they can stop it?
The 9/11 Commission said that there was a failure in the U.S. intelligence community because they failed "to connect the dots" about the attack. Being able to defeat crypto is a necessary tool. Now don't get me wrong, in a free and democratic society we need privacy and individual freedom. The government should not be allowed to invade individual privacy. But it is a balancing act here. If the NSA stays true to its intended national security purpose, the only people's privacy they should be invading is of those who would do us harm.
Your SSL Is Probably Misconfigured
The other truth that enterprises need to consider is how they are using cryptography today. One of the big items in the Snowden Bullrun disclosure is the allegation that Secure Sockets Layer (SSL) has been breached by the government. SSL is used by all of us everyday to secure our Web transactions and is a foundational element of Internet security.
The truth is that the NSA doesn't really need any crazy tools to actually hack SSL, since in the majority of cases today, SSL is not properly deployed anyway.
According to the latest stats from SSL Pulse, just under 25 percent of SSL sites are actually secure. That's right—most enterprises and Websites are not properly using SSL security to begin with.
So my suggestion is a simple one. Yes, as people who want to live in a free society and not a police state, we should always be wary of "Big Brother" snooping on us. But we should also tie our own shoes too and learn to walk before we run.
Properly configuring SSL is only one (small) piece of the Internet cryptography puzzle, but it's an important one. The reality that I see everyday is that hackers target the low-hanging fruit and system misconfigurations more so than the exotic zero-day flaws. So fix what you can and configure your own SSL and crypto properly, and then you'll be more secure, regardless of what NSA Bullrun might be able to do.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.