Two very different technology offerings were dropped on Thursday because of fears that the US and China might be trying to spy on the customers using them.
In Baltimore, Maryland—just down the road from the headquarters of the National Security Agency in Ft. Meade—a US company called CyberPoint International lost a contract to provide a videoconferencing system to the federal government after US Customs determined that CyberPoint’s offering was in fact Chinese, substantially made by telecom equipment maker ZTE. A US House Intelligence panel has recommended that government agencies and contractors should avoid using equipment made by ZTE and its larger Chinese counterpart Huawei, because of fears that they might have ties to the Chinese military that could compromise the security of federal computer networks. ZTE and Huawei have strenuously denied the claims.
Meanwhile, another US company called RSA Security—a unit of computer storage giant EMC—quietly told its customers to stop using a random-number generator, the kind of component used to create encryption keys, that it had long recommended. According to documents leaked by whistleblower Edward Snowden, the NSA, which helped create the Dual Elliptic Curve Deterministic Random Bit Generator (or Dual EC DRBG for short), had secretly built a weakness into the algorithm so that it could exploit it later.
Experts have long suspected that Dual EC DRBG, which generates the pseudorandom numbers from which encryption keys are made, was intentionally flawed. In a 2007 article, cryptographer Bruce Schneier noted that it is several orders of magnitude slower than competing generators and contains a glaring weakness: the algorithm is built around two fixed elliptic-curve points, and whoever chose them could hold a secret number relating one to the other. With that number, a few dozen bytes of the generator's output are enough to recover its internal state and predict every number it produces from then on. Whoever possesses that secret essentially has a “skeleton key.”
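The following is an added illustration of that weakness, not code from the article, from RSA, or from the NIST standard. It runs a toy version of the Dual EC DRBG on a small constructed curve (a 14-bit prime field standing in for the real 256-bit one, and 10 output bits kept per block instead of 240), with a base point P and a second point Q = d·P. The party that knows d, and hence e = d⁻¹ mod the group order, reads two output blocks, guesses the few truncated bits, and recovers the generator's internal state; from there every later block is predictable. The field size, the backdoor value d, the seed and the number of truncated bits are all assumptions chosen for illustration.

```python
"""Toy Dual EC DRBG with its 'skeleton key' (constructed example, not real code).

A tiny prime field stands in for NIST P-256 and only 10 output bits are kept
per block instead of 240, so guessing the dropped bits costs 2^4 not 2^16.
"""

P_MOD = 10007      # prime; 10007 % 4 == 3 makes the modular sqrt a single pow()
A = -3 % P_MOD     # curve y^2 = x^3 + A*x + B, same a = -3 shape as the NIST curves
TRUNC_BITS = 10    # output bits kept per block (the real spec keeps 256 - 16)
MASK = (1 << TRUNC_BITS) - 1
INF = None         # point at infinity


def legendre(n):
    return pow(n % P_MOD, (P_MOD - 1) // 2, P_MOD)


def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def find_curve():
    """Return (B, N): first B giving a non-singular curve whose order N is a
    prime larger than P_MOD, so every state 0 < s < P_MOD has s*P != INF."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0:
            continue                      # singular curve
        n = 1                             # count points: infinity plus ...
        for x in range(P_MOD):            # ... 1 or 2 per x whose rhs is a square
            rhs = (x ** 3 + A * x + b) % P_MOD
            n += 1 if rhs == 0 else (2 if legendre(rhs) == 1 else 0)
        if n > P_MOD and is_prime(n):
            return b, n
    raise RuntimeError("no suitable curve")


B, N = find_curve()


def point_from_x(x):
    """Lift x to a curve point (x, y), or None if x is not on the curve."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    if rhs == 0 or legendre(rhs) != 1:
        return None
    return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))   # sqrt, valid as p ≡ 3 mod 4


def add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    acc = INF                              # double-and-add
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc


def x_of(k, pt):
    """The spec's phi(k*pt): x-coordinate, or None at infinity."""
    r = mul(k, pt)
    return None if r is INF else r[0]


G = next(p for p in map(point_from_x, range(P_MOD)) if p)  # base point P (N prime: any point generates)
D = 4242                  # assumed backdoor secret: whoever picked Q chose it as D*P
Q = mul(D, G)
E = pow(D, -1, N)         # the skeleton key: E*Q = P


def dual_ec_outputs(seed, n_blocks):
    """Dual EC DRBG core: s <- x(s*P); r <- x(s*Q); publish r minus its top bits."""
    s, out = seed, []
    for _ in range(n_blocks):
        s = x_of(s, G)
        if s is None:
            raise ValueError("degenerate state (s ≡ 0 mod N)")
        out.append(x_of(s, Q) & MASK)
    return out


def recover_state(out0, out1):
    """From two consecutive blocks and E, return the state that produced out1;
    every later block follows from it."""
    for hi in range((P_MOD >> TRUNC_BITS) + 1):   # guess the truncated bits
        x = (hi << TRUNC_BITS) | out0
        if x >= P_MOD:
            break
        R = point_from_x(x)                        # candidate for s*Q (sign irrelevant)
        if R is None:
            continue
        s_next = x_of(E, R)                        # E*R = s*E*Q = s*P, i.e. the next state
        if s_next and x_of(s_next, Q) & MASK == out1:
            return s_next                          # confirmed against the next block
    return None


if __name__ == "__main__":
    blocks = dual_ec_outputs(3141, 6)
    state = recover_state(blocks[0], blocks[1])
    print("observed :", blocks)
    print("predicted:", blocks[:2] + dual_ec_outputs(state, 4))
```

Without e, recovering the state from x(s·Q) means solving a discrete logarithm on the curve, which is the hard problem the generator's security rests on; with e it is one scalar multiplication per guess of the truncated bits. Nothing in the published output betrays whether the constants were chosen this way, which is why the only defence is to generate one's own Q (as the standard allowed) or to stop using the algorithm, as RSA advised.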
The New York Times, the Guardian, and ProPublica reported at the beginning of the month that after the NSA “lost a public battle in the 1990s to insert its own ‘back door’ in all encryption, it set out to accomplish the same goal by stealth.” RSA’s tacit admission that it has been recommending a compromised algorithm is unlikely to be the last of these revelations.
Schneier, who is now working with the Guardian on its NSA reporting, noted on his blog this week that it is also possible to surreptitiously tamper with computer chips to modify a random number generator, making it drastically easier to crack an encryption scheme. “I have no idea if the NSA convinced Intel to do this with the hardware random number generator it embedded into its CPU chips, but I do know that it could,” he wrote. “Yes, this is a conspiracy theory. But I’m not willing to discount such things anymore. That’s the worst thing about the NSA’s actions. We have no idea whom we can trust.”
China is already planning to probe EMC, IBM, and Oracle over “security issues,” according to the state-run Shanghai Securities News. Trade groups have projected that the NSA revelations could end up costing US technology firms billions in lost sales if their foreign clients suspect that the NSA will have surreptitious access to their systems.
Meanwhile, the allegations against ZTE and Huawei have not been backed up with any evidence that their products have any intentional vulnerabilities that hackers from China or elsewhere could exploit. But it is becoming very clear why American intelligence officials, knowing what their own spy agency has been up to, are so worried about China doing the same thing.