The Electronic Frontier Foundation's Cindy Cohn and Trevor Timm look at the NSA's Bullrun program, through which the US and UK governments have spent $250M/year sabotaging computer security. Cindy is the lawyer who argued the Bernstein case, which legalized civilian access to strong cryptography — in other words, it's her work that gave us all the ability to communicate securely online. And so she's very well-situated to comment on what it means to learn that the NSA has deliberately weakened the security that ensures the integrity of the banking system, aviation control, embedded systems in everything from cars to implanted defibrillators, as well as network infrastructure, desktop computers, cloud servers, laptops, phones, tablets, TVs, and other devices.
Thankfully, the recent disclosures have led to at least some change. The National Institute of Standards and Technology (NIST), the government agency in charge of one of the cryptographic standards the NSA has alleged to have secretly weakened, has reopened public comment on its standard and has even gone as far as to recommend people do not use it anymore.
And we're beginning to see the international computer security community come to grips with this disturbing news.
But we must do more.
* We must rebuild the broad coalition that fought the first crypto wars, including investors, businesses, civil liberties groups, scientists and ordinary people.
* We must expose the vulnerabilities that have been secreted into our technologies. We must expose them and we must demand that they be fixed.
* We must ask standards bodies, companies and individual developers to pledge, publicly and unequivocally, to reject efforts to build backdoors or insert known vulnerabilities into their products—and create transparency so that they can't secretly cooperate with these efforts in the future.
* We must build our own tools, and support the tools that already exist that are independently verifiable as secure (most prominently, open source tools).
* We must support efforts in Congress to rein in the NSA and bring it back under the rule of law, and we must make sure those efforts ensure that our technologies are safe.
* And we must not succumb to privacy nihilism.
But the public debate must start from a fundamental principle: The NSA has been making us less safe and it must stop. Now.