UPDATE: a response from CSEC appended.
Revelations from the Edward Snowden leaks continue, and we finally have some idea of the role that Canada’s Communications Security Establishment (CSEC) has played in the largest surveillance effort in human history.
Prior reporting has established that the NSA broke some of the Internet’s most widely used cryptography: the Dual EC DRBG encryption standard created by the International Organization for Standardization, which includes 163 member countries. Millions have protected their data with the standard since it was established in 2006, unaware that the NSA had back-door access to unscramble their information the whole time.
A story posted last night by The New York Times, based on yet more leaked NSA memos from Edward Snowden, documents how the NSA seized control of the crypto standard from CSEC, which at the time was entrusted with overseeing the encryption standards process for the International Organization for Standardization.
According to the Times, the classified NSA memos read as follows:
“The road to developing this standard was smooth once the journey began… However, beginning the journey was a challenge in finesse … After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft … Eventually, N.S.A. became the sole editor.”
If the memos are accurate, then Canada betrayed its obligation to its partner countries around the world, handing the U.S. keys with which it could (and reportedly did) unlock and spy on foreign companies and governments, many of them supposed allies.
I’ve asked CSEC for comment on the revelations. I’ll let you know what they say.
UPDATE: Here’s CSEC’s response.
To the question: did CSEC allow the NSA to ‘seize control’ of the draft for the Dual EC DRBG encryption standard in 2006, as the NSA reportedly claims in their memos? CSEC’s Director of Public Affairs and Communications Andy McLaughlin says:
“International Organization for Standardization (ISO) cryptographic standards are developed in an open and transparent way, with input from various international experts and stakeholders. As experts in IT security and cryptography, CSE participates in these processes and advises the Canadian ISO delegation. Development of the 2006 standard (Dual EC DRBG) was performed by a working group that included CSE, NSA, and other international members from academia and industry as equal participants.”
To the question: what was the exact nature of the relationship between the NSA and CSEC at this time with regards to the drafting of encryption standards? McLaughlin says:
“CSE is committed to developing the most secure cryptographic standards so that we can best support the Government of Canada in protecting its Information Technology infrastructure and information.”
For me the takeaway here is that I gave CSEC a chance to definitively deny what the NSA memos say happened, and they declined to do so.
Follow Jesse on Twitter @JesseBrown