The long-form piece I have been writing for nine months is finally out. It is approximately fourteen thousand words and is, by some considerable margin, the longest piece of single-topic writing I have done in this notebook. The version on the blog is the abridged eight-thousand-word version; the full version has been circulated through peer-CISO channels with appropriate editing for the engagement specifics. The argument can be summarised in a paragraph; the body of evidence and the engineering implications take rather longer.
The argument is that the commercial security infrastructure and the state-level surveillance infrastructure are, in many places, the same infrastructure, and that the security-engineering response to that fact has not been adequate. This is an argument that the security-research community has been gesturing towards for at least a decade. The Snowden disclosures over the past eleven months have provided the documentary evidence to substantiate the argument with primary sources. The piece works through what the documents show, what they imply, and what the operational response should be at the engagement level. It is the most sustained piece of integrated thinking on this question that I have done.
The piece makes five structural points.
First, that the major US platform vendors — through PRISM and the Section 702 process — sit inside the threat model for any non-US data subject whose data they hold. This is the PRISM-related argument I have been making since June 2013. The piece develops the engineering implications: data-residency, end-to-end encryption, supplier-trust calibration, what to do when the platform is the threat.
Second, that the US-led standards bodies have been compromised at the cryptographic-primitive level. This is the BULLRUN-related argument. Dual_EC_DRBG is the example everyone cites; the piece develops the wider argument that any cryptographic primitive standardised through the NIST process with NSA participation needs to be evaluated on the basis of public cryptographic-community consensus rather than on the basis of standards-body endorsement. This is uncomfortable for clients who have been using FIPS-validated products for compliance reasons.
Third, that the CA-trust infrastructure that underlies TLS is fragile in ways that the controls frameworks have been pretending it is not. This is the Comodo-and-DigiNotar argument extended through to the Heartbleed observation that even the implementations underneath the trust infrastructure are under-resourced. The piece develops the engineering response: certificate-pinning where deployable, certificate-transparency monitoring, multi-CA strategies, and explicit architectural acceptance that the trust chain is contested.
Fourth, that the carrier-level interception capabilities (Tempora, MUSCULAR, Optic Nerve) extend the threat model to anything that transits relevant fibre infrastructure. This is the Tempora argument. The engineering response is end-to-end encryption of any sensitive content regardless of where the endpoints sit, and operational acceptance that metadata leaks even when content is encrypted.
Fifth, that the dedicated-encrypted-service category is operationally non-viable against state-level compulsion. This is the Lavabit argument. The engineering response is that privacy guarantees have to be at the cryptographic-architecture level — keys held outside the service-provider's control, content encrypted before leaving the user's device — rather than at the service-provider-promise level.
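As an added illustration of the certificate-pinning response under the third point (example code, not from the piece or from Hedgehog): a pin-sha256 check over a chain's SubjectPublicKeyInfo values, with the pre-deployment sanity check that a pin set needs a backup key so rotation or a change of CA does not lock clients out. Keys are constructed Ed25519 SPKIs rather than real certificates, and the chain is assumed to have already passed ordinary path validation.

```python
import base64
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410). Appending any 32 raw
# key bytes yields a well-formed SPKI, which is all the pin calculation needs.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_public_key: bytes) -> bytes:
    """Wrap 32 raw Ed25519 public-key bytes in a DER SubjectPublicKeyInfo."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SPKI (the HPKP convention)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins) -> bool:
    """True if any SPKI in the already path-validated chain is in the pin set.

    Pinning complements chain validation: a chain that validates but ends in a
    mis-issued certificate from an unexpected CA fails here."""
    pinned = set(pins)
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


def pin_set_is_deployable(chain_spkis, pins):
    """Check a pin set against the currently served chain before shipping it.

    Returns (ok, reason). A deployable set needs at least two pins, one that the
    served chain satisfies and one backup key held outside the served chain."""
    pinned = set(pins)
    if len(pinned) < 2:
        return False, "need at least two pins (current key plus a backup)"
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    if not (pinned & chain_pins):
        return False, "no pin matches the served chain; clients would be locked out"
    if not (pinned - chain_pins):
        return False, "every pin is in the served chain; no backup key for rotation"
    return True, "ok"


# Constructed sample keys (not real certificates): the current leaf key, an
# offline backup key, and the key of a certificate a client should refuse.
CURRENT_LEAF = ed25519_spki(bytes(range(32)))
BACKUP_KEY = ed25519_spki(bytes(range(32, 64)))
UNEXPECTED_LEAF = ed25519_spki(b"\x7f" * 32)
PINS = [spki_pin(CURRENT_LEAF), spki_pin(BACKUP_KEY)]
```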
The piece develops each of these points with what is in the public documents and what the engineering implications are. There is a substantial section on what defenders can actually do in 2014 — the practical answer is "less than the controls frameworks pretend, more than the post-Snowden despair pretends" — and a section on what the wider sector should be working on through 2015 and beyond. The conclusion is that the structural position of commercial security infrastructure is materially worse than the controls frameworks have been treating it as, and that the engineering response has to acknowledge this rather than continue with the pre-Snowden assumptions.
For Hedgehog, the piece is going into the engagement-team material as the framing document for client conversations through the rest of 2014 and into 2015. Several of the secondment clients have already received the long version through the peer-CISO channels and have started the architectural-review work the piece recommends. The advisory work over the rest of the year is going to be substantially shaped by the piece's framework, and I expect to spend most of the summer doing the operational follow-through at the engagement level. Bruce Schneier's ongoing blog coverage and Greenwald's No Place to Hide, which lands next week, are the two reference points I expect to be pointing engagement clients at as they work through the implications.
The reaction so far — the piece went out yesterday morning to the peer-CISO list and the blog posted simultaneously — has been substantively engaged. Several of the responses I have received have been from people who have been thinking about these questions for years and who have been waiting for someone to write the piece up coherently; several have been from people who are new to the argument and are working through the implications. The mix is roughly what I expected. The pushback has been on two points: whether the BULLRUN argument actually establishes that the major vendors are subverted, or whether it just establishes that NSA tried to subvert them; and whether the architectural recommendations are deployable in commercial environments where ease-of-use trade-offs are real. Both pushbacks are reasonable; I will write follow-up posts addressing each as the conversations develop.
The next post is probably the TrueCrypt situation, which has been quietly developing through the past fortnight and which is shaping up to be either a substantial security disclosure or a substantial security-community puzzle, depending on which interpretation of the recent commits and announcements turns out to be right. Or whatever surfaces from the post-Heartbleed OpenSSL-funding conversation, which has produced the Linux Foundation's Core Infrastructure Initiative over the past fortnight and which may produce more concrete commitments through May.