‘We Can Trust GCHQ On Encryption’

Professor Alan Woodward doesn’t think GCHQ or the NSA would have meddled with encryption, given they use it so much

After the chiefs of GCHQ, MI5 and MI6 faced questions from the Intelligence and Security Committee on their snooping efforts last week, voices from the more cantankerous anti-establishment communities said it was a farce. Weak lines of inquiry, from MPs who had already declared the mass surveillance revealed by the Snowden leaks legal, allowed the agency chiefs to come back strongly with their argument that breaking encryption is needed to fight terrorists and paedophiles, and paint those responsible for the leaks as the bad guys.

Not that the papers have stopped publishing. Further revelations today have indicated GCHQ hacked oil price control body Organisation of the Petroleum Exporting Countries (OPEC), gaining access to an HQ network in Austria and actually infecting nine workers’ machines with malware. The NSA is said to have targeted OPEC too.

Brits love snoops?

Despite continued reports of aggressive intelligence tactics, the opprobrium GCHQ and its partners have faced appears to have waned. The public outcry has not been particularly vociferous, particularly here in the UK. In mid-October, a YouGov survey found only 19 percent of the British public believed agents should have their powers cut back. Almost a quarter said they didn’t have enough power, whilst 43 percent said the leaks were a bad thing that would aid Britain’s enemies.

Members of the academic community are also now stepping forward to defend GCHQ. One of the most heated issues is that of encryption. Heavyweights of the cryptography community, led by the legendary Bruce Schneier, have derided efforts by intelligence services to crack or bug commonly-used encryption, from SSL to popular random number generators, claiming it weakened the security of the Internet as a whole.

But there is another train of thought that has had little public airing: there’s no reason why GCHQ or the NSA would make encryption less secure, given that they use it themselves.

Professor Alan Woodward, from the University of Surrey, noted that one of the missions of GCHQ (via CESG) is to ensure that government communications are as secure as possible.

GCHQ loves encryption?

“I find the encryption argument really quite strange, as the allegation is that the standards themselves have been somehow downgraded to make encryption less secure,” he told me.

“Personally I would be very surprised if this had happened for two simple reasons. First, there are many experts in encryption who can study the maths behind the encryption standards and they would be able to see if it had been degraded in some way… In essence, let the maths speak for itself.

“Second, the very standards that have been allegedly tampered with are those used to create systems for use by the governments and armed forces of the countries that are supposed to be weakening the encryption. That would mean they are weakening their own defences. I find that highly unlikely.

“If it were me I would have a team working in parallel looking to see what weaknesses might arise in the encryption standard as it is being developed. That isn’t the same as deliberately weakening it.”

It would be easy for someone to label Woodward’s assertions as naive. In the security world, he is going against the tide of opinion. But are the detractors being naive in believing the largely negative spin the papers have put on the leaks?

The debate points to two things happening. First, altruistic members of the security community will build more secure communications tools. As Silent Circle and Lavabit have shown with their own efforts to improve email privacy, this is already happening.

Second, intelligence agencies in the UK will keep their powers and the level of data scooping will only continue to rise. That might not mean more communications are being snooped on, however. “These agencies have an enormous job to do and whilst we have mass data gathering we don’t have mass surveillance – the two are not synonymous,” Woodward added.
