Why does US Cyber Security Fail? Hackers Wakefulness Defeats Establishment Inertia
It was a huge NSA led cyber investment to massively scan world-wide communication to zero in on encrypted traffic to be further looked at. The great achievement of this massive deployment was the desired focus on communication of interest, ignoring the ocean of babbling on the Internet. Soon enough it was noticed that the people the NSA is trying to catch, are using rather simple technique to hide ciphertext in a plain language format. The most dangerous plans concocted against the US, foreign or domestic, are freely exchanged through social networks and email, appearing as the very babbly text the NSA so "smartly" ignored.
In a symmetric warfare, this would not have been extraordinary, just another move in the fair and open cyber chess game. Alas, the war is asymmetric. The NSA built its crypoto focus capability over many years. Countless of position papers, internal proposals, conference, committees, discussions, and then expensive and wide-spread rollout. It is hard for those good, hard working government officials, to overnight say -- well, this won't work, we need something else.
The knee jerk reaction is to first dismiss the intelligence that the bad guys hide their evil plans in plain sight. But this does not last long. Google openly says: we have artificial intelligence readers that read all the gmail traffic world wide. To their chagrin, they serve to reliably communicate and share criminal and political plots that flow in their servers unrecognized because the appearance is so innocent.
I will take a moment to explain how simple it is. You write down your evil plan to harm the United States. First you encrypt your plan normally. You get a string of binary bits: 1001101.... You feed this string to an AI unit that is tasked with expanding this string 10x by adding 9 decoy bits between any two bits in the string. The identities of these nine bits is arbitrary. The AI unit will choose these extra bits such that the 10x size string will say something legible, and innocent in normal English (or any other spoken language). It is this 10x string that becomes the content of the email which Google's servers scan and mistakenly believe they learn from it something about the writer and the recipient. They learn nothing because the text was artificially generated. The recipient though reads the delivered text as a string of bits, removes the decoy bits, and ends up with the original encrypted string which they now normally decrypt. The multi billion dollar AI "deducator", and the super billion dollars NSA "evil-spotter" become blind - and they don't even realize it!
This is just an example. I describe another situation in BitMintalk.com/weak-keys: The crypto establishment chooses to ignore the fact that all its recommended ciphers are vulnerable to unwittingly using crypto keys that expose the protected secret. So much was invested in the prevailing ciphers that it would be a shame to delist them. Think about it: it takes years to propose a cipher for the status of being "NSA blessed": years of commissioned studies, conferences, meetings, discussions, evaluations, analysis, testing -- an exhaustive effort. It will not be dismissed as long as it would be possible to have an excuse why not: "The challenging point is not clear". When it is made clear the argument is that "it is clearly stupid". When this fails they say: "insufficient evidence", then "more examination is needed", and on it goes. These recommended ciphers are the product of long and hard work, they will be held on to. But this is exactly why we fail. Bound by our huge bureaucratic inertia we 'stay the course'. This predictability is what our adversaries home onto. They rely on our addiction to 'streamlining'; they count on our embrace of the orthodoxy, and they run circles around us, leveraging their nimbleness and their fast reaction; exploit their freedom and absence of slow moving bureaucratic cogwheels.
The United States has the means to change the balance in its favor, and hopefully with new leadership at the helm, this is a good time to make the case. Creativity and great innovative ideas are not limited to the NSA basements, not even to leading academic institutions. The math is an open book, people everywhere teach themselves the craft and emerge with creative ideas. We need to harvest them, sift through them, to spot the golden nuggets in the ore of stupid ideas.
How do I know that the crypto establishment in this country is incurious and not alert? I have published a series of scholarly articles, was granted 19 patents (so far), all pointing to fundamental crypto vulnerabilities in the official stance on the subject. Highly credentialed sources in foreign countries have shown great interest, but here the incuriosity has the upper hand. There are thousands of very smart crypto proposals originating outside the closed knit community of the crypto club. Their intellectual fruits are picked up by others.
When the head of our family, Ya'acov Samid, celebrated his one hundred year's birthday we have asked him for the secret of longevity. He answered one word: curiosity. The secret for life. So what is incuriosity leading to? The NSA should read, regard, evaluate, and develop the all-over-the-place out-of-the-blue ideas without which the US leadership in cyberspace will be slipping away.
Comments