In the upcoming February 2015 edition of Notices, Michael Wertheimer, director of research at the NSA, consumed approximately 2000 words expressing that it was “regrettable” that they did not choose to withdraw their support for Dual_EC_DRBG. Dual_EC_DRBG is one of the computer security standards for which a paper trail demonstrates that the NSA influenced the standard under suspicious circumstances.
If he really wanted to rebuild trust, he could actually address the elephant in the room by finding the courage to answer the question on everybody’s mind: Why did the NSA support a standard which may have been purposefully designed to be insecure? The taxpayers supporting the agency deserve to know what they get for their money. Here are some examples of answers which could help rebuild trust:
- “Yes, for selfish reasons, we purposefully weakened everybody’s security. We understand that it was a mistake and that the nation was recklessly exposed to risk by making it easier for foreign state-supported industrial spies to compromise the security of American companies.”
- “No, we were actually trying to improve everybody’s security just like we did many years ago with the DES standard – here’s what we were doing, here is what we were thinking, and here are the reasons those seemed like secure choices. Here are the security concerns we’ve identified which are not yet a matter of public record.”
The NSA does not stand a chance of repairing their reputation until they explain themselves – every single standard they have influenced, the actions they took, and why they took those actions. Their word ought to be beyond reproach.
They can’t help secure their nation if every security professional desiring to keep their professional reputation intact feels the need to avoid having dealings with them – and that’s a tragedy, because maintaining the security of the nation is an important job.