- * The Intelligence communities are much better at creating problems than fixing them. They can easily destroy individuals, communities, governments and trust. They don't create anything of lasting value. Nor do they clean up the messes that they create.
- * Secrecy really REALLY isn't security. Secrecy creates and maintains private agendas. Secrecy creates and fosters waste. Secrecy destroys trust. Secrecy interferes with almost all aspects of security and good governance.
- * A large, complex intelligence organization can't keep secrets. They can't keep secrets from hostile governments. They can't keep secrets from organized crime.
- * Finally, we have learned that cryptanalysis can be surprisingly effective, but a full frontal assault on an encryption algorithm is the hardest way to break a crypto-system. There are many easier ways to break or bypass crypto.
There is a huge gap between crypto theory (https://www.cs.princeton.edu/~felten/encryption_primer.pdf) and expressed and implemented crypto reality. This gap provides many opportunities for anybody who wishes to favor attack over defense.
Traffic Analysis/meta data collection provides cheap, effective attack against virtually all current communication channels. Once you know who, when, where, how, and approximately what they are saying, you usually don't need to break their crypto.
The easiest way to weaken crypto implementation is to simply withdraw support for updates and improvements. Good crypto is hard. Defense is expensive. Without constant support, defenses fail. If you wish to weaken crypto defenses, it is usually sufficient to withhold support for good standards and good processes, and fail to eliminate mistakes.
The next most cost effective ways to weaken crypto implementation is to focus on degrading or hindering:
- 1) Transparency and disclosure;
- 2) Purchasing standards;
- 3) Vetting or approval standards;
- 4) Programming environments and standards.
- 5) Crypto standard processes;
- 6) Crypto implementation projects;
- 7) And crypto standards;
Good crypto implementations are almost indistinguishable from bad crypto implementations. The market will cheerfully purchase poor crypto if it is available, cheap, and the consequences are not immediate.
If an attacker ever needs to access info that is protected by a robust crypto implementation, it is usually faster and cheaper to subvert it's surrounding environment, people, hardware or software.
Reform of the Intelligence agencies should begin by greatly reducing their budget. Currently, they are huge, bloated, unmanageable monsters. They twist government to their whim. They distort the civilian economy. They cause massive incidental damage. A slim, tightly focused agency can be more carefully controlled and managed. A small, efficient CIA or NSA would achieve almost all of OUR important goals with a tiny fraction of the collateral damage.