Susan Landau

Getting Communications Security Right

Between the mid-1970s and the late 1990s, the government fought industry and academia over cryptography. The National Security Agency (NSA) had been accustomed to being the only one in the ring designing cryptographic systems and decoding messages, and it didn't take kindly to the competition. First, the NSA attempted to stop researchers from publishing. That stopped quickly, though "reviews" were still requested. Then government export controls prevented industry from building cryptography into products. The limitation was on products intended for export, but the government controls effectively prevented domestic use of encryption as well. The latter finally ended in 2000. The good news is that when the government changed its stance -- and it really is the NSA that had to be on board -- the agency made sure the shift was no halfway step.

  • In 2001, the National Institute of Standards and Technology approved the Advanced Encryption Standard (AES), a Belgian-designed cryptosystem, for encrypting data by civilian agencies. In 2002, NSA approved AES for protecting TOP SECRET communications. This policy, a very public vote of approval, increased AES use everywhere.

  • In 2005, the NSA went a step farther, approving a set of public algorithms that would protect not just communications, but a whole communications network, the so-called "Suite B" set.

  • Recently the NSA Information Assurance Directorate, the side of NSA responsible for securing government information, has pressed for secure interoperable land-mobile radios to be available for sale cheap -- "We've got to have straight commercial Suite B systems that are available at the mall, at Radio Shack, for first responders."

Each of these steps makes it easier for civilians -- businesses, journalists, human-rights groups, first responders -- to communicate securely. They also make it easier for the bad guys -- organized crime, drug dealers, terrorists -- to do so, but the calculation is that on balance, the U.S. is better off with the deployment of strong cryptography than not.

This doesn't mean that the U.S. is doing everything it could to secure private-sector communication networks. There's no strong government push to do so, and there are many instances of insecurity, from unsecured cell towers to small ISPs that lack any real security. Indeed, until the Google brouhaha with China last year, Gmail communications traveled unprotected between the user and the Gmail server (there was an option to encrypt, but it was not the default). But the fact is that tools for securing communications are available, and the NSA is even subtly encouraging their use. That's a critical first step.
