NSA and FBI make a Bullrun to resurrect vulnerable encryption

Edward Snowden was not cleared for the details of this program. He revealed it's existence nonetheless. The program is called BULLRUN and it appears to have been going on for a very long time. Snowden's 2013 revelation of it in the New York Times does not appear to have slowed it down. In fact, it appears that the NSA and FBI have retreated to a more comfortable controversy from the Clinton Era, complete with technology from the time period. Remember the Clipper Chip? Like Vanilla Ice, it endlessly returns from the 1990s, growing worse each time. However, the Director of the FBI never suggested the American public should be forced to listen to “Ice, Ice Baby” over and over again.

Nostalgia for the secret programs of the 1990s apparently is not confined to X-Files re-runs. During the Clinton Administration, the NSA was greatly concerned that the average person or company might soon be able to have government grade encryption not easily breakable by them. The SKIPJACK algorithm, codenamed and commonly known as CLIPPER for audio and CAPSTONE for data, was their solution. The method, and it's patent, were classified as secret but not top-secret, until 1998.

The encryption method, and the protocols that governed it's use were subject to wide criticism. In 1994, before CLIPPER was even implemented for semi-forced public consumption, AT & T researcher Matt Blaze found a weakness in the key escrow system. This escrow system would allow law enforcement to access communications through an automatic back door called the LEAF, for law-enforcement access field. This key escrow system was called key-surrender by the Electronic Frontier Foundation, who opposed it along with the Electronic Privacy Information Center. Despite strong advocacy by then Attorney General Janet Reno, and extensive lobbying in Congress, CLIPPER was not adopted as a government encryption standard. The Clinton Administration's hope was that forcing government-wide adoption of Clipper would cause it to become the de-facto commercial standard and thus all communications would be vulnerable to government eavesdropping. Public opposition was widespread and the initiative died.

The BULLRUN program, as partially revealed by Edward Snowden, is a long standing effort to force the public to use encryption that is vulnerable to the NSA. The NSA has always had the statutory power to classify any encryption developed anywhere in the United States as secret and seize it, even from it's inventors on the basis that they are not cleared for the secrets they thought of in the first place. BULLRUN uses this power, along with releasing weak encryption methods for public use and quietly influencing research in the area, to keep the NSA's edge over the publicly available encryption well-honed. It appears that BULLRUN has brought the return of CLIPPER.

The NSA recently released a sales brochure of patents and technologies that it was willing to license for commercial development and private profit. One of those patents, patent number 6724893, called “Method of passing a cryptographic key that allows third party access to the key”, is clearly SKIPJACK. Prior research by the science faculty of the University of Ljubljana in Slovenia confirms this. It also recommends that the government of Slovenia not adopt the weak and compromised standard. Nowhere in the NSA sales brochure does it mention that patent 6724893 is SKIPJACK. It simply says “This invention is a method of passing a cryptographic key between users so an authorized third party (i.e. law enforcement) can access the key. This method is called key escrow.” Thus the NSA is re-packaging an idea the thinking public rejected in the 1990s the just like TV is repackaging Vanilla Ice into a reality TV-Star – trying again with a bad idea.

While CLIPPER is back, BULLRUN never went away. In recent remarks reported by the New York Times, FBI director James B. Comey during a speech given at the Brookings institution on Oct. 10 said “the 'post-Snowden pendulum' that has driven Apple and Google to offer fully encrypted cellphones had 'gone too far.' He hinted that as a result, the administration might seek regulations and laws forcing companies to create a way for the government to unlock the photos, emails and contacts stored on the phones.” In short, since companies and the public did not voluntarily adopt the SKIPJACK algorithm as the encryption standard in the 1990s under Clinton, the FBI will now try to have it mandatory under Obama twenty years later.

The timing of a NSA sales offensive against the public having strong encryption does not seem coincidental nor does the backing by a FBI PR offensive. Both Apple and Google now offer encryption for data at rest on a cellphone as well as data in transit. Law Enforcement was not amused by the expanded corporate support for customer privacy, and in PR pronouncements immediately began invoking child pornography as a reason why law enforcement should be able to access any phone. As reported in the Washington Post “'Apple will become the phone of choice for the pedophile,' said John J. Escalante, chief of detectives for Chicago’s police department. 'The average pedophile at this point is probably thinking, I’ve got to get an Apple phone.'”

BULLRUN has weakened other encryption standards, and may have been operational as far back as the 1970s, when the NSA foisted the first standard method, Data Encryption Standard (or DES) on the public. DES was criticized for perceived but publicly unproven weaknesses.

Invoking terrorists and pedophiles as the reason for government controlled encryption for all may be the new PR tactic applied to an old program to resurrect old encryption for use not on foreign governments, but on the American public.

Date Originally Published: 
Friday, October 24, 2014
Article originally published at: