US and UK security agencies' attempts to weaken encryption of online communications such as emails and social media are "shocking" and could work against the public interest by weakening critical infrastructure, a team of UK academics specialising in cryptography has warned.
The group of 10 researchers warn that "by weakening all our security so that they can listen in to the communications of our enemies, [the agencies] also weaken our security against our potential enemies".
The researchers, all specialists in cryptography, come from a number of universities and comment in an open letter on the revelations published by the Guardian, New York Times and ProPublica based on information from documents provided by Edward Snowden.
These showed years-long efforts by the US National Security Agency (NSA) and Britain's GCHQ spy agency to weaken encryption systems so that they could tap emails and internet communications. There is also suspicion that the NSA has undermined the strength of encryption protocols developed by NIST, the US National Institute for Standards and Technology.
Professor Ross Anderson, a security researcher at Cambridge University who is not one of the signatories, said that the publication had shocked some in academia who had thought that their work on encryption was of no interest to security services. "Ten days ago when the Guardian published its revelations about the NSA's skullduggery, it was a wake-up call for a lot of people. It's very, very creditable that Bristol's people have signed this letter," he told the Guardian. "This has been a 9/11 moment for the community, and it's great that some people are beginning to wake up."
Last week NIST took the unusual – and unprecedented – step of "strongly" recommending against the use of one of its own encryption standards "pending the resolution of the security concerns" that had been raised by the publication.
The UK researchers called on "relevant parties" – which would include GCHQ – "to reveal what systems have been weakened so that they can be repaired, and to create a proper system of oversight".
The biggest risk, they imply, is that civilian systems and infrastructure – perhaps including physical systems such as the power grid – could become vulnerable to attack by state-sponsored hackers who are capable of exploiting the same "backdoors" in software that have been planted there by the western agencies.
"In the modern age we all need to have complete trust in the basic infrastructure that we all use," note the researchers.
The US and UK have already demonstrated that they can attack computer systems needed for physical infrastructure through their work on the Stuxnet virus, which took control of centrifuges used in Iran's nuclear refinement plant to make them run out of control. That is reckoned to have put Iran's plan to build an atomic bomb many months behind schedule. But variants of Stuxnet have been spotted being used to try to attack other physical infrastructure in other countries.