The evidence is mounting that Edward Snowden and his journalist allies have helped al Qaeda improve their security against NSA surveillance. In May, Recorded Future, a web intelligence firm, published a persuasive timeline showing that Snowden’s revelations about NSA’s capabilities were followed quickly by a burst of new, robust encryption tools from al Qaeda and its affiliates:
This is hardly a surprise for those who live in the real world. But it was an affront to Snowden’s defenders, who’ve long insisted that journalists handled the NSA leaks so responsibly that no one can identify any damage that they have caused.
In damage control mode, Snowden’s defenders first responded to the Recorded Future analysis by pooh-poohing the terrorists’ push for new encryption tools. Bruce Schneier declared that the change might actually hurt al Qaeda: “I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight.”
Schneier is usually smarter than this. In fact, the product al Qaeda had been recommending until the leaks, Mujahidin Secrets, probably did qualify as “home-brew encryption.” Indeed, Bruce Schneier dissed Mujahidin Secrets in 2008 on precisely that ground, saying “No one has explained why a terrorist would use this instead of PGP.”
But as a second Recorded Future post showed, the products that replaced Mujahidin Secrets relied heavily on open-source and proven encryption software. Indeed, one of them uses Schneier’s own, well-tested encryption algorithm, Twofish.
Faced with facts that contradicted his original defense of Snowden, Schneier was quick to offer a new reason why Snowden’s leaks and al Qaeda’s response to them still wouldn’t make any difference:
Whatever the reason, Schneier says, al-Qaida’s new encryption program won’t necessarily keep communications secret, and the only way to ensure that nothing gets picked up is to not send anything electronically. Osama bin Laden understood that. That’s why he ended up resorting to couriers. Upgrading encryption software might mask communications for al-Qaida temporarily, but probably not for long, Schneier said…. “It is relatively easy to find vulnerabilities in software,” he added. “This is why cybercriminals do so well stealing our credit cards. And it is also going to be why intelligence agencies are going to be able to break whatever software these al-Qaida operatives are using.”
So, if you were starting to think that Snowden and his band of journalist allies might actually be helping the terrorists, there’s no need to worry, according to Schneier, because all encryption software is so bad that NSA will still be able to break the terrorists’ communications and protect us. Oddly, though, that’s not what he says when he isn’t on the front lines with the Snowden Defense Corps. In a 2013 Guardian article entitled “NSA surveillance: A guide to staying secure,” for example, he offers very different advice, quoting Snowden:
“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Schneier acknowledges that hacking of communication endpoints can defeat even good encryption, but he’s got an answer for that, too:
Try to use public-domain encryption that has to be compatible with other implementations. …Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about.… The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible. Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.
It sounds as though al Qaeda took Bruce Schneier’s advice to heart, thanks to leaks from Edward Snowden — even if Schneier is still doing everything he can to avoid admitting it.
UPDATE: The description of Recorded Future was changed at the request of the company, which said, “While this may seem like splitting hairs, in the world of data analysis software ‘predictive analytics’ has specific technical meaning which implies something different. We use the term web intelligence to reduce this confusion.”