I applied for a job at the National Security Agency in 2006.
I was about to finish my undergrad degree in Mathematics. My favorite classes were abstract algebra, a subject whose only footing in reality is cryptography. I also felt some amount of national pride: my high school was a boarding school in Connecticut, so I experienced September 11, 2001, with many friends from New York City.
There’s an inscription in the marble floor of the building at my alma mater that houses the Mathematics department: "Reality favors symmetries and slight anachronisms". Only now do I appreciate that quote, since I received my full-time offer from Google while I was in the interview process with NSA.
I e-mailed my NSA recruiter and said thanks but no thanks.
I’ve still got that memory of what it feels like to have nationalistic pride in an organization that’s on the forefront of mathematics, computer science, and engineering. Sadly, that power has now been turned inward, but I think it’s possible to fix NSA’s image, and use it to make America a better place.
It should go without saying that NSA needs real oversight, and needs to stop spying on Americans. After that, though, I think there are some concrete things that NSA could do to redeem itself, and maybe even attract talent.
Open Source Code
For 99.9% of developers, cryptography is very easy to get wrong. Even in well respected open source packages, there are obscure issues, like the OpenSSL Pseudo-random Number Generator bug that broke SSH badly. It was caused by a developer removing some seemingly do-nothing code at Valgrind’s recommendation.
Recommendation 1: NSA could provide open source reference implementations of cryptographic and other security-sensitive code.
Open source, and thus peer-reviewed code provided by the largest body of elite mathematicians and cryptographers in the world? Yes, please. One less thing to worry about it.
Public Key Signing for American Citizens
NSA seems to have a problem identifying the communications of American citizens. If you think about it from a machine intelligence perspective, that’s pretty hard indeed.
Furthermore, PGP users have a difficult time with key exchanges. How do I know the public key you sent me is really your public key? Ideally, it’s been signed by somebody I trust.
This is a place to kill two birds with one bureaucratic stone.
Recommendation 2: NSA could provide an optional service to sign PGP keys as belonging to American citizens.
I already have federally-issued documentation of my citizenship, my US Passport. There ought to be a way to get my PGP key signed by the government, so I can sign my messages as an American citizen, having the government be the trusted authority on that matter.
This is interesting because it doesn’t compromise my privacy. My private key is still private, but the government, through a verification process similar to the passport process, has declared they trust me to be an American citizen.
This could be added as a signal for NSA collection systems, since the NSA ought to trust its own key-signing authority, it can be absolutely sure that an encrypted communication it intercepts is from an American citizen, and thus discard it.
This is a less-terrible-more-useful version of a National ID card, since it doesn’t expose my secrets, but allows me to assert my identity to other parties. Nothing would force me to use NSA’s key-signing service, just as nothing forces me to get a passport or a Facebook account.
Security Training for American Developers
Like I said, cryptography is very hard to get right. Not just algorithms, but protocols as well. What if NSA could help us Americans get it right?
Recommendation 3: NSA could provide a training program for American software and IT professionals on security best practices. For bonus points, the cost of this program could be tax-deductible.
American developers have a security responsibility to keep our trade secrets within our borders, and NSA can help us with that. It’s not reasonable to allow NSA to patrol our electronic borders itself, but it could help on-the-ground implementers do it right.
I think it’s possible, with the right amount of congressional and judicial oversight, for the NSA to genuinely make America a better place.
We rely on government services for things that ought to be essential to a productive society, like a court system, a military, and infrastructure. Security is becoming one of those fundamental things, as we rely more and more on computers.
China is hacking us. Russia probably is, too. The NSA could be a point of pride and utility for us Americans to keep our economy strong, and safe from foreign invasion.
Until then, though, I’m done using Google products, e-mail, and unencrypted text messaging.