BERLIN, Germany — When news broke last year that the US National Security Agency had snooped on Chancellor Angela Merkel’s phone calls, Germans were outraged.
Then Germany’s BND intelligence service was caught having spied on US Secretary of State John Kerry and his predecessor Hillary Clinton.
By the time it emerged in September that the two agencies were sharing information each had collected about the other country’s leaders, the convoluted spy-versus-spy game between the two allies seemed to verge on the absurd.
That led German lawmaker Patrick Sensburg, chair of a parliamentary inquiry into the alleged NSA spying, to propose officials use typewriters in order to avoid digital surveillance.
The suggestion prompted amusement and disdain, but it came as no surprise to tech analyst Avivah Litan.
“When my clients ask me how to really secure their systems, I tell them to get off of the internet,” she says. “Nuclear reactors are not connected to the internet.”
Now the German government is scrambling to find new ways of keeping sensitive information from prying eyes.
“Hackers and national security services operate in the same ways,” Litan says. “The techniques cyber criminals use to steal money, spies use to steal intellectual property and governments use to steal whatever they need — they’re very similar.”
In the quest to avoid future security breaches, officials here are drawing inspiration from the past as well as investing in cutting-edge research.
Although the BND wouldn’t confirm or deny using typewriters for sensitive communiques, the idea is gaining currency.
German typewriter manufacturer Truimph-Adler boasted in a recent advertisement that it had manufactured “NSA-proof” machines for Russian Federal Security Service operatives — the successors to the KGB — who wanted to communicate without leaving electronic traces.
But not everyone has confidence in the typewriter’s efficacy.
“We just have to go back to the techniques we’ve used in the 1960s and 1970s to gather the information,” says Vincent Houghton, a historian at the International Spy Museum in Washington.
There’s an entire field of typewriter forensics dedicated to stealing information from the antiquated machines. Well-placed listening devices enable spies to remotely determine writers’ keystrokes by the sound of their tapping. If typewriters fall into adversaries’ hands, spies can determine who typed what judging by the wear on the machines.
Houghton believes only one analog technology is worth resurrecting.
“If you are sending incredibly important diplomatic information, like ‘Hey we’re about to declare war,’ you use a one-time pad,” he says. “There are times in history where people should have used the one-time pad and didn’t, like the Zimmerman telegram, which dragged the US into World War I.”
In that coded telegram, German Foreign Minister Zimmerman asked Mexico to reconquer US territory. The British decrypted the message, putting pressure on America to declare war on Germany.
The system requires that two people have pads containing pages of the same random codes. They agree on unwritten signals — whether messages are sent on even or odd-numbered days, for example, or in the morning or afternoon — to settle on which code to use. That specific code and signal can be used only once. With no repetition, no one but the two contacts can decipher messages.
When that method was used during World War I, random codes were often written in such small script that spies needed magnifying glasses to read them. In the 1980s and ’90s, spies began using computer-generated codes on CD-ROMs to exchange one-time pad communications.
While they are completely secure, one-time pads require effort to use, making them inconvenient for digital natives who have grown up using instant communication.
“You use it for the most top secret information because it is so cumbersome and so difficult,” Houghton says. “If you have to send a message that no one can ever read except for your recipient, that’s when you use the one-time pad.”
Merkel appears to be taking simpler steps. Last year, after the NSA spying revelations broke, the chancellor ordered 5,000 encrypted Z10 phones from Blackberry to keep confidential chats away from prying intelligence services.
The phones are outfitted with Secusmart crypto-chips that protect conversations from unwanted eavesdroppers by encrypting the calls. They also use a notification service that alerts users to possible security threats from apps that aggregate more data than necessary.
Michael Brown, Blackberry vice president of security product management and research, says although voice protection is a key part of the solution, it doesn’t address malware, which is one of the main concerns for government clients.
“The concern about malware on devices is the risk of it accessing your contact information, email, and information about websites you visited,” he says.
Even the most sophisticated devices are only as secure as their users, however.
Brown says the biggest challenge in his 14 years at Blackberry is lost devices. “The most important thing is to put a password on your device, whether you are an individual or an organization,” he says. “Always have passwords on your devices. That is the first line of defense.”
But MIT cybersecurity expert John Williams cautions that no phone is entirely secure.
“They may think that they can’t get attacked, but I’m pretty sure they can be compromised,” he says. “As far as I know all phones can be compromised — Android, iPhone and Blackberry.”
Houghton believes the future of intergovernmental information security lies not in the latest technology, but in the hands of physicists who are using quantum physics to develop a new form of communication as secure as the one-time pad.
“You are essentially beaming information, turning it into quanta, and sending it at the speed of light,” he says, referring to subatomic particles that display contradictory properties. “The only way to intercept the information would be to literally grab it out of the air, but it is designed to disappear if you try that.”
Houghton says although most developed countries are investing in advanced technologies such as quantum cryptography, it’s not clear whether that will mean more secure communication or more insidious surveillance methods in the future.
“Quantum cryptography could be the next wave in security developments, but this technology could be ten years away,” he says. “Or someone could figure it out tomorrow.”