A collective of eminent cryptographers and computer scientists have come together to lay down a technical report to question whether governments should be allowed access to encrypted communications channels and networks.
The group, assembled under the auspices of the Massachusetts Institute of Technology in the US, has warned that backdoor access to encrypted data by law enforcement agencies simply creates a larger attack surface for cyber-criminals to target.
“Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure government access to information - even encrypted information,” states the group.
In the paper, Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, the group states that it finds that the damage that could be caused by what it calls ‘law enforcement's exceptional access requirements' would be even greater today than it would have been 20 years ago when law enforcement agencies first started lobbying for such powers.
The suggestion is that this type of access is simply a route to creating vulnerabilities that are going to be exploited. The direct result of which would be to make enterprise infrastructure itself less secure.
In cyber-security, backdoors are still doors
The recommendation here is that whether it's a backdoor or a front door, it's still an additional door and that means there is an inherent additional security risk created.
“Exceptional access would force Internet system developers to reverse ‘forward secrecy' design practices that seek to minimise the impact on user privacy when systems are breached. The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” states the group.
As computer scientists with extensive security and systems experience, the group believes that law enforcement has failed to account for the risks inherent in exceptional access systems.
Two sides to the encryption coin
FBI Director James Brien Comey Jr has explained the situation from his side. On the one hand, he asserts that the existence of encryption forces criminal investigators to ‘work in the dark', due to the existence of data streams that they cannot tap into.
Conversely, although the FBI does not appear to exhibit too much sympathy for the shortcomings here, access to the type of infrastructure in question here does mean that sensitive (and perfectly legal) company information could be accessed.
Speaking to SCMagazineUK.com on this story this week, Dan Holden, director of ASERT at Arbor Networks says that this situation is “not a surprise” given the people involved.
“With the expertise and voice those cryptographers and computer scientists have, hopefully this report gets some needed attention. However, while the private sector can discuss and wave a banner of hope and concern, I don't see the US or the many governments who have followed it changing their position or behaviour. In fact, post Snowden it's been quite the opposite,” said Holden.
Stu Sjouwerman, the CEO of KnowBe4 and author of Cyberheist : ‘The biggest financial threat facing American businesses since the meltdown of 2008', spoke to SCMagazineUK.com to say, “Backdoor access to encrypted communications, apart from defeating the whole purpose, is an invitation for even more spear-phishing attacks on the people that have that access, and we all know the government's record on that point.”
What could happen, worst case?
Gavin Millard, technical director of Tenable Network Security spoke to SCMagazineUK.com today to say that, “Unfortunately, as we are seeing more and more of late, exploit kit and malware authors are weaponising these vulnerabilities as they are disclosed, sometimes quicker than the vendor can release the patch and certainly more rapidly than organisations can apply fixes once available.”
Prior to release of the paper, SCMagazineUK.com spoke to Andrew Rogoyski, VP Cyber Security Services at CGI, chair of TechUK's Cyber Security Group and formerly seconded to OCSIA at the Cabinet Office who said: “Back doors are always exploitable –the Clipper chip nailed that ...Much of our digital life depends on encryption and to allow it to be deliberately flawed is itself a flawed idea, and unworkable. How do you apply it outside your domain (jurisdiction)?”
And former Anonymous hacktivist Mustafa Al-Bassam, speaking at a Secure Trading Forum in London last week, noted that, while law abiding companies would be obliged to use encryption with back-doors, criminals would not, and would choose alternatives because, "Criminals break the law."
The above report referenced in the story sets out to examine whether it is “technically and operationally feasible” to meet law enforcement's call for exceptional access without causing large-scale security vulnerabilities. The author's confirm that they “take no issue” with law enforcement's desire to execute lawful surveillance orders when they meet the requirements of human rights and the rule of law.
Looking ahead, the report's “strong recommendation” is that anyone proposing regulations should first present concrete technical requirements, which industry, academics, and the public can analyse for technical weaknesses and for hidden costs.