A collective of eminent cryptographers and computer scientists have come together to lay down a technical report to question whether governments should be allowed access to encrypted communications channels and networks.
The group, assembled under the auspices of the Massachusetts Institute of Technology in the US, has warned that backdoor access to encrypted data by law enforcement agencies simply creates a larger attack surface for cyber-criminals to target.
“Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure government access to information - even encrypted information,” states the group.
In the paper, Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, the group states that it finds that the damage that could be caused by what it calls ‘law enforcement's exceptional access requirements' would be even greater today than it would have been 20 years ago when law enforcement agencies first started lobbying for such powers.
The suggestion is that this type of access is simply a route to creating vulnerabilities that are going to be exploited. The direct result of which would be to make enterprise infrastructure itself less secure.
In cyber-security, backdoors are still doors
The recommendation here is that whether it's a backdoor or a front door, it's still an additional door and that means there is an inherent additional security risk created.
“Exceptional access would force Internet system developers to reverse ‘forward secrecy' design practices that seek to minimise the impact on user privacy when systems are breached. The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” states the group.
As computer scientists with extensive security and systems experience, the group believes that law enforcement has failed to account for the risks inherent in exceptional access systems.
Two sides to the encryption coin
FBI Director James Brien Comey Jr has explained the situation from his side. On the one hand, he asserts that the existence of encryption forces criminal investigators to ‘work in the dark', due to the existence of data streams that they cannot tap into.
Conversely, although the FBI does not appear to exhibit too much sympathy for the shortcomings here, access to the type of infrastructure in question here does mean that sensitive (and perfectly legal) company information could be accessed.
Speaking to SCMagazineUK.com on this story this week, Dan Holden, director of ASERT at Arbor Networks says that this situation is “not a surprise” given the people involved.
“With the expertise and voice those cryptographers and computer scientists have, hopefully this report gets some needed attention. However, while the private sector can discuss and wave a banner of hope and concern, I don't see the US or the many governments who have followed it changing their position or behaviour. In fact, post Snowden it's been quite the opposite,” said Holden.
Stu Sjouwerman, the CEO of KnowBe4 and author of Cyberheist : ‘The biggest financial threat facing American businesses since the meltdown of 2008', spoke to SCMagazineUK.com to say, “Backdoor access to encrypted communications, apart from defeating the whole purpose, is an invitation for even more spear-phishing attacks on the people that have that access, and we all know the government's record on that point.”
“Both sophisticated criminal gangs and state-sponsored attackers will not rest until they have the keys to the kingdom, mainly using social engineering to achieve their goals,” he added.