Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

3/17/2016
10:45 AM
John B. Dickson
John B. Dickson
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Beyond Back Doors: Recalibrating The Encryption Policy Debate

Three compelling reasons why access to back doors should not be the intelligence and law enforcement community's main policy thrust in the fight against terrorism.

A strange confluence of events has brought encryption to the center of public policy debate in spite of the heated presidential election cycle and other geopolitical current events. Terrorism, Edward Snowden’s NSA leaks, and a constant stream of high-profile breaches that have put citizens’ private data at risk have elevated the discussion that previously existed solely in technical circles. Recent calls by the United States government to gain access to backdoors on  software and sites in order to intercept terrorist communications has increased the emotional volume of the debate, pitting the Administration, intelligence community, and law enforcement against technology companies and privacy advocates.

When focusing on the upside that backdoors provide, government leaders have downplayed the damage to US technology leadership in the world and the economic impact to US technology companies. At the same time, many US technology companies view themselves “above the fray” with international markets key to their businesses. In spite of being US-based companies, they feel that close alignment with the American government puts them at an economic disadvantage. 

This is occurring in what many observers characterize as a policy vacuum surrounding the encryption debate - a victim perhaps of other political issues facing our elected officials. Post-Snowden, Congress has yet to provide clarity to its citizens on the security vs. privacy debate, leaving the Executive Branch unchecked in matters of cybersecurity. In practice, the White House has pushed the policy envelope with regard to citizen privacy. Its engagement with technology companies at the end of 2015 is one example of its attempt to do the right thing, using perceived leverage from heavyweight solutions like backdoors to gain the attention of Silicon Valley.

There is sore need to recalibrate here. I say this from a unique perspective as I come from the intelligence world. But my most recent experiences are with cybersecurity companies that protect United States companies from sophisticated attacks emanating from every corner of the world. I am neither a privacy activist nor corporate executive with vested interests outside the US. I understand that the world is full of bad people who want to do horrible things to our country. Terrorism is a real threat, and the United States needs to maintain its vigilance against future attacks. However, it is imperative that we do so with the understanding of the full set of consequences, both intentended and not.

To put it bluntly, access to backdoors (through escrowed encryption keys or any other technical mechanism) is simply not a viable strategy in the fight against terrorism and should not be our main policy thrust. As tempting as it may be to seak out an “easy” button for this problem, we need more deliberation and more creative options. There are three compelling reasons that we need to eschew backdoors when fighting terrorism:

Reason 1: Providing backdoors to governments – any government – is a bad idea. Engineering students learn early on to avoid single points of failure in their designs. A backdoor provides the most elevated access to any system or software, and can provide that same access to unintended parties, including attackers. Two axioms hold true when dealing with designed backdoors. First, common entry points always get discovered. Once available on the public Internet, systems will be subjected to the constant onslaught from all manner of attackers, including nation-states. Second, the security of systems degrades over time. Once they exist, backdoors will be used, and inevitably someone will make a mistake leading to the (potentially unknown) use of backdoor access by others. This argument doomed the Clipper Chip in the 90’s and highlights the current worry abour the recent Juniper router backdoor disclosure.

Furthermore, what’s to stop other countries from demanding access to these same backdoors? Virtually all the discourse to this point has been in the context of the US government accessing US companies, but imagine the Chinese or Russian government demanding access to the backdoors of Google, Apple, and Facebook as a precondition of these companies selling in their markets? The idea is not far-fetched: in fact, China’s New Network Law is already blurring the line between competition and national security.

Reason 2: Governments have struggled to protect their own data – why give them the keys to all kingdoms? The US Governement currently has a large “trust” problem with its citizens. If we citizens are doubtful that the government can protect its own secrets, why should we entrust them with backdoor access to all of our secrets too? The 21.5 million government workers whose highly sensitive, and damaging, data was lost by OPM are sufficient proof of a crisis in confidence. Even more disconcerting is NSA’s data loss via Snowden. Imagine that rather than publishing gigabytes of NSA memos and presentations, Snowden revealed the private information, collected by NSA, on the Internet. This crisis of confidence in governments is most pronounced in adults below thirty years-old. Any further concentration of government power to access information via backdoors would exacerbate the situation.

Reason 3: Don’t kill the technology goose that lays the golden egg.  US technology product and cloud companies are the economic engine that fills US Treasury coffers. By mandating backdoor access, the US government would put US technology companies at a severe competitive disadvantage, which ultimately weakens their worldwide position of leadership and damages our economy in ways we will never be able to fully quantify. Already, suspicion exists with many international technology buyers. For example, many US companies selling overseas are asked by their prospects to fill out questionnaires that detail how they cooperate with American law enforcement and intelligence agencies. Suffice it to say, it’s doubtful non-US-based companies face the same scrutiny. Eventually, the market will provide more viable alternatives to existing US-based hosting and technology products, but until then much damage can be done.

Backdoors and their many different iterations are not a long-term or viable policy option to fight terrorism. Their intended and unintended consequences far outweigh their benefits. The sooner we move away from any discussion of this approach, the better we will be served. No doubt, we need more creative options from our intelligence and law enforcement community. It’s the implementation of encryption, at either end of the conversation, where opportunities exist for exploitation. This, and other examples, is where our government should focus its efforts – not on the (seemingly) “easy” button. 

Related Content: 

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.
CVE-2020-5132
PUBLISHED: 2020-09-30
SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names in the SSL-VPN au...
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.