Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

3/17/2016
10:45 AM
John B. Dickson
John B. Dickson
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Beyond Back Doors: Recalibrating The Encryption Policy Debate

Three compelling reasons why access to back doors should not be the intelligence and law enforcement community's main policy thrust in the fight against terrorism.

A strange confluence of events has brought encryption to the center of public policy debate in spite of the heated presidential election cycle and other geopolitical current events. Terrorism, Edward Snowden’s NSA leaks, and a constant stream of high-profile breaches that have put citizens’ private data at risk have elevated the discussion that previously existed solely in technical circles. Recent calls by the United States government to gain access to backdoors on  software and sites in order to intercept terrorist communications has increased the emotional volume of the debate, pitting the Administration, intelligence community, and law enforcement against technology companies and privacy advocates.

When focusing on the upside that backdoors provide, government leaders have downplayed the damage to US technology leadership in the world and the economic impact to US technology companies. At the same time, many US technology companies view themselves “above the fray” with international markets key to their businesses. In spite of being US-based companies, they feel that close alignment with the American government puts them at an economic disadvantage. 

This is occurring in what many observers characterize as a policy vacuum surrounding the encryption debate - a victim perhaps of other political issues facing our elected officials. Post-Snowden, Congress has yet to provide clarity to its citizens on the security vs. privacy debate, leaving the Executive Branch unchecked in matters of cybersecurity. In practice, the White House has pushed the policy envelope with regard to citizen privacy. Its engagement with technology companies at the end of 2015 is one example of its attempt to do the right thing, using perceived leverage from heavyweight solutions like backdoors to gain the attention of Silicon Valley.

There is sore need to recalibrate here. I say this from a unique perspective as I come from the intelligence world. But my most recent experiences are with cybersecurity companies that protect United States companies from sophisticated attacks emanating from every corner of the world. I am neither a privacy activist nor corporate executive with vested interests outside the US. I understand that the world is full of bad people who want to do horrible things to our country. Terrorism is a real threat, and the United States needs to maintain its vigilance against future attacks. However, it is imperative that we do so with the understanding of the full set of consequences, both intentended and not.

To put it bluntly, access to backdoors (through escrowed encryption keys or any other technical mechanism) is simply not a viable strategy in the fight against terrorism and should not be our main policy thrust. As tempting as it may be to seak out an “easy” button for this problem, we need more deliberation and more creative options. There are three compelling reasons that we need to eschew backdoors when fighting terrorism:

Reason 1: Providing backdoors to governments – any government – is a bad idea. Engineering students learn early on to avoid single points of failure in their designs. A backdoor provides the most elevated access to any system or software, and can provide that same access to unintended parties, including attackers. Two axioms hold true when dealing with designed backdoors. First, common entry points always get discovered. Once available on the public Internet, systems will be subjected to the constant onslaught from all manner of attackers, including nation-states. Second, the security of systems degrades over time. Once they exist, backdoors will be used, and inevitably someone will make a mistake leading to the (potentially unknown) use of backdoor access by others. This argument doomed the Clipper Chip in the 90’s and highlights the current worry abour the recent Juniper router backdoor disclosure.

Furthermore, what’s to stop other countries from demanding access to these same backdoors? Virtually all the discourse to this point has been in the context of the US government accessing US companies, but imagine the Chinese or Russian government demanding access to the backdoors of Google, Apple, and Facebook as a precondition of these companies selling in their markets? The idea is not far-fetched: in fact, China’s New Network Law is already blurring the line between competition and national security.

Reason 2: Governments have struggled to protect their own data – why give them the keys to all kingdoms? The US Governement currently has a large “trust” problem with its citizens. If we citizens are doubtful that the government can protect its own secrets, why should we entrust them with backdoor access to all of our secrets too? The 21.5 million government workers whose highly sensitive, and damaging, data was lost by OPM are sufficient proof of a crisis in confidence. Even more disconcerting is NSA’s data loss via Snowden. Imagine that rather than publishing gigabytes of NSA memos and presentations, Snowden revealed the private information, collected by NSA, on the Internet. This crisis of confidence in governments is most pronounced in adults below thirty years-old. Any further concentration of government power to access information via backdoors would exacerbate the situation.

Reason 3: Don’t kill the technology goose that lays the golden egg.  US technology product and cloud companies are the economic engine that fills US Treasury coffers. By mandating backdoor access, the US government would put US technology companies at a severe competitive disadvantage, which ultimately weakens their worldwide position of leadership and damages our economy in ways we will never be able to fully quantify. Already, suspicion exists with many international technology buyers. For example, many US companies selling overseas are asked by their prospects to fill out questionnaires that detail how they cooperate with American law enforcement and intelligence agencies. Suffice it to say, it’s doubtful non-US-based companies face the same scrutiny. Eventually, the market will provide more viable alternatives to existing US-based hosting and technology products, but until then much damage can be done.

Backdoors and their many different iterations are not a long-term or viable policy option to fight terrorism. Their intended and unintended consequences far outweigh their benefits. The sooner we move away from any discussion of this approach, the better we will be served. No doubt, we need more creative options from our intelligence and law enforcement community. It’s the implementation of encryption, at either end of the conversation, where opportunities exist for exploitation. This, and other examples, is where our government should focus its efforts – not on the (seemingly) “easy” button. 

Related Content: 

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...