Government v Tech: The question of encryption is a battle to infinity
27 June 2017 |
Postmortem of almost every terror attack leads to a catalogue of YouTube channels, online guides on making explosives and a veritable smorgasbord of information for budding terrorists. After the London Bridge attack, it even emerged that the perpetrators tried to rent a 7.5 ton truck online, failing only when their card payment didn't go through.
In the aftermath of the Westminster Bridge attack, it was revealed how the attacker used the messaging service WhatsApp until moments before ploughing into tourists. This, of course, led to 'words' between the Government and technology companies, who each tried to place the blame squarely at the other's door. UK's Home Secretary Amber Rudd insisted it was the tech companies who were at fault for not building in backdoors into their management systems, providing access for law enforcement officials when the need arose. Sir Tim Berners-Lee on the other hand insisted that no such backdoors be built into systems. "If encryption were not a thing then huge amounts of modern life would be impossible. If you put a hole in encryption – if you decide WhatsApp shouldn't be secure – then you do that to everything else that is equivalent to WhatsApp you'd have a battle in which you would have a huge number of disasters," Berners-Lee told WIRED.
I spoke to a range of CXOs at cybersecurity companies and all of them were adamant that software backdoors have no place in the modern world.
For Gidi Cohen at SkyBox, the demands from Governments is never ending. "It is the struggle to infinity and has always existed between state and technology. For good reasons, governments want to tap into communications channels, and technology vendors who want to sell advanced cryptology solutions and cryptology algorithms don't want that! After all, it is their claim to fame- that their systems cannot be broken into. This struggle has been in existence for around 40 years, and so looks like a new debate. The government claims to represent the public's interest and listen to chatter and so the argument will will be around for a long time.
Perhaps because as a Cloud Security Provider, Brian Kelly, Chief Security Officer at Rackspace doesn't have to deal with subpoenas and breach of client confidentiality, he is all for encryption as solid as possible. "I think it is a great mistake [to ask for backdoors]. If you can rely on encryption, great things can come out of it like BlockChain and Crypto currency. They have their cons as well, but more good comes from it than bad. In terms of key management, as a cloud provider, I would love nothing more than for every client to encrypt their data and never give me their key. I don't need to know what their data is! I would love to ask customers to only bring us their data once it has been encrypted so it is just them that have the key to the data and we have nothing to do with it.
That way, even if I was breached or subpoenaed by the government or law enforcement agencies, I could turn the data over to abide by the law but it wouldn't mean anything because the data would be encrypted! I want all of them to encrypt their data. If we could get to that position with all our customers, our liability would go down to nothing."
To demand encryption from clients to lower liability is definitely a novel approach and one that needs to be explored properly but Oliver Tavakoli, CTO of Vectra Networks doesn't have a very high opinion of all the governments of the world, also what about solidly encrypted apps? "So, if I am a bad guy and want the data off a device that [hypothetically] Apple has built a backdoor to, the problem is, if I use a messaging app like Telegram , no backdoor will solve that problem. So there is device encryption and app encryption. There are privacy issues with backdoor. The mere fact is that can you cannot keep control of it so only governments can have access to it. And there is also the question of which governments? Clearly, if Apple is operating in Russia, then the Russian government will want access by Russian law! Similarly in China and Zimbabwe. What makes the British or American government special in that case? They are not super-national. They still have to abide by country laws. So this is not tenable solution because once 180 governments have the backdoor, the likelihood of the backdoor leaking and bad guys getting hold of it are imminent.
"Terrorist will either use Telegram or write their own application. Crypto is naff and you cannot embargo people to give up keys. You may be able to do that to Apple or Google, but it is a spurious argument from my opinion. From policy perspective, the government will rail for it. I personally think backdoors don't exist but flaws do and there will be difficult situations if governments get hold of them.
Matt Dircks, CEO, Bomgar agrees with this argument too. "In all honesty, this is a tough question, because it is a slippery slope. When there is terrorism, the question is, would it [having a backdoor to devices] have prevented the attack? To me it is what would constitute legal reason. Because the other argument is- you will have regimes that are not great on human rights that will demand access too. We look at these issues and in the States when the San Bernardino attacks happened and the reaction to the question of encryption is very mixed.
"I read that FBI spent money to get into the San Bernardino attackers iPhone. Then we saw the stuff about NSA and WikiLeaks and the Zero Day stuff and then you think who's responsibility is it? Raises the question of- what's the responsibility of the technology vendors?"
The encryption vs openness argument and debate will carry on for a long time and is more to do with social legislation than strong arming technology companies. And while tempers will run high in the aftermath of attacks, we would think proactive policing would have more effect on would-be attackers than of the Government looking through our messages dissing colleagues.
Latest posts by Sunetra Chakravarti (see all)
- Should a music degree stop you from a career in cyber security? - 19th September 2017
- Building a threat sharing network can help prevent future attacks - 13th September 2017
- Breached firms stunned by 5% stock decline: What CISOs need to do differently - 13th September 2017
- Will PSD2 prove to be a cyber security nightmare for banks? - 11th September 2017
- Skills shortage & malaise cited for low PCI DSS compliance in businesses - 31st August 2017