Some surprising conclusions from the RSA’s debate on encryption security & privacy
At the security industry’s main annual event, the RSA Conference in San Francisco, one of the keynotes stood out from the crowd: a panel debate on “Beyond Encryption: Why we can’t come together on Security & Privacy”.
This session addressed some of the issues swirling around the supposed dichotomy of sacrificing privacy for security and asked the question “Are western governments right to try to ban end-to-end encryption in the name of fighting terror?”
Of course, everyone was talking about the battle between Apple’s CEO, Tim Cook, and the FBI. The issue at hand is whether the FBI could, or should, force Apple to write a special piece of code that would allow it to unlock the mobile phone of Syed Rizwan Farook. Farook was one of the terrorists responsible for the attack in San Bernardino, California, that saw 14 people killed and another 22 seriously injured.
The FBI clearly wanted access to the phone to see if it could track down useful information on Farook’s contacts. Apple argued that writing such code would introduce a backdoor into its phones, one that could be exploited by hackers in the future.
The argument turned out to be moot as, within days of the conference’s end, the FBI paused proceedings in the six-week trial. This was followed shortly by the announcement that a third-party organisation had successfully accessed the data on Farook’s iPhone. In an ironic twist, lawyers for Apple are now likely to pressure the FBI to reveal how the device encryption was cracked.
In an earlier keynote, Adi Shamir (the S in RSA) argued that Apple had chosen the battlefield poorly. Firstly, because the issue was so emotive. Secondly, because the rights of the individual were clearly not being trampled on since Farook admitted his guilt and was dead. What rights could he have?
But it seems that this misses the point. If the FBI wins, it would potentially set a dangerous legal precedent. Should a government agency be able to force a commercial organisation to write a dedicated piece of code that (a) it does not want to write and (b) would potentially weaken the company’s own products?
This is reminiscent of a previous incident in the 1990s, the age of the Clipper Chip, when the NSA tried to force key escrow on companies so that government, by holding the master key, could decrypt data at will.
One of the participants in the “Beyond Encryption” session was the former director of the NSA and former Director of National Intelligence, Mike McConnell. McConnell was one of the chief supporters of the Clipper Chip during his time at the NSA, so perhaps his was the most surprising conclusion of all…
McConnell now admits he is a strong supporter of end-to-end encryption, in direct contradiction to his previous views. His reasons were clear and pithy: “Military power comes from economic power and you can’t have economic power unless you protect the intellectual property of the country”.
Inserting a backdoor into cryptographic devices to enable government access will inevitably weaken those devices, since such backdoors will eventually be discovered and exploited by hackers as well. Data will be under threat from systematic attacks by other nation states as they attempt to “rape the intellectual property of the United States of America”.
Other participants in the session also came out in favour of encryption, though this was more expected. Nuala O’Connor of the Center for Democracy & Technology said that framing the debate as “privacy vs security” was a false dichotomy, and that it might make more sense to frame it as “individual security versus national security”.
In her view, these were clearly aligned. A backdoor into one phone, however much you might want it, is a backdoor into all phones and therefore jeopardises national security.
Michael Chertoff, former Secretary of Homeland Security, expressed fears for the SCADA networks that underpin most utilities. Without encryption, hackers could send false information to power stations, dams, transport networks and other utilities and cause serious harm. Virtual attacks now have physical consequences.
On a final note, all members of the panel called for an expert commission to advise Congress, in the belief that many members of government did not yet understand the full implications of data encryption, or of its absence. Definitely a step in the right direction for a more informed decision-making process.