Cybersecurity is a massive challenge affecting everyone –- startups, government, corporate systems and consumers, costing the global economy billions of dollars annually.
Tragically, the one solution we are seriously considering — mandating encryption backdoors — will undermine the integrity of our networks, as confirmed by information security experts and the government’s own defense and intelligence officials.
For the tech industry to become more effective in making its case for strong security to the public and US policy-makers, we all need to understand and rebut two critical misconceptions currently dominating the policy debate.
“Going dark” or blinded by too much data?
The first key assumption is that law enforcement does not have enough data to combat crime and must therefore boost its capability to intercept and decrypt web communications. Let’s look into what data the government already has access to and whether it is being utilized effectively.
The majority of global networks – including Facebook, Google, Twitter and Skype – operate with full visibility into user accounts and often their activities, rendering this data available to law enforcement with a warrant request. That includes metadata, a rich unencrypted layer in our expanding profiles – who we talk to, where and how often, where we spend time and with whom, and what our interests are.
Widespread visual surveillance — from cameras on public utility polls and transport to commercial data collectors time-stamping and geo-tagging billions of photos of license plates – supplies an exhaustive picture of ourphysical activity. Law enforcement has access to a historically unprecedented amount of information, capable of mapping out countless connections between people, businesses, locations, and things – sometimes with and sometimes without a warrant.
Current trends in technology are only adding to the pool of data that law enforcement can draw from. When vulnerability is injected into technology used worldwide, it becomes everyone’s liability.
By 2020, the IoT industry will add as many as 50 billion new connected devices – from smart TVs capable of listening to ambient noise to cars equipped with GPS and voice-activated systems to toys and baby monitors with recording features.
Many of these technologies operate with minimal data safeguards, expanding not only the attack surface for criminals but also real-time surveillance opportunities for law enforcement.
“Big data” is a buzz term for a reason — the majority of tech businesses are built around collecting and analyzing data that people around the globe generate while using services. This trend is unlikely to substantially change in the near future as we add more products feeding data into global systems.
Thus, the quantity of data and information channels available to law enforcement provides ample opportunities to obtain lawful intelligence.
However, as investigations following the Paris attacks have demonstrated, governments have yet to establish data analytics capabilities allowing the massive amount of data already collected to be timely and effectively analyzed in order to extract actionable intelligence.
Backdoor for only exceptional circumstances
With its access to countless data streams and targeted information sources, the government is now faced with an urgent need to secure public and corporate information systems.
Both are now a high target for foreign state actors and criminals alike. Following OPM and other major breaches of national networks, it became clear to many within the defense sector thatmaintaining the integrity of encryption is key to securing data in transit and at rest and it must become a national security priority.
However, no matter how many expert voices loudly and adamantly confirm that it is technologically impossible to limit backdoor privileges to one party without making the whole system vulnerable, some officials continue to dismiss the tech industry as uncooperative and uninventive — completely rejecting the mathematics behind strong crypto.
Unfortunately, the result of this misunderstanding is a demand to force the private sector to work against public interests, which may cost us all a gravely compromised national cyber defense.
Due to the lack of security awareness, for many non-technical folks this argument remains too abstract – simply an obstacle to providing law enforcement with a backdoor access it wants. Meanwhile, a case where an intentionally built-in backdoor was possibly repurposed against US government systems is currently under investigation by the House Oversight Committee.
A severe vulnerability discovered last December in Screen OS by Juniper Networks – employed across government agencies and global corporations – may have allowed foreign hackers to infiltrate networks and decrypt traffic. As with many cyber intrusions, especially of this magnitude, it is hardly a trivial task to determine when the breach occurred, what information has been compromised and whether hackers still retain a persistent presence within the network.
A changing cyber space: Security for all or for no one
When vulnerability is injected into technology used worldwide, it becomes everyone’s liability.
If mandated, today’s crypto backdoor is likely to become a “ticking time bomb,” open to exploitation by foreign intelligence and criminals harvesting data and communications. With the Web being a borderless global space, intelligence needs to be targeted, expensive and therefore accessible to only the most sophisticated state actors. Otherwise, we risk weakening everyone’ security to harvest data without a cause to the detriment of our own rights, economic freedoms, and political stability.
The demand for compelled cooperation to alter technology against public interests has a powerful negative impact on the relationship between the industry and the government. It not only limits the possibility for every-day open and effective collaboration, but also creates a deep distrust at a time when cyber threats are rising, requiring all of us to work together to strengthen the security of our critical information systems.
Unless we are prepared to live with the consequences of inadvertently enabling foreign nations and hackers to exploit a government-mandated backdoor, we must shift the national dialogue to examining how law enforcement can effectively use and secure the data it already has access to. The government and the tech industry can work together to enhance national security by applying innovative technologies and data safeguards to critical networks, rather than battling over access to data which most likely will not assist lawful investigations, but will guarantee weaker security for all.