A group of 11 computer scientists and encryption experts breathed a little easier in January 2015 when the National Institute of Standards and Technology (NIST) proposed the retirement of six Federal Information Processing Standards (FIPS), including FIPS-185. The 11 experts were instrumental in this standard’s demise.
More commonly known as the Clipper Chip, FIPS-185 is an encryption implementation created by the NSA that included a backdoor to allow electronic surveillance by law-enforcement agencies. Soon after FIPS-185 was announced in 1997, the 11 experts coauthored a report detailing the issues and lack of transparency with FIPS-185 (PDF). “The deployment of key-recovery-based encryption infrastructures to meet law enforcement’s stated specifications will result in substantial sacrifices in security and greatly increased costs to the end user.”
Déjà vu strikes the group of scientists
With a sense of déjà vu, the same group plus four new and also highly-regarded computer scientists published a paper in July 2015 under the auspices of MIT’s Computer Science and Artificial Intelligence Lab titled Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications (PDF).
The authors write: “Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates.”
Next, the coauthors issue a stern warning, “We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s internet environment, any proposals that alter the security dynamics online should be approached with caution.”
The coauthors do not mince words, ending the paper’s executive summary with, “Many of us worked together in 1997 in response to a similar but narrower and better defined proposal called the Clipper Chip.”
What are exceptional access mechanisms?
The term backdoor is normally used, but as academics will do, they chose a new one: exceptional access mechanisms. Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute and one of the paper’s authors, in this Lawfare Institute blog defines exceptional access mechanisms as, “Some form of technology that will enable government access to content even if the content is encrypted.”
Three problems with the government’s request
The scientists state they analyzed the government’s request for exceptional access to communications, and they feel there are three challenges.
- The first issue is providing exceptional access to communications would negate many best practices now being deployed to make the internet more secure, including forward secrecy, where decryption keys are deleted right after being used.
- The second issue is adding exceptional access would increase the complexity of already complex security systems, which in turn increases the likelihood of vulnerabilities. The authors make the point, “Features to permit law enforcement exceptional access across a wide range of internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious — making security testing difficult and less effective.”
- The third issue is, just as databases of credit-card information interest digital criminals more so than the information from one individual’s credit card, exceptional access will allow bad actors to focus on fewer targets to get the same results.
The third problem is especially troubling. “Recent attacks on the United States Government Office of Personnel Management (OPM) show how much harm can arise when many organizations rely on a single institution that itself has security vulnerabilities,” write the coauthors. “In the case of OPM, numerous federal agencies lost sensitive data because OPM had insecure infrastructure. If service providers implement exceptional access requirements incorrectly, the security of all of their users will be at risk.”
Cory Doctorow speaks to this in his book Information Doesn’t Want to Be Free (page 126):
“If you weaken the world’s computer security — the security of our planes and nuclear reactors, our artificial hearts and our thermostats, and, yes, our phones and our laptops, devices that are privy to our every secret — then no amount of gains in the War on Terror will balance out the costs we’ll all pay in vulnerability to crooks, creeps, spooks, thugs, perverts, voyeurs, and anyone else who independently discovers these deliberate flaws and turns them against targets of opportunity.”
How would exceptional access affect US businesses?
For insight on the impact to businesses, I talked to Benjamin Dean, fellow in cybersecurity and internet governance staff associate at Columbia University.
“US companies will lose out from a policy that involves exceptional access,” mentions Dean. “Think about the customer whose goal is to purchase a product that will secure their information. Would that customer buy or use the weakened encryption product from a US company or would that customer instead purchase a security product from a company residing in a country where robust encryption is allowed?”
Dean then adds, “Demand for information security will remain with or without the policy. It’s just that US companies will be unable to service this demand, which translates into lost revenue for US tech businesses.”
Next I asked Dean if exceptional access might have an effect similar to the Snowden releases.
“The NSA’s activities, disclosed by Snowden, involved undermining key information security standards and technologies,” states Dean. “The severe erosion of user trust in technologies sold by US companies has translated into revenue losses for US technology companies. Depending on what you measure and how you measure it, loss estimates vary from $21.5-35 billion (from ITIF) through to $180 billion (from Forrester).”
Dean continues, “FBI Director Comey is proposing encryption, an important measure for information security, should be weakened. This would trigger a further erosion of trust in technologies developed and sold by US companies. Estimating the exact losses is difficult. However, it is safe to say that this proposal would not benefit US technology companies.”
As for all other businesses, exceptional access would complicate how they meet international regulations and liability clauses. For example, assuming the paper’s authors are right, if a criminal element figures out exceptional access for an encryption product, who is liable for the damages accrued by companies using the compromised product?
To put it simply
Bruce Schneier, well-known security expert and one of the paper’s authors, always has interesting comments on his blog. And his post on this topic is no exception. David C comments, “I doubt the bad guys, the FBI want, are going to use broken encryption. They’ll go find good encryption and use it.”
An obvious point, and one, I hope, not overlooked.
Note: TechRepublic, ZDNet, and Tech Pro Research are CBS Interactive properties.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays