The topic of cryptographic backdoors has come up multiple times in the past six months, as the NSA and the Obama Administration have pushed for the adoption of such technologies, while other researchers and white hats have disputed both the need and the efficacy of such solutions. Today, several dozen companies and organizations sent a letter directly to President Obama, explaining
their position and the vital importance of not compromising cryptography in the name of national security.
The letter asks that the President reject any proposal that US companies weaken product security and act instead to foster the wide adoption of encryption and strong security. The companies and organizations note: “Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.”
The NSA believes that public “front doors” can be safely constructed.
The letter goes on to note that US companies are already struggling in foreign markets due to the perception that they function as effective arms of the NSA already. While the actual financial damage varies from company to company, it’s no exaggeration to say that foreign firms are deeply concerned about this issue. This is particularly true where sensitive data is concerned — EU countries have strict data access and retention laws that could conceivably prohibit them from making business deals with US companies if they suspect the NSA might be allowed to gain access to certain information without due process of law. The secrecy with which the US government has sought to shroud some of these activities works against it in some situations.
The backdoor dilemma
The problem with backdoors, in a nutshell, is this: It’s almost impossible to hide them from detailed inspection. When the NSA developed the Dual_EC_DRBG standard for implementing elliptic curve cryptography, it didn’t take researchers very long to realize that the standard was deliberately compromised. True, the NSA could’ve done a better job of hiding its work — but only to a point.
It’s become downright common for major institutions (including some military sites) to report intrusions from Chinese or Russian hackers likely working under the auspices of their respective governments. All it takes is an errant email, a casual mention of the possibility of a backdoor in a current standard or product, and the game’s begun. It’s arrogant in the extreme to think that the United States is so far ahead of other countries as to be able to permanently outwit them. Adding weaknesses on purpose given the scope of the existing problem is insane.
Once the United States government codifies its own ability to force companies to adopt insecure standards, other countries with less robust civil rights protections will inevitably follow suit. The Internet can already be used for unprecedented citizen tracking, but giving in to demands for code backdoors and deliberate security vulnerabilities will only exacerbate this trend.
You can call it a cynical move to protect bottom lines or a principled stand for good security, but either way, the tech industry isn’t backing down on this issue. That means it’ll fall to Congress and the President to introduce legislation if they want to force the tech industry to adopt backdoored software. The deeply dysfunctional US political system means such legislation would almost certainly fail, but dysfunctional legislatures should not be the linchpin of good national security policy.
No comments:
Post a Comment
Leave a comment