In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.
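The contrast in the first reason above, as an added example that is not taken from the report or from MIT: one session discards its ephemeral keys after use, the other retains its key so that access remains possible later. The toy Diffie-Hellman group, the toy cipher, and the names `run_session`, `recover` and `escrow` are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption, illustration only): 2**127 - 1 is prime
# but far too small for real use; deployed systems use X25519 or large groups.
P = 2**127 - 1
G = 3

def keystream_xor(key, data):
    """Toy cipher: XOR data with a SHA-256 counter keystream (not for real use)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def run_session(message, escrow=None):
    """Encrypt one message under a fresh ephemeral DH key.

    If `escrow` (a hypothetical key store) is given, the session key is
    retained there, modelling an exceptional-access requirement.
    """
    a = secrets.randbelow(P - 2) + 1          # sender's ephemeral secret
    b = secrets.randbelow(P - 2) + 1          # receiver's ephemeral secret
    A, B = pow(G, a, P), pow(G, b, P)         # public values sent on the wire
    key = hashlib.sha256(pow(B, a, P).to_bytes(16, "big")).digest()
    sid = secrets.token_hex(8)
    transcript = {"id": sid, "A": A, "B": B,
                  "ciphertext": keystream_xor(key, message)}
    if escrow is not None:
        escrow[sid] = key                     # key outlives the session
    # Forward secrecy: drop the secrets. (`del` removes the references only;
    # real implementations also zero the memory.)
    del a, b, key
    return transcript

def recover(transcript, stolen_store):
    """What a holder of a copied key store can read from recorded traffic."""
    key = stolen_store.get(transcript["id"])
    return None if key is None else keystream_xor(key, transcript["ciphertext"])

if __name__ == "__main__":
    msg = b"constructed sample message"
    escrow = {}
    kept = run_session(msg, escrow)
    ephemeral = run_session(msg)
    print("escrowed session readable:", recover(kept, escrow) == msg)
    print("forward-secret session readable:", recover(ephemeral, escrow) is not None)
```

The recorded transcript is identical in shape in both cases; the only difference is whether a key still exists somewhere to be copied.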