In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
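The contrast in this first reason, as an added example that is not from the report or the article: a toy Diffie-Hellman exchange in which every session uses fresh secrets, run once with the secrets discarded (forward secrecy) and once with the receiver's secret kept on file, as exceptional access would require. The group parameters, the XOR cipher and all function names are assumptions chosen for illustration and are not production cryptography.

```python
import hashlib
import secrets

# Toy parameters for illustration only (constructed; not a vetted DH group).
P = 2**255 - 19
G = 2

def derive_key(secret: int, peer_public: int) -> bytes:
    """Hash the Diffie-Hellman shared value into a 32-byte session key."""
    shared = pow(peer_public, secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with SHA-256(key || offset). Encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def run_session(message: bytes, retain_keys: bool):
    """One sender-to-receiver session with fresh secrets on both sides.

    Returns (wire, leftovers): what a passive recorder saw on the network,
    and the secrets still stored on the receiver's system afterwards.
    """
    a = secrets.randbelow(P - 2) + 1       # sender's ephemeral secret
    b = secrets.randbelow(P - 2) + 1       # receiver's ephemeral secret
    A, B = pow(G, a, P), pow(G, b, P)      # public values, sent in the clear
    ciphertext = xor_stream(derive_key(a, B), message)
    # The receiver derives the same key from its own secret and reads the message.
    assert xor_stream(derive_key(b, A), ciphertext) == message
    wire = {"A": A, "B": B, "ciphertext": ciphertext}
    # Forward secrecy deletes b here; a retention mandate keeps it on file.
    leftovers = [b] if retain_keys else []
    return wire, leftovers

def later_compromise(wire, leftovers):
    """Someone holding the recorded traffic plus whatever was left in storage."""
    for secret in leftovers:
        if pow(G, secret, P) == wire["B"]:  # the stored secret matches this session
            return xor_stream(derive_key(secret, wire["A"]), wire["ciphertext"])
    return None  # nothing retained: the recorded ciphertext stays sealed
```

With `retain_keys=True`, anyone who later reaches the stored secret can read the recorded session; with `retain_keys=False`, the same recording yields nothing.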
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.