In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
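To make the contrast in this first point concrete, the following added example (not taken from the report or this article) runs the same toy Diffie-Hellman exchange twice, once keeping the receiver's private key on file and once deleting the keys after use, and shows what the holder of the key store can later read from recorded traffic. The group parameters, the SHA-256 keystream and all function names are assumptions chosen for illustration, not production cryptography.

```python
import hashlib
import secrets

# Toy parameters (assumption for illustration): multiplicative group modulo
# the prime 2**255 - 19 with generator 2. Not a vetted Diffie-Hellman group.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def xor_stream(key, data):
    # Toy stream cipher: SHA-256 keystream, same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def run_session(message, retain_keys):
    """Run one exchange; return (recorded transcript, key store left behind)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    ct = xor_stream(session_key(a_priv, b_pub), message)
    assert xor_stream(session_key(b_priv, a_pub), ct) == message  # receiver reads it
    transcript = {"a_pub": a_pub, "b_pub": b_pub, "ciphertext": ct}
    # Retained-key design: the receiver's private key stays on file.
    # Forward secrecy: both private keys are discarded once the message is read.
    store = {"b_priv": b_priv} if retain_keys else {}
    return transcript, store

def recover_later(transcript, store):
    """What a party holding the key store can read from recorded traffic."""
    if "b_priv" not in store:
        return None  # nothing left from which to derive the session key
    key = session_key(store["b_priv"], transcript["a_pub"])
    return xor_stream(key, transcript["ciphertext"])

MESSAGE = b"constructed sample message"
retained_result = recover_later(*run_session(MESSAGE, retain_keys=True))
forward_secret_result = recover_later(*run_session(MESSAGE, retain_keys=False))
```

With the key retained, the recorded ciphertext decrypts for whoever holds the store, authorized or not; with the keys deleted, the same recording yields nothing.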
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.