In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.