In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.