In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October 2014, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide the plain text of encrypted information, whether in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving decryption keys that could then be obtained not only by law enforcement, but by anyone able to break into the system that stores them. This is a 180-degree reversal from state-of-the-art security practices such as “forward secrecy,” in which session keys are discarded immediately after use so that a later compromise of a device or server cannot expose traffic that was already exchanged.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
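To make the contrast concrete, the following Python is an added example and not code from the report or from MIT CSAIL. It puts a forward-secret channel beside an escrowed one and then hands a hypothetical attacker a snapshot of each sender's stored state. The forward-secret side uses a symmetric hash ratchet (the chain step of protocols such as Signal's Double Ratchet) as a simplified stand-in for the ephemeral key agreement real protocols use; the escrowed side models any retained decryption capability as a long-lived key from which every message key can be re-derived. The XOR-plus-HMAC cipher is a toy built from the standard library only, standing in for a real AEAD; the message strings and key sizes are constructed for the demonstration.

```python
"""Forward secrecy vs. retained keys: a hash-ratchet channel beside an escrowed one.

Added example, not code from the "Keys under doormats" report. Standard library
only; the XOR/HMAC cipher below is a toy stand-in for a real AEAD."""
import hashlib
import hmac
import secrets
from typing import Optional


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # wrong key or tampering: refuse rather than emit garbage
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class RatchetSender:
    """Forward-secret: each message key is derived, used once and erased;
    the chain key is then advanced with a one-way function."""

    def __init__(self, root: bytes):
        self.chain = root

    def send(self, msg: bytes) -> bytes:
        mk = hmac.new(self.chain, b"message", hashlib.sha256).digest()
        self.chain = hmac.new(self.chain, b"advance", hashlib.sha256).digest()
        blob = toy_encrypt(mk, msg)
        del mk  # nothing left on this end that can recover msg
        return blob


class EscrowSender:
    """Exceptional-access design: a long-lived escrow key is kept around and
    every message key is re-derivable from it (hypothetical design)."""

    def __init__(self, escrow_key: bytes):
        self.escrow_key = escrow_key
        self.n = 0

    def message_key(self, n: int) -> bytes:
        return hmac.new(self.escrow_key, n.to_bytes(4, "big"), hashlib.sha256).digest()

    def send(self, msg: bytes) -> bytes:
        blob = toy_encrypt(self.message_key(self.n), msg)
        self.n += 1
        return blob


def compromise_experiment(messages):
    """Send messages over both channels, then give the attacker a snapshot of
    each sender's stored state and count how many past messages fall."""
    ratchet = RatchetSender(secrets.token_bytes(32))
    escrow = EscrowSender(secrets.token_bytes(32))
    r_blobs = [ratchet.send(m) for m in messages]
    e_blobs = [escrow.send(m) for m in messages]

    # Ratchet compromise: only the *current* chain key exists on the device.
    # The attacker can walk the chain forward, but never back to earlier keys.
    k = ratchet.chain
    r_recovered = 0
    for _ in range(len(messages)):
        mk = hmac.new(k, b"message", hashlib.sha256).digest()
        r_recovered += sum(toy_decrypt(mk, b) is not None for b in r_blobs)
        k = hmac.new(k, b"advance", hashlib.sha256).digest()

    # Escrow compromise: the retained key re-derives every past message key.
    stolen = EscrowSender(escrow.escrow_key)
    e_recovered = sum(
        toy_decrypt(stolen.message_key(i), b) is not None
        for i, b in enumerate(e_blobs)
    )
    return r_recovered, e_recovered


if __name__ == "__main__":
    sample = [b"meet at noon", b"bring the files", b"done"]  # constructed input
    print(compromise_experiment(sample))  # -> (0, 3)
```

Run it and the ratchet side yields zero of the three past messages to an attacker holding its full current state, while the escrow side yields all three. That asymmetry is the whole of the report's first objection: a key that must be kept so that someone can decrypt later is a key that anyone who reaches the storage can also use.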
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.