In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving decryption keys that could be obtained not only by law enforcement, but by anyone able to break into wherever they are stored. This is a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which the keys protecting each conversation are generated for that conversation alone and discarded as soon as it ends, so that a later compromise of a long-term key does not expose past traffic.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
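The contrast Weitzner draws, worked through as an added example that is not part of the report or of this article: a toy Diffie-Hellman exchange in Python in which the session key is discarded after use, beside the same exchange with the session key additionally wrapped to a long-lived escrow key and retained. The group parameters (a Mersenne prime with base 2), the XOR keystream cipher and the escrow wrapping scheme are illustrative choices made for this example, not anything the report specifies or recommends, and none of it is production-grade cryptography.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption for this example): a Mersenne
# prime and base 2, chosen so the example runs stand-alone.  Real deployments
# use RFC 7919 finite-field groups or X25519, not this.
P = 2**521 - 1
G = 2
LEN = (P.bit_length() + 7) // 8  # bytes needed to encode a group element


def dh_keypair():
    """Fresh private exponent and matching public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(shared: int, transcript: bytes) -> bytes:
    """Derive a 256-bit key from a DH shared secret, bound to the transcript."""
    return hmac.new(transcript, shared.to_bytes(LEN, "big"), hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with a SHA-256 keystream), symmetric for
    encrypt and decrypt.  Illustration only: real code uses an AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def forward_secret_session(plaintext: bytes) -> dict:
    """Ephemeral DH: each side makes a one-time exponent, derives the session
    key, encrypts, and then discards every secret.  What survives is exactly
    what an eavesdropper saw: the public values and the ciphertext."""
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    transcript = ga.to_bytes(LEN, "big") + gb.to_bytes(LEN, "big")
    k_alice = session_key(pow(gb, a, P), transcript)
    k_bob = session_key(pow(ga, b, P), transcript)
    assert k_alice == k_bob  # both sides agree on the key
    ciphertext = keystream_xor(k_alice, plaintext)
    assert keystream_xor(k_bob, ciphertext) == plaintext  # Bob can read it now
    # The shredder step: nothing that could re-derive the key is kept.
    del a, b, k_alice, k_bob
    return {"public": (ga, gb), "ciphertext": ciphertext, "retained_secrets": {}}


def escrowed_session(plaintext: bytes, escrow_pub: int, escrow_store: list) -> bytes:
    """Same exchange, but the session key is also wrapped to a long-lived
    escrow public key and appended to escrow_store, as an exceptional-access
    scheme requires.  The store is now a permanent, high-value target."""
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    transcript = ga.to_bytes(LEN, "big") + gb.to_bytes(LEN, "big")
    k = session_key(pow(gb, a, P), transcript)
    ciphertext = keystream_xor(k, plaintext)
    # Wrap k with a one-time DH against the escrow public value (assumed scheme).
    e, ge = dh_keypair()
    wrap_key = session_key(pow(escrow_pub, e, P), ge.to_bytes(LEN, "big"))
    escrow_store.append((ge, keystream_xor(wrap_key, k), ciphertext))
    del a, b, k, e, wrap_key
    return ciphertext


def recover_all_with_escrow_key(escrow_priv: int, escrow_store: list) -> list:
    """Whoever holds the escrow private key, the authority or anyone who stole
    it, unwraps and decrypts every past session in one pass."""
    plaintexts = []
    for ge, wrapped_k, ciphertext in escrow_store:
        wrap_key = session_key(pow(ge, escrow_priv, P), ge.to_bytes(LEN, "big"))
        k = keystream_xor(wrap_key, wrapped_k)
        plaintexts.append(keystream_xor(k, ciphertext))
    return plaintexts


if __name__ == "__main__":
    fs = forward_secret_session(b"read once, then shredded")
    print("forward secrecy retains:", fs["retained_secrets"])
    escrow_priv, escrow_pub = dh_keypair()
    store = []
    escrowed_session(b"first session", escrow_pub, store)
    escrowed_session(b"second session", escrow_pub, store)
    print("escrow key holder recovers:", recover_all_with_escrow_key(escrow_priv, store))
```

The point of the two functions is what each leaves behind. The forward-secret session returns nothing but the values an eavesdropper already captured, so a later theft of any long-term key yields no past plaintext. The escrowed session leaves a store in which one private key unlocks every conversation ever recorded, which is the “unlocked file cabinet” of the quote above and the reason the store becomes the most valuable target in the system.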
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.