In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.