In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.
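The contrast drawn in the first reason, between forward secrecy and retained keys, can be shown in a short sketch. This is an added example, not code from the report or its authors; the toy Diffie-Hellman group, the SHA-256 keystream cipher, and the names `run_session`, `escrow_store` and `recover_with_stolen_store` are assumptions made for illustration.

```python
import hashlib
import secrets
from typing import Optional

# Toy parameters (assumption, illustration only): real systems use X25519 or a vetted group.
P = 2**255 - 19  # prime modulus
G = 2

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR data with SHA-256(key || offset) blocks. Not for production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)

def run_session(session_id: str, message: bytes, escrow: Optional[dict] = None) -> dict:
    """One Diffie-Hellman session with fresh ephemeral keys on both sides.

    If `escrow` is given, the session key is also retained there, modelling an
    exceptional-access requirement. Returns only what a passive recorder sees.
    """
    a_priv = secrets.randbelow(P - 3) + 2
    b_priv = secrets.randbelow(P - 3) + 2
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)
    shared = pow(b_pub, a_priv, P)
    assert shared == pow(a_pub, b_priv, P)  # both ends derive the same secret
    key = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    ciphertext = keystream_xor(key, message)
    if escrow is not None:
        escrow[session_id] = key  # retained copy: the "key under the doormat"
    # Forward secrecy: drop every secret after use (real code would also zeroize memory).
    del a_priv, b_priv, shared, key
    return {"id": session_id, "a_pub": a_pub, "b_pub": b_pub, "ct": ciphertext}

def recover_with_stolen_store(transcript: dict, stolen: dict) -> Optional[bytes]:
    """What a breach of the key store exposes for one recorded session."""
    key = stolen.get(transcript["id"])
    return keystream_xor(key, transcript["ct"]) if key else None

MESSAGE = b"constructed sample message"
escrow_store: dict = {}
fs_record = run_session("s1", MESSAGE)                # keys deleted after use
ea_record = run_session("s2", MESSAGE, escrow_store)  # key retained for access

if __name__ == "__main__":
    print(recover_with_stolen_store(fs_record, escrow_store))  # forward-secret session
    print(recover_with_stolen_store(ea_record, escrow_store))  # escrowed session
```

Both recorded sessions look the same on the wire; the only difference is whether a key still exists anywhere to be stolen.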