In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.