In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
Not-so-exceptional access
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.
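The first reason above, retained keys versus forward secrecy, as an added example that is not from the report or the article. The toy Diffie-Hellman group, the SHA-256 keystream cipher, and every name and message in it are assumptions made for illustration and are not secure for real use.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy Diffie-Hellman group (assumption), far too small for real use
MSGS = [b"first message (constructed)", b"second message (constructed)"]

def keystream_xor(key, data):
    # Toy cipher (SHA-256 in counter mode), for illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def run_session(msg, key_store, retain_keys):
    """One encrypted session; returns what a passive recorder sees on the wire."""
    a = secrets.randbelow(P - 2) + 1       # ephemeral secrets, one pair per session
    b = secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)      # public values, sent in the clear
    key = hashlib.sha256(pow(B, a, P).to_bytes(16, "big")).digest()
    ct = keystream_xor(key, msg)
    tag = hmac.new(key, ct, "sha256").digest()
    if retain_keys:
        key_store.append(key)              # exceptional access: the key is preserved
    del a, b, key                          # forward secrecy: local key material dropped
    return A, B, ct, tag

def recover(transcripts, stored_keys):
    """Plaintexts readable by whoever holds the key store plus recorded traffic."""
    readable = []
    for _A, _B, ct, tag in transcripts:
        for k in stored_keys:
            if hmac.compare_digest(hmac.new(k, ct, "sha256").digest(), tag):
                readable.append(keystream_xor(k, ct))
    return readable

def demo():
    escrow_store, fs_store = [], []
    escrowed = [run_session(m, escrow_store, True) for m in MSGS]
    forward_secret = [run_session(m, fs_store, False) for m in MSGS]
    # Same recorded traffic in both designs; only the retained state differs.
    return recover(escrowed, escrow_store), recover(forward_secret, fs_store)

if __name__ == "__main__":
    print(demo())
```

With keys retained, anyone who obtains the store can read every recorded session; with keys deleted after use, the same recording yields nothing because no decryption key exists to be taken.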
Read more: Giving Government Special Access to Data Poses Major Security Risks