In recent months, government officials in the United States, the United Kingdom and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes. Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?
That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — published July 7, 2015, by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.
The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.”
The team warns that rushing to create a legislative proposal is dangerous until security specialists are able to evaluate a comprehensive technical solution that has been carefully analyzed for vulnerabilities.
CSAIL contributors to the report include professors Hal Abelson and Ron Rivest, Ph.D. student Michael Specter, Information Services and Technology network manager Jeff Schiller, and principal research scientist Daniel Weitzner, who spearheaded the work as director of MIT’s Cybersecurity and Internet Policy Research Initiative, an interdisciplinary program funded by a $15 million grant from the Hewlett Foundation.
The group also includes cryptography expert Bruce Schneier and researchers from Stanford University, Columbia University, Cambridge University, Johns Hopkins University, Microsoft Research, SRI International, and Worcester Polytechnic Institute.
Not-so-exceptional access
In October, FBI Director James Comey called for what is often described as “exceptional access” — namely, that computer systems should be able to provide access to the plain text of encrypted information, in transit or stored on a device, at the request of authorized law enforcement agencies.
The research team outlines three reasons why this approach would worsen the already-shaky current state of cybersecurity.
First, it would require preserving private keys that could be compromised not only by law enforcement, but by anyone who is able to hack into them. This represents a 180-degree reversal from state-of-the-art security practices like “forward secrecy,” in which decryption keys are deleted immediately after use.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” Weitzner says. “Keeping keys around makes them more susceptible to compromise.”
Second, exceptional access would make systems much more complex, introducing new features that require independent testing and are sources of potential vulnerabilities.
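To make the first point concrete, the following sketch is an added example (not taken from the report or from MIT) that contrasts sessions whose keys are deleted after use with sessions whose keys are kept in an escrow store. The group parameters, the keystream cipher, and all function names are toy assumptions chosen so the code runs with only the Python standard library.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman parameters for illustration only (assumption: not a
# vetted production group; real systems use X25519 or a standardized group).
P = 2**255 - 19
G = 2

def _xor_stream(key, data):
    """Toy HMAC-SHA256 counter keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, b"ks" + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(d ^ p for d, p in zip(data[off:off + 32], pad))
    return bytes(out)

def run_session(plaintext, escrow=None):
    """One session: fresh ephemeral DH secrets, encrypt, then discard them."""
    a = secrets.randbelow(P - 2) + 1           # client ephemeral secret
    b = secrets.randbelow(P - 2) + 1           # server ephemeral secret
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    shared = pow(pub_b, a, P)                  # equals pow(pub_a, b, P)
    key = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    ct = _xor_stream(key, plaintext)
    tag = hmac.new(key, b"tag" + ct, hashlib.sha256).digest()
    if escrow is not None:                     # exceptional access: key is preserved
        escrow.append(key)
    del a, b, shared, key   # forward secrecy: nothing retained (del drops the
                            # references; it does not wipe memory)
    return {"pub_a": pub_a, "pub_b": pub_b, "ct": ct, "tag": tag}

def recover(wire_records, stolen_keys):
    """What a later breach yields: plaintexts whose tag verifies under a stolen key."""
    found = []
    for rec in wire_records:
        for key in stolen_keys:
            expect = hmac.new(key, b"tag" + rec["ct"], hashlib.sha256).digest()
            if hmac.compare_digest(expect, rec["tag"]):
                found.append(_xor_stream(key, rec["ct"]))
    return found

MESSAGES = [b"constructed sample message 1", b"constructed sample message 2"]

def demo():
    fs_wire = [run_session(m) for m in MESSAGES]             # keys deleted after use
    escrow_db = []
    ea_wire = [run_session(m, escrow_db) for m in MESSAGES]  # keys kept in escrow
    # A breach of the escrow store exposes every escrowed session and none of the others.
    return recover(fs_wire, escrow_db), recover(ea_wire, escrow_db)

if __name__ == "__main__":
    print(demo())
```

Both sets of sessions put the same kind of data on the wire; the only difference is whether the session key still exists somewhere when the store is breached.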
Read more: Giving Government Special Access to Data Poses Major Security Risks