RSA 2016: Ex-NSA officer admits other countries could open encryption backdoors

The Apple-FBI encryption battle rightly dominates discussion at security conference

NSA data

Here in San Francisco, the NSA and FBI are exhibiting alongside encryption vendors on the show floor of the RSA security conference.

They seem to be on a dual-pronged mission mixing recruitment (there's plenty of talented folk walking the floors here) with marketing, but their appearance is somewhat ironic given their attitudes to encryption.

Edward Snowden has accused the NSA of breaking encryption methods to protect web users' data.

The FBI, meanwhile, is currently embroiled in a battle with Apple in Congress, seeking to force the tech giant to help it bypass an iPhone security barrier.

Advertisement
Advertisement - Article continues below

This has been the main talking point here at RSA 2016 when you leave the fantasy world of the vendor booths on the show floor. Move into the smaller halls and the multiple conference rooms, and you'll find the academics, security researchers, tech experts and policy people who really are all talking about the problems of deliberately weakening strong encryption.

The argument used today by everyone from the FBI to our own government is that strong encryption weakens national security and presents a real and present danger to our wellbeing. But that same argument has been used in all the 'crypto wars' dating back at least thirty years, and it's as wrong now as it was then.

What threatens our wellbeing are terrorists, what weakens national security are misguided efforts to undermine that encryption, coupled with the naive belief that a backdoor can somehow only be exploited by one set of actors.

As I write this I have just stepped out of a debate with the title 'Can government encryption backdoor and privacy coexist?', and the answer is no.

Michelle Dennedy, chief privacy officer of Cisco, debated the question with Dr. Matthew Green, a renowned crypto-engineer and co-author of the 'Keys Under Doormats' paper with Rivest, and the former general counsel for the NSA, Richard Marshall.

Marshall spent a great deal of the debate shooting quizzical looks in the direction of Dr Green and shaking his head at the latter's claims that "the NSA steals keys" or "no country can break good encryption, the NSA only breaks lousy encryption".

Dennedy was much better value, and the session would have been worth sitting through just for her quip in response to Dr Green suggesting that if it looks like a backdoor and smells like a backdoor then let's agree to call it a backdoor: "I'm not smelling your backdoor" she insisted.

Jocular retorts aside, this was an important debate. Even Marshall admitted that "10 or 12 countries have the technological know-how to be able to take advantage of encryption vulnerabilities as we do". This, for me, pretty much seals the deal. When the former NSA guy who appears to be broadly supportive of the FBI position suggests that a backdoor could be opened by others, this should effectively end the debate.

Backdoors always weaken the encryption ecosystem. Fact.

Backdoors violate tried and tested design principles of secure systems. Fact.

Advertisement
Advertisement - Article continues below

If the FBI really wanted to get the data off that iPhone, then why not hand it over to the NSA? As I have said before, this is less about technical backdoors and more about legal precedents.

And that's what really worries me. If the current legal moves to force a backdoor into the encrypted iPhone fail, then what is the alternative? Could it be something much worse, like the banning of all strong encryption?

There's the real dichotomy of the situation, and it's one that will only become worse as time passes and crypto-tech advances. If we don't get to grips with the issue today then the consequences could become very chilling indeed in the future.

Advertisement
Related Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019
Visit/data-processing/32432/ico-says-metropolitan-police-breached-data-protection-laws-with-gangs-matrix
data processing

ICO says Metropolitan Police breached data protection laws

23 Nov 2018

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

4 Nov 2019
Visit/domain-name-system-dns/34842/microsoft-embraces-dns-over-https-to-secure-the-web
Domain Name System (DNS)

Microsoft embraces DNS over HTTPS to secure the web

19 Nov 2019
Visit/strategy/28115/the-pros-and-cons-of-net-neutrality
Business strategy

The pros and cons of net neutrality

4 Nov 2019
Visit/social-media/34844/can-wikipedia-founders-social-network-really-challenge-facebook
social media

Can Wikipedia founder's social network really challenge Facebook?

19 Nov 2019