July 24, 2019 | 11:05
US Attorney General William Barr has become the latest to call for back-door access in end-to-end encryption systems, claiming that the risk of adding such capabilities is not 'materially greater than [vulnerabilities] already in the unmodified product.'
Cryptography, the art of using mathematics to turn data into gibberish and back into useful data again only when accessed by those recipients for whom it is intended, is at the heart of modern computing. From protecting your online banking system to attempting to stop you pirating the latest games, it does a reasonable job at keeping everyone safe - including, critics argue, those who have no right to be safe: Criminals, terrorists, and other ne'er-do-wells.
The growth of easy-access end-to-end-encrypted messaging systems like WhatsApp has been on the radar of governments and security forces worldwide for some time. Back in 2017 then-Home Secretary Amber Rudd called for intelligence services to be given the ability to access encrypted data, something only achievable by adding a back door - something of which she would later clarify her complete incomprehension. Since then the Five Eyes intelligence partnership has voiced its own support for mandatory back doors in end-to-end encryption platforms, supported by both the director of the UK Government Communications Headquarters (GCHQ) and National Cyber Security Centre (NCSC).
Now, US Attorney General William Barr has put his own weight behind the call for an end to secure cryptography, arguing that the security risk from adding a back door for law enforcement and government use is no greater than those risks already present in modern software.
'The argument is that a business is thwarted in its purpose of offering the best protection against bad actors unless it can also override society’s interest in retaining lawful access. Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access,' Barr told attendees of the International Conference on Cyber Security (ICCS) late yesterday. 'But, in the world of cybersecurity, we do not deal in absolute guarantees but in relative risks. All systems fall short of optimality and have some residual risk of vulnerability — a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products.
'The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated. Moreover, even if there was, in theory, a slight risk differential, its significance should not be judged solely by the fact it falls short of theoretical optimality. Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society.
'After all, we are not talking about protecting the Nation’s nuclear launch codes. Nor are we necessarily talking about the customised encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications. If one already has an effective level of security — say, by way of illustration, one that protects against 99 percent of foreseeable threats — is it reasonable to incur massive further costs to move slightly closer to optimality and attain a 99.5 percent level of protection even where the risk addressed is extremely remote? A company would not make that expenditure; nor should society. Here, some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded public safety. This is untenable, again using a crude illustration, if the choice is between a world where we can achieve a 99 percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access it might seek; or a world, where we have boosted our cybersecurity to 99.5 percent but at a cost reducing law enforcements access to zero percent — the choice for society is clear.'
Critics of the plan to insert backdoor access for governments point out historically poor track records when it comes to security concerns, with even the US' top intelligence outfit the National Security Agency having had confidential data leaked through a contractor's anti-virus software while its international equivalent the Central Intelligence Agency (CIA) lost a vast trove of top secret documentation and software, including zero-day vulnerabilities used to attack target systems, in March 2017. Should such a leak compromise whatever back-door mechanism is chosen for implementation, it would immediately render all users of all compliant end-to-end cryptography systems at risk of information disclosure.
Barr, meanwhile, warns that if companies do not cooperate voluntarily they may be forced to do so legislatively. 'Obviously, the Department would like to engage with the private sector in exploring solutions that will provide lawful access,' he told attendees at the event. 'While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues. Whether we end up with legislation or not, the best course for everyone involved is to work soberly and in good faith together to craft appropriate solutions, rather than have outcomes dictated during a crisis.'
The script for Barr's speech can be found on the Department of Justice website.
July 1 2020 | 17:34