Skip to main content
banner image
venafi logo

Encryption Backdoors and Federal Cybersecurity Posture

Encryption Backdoors and Federal Cybersecurity Posture

Picture of a federal building with a flag in front of it
August 29, 2019 | Guest Blogger: Anastasios Arampatzis


Last July 2019, Attorney General William Barr and FBI Director Christopher Wray re-ignited a years-long debate on placing encryption backdoors on smartphones, computers and messaging apps. They both argue that the existing barriers to law enforcement agencies to access otherwise encrypted and, thus, private communications is putting American security at risk. To counter this threat, they urge technology companies to stop using advanced encryption and other security measures that effectively turn devices into “law-free zones.”


Instead, they would like to add eavesdropping mechanisms to consumer-level software and devices. This would allow investigators to forcibly decrypt and access end-to-end encrypted communications, such as chats, emails, files and calls. They have even gone one step ahead by proposing three technical solutions that, as they argue, will solve the problem.



 

In their own words:

  • “The Fourth Amendment strikes a balance between the individual citizen’s interest in conducting certain affairs in private and the general public’s interest in subjecting possible criminal activity to investigation.” AG Barr in New York Times
     
  • “There have been enough dogmatic pronouncements that lawful access simply cannot be done…It can be, and it must be.” AG Barr in The Register
     
  • “I’m well aware that these are provocative subjects in some quarters. I get a little frustrated when people suggest that we're trying to weaken encryption — or weaken cybersecurity more broadly. We're doing no such thing.” FBI Director in The Register
     
  • “It cannot be a sustainable end state for us to be creating an unfettered space that’s beyond lawful access for terrorists, hackers, and child predators to hide. But that’s the path we’re on now, if we don’t come together to solve this problem.” FBI Director in FBI Press Release
     

There is a strong opposition to encryption backdoors coming from both sides of the Atlantic. Professor Matthew Green of the Jons Hopkins University fears that, beyond his technical / cryptographical objections, “Barr and the Trump administration have nothing new to offer here except for a creatively terrifying interpretation of the Fourth Amendment and a desire to minimize risks.” 
 

German prosecutor Markus Hartmann disagreed with his US counterparts, saying that criminals and terrorists “will simply just turn to different services” if a country like the US passes a law to bypass encryption. “What can be done to prevent anybody to use some foreign service that is not following the law by US, Germany, France, Europe, whatever?” Hartmann said.
 

How strong is your cybersecurity posture? See how you stack up.

Installing encryption backdoors on every commercial communications application is like police having a master key to access all houses. It doesn’t matter if you have installed the latest, most secure lock to protect your property. There will always be a corrupted officer who will take advantage of the master key. Would you allow this? Does this make you feel more safe?
 


A last argument. GDPR defines privacy as a fundamental human right and urges all organizations processing, storing and transmitting personal identifiable information to take all appropriate measures in order to safeguard this human right. How is this backdoor narrative compliant with strict privacy legislation in Europe and elsewhere?
 

In fact, the issue of dealing with encryption is broader than providing lawful access. The efforts of fighting terrorism and criminality and, thus, strengthening the sense of public safety, can be enhanced by the use of communications’ metadata, which are not encrypted and are easy to be analyzed because they are structured. Although there are certain concerns about the legislative framework for the retention and destruction of this data with regards to preserving people’s privacy, this is an area of increased interest in the field of criminology.
 

What is more worrying is that high level government officials do not seem to be paying attention to the news about how cyber criminals misuse encrption. Even if technology companies are doing their best to safeguard communications privacy and the keys and certificates that serve as machine identities, the news is overwhelmed by security incidents. This is exactly how the NotPetya ransomware that crippled businesses worldwide spread: via poisoned software updates using fake keys. Also Stuxnet used stolen digital keys to cryptographically sign itself so that it looked like legit software. And the list goes on.
 


One last thought: how are government officials and agencies going to safeguard these backdoors for falling prey to malicious state actors if the same federal agencies cannot protect their own infrastructure? The recent (July 2019) Government Accountability Office (GAO) report finds that 23 federal agencies come up short in their cybersecurity efforts even as attacks on their IT infrastructures continue to grow and concerns about foreign interference in the upcoming 2020 elections persist.
 

The GAO found that most federal agencies had failed in key areas of risk management, such as developing a cybersecurity risk management plan, creating policies for assessing, monitoring and responding to risk, and establishing processes for coordinating their cybersecurity and enterprise risk management programs. The government watchdog identified 58 recommended steps the 23 agencies should take to shore up their cybersecurity defenses, saying that until they do, "agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy."
 

Lack of pragmatic approach, “creative interpretation” of the Constitution and legislation, disrespect of fundamental human rights cannot be the solution to a long-standing problem. And placing backdoors can and will act like a “Κερκόπορτα” (kerkoporta = backdoor, the door through which the Ottomans were able to sneak into Constantinople and capture it) to tear down the walls that keep hackers out of citizens' private spaces.
 

Are you concerned about government mandated encryption backdoors?


Learn more about machine identity protection. Explore now.

 

Related posts

Like this blog? We think you will love this.
picture of the statue of liberty from the bottom, holding a lit torch
Featured Blog

Is Cryptography Really a Threat to Liberty? [Labor Day Musings]

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Guest Blogger: Anastasios Arampatzis
Guest Blogger: Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat