Why are government officials who know next to nothing about encryption so eager to mandate encryption backdoors?
This topic came up the other day while I was chatting with one of my security colleagues who posited a very fascinating concept:
“You know, the government has already broken all the encryption algorithms”.
I was shocked when I heard this, and the mere thought made me extremely uncomfortable.
Fortunately, we do not have to believe such a theory: it is easily disproved by the number of high-ranking officials who are arguing for encryption backdoors. Once those encryption algorithms are broken, the rhetoric will fall mysteriously silent. Imagine if, however, my friend is right and the government has in fact broken encryption. The fact that they have not made decryption keys available to all the victims of ransomware would make them complicit in the largest digital criminal enterprise in recent memory.
Many folks simply do not understand encryption at all, so it seems like a mysterious bit of witchcraft. Some incorrectly argue that only it protects the criminals. The best and worst part about encryption is that its foundation rests in math. That is good because math is agnostic; it is bad because too many people fear math.
One need not blame the politicians alone for the chatter about allowing special decryption access for law enforcement. Former FBI director Jim Comey spoke at a law enforcement conference a couple of years ago, and when he spoke about the “going dark” problem, most folks in the room nodded affirmatively at the need for the government to have a back door into encryption.
It is easy for a person to declare encryption as a bad thing simply due to its unfamiliar and highly complicated process. So what? This is not the real issue. I do not expect anyone to understand encryption in order to recognize its value. Most people do not know anything about how their own heart operates, so why would we expect anyone to understand something as arcane as encryption?
What people understand is the need for safety and security, and the anti-encryption song of our officials is all that is available to promote that feeling. What is needed is a reasoned and strong counterpoint that is equally compelling.
As InfoSec folks, we need to avoid the technical aspects of encryption when we are explaining it outside of our circles. There are few things more eye-glazing than when we start to wax technical with a non-technical audience. I usually tell my non-technical friends that encryption is exactly like any scrambled message that we have all experimented with in our youth. More recently, it is like some of the language in many hip-hop songs. That is a language in dire need of decoding! In its simplest form, encryption is just a way to keep secret messages secret.
The arguments by the people in charge include:
The encryption back door could only be executed via a court order;
The encryption keys would be stored securely; and
This would make us all safer.
These are all trivial, and unfortunately, laughable to the InfoSec community, and worse, to the criminal enterprises who make their living breaking all of these rules. Stop for a moment, put on your security hat and think how each of these safeguards are easily circumvented. We have already seen examples, from the loss of sensitive data in recent data breaches, as well as other failures in security and the administration of justice.
To answer the question of why government officials who know next to nothing about encryption are so eager to mandate encryption backdoors: because that is the convenient solution. However, we all know that convenience over security is never a good idea.
Our guest blogger Bob Covello is a 20-year technology veteran and InfoSec analyst with a passion for security topics. Follow him on Twitter @BobCovello