
Crypto Review: Backdoors Won't Help

Bad for Business, Won't Stop Terrorists, Report Warns
"Anyone who wants to avoid U.S. surveillance has over 567 competing products to choose from," says report co-author Bruce Schneier. (Photo: Rama)

The push by the U.S., U.K. and some other governments to require that software and hardware products use only weak encryption - adding in so-called "backdoors" - would do nothing to restrict the availability or use of strong crypto. That's because such products are available worldwide, often for free.


So says a team of information security researchers who have been cataloging the number - and origin - of publicly available technology that includes crypto.

In "A Worldwide Survey of Encryption Products," so far they report having found 865 hardware or software products that use encryption, developed in 55 different countries. And two-thirds of those products come from outside of the United States, meaning that any lawmakers' attempt to restrict the use of strong crypto - not least by criminals or terrorists - would fail, argues cryptographer Bruce Schneier, together with security researchers Kathleen Seidel and Saranya Vijayakumar, in the report.

"Laws regulating product features are national, and only affect people living in the countries in which they're enacted," they say. "Any national law mandating encryption backdoors will overwhelmingly affect the innocent users of those products. Smart criminals and terrorists will easily be able to switch to more-secure alternatives."

The study arrives in the midst of what's been dubbed "Crypto Wars 2," owing to some government officials arguing that the "good guys" need backdoors to fight terrorism and crime. The issue has even found its way into the 2016 U.S. presidential debates (see Rivals Avoid Taking Stand on Backdoor).

But many information security experts, cryptographers and technology CEOs - including Apple's Tim Cook - have responded with stinging rebukes, noting that strong crypto is essential for everything from safeguarding people's privacy, to securing the online banking and e-commerce ecosystem, to blocking mass surveillance by adversaries or rogue states (see Why "Cryptophobia" Is Unjustified).

Many Strong Crypto Options

Today, the researchers report, the greatest number of crypto products - 304 - are of U.S. origin, followed by Germany, which has 112 products, as well as a government that has rejected crypto backdoors. Likewise, while there are 54 U.K. products and 41 French products - both of their governments have been pushing for backdoors - 19 offerings are available from the Netherlands, which says that it will not support weak crypto (see Paris Attacks Reignite Encryption Debate).

"Anyone who wants to avoid U.S. surveillance has over 567 competing products to choose from," Schneier says in a related blog post.

Many of these products - including hard drive encryption tools, crypto for messaging and voice calls, and virtual private networks - are also free, or available in free "light" versions. Of all of the products found, researchers say 56 percent are available for sale, while 44 percent are free, and that 66 percent are proprietary, while 34 percent are open source. Some offerings are hosted on servers that span multiple countries, thus making them "jurisdictionally agile" if any government attempts to shut them down. Others, such as encrypted smartphone maker Silent Circle, have relocated - in its case from the United States to Switzerland - to take advantage of stronger privacy laws (see Blackphone: Inside a Secure Smart Phone).

Free Market for Crypto

The researchers say they do not believe that products from outside the U.S. are any less secure than U.S.-built products, and that it's easy for individuals to switch from a product with weak crypto to a product with strong crypto, or even to build their own.

"Any mandatory backdoor will be ineffective simply because the marketplace is so international," they say in the report. "Yes, it will catch criminals who are too stupid to realize that their security products have been backdoored or too lazy to switch to an alternative, but those criminals are likely to make all sorts of other mistakes in their security and be catchable anyway."

The researchers' assessment echoes the findings of a recent report from Harvard University's Berkman Center for Internet & Society - co-authored by Schneier - which challenges many officials' assertion that crypto is causing law enforcement agencies' investigative capabilities to "go dark" (see Study: Default Encryption Won't Hinder Surveillance). Instead, lead report author Jonathan Zittrain, an Internet law professor at Harvard Law School, argues that various human and technical weaknesses, as well as the burgeoning Internet of Things, will give law enforcement and intelligence agencies the edge against adversaries.

Crypto War Parallels

The new survey of currently available crypto products parallels a similar study, conducted by George Washington University researchers 17 years ago, in the midst of the first Crypto Wars, when the Clinton administration mandated that backdoors be installed in exported products with crypto. Back then, researchers found that 805 hardware and software crypto products were available from 35 countries outside the United States. They concluded that backdooring U.S. crypto would not restrict access to it, yet would also place U.S. businesses at a competitive disadvantage globally.

The same reality now faces U.S. businesses, amplified already by the Snowden revelations, which revealed the extent to which the U.S. National Security Agency has been eavesdropping on U.S.-built hardware, software and cloud services (see Juniper Firmware: New Crypto Flaw Found). Indeed, if the U.S. mandates weak crypto, U.S. software and technology providers could face a withering marketing assault by foreign competitors. "The potential of an NSA-installed backdoor in U.S. encryption products is rarely mentioned in the marketing material for the foreign-made encryption products," write Schneier, Seidel and Vijayakumar.

According to their report, few of the 805 products seen in 1999 are still available, thus showing how much the crypto landscape has continued to change.

Lawmakers Tussle

Meanwhile, the debate over crypto backdoors continues to rage. The Obama administration, notably, continues to pressure U.S. technology firms into building in backdoors, although it no longer appears to be trying to push a related measure through Congress. State lawmakers in California and New York have also recently proposed legislation that would mandate that all U.S. technology products with crypto include backdoors.

In response, on Feb. 10 a bipartisan House group introduced the Encrypt Act, which would block attempts to impose backdoors. "Requiring companies to weaken devices with 'backdoors' means we open up innocent Americans to the bad actors who would love easier access to our citizens' personal information," says Congresswoman Suzan DelBene, D-Wash. (see China: Chinese Criminals Hacked OPM).


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



