Cyber security: if you open backdoors to apps, adversaries will use them too

Any form of surveillance creates a pool of data that bad actors can try to access

By: Eric De Grasse, Chief Technology Officer

20 October 2020 (Paris, France) – This week the UK made a further move to make it harder to communicate securely. It joined the justice and home-affairs departments of the “Five Eyes” intelligence-sharing alliance (the UK, US, Canada, Australia and New Zealand) in asking once more for tech companies to give them “lawful access” to encrypted communications.

In other words, these governments want backdoors into encrypted messaging apps such as WhatsApp and Signal. The term “backdoor” has been popularised more recently by the Trump administration’s campaign against Chinese tech, accusing Huawei and other companies of leaving backdoors for Chinese government access.

There is an enormous issue here and many people are not making the link: bad domestic cyber policy decreases our ability to defend against foreign adversaries. Any form of surveillance creates a pool of data that bad actors can try to access. Breaking end-to-end encryption, in particular, leaves gaping vulnerabilities for hackers to exploit.

The reason lies in the otherwise tight design of such programs. An app such as Signal encrypts your messages so that they can only be accessed using a private key, or password, that is generated on your phone and sealed there. Signal’s servers and programmers cannot access the key and use it to decrypt your messages as they flow across the internet. The only person who can access it is the person in control of the phone, the message’s final “end point”: hence the term end-to-end encryption.

The efficacy of end-to-end encryption means that everyone, from banks to ecommerce sites to healthcare systems, relies on it to protect their users. Without the private key, the calculations needed to break open a well-encrypted message would take longer than a lifetime.

As a result, backdoors into end-to-end encrypted communications usually require app designers to produce extra keys that are handed to law enforcement agencies. But unlike the keys stored on a device, these extra keys are designed to be shared, and their existence dramatically increases the chance that a key gets leaked. Once a key is leaked, all the contents of the encrypted messages can be read.
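To make that difference concrete, here is an added example (Go, standard library only; it is not the article’s or Signal’s code, and the names Record, Seal, Open and Readable are hypothetical). Each message is sealed with AES-256-GCM under a per-conversation key that stays on the device; the backdoored variant additionally stores every conversation key wrapped under one shared escrow key, and Readable counts how many stored messages a single leaked key unlocks in each case.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Sealed is an AES-256-GCM ciphertext plus the random nonce used to produce it.
type Sealed struct{ Nonce, Ciphertext []byte }

// Record models the backdoored design: Msg is sealed under a per-conversation key kept on the devices,
// and that key is sealed again under one shared escrow key (drop WrappedKey and you have plain end-to-end).
type Record struct{ Msg, WrappedKey Sealed }

// NewKey returns a fresh 256-bit key; crypto/rand.Read does not fail on modern Go.
func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// gcm builds the AEAD; every key here is 32 bytes, so the constructors cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts under key with a random nonce; Open returns false for any other key.
func Seal(key, plaintext []byte) Sealed {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return Sealed{nonce, g.Seal(nil, nonce, plaintext, nil)}
}

func Open(key []byte, s Sealed) ([]byte, bool) {
	pt, err := gcm(key).Open(nil, s.Nonce, s.Ciphertext, nil)
	return pt, err == nil
}

// Readable counts how many stored messages a single leaked key unlocks.
func Readable(leaked []byte, store []Record) (n int) {
	for _, r := range store {
		ck, ok := Open(leaked, r.WrappedKey) // escrow key leaked? unwrap first
		if !ok {
			ck = leaked // otherwise treat it as one device's conversation key
		}
		if _, ok = Open(ck, r.Msg); ok {
			n++
		}
	}
	return n
}
```

With three conversations stored this way, a leaked device key unlocks one message while the leaked escrow key unlocks all three; in the end-to-end case there is no WrappedKey, so no key held outside a device opens anything.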

In general, if a security flaw exists, it is only a matter of time before someone finds it. Even tools built by government agencies such as the NSA have ended up in the hands of Chinese, North Korean and Russian hackers. Creating a master set of keys to access all encrypted communications would mean building a nuclear internet bomb without the ability to guard it.

Foreign spies have abused “lawful intercept” backdoors in the past. One high-profile example comes from the telecoms industry — the same market Huawei dominates, to the concern of the Five Eyes governments. In what has become known as “Greek Watergate” or the “Athens Affair”, in 2004-05 the prime minister of Greece and more than 100 high-ranking officials and executives had their phone lines hacked. Someone had taken advantage of the lawful intercept capability embedded in the Ericsson equipment used by Vodafone. The episode also involved the apparent suicide of a Vodafone engineer.

Once trust in a platform’s security is lost, it is difficult to win back. People would stop conducting commercial transactions, for example, over platforms with backdoors once those backdoors had been exploited. They would then shift to the newer platforms that spring up — before the government clamps down on those too. And enforcement would be ugly: if Facebook continued to hold out against installing backdoors, would the UK ban WhatsApp?

That is the struggle: to make our systems robust against a world in which bad actors will always be a threat.

* * * * * * * * * * * * * * * *

To learn more, I urge you to attend FIC 2021, the International Cybersecurity Forum held in January every year in Lille, France. The event is free to attend (the vendors pick up all the costs). You’ll see presentations on the following subjects, and you’ll have the opportunity to attend workshops and tutorials and meet specialists in these areas:

  • Social Engineering and Social Networks
  • Cybercriminal groups
  • SOCMINT and Threat Intelligence
  • Lawfare and cyber defence
  • Regional issues
  • Cyber defence doctrines and approaches
  • Geopolitical issues
  • Country analyses
  • Focus on “cyber” conflicts
  • Governance of cyberspace

It has just opened its registration web site. The event will be held on-site in Lille, not virtually. A “FIC 2021 Sanitary Protocol” link on the web site describes the COVID-19 safety measures. For information on FIC 2021, how to register and the COVID-19 protocol, click here.

For our coverage of FIC 2020, click here. Next month I’ll have a more detailed “pre-event” post about FIC 2021.
