In-Depth

Backdoor Encryption Battle Takes Center Stage

Concerns about restrictions on encryption took center stage at the annual RSA Conference where experts and government officials discussed the precedent that Apple's legal battle with the FBI could set.

As the mass market for cellphones was unfolding back in the mid-1990s, the Clinton administration made a concerted effort to require manufactures to equip all handsets with hardware-based keys, giving law enforcement authorities a backdoor key to unlock any encrypted data. The highly controversial Clipper Chip proposal pitted the administration and others in the government, military, intelligence agencies and law enforcement against privacy and civil liberties advocates. Opponents of the Clipper Chip, typically described as an escrow key, ultimately prevailed but only after a two-year battle. In hindsight, it only scratched the surface of what was at stake for the general public and IT professionals.

At the time, the implications of this to many were quite opaque because much of the technology this could impact still didn't exist -- nor was it clear if and when it would appear. Consequences of the Clipper Chip debate more than two decades later are in focus following Apple's decision to defy an order handed down by California Federal District Court Magistrate Judge Sheri Pym that it help the FBI access the contents of the iPhone used by suspected terrorist Syed Rizwan Farook, who, with his wife Tashfeen Malik, killed 14 people in the December 2015 San Bernardino, Calif., shooting attack. While some debate whether the two sides have picked the right case to square off, Microsoft and many key players in the IT industry have united behind Apple, knowing it is critical that IT professionals and consumers can trust that data on their devices, in their software or the cloud can't be accessed without their knowledge and permission.

The Backdoor Path to Hell
Setting the tone for this debate was Microsoft President and Chief Legal Officer Brad Smith, who gave one of the opening keynote addresses at last month's annual RSA Conference in San Francisco, where 40,000 cybersecurity officials gathered just days after Apple said it wouldn't comply with the order. "Businesses have a right to know so they can defend themselves, and it's why we at Microsoft are joining other companies across our industry to stand up for and stand with Apple in this new, important case," said Smith, who testified at a U.S. House Judiciary Committee hearing investigating the dispute and who was among those who filed an amicus brief with the court in support of Apple. "We need to stand up, be thoughtful and also be vocal. Despite the best of intentions, one thing is clear: The path to hell starts at the backdoor and we need to make sure that encryption technology remains strong."

"The path to hell starts at the backdoor and we need to make sure that encryption technology remains strong."
Brad Smith, President and Chief Legal Officer, Microsoft

These fears and concerns are similar to those that surrounded the Clipper Chip debate nearly a generation ago. The difference now is the stakes are more clear. One advocate who took a hard line in support of requiring the Clipper Chip at the time was Michael McConnell, who then headed the National Security Agency (NSA). McConnell now admits it was hard to envision the consequences of mandating these escrow keys and backdoors.

"I really believed in it at the time but since that time, the early ‘90s, I've been a product of this digital age and what I've come to understand is we are digitally dependent," said McConnell, speaking on a panel discussion at RSA. "We have a digital dependence as a country on commerce and trade and interaction and it's going to impact human behavior more than we ever imagined."

Speaking of his consulting work in his post-government career as a consultant, McConnell said: "We never examined any computer of consequence that we didn't find an advanced persistent threat implanted by the Chinese. Not once, not in the government, private sector, anywhere we looked. When you understand that level of abstraction of vital important information, research and development, intellectual property, business plans, new product development, we have to stop it. And I think that's the higher calling for this community to build that capability, so it's a logical train of thought for me. Ubiquitous encryption is something the nation needs to have."

Changing Sides
McConnell, now a senior executive advisor at the consulting firm Booz Allen Hamilton, is not the only former fed bigwig with a different outlook on the issue. Speaking on the same panel, which was moderated by former RSA executive chairman and now consultant Art Coviello, was Michael Chertoff, who was President George W. Bush's Secretary of Homeland Security from 2007 to 2009. Chertoff, who now runs his own cybersecurity consulting firm, has seen it on both sides. As Homeland Security Secretary he was serving in an administration that was hawkish on asserting the need for better eavesdropping in the wake of the Sept. 11, 2001, attacks. Since leaving the government, Chertoff has spoken out against requiring backdoors to devices and information systems.

"When I look at security I look at it in a broad sense," Chertoff said when asked about his position. "It's not just securing the country against foreign entities or terrorist groups, but it's our personal security and integrity against all kinds of threats, whether they are nation states or whether they are criminal groups. And to me it would be a strategic error to sacrifice the security value of end-to-end encryption, which gives each of us the ability to control and secure our data, simply in order to give the authorities that opportunity."

At the same time, Chertoff hasn't forgotten the shoes he wore not too long ago. "I lived this. When you have a responsibility to prevent attacks that can cause the loss of lives to thousands of people, that is a heavy responsibility," he said. "I've been in situations where we had information about a threat, and I knew I had to move heaven and earth to find out where that threat was coming from and how to stop it. There are power­ful equities on the side of security."

As the Apple-FBI case and others likely to follow play out, it raises the question: Is there a balance or compromise? "The question of privacy or security is not a binary choice. You don't get one and lose the other. We have to achieve both," said J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), which describes itself as the world's largest policy-neutral information privacy association. "What we see today in society is a negotiation going on, a discussion about the right places to draw the lines, to set our expectations of privacy, but also understand the important demands of our physical and national security."

Nuala O'Connor, president and CEO of the Center for Democracy and Technology, warned it would be a mistake for the U.S. government to legislate backdoors to devices, cloud services or enterprise IT infrastructure. "We are behind as a country in our cybersecurity endeavors, in our national security and law enforcement efforts," she said. "The answer is not to blur the lines between the private-sector data and the public-sector data. The answer is to get clear on what law enforcement and national security are entitled to do and have them do it as best they can and make sure they have the resources and the intellectual capital to fight this cyber war."

The Snowden Effect
While the Apple-FBI battle has renewed fears about the implications of backdoors, many organizations have worried about it for some time. It's been nearly three years since Edward Snowden revealed the leaked documents that exposed the NSA's surveillance activities. Those revelations alarmed IT and security professionals on a number of fronts. For many, it showcased the implications of giving a trusted official with an escrow key who could go rogue with it -- the very reason Apple and the IT industry oppose backdoors. But the revelations also exposed the extent and determination of law enforcement and intelligence agencies to gather information at the expense of privacy.

Rebecca Herold, an information privacy, security and compliance consultant and a faculty member with IANS (Institute for Applied Network Security) Research, said in an interview that many of her clients have raised new concerns following news of the Apple-FBI dispute, especially those who are based -- or do business outside of -- the United States. "They can't be sure their data will be properly secured because if there's a backdoor that allows for surveillance, not only does that create a vulnerability and an opportunity for inappropriate access to the data, but it also creates a big problem with many other organizations' and other countries' data protection laws where you're not allowed to touch the data," Herold said. "From an international point of view, it causes a big problem, and from a technical point of view we already have so many organizations trying to figure out how to secure their devices and data and they simply don't want to allow more access to the data."

Many, including Herold, agreed that government, law enforcement and intelligence agencies in the United States will have to recognize that it's too late to demand backdoors or escrow keys because customers will merely find devices or encryption wares from other countries. And as Edward Snowden showed back in 2013, escrow keys in the hands of a trusted but rogue actor could get into enemy hands and put data security more at risk.

Quest for Informed Debate
McConnell, who has spent much of his career on Capitol Hill, argued part of the problem is that many in Congress and in other key government positions are, on a technical level, ill-informed of the implications of many of the cybersecurity battles taking place. In the weeks after the California judge ordered Apple to help unlock the phone used by Farook, McConnell met with several members of Congress.

"They want to form a legislatively directed commission of leading experts to have an informed dialogue with all information, all clearances, so they can make some reasonable recommendation," McConnell said during the RSA panel. "Because I think the members of Congress are mostly like society at large. By and large, the public at large is not informed on this issue. So we need to have this informed set of review and dialogue."

Several current government leaders spent time at last month's RSA Conference, including Attorney General Loretta Lynch and Secretary of Defense Ash Carter, seeking to assure the 40,000 security professionals attending the confab that they're not anti-encryption.

Lynch argued the iPhone used by the San Bernardino bomber was an older iPhone and that it didn't have the stronger level of encryption like the newer devices and versions of iOS.

"It's an older version of the phone, it doesn't involve encryption at all," Lynch said. "It's one of the many cases in which they [Apple] and other companies have provided assistance over the years and their position didn't change until the judge's request for their opinion became public. It's ‘Will you do what you've always done,' which is, as every American citizen and company will do, comply with the law and respond to a request for the government for assistance."

While privacy and civil liberties experts dispute that view, even some of the top experts on encryption have conflicting opinions. During the traditional Cryptographer's Panel at the RSA Conference, Adi Shamir, who co-developed the RSA cryptosystem (the "S" in RSA) with Ron Rivest and Leonard Adleman, differed on whether the FBI's demand was tantamount to asking Apple to create a backdoor. "The FBI is asking Apple to do something very specific," said Shamir, who is now a professor of computer science at the Weizmann Institute in Israel. "The FBI will give Apple a particular phone and ask Apple privately to open up that particular phone. It has nothing to do with placing backdoors in millions of telephones around the world. It's not an issue of mass surveillance. I think we are confusing the issue."

"The FBI will give Apple a particular phone and ask Apple privately to open up that particular phone... It's not an issue of mass surveillance."

Adi Shamir, Co-Inventor of RSA Encryption

But Martin Hellman, who played a key role in developing public key cryptography and is now a professor emeritus in electrical engineering at Stanford University, disagreed and said he filed an amicus brief in support of Apple asking the court to vacate the order. "I think it is a mistake," Hellman said during the panel discussion. "The danger is it will set a precedent."

Apple's argument is that the government has asked it to write "a unique version of iOS that would bypass security protections on the iPhone Lock screen." That requirement "would also add a completely new capability so that passcode tries could be entered electronically," Apple argued. "The passcode lock and requirement for manual entry of the passcode are at the heart of the safeguards we have built into iOS. It would be wrong to intentionally weaken our products with a govern­ment-ordered backdoor. If we lose control of our data, we put both our privacy and our safety at risk."

Complying with the order would have other far-reaching implications, according to Apple's argument. "The order would set a legal precedent that would expand the powers of the government and we simply don't know where that would lead us. Should the government be allowed to order us to create other capabilities for surveillance purposes, such as recording conversations or location tracking? This would set a very dangerous precedent."

While there's discord about that in Congress and the executive branch, Carter argued the current administration is aware of the issues. "We're square behind strong data security including strong encryption, no question about it," Carter insisted. "I'm not a believer in backdoors or a single technical approach to what is a complex and complicated problem. I don't think that's realistic, I don't think that's technically accurate. The reality is the problems of data security are many. We have to work together to work our way through these problems."

Featured

comments powered by Disqus

Subscribe on YouTube