There has been a lot of discussion in the media and in security circles about the FBI’s request for Apple to help them “hack” the iPhone used by the San Bernardino shooters. So, it is not surprising that Tuesday’s RSA keynote sessions all touched upon or downright dissected the topic.
The first two speakers were from RSA and Microsoft, and both discussed trust and the role of regulation in security. Both argued that weakening encryption for the convenience of law enforcement would, in the end, only make it easier to catch petty criminals, because terrorists would simply stop using the weakened technology. These two speakers were followed by the Cryptographer’s Panel, which predictably debated the same topic. Here are some of the highlights from these three sessions:
Amit, the RSA speaker, did not focus solely on the issue of weakening encryption. He started by talking about some of the major breaches of the last year and the impact they have had on businesses and individuals. He then made the very valid point that knowledge of these breaches does not seem to be changing behaviors.
He noted that it is almost as if we are giving in to the inevitable, and preparing for breaches rather than attempting to prevent them. He cited a Gartner statistic that by the end of 2018, 60 percent of security budgets will be spent on detection and response rather than prevention. What does this mean for the security industry, I wonder? Shouldn’t both be equally important? I think back to John Elliot’s talk yesterday about fire prevention, detection and response and its parallels to security, and his point that we need all three – prevention, detection, and response – in order to be secure.
Amit also talked about adversaries and explained how they operate with no rules, boundaries or predictability. He asserted that we need to fight the battle against these adversaries not with technology alone, but also with creativity. Is he advocating offensive defenses?
Finally, he did make a call for regulations, and for the industry to continue pushing for tighter encryption, not weaker. He also noted that the government has a separate agenda than that of the security industry.
I didn’t do a scientific analysis, but I am willing to bet the most tweeted comment from both keynotes would be from Brad: “the path to hell starts at a backdoor.” Brad Smith’s presentation briefly took us back through history to talk about technology through the ages. He noted that the transcontinental railroad and the automobile were major technological advances that forced us to rethink safety and security, so we have been having the “safety vs. freedom” debate for well over a century. What changes is the public’s attitude toward safety and what is accepted as a reasonable tradeoff.
With this line of discussion, he is, of course, referring to the FBI/Apple case. He noted that technology requires trust, and that once that trust is broken, there is nothing that can be done to get it back. He also mentioned that this is an economic issue; if we break trust by allowing encryption to be weakened, our enterprises will have a harder time doing business overseas. And, ultimately, we will be making ourselves less secure in the name of national security.
Brad conceded that this is a complicated issue. Lives may be at stake in some cases, but that does not change the fact that trust is paramount when it comes to today’s technology, since it holds our most personal data. He called for the creation of a commission, made up of technologists and security experts, that would discuss and debate the issue and then inform and advise Congress.
Not surprisingly, the Cryptographer’s Panel focused on the issue of weakening encryption. The debate moved quickly, and the panelists showed varying degrees of cynicism. One question that was debated: if Apple concedes and does what the FBI is asking, what kind of precedent does this set? Will companies then be required to do anything the FBI asks that isn’t explicitly illegal? What happens to trust then? Would companies be forced to hand the government information about their customers, both corporations and private citizens? When a person or corporation gives another corporation information, there is an expectation that this data will be kept private. So what happens when that trust no longer exists?
One line that struck me was, “He who controls the machines will control the world.” Maybe because the movie was on last week, but this line made me think of Skynet. We can put all the controls in place to ensure our “backdoors” can only be used by the intended groups, but can we really control them? What if we lose control like our fictional government did with Skynet in Terminator? I’m not saying weakened encryption will cause a nuclear holocaust where machines rise up and subjugate humanity. But I am asking, could the very “backdoors” created to help find terrorists be exploited by terrorists to attack our infrastructure or personal devices? I don’t think we can be sure.
This is a complex issue, and I agree with Brad Smith when he says no one person or company has the answers. I also agree with him that it is a debate that we should all be part of as it will impact the state of security for years to come.