The past few days have seen two incidents which at first sight are not related, but which present an unquestionable danger to cybersecurity as a whole. Firstly, on Tuesday, President Trump fired – or, in his words, terminated – Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency in the United States Department of Homeland Security. Krebs’ mistake was to state that the recent presidential election was “the most secure in American history” – a statement with which Trump apparently disagreed. Secondly, in the European Union, demands were raised to build backdoors into the encryption of widely used messaging services – which would effectively render that encryption pretty much useless. While the consequences of these two issues differ, they would deliver a blow to the industry which will impact cybersecurity for years to come. Let’s take a deeper look.
The Krebs Incident
When taking a closer look at the layoff of Christopher Krebs, it becomes obvious that he suffered the consequences of doing his job. Not only that: compared to the election in 2016, where evidence was found that foreign states meddled with the election process, Krebs actually prevented any manipulation whatsoever. In other words, he was fired for doing his job. Soon-Former-President Trump is still clinging to the fantasy that somehow he won this election and therefore apparently doesn’t agree with Krebs – resulting in his “termination”. The outlook for the future is worrying. Even when Biden leads the US, Krebs’ successor might be inclined to do and say what is expected from him or her, resulting in a significant loss of trust in CISA – where trust is the one thing cybersecurity thrives and survives on. And even though I personally think Biden is above this sort of influence, and I have enough confidence in the American system to think that whoever succeeds Krebs will be an incorruptible person, this episode will always linger in the back of their minds. As mentioned, this will not only result in a loss of trust in the measures and actions of the agency, but will also make the new director of CISA vulnerable in any case. In other words, in addition to whatever else Trump did, this is another example of his actions leading to irreparable damage.
The planned backdoor
The second example, where the state secretaries of member states of the European Union demand a backdoor into the encryption used by messaging services like WhatsApp, Telegram or similar, might be an even worse blow to cybersecurity’s integrity. A German proverb states that you cannot be pregnant “a little bit”. Similarly, you cannot open up encryption “just a little bit”. If there is a backdoor, two things happen: firstly, the criminals will have it, too. Very soon. Secondly, and probably even more importantly, cybercriminals will move to other platforms which are not within the jurisdiction of those countries which agreed to the backdoor. This obviously thwarts the intention of opening up the backdoor in the first place, namely preventing cybercriminals from being effective. It would be easy to say now that politicians are trying to fight a 21st century war with the instruments of the 20th century by insisting that digital chats should be accessible to their law enforcement agencies as easily as analogue telephone conversations. If you do take a closer look, however, this is not at all the case. In the past, it wasn’t feasible (as, unfortunately, I might add, is the case today) to store all conversations held over any telephone out there. Instead, if you had a suspicion, you would ideally go to the court, ask for permission to bug a phone and go for it. You would still be able to do that today, with the 21st century phone bug being a keylogger (or audiologger), which would be able to do the exact same thing as a phone bug some 50 years ago.
For now, there is a huge difference between the two examples mentioned above. With the Krebs incident, the milk is already spilt. In the European Union, however, such a deep intervention into one of the foundations of cybersecurity can still be prevented. Let’s just hope that European politicians make the right choice instead of making life harder – not only for cybersecurity professionals, but eventually for all of us.