General

Security for Everybody or Security for Nobody

This opinion piece is inspired by the recent opinion piece from Patrick Boc called: Cybersecurity must not be political. In this article I will be dealing with the EU wanting to backdoor encryption for law enforcement. A spectacularly bad idea, but let me come back to that. The initial leak of the document detailing this intent from the EU was initially detailed by an Austrian media outlet called Radio FM4, by the journalist Erich Moechel, shortly after the terror attack in Vienna. You can find the full document here: https://files.orf.at/vietnam2/files/fm4/202045/783284_fh_st12143-re01en20_783284.pdf I highly recommend that you read this document before moving on in this article.

Since you are reading articles here on Cybersecurity Magazine, I am assuming that you are knowledgeable about cybersecurity in general. That being the case, I am sure that you can see the irony of some of the statements in the document describing the EU’s intent. First a quote from section 2 of the document:

In today’s world, encryption technology is increasingly used in all areas of public and private life. It is a means to protect governments, critical infrastructures, civil society, citizens and industry by ensuring the privacy, confidentiality and data integrity of communications and personal data: it is evident that all parties benefit from high-performance encryption technology. Encryption has been identified by EU data protection authorities as an important tool contributing for instance to the protection of personal data transferred outside the EU but subject to the requirement of an essentially equivalent level of protection, which according to the Court of Justice is a legal requirement for data transfers2 . Not only are electronic devices and applications increasingly programmed to encrypt stored user data by default, but more and more communication channels are also secured by end-to-end (E2E) encryption. This is positively reflected in an increasing response by the communication and application industry, where the majority of instant messaging apps and other online platforms have also implemented end-to-end encryption.

This part of the document sees encryption as a positive, as I am sure you do as well. The arguments in this part is a fairly good argumentation for keeping the integrity of encryption in place, especially with the transfer of data on European citizens to US, where we already know about the hunger for data from the likes of Facebook and Google, not to mention the American intelligence agencies. The NSA for instance is actively engaged in efforts to weaken encryption, like the RSA incident from a few years back and earlier this year CIA was exposed as the owner of the Swiss company called Crypto AG. You can read more about that case here: https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-cia-bnd-germany-intelligence-report and on 26 November another Swiss company was caught in the same. You can read that article here: Second Swiss firm allegedly sold encrypted spying devices – SWI swissinfo.ch Now the EU is joining the choir of authorities that wants a master key to the encryption we all rely on, on a daily basis. Let’s look at one of the parts that argues for the weakening:

Digital life’” and cyberspace not only present great opportunities, but also considerable challenges: the digitalisation of modern societies brings with it certain vulnerabilities and the potential for exploitation for criminal purposes. Thus criminals can include readily available, off-the-shelf encryption solutions designed for legitimate purposes in their modi operandi.

At the same time law enforcement is increasingly dependent on access to electronic evidence to effectively fight terrorism, organised crime, child sexual abuse (particularly its online aspects), as well as a variety of cyber-enabled crimes. For competent authorities, access to electronic evidence is not only essential to conduct successful investigations and therebybring criminals to justice, but also to protect victims and help ensure security

First off, yes, the authorities do have a legitimate need for access to communication and electronic devices as part of their normal investigative powers! But a blanket master key to the encryption is a massive threat to our individual privacy and security, something that is guaranteed in the European constitution! But back to the document:

Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for competentauthorities in the area of security and criminal justiceto lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organizedcrimes and terrorism, including in the digital world, are extremely important. Any actions taken have to balance these interests carefully

The interesting word in the above is balance, in the last sentence. Sounds good and opens for a debate about how to go about the master key concept. Having the master key/backdoor as a non-official part (malicious or not), will most likely not just enable the actor to decrypt all European traffic/data in the future, but also potentially stored data or traffic from the past. This added to the fact, that updating/replacing a broken version across all installations in Europe, given the extend that even SSLv3 is still available, will take ages, putting huge amounts of data privacy-wise at risk. The trouble here is that encryption is designed for SECURITY, weakening encryption is weakening our security! I can fully understand the frustrations that law enforcement is facing with modern encryption, but weakening encryption is not just weakening encryption for law enforcement, it is weakening encryption for the various intelligence agencies and hackers as well. Let us look at how the EU is planning on doing this:

Moving forward, the European Union strives to establish an active discussion with the technology industry, while associating research and academia, to ensure the continued implementation and use of strong encryption technology. Competentauthorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality

The irony is thick in the above section from the EU document. ‘Competent authorities must be able to access data’. Yes, and so will everybody else if they get access to the master key, which they will focus significant efforts to gain! Encryption provides security for everybody and if weakened it will provide security for nobody. That is, unless the weakening will only focus on the encryption in use by the citizens… Having said this, it easy enough to demand that all encryption used in Europe has to be with an algorithm that governmental parts can reverse, for the sake of identifying malicious actors, preventing terror etc, however, if that is the actors, that is the reason for lessening all of Europe’s security-level, we will have failed, as the chance that a malicious actor planning a terrorist attack is going to choose a backdoored encryption algorithm for communication is probably quite low.

With all the above in mind, it looks like that the law in suggestion actually will not only put the privacy, that we fought so hard for retaining in the European Union in risk, it too will totally miss the goal of exposing major criminals. The authorities and corporations and politicians might still be allowed to use the strong version of encryption? Given the increased focus on surveillance of the European citizens, it would not really surprise me if that was the outcome of this debate. Something to ponder, is it not?

Print Friendly, PDF & Email
Tom Madsen
Senior Security Consulting Manager at Accenture | + posts

Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.

Anders Hoegh Olesen
Security Architect at ATEA | + posts

Leave a Reply

Your email address will not be published. Required fields are marked *