Leaked Intelligence Document Calls For More, Not Less Encryption To Protect Companies And Citizens From Cybercriminals
from the and-yet,-everyone-seems-to-be-calling-for-less dept
Everyone from FBI Director James Comey to UK Prime Minister David Cameron is calling for an end to encryption. The FBI is afraid it won't be able to catch criminals if it can't immediately access content and communications. David Cameron is afraid it will be nothing but constant terrorist attacks from here on out if authorities don't have access to "every means of communication."
Considering many of these voices decrying encryption presumably have access to top secret briefings and documents otherwise unseen by the general public, it's rather surprising they've ignored previous advice from intelligence officials to the contrary.
A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.
This document comes from The Guardian's stash of Snowden leaks. What it says runs completely contrary to the panicked assertions of officials. It even runs contrary to the NSA's own actions, like its active attempts to weaken NIST standards. The report recommends strong encryption, coupled with multi-factor authentication, which would make data and communications wholly inaccessible to the NSA (and GCHQ, its steady surveillance partner).
[...]
The document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.
But this recommendation doesn't come from an outside source. It's an intelligence council that reports directly to the head of national intelligence. And yet, the word didn't spread very far. The NSA isn't thrilled with encryption because it keeps what it wants out of reach. Law enforcement has the same "problem." Both have actively worked to undermine encryption for their own aims and both are perfectly willing to open up citizens and companies to outside attacks in order to preserve the status quo.
And it's not just American agencies that have ignored these recommendations. The GCHQ is engaged in the same cognitive dissonance.
Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.
Again we see agencies charged with protecting nations walking away from this responsibility in order to pursue their own ends. Sure, some safety may have resulted from the collection of unencrypted communications, but both agencies are willing to compromise corporate hardware and consumer software in order to grab just a little more hay for the haystacks.
The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”....
The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software is widely used by companies and individuals around the world.
The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.
GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.
You can't make a nation safer by destroying its safety features. There's a bigger picture that these agencies refuse to see -- even when internal guidance puts it front and center. If you weaken protections, seek legislation to prevent encryption, collect and stash exploits and install backdoors in hardware and software, you make the nation's cybersecurity that much harder to maintain. The NSA and FBI both want a piece of the cyberwar action but they want to leave everyone that isn't them defenseless. Over on the other side of the pond, the GCHQ is doing the same thing and it has the support of a Prime Minister who feels no communication should be able to escape the agency's notice.
And behind it all, there are documents touting the protective powers of encryption. But that makes intelligence gathering and law enforcement too difficult, so I guess we'll all have to do without.
Filed Under: cybersecurity, encryption, fbi, gchq, nsa, privacy
Reader Comments
Security without encryption is like a hamburger without ham. And in either case, it's a sham.
Re:
A better one would be something more like...
Security without encryption is like a doorway without a door. It's just a big hole in a wall that people, wild animals and the weather can just go right through. Sure you can do some things to keep the hole "secure" like not telling anyone it's there and praying no one and nothing finds it, or constantly stationing someone (more like several someones given the need for shifts and bathroom breaks) there with a gun to keep people and animals out. But none of that really beats having a stout door with a solid lock. Something that leaves anyone or anything wanting to get in two options: 1) spend an hour cutting it open with a lightsaber, 2) find the guy that has the key and start hitting him with a wrench.
No contradictions, just the usual double-standards
As they have shown, they don't care what happens to the rest of us, but they treasure their security and privacy very highly indeed.
This attitude is very widespread, from the NSA/GCHQ, all the way down to the police and local politicians, the idea of "Your privacy and rights can and will be sacrificed for 'public safety'/'National Security', but mine are untouchable because I'm one of the elite."
So, where's this document?
"The document from the US National Intelligence Council"
"The advice, in a newly uncovered five-year forecast written in 2009"
Have you ever seen a gate with no fence?
I have to ask myself, how the hell does someone get a job like this? The brain power is staggeringly lacking!!
Re: No contradictions, just the usual double-standards
The problem is that people who don't understand the technical aspects of computer security don't understand that they are asking to have their cake and eat it too. The "backdoor all the things!" policy will not happen for a few reasons:
1. People don't like it because it's govt overreach (though govt doesn't much care about people).
2. Companies don't like it because it hurts their sales (and thus hurts campaign donations).
3. It's impossible to implement (people who don't understand the technical aspects also don't understand this point).
Re:
It's an impossible dream, but I think that they really believe it's achievable because from a mathematical point of view, it is. From a practical or realistic point of view, it's not.
Re:
They live in fear of an attack which leads to deaths and the immediate shouts from people and the media to say "You are to blame for not taking action earlier!"
Essentially they think the electorate is dumb. Mostly it is.
Re: Re:
Alternatively, and honestly at this point I would say more likely, they know full well that backdoors allow anyone access to a program/system/network, and they just don't care as long as it makes their immediate job easier.
(Not to mention they have a vested interest in other systems and networks being hacked, as, much like the Sony hack, it allows them to push for even more power and laws in their favor, meaning they have yet another reason to not care about weakening security)
Encryption is not foolproof, but you should use it anyway
Once individuals are identified, there are a number of methods that could be and are employed to circumvent the encryption (mal/spyware, MitM, black bag jobs, etc). In these cases, encryption works not as a total protection for users, but only up until they are targeted by intelligence agencies.
I believe this is a reasonable tradeoff as long as the capabilities to compromise hardware remain limited to some degree. By no means a given in the changing world of technology, but enough to review and conduct oversight of the surveillance of a relatively small number of targets rather than trying to keep collected plaintext data private from analysts.
Encryption would prevent spying on the Adversary!!
============
"... that encryption is an essential part of protecting citizens against cyber-attacks."
When the vast majority of "cyber" attacks on 5-Eyes citizens are coming directly from those governments' own Spy Agencies, encryption can only be perceived by those governments as an effective and therefore undesirable deterrent to their clandestine surveillance activities and the associated lucrative criminal enterprises those activities make possible.
Since it has been shown repeatedly that almost no real effort is being spent in the actual pursuit of real criminals or real terrorists - usually to ensure that crime and terror remain an effective excuse for demanding bigger and bigger budgets - and that the lion's share of all Five Eyes governments' efforts in this area are specifically spent spying on their own citizens, it should come as no surprise at all that any recommendation of implementing strong encryption nationwide in any Five Eyes nation will be perceived as counterproductive by all current Five Eyes Governments and be buried as Top Secret.
To put this in a simpler way, No Five Eyes Government has any desire whatsoever to initiate any process that might protect their citizens from Cyber Attacks, because those governments ARE the primary Cyber Attackers of their citizens.
The simple truth, so obvious yet so hard to swallow that 99.9 % of the population simply refuse to see it, is that there is no government in any nation on earth today.
Instead, members of organized crime and minions of multi-billionaire tycoons from Oil, Medicine, Tobacco, Booze, Insurance, Illegal Drugs and other massively wealthy industries, have usurped the halls of power for fun and profit, and have quietly rewritten the laws of the land to benefit only themselves and their friends.
However, I have complete faith in the willing ignorance and self delusion capabilities of the general populations of earth and expect that this reality will continue to be unanimously and purposely avoided until such time as it is too late to effectively reverse the process.
After all, human civilization has always failed in the past from this exact same state of affairs between the rich and poor. I see no reason to expect a change, just because nearly 50% of the world's population is now literate.
On the other hand it is always fun to poke the beast with a sharp pointy stick, when you know there is no way to avoid the fact, that the beast will eventually eat you anyway.
---