Cybersecurity Official Believes Encryption Can Be Backdoored Safely; Can't Think Of Single Expert Who Agrees With Him

from the broken-encryption-isn't-broken-said-no-one-ever dept

The government continues to looks for ways to route around Apple and Google's phone encryption. The plans range from legislated backdoors to a mythical "golden key" to split-key escrow where the user holds one key and the government shares the other with device makers.

None of these are solutions. And there's no consensus that this is a problem in search of one. Law enforcement and intelligence agencies will still find ways to get what they want from these phones, but it may involve more legwork/paperwork and the development of new tools and exploits. Without a doubt, encryption will not leave law enforcement unable to pursue investigations. Cellphones are a relatively recent development in the lifespan of law enforcement and no crime prior to the rise of cellphone usage went uninvestigated because suspects weren't walking around with the entirety of their lives in their pockets.

But still the government continues to believe there's some way to undermine this encryption in a way that won't allow criminals to exploit it. This belief is based on nothing tangible. One can only imagine how many deafening silent beats passed between question and answer during White House cybersecurity policy coordinator Michael Daniel's conversation with reporters following the recent RSA conference.

In a meeting with a handful of reporters, Daniel was asked whether or not he could name a respected technology figure who believed it possible to have strong encryption that could be circumvented by just one party's legal authority.

"I don't have any off the top my head," Daniel said…

And he never will. No one who knows anything about encryption will ever say it's possible to create a "good guys only" backdoor. Or front door. Or whatever analogy government officials choose to deploy when arguing for the "right" to access anyone's device with minimum effort.

But that's not the end of Daniel's embarrassing response. He went on to disingenuously toss this back at "Silicon Valley" with a back-handed compliment insinuating that if these companies don't solve this "problem" for the government, they're either stupid or evil.

[Daniel] added that if any place could come up with an answer, it would be the "enormously creative" Silicon Valley.

The government believes there's a solution out there -- some magical alignment of hashes that would keep malicious hackers out and let the government in. It certainly can't figure out this conundrum, so it's going to keep insinuating that tech companies already know how to solve the problem but they hate children/law enforcement/America so much they won't even consider meeting the government halfway.

But the tech companies know -- as do security experts -- that there's no "halfway." You can have encryption that works and keeps everyone locked out or you can have the government's "encryption," which is spelled exactly the same but has extremely leaky quote marks constantly appended, and which lets everyone in the same "door," no matter who they are or what their intent is.

Filed Under: backdoors, cybersecurity, cybersecurity czar, encryption, michael daniel

White House's Cybersecurity Guy Proud Of His Lack Of Cybersecurity Knowledge Or Skills

from the say-what-now? dept

So we were just writing about how the White House appeared to be going with a security by obscurity tactic in denying an Associated Press FOIA request concerning the security behind Healthcare.gov. Specifically, the request was denied because the White House claimed that revealing such info might help hackers. As we noted, if revealing the basic security plan you're using will help hackers, then you're not secure and chances are you've already been hacked.

Of course, perhaps the reason why the cybersecurity is so awful is because the White House's "cybersecurity coordinator," Michael Daniel, not only isn't a cybersecurity expert but thinks that's a good thing. I wish I was joking. After spending a few minutes talking about all his training at Princeton and the Kennedy School at Harvard taught him to communicate well and "break down problems" he dismisses the need for actual technical knowledge.

You don't have to be a coder to really do well in this position. In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction..... You can get taken up and sort of enamored with the very detailed aspects of some of the technical solutions. And, particularly here at the White House... the real issue is to look at the broad, strategic picture and the impact that technology will have.

Now there is some truth to the idea that it's important to be able to look at the bigger picture, but when you're talking about cybersecurity, part of the way that you can look at the bigger picture is to actually understand the technology. That's not "a distraction" it's part of the core and necessary knowledge to then do the job of a cybersecurity coordinator. People who don't spend much time with these things view cybersecurity and technology as a kind of "magic." But it's not. Nor is technology economics, but Daniel thinks it is:

But the other issue in my mind is that at a very fundamental level, cybersecurity isn't just about the technology but it's also about the economics of cybersecurity. Why companies choose to invest the way they invest. It's about the pscyhology of cybersecurity. You know, one of my sayings is that 'expediency trumps cybersecurity every time' meaning that people will prioritize convenience over being secure many times. So you need to have the understanding of those kinds of factors: the psychology, the economics, the broad policy, the politics with a little p, in addition to the technology. So you need to be more of a generalist than having a lot of expertise particularly in the technological side.

Yes, in addition to the technology. All of those things are important, but they're mostly useless if you don't understand the underlying technology. He's then asked what are the biggest challenges and... after talking about how important it is to understand the psychology and economics (more important than the technology) he admits that he doesn't actually understand the psychology and economics. Because, apparently, he wants to make sure that he has none of the job qualifications for the job.

There are a few [challenges] that I can identify. One is that we don't actually truly understand the economics and psychology behind cybersecurity. We know that a huge number of intrusions rely on known fixable vulnerabilities... We know that intruders get in through those holes that we know about that we could fix. The question is, 'Why don't we do that?' That clearly leads me to the conclusion that we really don't understand all of those economics and psychology well enough.

So there you have it folks. The White House's cybersecurity expert doesn't have the technological expertise, but insists it's okay because he's focused on the economics and psychology of the fact that people don't patch their computers -- and then admits he has no idea why that happens.

This doesn't make me feel any safer.

Filed Under: cybersecurity, cybersecurity coordinator, michael daniel, skills, white house

White House Says It Can Withhold Vulnerabilities If It Will Help Them Catch 'Intellectual Property Thieves'

from the say-what-now? dept

We've been among those critical of the White House for the administration's dangerous policy of not revealing security vulnerabilities it discovers, as it seeks to exploit them. In trying to respond to some of the criticism about this policy, the White House has put out a blog post by White House Cybersecurity Coordinator Michael Daniel, in which he explains how the intelligence community determines whether to disclose a vulnerability... or hoard it for its own use. He lists out three potential reasons for not disclosing:

Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

As Marcy Wheeler points out, withholding the release of such vulnerabilities for terrorism purposes is not new or surprising. Ditto for so-called cybersecurity (protecting against "hackers or other adversaries" looking to "exploit our networks") What's a bit of a surprise is the new inclusion of "intellectual property theft." However, the NSA, DHS and various supporters have long used claims of China "stealing intellectual property" as an excuse to try to ratchet up surveillance powers. Rep. Mike Rogers, author of CISPA, used the "scary Chinese stealing our IP!" FUD card to push CISPA a few years ago. And former cybesecurity czar Richard Clarke has argued that China stealing intellectual property is a good reason for DHS to be able to spy on all internet traffic.

So, the fact that this argument is used as a sort of "cybersecurity" claim perhaps isn't that surprising. However, it still seems like a massive logical leap to go from "well we need to protect corporate intelletual property from the Chinese" to arguing that's a good reason for withholding the disclosure of key technical vulnerabilities that might put everyone at risk. Does anyone honestly believe that the US government should withhold details of a major technical vulnerability... just so it can catch some IP infringers?

And of course, by broadly allowing the NSA and others to fail to patch vulnerabilities, because they want to "prevent intellectual property theft," it's just opening up the whole system to be abused even more widely than before. Sure, they may mean "stopping Chinese hackers from swiping plans for a new fighter jet," but vaguely denoting that it can withhold info on zero day vulnerabilities because of "pirates" seems wide open to abuse -- especially given the way many in law enforcement and the administration seem to want to equate every day file sharers with "internet terrorists" or whatever.

Filed Under: cybersecurity, disclosure, intellectual property, michael daniel, nsa, surveillance, vulnerabilities, white house

White House Cybersecurity Boss -- Who Argued Against Overhyping Threats -- Resigns

from the too-bad dept

There's been a lot of attention lately on various "cybersecurity" bills making their way through Congress, and the White House's role in the debate has been pretty important. So it's interesting to see that the White House's cybersecurity czar, Howard Schmidt, has announced that he's resigning. While I don't always agree with Schmidt, he was one of the few (perhaps only?) high level government officials talking about online security issues who seemed willing to avoid hyperbole. In fact, he actually hit back against those who kept talking about "cyberwar," saying there was no such thing and it was "a terrible concept." One hopes that his successor, Michael Daniel, will be similarly willing to push back against the rush of hype around "cybersecurity."

Filed Under: cispa, cybersecurity, howard schmidt, michael daniel, white house