As the legal battle between Apple and the FBI took an interesting turn this week, congressional maneuvering over the "going dark" problem continued, as lawmakers are now considering two bills for encryption legislation.
New this week is a draft of an encryption bill being passed around Capitol Hill by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), chairman and vice chairman, respectively, of the Senate Select Committee on Intelligence.
The draft gives federal judges the power to demand that technology companies help law enforcement agencies gain access to data encrypted with their products; the latest version of the proposed encryption legislation began circulating this week, Reuters reported, though it does not specify how tech firms must help, or the circumstances under which such help must be provided. The draft provides no specific penalties for noncompliance either, leaving that to the judges. Reuters' sources indicated that Obama administration officials had seen the bill and offered suggestions, which they said was a sign of potential support for the legislation.
The response from the White House seemed to indicate a turnaround from last year, when FBI Director James Comey said encryption backdoor legislation was unnecessary, as long as tech firms complied with court orders to access encrypted data.
Burr and Feinstein -- the Senate Intelligence Committee's top Republican and Democrat, respectively -- began work on the draft following speculation that encryption had been used by terrorists in the November 2015 attacks in Paris.
Encryption commission vs. encryption working group
The second proposed encryption legislation is the encryption commission bill, which was first made public at the end of February by the chairman of the House Committee on Homeland Security, Rep. Michael McCaul (R-Texas), and Sen. Mark Warner (D-Va.).
The encryption commission bill bypasses questions of how to gain access to encryption by proposing a bipartisan, 16-member "National Commission on Security and Technology Challenges" tasked with making recommendations on encryption policies.
However, the bill was snubbed by the House Judiciary and the Energy and Commerce Committees' leadership, who formed their own eight-member, bipartisan encryption working group.
According to the House Committee on Energy and Commerce press release, the encryption working group will "examine the complicated legal and policy issues surrounding encryption. The group will identify potential solutions that preserve the benefits of strong encryption -- including the protection of Americans' privacy and information security -- while also ensuring law enforcement has the tools needed to keep us safe and prevent crime."
House Energy and Commerce Committee Chairman Fred Upton (R-Mich.) and House Judiciary Committee Chairman Bob Goodlatte (R-Va.), with ranking members Frank Pallone, Jr. (D-N.J.) and John Conyers (D-Mich.) are set to serve as ex officio members of the working group. They released the following joint statement:
"The widespread use of strong encryption is important to protecting Americans' privacy. We also recognize that challenges remain for law enforcement agencies seeking to disrupt criminals and terrorists from doing us harm. The bipartisan encryption working group will examine the issues surrounding this ongoing national debate. Members will work toward finding solutions that allow law enforcement agencies to fulfill their responsibility, without harming the competitiveness of the U.S. technology sector, or the privacy and security protections that encryption provides for U.S. citizens. We look forward to continuing our work on this important issue facing our country."
Upton, Goodlatte, Pallone and Conyers jointly announced the creation of the working group on Monday. Members of the group include Rep. Bill Johnson (R-Ohio), Rep. Adam Kinzinger (R-Ill.), Rep. Yvette Clarke (D-N.Y.), Rep. Joseph Kennedy III (D-Mass.), Rep. Jim Sensenbrenner (R-Wis.), Rep. Darrell Issa (R-Calif.), Rep. Zoe Lofgren (D-Calif.), and Rep. Suzan DelBene (D-Wash.).
GOP representatives on bad cybersecurity
Meanwhile, two Republican Party reps went on the record in an op-ed piece in the Washington Times blaming bad cybersecurity in the government on collective bargaining. House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) and Rep. Gary Palmer (R-Ala.) cited a case dating back to 2011, when the Immigration and Customs Enforcement Agency determined that an uptick in "mail infections and privacy spills" was caused by workers accessing personal webmail accounts from their work computers.
They wrote that the largest federal employee union, American Federation of Government Employees (AFGE), protested the subsequent ban on personal webmail access, because such access was "a negotiated benefit that could not be removed," at least not without further negotiation. That decision, Chaffetz and Palmer noted, came up again last year in the wake of the OPM breach.
Chaffetz and Palmer's reasoning was that because the collective bargaining agreement guaranteed workers the right to access webmail, collective bargaining created a situation in which workers' negotiated rights conflicted with cybersecurity, and therefore collective bargaining was to blame for bad cybersecurity. While the unions were unwilling to give up negotiated benefits, they did file a class action suit against OPM for losing employee data.
"The AFGE and AFL-CIO cannot have it both ways," the representatives claimed. "It defies logic to insist agencies provide the opportunity to bargain before addressing cyberthreats, while simultaneously suing agencies for failing to protect employee information."
In other news
- Google's support for Certificate Transparency continued this week, with the announcement of a new Certificate Transparency log. The Submariner log tracks "certificates that chain to roots that are on track for inclusion in browser roots, or were trusted at some previous point," according to its description on the listing of known Certificate Transparency logs. "Initially, Submariner includes certificates chaining up to the set of root certificates that Symantec recently announced it had discontinued, as well as a collection of additional roots suggested to us that are pending inclusion in Mozilla," according to Martin Smith, software engineer for Certificate Transparency at Google. Smith wrote that it "will provide a public record of certificates that are not accepted by the existing Google-operated logs," noting that the Chrome browser will not trust certificates in the Submariner log. "Cryptographic keys and digital certificates are powerful, and provide the foundations of online trust and cybersecurity. By design, they are natively trusted by servers and other security applications to provide privacy and authorization for everything that is IP-based today," said Kevin Bocek, vice president of security strategy and threat intelligence at Salt Lake City-based security firm Venafi. "Yet, this same blind trust is being misused against organizations by cybercriminals, so they can appear trusted, and monitor and impersonate their targets to execute attacks and steal data."
- "Significant vulnerabilities" were reported in Apple's iMessage encryption protocols this week by a team led by Matthew Green, computer science professor at Johns Hopkins University. "Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker," the team reported. "The practical implication of these attacks is that any party who gains access to iMessage ciphertexts may potentially decrypt them remotely and after the fact." In a blog post describing the research, Green wrote: "Apple iMessage, as implemented in versions of iOS prior to 9.3 and Mac OS X prior to 10.11.4, contains serious flaws in the encryption mechanism that could allow an attacker -- who obtains iMessage ciphertexts -- to decrypt the payload of certain attachment messages via a slow but remote and silent attack, provided that one sender or recipient device is online." Green noted that acquiring encrypted messages can be difficult, but that it could still be done "by a nation state attacker, or a hacker with access to Apple's servers." He added: "You should probably patch now."
- Oracle this week released a patch for a vulnerability that was found -- and patched, incompletely -- 30 months ago. Two weeks after Polish security research firm Security Explorations reported that Oracle's fix for the flaw, originally tracked as CVE-2013-5838, was trivially bypassed, Oracle released its patch for the flawed patch, which is tracked as CVE-2016-0636. The vulnerability had a severity rating of 9.3 out of 10.0, because it could be exploited remotely, without authentication, to take control of vulnerable systems. "Oracle recommends customers apply this security alert as soon as possible," Eric Maurice, director of Oracle Software Security Assurance, wrote on the Oracle Software Security Assurance blog. "Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE, and that all older versions of Java SE have been completely removed. Oracle further advises against downloading Java from sites other than Java.com, as these sites may be malicious."
- Attempting to respond to critics of its handling of the Common Vulnerabilities and Exposures (CVE) vulnerability tracking system, MITRE Corp. last week announced plans to launch an experimental platform intended to solve the issues raised -- and then, almost immediately, put the project on ice indefinitely when even more criticism was leveled at the attempted fix. The Register earlier this month reported the problems with the tracking system: long backlogs on assigning CVE numbers to vulnerabilities, as well as a lack of responsiveness from Bedford, Mass.-based MITRE, a not-for-profit organization that operates research and development centers sponsored by the federal government. Last week, after MITRE announced plans for a pilot replacement system to speed up CVE assignment, it met with more criticism: The proposed new system was developed with no input from the community, would be incompatible with existing software and would likely confuse users, critics were reported to say. Plus, it likely wouldn't help speed up the CVE ID allocation process. Monday, MITRE announced the program would be put on "indefinite hold." Joe Sain, CVE communications and adoption lead at MITRE, wrote: "The pilot described yesterday was designed to run in parallel and to be completely separate from the production CVE stream, but we certainly understand the importance of not perturbing any operating aspect of CVE. Our goal is to be responsive to the critical need for the no-description use case, but we must also ensure that we have the correct operating model." He added that moving forward, MITRE would be "developing an operating model that enables CVE to move forward, and that preserves the foundational work that the community has put into the effort."