Government encryption backdoor debate is more nuanced at RSAC

RSAC panelists had a spirited and nuanced debate about government encryption backdoors, and the topic is more difficult to parse than expected.

SAN FRANCISCO -- Chenxi Wang, chief strategy officer at Twistlock Inc., knew she was going to have a tough road trying to structure a nuanced discussion about encryption backdoors and government intelligence gathering.

"Chenxi, have you lost your marbles? Why is this even a debate?" Wang was asked.

Ultimately, Wang was right to push for the debate, because even among the security experts at the RSA Conference, there was disagreement not only about the legal precedent of encryption backdoors but also about what constitutes a backdoor in the first place.

Backdoor views

Michelle Dennedy, chief privacy officer at Cisco, was adamant that the term backdoor only applied when access was intentionally built into a system. This means that, in her view, what was reported as a backdoor in Juniper systems was merely a flaw, because the unauthorized code that created the access was inserted by hackers, not by Juniper.

Matthew Green, assistant professor at Johns Hopkins University and cryptography expert, said intent didn't matter as long as the code allowed for unauthorized access.

And Richard Marshall, CEO at X-SES Consultants LLC and the NSA's former associate general counsel, defined a backdoor as a designed vulnerability but said it was an overblown topic because hackers have plenty of vulnerabilities to gain access without the help of encryption backdoors.

"Nation-states do not care that much about cryptography. It slows the process down, but they can get in it. You don't need to build a backdoor when there are so many other vulnerabilities ... being exploited on a day-to-day basis," Marshall said. "Unless and until we can make software bulletproof, that's where we should spend our energy."

What about CALEA?

Wang asked the panel about the Communications Assistance for Law Enforcement Act (CALEA), which Wang said stipulated that telephone companies must engineer their systems with the capability of wiretapping. An audience member noted, however, that CALEA only grants law enforcement access to the communication path and does not require decrypting data.

"We don't live in an anarchist society," Wang said. "It seems like a reasonable argument to make that, if the government has met the requirements of reasonable doubt and by way of a court order, there should be a capability for them to intercept the communication, be that telephone or digital communication as we know today. Do you think it's likely, facing today's debate, that Congress may step in and push for an update of CALEA?"

Dennedy said that regardless of what Congress is likely to do, she wasn't confident that there would be a nuanced discourse about the issue.

"I think no matter what our Congress today here in the U.S. proposes, it has a very slim chance of passage or, I think, even reasoned and nuanced discourse, and that is a sadness and shame to me," Dennedy said. "And, I'll add another thing -- this may come as a shock to you -- there are other countries out there. I think we have not just the ability but the duty as a species to have this debate as transparently and publicly and openly as possible, and to allow nuanced voices from different cultures to help influence before we build something."

Marshall agreed that it was the "height of American technology arrogance to assume with any degree of certitude that we're the only ones that know what the hell we're doing with communications technology." He said he believed that, instead of just updating CALEA, the government needs to modernize all statutes related to communications technology, especially the Electronic Communications Privacy Act.

"It does not reflect the current state of technology. It strains the brain to try to enforce it or try to interpret it to do something to a public good or to protect the private industry," Marshall said. "Nuances give too much wiggle room, and when you're in a business environment ... it's very hard to explain that with any predictability. And, in a business environment ... you want predictability because that's where you're going to invest your money."

Encryption backdoors: Handle with care

Green warned that lawmakers will need to be careful because encrypted messaging is a fairly young technology, and we don't know what the consequences are going to be for technology as a whole.

"The one thing we've probably learned over the last few years going back to Snowden is that ... no country knows how to ... break encryption," Green said. "We do know that encryption works. If encryption didn't work, this debate would be so easy for all of us."

Green noted that the only ways nation-states can break encryption are by weakening it or stealing the keys. He said keys are not something that can be trusted because they can be stolen if kept long enough, and suggested the best option is to use keys that are thrown out after each process, but he saw no possible way for there to be a one-time-use master key system to create a government encryption backdoor.

Innovation required

Dennedy said the best way forward may be in engineering software to be transparent about privacy requirements and properly educating users.

"I think it's possible to have security people recognizing that when we have information flowing through our systems, we are not engaging in some sort of commercial activity but in a sacred trust," Dennedy said. "We have an ethical, moral and legal obligation to build in that desire for privacy into our systems. As a technologist, this entire debate is a requirement-setting process. The minute you talk about something being transparent and having processes, it's no longer a backdoor."
