Can there be a winner in the Crypto Wars?
Alexei Balaganski, analyst, Kuppinger Cole
If there is one thing that can be said about most politicians, it’s that they do not understand technology. This is especially true when the technology in question is related to cybersecurity and strong encryption in particular. Governments have always considered the ability to intercept and decrypt communications of foreign nations a matter of national security, but no other country has been as persistent in their fight against encryption as the United States.
In the previous round of the Crypto Wars in the 90s, the US government had come up with the idea of an encryption device with a built-in backdoor to be installed into every communication device, which would allow government agencies to obtain the encryption key and intercept all data transmitted by that device. The proposal was met with unanimous opposition, and security experts have demonstrated multiple weaknesses in both the concept of “key escrow” and the actual implementation of the chip. The idea has been abandoned in the end, but export controls that restricted which encryption methods could be exported from the USA were introduced. Although eventually those regulations were lifted, many current software products still have to support those weakened ciphers for compatibility reasons. Just recently, nearly a third of all websites were found to be vulnerable to the FREAK attack, which allowed downgrading the security of an encrypted session and then successfully breaking the encryption.
Fast-forward twenty years, and the US and UK governments are now discussing very similar plans. Again, claims are brought forward that without having exceptional access to all digital communications intelligence agencies will “go dark” and won’t be able to fight terrorism. The same idea of a centralized body holding all encryption keys in escrow for the government agencies is being discussed again. The UK government has gone so far as to suggest banning certain types of encryption completely. It is all as if nothing has changed since the 90s. Alas, the world we are living in is now completely different.
Before discussing technical implications of these new proposals, it’s worth noting that the very premise of the current debate is demonstrably wrong. Thanks to the documents leaked by Edward Snowden, we now know that NSA has not gone dark since the 90s. In fact, their technical, legal and clandestine arsenal of surveillance tools has expanded immensely in the last decade. Essentially, they are capable of intercepting a vast majority of communications around the world. Unfortunately, they are yet to show any evidence that this has actually helped prevent a single act of terrorism.
In fact, if these new regulations on encryption are going to be adopted after all, criminals and terrorists won’t have any real difficulties going back to “low tech” communication methods. Legitimate enterprises, however, will face much bigger problems. With all the recent trends of digitalization of businesses, the companies are becoming increasingly interconnected. Secure communications channels are now an essential component of every company’s infrastructure. This is especially true for cloud service providers, financial, health organizations, and other companies dealing with large amount of other people’s sensitive data.
A government-mandated backdoor to their infrastructures obviously introduces a vulnerability ready to be exploited by a malicious agent, but that’s not the biggest problem. A centralized government-controlled body holding credentials for multiple such infrastructures is an even more lucrative target for attackers, and government agencies aren’t exactly known for their high cybersecurity standards.
Another problem is jurisdiction: if a US company operates in another country, should it provide exceptional access to that country’s intelligence agencies as well? What if the country in question is a geopolitical enemy of the “free world”? Does it mean that we’ll need to maintain another “export-grade” backdoor, too? Just imagine how complex and expensive addressing these technical and legal problems would be.
All these efforts, however, are most likely to be in vain, since anyone wishing to evade the mandatory surveillance can simply switch to a solution from a non-US company, and that won’t be just the criminals, but every business or individual concerned about security and privacy of their communications. This effectively means that US and UK companies are going to lose their competitive advantage in the world markets, especially in the European Union countries like Germany, where privacy is considered an almost sacred right. Their reputation has already been damaged by Snowden’s revelations, and with new regulations in place, their entire business models will be severely crippled.
In fact, with all things considered, it’s difficult to imagine a single party that would gain any advantage, political, financial or otherwise, from these proposed regulations. To me, it seems that in the Crypto Wars, like in a nuclear war, everybody loses.
Alexei Balaganski is an analyst at Kuppinger Cole with specific focus on cybersecurity. After graduating with an MSc degree in Mathematics and Computer science he has worked in the IT industry for over 15 years. His experience includes software development, network administration and information security. Before joining KuppingerCole in 2007, he has taken part in multiple IT projects including e-commerce, high-load and cloud applications.