Back or Front Door
It was 1990 when the US government publicly presented the idea of having the decryption keys used in encryption systems saved “in escrow”, in order to wiretap encrypted voice calls.
Twenty-five years have passed since then, twenty-five years of research, work and resources devoted to achieving an advanced level of privacy and security in encryption systems. However, the US government has renewed the idea and is now asking for access to decryption keys, with one small difference: U.S. intelligence and law enforcement agencies want to transcend borders and have a global reach.
Today, in place of the “cryptowars” term used in the 90s, we hear about “cyber army” and “cyber command”; more and more, we hear information security officials drawing parallels between encryption systems and the nuclear protection system. What is happening? Has information security, or rather the threats and vulnerabilities facing it, reached such a level that we have to face these comments and all the controversy around this topic? How have we arrived here?
Big names such as Apple and Google have already developed systems that automatically and robustly encrypt data using the method called “end-to-end encryption”. This method encrypts information in such a way that only the sender and the recipient are able to unlock the communication between them. Neither tech companies, nor service providers, nor state security institutions can have access to it. All these activities are undertaken to advocate and achieve the highest level of privacy protection for their customers.
So, basically, these encryption technologies have moved beyond the reach of government control in many countries. This has caused a lot of debate, since national security institutions and agencies claim that these strong encryption systems can be used by hackers, pedophiles, kidnappers, drug dealers and terrorists, who will feel safe to conduct and hide their crimes because the national security systems will not be able to see, understand or prove anything about their illicit activities. In response, the governments of some countries are openly requesting the development of “back doors” that give access to encryption systems, IT systems, networks or endpoint communication devices.
To provide this access to encrypted data while respecting regular judicial processes and procedures, as the US government is calling for, companies that develop devices and systems for data security would have to end such encryption in favor of a feature that would be used by security officers only for security reasons.
In fact, the National Security Agency (NSA) director, Mr. Michael Rogers, is not calling it a “back door” at all; he says that a “front door” is what they are asking for, a front door with multiple locks.
Whether it is called a back door or a front door, this would be hardware or an algorithm that provides access to a computer system or device to obtain plaintext without being authenticated or even detected.
According to technical experts, if companies build intentional vulnerabilities and back doors into encryption systems, they will undermine the overall security of the digital world, because a back door that can be used legally by state security agencies can also be used by hackers.
In response, a group of tech companies, civil society groups, academics, privacy advocates, and the UN office and High Commissioner for Human Rights have already taken a stand against this situation. Lately, the ball has been thrown to the National Institute of Standards and Technology (NIST), which defines encryption standards. NIST is being called on to stop cooperating with the NSA in compromising standards for the purpose of spying.
The obvious question is what should be done: how can the needs of all concerned be met? On the one hand, how can we live in a safe country where the national security systems have no access to criminals' and hackers' activities? On the other hand, how can we ensure that intelligence and national security systems will have access to communications and data only when they have legal permission to do so?
Rreze Halili is a Security, Continuity and Recovery (SCR) Product Manager at PECB International. She is in charge of developing and maintaining training courses related to SCR. If you have any questions, please do not hesitate to contact: training@pecb.com.