With the British election this June, cryptography on the internet is a hot topic. This past March, British Home Secretary Amber Rudd criticized WhatsApp's implementation of encryption in the wake of a terrorist attack:
"It is completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other."
There was another terrorist attack in early June that hit London. Shortly after the attack, the terrorist suspects killed themselves. British Prime Minister Theresa May, while busy in political campaigning mode, said in response: "We cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet and the big companies that provide internet-based services provide. We need to work with allied democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremist and terrorism planning. We need to do everything we can at home to reduce the risks of extremism online." May has said that she either wants to ban public access to cryptography technology or to only permit cryptographic systems where the British government has a backdoor. Even previous British Prime Minister David Cameron has endorsed restricting internet rights for the sake of supposed security. In reaction to the Paris terrorist attacks in January 2015, he said: "In extremis, it has been possible to read someone’s letter, to listen to someone’s call, to mobile communications. The question remains: are we going to allow a means of communications where it simply is not possible to do that? My answer to that question is: no, we must not. The first duty of any government is to keep our country and our people safe." Cameron's statement opposes the idea of ordinary people having access to cryptography. As a cybersecurity researcher, I'm frustrated by the technological ignorance that many politicians have. It's okay to not understand information security but only if you don't have the power to make decisions regarding cybersecurity regulation. Ordinary people in the U.K. and around the world need access to good cryptography. One of my idols in my field is Bruce Schneier, and he said it best:
"Encryption keeps you safe. Encryption protects your financial details and passwords when you bank online. It protects your cell phone conversations from eavesdroppers. If you encrypt your laptop, and I hope you do, it protects your data if your computer is stolen. It protects our money and our privacy. Encryption protects the identity of dissidents all over the world. It's a vital tool to allow journalists to communicate securely with their sources, NGOs to protect their work in repressive countries, and lawyers to communicate privately with their clients. It protects our vital infrastructure: our communications network, the power grid and everything else. And as we move to the Internet of Things with its cars and thermostats and medical devices, all of which can destroy life and property if hacked and misused, encryption will become even more critical to our security."
But what if we allow public use of cryptography only with a government backdoor, so that intelligence and law enforcement can decrypt any online communication without needing to crack a cipher or obtain a specific search warrant? The disastrous WannaCry ransomware attack illustrates the danger of government backdoors. WannaCry exploited a Microsoft Windows Server Message Block vulnerability that was designed by the NSA. Shadow Brokers obtained and then leaked the NSA toolkit, which bad actors subsequently incorporated into the process of WannaCry's development. Schneier warned about the danger of government backdoors long before WannaCry happened:
"The FBI wants the ability to bypass encryption in the course of criminal investigations. This is known as a 'backdoor,' because it's a way at the encrypted information that bypasses the normal encryption mechanisms. I am sympathetic to such claims, but as a technologist I can tell you that there is no way to give the FBI that capability without weakening the encryption against all adversaries. This is crucial to understand. I can't build an access technology that only works with proper legal authorization, or only for people with a particular citizenship or the proper morality. The technology just doesn't work that way. If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are how everyone attacks computer systems."
When Britons hit the polls on Thursday, they should be wary of grandiose proposals that exploit public fear of terrorism in order to promote technologically backwards policy. I watched the One Love Manchester concert that Ariana Grande hosted in response to the terrorist attack after her Manchester performance in May. She bravely decided that she isn't going to stop singing in public. That's how terrorists win. Terrorists engage in terror with the aim of promoting fear, and when politicians exploit that fear, they're playing right into terrorists' hands.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
