Wednesday, January 6, 2016

When your strategy fails!

Cyber Regulation Debate

The best regulatory effort...
I want to point out two interesting elements of the recent fronts in the ongoing Cyber Policy War. The first one, is the baffling Wassenaar support from various human rights groups upset at a tiny Italian company named "HackerTeam".

Someone, I'm sure not at all connected to any of these human rights groups, tried to buttress their argument that penetration testing software should be export controlled by uber-double-ironically hacking into HackerTeam and releasing all of their internal emails and documents.

At first, this worked well: HackerTeam had a number of contracts with people who they said they did not (Sudanese Govt, etc.).

However, it also demonstrated that HackerTeam had, in fact, gotten an export control license to do whatever they wanted, which completely undercut the whole rational for the Wassenaar cyber regulations, and in the end, helped cripple support for it. It also pointed out that of course HackerTeam's biggest customers were Western agencies - and if they really wanted to kill off HackerTeam, they could just close their pocket books.

Encryption Debate

Likewise, the crypto debate has always had a number of supporters of key escrow threatening loudly "When a terrorist attack happens, and the terrorists use crypto, this law is going to get shoved down your throat, so you better prepare a nicer version of the law for us and promise to self regulate!"

The FBI Director has been the head cheerleader on this, but everyone else on the key escrow side has parroted these remarks. And lo and behold, once a terrorist attack happened we saw a MASSIVE push to get the argument moved to pressure Apple and Google to change "Their business model" to allow for key escrow/crypto backdoors to happen.

But what also happened? JUNIPER. We still don't know how Juniper found the backdoor in their code. They claim "internal code review" which could very well be language that means "The NSA told us."

But what we do know is that they used the cryptographic primitive (DUAL_EC) that DOES provide for a "secure backdoor". It's the perfect key escrow!  This is what the FBI is asking for! But having a perfect mathematical primitive doesn't help the engineering side of things.

The weakness everyone is complaining about is not a mathematical weakness. It's an engineering weakness. And the Juniper hack completely demonstrated the fragility you introduce when you implement a "Cryptographic backdoor" in your system. Attackers then have a place to use to put implants into your network that are very hard to audit or control.

And, of course, China jumped the gun by requiring key disclosure from companies - the exact thing technology companies have been wanting the US Government to help prevent, which is why they were so angry the FBI was taking the opposite position in the first place.

So now the conversation has swung the other way, but with an EVEN MORE pissed off technology lobby, during an election year no less.

In summary: The crypto backdoor conversation is not one the government can win, in any likely scenario. It is time to move on and deal with the consequences.

No comments:

Post a Comment