Earlier this month, FBI Director James Comey said that the widespread use of encryption was a national security problem for the United States. In a blog post, he warned of the threat of “ISIL operators in Syria recruiting and tasking dozens of troubled Americans to kill people,” communicating using encrypted messaging apps.
“There is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption,” Comey wrote.
It’s widely expected that Comey will push for the federal government to force private tech companies to create a “golden key,” a universal encryption backdoor that law enforcement agencies can use to monitor potential terrorist threats, an idea that Comey first raised in October.
The proposal has received a swift and vehement backlash from the private sector and the cybersecurity community, which has roundly denounced the “golden key” as an impractical concept, working only in the minds of those who don’t understand how cryptography works.
“There is no such thing as a golden backdoor that only one party can have access to, you would have to make it a weaker system, easier to compromise” said Brian Levine, director of cloud security at Syncplicity. “As you’re building a backdoor, a weakness, it will be eventually found, and that will allow the hackers in.”
Levine said that the government’s existing track-record in managing cryptography is already bad enough, attributing the lower encryption algorithm standards introduced by the National Institute of Standards and Technology (NIST) to the government’s wish to make encryption easier to crack.
“People that are asking for this are from the government and from the legal community, they’re not proposing a specific technical solution,” Levine said.
Others are concerned that the creation of a central encryption database is just a ticking time-bomb, because it’s only a matter of time before such a central database is itself hacked.
“Creating government accessible backdoors into encryption algorithms everyone uses is just asking for trouble, because now you’ve created a target for the bad guys to go after,” said Stu Sjouwerman, CEO of KnowBe4, a security company.
Sjouwerman said that humans are the “weak link” in IT security and that it’s inevitable for a large system of that kind to suffer from vulnerabilities sooner or later, and gave the example of how difficult such a project would be in comparison with the “Obamacare” websites, which experienced significant difficulties in the takeoff stage.
“That was only for health care and only for around 50 million people, [for a golden key] now you’re talking about hundreds of millions,” Sjouwerman said. “I honestly don’t think the FBI understands the feasibility challenges that a project like this actually has.”
The implementation of an encryption backdoor would likely have sweeping consequences beyond national security; it could precipitate a fragmentation of the Internet along nation–state lines.
“There’s already a significant blowback with Snowden, it’s increasingly clear that the U.S. government and its agencies have basically been owning the Internet from day one and have been monitoring everybody,” Sjouwerman said.
As a result, states could want to build their own systems.
“You run the risk of balkanizing the Internet, which was was built for open access,” Sjouwerman added.
The golden key proposal has also drawn criticism from former government insiders as well. Former Secretary of Homeland Security Michael Chertoff inveighed against the idea in a talk last week at the Aspen Institute.
“I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there’s going to be a court order,” Chertoff said, stating that in addition to the heightened security vulnerabilities commonly addressed, “the really bad people are going to find apps and tools that are going to allow them to encrypt everything without a backdoor. These apps are multiplying all the time.”