Limiting encryption may open doors to criminals

US calls for all encryption software to have 'backdoors' may cause even worse security problems, warn experts

A new call for limits on encryption technology is finding weak political support in the United States, despite a looming clandestine war against terrorism that is likely to hinge on the effectiveness of police and military intelligence.

In response to attacks this month on the World Trade Center and the Pentagon, Senator Judd Gregg, a New Hampshire Republican, said he favoured establishing mandatory backdoors in the software used to scramble digital messages and to ensure that only the intended recipient can read the contents.

The spectre of unbreakable encryption falling into the hands of criminals, terrorists and hostile governments has long been used to promote policies limiting commercial data-scrambling products. Such arguments are out of date, however, according to many experts. Critics include not only civil libertarians and a self-interested software industry, but those concerned with preventing terrorism as well.

Two factors have decisively changed the playing field: So-called strong encryption technology is already widely available and can't realistically be recalled. In addition, fear of cyberattacks hitting strategic targets such as electrical grids and nuclear power plants has raised the stakes for domestic security.

"The danger in weakening encryption is that our infrastructure would become even less secure," said Bill Crowell, a former deputy director of the National Security Agency, the organisation charged with gathering electronic intelligence for the military and protecting the United States' own communications networks. "There is no indication that the administration is serious about these proposals."

Already, some members of Congress are readying opposition to Gregg's proposal.

Representative Bob Goodlatte, a Virginia Republican and longtime critic of anti-encryption measures, said he is working to build Senate opposition for such a bill that equals momentum in the House. Goodlatte belongs to a camp of lawmakers that believes such legislation would be a threat to national security.

"It's not a matter of privacy vs security, but security vs security," Goodlatte said in an interview.

"Encryption protects our national security," he said. "It protects the controls of everything from nuclear power plants to the New York Stock Exchange, government communications, credit cards and the electric power grid. Encryption plays a critical role in our entire communication system, and to require that a backdoor be built into that system is just an incredibly dangerous thing to do."

Former NSA Deputy Director Crowell, now president and chief executive of security software maker Cylink, said intelligence and law enforcement agencies will have to find other ways to gather information than plucking it from the ether.

"Yes, it's hard," he said. "But that is the world that we live in today. I think the alternative of having banks, companies and the government use weak encryption is not a good one."

Gregg stated that he would present legislation to create a "quasi-judicial entity," appointed by the Supreme Court, that would act as an independent third party giving authority to the lawmakers with proper warrants to crack encrypted documents.

"This judicial element would have the ability, with absolute search-and-seizure rights protected, to get access to security keys with cooperation from the industry," said Brian Hart, press secretary for the senator.

Gregg is discussing the proposal with other senators and is waiting to see Attorney General John Ashcroft's full anti-terrorism recommendation, expected to be released next week, Hart said.

"We want to defer to the president and the Bush administration to combat terrorism," he said.

For law enforcement and officials of the newly formed Office of Homeland Security, encryption holds both a promise and a threat.

Today's encryption technology allows anyone with a PC to scramble their email and files so that even the most powerful computers in the world would take centuries, if not longer, to crack the code. Only the correct key can decipher the original message.

On one hand, encryption has made the Internet more secure. In the past, most information on the Internet was sent in plain text with no encryption protecting it. Anyone listening on the line could capture passwords, financial transactions or personal emails. Today, the ability to encrypt the content of messages has heightened the security of the Internet.

However, that same ability to scramble messages has left lawful authorities bereft of any ability to eavesdrop on suspected terrorists when encryption is being used. Although there is no evidence yet that encryption was used by the terrorists that attacked the World Trade Center and the Pentagon, many consider it likely.

The dangers of giving criminals the ability to hold absolutely private communications has been debated often in the past decade.

In the late '90s, a group of federal regulators including former FBI Director Louis Freeh and former Attorney General Janet Reno championed legislation that required encryption software to include government safeguards and that restricted US exports.

The Clinton administration introduced a proposal for technology known as the "Clipper Chip," or an extra key held by the government, which could with a warrant unlock encrypted electronic messages for criminal investigations. The proposal met with opposition from the American public, businesses and foreign governments, and eventually failed. Critics said foreign consumers or businesses would not buy US encryption software accessible by the US government.

"Everyone gets really nervous when you start talking about backdoors because you have to trust the other fellow a lot," said James Lewis, director for the technology and public policy program at the Center for Strategic and International Studies, based in Washington D.C.

"If you put domestic restrictions on US encryption use, it doesn't do any good, because first, there are real costs to the economy -- the Internet is weakened -- and second, without the cooperation of every other crypto supplier in the world, it doesn't prevent terrorists from getting their crypto from somewhere else," Lewis said. "None of these issues have changed."

For now, Gregg seems unlikely to gain many adherents.

Scott Schnell, senior vice president of corporate development for encryption technology seller RSA Data Security, argued that a backdoor could make the Internet far more vulnerable to attack.

"The fatal flaw is that if the terrorist ends up with a key [to a backdoor], it could be disastrous," he said. "A single key could compromise a whole company or a large segment of the population."

Rather than preventing terrorism, argued Schnell, Gregg's proposal would empower terrorists by allowing them to focus their attack on a single weakness.

"The proposal not only wouldn't work, but it would force the country to pay a huge penalty to get access to a small body of potential evidence," he said.

Privacy advocates weighed in against the proposal as well. Richard Smith, chief technology officer for the Denver-based Privacy Foundation, characterised any potential encryption laws as a "total waste of time."

"It will take years to get updated forms of the software, assuming that people will even upgrade voluntarily," Smith said. Worse, such legislation would have little effect on terrorists who could just use the software publicly available now. "The bad guys will keep using the old products without the backdoors."

Steve Bellovin, a security researcher with ATT Labs, said any impression the United States has of pre-eminence in the encryption field is wrongheaded. The encryption algorithm to be used by the US government in the future, known as the Advanced Encryption Standard, was originally developed by two Belgian scientists.

Terrorists outside the United States will have access to such expertise, he said. "These people are not stupid," he said. "They will write their own code. I know high-school students who could take the AES specification and write a program."

Gregg hopes to head that off by enlisting other nations' help. One key to legislation would be the cooperation of governments around the world, which Gregg has urged in congressional hearings. Global enforcement is essential to ensuring that terrorists and hackers are unable to obtain encryption software without backdoors.

But opponents to encryption laws believe such cooperation to be impossible.

"Because you can download software on the Internet, people outside the country could sell encryption without a backdoor," said the Privacy Foundation's Smith. "To have practical value, it would have to have worldwide enforcement, and plenty of countries wouldn't want to do this."

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All