Thou shalt be secure: RSA says you can't force private sector to break encryption

RSA's VP and GM of Global Public Sector Practice Mike Brown believes there's a better way to thwart terrorism than breaking end-to-end encryption, as recently proposed by the Australian government.

Australian Prime Minister Malcolm Turnbull, along with Attorney-General George Brandis, announced plans last week to introduce legislation that would force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.

After stuttering through an explanation of what a "backdoor" was and how the proposed legislative direction does not come under that definition, Turnbull was posed a question by ZDNet: Won't the laws of mathematics trump the laws of Australia?

To which Turnbull replied, "The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

During his media rounds, the prime minister made sure he let Australia know his intention was to protect the nation against terrorism and to protect its greater community from criminal rings such as those involved in paedophilia, rather than nutting out the technical specs of the laws modelled on the UK snoopers' charter.

"I'm not a cryptographer, but what we are seeking to do is to secure their assistance," Turnbull said of the responsibility of tech companies in his future plans. "They have to face up to their responsibility. They can't just, you know, wash their hands of it and say it's got nothing to do with them."

Speaking with ZDNet while in Sydney this week, Mike Brown, VP and GM, Global Public Sector Practice at security firm RSA, said not having an understanding spanning government as well as private sector leads to "too much assuming".

Brown, a former United States Department of Defense (DoD) cryptographer, spent the last four years of his government term assigned to the Bush and Obama Administration to develop and execute the United States' cybersecurity strategy that reached beyond the DoD and the government and into the private sector.

During his government tenure, Brown took part in many meetings with the Australian government to share intel on what the US was doing and offer advice around what had proven to be successful. He said this allowed Australia to somewhat learn from the mistakes the US made in the past.

He is also of the opinion there is a more effective way to thwart terrorism than the Coalition's proposed method.

"For roughly 10 months, we've been very vocal that you can't force the private sector to provide keys or other technical solutions because that undermines the very fabric that you're trying to utilise encryption for," he said.

"Encryption is extremely important for governments -- as a cryptologist, that was part of what I did -- and the operational capabilities that exist for governments rely on the ability to have information assurance, have the ability to conduct their operations. Encryption is a key element of that."

From a cybersecurity perspective, Brown said end-to-end encryption is also critically important for the private sector's ability to execute safely.

"That creates a significant conundrum when you have government on the one hand regulating that, 'thou shalt be secure' and then on the other hand saying, 'create this intentional weakness'," he explained.

Instead, Brown believes there are other avenues the government can pursue if they are "properly resourced" and are "paying attention".

To Brown, there are two primary areas of concern: National security and public safety, with everything else flowing from there.

"They also have to balance their mission space which includes the use of encryption with the ability to, in particular with a lot of the cases we see, provide intelligence or the law enforcement capabilities that are necessary and why they're looking for decryption," Brown told ZDNet.

The retired Navy Rear Admiral has spent a big chunk of his career calling for transparency from governments when addressing the public, and strongly recommends the private and public sectors communicate to create a path where the objectives of ensuring national security and public safety are met, while also not putting the private sector in an undesirable position, such as one that actually creates a much more significant or detrimental effect.

"For example, if these great allies, the governments all come together and say, 'thou shalt do the following', what that will do is potentially force the malicious actors to use tools and capabilities that are produced outside those five countries," he said of the members of the Five Eyes.

"The net effect is you still have the significant threat to the environment, to each and every one of us, from both the national security and public safety perspective; we've significantly hindered the ability for the private sector's entities to conduct worldwide business, potentially harming the private sector, and fostering bad activity outside the five countries."

If you create a backdoor, or allow for one to be created, you're not the only one with capability and you shouldn't assume that you are; Brown said it is simply part of best practices.

"The conversation didn't start well because you're saying to us to potentially introduce vulnerabilities one way or another ... but here you have best practices that include the use of encryption and now you're saying you must weaken your encryption, one way or another, in order to solve another really important issue, but you've created other issues from that," Brown added.

Earlier this week, it was reported that privacy executives from Apple had flown to Australia to meet with Brandis, as well as Turnbull's senior staff, to discuss the company's concerns about the proposed changes.

It is believed the tech giant is attempting to sway the government from implementing the laws, lobbying instead for a better approach.

Apple previously stood its ground against the FBI, refusing to unlock the phone of the San Bernardino terrorist.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All