While the public interest in backdoors has been centered on the FBI's court battle with Apple, a larger fight has been brewing amidst security and policy professionals for years. Law enforcement has repeatedly asked for cryptographic backdoors to prevent communications between criminals from "going dark." But the rousing response in favor of strong encryption and against backdoors has brought together seemingly intractable enemies, from the Secretary of Defense to hackers and many in between.
Last week's RSA conference was the backdrop for several discussions about backdoors into encryption. Current and former administration officials, along with security researchers, were asked whether encryption systems should be accessible to law enforcement.
Mike McConnell, former director of the NSA, took pains to paint himself as a traditional opponent on privacy issues. At one time, he was "all for espionage," and reminded the audience that he was a proponent of the Clipper Chip, an encryption system with a built-in backdoor. His opinion changed, however, when he began working in the private sector and discovered advanced malware being used to steal intellectual property, allegedly at the behest of the Chinese government.
"Ubiquitous encryption is something this nation needs to have," said McConnell.
McConnell was also pointedly critical of law enforcement's belief that encrypted communications will enable crime and terrorism. "Law enforcement is enabled by plain text," he said. "But we actually had criminal prosecution before we had telephones."
Former Secretary of Homeland Security Michael Chertoff, meanwhile, couched his opinion on strong encryption in moral terms. "Security without privacy is protecting an empty treasure chest," he said. "The values that we're protecting would simply be evaporating."
Chertoff also said that strong encryption is especially important when critical industries, like power generation, could potentially need to repel attacks. "We've been telling [industry] the responsibility is on you," said Chertoff. "So if we're going to ask the private sector to be partners, whether it's information or operating controls systems, we need to give them the tools to complete the mission."
That sentiment of encryption as a valuable tool at all levels was also the basis of Secretary of Defense Ashton Carter's assertion that he is "not a believer in backdoors or a single technical approach to a complex problem." Carter said that the Department of Defense uses the same encryption systems as everyone else, and that without strong encryption there is no way to secure communications between tanks, ships, and so on.
Much of the argument against backdoors in encryption systems hinges on the possibility of unauthorized access to those doors. In this context, the backdoor meant to enable law enforcement or intelligence gathering becomes a major vulnerability when in the hands of an attacker. This is usually a hypothetical situation, but security researcher and one of the minds behind the Signal app, Moxie Marlinspike, argued that it might have already happened.
He pointed to Dual_EC_DRBG, a pseudo-random number generator endorsed by the NSA and the National Institute of Standards and Technology, which contained a backdoor. The flawed generator was in use on Juniper Systems servers, which were secretly hacked, presumably placing control of the backdoor in the hands of the attackers. Marlinspike pointed out that these servers were possibly in use at the U.S. Office of Personnel Management at the time of the massive OPM breach.
"It's entirely possible that a U.S. backdoor was used to gain access to a U.S. system," said Marlinspike.
One of the traditional defenders of privacy fully agreeing with these traditional opponents was Nuala O'Connor, the President and CEO of the Center for Democracy and Technology. O'Connor said America needs to start working on privacy protections that will be meaningful when everything is connected.
"My personal device, my connected home, my connected car, and government systems, and our critical infrastructure; all of those are interconnected and to break encryption in any part of that chain affects national security," she said.
What About Apple?
But while nearly everyone was in lockstep about encryption, not everyone agreed about Apple. It's important to note that the FBI has argued that it is not asking Apple to break its encryption system. Rather, the agency has requested that Apple disable a feature that would allow the FBI to brute-force the PIN code locking the phone.
A few at RSA commented that Apple and the FBI picked a bad case to test the waters for these issues. "Apple goofed several ways," said Adi Shamir, one of the co-inventors of the RSA algorithm. He pointed out that the FBI had a strong case in that the owners of the phone were already dead and their guilt in a horrific action firmly established. "The FBI had been waiting for a long time to find the perfect issue from their perspective," he said. Though he made clear that he did support backdoors, he felt Apple should comply in this case and find a more favorable court case to press these issues.
And while support from the technology community for Apple was strong, the support from the government was unsurprisingly nonexistent. U.S. Attorney General Loretta Lynch was unequivocal in her remarks, tearing Apple's constitutional arguments apart. Secretary Carter voiced his support for encryption, but was careful to point out that he could not comment on the Apple case, which he described as a law enforcement, not defense, problem.
But among the technology professionals, support seemed strong for Apple. "The real reason we're having this discussion today is because Apple tried to make products that protect their users, which is unusual while most companies try to sell out [user] data at any turn," said Marlinspike.
Marlinspike went on to argue that in this case, the FBI is effectively trying to engineer away people's ability to break the law. Whitfield Diffie, one of the two inventors of public key encryption, agreed, saying, "The difference between a free society and totalitarianism of course being responsible for your action. But in tyranny, you build mechanism to prevent them from having their action."
The Path Forward
Nearly all of the prominent individuals who spoke on the subject maintained that the case of Apple and the FBI should not be the single discussion about backdoors or weak encryption. Instead, many held that the discussion should happen at the congressional level and not in the courts.
McConnell suggested that the technology sector be tapped to help lead the discussion in government. He called for the creation of a legislative commission to advise in the creation of new laws on encryption. "The public at large is not informed on this issue, just like when we went through the 9/11 commission to have a more engaged dialog for how we go forward," said McConnell.
Chertoff, like many this week, insisted that the technology sector had to work with government to find the best solution. "People from the security community, the privacy community, and the public want the same thing: a secure Internet, control of their data, and the benefits of technology without worrying about harm."
O'Connor agreed, saying that the discussions "should be in the legislative branch and they should be transparent." She and others emphasized the point that there is, in fact, much to agree about in terms of encryption and security. "I'm always profoundly optimistic and surprised that we're all able to find more common ground," concluded O'Connor.
This article originally appeared on PCMag.com.