Intelligence agencies have stepped pressure for encryption backdoors and weaker encryption in the wake of the Paris bombing. Various reports allege the attackers used encrypted communications, or Playstation 4 notes, to plan their assault.
Meanwhile, there are reports that the Iraqi and Turkish intelligence agencies had warned of the attack in advance, and that at least one of the alleged bombers was a known terrorist, having previously been jailed for terrorist activities by the French.
Security experts from Tripwire explain whether or not weakening encryption or providing back doors for intelligence agencies is a good idea and why planning of the attacks wasn’t picked up :
Tim Erlin, Director of Security and Product Management at Tripwire :
“The tension between privacy and security is certainly not new.
It’s important to realize that there’s common ground in this conversation. Outside of the terrorists themselves, everyone involved wants to prevent these kinds of attacks.
Encryption isn’t a product where production is limited to specific companies. Encryption is a mathematical operation that can be performed in many ways across many mediums. There’s a reasonable argument that limited encryption would simply result in a black market for strong encryption.
It’s hard to argue that the ability to read every bit of text traversing the Internet wouldn’t enhance the ability to prevent these kinds of attacks, but there are reasonable opposing arguments that crippling commercial encryption wouldn’t result in this kind of access.”
Craig Young, Security Researcher at Tripwire :
“Forcing product and service vendors to provide law enforcement agencies with unfettered access to encrypted communications is unlikely to ultimately provide the level of intelligence required to detect and prevent terror attacks. As they say, “the cat is out of the bag” with regard to cryptography and any attempt to monitor popular communications platforms will only lead to home-brewed alternatives implementing strong crypto using published standards.
Reports from the Associated Press currently indicate that US intelligence services did in fact have forewarning of an impending attack in Europe. Unfortunately intelligence agencies are bombarded with information pointing to generalized attacks and there is not always an effective way to discern credible threats for further investigation. This is in many ways the ultimate big data problem.
Based on past reporting, the jihadist threat actors are careful with electronic communications with a preference for covert communication including physical transport of coded messages and the use of steganographic techniques to hide messages within image sharing sites.
The demands of intelligence agencies must be evaluated on an individual basis to determine whether the potential benefit for public safety outweighs associated privacy intrusions.”
Travis Smith, Senior Security Researcher at Tripwire :
Weakening encryption is a double edged sword. On one hand the government has their immediate benefit of being able to monitor everything they can get their hands on. On the other hand, we’ll have to assume that attackers will have the means to use the backdoor as well. By opening up the backdoor, the entire internet is less secure for everyone.
This would leave legitimate actors as well as critical infrastructure with their pants down, while nefarious actors would still have “unbreakable” encryption at their disposal.
The ability to detect attacks relies on the ability to correlate, or bring together, data from a wide array of sources. Due to the sheer amount of data being processed, there are not enough resources to follow up on every threat. Hindsight is always 20/20, so hopefully intelligence agencies can learn about the events that led up to these attacks to prioritize what threats to follow up on in the future.
Tyler Reguly, Manager of Software Development at Tripwire :
“Anyone that believes that increased control and/or restrictions related to encryption will help detect and prevent criminals, terrorist or otherwise, is naive. Any limitations on encryption will have much greater negative impact on law-abiding citizens than on criminal elements. Proposed encryption back-doors may foil half-hearted criminals or identify those that make mistakes in the planning process but it won’t deter or catch those that are truly committed, especially terrorists with an end game. Cyber criminals of all stripes will simply adopt new methods.
Strong encryption is out there, that can’t be undone. It’s ridiculous to assume it’s possible to weaken all encryption and backdoor all communication. Even if this could be accomplished via some herculean effort, criminals would simply develop their own communication techniques.
This is a knee-jerk reaction from an intelligence community that is ill-prepared for the realities of our digital world and still playing catch up. If the cybersecurity community were to cave and implement these requests, these backdoors would be discovered and subverted by criminals to hamstring enterprises making it even easier for criminals and terrorists alike to pull off cyberattacks.
The ultimate question is not whether or not it’s beneficial to cripple encryption because the technology community knows this is not a viable option. The real question is whether or not we’re willing to trade the prevention of low hanging physical attacks for an increase in cyber attacks directed at critical infrastructure.”
Dwayne Melancon, CTO of Tripwire :
“The genie is out of the bottle on encryption, and recent proposals to outlaw it will not stop criminals. In fact, a ban is likely to have the opposite effect; encryption protects electronic financial transactions, private Internet communication and much of our national critical infrastructure. Encryption is so essential to the ability to communicate securely over the Internet that it is a fundamental requirement in a wide range of government regulations designed to protect sensitive data it from hackers, nation state attackers and others with malicious intentions. Anything we do to restrict or weaken encryption would weaken the mechanisms we use to secure the Internet.
The reality is that declaring encryption to be illegal won’t stop people from using it. All crime is illegal and every day in the news we see the extraordinary lengths people go to in order to get around these restrictions. Furthermore, a ban on encryption would be completely ineffective at improving national security unless other nations follow suit, and I don’t see that happening any time soon. Instead, the collateral damage an encryption ban could inflict on the nation’s economy and on consumer privacy is hard to estimate.”[su_box title=”About Tripwire” style=”noise” box_color=”#336588″]
Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.