The director of the NSA, Admiral Michael Rogers, just admitted at a Senate hearing that when Internet companies provide copies of encryption keys to law enforcement, the risk of hacks and data theft goes way up.
The government has been pressuring technology companies to provide encryption keys that it can use to access data from suspected bad actors. The keys would give the government “front door access,” as Rogers has termed it, to encrypted data on any device, including cell phones and tablets.
Rogers made the statement in answer to a question from Senator Ron Wyden at the Senate Intelligence Committee hearing Thursday.
Wyden: “As a general matter, is it correct that anytime there are copies of an encryption key — and they exist in multiple places — that also creates more opportunities for malicious actors or foreign hackers to get access to the keys?
Rogers: Again, it depends on the circumstances, but if you want to paint it very broadly like that for a yes and no, then I would probably say yes.”
Security researchers have been saying for some time that the existence of multiple copies of encryption keys creates huge security vulnerabilities. But instead of heeding the advice and abandoning the idea, Rogers has suggested that tech companies deliver the encryption key copies in multiple pieces that must be reassembled.
“The NSA chief Admiral Rogers today confirmed what encryption experts and data scientists have been saying all along: if the government requires companies to provide copies of encryption keys, that will only weaken data protection and open the door for malicious actors and hackers,” said Morgan Reed of the App Association in a note to VentureBeat.
Cybersecurity has taken center stage in the halls of power this week, as Chinese president Xi Jinping is in the U.S. meeting with tech leaders and President Obama.
The Chinese government itself has been linked with various large data hacks on U.S. corporations and on U.S. government agencies. By some estimates, U.S. businesses lose $300 billion a year from Chinese intellectual property theft.
On June 2nd, the Senate approved a bill called the USA Freedom Act, meant to reform the government surveillance authorizations in the Patriot Act. The Patriot Act expired at midnight on June 1st.
But the NSA has continued to push for increased latitude to access the data of private citizens, both foreign and domestic.
Numerous federal agencies rely on legacy systems that have security bolted on as an afterthought instead of security “being deeply embedded” in the systems. It is unsurprising that such older hardware, software and operating systems are vulnerable to intrusions. But sometimes security problems have more to do with human vulnerabilities – stupid PEBKAC and ID10T errors committed by the person behind the keyboard – than legacy systems. If the same people who handle sensitive government information also keep falling for phishing scams, should they have their security clearance revoked? Indeed they should, according to DHS chief security officer Paul Beckman.
Some of the best app ideas are also the most obvious, and that’s definitely the case with the Companion app.
The app makes it easy to recruit friends and family to virtually accompany you on your way home at night when you’re in areas where you feel less than safe.
And before you poo-poo the app as playing on our fears, try to remember just how many friends you’ve known who have called you up while walking the streets at night, often in a bid to make sure someone knows that they’re safe while traveling in risky circumstances.
This app eliminates the need for a lengthy, possibly nervous conversation packed with small talk and instead offers a dedicated tool designed to increase your feeling of safety.
Earlier this year, President Obama held a Summit on Cybersecurity and Consumer Protection where he challenged public and private sector leaders to work together to protect American consumers and companies from the growing threat of cyberattacks. This outreach comes as several other key pieces are falling into place. Just this summer, Congress is moving on new legislation to provide liability protection to private and public entities sharing cyber threat intelligence. Add to this the increasing adoption of the new automated cyber threat sharing standards STIX and TAXII, and we have the roadmap to successfully sweep away some of the digital weeds that criminal and nation-state hackers use to launch attacks that undermine our trust in the Internet.
However, President Obama correctly stated that government efforts alone will have little effect unless enterprises also step up to the challenge of sharing their cyber threat intelligence. Unfortunately, despite some notable exceptions like the Cyber Threat Alliance, organized cyber threat sharing efforts among U.S. companies to date have been sporadic. There are pockets of private sector threat sharing, but these are often focused on particular sectors (such as the financial industry) and are primarily built upon relationships among trusted partners rather than the scalable system required for protection throughout the ecosystem. Ironically, threat sharing within the security industry has traditionally lagged behind other sectors. This reluctance is largely due to concerns about competition and an antiquated belief that threat intelligence indicators should be the sole basis upon which security companies differentiate themselves. These entrenched mindsets have built barriers to developing an infrastructure by which private and public entities can share information they’ve gleaned about cyberattacks.
I realize the idea of sharing information between security companies (many of which are direct competitors) goes against decades of competitive behavior. But to those who feel that the information they’ve learned from their own experiences with cyberattacks provides a competitive advantage, I’d say your thinking is short-sighted. Here’s why.
Threat Intel Has a Short Shelf Life – As soon as an enterprise identifies and remediates one attack signature, hackers will quickly develop another one to take its place. In a rapidly changing environment like this, the value of shared threat intelligence often has a very short shelf life. So rather than keep information about a cyberattack to themselves, companies should share it with others that would benefit from it while it is still useful. Limiting the effective breadth of a cyberattack forces hackers to spend more time developing new attack methods and less time using established ones to steal data or disrupt business. The company your threat intel helps today may very well share the intel that helps your company stop a cyberattack tomorrow.
Your Feed’s not as Effective as You Think – The 2015 Verizon Data Breach Report notes that among the feeds they studied there was only minor overlap, meaning a customer would need access to all the feeds for any real benefit even against KNOWN threats. Rather, they state, “there is a need for companies to be able to apply their threat intelligence to their environment in smarter ways so that even if we cannot see inside the whole lake, we can forecast which parts of it are more likely to have a lot of fish we still haven’t caught.” The real value of threat intelligence sharing is its ability to increase the effectiveness of each company’s unique solution. As threats are exposed, sharing information about them with a continuously expanding network of companies ensures more experts are working on finding a way to remediate a threat. And once a fix is discovered, the larger the threat intelligence network, the more quickly that fix will be implemented, further degrading the ability of cyberattackers to cause harm.
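The overlap and shelf-life arguments above are easy to check against your own feeds. The following is an added example, not code from the article or from the Verizon report: it computes pairwise Jaccard overlap between feeds, the share of incident indicators each feed alone would have covered versus the union of all feeds, and a freshness cutoff that drops indicators past their shelf life. Feed names, indicator values and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical indicators, not real IoCs):
# each feed maps an indicator to the time the feed first published it.
NOW = datetime(2015, 9, 25, tzinfo=timezone.utc)
FEEDS = {
    "feed_a": {"c2-one.example": NOW - timedelta(days=2),
               "c2-two.example": NOW - timedelta(days=40),
               "c2-three.example": NOW - timedelta(days=1)},
    "feed_b": {"c2-two.example": NOW - timedelta(days=38),
               "c2-four.example": NOW - timedelta(days=3),
               "c2-five.example": NOW - timedelta(days=5)},
    "feed_c": {"c2-three.example": NOW - timedelta(days=1),
               "c2-six.example": NOW - timedelta(days=10)},
}
# Constructed: indicators actually seen in this organisation's own incidents.
OBSERVED = {"c2-one.example", "c2-four.example", "c2-six.example", "c2-seven.example"}


def jaccard(a, b):
    """Overlap between two indicator sets: |A & B| / |A | B| (0.0 when both are empty)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def pairwise_overlap(feeds):
    """Jaccard overlap for every pair of feeds, keyed by (name, name) in sorted order."""
    names = sorted(feeds)
    return {(x, y): jaccard(feeds[x], feeds[y])
            for i, x in enumerate(names) for y in names[i + 1:]}


def coverage(feeds, observed):
    """Fraction of observed indicators each feed alone covers, plus the union of all feeds."""
    result = {name: len(set(feed) & observed) / len(observed) for name, feed in feeds.items()}
    union = set().union(*(set(feed) for feed in feeds.values()))
    result["union"] = len(union & observed) / len(observed)
    return result


def fresh(feed, now, max_age_days):
    """Indicators still within their shelf life: first published no more than max_age_days ago."""
    return {ioc for ioc, seen in feed.items() if now - seen <= timedelta(days=max_age_days)}


if __name__ == "__main__":
    for pair, score in pairwise_overlap(FEEDS).items():
        print(f"overlap {pair[0]} vs {pair[1]}: {score:.2f}")
    for name, frac in coverage(FEEDS, OBSERVED).items():
        print(f"coverage {name}: {frac:.2f}")
    print("fresh feed_a (30 days):", sorted(fresh(FEEDS["feed_a"], NOW, 30)))
```

With these constructed feeds no single feed covers more than a quarter of the incident indicators while their union covers three quarters, and the 40-day-old entry drops out under a 30-day shelf life.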
Customers Want Action, Not an Excuse – There are fewer and fewer excuses left for security companies not sharing threat information. At the end of the day, enterprises know their future success is contingent upon providing customers with a safe, predictable user experience. Even the US Department of Justice issued guidance last year exempting the sharing of cyber threat intelligence from antitrust concerns. It’s irresponsible for companies not to take advantage of any activity that could help them better protect their customers.
Some in the security industry get this and believe it’s time to quit stalling and get to work. Palo Alto Networks, Fortinet, Intel Security, and Symantec established the Cyber Threat Alliance in order to share cyber threat intelligence for the purpose of a more cyber secure community. But these are just a few of the many companies with access to threat intelligence that could benefit the larger cyber ecosystem. I strongly encourage technology vendors, government agencies, non-profit groups, and corporations to visit http://cyberthreatalliance.org/ to learn how they can help the effort to build a safer, more reliable cyber infrastructure.
Whether or not an attack is successful depends on how ready we are to defend against it. So would you rather deal with the problem on your own, fingers crossed in the hope that your customers don’t have a bad day? Or would you rather be part of an organized network of enterprises united in the fight to stop cyberattacks, a network that includes companies who have already dealt with the attack you’re currently facing and know how to stop it?