Yahoo Chief Information Security Officer Alex Stamos on Monday confronted National Security Agency Director Adm. Mike Rogers over the United States government’s plan to require built-in backdoors in hardware and software made by American companies. The exchange took place at the New America Foundation’s cybersecurity conference in Washington.
Building backdoors into cryptography is “like drilling a hole in the windshield,” Stamos said, according to a transcript of the conversation published by JustSecurity.org.
Asked if U.S. high-tech companies also should build backdoors for other countries’ governments, Rogers said it needed to be done in a framework.
He acknowledged that there were international implications but repeatedly said “I think we can work our way through this” in response to Stamos’ subsequent remarks.
“We have got to be willing as a nation to have a dialog,” Rogers later said. “This simplistic characterization of ‘one side is good’ and ‘one side is bad’ is a terrible place for us to be as a nation.”
He also objected to use of the term “backdoor” as having a shady connotation and maintained the U.S. could create an appropriate legal framework for the technology.
“Does the NSA really believe that their legally approved vulnerabilities will never be exploited by the bad guys?” wondered Eric Cowperthwaite, vice president of advanced security strategy at Core Security. “Do they really want to provide backdoors into commercial and government computer systems that are now known to be there?”
It “would be helpful to know what [Rogers] thinks ‘working our way through this’ means,” Cowperthwaite told the E-Commerce Times.
No Agency Is an Island
Rogers was speaking specifically about ways for the NSA to break encryption using some sort of government master key, “but that is not where it will stop if we open Pandora’s Box,” Cowperthwaite pointed out. Instead, governments globally will backdoor hardware and software, as well as platforms like Yahoo.
“What happens when the French government passes a law requiring the same capability that Rogers wants?” Cowperthwaite queried. “Notice he refused to answer that question.”
Once backdoors are available, researchers with malicious intent will begin to scout them out and figure out how to exploit them, he warned. “This sort of thing can’t be kept secret.”
Look East, Young Man
Rogers’ views and those of the Obama administration aren’t far afield from those of China’s government on this score. China may order its banks to purchase Internet and information communications technology products with backdoors.
That has agitated U.S. businesses, which have sought discussions with the Chinese authorities.
U.S. high-tech companies and American lawmakers have voiced similar concerns about the Obama administration’s plans for cyberbackdoors.
Consider the Superfish adware that Lenovo preinstalled on PCs. US-CERT issued an alert after the news broke last week, and the company now is facing several lawsuits.
Meanwhile, U.S. Reps. John Sensenbrenner, R-Wis., Thomas Massie, R-Ky., and Zoe Lofgren, D-Calif., this month reintroduced a bill to prohibit agencies from requiring or compelling surveillance backdoors in products and services.
In addition to weakening security, the backdoors could hit U.S. businesses, noted Andy Rappaport, chief architect at Core Security.
Global businesses might route their traffic, data and business around U.S. soil and U.S. businesses, he told the E-Commerce Times.
“A backdoor is a backdoor,” said Elia Yehuda, cofounder and CRO at Zimperium.
“It means someone other than yourself can get into your house uninvited, look at your most sensitive information … and you can’t even tell what he’s doing,” he told the E-Commerce Times.
No, Nyet, Non!
The U.S. is a major target for hackers, who are hitting public and private sector websites. The U.S. State Department is still trying to get rid of hackers who penetrated its unclassified email network three months ago.
Further, terrorists use the Internet for communications. Given ISIL’s online posts of beheadings and Al-Shabaab’s video calling for the bombing of malls in the U.S. and Europe, wouldn’t it be a good idea to be able to track them through backdoors?
“Not really,” said Jim McGregor, principal analyst at Tirias Research.
“This would open the floodgates for similar actions by other governments,” he told the E-Commerce Times, “which would … threaten everyone’s trust in current electronic systems.”