Rod Rosenstein’s responsible encryption fantasy

The politicians are at it again. This time, US Deputy Attorney General, Rod Rosenstein, wants tech companies to come up with a concept he calls, “responsible encryption.”

I wrote a blog post about government putting its fingers in encryption in early 2016, when the FBI threatened war with Apple over the San Bernardino case.  Although they eventually resolved it peacefully, the deeper issue remains. And, unfortunately, so do the conclusions. No matter what government calls it, Rosenstein’s not-so-new concept of responsible encryption is a fantasy.

Here is the transcript of Rosenstein’s speech.

Rosenstein and other officials are correct when they point out that encryption enables unsavory activity. Child molesters, robbers, murderers, terrorists, you name it, all use encryption. Encryption does have a dark side.

The policy challenge is, what can and should government do about it?

The US Government could force a central key repository, where it keeps a copy of encryption keys with a due process to use them.

Imagine a repository containing the billions, maybe trillions of encryption keys we use every day in 21st century society. Now imagine keeping all those keys safe from cyber-attack, keeping in mind the US government’s track record. Just ask any of the millions of OPM breach victims about government and cyber-security. Or read about repeated NSA breaches. Do we really want to trust the government with the encryption keys that keep modern society functioning?

But forget about criminals compromising a government key repository. Consider this – after pouring billions of dollars into setting up a vast bureaucracy to manage all these keys, years of effort into design and implementation, and multiple acts of Congress to set up a legal framework for all this, I’ll click a few mouse buttons and spend $5 to buy end-to-end encryption software from an overseas supplier. And the US Government will have no ability to regulate me. All that money. All that time. All that effort. All wasted. Child molesters, robbers, murderers, terrorists, you name it, will still use encryption.

Politicians like Rosenstein will argue that this notion of a key bureaucracy is a strawman, and if only tech companies used all their brainpower to come up with better ideas, we could achieve responsible encryption. Rosenstein and the politicians are wrong. Encryption depends on keys and algorithms. There are two ways to grant government access to encrypted communication. Either give government access to the keys or weaken the algorithms. Both have so many opportunities for abuse, and so many easy workarounds, that the cure is worse than the disease.

The tech industry, and every cyber-security expert I know of, is not putting profit above safety here. We’re just telling the truth.

I want to thank Ryan Conley with Bigger Law Firm, a publication dedicated to legal news, for quoting me in its article.  Here is a link.


Care and Share to be Prepared – Part 1, Caring

I’ve tried and failed to convince more people than I can remember why they should care about Internet security.  Typical responses include eye rolls, yawns, looking at their watch, and taking “important” cell phone calls. Yes, I do notice.

As an IT and security professional, I’m used to being ridiculed, ignored, and marginalized.  It should have an acronym, say, RIM, because it happens all the time, and it should be a verb, as in, “I was RIMed again.”

One organization leader offered this helpful feedback: “Just tell me what I need to know in twenty-five words or less.”  A few bystanders chuckled; another tech-weenie failing in an adult conversation.

It’s frustrating when nobody listens. When people say they want everything they need to know packaged into twenty-five words or less, the real message is, they see no value in learning anything about the subject matter because it’s somebody else’s problem.

But, in fact, they’re playing Russian Roulette.

Don’t believe me? Isn’t all this just meaningless numbers and letters on a computer screen?  Isn’t cyber-security a job for big companies and the NSA? Ask former US Senator, Norm Coleman about that.  Or the former Target CEO.  Or the former US Office of Personnel Management Director.  Or several top officers at Equifax.  Or a few identity theft victims.  Or millions of people now exposed to extortion, blackmail, and identity theft because of data breaches.  I don’t know about you, but I’m tired of watching CEO after CEO parade in front of the TV cameras to claim they take security seriously.  I have a hunch many of us want to ask the obvious question — if you take security so seriously, why don’t you do anything about it?

More than a year after publishing “Bullseye Breach,” a thought came to me. What if I could give busy people everything they need to know about security in twenty-five words or less?  If we give ’em what they want, maybe we won’t be RIMed so often.  Maybe they’ll pay attention.  And then the answer came.  Everything busy people need to know about cyber-security, packed into a six-word rhyme.

Care and share to be prepared.

Nineteen words to spare.  Care enough about Internet security to take action, share what you learn liberally.  I’ll talk about sharing in part 2 (here is a link).  Here, in part 1, I’ll make the case for caring.

If you’re a busy CEO, stop brushing off your security specialists with stupid excuses like, “We sell hammers.”  No matter what your organization does, private sector, public sector, nonprofit, you name it, the information you keep is your most valuable asset.

Think about that.  How much cash do you have?  What’s the secret formula for your world-changing invention?  How much inventory do you have on-hand?  Think about any hard asset or attribute about your organization. What good is any of it if you don’t know about it?  Criminals see value in your information; that’s why they keep stealing it.  Hello?  That should tell you something.  Stop treating your information as an afterthought.

I remember a meeting with a CEO a while ago.  He told me he liked to download and install random software on his laptop and then hand it to his IT Department to fix when it broke. He said it made his IT staff sharp. I have a hunch his IT staff had a different opinion.

Arrogant, ignorant, and proud of it is a dangerous combination for a leader.  Learn to respect the people who stay up all night keeping your company running while you spend quality time with your family.  Unless you enjoy facing TV cameras and resigning in disgrace.

If you’re a busy tech professional, maybe a software developer or system administrator, keep security and layers of defense in mind. Always. I saw a discussion with a rookie developer who did not understand why it was important to protect a few important files against access by anyone logged in. His argument was, only administrators should access this system, so why go to the extra trouble of denying read access to the world? Wrong. Should and is are seldom the same, and what happens if a non-administrator somehow gets inside that system? The community gave that developer a lesson on layered defense. I hope he took it to heart.
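The layered-defense point above, turned into a small audit-and-fix script. This is an added example, not code from the original post or from the discussion it describes. It assumes a POSIX filesystem with Unix mode bits, and the file name `db_password.txt` and its contents are constructed for the demonstration; the idea is simply that a sensitive file should be readable by its owner only, regardless of who "should" be logged in.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that grant any access to users other than the owner (group and "other").
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO

# Owner read/write only: the mode a secret file should have (0600).
OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR


def is_world_accessible(mode: int) -> bool:
    """True if the permission bits grant group or other users any access."""
    return bool(stat.S_IMODE(mode) & NON_OWNER_BITS)


def audit_permissions(paths):
    """Return (path, octal mode) for every file that non-owners can read, write or execute."""
    findings = []
    for p in paths:
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if is_world_accessible(mode):
            findings.append((str(p), oct(mode)))
    return findings


def harden(paths):
    """Restrict each file to owner read/write (0600) and return the resulting modes."""
    new_modes = {}
    for p in paths:
        os.chmod(p, OWNER_ONLY)
        new_modes[str(p)] = stat.S_IMODE(os.stat(p).st_mode)
    return new_modes


def demo():
    """Constructed scenario: a secret file left world-readable, audited, then hardened.

    Returns (findings before hardening, findings after hardening)."""
    with tempfile.TemporaryDirectory() as d:
        secret = Path(d) / "db_password.txt"  # hypothetical sensitive file
        secret.write_text("hypothetical-secret\n")
        os.chmod(secret, 0o644)  # the usual default: anyone on the box can read it
        before = len(audit_permissions([secret]))
        harden([secret])
        after = len(audit_permissions([secret]))
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check deliberately ignores who is currently allowed to log in: if a non-administrator ever lands on the system through some other weakness, the 0600 mode is the layer that still holds.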

If you’re a busy Internet user, educate yourself on the basics.  Just like our great-grandparents recognized basic literacy was important in the horse and buggy days, we need to recognize that basic Internet literacy is even more important today.  The Internet is here to stay.  It’s past time for the public to learn about the dark side of free cell phone ringtones and social media and search engines.

I’ve cleaned more computer viruses than I can count.  Reactions are always the same; people are mystified by how that malicious software got inside their computer, they’re usually worried about the family taxes and 20,000 pictures they never backed up, they still think lonely teenagers launch Internet attacks from their bedrooms, and they’re amazed when I tell them about botnets.

When I was an independent consultant, one end user complained they were unable to access email. I asked what email program they used. The answer: “I click on ‘email.’” followed by the usual eye-roll. Another tech-weenie asking meaningless questions.

Ignorant and proud of it is dangerous for everyone, not just leaders.  It has to stop.

How you care for the confidentiality, integrity, and availability of your data, whether you’re an organization leader, a tech professional, or anyone else, speaks volumes about how much you care about overall quality.  It’s not just a tech thing – it’s how you approach life.  If caring about cyber-security is too techie for you, then care about quality.  Your identity and millions of your stakeholders’ identities could depend on it.