Privacy has been getting a lot of attention lately. And with good reason, given the increasing occurrences of privacy breaches, personal information records breaches, all the many new types of smart devices being used by more and more people, and the collection of more personal and associated data than ever before. It would appear that the 2014 Sony hack was the tipping point that motivated US President Barack Obama to propose the Personal Data Notification & Protection Act and the Student Digital Privacy Act on 12 January this year. It was encouraging to see this new interest in taking steps to better protect personal information—not only for improving personal privacy of US residents, but also to help show the rest of the world that the US is moving beyond having a patchwork set of privacy laws and being considered as an “inadequate” privacy protections country by the rest of the world, to moving forward with actions to better protect personal information throughout all industries, and not just a chosen few that exist in the US today.
However, on 16 January, the White House released a statement showing their support of an announced UK goal to outlaw encrypted messages and other communications unless the government is given a backdoor to decrypt such communications. These two messages from 12 and 16 January are in direct conflict with each other. You cannot achieve privacy without strong information security, and you cannot have strong information security when tools have backdoors built into them. This is an Information Security 101 lesson that has been taught for decades, but seems to have been lost (or never learned) by leaders making decisions that impact everyone’s privacy and information security. It is also something that all information security professionals need to make sure their own organization leaders understand.
Here are five important and compelling facts that government and other types of organizational leaders need to know:
- Backdoors can often be exploited accidentally, resulting in great harm. Backdoors in technologies are nothing new. Hearken back to 1988 when the Morris worm became the first widespread Internet attack. It spread quickly and destructively to infect systems and spread widely by using backdoors purposefully built into technologies. The backdoors in that case were a set of secrets then known by a small technically proficient group of Internet users. One error resulted in a large-scale attack that disabled many systems and brought the nascent Internet to a virtual standstill. Lessons were not learned, were they, if leaders still want to build backdoors into technology systems. As a systems engineer at a large multi-national organization at the beginning of my career, I saw fellow programmers building in backdoors and hardcoded passwords that “only they knew” (and of course anyone else examining the code) at the urging of their managers, many of which resulted in significant systems outages and program mistakes once they were put into production through accidents, which caused unforeseen problems.
- Backdoors will not remain a secret. Backdoors will be discovered and used by the adversaries and crooks they were established to find in the first place. This is not a new truth. History demonstrates that so-called “secret” technology backdoors are dangerous, put the associated systems at risk, and lead to breaches and security incidents. And the more people that know about each backdoor, the more dangerous having such backdoors will become. Consider another real-life example. In 2013, the security company Barracuda had an undocumented backdoor in its security tool that allowed high levels of access from the Internet addresses assigned to Barracuda. However, when it was publicized, as of course secrets will be when humans are entrusted with them, it became extremely unsafe and Barracuda’s customers said they didn’t want it. There is no such thing as a “secret” backdoor if even one human knows about it.
- Backdoors created to fight crime will be used to commit crime. Proficient enemies who are looking for vulnerabilities in security technologies know how to exploit the weaknesses when they find them. It has happened many times before. One example of how attackers can use backdoors placed into systems occurred in Greece’s largest commercial cellular network operator. Switches installed in the system came with built-in wiretapping features created specifically for authorized law enforcement agencies. A yet-to-be-identified attacker was able to install software, use these embedded wiretapping features to secretly, and of course illegally, collect the calls from many cell phones, including those belonging to the Prime Minister of Greece, a hundred high-ranking Greek dignitaries, and a US Embassy employee in Greece. The crooks are also willing to pay large amounts for the details on such built-in backdoors and other types of unpublished vulnerabilities. An undisclosed vulnerability in widely used commercial software reportedly sells for US $160,000, on average, on the black market.
- Backdoors and other types of weakened security create opportunities for malicious insiders and the authorized unaware. Humans are the weakest link in information security, and trusted insiders present the greatest threat to systems and information. Edward Snowden has become the poster child for the high risks and consequences of trusted insiders that break their promises to keep the secrets entrusted to them. Even though he started releasing his pilfered data in June 2013, he still continues to trickle out large chunks of stolen data, such as the F-35 blueprints he recently posted that had already been obtained by Chinese hackers.
- Backdoors in technology hurt business success and thwart technology advances. If weakened security in commercial products and services is the result of a national policy (as opposed to other causes, such as human error or corporate interests), this weakened security harms the nation economically. After having so many privacy breaches impact hundreds of millions of individuals, consumers justifiably want products and services from companies that they believe are building secure technology and that do not build in backdoors, regardless of who told them to do so. Implementing such policies could have a significant negative impact on competitiveness in the information technology sector. For example, Forrester Research Inc. estimates that recent allegations about US data surveillance activities may have reduced US technology sales overseas by as much as US $180 billion, or 25 percent of information technology services, by 2016. The government could be significantly damaging the economy even more if they would require such backdoors to be installed within security technology products that are used by consumers throughout the world.
Governments and other entities with goals of creating backdoors in security technologies, by a well-intended but fatally flawed attempt to improve security, could ultimately compromise information security and privacy and make systems and data more vulnerable. Data Privacy Day on 28 January is an opportune time to point out, to government leaders, business leaders and individuals, that privacy protections are weakened when information security protections are weakened. There are ways to ensure a country’s security without making security tools, such as encryption, weak and vulnerable to exploitation.
Rebecca Herold, CISA, CISM, CIPM, CIPP/IT, CIPP/US, CISSP, FLMI
CEO of Rebecca Herold & Associates and partner of Compliance Helper
Member of ISACA’s Privacy Task Force