Euro Security Watch with Mathew J. Schwartz

Encryption & Key Management , Next-Generation Technologies & Secure Development , Security Operations

Highlights of RSA Conference Crypto Debate

Apple, FBI, Going Dark and Beyond
Highlights of RSA Conference Crypto Debate
RSA crypto panel: Who fears going dark? (Photo: Schwartz/ISMG)

In previous years, heading into the annual RSA Conference in San Francisco, key themes included endpoint security, advanced persistent threats, nation-state attackers and threat intelligence.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

But this year, the sheer pace of updates in the latest installment of Crypto Wars 2.0 - encapsulated by the FBI versus Apple battle - seemed to outpace anyone's attempt to gain control of the "spin cycle." Changes were simply coming too fast to try to do more than anything but keep up.

Here are five crypto debate highlights from the conference:

1. Justice Department: Hearts and Minds Campaign

How ironclad is the court order obtained by the FBI, which requires Apple to help it unlock an iPhone seized during the course of the investigation of the San Bernadino, Calif. shootings? Loretta E. Lynch, Attorney General of the United States, argued in an RSA keynote that the Department of Justice needs to be able to "fully investigate" crimes and broadly called on the technology industry to make that happen. "We have to be engaged in open dialog so that we can draw on each other's resources, hear each other's concerns and draw on each other's perspective."

Asked what sort of middle ground she might be proposing, however, Lynch said "the middle ground is to devolve to what the law requires." Her "it's either the government's way, or the highway" argument drew audible hissing from the audience, suggesting that if the government is currently executing a backdoor-related "hearts and minds" campaign - as it appears to be doing, likely hedging its bets against related court cases failing - then it has failed to sway large swaths of the U.S. technology sector. Indeed, some of the biggest names in technology are backing Apple's side (see Apple, FBI Battle Before House Judiciary Committee).

2. No One Party Line

But not all U.S. officials or legislators in attendance at RSA voiced agreement with Lynch. House Homeland Security Committee Chairman Michael McCaul, R-Texas, for example, noted in a session that the law will always lag behind technology. He said that where the crypto debate is concerned, he wants to assemble a panel of experts to find the best way forward.

U.S. Secretary of Defense Ashton Carter also dismissed any attempt to add backdoors to products. "I'm not a believer in backdoors," he said at the conference. "It's not realistic and it's not technically accurate."

3. Cryptographers Agree: Backdoors are Bad

Five out of five famous cryptographers also agree: Backdoors are bad. That was the message at RSA's opening day "Cryptographers' Panel" (see RSA Conference Debates Apple vs. FBI).

For proof, the sixth panelist - security and privacy expert Moxie Marlinspike, founder of Open Whisper Systems - referenced Juniper Networks, and its ScreenOS firmware, which security experts believe was backdoored by up to three countries' intelligence agencies, beginning with what many believe was the U.S. National Security Agency (see Who Backdoored Juniper's Code?).

Ironically, however, if the NSA was behind the initial backdoor, that enabled rivals or adversaries to then add their own backdoors. Juniper devices, however, are widely used, including by U.S. government agencies, such as the Office of Personnel Management, Marlinspike said. That raises some interesting - and as yet unanswered - questions. "It's entirely possible that a U.S. government backdoor was eventually used to compromise the U.S. government," he said.

4. Going Dark Warning

In her RSA speech, Attorney General Lynch repeated U.S. government warnings that its investigatory capabilities are being eroded as more people begin using devices and services that offer encryption. "As you know, the going dark problem is a very real threat to law enforcement's mission to protect public safety and ensure that criminals are caught and held accountable," she said.

5. Expect End-to-End Encrypted Messaging

But at the conference, Marlinspike referenced Apple's plans to build a device that not even it could hack, thus taking itself out of the loop when it comes to anyone - FBI or otherwise - attempting to conduct surveillance on its customers (see Report: Apple Building iPhone It Can't Hack). He said that in light of the FBI attempting to compel Apple to bypass security features built into its devices, and following Edward Snowden's NSA revelations and the realization that the FISA court was rubber-stamping U.S. government requests, the push for default crypto was only natural.

In fact, he predicted that Apple's move will be emulated by many more technology firms, and that everything from Facebook Messenger to the WhatsApp mobile messaging app would soon build in end-to-end encryption by default.


Moxie Marlinspike discusses end-to-end encryption as part of the Cryptographers' Panel at RSA 2016.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.