You have to admit that the US government has a pretty dismal record when it comes to computer security.
In just the last year, the Office of Personnel Management (OPM) revealed that hackers had stolen the personal information of more than 20 million current and former federal government applicants and employees. The stolen data included more than six million fingerprints — considered the “gold standard” for proof of identity.
If that wasn’t enough, the IRS acknowledged it also had suffered a massive data breach, with hackers stealing information of more than 300,000 taxpayers to claim more than $50 million in bogus refunds. And just a few months later, the IRS admitted that the system it used to identify taxpayers electronically had itself been hacked!
While I don’t consider myself an expert on computer security, I can tell you the steps I would take if an organization I ran suffered breaches of this magnitude. The first thing I would do is pull the plug. Take the systems offline — completely — until the vulnerabilities were isolated, repaired, and then tested under a variety of attack scenarios.
The second thing I would do would be to encrypt everything on both infected and non-infected networks. And by “everything,” I mean exactly what that word indicates.
With encryption software, no one but you and your intended recipient can read your email messages, text messages, instant messages, etc. You can even encrypt your entire hard disk to protect everything on your PC from prying eyes. If hackers managed to penetrate your network, all they’d see is unintelligible gibberish.
For instance, here’s a link to a message I just wrote to myself in an encrypted format.
Can you tell me what it says?
Give up? The message is simply, “Encryption works.”
However, encryption doesn’t just help protect the communications of good people. It also protects the communications of criminals and terrorists. For that reason, some people think that the government should always have a convenient way to unlock encryption to read, listen, or view messages. A “back door,” if you will.
That’s a really horrible idea, because strong encryption is really the only certain way to protect sensitive databases like the ones hackers penetrated at the OPM and IRS. And of course, there’s a very real prospect that hackers might discover the back door. That’s happened on numerous occasions in the past.
For instance, when encryption first came into the forefront in the 1990s, police and intelligence agencies worried about “going dark” — not being able to monitor the encrypted communications of criminals and terrorists. The Clinton administration responded with a proposal for an electronic circuit called the “Clipper Chip.”
The purported advantage of Clipper was that it provided a standard for securing private voice communication. With Clipper, however, the government would hold a back door — a key that could be used to unlock encrypted conversations. Congress refused to go along with the scheme after a researcher discovered the actual back door in the Clipper design. It would allow anyone with the knowledge of the compromised algorithm to listen in. And some in Congress figured out that it wouldn’t do much good anyway, because criminals seeking to protect their communications would simply use equipment or software created outside the US.
But apparently some members of the US Senate have short memories. On April 7, the leaked text of a bill called the “Compliance with Court Orders Act of 2016” showed up online. Basically, it would require communications companies presented with an “authorized judicial order for information or data” to provide end-to-end unencrypted data to law enforcement.
Essentially, the proposal would criminalize user-controlled encryption in every modern smartphone. In addition, “license distributors,” such as Apple iTunes or Google Play, could only distribute software that’s in compliance with these requirements. Essentially, anyone posting an app on any US-based software distribution platform would have to prove to the distributor that Big Brother — or anyone else who found the back door — could unlock whatever encryption it included.
Not surprisingly, the US tech industry reacted with horror to this proposal. Michael Beckerman, president and CEO of the Internet Association, put it succinctly: “The draft legislation, as currently written, creates a mandate that companies engineer vulnerabilities into their products or services, which will harm national security and put Americans at risk.”
In response, the sponsors of the bill — Senators Diane Feinstein (D-CA) and Richard Burr (R-NC) — cut and pasted a bit and came up with a slightly less draconian proposal. The only real difference from the leaked draft is that the bill narrows the scope where the legislation would apply: in cases involving drug offenses, child victims, foreign intelligence operations, or any other offense that caused or could cause death or serious injury.
Fortunately, this bill doesn’t have a snowball’s chance in Hell of passing. President Obama hasn’t endorsed it, and there is concerted opposition within the Senate Intelligence Committee to the proposal. But all bets are off if there’s a terrorist attack on American soil where encryption plays a role. At that point, voters will be baying at Congress to “do something.” And you can count on Congress to enact very stupid legislation that could mandate some type of encryption back door.
What’s almost laughable about this entire effort is that as I pointed out a moment ago, it would be incredibly simple to bypass these restrictions entirely. Anyone who wants to communicate privately would simply need to use non-US encryption products without the built-in back doors.
It wouldn’t be a bad idea to prepare yourself for this development by starting to use non-US encryption technologies. There’s a summary of the encryption resources we use to protect our communications and data in this article. You might want to start using these tools yourself, if you’re not already doing so.
Are you into beautiful Costa Rica?
All interesting things you want to know about Costa Rica are right here in our newsletter! Enter your email and press "subscribe" button.