If there are buzzwords at this year’s RSA conference, they are without question “mistrust” and “NSA.” And if there’s anywhere the irrefutable impact of the “Summer of Snowden” reverberates, it’s through the corridors at the Moscone Center in San Francisco, CA.
Tuesday morning’s keynote panelists expressed their “shame” and “shock” upon first hearing the revelations, in particular, that the U.S. government had intentionally thwarted national standards to get the data it wanted. Panelist Whitfield Diffie of SafeLogic said the shock to him was that he had always believed the National Security Agency (NSA) was “100-percent interested in the security of American communications.” But then he read of the NSA’s workarounds of NIST standards.
“The U.S. government has become an advanced, persistent threat,” said Adi Shamir of Israel’s Weizmann Institute of Science, the only panelist who was not American.
Panelist Brian LaMacchia of Microsoft Research said he was especially surprised by the multiple attempts the NSA made to get access to data it wanted. If one data retrieval mechanism failed, he said, the agency simply moved on to another method. It was downright aggressive.
“I guess, if you have a budget that big, it’s easy to do,” he said.
But just because it’s easy doesn’t mean it’s a good idea, right?
Moderator Paul Kocher of Cryptography Research, Inc., asked the panel: Are there lines that shouldn’t be crossed? In the medical field, for example, doctors take a Hippocratic Oath that they will “do no harm.” So are there certain things a CISO should never do?
Whitfield said ethics are essential, but ethics without some mechanism of discovery and enforcement are “not going to do anything but provide cover to people who have no ethics.”
But who carries the nightstick? Should the government be the enforcer, or even involved in ensuring the privacy of its citizens? MIT’s Ronald Rivest said we’re still in the business of figuring that out.
In the meantime, what should we do differently? If the government is going to ignore standards like NIST, what can be done?
Maybe it’s not all broken, Shamir said, noting that it’s important to distinguish between the application and the mathematics of cryptography.
“The silver lining in the Snowden revelation is that there wasn’t any indication that the NSA was able to break any of the major cryptography systems,” he said. “If you look at all the documents, there’s no indication they were able to break the mathematics. But it’s the Windows, Androids and endpoint security which is suffering.”
While the government didn’t break the cryptography, it was able to bypass it, LaMacchia added, indicating that what’s essential now is to improve the infrastructure around the core algorithms, if not the algorithms themselves.
If new standards are needed, given that such workarounds were possible, Kocher asked the panel who should be in charge of that forward march?
Whoever it is, Shamir said, it shouldn’t be the U.S. because “we don’t trust the U.S. government from a worldwide perspective.”
Shamir noted that a United Nations (UN) agency, the International Telecommunications Union, is looking to add “governing the Internet” to its list of responsibilities.
“I’m not a big fan of this highly politicized organization,” he said of the UN. “We should find some group of technical people, people who will not be under the control of the U.S. and sufficiently trusted by the rest of the world.”
A standards organization should be involved, panelists said, and it should be an open process in which reasonable discussion and debate can occur.
If new algorithms are someday adopted in the name of data protection, going with what’s fastest might not be the best idea, Rivest said. Rather, the standards should be relatively conservative.
Shamir agreed, saying efficiency should take a back seat to security. Oh, and then there’s that whole privacy thing to worry about, which the panelists confessed they aren’t above as end-users themselves.
“Privacy is something that concerns a small percentage of the world’s population; maybe slightly higher in this room,” Shamir said to the crowd. “I’m really worried not only about my data being kept by the NSA, but my personal data being kept by my telephone company, by Gmail and by all the other cloud services which make life very convenient. I deposit my data to them, and I’m trading off this privacy for convenience.”
Shamir isn’t alone in his concerns. While it may have once been thought in industry crowds such as this that it’s impossible to build a successful business model on privacy’s back, there are signs of user traction indicating privacy is now a fundamental part of business propositions, LaMacchia said.
Looking at a future in which consumers continue to vote with their feet on privacy, LaMacchia said it might come down to consumers virtually buying it back; maybe, for example, consumers stop using their discount cards at the grocery store, knowing if they do it will track all of their purchases. Sure, you give up the discounts, but you gain something pretty valuable, too.
“There, you have a very clear mapping between ‘how much extra am I going to pay for not disclosing my purchase history,’” he said. “Users seem to now mind giving up privacy.”