Everything is broken and state-sanctioned backdoors are everywhere
UPDATE: for an updated verison of this event background post, see The Challenges page.
First, everything is broken. Revelations on systems and programs like NSA Turbine, NSA FoxAcid and Hacking Team, have shown the huge scalability – in terms low of risk and cost – of complete comprimization of end-point devices, by numerous public and private actors, and even more numerous actors that trade or lend such capabilities. It’s become clear that no IT system that assumes need for trust in any one person or organization – and there are none – can be considered meaningfully trustworthy.
What’s being doen? On the first issue, IT security industry create solutions that either are based on or add to systems which are non verifieable in critical parts, and whose complexities are way beyond what can ever be adequately verified; while IT privacy activists push simlarly inadequate existing free-open source privacy tools to the masses, while justincreasing usability, or at best seeking inadequate small grants for very inadequate complexity reduction, and increases in siolation and auditing.
Second, state backdoors are everywhere. State-mandated backdoors – legal hidden or public like the telephone interception systems – or state-sanctioned backdoors -l ike undisclosed critical vulnerabilities created, acquired or discovered, and then legally or illegaly used – are in nearly all IT devices, today.
What’s being done? On the second issue, almost all citizens recognize the benefits of enabling due process lawful access for criminal investigation, but grave incompetence and abuse by states have brought half the population to believe that such access cannot be ensured without unacceptable risks for citizens’ liberty. Over the last decades, democratic nation states have repeatedly proven to be utterly incapable of either socio-technically design, or legally oversee, or set adequate socio-technical requirements for due process lawful access systems and processes.
Everything is broken, easily.
This situation is mostly due to 2 structural, and possibly interlinked, problems:
- The lack of sufficiently extreme and comprehensive standards for high-assurance IT services that provide meanigful confidence to end-users that the entire life-cycle of its critical components are subject to oversight and auditing processes, that are comprehensive, user-accountable, publicly-assessable, and adequately intensive relative to complexity. According to a recent ENISA report as many other expert reports, highlights: “At the time of writing, there is no single, continuous ‘line of standards’ related to cyber security, but rather a number of discrete areas which are the subject of standardisation”
- The decisive actions, by state security agencies, to maintain pre-Internet lawful access capabilities– since the popularization of alghorhytmically-unbreakable software encryption in the 90s – through huge sustained investments in the discovery and creation of critical vulnerabilities, throughout the lifecycle and supply chain of virtually all ordinary and high-assurance IT technologies. Furthermore, the covert nature of such programs has allowed for decades such agencies (and other advanced actors) to remotely and cheaply break into virtually all end-points thought to be safe by their users – with extremely vague accountability – as well as covertly overextend their preventive surveillance capacities.
IT security and privacy is a complete debacle from all points of view. EU citizens, businesses and elected state officials have no access, even at high cost, to IT and “trust services” that are NOT remotely, undetectably and cheaply compromisable by a large number of medium- and high-threat actors. Criminal entities that are most well-financed avoid accountability through effective use of ultra-secure IT technologies, or by relying mostly on advanced non-digital operational security techniques (OpSec). National defenses are increasingly vulnerable to large scale attacks on “critical infrastructure” by state and non-state actors, increasingly capable of casuing substantial human and economic harm.
EU IT security/privacy businesses are increasingly unable to sustainably compete and innovate as they are unable to differentiate on the basis of meaningful and comprehensive benchmarks. They are also increasingly unable to convince users to investing in fixing vulnerabilities in one part of their systems, when most-surely many other remain in other critical parts, which are known to the same kind of threat actors. In a post-Snowden World, the success of even high-asurance cyber-security systems are increasingly “security theatre”, because even the highest-assurance systems in the civilian market contain at least one critical vulnerability, accessible in a scalable way by even mid-level threat actors, with very low risk of discoverability and attribution. So therefore it is almost impossible to measure and sustain the actual overall security added value of any new security service, and related risk management strategies, even before assessing the increase in attack surface and vulnerabilities that any new product entails.
All the while – such security agencies’ media success in wildly overstating the “going dark” problem – has enabled them to gather substantial political and public opinion consensus for: (1) unconstitutional surveillance practices gravely affecting non-suspect citizens, and often the granting multiple redundant legal authorities; (2) the possibility to regularly press politicians and public opinion with the need to “outlaw” encryption and/or extend to all digital communications inadequate lawful access mandate traditionally reserver to telephone operators.
State-mandated or state-sanctioned backdoors are nearly everywhere, today.
The critical vulnerabilities that make so that everything is broken are nearly always either state-mandated or state-sanctioned backdoors, because the state has either created, acquired or discovered them, while keeping that knowledge hidden, legally or illegally.
After Snowden, nearly all IT privacy experts and NGOs are up in arms to fight a 2nd version of the 90s’ Crypto Wars to prevent backdoors in IT systems to be mandated by nations, in the wake of “terrorism threats”. Most are mostly focused on (a) pushing existing free-open source privacy tools to the masses, while making them more user friendly and incrementally safer with small grants and (b) going out there to campaign to fight the 2nd Crypto Wars to prevent the government to create official backdoors.
Most IT privacy experts and activists have not noticed, and are fighting on a far away imaginary frontline, when their cities are occupied by the enemy, undefended.
Meanwhile, they propose nothing about what we should do about those the backdoors and/or critical vulnerabilities that already exist everywhere. Almost no-one challenges state security agencies pretence that they are “going dark” to trumpet the dire need to find ways to enable lawful access, when they overwhelmingly are not, not even for scalable targeted attacks.
First off, the 1st Crypto War in the 90’s was not won but lost 3 times over. In fact, while the US and other government backtracked on their proposal for a ill-conceived mandatory backdoor (such as Clipper Chip), the most powerful states, over the next 2 decade, : (1) state security agencies have have surreptitiously and undetectably place backdoors nearly everywhere, with no or much worse due process oversight, compared to the already terrible lawful interception systems; (2) Tons of valuable targets, even very very up there, have kept using IT devices that they thought lacking backdoors, but which were unknowingly snooped upon for years or decades; (3) They’ve prevented even a demand for meaningful IT devices to be developed, which did away from the need of trust in a tons of untrustworthy actors and individual along the device life-cycle.
What is a backdoor? a state backdoor?
Let’s backtrack, and make some necessary clarity in ill-defined terms.
To clarify what we mean, we necessarily need to try to understand together what a backdoor, a critical vulnerability and a state-sanctioned backdoor.
A vulnerability is weakness in a software, hardware or human process component of a computing experience or service, for which exploitation means (information, techniques, software and/or hardware) exist or can be built, which gives an attacker the capability to impede expected actions and/or enact unexpected actions.
A backdoor is a critical vulnerability which at a given time is known and actionable to one or more entities, whose existence and/or its exploitation means details are kept hidden to most or all end-users. Such capability can be obtained through engineering subversion, acquisition or discovery. May or may not be legal and illegal. It may allow access to all data or all users, or to targeted selections.
A state-mandated backdoor is a legal and mandatory critical vulnerability and desgin by the state for a specific IT system component. It includes any current mandatory lawful interception system for telephone operators; the 90’s Clipper Chip proposal; but also any critical zero-day vulnerability, which is publicly undisclosed but legally-authorized for certain uses. Mandatory lawful interceptions systems for telephone operators are subject to national regulations – often inspired to international standards such as ETSI or NIST – which specify incredibly incomplete and inadequate technical and organizational to prevent their wide abuse. As telephone moves to IP and LEA access to such functionality is enabled from remote through VPN connections among loosely-specified end-points, the possibility of wide scale undetected abuse increase exponentially. These are gradually being expanded to other IP communications.
A much wider set of state backdoors are state-sanctioned backdoors. These include critical vulnerabilities illegally-used by state agencies, with extremely low level of accountability, due to impunity through pardons, state security claims during legal proceeeding, and more. It has emerged, in fact, that powerful state agencies have surreptitiously implanted – or illegally acquired, fept hidden or utilized – critical vulnerabilities in nearly all IT systems, that can be exploited and managed scalably and undetectably, even for nearly all highest-assurance devices, for hundreds of thousands or millions of devices. And they extensively and widely share, trade or “lend” with other agencies and nations. These are overwhelmingly extremely scalable in terms of cost per user, and risks of discoverability and attribution.
Though illegal, for state-sanctioned backdoors, it has proven to be extremely difficult to demonstrate malevolent intent of any involved parties in their non-disclosure or direct implantation of a critical vulnerability. It’s very easy to just claim to have made an error, or to not have known about it, with plausible deniability. Furthermore, the generally low or inexistent liability of vendors for critical vulnerabilities in their products, drastically reduces the economical risks of their direct involvement in such malevolent actions, which has been demonstrated by Snowden to be very common.
It is in the very definition of backdoor and state-sanctioned backdoor to be disguised as accidental critical vulnerabilities and human errors. These most probably include “errors” such as unencrypted sharing of smart-card master keys (Gemalto); SSH access keys to devices “forgotten” since beta testing phase) SSH access left “erroneously” for access (Cisco), and innumerable others.
Just a minute amount of sophisticated critical vulnerabilities – because of the nature of the target device manager skills and/or target device setup – carry cost in terms of detection, exposure of exploitation techniques and possibly some level of attribution, which are higher than average environmental interception.
Can new IT paradigms and certifications make a difference?
Maybe, let’s see.
On or more sets of new high-assurance IT paradigms and certification standards, that can support the creation of a wide, open and resilient ecosystsem that can:
- (A) build radically-more trustworthy IT services that are meaningfully and sustainably resistant to both critical vulnerabilities and state-sanctioned backdoors, mostly within current constitutional or legal frameworks;
- (B) seek ways to ensure that existing pubblic state-mandated backdoors, such as telephone lawful interception, be radically improved in their safeguards and oversight;
- (C) Explore ways in which provider-managed socio-technical systems, certified by competent and citizen-accountable independent – which possibly shift as much as possible the risk from technical to human organizational processes – could provide sufficient safegards for the citizen privacy and state security mandate for investigation.
However, over the last decades, states have repeatedly proven to be utterly incapable to either socio-technically design, legally manage, or issue proper standard requirements for socio-technical systems for due process lawful access. They have also been similarly unable to create voluntary or mandatory IT security standards, that were nearly sufficiently extreme and comprehensive.
Similarly, private initiatives such as Trusted Computing Group or Global Platform (trust services), have proven to align to the interests of the companies and of the states, and never of the liberties of the users, so long as no legal vendor liability for any large scale damage to such liberties, and noone else has been able to offer anything substantially more trustworthy.
So therefore, those standards will have to be primarily independent, international, highly-competent and citizen-accountable, and the role of the state can only be of official recognition of an already established and widely adopted standard, as it has happenend with the World Wide Web Consortium, but with wider user- or citizen-accountability to avoid having companies having too much control.