Paranoid Technology All things cybersecurity


Forget Weak Encryption, Rely on OpSec Fundamentals & Human Intelligence

LooseTweetsHillary Clinton recently joined the growing chorus of politicos suggesting that Silicon Valley tech giants need to stop treating the government like an adversary and calling for collaboration to “find solutions” to encrypted communication. “Finding solutions” meaning weakening encryption so that the US government has a legal means of eavesdropping on what would otherwise be private communications – not only among terrorists, but also among people in the (much) larger population.

This begs the question, is weakening encryption the only means of improving national security? Reviewing the recent attacks, there are a few important things to note: the terrorists in Paris were not using encrypted communications; that said, ISIS does have a sophisticated OpSec manual – which shows their heightened awareness of encryption technologies and means to maneuver around them; plus, several other nation states (the U.S. and Germany among them) shared intelligence with France on either the attacks or on the attackers that wasn’t acted on in a timely manner.

Putting aside these other programmatic gaps, let’s assume that weakening encryption is the only means of improving security. For the government to have “back door” access to any encrypted application or systems, the country would need to be operated as an enormous Public Key Infrastructure (PKI), with the government as the top level certificate authority (CA) for all domains and communications; it would issue all certificates for encryption, which would also conveniently enable surveillance.