Pages

29 June 2017

Going Dark—Strong Encryption and Security (Part 1)

By Andrew Davies

The debate about law enforcement access to encrypted communications has flared up again recently. It seems that everyone has a view on the subject, including a string of American visitors to our shores: US Senator John McCain, former Director of National Intelligence James Clapper and security advisor Jake Sullivan. Local commentators on security issues have a view as well, including ASPI’s own Jacinta Carroll. And Australia’s Attorney-General has said that the government wants the law to be

…sufficiently strong to require companies, if need be, to assist in response to a warrant to assist law enforcement or intelligence to decrypt a communication.

This is a tricky public policy issue by any standard, and a sensible discussion requires some history to put the contemporary debate into perspective. The first thing to note is that this isn’t a case of the government wanting expanded powers under the justification of new security threats. It’s more a case of running to stand still—that is, governments around the world are trying not to lose capabilities they have enjoyed for some time. (For those keeping score, it seems to go back to around 1653 where Parliamentary systems are concerned.)

This post looks at how the world used to be for security agencies. I’ll come back to the contemporary challenges in a later one. Bear with me for some legalese to start with. The legislative basis for the Australian government to gain access to domestic telecommunications is the Telecommunications (Interception and Access) Act 1979. Section 191 of the Act says that:

Each carrier supplying a particular kind of telecommunications service that is not covered by any determination under section 189 but that involves, or will involve, the use of a telecommunications system must ensure that the kind of service or the system has the capability to: 

enable a communication passing over the system to be intercepted in accordance with an interception warrant; and 
transmit lawfully intercepted information to the delivery points applicable in respect of that kind of service. 

(Section 189 grants The Attorney-General the ability to use legislative instruments to ‘make determinations in relation to interception capabilities applicable to a specified kind of telecommunications service’. The issuing of warrants is covered in Section 9.)

In other words, a compulsory condition of being allowed to provide telecommunications in Australia is that the carrier must provide the government with access when presented with a warrant. In the days of copper telephony—which was pretty much all that was around when the Act was first drafted—almost all of the accessed communications would be unencrypted. (It’s likely that the main exception was encrypted communications to and from foreign embassies.)

Individuals associated with politically motivated violence or other groups of interest to the police and ASIO wouldn’t have had access to an encryption system. The telecommunication providers of the time had to adhere to a few industry standard protocols, most devices were analogue, and there was no internet data to worry about.

The landscape is now entirely changed. We now have a panoply of wholesale and retail suppliers of bandwidth, along which travels a wide variety of signal types. At both ends of the communication path data can be manipulated by apps and programs widely available on the world market. The providers of the ‘pipes’ that carry the data still have to provide access as per the Act, but now there’s a much higher probability that intercepted data won’t be immediately usable or, in the worst case for security agencies, won’t be able to be exploited in time to be useful.

Another significant change from the 1970s is that governments were in many ways at the cutting edge of cryptographic techniques. Capabilities developed over decades of experience in two world wars and the Cold War were ahead of those in the private sector. In fact, the US government pushed secure cryptography out into the commercial sector, in an early and successful attempt to protect commercial and financial sector transactions. The National Bureau of Standards, with significant input from the National Security Agency (NSA), released an IBM-designed cipher system in the late 1970s.

The Data Encryption Standard (DES) (technical description here) was used by the US Government for protecting sensitive but not national security classified information, and by banks and other businesses from 1977–2001. Not surprisingly, the involvement of the NSA led to some suspicions that ‘back doors’ had been engineered in. The NSA promulgated a modification to the scheme at one stage, prompting suspicions that the DES was being deliberately weakened to allow NSA access to encrypted material.

In fact, the suggested changes strengthened DES against a cryptologic attack known to the NSA at the time, but not discovered in the ‘outside’ world until the late 1980s. Through that pre-emptive measure, the NSA significantly strengthened the ability of the wider community to safely store and transmit data. Of course time marches on, and computing power caught up with the simplest version of DES. Although more complicated variations remain secure today, it has been replaced by the Advanced Encryption Standard.

Today, of course, the government’s prime positioning on strong encryption is but a distant memory. Techniques such as public key encryption (also discovered within government—the UK in this case—long before becoming publicly known) are widespread. There are many systems in use today that are difficult for even the most sophisticated governments to break into on a useful timescale. In my next post I’ll explore some possible ways ahead.

No comments:

Post a Comment