The Cyber World Is Falling Apart And The DOJ Is Calling For Weakened Encryption

It seemed like the (mostly) one-man War on Encryption had reached a ceasefire agreement when "Going Dark" theorist James Comey was unceremoniously ejected from office for failing to pledge allegiance to the new king president. But it had barely had time to be relegated to the "Tired" heap before Deputy Attorney General Rod Rosenstein resurrected it.

Rosenstein has been going from cybersecurity conference to cybersecurity conference raising arguments for encryption before dismissing them entirely. His remarks have opened with the generally awful state of cybersecurity at both the public and private levels. He says encryption is important, especially when there are so many active security threats. Then he undermines his own arguments by calling for "responsible encryption" -- a euphemism for weakened encryption that provides law enforcement access to locked devices and communications on secured platforms.

Considering recent events, this isn't the direction the DOJ should be pushing. Russian hackers used a popular antivirus software to liberate NSA exploits from a contractor's computer. Equifax exposed the data of millions of US citizens who never asked to be tracked by the service in the first place. Yahoo just admitted everyone who ever signed up for its email service was affected by a years-old security breach. Ransomware based on NSA malware wreaked havoc all over the world. These are all issues Rosenstein has touched on during his remarks. But they're swiftly forgotten by the Deputy Attorney General when his focus shifts to what he personally -- representing US law enforcement -- can't access because of encryption.

DAG Rosenstein needs to pay more attention to the first half of his anti-encryption stump speeches, as Matthew Green points out at Slate:

[A]ny technology that allows U.S. agencies to lawfully access data will present an irresistible target for hackers and foreign intelligence services. The idea that such data will remain safe is laughable in a world where foreign intelligence services have openly leveraged cyberweapons against corporate and political targets. In his speech, Rosenstein claims that the "master keys" needed to enable his proposal can be kept safe, but his arguments are contradicted by recent history. For example, in 2011 hackers managed to steal the master keys for RSA's SecurID authentication product-and then used those keys to break into a slew of defense contractors. If we can't secure the keys that protect top-secret documents, it's hard to believe we'll do better for your text messages.

Rosenstein is steering everyone towards his new term "responsible encryption" but there's nothing responsible about creating a set of encryption keys for lawful access. It may not necessarily be a backdoor -- a term Rosenstein is trying hard to distance himself from -- but it is a hole that wouldn't otherwise exist. And if keys are created and stored by manufacturers and platform providers, the chance malicious hackers can find them will always remain above 0%.