I’ve grown up reading Tom Clancy and probably most of you have at least seen Red October, so this book caught my eye when browsing used books for a recent trip. It’s a fairly human look at what’s involved in sailing on a Trident missile submarine…
I’ve heard the argument, “I’ve got nothing to hide. If it helps them catch the next guy, I’m all for it.” Even if that’s 100% true and even if every single person in goverment with access to the data is 100% genuine and sincere in doing his or her job, here are four issues that position misses.
The Bad Guys (Cyber Crime) Have Smart People
We know there are smart folks working for cyber criminals. Not all the folks working for them are smart. However, money is a powerful motivator and that does attract some very smart individuals. In some jurisdictions, criminal hacking activity is worn like a badge of honor and can get a person out of poverty. It’s the same idea as why the drug culture is celebrated by some.
What the government is betting on, even if it’s unintentionally, is that the bad guys aren’t smart enough to find and exploit the same back doors. This is a bad assumption. We already see evidence that some of the malware exploits we see are very sophisticated. It’s been assumed that there are backdoors. However, dedicating resources towards an assumption means pulling resources from what should be a sure thing for something that may not exist. As more and more stories come forward that say the backdoors are definitely there, it’s now about assigning more resources towards what should be a bigger sure thing, and one that cannot be stopped.
Consider what we use computer systems for now. You might not have anything to hide from the government. However, do you want your banking login, you credit card number, etc., swiped by a criminal?
The Bad Guys (Cyber Crime) Can Get Lucky
The government is also betting that the bad guys won’t “get lucky” and happen on to the backdoor and break it. Sometimes security vulnerabilities and bugs are found through a slightly uncommon use of a resource. All it takes is one of these and the backdoor is revealed and the criminals are in. And once they are in, they’ve got access to whatever you do on your computer.
Nation State Actors Can Allocate Nearly Unlimited Resources
A nation state actor can pull the code and decompile it and put a team of folks on the code to analyze it. They can take apart hardware components and, again, allocate a team, to figure out how it all works. If they suspect there’s a backdoor, then that team will be looking for said backdoor. And nation state actors can put their own smart people on these teams. This has an appeal that cyber criminals can’t generate – patriotism for one’s nation when one isn’t motivated by the money a cyber criminal can offer.
Why would they target a regular user? They could to provide a hop from inside the right county. They could to get info or access to somebody you do know.
Someone Could Decide to Sell Secrets
Fuchs provided information to the USSR from the British and American Manhattan projects. The Walkers provided classified information for years. A nation state actor can offer some big bucks. They can offer sex and drugs and appeal to other vices. That’s why our intelligence folks constantly run counter-espionage stings. Would they run such activities if their was never anyone to catch? Exactly.
Folks who are responsible for building the backdoors or who are knowledgeable to how they work or where they are can be turned and then the backdoor is no longer a secret. BTW, it doesn’t just have to be a nation state actor. Organized crime has done this, too.
So given these four issues, government required backdoors are a risk to everyone’s security. I can understand the mentality that leads to thinking it’s a good idea. It becomes a type of tunnel vision that filters out the possible negative impacts. Even if you are of the mindset that you have nothing to hide (from the government), you still don’t want those backdoors. And when you consider that the backdoors have been reported in encryption mechanisms as well, it’s just bad all around. That’s why security folks are making such a big deal out of all of this. Yes, we kind of shake our heads and go, “It was inevitable,” however, that doesn’t mean we have to like it or approve of it.