More on the Five Eyes Statement on Encryption and Backdoors

Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies. Susan Landau examines the details…

Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies.

Susan Landau examines the details of the statement, explains what's going on, and why the statement is a lot less than what it might seem.

from https://www.schneier.com/blog/

Five-Eyes Intelligence Services Choose Surveillance Over Security

The Five Eyes — the intelligence consortium of the rich English-speaking countries (the US, Canada, the UK, Australia, and New Zealand) — have issued a "Statement of Principles on Access to Evidence and Encryption" where they claim their needs for surveillance outweigh everyone’s needs for security and privacy. …the increasing use and sophistication of certain encryption designs present challenges for…

The Five Eyes -- the intelligence consortium of the rich English-speaking countries (the US, Canada, the UK, Australia, and New Zealand) -- have issued a "Statement of Principles on Access to Evidence and Encryption" where they claim their needs for surveillance outweigh everyone's needs for security and privacy.

...the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.

Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.

The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.

To put it bluntly, this is reckless and shortsighted. I've repeatedly written about why this can't be done technically, and why trying results in insecurity. But there's a greater principle at first: we need to decide, as nations and as society, to put defense first. We need a "defense dominant" strategy for securing the Internet and everything attached to it.

This is important. Our national security depends on the security of our technologies. Demanding that technology companies add backdoors to computers and communications systems puts us all at risk. We need to understand that these systems are too critical to our society and -- now that they can affect the world in a direct physical manner -- affect our lives and property as well.

This is what I just wrote, in Click Here to Kill Everybody:

There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There's no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.

This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It's actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals' safe houses would be more secure, but it's pretty clear that this downside would be worth the trade-off of protecting everyone's house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.

Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won't make it impossible for law enforcement to solve crimes; I'll get to that later in this chapter.) Regardless, it's worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We've got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.

We need to have this debate at the level of national security. Putting spy agencies in charge of this trade-off is wrong, and will result in bad decisions.

Cory Doctorow has a good reaction.

Slashdot post.

from https://www.schneier.com/blog/

New Report on Chinese Intelligence Cyber-Operations

The company ProtectWise just published a long report linking a bunch of Chinese cyber-operations over the past few years. The always interesting gruqq has some interesting commentary on the group and its tactics. Lots of detailed information in the report, but I admit that I have never heard of ProtectWise or its research team 401TRG. Independent corroboration of this information…

The company ProtectWise just published a long report linking a bunch of Chinese cyber-operations over the past few years.

The always interesting gruqq has some interesting commentary on the group and its tactics.

Lots of detailed information in the report, but I admit that I have never heard of ProtectWise or its research team 401TRG. Independent corroboration of this information would be helpful.

from https://www.schneier.com/blog/

New Report on Chinese Intelligence Cyber-Operations

The company ProtectWise just published a long report linking a bunch of Chinese cyber-operations over the past few years. The always interesting gruqq has some interesting commentary on the group and its tactics. Lots of detailed information in the report, but I admit that I have never heard of ProtectWise or its research team 401TRG. Independent corroboration of this information…

The company ProtectWise just published a long report linking a bunch of Chinese cyber-operations over the past few years.

The always interesting gruqq has some interesting commentary on the group and its tactics.

Lots of detailed information in the report, but I admit that I have never heard of ProtectWise or its research team 401TRG. Independent corroboration of this information would be helpful.

from https://www.schneier.com/blog/

The Spy in the Boardroom

The government has former spies, military officials, and law enforcement professionals on hundreds of corporate boards to protect national security, in what a Washington University Law Review study calls an increase in “national security corporate governance.”

The government has former spies, military officials, and law enforcement professionals on hundreds of corporate boards to protect national security, in what a Washington University Law Review study calls an increase in “national security corporate governance.”

The study claims that,in effect, shareholders are relegated to little influence on the corporation’s business or management.

“Corporate boardrooms have quietly become instruments of national defense, marrying the efficiency norms of corporate law and the protective ambitions of national security,” writes the author of the study, Andrew Verstein, an associate professor at the Wake Forest University School of Law.

The program was developed from the idea of merging private sector efficiency and economy with public security efforts, Verstein writes, adding that roughly 400 companies are currently operating under this government oversight.

A firm is subject to this form of government intervention if its work includes a classified project, a potentially influential foreign client or investor, or is a project “vital to military or espionage agencies.”

The report, entitled “The Corporate Governance of National Security,” focuses especially on the ways in which the government’s national security corporate governance affects the defense contracting industry, particularly those companies involving some measure of Foreign Ownership, Control, or Influence (FOCI).

Impositions on contractors with FOCI include, among other things, a Government Security Committee, composed of senior management and company directors tasked with security compliance with the Defense Security Service (DSS). The contractor must also “be organized , structured, and financed so as to be capable of operating as a viable business entity independent from the foreign owner,” the study says

Much of American defense has outsourced its preparation and production to private contractors, “where market dynamics encourage creativity and economy” normally considered optimal goals, added Verstein.

The study also warns that market dynamics can damage national security if corporations perceive their interests are better served by subverting projects of vital national security importance and engage in spying or leaking information “perhaps because a major investor or another client has ties to a foreign state.”

The report notes the program has potential structural shortcomings

“(It) works by inverting the dictates of orthodox corporate governance wisdom. If this lowers accountability and efficiency at vital projects, then the nation will get far less security than it bargained for.”

The report points out that national security corporate governance also generates opportunities for wasteful management that exploits shareholders, and it tempts government officials serving on these boards to favor foreign companies in the hopes of lucrative retirement jobs on the boards of FOCI firms.

There is also the risk that private defense contractors may be influenced by shareholders pushing for immediate profits, even if it puts the country at risk.

When companies comply with the imposition of government officials, the decision-making capacity lies with the government agents, and decisions are made in the interest of national security rather than shareholder interests.

Tensions that arise from the practice of national security corporate governance involve the mandates of corporate law and national security law. Corporate law is designed around private organization, the accountability of shareholders, profit and efficiency. National security law is based on general defense, even if that mandates secrecy, coercion, and bureaucracy, says the report.

National security corporate governance provides “a channel for increased government influence and preparatory field for possible wartime industrial efficiency. It has a secret ambition as a succession planning tool, allowing the government to better control captured assets in times of emergency.”

In a wartime scenario, if America should choose to expropriate foreign-owned assets, national security corporate governance can ease government expropriation of private enterprise by assisting in succession planning, thus contributing to industrial readiness and security.

During World War 2, the US expropriated a German chemical plant, but the government found it difficult to find “competent and skilled personnel under wartime conditions.” The U.S. was forced to staff potential “enemy spies and saboteurs just to keep the factory running.”

Ever since, national security corporate governance has installed former intelligence and defense officials at complying companies that would be most likely to face expropriation during a war.

“These are foreign-owned companies that provide functions useful to America’s espionage or military efforts,” the report says.

A full copy of the paper can be downloaded here:

This summary was prepared by TCR news intern John Ramsey. Readers’ comments are welcome.

from https://thecrimereport.org

Japan’s Directorate for Signals Intelligence

The Intercept has a long article on Japan’s equivalent of the NSA: the Directorate for Signals Intelligence. Interesting, but nothing really surprising. The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly classified that the Japanese government has disclosed little about its work ­ even the…

The Intercept has a long article on Japan's equivalent of the NSA: the Directorate for Signals Intelligence. Interesting, but nothing really surprising.

The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly classified that the Japanese government has disclosed little about its work ­ even the location of its headquarters. Most Japanese officials, except for a select few of the prime minister's inner circle, are kept in the dark about the directorate's activities, which are regulated by a limited legal framework and not subject to any independent oversight.

Now, a new investigation by the Japanese broadcaster NHK -- produced in collaboration with The Intercept -- reveals for the first time details about the inner workings of Japan's opaque spy community. Based on classified documents and interviews with current and former officials familiar with the agency's intelligence work, the investigation shines light on a previously undisclosed internet surveillance program and a spy hub in the south of Japan that is used to monitor phone calls and emails passing across communications satellites.

The article includes some new documents from the Snowden archive.

from https://www.schneier.com/blog/