Closing the backdoor to Australia

In July Australian Prime Minister Turnbull announced plans for legislation to compel device manufacturers and service providers to assist law enforcement to access encrypted information. And at the United Nations earlier this month, foreign minister Julie Bishop said Australia wants to “work constructively with communications service providers to prevent terrorists from using encryption to hide online.”

Although this might sound reasonable on its face, any plan to undermine encryption would actually put the people of Australia at much greater risk. And I should know. I’ve spent much of my career contemplating how criminals compromise systems protected with encryption.

I used to work for one of Australia’s big four banks. I was a member of the bank’s security team, a team whose responsibilities included assessing the bank’s information technology systems for security vulnerabilities that could allow malicious actors to compromise the bank. Such compromises can cause damage through anything from direct financial fraud to a loss of customer trust in the bank’s security. To perform these types of security assessments, to probe the bank’s systems for security holes, required that we “think like the bad guys.”

Encryption is the strongest defense against the bad guys. So strong in fact, that instead of attempting to crack the encryption itself, they will try to find ways to circumvent, or bypass, the encryption. On a fundamental level, encryption is math. Very few vulnerabilities exist in the cryptographic algorithms themselves, since they are open, public, known, tested, and have to withstand the rigors of academic peer review, as well as a maturity of practical implementation.

To compromise a security system, you don’t need to crack encryption. You just have to find the “weakest link in the chain.” And those weak links are in the software that provides the framework the cryptographic functions operate within. These could be protocol errors, dangerous coding mistakes, design flaws in where or how data are stored, or mistakes in the mechanisms that control authentication and access. Fundamental design decisions have a large impact on the number of vectors for attack of a system.

The Australian government’s proposal would require device manufacturers and service providers to build weaker links in the security chain. Consider a simple physical security system, such as a lock and key. If the lock opens for only one unique key, it has a fairly good security profile. But if that lock, and many others like it, can be opened by a master key in addition to the unique key, then you have weaker security for all the locks. Anyone attempting to pick the lock now has double the chance of opening each lock. Additionally, any of the lock owners could pull apart their lock, reverse engineer the master key, and then open everything.

This is also true of applications with common backdoors to unlock the encryption. Although the  Australian government intends to use those common backdoors for law enforcement to get access to your encrypted content, the fact is that the bad guys will also know those backdoors exist, and they will pursue uncovering them.

And this should be important to you. Encryption protects your online banking, it protects your online shopping, it enables innovation like mobile payments, it protects your online accounts, and it protects our very identities. It even reduces street crime like theft because a locked and encrypted device is useless to the thief.

While we’d all like to feel safer, undermining encryption would put us all at great risk. And if you think the hackers won’t succeed in breaking into law enforcement networks to obtain access to the backdoors, think again.

Just a few years ago, a hacker was able to attack the Australian Federal Police and allegedly accessed police evidence and intelligence from their protected systems. Just this summer, another hacker broke into a West Australian Police computer and obtained the names, addresses, and offenses of people paying traffic fines.

Those in the U.S. have not fared better. Hackers have compromised U.S. police databases. An infamous hacker group calling themselves Shadow Brokers hacked the secretive National Security Agency, stealing hacking tools used by the secret agency, and then releasing them. A 16-year-old hacker was arrested for hacking the personal email account of the CIA director, John Brennan, and releasing personal information relating to 31,000 government agents.

For much of my adult life I have been paid to think like a criminal. So here is some free advice: don’t make it any easier to get access to encrypted information.  Do not deliberately add a weak link to the chain of secure encrypted communications systems that Australian citizens rely on. To do so only plays into the hands of the very people the government claims they need the backdoors to defeat. Strong encryption, with no deliberate weak links, and no backdoors, is the best defense against entities that wish to harm the interests and assets of Australian citizens.