Civics: Resisting Law Enforcement’s Siren Song: A Call for Cryptographers to Improve Trust and Security

Cindy Cohn:

The world is waking up to something that digital security experts have known for a very long time: Digital security is hard.

Really hard. And the larger and more complex the systems, the more difficult it is to plug all the security holes and make them secure and trustworthy. Yet security is also increasingly important in systems ranging from the smartphones in our hands to our power grids. So why isn’t everyone—especially the governments of the Five Eyes countries—promoting, supporting, and celebrating important security work? In part, it’s because law enforcement in each of these countries wants to take advantage of the same security holes that criminals do—a result that puts us all at risk. Even worse, many of these governments are now pushing companies—both through law and through nonlegal pressure—to ensure that any future technology that the public relies on continues to have security holes they (and criminals) can use.

The drumbeat of the daily headlines on cybersecurity incidents shows us that the risks of weak digital security are already here. We’ve heard about phishing attacks by foreign governments aimed at undermining our democracy and ransomware attacks on hospitals. We’ve seen nation-state level attacks on corporations like Sony and on sensitive government employee databases like the one maintained by the federal Office of Personnel Management. Corporate data breaches like the ones suffered by Equifax and Target have affected tens of millions of users. Countless others have suffered from identity theft, malware, and more recently, spouseware—malware used by domestic abusers. Meanwhile, we’ve seen more research proving how easy it is to break into many U.S. voting systems. The attacks and undermining strategies are different in each of these, but the underlying problem is the same: Our digital systems are not secure enough, and our current security techniques are not up to the task.

Creating systems of trust and real security for users should be all hands on deck, from government to the private sector. We need to encrypt the web, secure data at rest and in transit, and ensure that homes, cars and anything that can be connected to the internet are safe and trustworthy. The array of options is poor since security architects have to bolt security onto insecure systems. But that’s all the more reason to encourage people who understand how computer security works (and how it fails) to help. After all, there are only so many hours in the day, and the more attention we pay to these problems, the faster and better we can address them.