Bruce Schneier is a computer security expert who, for decades, has been a leading voice for cryptography and all things security. In this question-and-answer formatted interview, Schneier describes the disjunction of today’s abundance of encryption tools and a dearth of personal security. Schneier also touches on some of the dangers associated with “middle ground” compromises in encryption to placate law enforcement.
TP: What does the term “going dark” mean to you and is there a middle ground where law enforcement and cryptographers can meet?
Bruce: “Going dark” is a marketing term for an FBI narrative that encryption makes it impossible for the FBI to solve crimes. It’s propaganda, really, and has little basis in reality. As we see again and again, cryptography is not an impediment to law enforcement. We saw in the recent Mueller indictments (against Paul Manafort) that some of the messages sent using secure messaging apps were recovered. Investigators didn’t break the encryption, they were able to find backup copies of the message stored in various places. This is not uncommon.
TP: So the non-propaganda term for “going dark” would be strong encryption, secure communication or protecting data?
Bruce: What you are describing is security. The problem with notions of a “middle ground” is that cryptography is mathematics and law enforcement is policy. The laws of mathematics are not something that can be compromised, they just are.
TP: Today there is an abundance of encryption, or security, tools for keeping conversations and data private. Does that mean we are more secure than we were, say five years ago?
Bruce: Yes, today we have more encryption tools than before. That’s mostly due to the rise of smart phones as computing platforms, and secure messaging systems. We’ve always had secure email, but it’s never really worked very well. Today, people use secure messaging tools such as Signal and WhatsApp. At the same time, more end-user devices are natively encrypted. And more of the Web is encrypted.
Are we more secure because of this? Of course we are, but security is a lot more than encryption. And there is an enormous amount of insecurity in the Internet services and systems we use. The threats have gotten more serious. So we are less secure than we were five years ago.
TP: Less secure in that people’s long tail of digital metadata can be used to exploit them despite how secure someone’s practices are?
Bruce: Partly, but I am thinking more of the increased threat landscape. Consider something like a car. Five years ago it would be impossible to hack a car because they weren’t on the internet. Now they are on the internet, and they’re vulnerable. Security used to be about data, but now it’s about the real world. We’re seeing the rise of computers that affect the world in a direct physical manner, and that adds a new level of risk that doesn’t exist when we were only concerned with data.
TP: Are we talking about IoT devices?
Bruce: IoT is part of it. IoT is the small things. I also worry about larger things — cyber-physical systems — such as power plants. We have seen successful attacks against Ukrainian power plants and other large critical infrastructure. These kinds of attacks are certainly possible and becoming easier for nation states, but also non-nation state actors. More critical systems are going online and that is bringing danger because they are not vulnerable to the same type of threats that computers are.
TP: Thinking a little bit more on the topic of encryption, we are seeing a lot of encryption cat-and-mouse games. On one hand Apple or Signal make their products stronger to lock out third parties. Then the government or an enterprise security company devise a workaround. Have we ever seen this back-and-forth before at this pace?
Bruce: It’s absolutely an arms race. We have seen it throughout human history again and again. There has always been and always will be that arms race between attacker and defense. You can go back to DES (Data Encryption Standard) in the 1970s. There is a constant battle between making something secure and rendering it insecure.
TP: In the context of today, has the US government gotten better at sidestepping encryption?
Bruce: It’s not just the government. Everybody has gotten good at sidestepping encryption. The US government, foreign governments, criminals, everybody. Sidestepping encryption is how we break systems. We almost never break the actual encryption. The Manafort indictments are a perfect example. Strong encryption is hard to break. So why would you spend your time doing the hard thing when you can do the easy thing?
TP: What’s your sense of the Justice Department and the FBI under Trump and where they want to take the encryption issue?
Bruce: I have no idea. Trump is a chaos agent. Making predictions about his policies seems fruitless.
TP: Thinking about the FBI, is there is there a middle ground between the things that law enforcement wants to do and the people’s right for security and privacy?
Bruce: The middle ground is having less security and giving more access to people who want to break into systems – that’s the FBI and the Chinese government and cybercriminals. That’s the middle ground. Think of it as a dial. How much security do you want to have? How much access do you want?
This notion that I can build a backdoor that only works if a [person with a] certain morality tries to use it. That’s what doesn’t work. If you’re willing to have your nuclear power plant a little less safe in exchange for giving the FBI access, that’s your tradeoff.
(Images courtesy of Wikimedia Commons: Rama)