
Cryptographic Policy – What’s the Blowback?

In early 2000, Americans became aware of a common U.S. Intelligence term called ‘blowback.’

In its initial context, the term was used as a type of internal shorthand, denoting "the unintended consequences of U.S. policies kept secret from the American people." Over time, the term 'blowback' has been applied to a number of circumstances in which the government has leaned toward unpopular decisions that reaped a negative harvest for the people. The government's take on blowback is that it couldn't have been prevented, that whatever happened was going to happen eventually anyway and that the decisions made were in the best interest of the people they were elected to protect.

For the most part I believe them. Difficult decisions are made when both sides of the coin mean conflict. There are no easy answers to the inevitable. It's more a question of enabling or disabling and whose opinion is the right one. I do believe that the U.S. government does what it can to run the country the right way. Being part of a democracy means that we put up with laws and policies that don't always make sense to everyone around the table. Sometimes decisions are made that leave me scratching my head in disbelief. At times I wonder whether I am the only person who sees the ramifications. Often I am amazed by the frenzy that accompanies decisions made around e-security.

I haven't heard the term blowback applied to economic policy. Yet it should be. Economic policy determines the interconnectedness of thousands of issues. This is the only word that comes to my mind when considering the new cryptographic trade policies unleashed in the wake of the Clinton Administration. When decisions are made in the interest of economic progress, with little thought (in my opinion) to what it means at the cellular level, bad things are fixin' to happen.

During the end of the Clinton era, the U.S. saw a concerted movement toward the relaxation and standardization of U.S. cryptographic policy and trade laws. A large part of this was frantically pushed by private industry and parties with vested interest. Keeping our encryption technology so close to the vest was considered a "bad move" in the economic arena of technology. Our products were "too hard" to ship out, and our policies were "too rigid" and "too difficult to understand." We used to closely monitor our technology, applying for an export license by supplying chronically detailed information to the Bureau of Export Administration (now called the Bureau of Industry and Security, BIS, interestingly enough). We were tasked with running background checks on our potential customers, screening them against several lists comprised of terrorists, people who had committed trade violations and people who just outright weren't safe.

This all seems pretty relevant in light of today's heightened security concerns, doesn't it? Seems like it should be a concern. Code that our intelligence teams cannot break doesn't seem to bode well for any kind of timely interception. Since the people we are selling this technology to aren't really monitored, how can we possibly know who has what kind of encryption? This 'chatter in the system' the U.S. government keeps speaking of, is any of it encrypted? What happens when the people creating that chatter decide to do so utilizing strong cryptographic code? Could we crack it? Most likely. Could we crack it quickly enough? I believe if the message isn't decipherable the minute it's being intercepted, then no, it's not quickly enough.

So basically, we have a predominant school of thought in U.S. industry that says when it comes to ringing that bell at the end of the quarter, booking millions in sales of strong cryptographic products is surely worth risking national security over. Except, they don't see it as risking national security. They see it as the sale of a product, failing to understand what the product contains. Unfortunately, the people who are not our friends have been able to bank on this. They had the ingeniousness to take the microprocessors out of hundreds of gaming systems to create enough power for military tanks. Yet nobody in that sales department thought it was odd that so many systems were going to such an underdeveloped nation? Interesting. The technical term for that is 'dual-use technology.' Every salesperson in every industry that gives a thought to his or her country's security should consider the potential dual-use of their product before making that sale.

I have this debate with colleagues all the time. Their argument is generally the same, "But they would have gotten their hands on the encryption anyway, wouldn't they?" I suppose they would, yes, eventually. Do I really want to be the person responsible for selling them the gun to shoot me in the back with? Consider this: We have nations, previously considered 'high risk' nations, previously considered untrustworthy for reasons of anti-terrorism, weapons of mass destruction, nuclear proliferation, etc. (all categories of concern determined by the BIS), that are now able to buy our cryptographic products with little to stand in their way. Why, one new President later, are we allowing them to freely purchase the strongest encryption we produce? What kind of cleansing ritual have we performed on these previously very undesirable trade partners that has suddenly guaranteed our ultimate safety? What kind of assurance do we have that those very same nations aren't home to teams of brilliant scientists, looking to use our technology against us?

As far as making the laws so much more lax, where is the data that tells me our economy is doing so much better that possibly risking my country's safety was worth it?

Every security conference I have attended recently has touched on our encryption policies. People are heralding the new laws as "progressive" and denouncing the old laws as "ridiculous," laughing off the stringent process that used to preclude the sale of strong encryption. Countries have money to buy our algorithms, why not sell it to them? In the name of progress, isn't that what counts?

I wonder though, what will the blowback be?

Melisa LaBancz is a California security journalist anxiously watching the world for signs of impending blowback.


 
