The Red Herring of Digital Backdoors and Key Escrow Encryption

Conference season is here again and this year’s Aspen Security Forum hosted a session regarding the proverbial public-private partnership in cyberspace. During the hour-long meeting former Secretary of Homeland Security Michael Chertoff commented that he thought digital back doors were a bad idea:

“I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there’s going to be a court order.”

This opinion is in glaring contrast to public statements made by the current FBI Director James Comey, who has asserted that law enforcement agencies are going dark and that they need cryptographic back doors (using what’s known as key escrow encryption) to protect us against criminals and terrorists.

At this year’s forum another high-level retiree named Michael echoed Chertoff’s message. That would be former NSA, and CIA, director Michael Hayden who also happens to work for the Chertoff Group. Hayden told a reporter from the Daily Beast:

“I hope Comey’s right, and there’s a deus ex machina that comes on stage in the fifth act and makes the problem go away… if there isn’t, I think I come down on the side of industry. The downsides of a front or back door outweigh the very real public safety concerns.”

While many scientists and researchers ‒your author included‒ insist that key escrow is a ridiculous zombie idea, it’s important to recognize what’s being left out of the aforementioned discussion. Pay attention and you may detect a telltale whiff of public relations tradecraft in the air. Specifically, notice how the debate over back doors is almost entirely focused on back doors implemented through cryptographic technology.

This subtle misdirection shifts the conversation away from a different sort of back door currently being leveraged on a global scale. That would be back doors that are built upon zero-day exploits. An entire industry has emerged to cater to the growing demand for zero-day bugs and the tech monoliths have quietly provided assistance. For example it’s well documented that companies like Microsoft gave the NSA early access to information on zero-day bugs in their products.

By concentrating on key escrow the CEOs of Silicon Valley are able to conjure up the perception of an adversarial relationship with federal agencies. This is absolutely crucial because tech companies need to face the public wearing a white hat. In the aftermath of the PRISM scandal, where C-suite types were caught colluding with the government on a first-name basis, American executives are frantically trying to convince people on behalf of quarterly revenue that they’re siding with consumers against spying. An interesting but fundamentally flawed narrative, given how much economic espionage the government conducts and how much spying corporate America does. Who do you think benefits from this sort of mass surveillance?

Having said that, the comments of the two Michaels (Hayden and Chertoff) aren’t necessarily significant because both men are simply adopting the talking points of the corporate community which they both belong to.

All told it’s likely that private sector involvement henceforth will transpire off stage. Far removed from the encryption debate. Rather than forgo the benefits of aggressive spying, CEOs will merely conceal their complicity more deeply while making lots of noise for rubes about encryption. In this sense zero-day bugs offer the added benefit of plausible deniability. That is, backs doors based on zero-day bugs are vital spy tools that masquerade as mere accidents. Only fitting, one might conclude, as spies and magicians are kindred spirits performing artful tricks that beguile more susceptible members of the audience.

Bill Blunden is a journalist whose current areas of inquiry include information security, anti-forensics, and institutional analysis. He is the author of several books, including “The Rootkit Arsenal” andBehold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex.” Bill is the lead investigator at Below Gotham Labs and a member of the California State University Employees Union, Chapter 305.