Susan Landau on Cybersecurity in an Insecure Age


Susan Landau is Bridge Professor in the Fletcher School of Law and Diplomacy and the School of Engineering, Department of Computer Science, Tufts University, and visiting professor in the Department of Computer Science, University College London.

In part one of this Q&A series, she described the challenges arising at the intersection of cybersecurity, national security, law, and policy. In part two, she discusses her latest book, Listening In: Cybersecurity in an Insecure Age, in which she explores the nuances and implications of not only those challenges, but also their proposed solutions, such as weakening encryption to help law enforcement.

Question: Why did you write Listening In now?

Landau: In March 2016 I testified at the house judiciary committee on the Apple-FBI case. I argued that for security’s sake it was important that Apple not develop software to open the phone. I spoke about the security risks that would ensue were Apple to do so. After the hearing, I had lots of requests to give talks and interviews about the issue, and I realized that didn’t scale. I decided to write a book about the encryption issue that would be accessible to the general public.

This was an issue that we, as a democracy, need to discuss and think hard about, and I wanted to put the ideas out in front of the public. So I wrote the book as quickly as I could, and it seems it is currently a very hot topic now. Indeed last month Deputy Attorney General Rod Rosenstein gave a speech about the problems that law-enforcement encounters with encryption, but it was a very one-sided view. The Deputy Attorney General didn’t seem to understand the risks of the position he was espousing. So I’m very glad that Listening In has just come out.

Question: What’s the book about?

Landau: It has several general themes. It explains cryptography — at least enough for a general audience — and it talks about the cybersecurity risks we face. It also examines the rapid changes in society due to technology, including the changes to manufacturing, farming, and even healthcare, and how sensors and the Internet of Things are changing the nexus of controls. That gets us to risks, which is at the heart of the book. I’m really concerned with the cybersecurity risks we face. The last election showed Russia’s willingness to attack US civil society; that’s a part of the US that is crucial to our democracy and yet very poorly secured. That’s why we need good security within consumer devices.

Question: Tell us a little bit more about Russia.

Landau: In 2015 hackers in Russia brought down three power distribution networks in western Ukraine. This was a sophisticated attack. These attackers first broke into the business networks of the three power distribution companies, then spent months studying the systems. The attackers found ways from each of the business networks into the power distribution networks themselves. But here is where it gets really interesting. Each of the power distribution networks was configured somewhat differently, but that didn’t stop the attackers from being able to bring down all three systems within a half hour of each other. That’s quite impressive. Clearly what happened is that the attackers had time and money to experiment on control systems back in their own labs so that they were able to run the attack as they did. This was not script kiddies doing the attacks; these were sophisticated attackers with access to a considerable amount of resources, and that enabled them to experiment carefully before they conducted the attack.

A similar incident occurred for TV5Monde, France’s international network running a dozen stations, in 2016. It, too, was suddenly pulled off the air, its webpages defaced, and so on. The attack corrupted hardware controlling the network’s operations. There were claims that this was done by the “Cyber Caliphate,” but there is no such organization. It seems, rather, that this was a test run by the hackers to see if they could pull off such an attack, perhaps on a different target. Again, there had been considerable reconnaissance before the actual attack. The station happened to be lucky; some technicians were there that day, and one of them quickly pulled the plug on the server that was corrupting the whole system. Again, this attack has been ascribed to Russia.

Question: Why is all this happening? And what are the risks?

Landau: Russia has been at war against the west since the early 2010s, engaging in what they call “fighting a war without fighting the war.” Russia’s leadership views western support of democratic movements in various countries along what we used to call the Eastern Bloc as attacks against Russia itself. And it turns out that liberal democracies, with our open press and vibrant civic society, provide a very soft spot to attack.

Civil society organizations might be local groups involved in local issues (that is, community organizations), they might be professional societies, they might be charitable groups or church groups. They are the social glue in democracies, and are critical to democracies’ healthy functioning. But if you mess them up — if you publish internal emails (and everyone always says things on emails that they shouldn’t) or start tampering with their files before these organizations publish a report — you can really destroy trust in civil society.

This happened in Climategate, where someone — and we don’t know who — stole emails and files from the University of East Anglia and published correspondence from a group of climate scientists. Even though the scientists were doing legitimate, honest work, the way they wrote — which is like the way all of us do when we’re writing informally — made it sound as if they were cooking the data. Public belief in climate change and trust in scientists went way down after that. It’s something I discussed in an article in Foreign Policy in September. The problem is that these civil-society groups are not well equipped to protect themselves. And that’s an argument for widespread security, including easy access to end-to-end encryption.

Question: But what’s the problem if law enforcement can get into encrypted communications? Isn’t that a good thing?

Landau: Requiring such access weakens the encryption system in really serious ways. As I say in the book, if you undo security protections by allowing what law enforcement calls “exceptional access”— and what Rosenstein recently called “responsible encryption”— you create four types of weaknesses. First, you allow retroactive compromise of prior communications (that’s because you eliminate the possibility of forward secrecy). Second, you’ve made encrypted communications more complicated, and that creates a security risk. Third, if you discover a problem with the system, because of backwards compatibility in communications infrastructure — the need for modern systems to connect with older protocols — the weak system lives on, creating a long-term danger; that’s exactly what occurred in the FREAK attack of 2015. Finally, you still have the issue of who controls the keys, the problem that did in the Clipper chip in the 1990s. My colleagues and I also discussed this in our “Keys Under Doormats” paper in 2015.

Question: And what about phones? Shouldn’t law enforcement be able to open locked devices if they have a search warrant?

Landau: There’s “should” and there’s designing systems so that they’re weak. The problem is that the first, if it were a requirement, leads to the second.

This all blew up with the phone of the San Bernardino shooter, where the FBI wanted Apple to create a special update to undo the security protections of the locked iPhone the dead shooter had left behind. At the time, the FBI claimed it was only the phone they wanted opened. In fact, as Rosenstein said last month, law enforcement has thousands of phones they want opened. And that means that Apple, or any other manufacturer of phones, would have to create a process in which they’re providing updates daily. That completely messes up the security of the update process.

Right now only a small group of highly trusted, highly vetted people touch Apple’s update mechanisms. If you do “unlock updates”— and these “unlock updates” have to be tied to individual phones to prevent them from spreading to others — and if you do these “unlock updates” frequently, you’re creating great insecurity in the process. You’re taking devices which carry all sorts of personal and proprietary data, and they are now suddenly less trustworthy. This is the major argument in my testimony, in my book, and in my recent blog post about Rosenstein’s speech.

Question: Doesn’t this mess law enforcement up? How can it conduct investigations if communications are encrypted and phones are locked?

Landau: So now we’re coming full circle to the beginning of the book in which I discuss the Digital Revolution — the speed with which it’s occurring and the different ways that we need to do things. Law enforcement has different tools than it did a couple of decades ago, far more metadata, far more information about where we are, with whom we are, and what we’re doing. We communicate constantly. We carry around radio antennae — we call them cellphones — that advertise our whereabouts to cell towers. We use apps that let remote sites know what we’re buying, where we are, what we’re doing. We’re dropping hints about our activities all over the place. The whole Internet of Things Revolution contributes to this.

Now law enforcement needs more resources. The new technologies can be complicated to access, not just because of encryption and locked devices, but because of things that are simple to solve technologically, like different formats for communications metadata, and so on. Making more money available, and doing much better information sharing between the greater capabilities on the federal side and the lower resources on the state and local end is certainly an important aspect of simplifying law enforcement’s job.

We’ve also got to change the laws some. On the legal side, we have an outdated legal regime with respect to wiretapping. Since the late ’70s, we’ve had a distinction between communications metadata — dialing, addressing, routing, and signaling information — and communications content. That worked fine in the wireline and cell phone eras. It makes much less sense when you’re talking IP communications.

Steven Bellovin, Matt Blaze, Stephanie Pell, and I explored this distinction in our Harvard Journal of Law & Technology article, “It’s Too Complicated: How the Internet Upends Katz, Smith, and Electronic Surveillance Law.” For example, with voice over IP (VoIP), even when those communications are encrypted, it’s still possible to analyze the packets to determine what language the people are speaking and their gender. In some cases, it’s also possible to identify the words they’re saying because of how data compression and encryption work. Information in the packet headers is not content, but still capable of revealing content.

All of this is part of the picture that says the Digital Revolution has fundamentally changed the way we do many aspects of society. Law enforcement needs to catch up.