Tufts University professor Susan Landau has a long and distinguished background in computer security and policy that includes several books on wiretapping and surveillance. She has repeatedly argued that damaging our security by embedding holes for law enforcement — whether that’s wiretap equipment inside ISPs or exceptional access (that is, special decryption capabilities in encryption software) is a dangerous approach. Encryption is not sufficient to guarantee cybersecurity, but it is essential.
In Listening In: Cybersecurity in an Insecure Age, Landau considers the changing world in which law enforcement must operate with exceptional clarity. She begins with a brief history of cybersecurity. The first known cyberattack was in 1986, when Clifford Stoll began trying to understand a 75-cent discrepancy in computer time; he told the story in detail in his book The Cuckoo’s Egg. The next, and the first proper internet attack — although it wasn’t really intended as such — was the 1988 Internet Worm. Despite these early warnings, Landau writes, quoting from a US government report, “security lost to convenience in the 1980s. And then it kept on losing”. It wasn’t until 2008 that cyber-threats began to be taken seriously.
Throughout the 1990s, credit card theft, online bank robbery, and other financial crimes were growing. By the mid 2000s, the targets were expanding from corporate servers to nation states. In 2007, a DDoS attack on Estonia lasted nearly a month. In 2009, Iran began noticing problems with its nuclear centrifuges; in 2012, the reason was identified as Stuxnet, which brought cyber-attacks into a new era.
It was against this background that the ‘First Crypto War’, which pitted law enforcement against privacy campaigners, took place. In 2013, Edward Snowden’s revelations swung the pendulum back toward privacy, while the terrorist attacks in London, Paris, and San Bernardino swung it away again. When the FBI sought access to the iPhone belonging to San Bernardino shooter the court case reopened all those old wounds.
What does law enforcement need? It complains about ‘going dark’ because encryption limits access to content, but equally can take advantage of many more kinds of data than ever existed before — and most of it is never deleted. In one case Landau cites, a cryptic text message unraveled an insider trading case; in an earlier era, it might have been destroyed before law enforcement ever saw it. Linked databases, communications metadata, and analytics from companies like Palantir all play their part in helping law enforcement do its job, as does properly warranted legal wiretapping and hacking.
But during this time law enforcement has ceased to develop its own technical capabilities. Landau argues that a reversal is essential, and that law enforcement needs 21st century capabilities to conduct investigations that match those of its enemies and attackers.
Landau ends her book with the 2016 and 2017 attacks on the US and French presidential elections. Government’s role, she concludes, is to provide security — but not to prevent individuals from maintaining their own. It should, in other words, be helping us.
RECENT AND RELATED CONTENT
A Winning Strategy for Cybersecurity (ZDNet special feature)
The smartest companies now approach cybersecurity with a risk management strategy. Learn how to make policies to protect your most important digital assets.
Security warning: Your suppliers are now your weakest link
Cybersecurity agency warns of 796 attacks against business, says that hackers will attempt to reach their targets through their suppliers.
Ransomware takes malware mantle in Verizon data breach investigations report
Ransomware fares well in Verizon’s 2018 data breach recap and cybercriminals are becoming more targeted and taking aim at human resources in many cases.
Zuckerberg’s Facebook testimony: 5 big questions for businesses and developers (TechRepublic)
The Facebook CEO is set to testify before Congress on the Cambridge Analytica big data scandal that left data from 87 million users compromised.
Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
It’s one thing for a company to create a cybersecurity strategy, but it’s another thing entirely to put strategy into practice. In February 2018, Tech Pro Research surveyed 236 professionals, aiming to find out how companies are doing in both areas.