The dangers of weakening cybersecurity to facilitate surveillance
In response to the controversy over the alleged surveillance practices of the NSA, the White House established the Review Group on Intelligence and Communication Technologies, which is expected to provide recommendations to the president next week.
In comments to the Review Group, Carnegie Mellon University’s Jon Peha recommended a re-evaluation of those practices that weaken commercial products and services. These practices include weakening standards and placing “back doors” into products that are accessible to U.S. government agencies.
Peha, a professor of engineering and public policy and former chief technology officer of the FCC and assistant director of the White House’s Office of Science and Technology, said deliberately weakening commercial products and services may make it easier for U.S. intelligence agencies to conduct surveillance, but “this strategy also inevitably makes it easier for criminals, terrorists and foreign powers to infiltrate these systems for their own purposes.” Peha pointed out that cybersecurity vulnerabilities created to eavesdrop on terrorists could have vast unintended consequences.
“If we can weaken the standard for a general-purpose encryption algorithm, then it is impossible to predict what will become vulnerable. Perhaps this algorithm will be used to protect stock market transactions, or the real-time control of an electric power grid, or the classified designs of a military aircraft, which would then become vulnerable,” Peha said.
While some argue that these policies sacrifice privacy to improve national security, Peha says such policies “may have actually compromised both privacy and security in a failed attempt to improve security.”
“Policies that deliberately weaken the security of U.S. products and services will affect U.S. competitiveness,” Peha said. “Customers will naturally prefer products and services from companies that they believe are immune from such a policy.”
Peha argues that the solution is for the NSA to apply a “comprehensive approach to assessing risks associated with these practices,” which includes “protecting individual Americans from cyberattacks that lead to credit card fraud, protecting companies from cyberattacks that lead to theft of intellectual property, and protecting the competitiveness of U.S. information technology firms in the global marketplace.”
“A risk assessment that only considers NSA’s ability to conduct surveillance would inevitably lead to practices that weaken the security of commercial products and services even when doing so is harmful to American interests,” he said.