Spy vs. Spy
How to Keep Our Privacy While Remaining Secure
I remember growing up reading the comic strip Spy vs. Spy in the MAD Magazine and I confess that I never quite made sense of it. Other than the absurdity of the spy games during the Cold War, I couldn’t quite figure out why sometimes one would win, sometimes the other, and there were times when both would win, or both would lose. Well, this was until now.
In the world of cybersecurity, the debate between security and privacy has been going on for several decades, especially since the inception and dissemination of cryptographic systems like PGP (“Pretty Good Privacy”) in the early 90s for e-mail security. Since then, arguments have been made by law enforcement, notably, the FBI in the United States, that strong cryptography allows criminals to operate in the shadows. Repeatedly, in a friendly manner or via the courts, the case has been made to request technology providers to provide exceptional access or back doors for government agencies’ use. The culprit varies, from terrorism to kidnapping, to child sexual abuse, but the question is always the same: are we willing to trade off privacy for security? Like several others, I have written about the dilemma of national security in my “The Right to Privacy in the Digital Age” piece, twisting myself into a pretzel to try and figure out the right balance in these most extreme situations.
This was until I read the Lawfare series on “Perspectives on Encryption and Surveillance” and the reframing of the debate from security vs. privacy into security vs. security by Bruce Schneier. This recasts the race between law enforcement and the “bad guys” as a real-life version of the characters in Spy vs. Spy, constantly trying to catch up with each other. Susan Landau’s 2016 congressional testimony on “Balancing Americans’ Security and Privacy” also sheds a good light on the topic. I encourage you to browse the articles in the series and the Congress minutes for additional background.
Today most of us carry mobile devices that store a significant amount of personal information (from bank accounts to family photos). These devices are also used to carry conversations, increasingly in the form of text messages. Moreover, they act as gateways to a plethora of cloud-enabled services and data repositories. In addition to our personal information, we use the same devices (or a second separate one) for work, typically with access to proprietary and confidential information including trade or national security secrets. All of that is protected by encryption - of data at rest and data in transit - with the mobile devices being used as the primary gate for authentication via passwords, biometrics, or both. The strong mechanisms in place today to protect that data and access enable trust in the system. The moment this trust is eroded, the system and the economy built around it collapse. The damage that cybercriminals can impart on businesses or nation states can on their antagonists is immeasurable.
Encryption, therefore, protects not only consumers but also the economy, national security, minorities, and vulnerable populations including political opposition to authoritarian regimes.
While there is a trade-off between privacy and security, the reduction of the latter can cause much more harm. Once exceptional access is granted, the path towards that exceptional access is created and a vulnerability exposed - even if this happens in the most extreme situations, following rigid governance, and under the authority of a respectable democratic regime. I would prefer law enforcement to focus on prevention, using leading-edge technology, then try to wage war on encryption or ask for backdoors which will help with the forensics after the fact. We would need to help by adequately funding law agencies to have the resources and to attract talent in this security vs. security race: with technology companies continuing to invest in the best privacy tech, and both law enforcement and criminals racing to break it.
Like in the comic strip, sometimes one would win, sometimes the other, sometimes both will win, or both will lose. Cybersecurity is a hard game: to defend, you need to protect against any form of attack, all the time. Attackers need to win only once. This is why adopting a defense-dominant approach and not compromising on encryption is key, no pun intended.
@paulo insightful as always. Having served in the very humbling role of CISO for a public cloud I deeply embrace the need for zero trust architecture, accept this is a chronic illness for which there is no cure and constant curation and update of medication is required, and to be truly safe from all of this one would need to disconnect from all technology and networks - which I personally accept I'm not going to do. (thus my first 2 rules)
If I were to add a 4th it would be that one must fight fire with fire. AI and quantum increase this risk. It's imperative to embrace both to manage it.