
Better Locks Than Back Doors: Why Apple Is Right About Encryption

What the landmark privacy case and a new documentary about Stuxnet both have to say about the encryption versus government oversight debate.

There’s never a shortage of headlines in the world of cybersecurity and recent weeks have been no exception. I’m referring to the landmark privacy case between the FBI and Apple and the Berlin debut of the documentary “Zero Days,” which delves into the 2010 Stuxnet worm. The two events have brought the encryption vs. government oversight debate into the public arena in a very real way.

At first glance, these are two separate issues. One is about whether the government can get into a device that belonged to a suspected terrorist; the other is about government-backed cyber warfare. However, I believe the parallels are clear, and in my opinion both cases have the same simple resolution: if governments really want to keep their citizens safe, they need to focus more on defense than on offense.

Offensive cybersecurity tactics offer short-term benefits but carry long-term consequences. A government focused on offense is motivated to keep vulnerabilities secret so it can exploit them later. That puts every citizen at risk, because a flaw one party has found can be found again, and bad actors will surely find these holes too.

Governments too focused on offense are also motivated to weaken security for their own purposes. To use the Apple case as an example, the FBI wants Apple to build a special version of iOS that disables the security features designed to keep criminals out of consumer devices, all for the sake of learning more about one dead terrorist. Purposely weakening a defense in this way creates a new risk: a tool or technique that, once it exists, no one can guarantee won’t fall into the wrong hands. The same logic applies to governments hoping to maintain some “master key” for public encryption solutions; a key that can decrypt everyone’s communications is exactly the kind of secret that criminals, insiders, and foreign intelligence services will work hardest to obtain.

Not having seen the “Zero Days” documentary yet (it is scheduled for US release in May), I can’t comment on its accuracy or content. That said, I’m not surprised to hear that governments, including our own, are planning, or have already carried out, offensive cyber campaigns.

If you’ve followed information security for the past five or so years, you've seen plenty of evidence of governments creating “red teams” trained to launch computer and network attacks. You’ve seen the details about Operation Olympic Games, you've read experts’ analyses of Stuxnet, you’ve followed the Snowden leaks, you’ve seen government cyber budgets expand, and most recently you’ve probably heard Ukraine accuse another country of attacking its critical infrastructure. With all of this evidence, it should not come as a surprise that governments are considering cyber attacks. It should, however, concern you greatly.

These types of “cyber” attacks, ones that target critical infrastructure and have physical, real-world consequences, are not only possible but increasingly probable. Stuxnet proved that. Furthermore, I believe digital attacks can result in real human deaths. Many of our most critical systems rely heavily on computers and networks that don’t always have the protection they should. Alex Gibney’s Stuxnet documentary will reportedly suggest that the US government planned to launch a digital attack on the Fordo nuclear facility in Iran. While such a plan might seem like science fiction to some, and would certainly pose difficulties (the facility has more defenses than most), the past has shown that motivated, persistent, well-funded attackers can often breach even the strongest defenses.

Are the governments considering launching such attacks really prepared to defend themselves against the same kinds of attacks? The short answer is no. Even the former director of the CIA and NSA says that we’re not prepared. In fact, with their calls for “backdoors” and encryption master keys, they’re actively tearing down our defenses and making everyone’s problem worse.

Government, heal thyself
Numerous government breaches, like the ones affecting the State Department, White House email, and the OPM, have proven that attackers can infiltrate government networks and hijack the accounts of key government employees; government defenses are clearly less than perfect. Shouldn’t they be spending more time building up their own defenses rather than knocking down their citizens’?

When governments make commercial software and public networks part of their “cyber battleground,” they expose private citizens and organizations to the “war.” Unfortunately, I expect future “state-sponsored” attacks to include private targets, as we saw with Sony Pictures in 2014. With governments weakening the security of consumer products, how will their citizens survive such attacks?

The very act of promoting a red team responsible for carrying out cyber attacks is at odds with the motivation for building a defense team. (A corporate red team exists to report what it finds to the defenders; a government attack team has the opposite incentive.) By definition, such a team is motivated to find ways to defeat defenses and, more importantly, to stockpile and hide those attack techniques so that it can keep using them. How do you fix a problem you don’t know about, when it’s in the red team’s best interest to keep that problem hidden?

If a government red team finds a new zero-day flaw in commercial software, will it share the flaw with the vendor so we can fix it and all be safer, or will it hold onto the flaw for its next attack campaign, leaving the door open for other bad actors to find and exploit it as well? Do governments realize that leaving their citizens exposed to such flaws will likely affect their own country as well? I would like to think the answer is yes, but hearing of authorities around the world using blackhat hacking techniques to catch criminals makes me think otherwise.

Yes, it’s great that we caught a nasty criminal, but do you realize how much public safety you might be sacrificing so the police can hang on to their favorite 0day?

In my opinion, the ends don’t always justify the means. If the means require citizens of a free democracy to sacrifice privacy, freedom, and security for the sake of some vague notion of safety that governments can never really deliver, I say to heck with those means.

Rather, if governments are really serious about our digital security, they need to get serious about information security. They should spend their time making Apple’s, and every other public and private vendor’s, security features stronger; they should promote strong encryption, with no master keys, that protects all citizens’ communications; and they should find, report, and help fix every zero-day vulnerability they can, so that no terrorist or nation state can leverage it to gain asymmetric power over others.

As I believe Gibney’s documentary will illustrate (and as I argued a year ago), Stuxnet opened the Pandora’s box of the cyber arms race. If we want to close that box, we should focus less on arms and more on building better armor.


Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog.
Comments
3/7/2016 | 8:02:51 PM
Re: John McAfee
BTW, an update to my response in which I said McAfee's claims about hacking the iPhone 5c were all bluster... Turns out I was on to something... A new article just came out in which he said he lied about it to get more attention on the issue... I can't share the direct link, but you can find it on The Daily Dot, titled:

John McAfee lied about San Bernardino shooter's iPhone hack to 'get a s**tload of public attention'

3/4/2016 | 5:28:30 PM
Re: John McAfee
I think it's all bluster... As another security expert already said, if McAfee really had someone who could crack the iPhone 5c, he'd actually use a real 5c and do a video proof-of-concept (PoC) on that phone to prove it. In other words, pics, or in this case, video, or it didn't happen...


That said, sure, it's theoretically possible that there is a vulnerability somewhere in iOS that a researcher finds one day, but until McAfee shows a PoC, I assume it's all talk...

3/4/2016 | 5:24:24 PM
Re: Ends Don't Justify the Means
I actually think intelligence gathering attempts are proper in this case.

I honestly don't care about the privacy of a dead terrorist and murderer... So I don't think there is anything wrong with the FBI having all the terrorist's stuff and trying to break into this phone... However, I do think asking an external third party to specifically break a security control and take on the undue burden of designing a special operating system for this one case is too much...

I do care about the privacy of Apple's millions of other customers. So while the FBI does keep insisting this special firmware will only be for this one phone, I think this would set a precedent for many others, which may not be as clear-cut as this one terrorist case... Plus, it doesn't even address how much of a burden a private company needs to bear to support the authorities... If they do decrypt this one phone, and then authorities come to Apple with hundreds of other phones, next thing you know Apple is spending all its time and money on something that is really not its business... So besides the fact that the existence of this technique makes everyone's phones less safe, we need to also consider the burden on a private business that had nothing to do with the attack.

3/2/2016 | 8:20:15 AM
Ends Don't Justify the Means
I agree with you that in this case the ends do not justify the means, because they jeopardize the privacy of so many others. But when is intelligence gathering the proper course of action? The phone in question could harbor data that may lead to the potential saving of lives, etc.

3/2/2016 | 8:13:30 AM
John McAfee
Is there truth in that John McAfee interview about the ability to crack into an iPhone? Logically, what he is saying makes sense, but I think he is oversimplifying the process of cracking into the phone.