#RSAC Keynote: The Cryptographer’s Panel

At the RSA Conference in San Francisco, on February 14, 2017, a panel of noted cryptographic scientists addressed current opportunities, challenges and policy implications of cryptography as a critical cyber security tool.

The panel:

  • Paul Kocher, President and Chief Scientist, Cryptography Research division of Rambus (Moderator)
  • Whitfield Diffie, Cryptographer and Security Expert, Cryptomathic
  • Susan Landau, Professor of Cybersecurity Policy and Professor of Computer Science, Worcester Polytechnic Institute
  • Ronald Rivest, IT Institute Professor, MIT
  • Adi Shamir, Borman Professor of Computer Science, The Weizmann Institute, Israel

Kocher opened with the insight that with the exponential growth in vulnerable devices and attackers, cryptographic algorithms offer one bright spot in the war against cyber threat.

Kocher: What are your predictions for how artificial intelligence will change computer security?

Rivest: I’m skeptical there will be much impact. We’ve seen already with the recent election, there are AI bots adding information and disinformation.

Landau: The real problem is that machine learning is effective at dealing with lots of data, but the attacks we’re dealing with are anomalous solutions. AI probably won’t be useful there.

Borman: When you talk about finding deviations from normal behavior, AI will be very useful in comparing all kinds of strange behaviors, finding deviations, and warning about them.

Kocher: What are your thoughts about risks and advancements in quantum computing?

Rivest: It’s hard to tell how fast the field is moving. The NSA has been adjusting Suite B in response to expected quantum advancements; quantum cryptography does not seem to be moving as fast as computational cryptography.

Borman: It could turn out that by 2013 computers could break what are quantum-proof schemes we’re developing now. There are so many possibilities about what could happen in 20 to 30 years. I don’t worry too much about quantum now.

Landau: I’m not seeing deep enough mathematical research behind quantum resistant algorithms, and that concerns me.

Kocher: What are the real problems with the voting system today?

Rivest: Voting is interesting in many respects. The ability to check that your hardware and software is doing what it’s supposed to via post-election audits is essential. It should be applied universally, but we’re a long way from that. We need to learn how to exercise good hygiene and best practices. We didn’t do that during this last election.

Landau: If we look back to the fall of the Soviet Union, the West saw what happened as good for developing democracies. But the Russians saw it as war by other means. Now it’s a Russian strategy to attack the US and the West via war by other means. The way the information was used was new – the drip, drip, drip of the emails coming out, which had a tremendous effect on the election. We have civic organizations, think tanks and universities that were attacked. It’s a much broader swath of society to protect. These attacks won’t be effective against an autocratic government. This kind of attack works best against open, wired societies.

Kocher: After the Apple/FBI controversy last year, what are your thoughts on the attack on security as corporations practice it?

Landau: The FBI argued strongly that the only way to get into just that one phone was for Apple to update the security. It turned out there were many more phones they wanted to get into. In the end, a Cambridge researcher did it with $100 worth of technology he bought on eBay.

Borman: There were rumors that an Israeli company helped the FBI extract information from that phone, and by doing so it became a target and got hacked, with many of its tools released on the internet.

Kocher: US Attorney General Jeff Sessions says it’s critical that national security and criminal investigators be able to overcome encryption. What are the policy implications?

Rivest: To me it means the government wants a back door. There was a joint bi-partisan report from the House Judiciary Committee working with the Energy and Commerce committees, with four key conclusions:

1) Any measure that weakens encryption works against the national interest

2) Encryption technology is global and widely increasing around the world

3) There’s no one size fits all solution for encryption

4) Congress should encourage cooperation between technology companies and law enforcement

Borman: If companies put back doors in products they’ll be shooting themselves in the foot. It’s an international game. It may be strongly influenced by the US, but there are many countries involved.

Kocher: Apple and Google have announced they’re using Differential Privacy to help protect user data. Can you explain what that is?

Landau: The principle is that you’ve smudged the data a little bit, so it’s still useful to whoever is collecting it, but you add noise to hide the identity of an individual. If someone is in the group or not in the group it’s impossible to tell. The smudging can sometimes not be executed well – and then maybe you don’t get the useful answer out.

Borman: If you have sensitive databases, and you want to share with certain third parties like researchers, you can smudge a little bit. But it wouldn’t work with governments who can force entities to turn over data.

Kocher: If someone hacks us, should we hack back?

Diffie: I think we’re going about everything the wrong way. Defensive techniques that ‘look like’ cryptography, in particular logical, proven, correct code, are vastly underrated. If anything like the resources currently being spent on security were spent on improving the logical functioning of devices, which is largely making a very big improvement in the quality of programming, we’d get much better results.

Borman: I’m completely against hacking back in revenge. My government should work to understand the plans and tools of the attackers [before attacks].

Landau: I’m heartened by the efforts for usable security like Duo, which uses 2nd factor authentication. Their customer target is small businesses that aren’t technically sophisticated. Products like this will allow naïve users to understand what’s happening and how to protect themselves. Usability is extremely important.

Rivest: It takes a large team to fight back and develop the tools we need. We must invest in education and security, and focus on people.
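The differential privacy exchange above (Landau’s "smudging" and the Apple/Google deployments Kocher asks about) can be made concrete with a small worked example. The code below is an added illustration, not code from the panel and not Apple’s or Google’s implementation: it shows randomized response, the local-model technique where each user perturbs their own bit before it leaves the device, and the Laplace mechanism, the central-model technique where a curator adds noise to a count query. Function names, the parameter `p` (probability of answering truthfully) and the sample population are constructed here; the privacy-loss formulas are the standard ones for these two mechanisms.

```python
"""Added differential privacy illustration (constructed example, not from the panel).

Two mechanisms are shown:
  * randomized response  - local DP: each user smudges their own answer.
  * Laplace mechanism    - central DP: the data holder smudges an aggregate count.
Both let an analyst recover a useful aggregate while bounding what any single
individual's presence or absence can change in the released output.
"""
import math
import random


def rr_epsilon(p: float) -> float:
    """Privacy loss (epsilon) of randomized response that reports the true bit
    with probability p and otherwise reports a fair coin flip.
    P[report=1 | x=1] / P[report=1 | x=0] = (p + (1-p)/2) / ((1-p)/2) = (1+p)/(1-p).
    Smaller p means a weaker link between report and truth, i.e. smaller epsilon."""
    if not 0.0 <= p < 1.0:
        raise ValueError("p must be in [0, 1)")
    return math.log((1.0 + p) / (1.0 - p))


def randomized_response(true_bit: int, p: float, rng: random.Random) -> int:
    """One user's smudged report. The collector never sees the true bit directly."""
    if rng.random() < p:
        return true_bit
    return rng.randint(0, 1)


def estimate_count(reports, p: float) -> float:
    """Unbiased estimate of the true number of 1s from smudged reports.
    E[report] = p*x + (1-p)/2, so E[sum] = p*T + (1-p)*n/2; solve for T."""
    n = len(reports)
    return (sum(reports) - (1.0 - p) * n / 2.0) / p


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF: X = -scale * sgn(u) * ln(1 - 2|u|)."""
    u = rng.random() - 0.5
    if abs(u) >= 0.5:          # guard the measure-zero edge case u == -0.5
        u = -0.4999999
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_count(true_count: int, epsilon: float, rng: random.Random) -> float:
    """Central model: release count + Laplace(1/epsilon). A count has sensitivity 1
    (adding or removing one person changes it by at most 1), so this is epsilon-DP."""
    return true_count + laplace_noise(1.0 / epsilon, rng)


def privacy_loss(output: float, count_a: int, count_b: int, epsilon: float) -> float:
    """|ln f_a(output) - ln f_b(output)| for the Laplace mechanism on two neighbouring
    databases whose true counts are count_a and count_b. With scale b = 1/epsilon the
    log-densities differ by (|output-count_b| - |output-count_a|)/b, which is bounded
    by epsilon*|count_a - count_b| regardless of the output value observed."""
    scale = 1.0 / epsilon
    return abs(abs(output - count_b) - abs(output - count_a)) / scale


def local_dp_demo(seed: int = 7):
    """Constructed population: 10,000 users, 3,000 of whom have the sensitive bit set.
    Returns {p: (epsilon, estimated_count)} to show the privacy/utility trade-off:
    lower p gives smaller epsilon but a noisier estimate ("smudging not executed well"
    at the extreme means the answer is no longer useful)."""
    rng = random.Random(seed)
    n, true_ones = 10_000, 3_000
    bits = [1] * true_ones + [0] * (n - true_ones)
    rng.shuffle(bits)
    results = {}
    for p in (0.9, 0.5, 0.1):
        reports = [randomized_response(b, p, rng) for b in bits]
        results[p] = (rr_epsilon(p), estimate_count(reports, p))
    return results


def central_dp_demo(seed: int = 1, true_count: int = 100, epsilon: float = 1.0) -> float:
    """Release one noisy count from a seeded generator so the run is reproducible."""
    return laplace_count(true_count, epsilon, random.Random(seed))


if __name__ == "__main__":
    for p, (eps, est) in local_dp_demo().items():
        print(f"p={p:.1f}  epsilon={eps:.3f}  estimated ones={est:.0f} (true 3000)")
    print(f"noisy central count: {central_dp_demo():.2f} (true 100)")
    print(f"worst-case privacy loss at output 50 for counts 100 vs 101, eps=1: "
          f"{privacy_loss(50.0, 100, 101, 1.0):.2f}")
```

Running the demo shows the trade-off Landau describes: at p=0.9 the estimate is within a few dozen of the true 3,000 but epsilon is about 2.9; at p=0.1 epsilon drops to about 0.2 and the estimate can be off by several hundred. The `privacy_loss` function makes the central-model guarantee checkable: whatever noisy count is published, the log-likelihood ratio between "this person is in the data" and "this person is not" never exceeds epsilon.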
