Three Public Policy Recommendation for Privacy & IT Security

5 December 2015

As many in the UK are fighting a rear-guard action to prevent the most shocking provisions of the IP Bill becoming law (incl. secrecy and loose definitions), I was invited to provide three public policy recommendations for strengthening IT security in the EU. Instead of trying to limit specific powers (such as backdoors) here are some more radical options, more likely to resolve the continuous tug-of-war cyber civil liberties and the security services have been engaging in a while.

1) Total disentanglement of institutions relating to IT security and assurance from those in charge of interception, signals intelligence and “offensive” operations, to prevent irreconcilable conflicts of interest.

One of the key public policy challenge of our time is that a number of nations hosting large parts of the IT industry, conflate the institutions in charge of domestic assurance, and those in charge of foreign and national security signals intelligence (eg. GCHQ/CESG, NSA/ NCSC). Even beyond the realm of sigint, and much more widely, there is a systemic confusion within national bodies (police, CIP, …) in charge of quality engineering and assurance, and those in charge of the investigatory and offensive side of things. Yet, the conflits of interest between those two entirely different missions are irreconcilable: attackers’ jobs become easier by weakening widely deployed infrastructures (particularly those used by the public in case of LE, or foreign nations in case of SIGINT), while those in assurance always aim to build system that could not be compromised even by themselves. Conflating those two roles into single institutions, in particular those that put the emphasis on offense, creates incentives to subvert any assurance process and make it subservient to the offensive goals. This includes participation in standardization, advice to industry, briefing the press, parliament of the executive, and advice on legislative changes.

It is therefore imperative, to strongly separate IT offense and defence institutions and create an effective “Chinese wall” between the two functions of states. Spies can spy and hack – that is the sovereign right of states. However, the same people and organizations should have no influence on the standards, research funding, incubation funding, procurement, design advice, and any other activities involved in IT assurance. Assurance activities should proceed as if that part of the state did not exist, even if that means that offensive operations may become harder (which is usually the goal of assurance). Defensive institutions should be fully civilian, open, and have working and hiring practices in-line with the rest of the global IT industry. They should be geared towards global open cooperation, as well as open cooperation with the IT industry and academia.

There are a couple of objections to this policy that I would like to discuss. First, there is a fallacious argument that those best in offense are also the best in defence, and therefore it “makes sense” to have the same institutions responsible. While, this may have been true at some point, today the open security community is extremely apt in both attack and defence, and there are no special “dark arts” that are the mere prerogative of the state. In fact a lot of offensive know-how in government comes from private contractors. Thus defenders have ample information and opportunities for training (including in offense), and can coordinate widely amongst themselves — something that is not possible if their roles also involve offensive operations against each other. A similar argument is that talent is limited, and thus one has to conflate the roles: however, the shortage of talent to work on offence is compounded by the needs to keep national secrets, while defensive institutions can align their hiring practices (and all other practices) with the hiring practices of state of the art security teams in academia and industry – without nationality restrictions or burdensome clearance requirements. Finally, the job of defence against all attack is significantly different than the job of offence, when one weaponises and keep secret a small number of attacks.

2) Mechanisms for the establishment of enforceable or consequential, open, public, and peer-reviewed engineering norms in IT security and privacy based on evidence.

Since IT is taking an increasingly important social role, and security problems are likely to affect life very soon, it is high time to apply to it models of engineering excellence regulation as those seen in the construction, aviation, automotive, health or other industries. However, due to its high specialty and complexity it is imperative that IT security is regulated in ways that are effective to foster excellence and not in fact detrimental to it – for example innovation in the adoption of better techniques should not be inadvertently slowed-down.

One key model that a large part of the IT world has adopted is to use “openness” as a means to achieve excellence in design, architecture and implementation of security systems: open standards that all can see, open competitions to decide on ciphers, open source code, and nowadays even high-integrity systems that make operational data open such as bitcoin and certificate transparency. Given the complexity of certification, and the dynamic nature of software, only such radical openness can guarantee high-assurance in the long term. Note however, that even though the designs and artefacts may be open it may be prudent to protect the IP rights of their owners: thus to truly embrace openness state institutions may wish to provide IP protections – in the same spirit that the parent system used to provide protections for publishing inventions (even though this specific model is inappropriate for IT).

In line with openness as an assurance mechanisms, policy makers may wish to establish a number of rights to support it: first in a high-tech world more and more devices are opaque to their users and call upon third services to be useful. It should be established as a right that if a customer or citizen may be affected by a technological artefact that have the right to know what it does and how it works. This is in effect the high-tech equivalent of saying “people have the right to study physics” – yet the right to fully understand ones technical surroundings is in fact not protected, and threatened by inappropriate IP provisions. This right is particularly important if a technology has the potential to impact the security, safety or privacy of a person. Secondly, it should be established, and enforced that security is not enhanced by secrecy, but in fact that secrecy of the mechanisms (but not some operational details like keys) usually weakens assurance.

3) Public promotion and use by public bodies of architectures that embody PETS, and that provide security and privacy guarantees even if those public bodies become compromised.

Public bodies should embrace technologies that protect privacy and integrity in a very strong sense, even by themselves. A key reason computer security is in a dire state is the wide spread use of a model by which organizations are “crunchy on the outside, and soft on the inside”: namely once an attacker manages to get “inside” they have free reign to exfiltrate or change information. Instead modern security systems emphasize a “defense in depth” approach, that ensure no single partly or system, or small coalitions thereof, can compromise privacy or integrity.

Public bodies should lead the way in adopting such systems: for example citizens should be allowed to discuss matters with government services through end-to-end encrypted channels, and anonymous access to on-line services (where appropriate) should be supported; selective disclosure credentials should be used for government authentication and authorization; high-integrity distributed cryptographic ledgers should be used to keep information safe.

All these technologies ensure that single component failure or compromise has little effect on the service and citizen security, strengthening our infrastructure against foreign (and domestic) powerful adversaries. Their acquisition is likely to stimulate an EU industry to become fluent in the engineering of such systems providing it with a competitive advantage over other IT industries.