Denis Mandich, CTO of Qrypt, a quantum cybersecurity company, founding member of the Quantum Economic Development Consortium and CQT.
Cybersecurity is entering the quantum era with a legacy of backdoors and deeply flawed code, often decades old, which government directives on the software bill of materials (SBOM) are meant to solve. These are regularly exposed through basic research and, most recently, in a global standard for encrypted communications serving the military, police and critical infrastructure.
The conundrum is the software was developed by the European Telecommunications Standards Institute (ETSI), which presumes a level of trust and reliability. Since there would be no red flags in the SBOM for any ETSI-approved and validated products, is this box-checking process just another spreadsheet and more security theater?
It is increasingly difficult to have an honest debate when thoroughly understood and accepted terminology becomes malleable to the point of arbitrary meanings used on an individual basis. Zoom famously had its own definition of end-to-end encryption, which included issuing encryption keys from servers in China for U.S.-only video conferences, resulting in a $85 million fine.
A quick look at the NSA’s website on “Selecting and Safely Using Collaboration Services for Telework” reveals the caveat emptor problem. It is not revealed until reaching the bottom of the page: “The government has not undertaken any testing or evaluation of the products listed under this analysis, but has only reviewed the published attributes of the products.” Many of the products are FedRAMP certifications. Considering the scrutiny these tools withstood, who is accountable when the next Heartbleed happens in the open-source community?
Terrestrial Trunked Radio (TETRA) is the ETSI global communications standard for emergency services, public safety, military, critical infrastructure and much more. It is used by almost every NATO country and all nuclear-armed nations, including Russia, China, Pakistan and India, where the majority of all the nuclear weapons ever made are currently deployed.
A small team of Dutch researchers recently discovered one of the TETRA proprietary and unpublished cryptographic algorithms in use since the 1990s is backdoored. ETSI described it as an undisclosed but intentional weakening of the security guarantees for the purposes of export approval to some unwitting clients. The Orwellian doublespeak was even more astounding when the full list of critical vulnerabilities was revealed, including a hacker’s dream set: flawed authentication, deanonymization, tracking, and encryption key weakening.
These defects are approaching three decades of use and market penetration and were almost certainly known to sophisticated attackers employing the reliable “harvest now, decrypt later” methodology. No quantum computers are required—just a cheap laptop.
The obvious problem is now everyone knows, and this is a global system in areas of high terrorist activity, war zones and nation-state threats. No one should consider this an operational success because we want both our nuclear-armed adversaries and allies to have the best security possible. The CIA will not use this access to steal nukes or get materials for radiological weapons, but I’m sure ISIS will try. Again.
Some of ETSI’s commentary is even more troubling, suggesting the users should have known something was wrong because there were multiple encryption tools available—effectively victim blaming. Given the choice, what safety organization would choose the weakest option?
The advertised level of security was 80 bits, but in practice, the entropy was lowered to only 32 bits for generating encryption keys. Even in the 1990s, 56-bit DES and RSA-155 (512) bits had already been broken, making arguments for issuing a 32-bit system inexplicably. Surely the cryptographers involved in this process were not incompetent.
Additional vacuous statements report there were no exploits known nor data exposed, implying adversaries like intel agencies and hackers would disclose their secret access and exactly the information compromised. Who pays the remediation costs, fines and other expenses for this bomb in the SBOM? The spreadsheet would have been clear of alerts.
Trust in the SBOM must run deep—down to the components in each software package—because backdoors pose a significant threat to large enterprises. These may lead to network breaches, persistent access and the compromise of critical systems. A prevention strategy requires a comprehensive and proactive approach leveraging corporate leadership and the security team:
• Implement secure development practices during the software life cycle. Coding standards, secure design principles and regular reviews will minimize the introduction of new vulnerabilities and detect industrywide emergent issues.
• Embrace code audits. Skilled professionals capable of identifying suspicious code and vulnerabilities must be included in the process because backdoors may be inserted intentionally or inadvertently through third-party packages.
• Vendor verification is essential and must include rigorous procedures for vetting. This may incorporate an assessment of their security practices and review of their components and providers, including the origin of all their suppliers.
• Adopt zero-trust architecture. This will minimize the damage and access any backdoored software may hope to leverage. Strong identity verification, device health and contextual requirements across the enterprise will often prevent unauthorized access.
• Encryption and segmentation: These operate on the assumption some fraction of the network is already compromised. Restricting the reach and utility of any captured data and accessible networks will mitigate the damage even on breached systems.
• SBOM documentation: Regulatory compliance can be driven by industry organizations and the government, but it will take time to establish standards. SBOM documentation is an essential foundation for best practices.
If “democracy dies in darkness,” and that includes lies of omission in reporting, then cybersecurity suffers the same fate with backdoors. The corollary is “don’t roll your own crypto” even if well-intentioned. The arguments for weakening encryption to make law enforcement easier falls demonstrably flat, with TETRA just the latest example. Secrets rarely stay that way forever, and sensitive data is more remotely accessible than at any time in history. Privacy and global security affect us all, and the existence of these single points of failure in our cybersecurity efforts are unsustainable and will have unforeseeable consequences. We need to innovate and evolve the internet away from this model to have durable security assurances.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Read the full article here