Press Release: Digital Infrastructure should integrate Malware

Sanna/ July 22, 2020/ Conference, Press, Security

The German government wants to force Internet providers to install malicious software and intercept network traffic.

MYK-78 "Clipper chip" Package Markings, photographed by Travis Goodspeed.Since the 1990s, there has been a constant struggle between authorities and security experts. One side wants to make digital infrastructure, especially data transport and communication, as secure as possible for business and society. The other side constantly strives for back doors to intercept data and correspondence. The fight for access to secure data transmissions, originally titled “Crypto Wars” is entering the next round. The German federal government has created a draft law that is intended to legally force Internet providers and companies with related activities to distribute malware and manipulate network traffic. In future, the installation of apps on smartphones or automatic software updates can compromise computer systems. This destroys the basis of digitalisation – with far-reaching consequences for society and the economy.

The Oil of the 21st Century stirs up Greed

According to highly simplified slogans from politicians, data is the oil of the 21st century. The comparison limps, because no energy can be obtained from data; instead data just uses energy. However, the German draft law is not about economic benefits. The opposite is the case. On the surface it is being discussed that investigative authorities need access to communication between people and data stored on local devices. The documentation of government measures for espionage by Edward Snowden has led to far-reaching improvements in information technology in the past 7 years. The encryption of your own data has been retrofitted in many products. In addition, companies and private individuals have increasingly switched their correspondence and communication to encrypted channels. The most critical point in the implementation is the so-called end-to-end encryption (“E2E Encryption”). Cryptographic methods are only really secure if there is no back door – in the form of a duplicate/recoverable key – or no way of guessing the key (s).

Based on Snowden’s revelations, the manufacturers of smartphone operating systems, software development methods and the Internet Engineering Task Force (IETF) have incorporated many improvements in protocols and algorithms. For example, against strong opposition from lobbyists when specifying the new Transport Layer Security (TLS) Version 1.3, the IETF made sure that no more unsafe methods are allowed. TLS is the basis for encrypted websites (recognizable by the HTTPS prefix). It is the basis of telebanking, web shops, communication with authorities, all kinds of portals, e-mail traffic, video streaming, teleconferencing, and much more. All modern systems now support end-to-end encryption. This is exactly the motivation for the legislative proposal to call for back doors for all these areas of application.

Worldwide Attack against E2E

Germany is not alone when it comes to attacks against secure systems. In the United States, Republican Senator Lindsey Graham has introduced a law that prohibits secure encryption in chat systems and messengers. The prohibition, as is so often the case, is only expressed indirectly. Third-party access to the transmitted and stored data is required. This wording does not change the purpose. Both a digital attack and the provision of data according to official requests are technically the same procedure. One actually weakens information security with these laws in general. The German draft law, for example, stipulates that malicious software is delivered to end devices via manipulated software updates. Apart from the technical aspects, there are unresolved legal consequences. Who is liable for damage caused by federal malicious software? Who bears responsibility if this mechanism is exploited by criminals? These predetermined breaking points of security would then apply to all areas – from hospitals to companies to private households. Information security is being eliminated nationally.

Infrastructure, be it digital or analogue, will always be part of legal and illegal activities. Motorways are used both by emergency services and for the transport of stolen goods. The same applies to power supply, the Internet, water supply, traffic, transportation, food supply, banking and telephony. Nevertheless, communication networks are in the spotlight. The current bills show how little understanding there is of the history of surveillance and the analog world. The US government legally and technically implemented the monitoring of cellular networks in the 1990s. The reason was the action against organized crime, above all drug smuggling. The effect was that organized crime switched to alternative communication methods. The damage remains to those who cannot protect themselves and have protection needs. In this specific case, it will affect its own citizens and companies, which the state must actually protect by law.

Gateway to Industrial Espionage

The systematic installation of back doors and the dismantling of security measures has far more far-reaching consequences. The longstanding discussion about the upcoming 5G technology shows it clearly. The company Huawei is accused by the USA of delivering its 5G products with undocumented access to the mobile phone networks. The focus is on the accusation of espionage. At the same time, Western governments are drafting laws to weaken their own digital infrastructure and allow third parties unrestricted access to the data. Even the Austrian federal government has the examination of the use of state malware for monitoring in the government program. And it doesn’t stop at national efforts. A confidential document from the EU Council of Ministers dated 8 May 2020 describes the strategy for Europe. Encrypted data carriers, end-to-end encryption, cross-platform encryption, self-developed software and encrypted Internet protocols are listed as critical barriers for government investigations. Exactly these components are the foundation of an implemented information security. The absence of basic technologies to secure data and correspondence is based on the mathematical methods of cryptography. They are an integral part of modern IT infrastructure – both for authorities and companies.

Return to Reality

People need privacy, so they have a legal right to it. Companies need legal certainty for their projects, products and services. This includes all communication. Remote work and teleconferencing systems have become critical tools through Covid-19 safeguards. Also data center operators must not be forced to install back doors in systems. Legally mandated prying out of security standards also endangers Europe as a technology location. British and Australian laws have already made it impossible for software products developed in these countries to be used safely due to legally required access by third parties.

The discussion in no way addresses an important aspect that law enforcement officers and security experts share. Information security must also defend itself against attacks and find evidence of compromised systems. Nevertheless, companies rely on strong encryption. This is not a contradiction. In November, at this year’s DeepSec In-Depth Security Conference, approaches will be discussed again and experiences exchanged. Cryptography is a fundamental issue and must remain part of secure infrastructure without back doors.

Spicy detail on the side: The German state of Schleswig-Holstein and the German Armed Forces want to use the Free Software Matrix for their communication. The latter would like to use Matrix explicitly for messages that are classified as confidential. This raises the legitimate question of how the concerted attack on IT security by other authorities fits into the picture.

Programs and Booking

The DeepSec 2020 conference days are on November 19th and 20th.

The DeepSec trainings take place on the previous two days, November 17th and 18th.

The DeepINTEL Security Intelligence Conference will take place on November 18.

The venue for the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order tickets for the DeepSec conference itself and the training sessions at any time under the link https://deepsec.net/register.html.

Please note that due to planning security we are dependent on timely ticket orders.

Share this Post