I wrote recently in Wired about the many problems with an FBI proposal to require Internet providers to render their services more wiretap-friendly. Perhaps chief among these is the deleterious effect such a mandate would have on cybersecurity.
This is so, first, because it would tend to push companies away from design choices that make a system more resilient or secure but harder to intercept. If you risk massive fines when you can’t cough up user communications, that’s a powerful incentive to prefer server-side over end-to-end encryption, centralized routing over peer-to-peer, and closed over open standards and source code. Second, as 20 renowned computer scientists and security experts also pointed out in a letter released last Friday [PDF], the surveillance interface companies create to comply with orders can itself become an attractive “attack surface” subject to exploitation. The primary concern there, of course, is that lawful intercept code can be hijacked by a third party to enable their own surveillance—but it can also be a source of information about government investigations for hackers in the service of foreign powers.
Lo and behold, The Washington Post reports today that a successful 2010 hack against Google, believed to have originated in China, also compromised a sensitive database of information on accounts that had been flagged for national security surveillance. That’s a boon to any foreign government looking to discover which agents have had their covers blown and which remain undetected—and something worth throwing considerable hacking resources at. It’s not clear whether the attackers were also able to use any internal law enforcement interface to assist them in targeting the accounts of Chinese dissidents, which is the part of the attack that had been previously reported.
Defenders of the FBI proposal tend to pooh-pooh security concerns raised about requiring such backdoors: Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities. But if a company like Google, with its massive financial resources and a stable of some of the smartest coders anywhere, can be victimized in this way, how realistic is it to expect thousands of Internet startups to achieve better security?