Intense debate for over two decades has focused on the proper balance between privacy, security, and law enforcement access to the personal and confidential data and communications of individuals and entities stored on electronic devices with strong encryption. New authentication, storage, and encryption technologies on PCs, smartphones, and other computing devices can make it impossible for law enforcement to access encrypted data, even with a valid search warrant. The government asserts that this situation is undermining national security and has suggested that the software on computing devices should have a “backdoor” that would enable law enforcement access to encrypted data. Critics charge that these backdoors would provide a means for hackers to compromise the devices and steal sensitive and private data: if backdoors are built in for law enforcement, they will be available to everyone, and such blunt instruments represent uncontrolled cybersecurity threats. This panel describes the current state of the encryption debate and the positions of the various stakeholders. It outlines existing federal, state, and global encryption requirements, and identifies the available technology options for the protection of personal and confidential communications, including encryption. Panelists examine how law enforcement can fulfill its broad responsibilities to conduct investigations under civil and criminal laws, and identify the gaps that arise when strong encryption is used. The panel assesses U.S. and global “lawful access” laws and technology proposals to strike a proper balance between the use of strong encryption and the need to protect the public interest and national security.
PRIVACY IN AN AGE OF ZERO TRUST WEBINAR SERIES
Zero Trust? Encryption and Other Approaches to Protecting Private Data and Communications
Panelists
- Eric A. Hibbard, Director, Product Planning - Storage Networking & Security, Samsung; Council Member, ABA Science and Technology Law Section
- Susan Landau, Bridge Professor in Cyber Security and Policy, The Fletcher School and School of Engineering, Department of Computer Science, Tufts University
Moderator
- Lucy L. Thomson, CISSP, Founding Principal, Livingston PLLC; 2012-13 Chair, ABA Science and Technology Law Section; Editor, ABA Data Breach and Encryption Handbook
Joint Sponsor: ABA Science and Technology Law Section
Co-Sponsors: ABA Center for Public Interest Law, ABA Criminal Justice Section
Resources
The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Third Edition
Keys Under Doormats Security Report | The MIT Press
Bugs in our Pockets: The Risks of Client-Side Scanning | arXiv
Listening In: Cybersecurity in an Insecure Age | Professor Susan Landau
Rethinking Encryption | Lawfare Blog
New Perspectives on the Future of Encryption | Lawfare Blog
Moving the Encryption Policy Conversation Forward | Encryption Working Group of the Carnegie Endowment for International Peace
Privacy on the Line: The Politics of Wiretapping and Encryption | The MIT Press
How the Netherlands Is Taming Big Tech | The New York Times
CRSJ Chair Chat with Susan Landau on Encryption
ISO/IEC 10116:2017, Information technology — Security techniques — Modes of operation for an n-bit block cipher
ISO/IEC 15408-1:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
ISO/IEC 15408-2:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components
ISO/IEC 15408-3:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components
ISO/IEC 15408-4:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities
ISO/IEC 15408-5:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 5: Pre-defined packages of security requirements
ISO/IEC 11770-1:2010, Information technology — Security techniques — Key management — Part 1: Framework
ISO/IEC PWI 17603, Confidential computing
ISO/IEC 18033-3:2010, Information security — Security techniques — Encryption algorithms — Part 3: Block ciphers
ISO/IEC 18045:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation
ISO/IEC 18367, Information technology — Security techniques — Cryptographic algorithms and security mechanisms conformance testing
ISO/IEC 19790, Information technology — Security techniques — Security requirements for cryptographic modules
ISO/IEC 19896 (all parts), IT security techniques — Competence requirements for information security testers and evaluators
ISO/IEC 20540, Information technology — Security techniques — Testing cryptographic modules in their operational environment
ISO/IEC 20543, Information technology — Security techniques — Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408
ISO/IEC 20648, TLS specifications for storage systems
ISO/IEC 24759, Information technology — Security techniques — Test requirements for cryptographic modules
ISO/IEC 27040, Information technology — Security techniques — Storage security
ANSI INCITS 462-2010: Information Technology - Fibre Channel - Backbone - 5 (FC-BB-5)
NIST Federal Information Processing Standards (FIPS) Publication 140-3 (FIPS PUB 140-3), Security Requirements for Cryptographic Modules
NIST Federal Information Processing Standards (FIPS) Publication 180-4 (FIPS PUB 180-4), Secure Hash Standard (SHS)
NIST Federal Information Processing Standards (FIPS) Publication 197 (FIPS PUB 197), Advanced Encryption Standard (AES)
NIST Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation
NIST Special Publication (SP) 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
NIST Special Publication (SP) 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
NIST Special Publication (SP) 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
NIST Special Publication (SP) 800-57 Parts 1-3, Recommendation for Key Management
NIST Special Publication (SP) 800-88, Guidelines for Media Sanitization
NIST Special Publication (SP) 800-107, Recommendation for Applications Using Approved Hash Algorithms
NIST Special Publication (SP) 800-111, Guide to Storage Encryption Technologies for End User Devices
NIST Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths
NIST Special Publication (SP) 800-132, Recommendation for Password-Based Key Derivation Part 1: Storage Applications
NIST Special Publication (SP) 800-140, Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759
NIST Special Publication (SP) 800-140A, CMVP Documentation Requirements: CMVP Validation Authority Updates to ISO/IEC 24759
NIST Special Publication (SP) 800-140B, CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B
NIST Special Publication (SP) 800-140C, CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759
NIST Special Publication (SP) 800-140D, CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759
NIST Special Publication (SP) 800-140E, CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790 Annex E and ISO/IEC 24579 Section 6.17
NIST Special Publication (SP) 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759
NIST Special Publication (SP) 800-190, Application Container Security Guide
NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes
IEEE 1619-2018, IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
IEEE 1619.1-2018, IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices
IEEE 1619.2-2021, IEEE Standard for Wide-Block Encryption for Shared Storage Media
IEEE 2883-2022, IEEE Standard for Sanitizing Storage
IETF RFC 1334, PPP Challenge Handshake Authentication Protocol (CHAP)
IETF RFC 2246, The TLS Protocol Version 1.0
IETF RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH
IETF RFC 2406, IP Encapsulating Security Payload (ESP)
IETF RFC 2451, The ESP CBC-Mode Cipher Algorithms
IETF RFC 3686, Using Advanced Encryption Standard (AES) Counter Mode
IETF RFC 3821, Fibre Channel Over TCP/IP (FCIP)
IETF RFC 3723, Securing Block Storage Protocols over IP
IETF RFC 4171, Internet Storage Name Service (iSNS)
IETF RFC 4346, The Transport Layer Security (TLS) Protocol Version 1.1
IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2
IETF RFC 7143, Internet Small Computer System Interface (iSCSI) Protocol (Consolidated)
IETF RFC 7144, Internet Small Computer System Interface (iSCSI) SCSI Features Update
IETF RFC 7146, Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3
OASIS Key Management Interoperability Protocol Specification Version 2.1
OASIS Key Management Interoperability Protocol Profiles Version 2.1
Storage Networking Industry Association (SNIA), Storage Security: Fibre Channel Security, Draft
Storage Networking Industry Association (SNIA), Storage Security: Sanitization
National Security Agency (NSA) Cyber Security Directorate (CSD), Commercial Solutions for Classified (CSfC) Data-at-Rest (DAR) Capability Packages (CP), V5.0
NVM Express, Inc., NVM Express™ Base Specification, Revision 2.0b, January 2022
PCI-SIG PCIe Base Specification
DMTF, Secure Protocol and Data Model (SPDM), Version 1.2