I usually agree with the opinions expressed by Bruce Schneier. Seldom do I think that he is dead wrong, and even less often do I think that an essay of his is bluntly unsubstantiated. About a month ago, he published such a post, titled How Israel Regulates Encryption. He quoted a piece of research that sounds sensible, but ended up interpreting it entirely wrongly, in my opinion.
The essay he quoted reads:
…the Israeli encryption control mechanisms operate without directly legislating any form of encryption-key depositories, built-in back or front door access points, or other similar requirements. Instead, Israel’s system emphasizes smooth initial licensing processes and cultivates government-private sector collaboration. These processes help ensure that Israeli authorities are apprised of the latest encryption and cyber developments and position the government to engage effectively with the private sector when national security risks are identified.
Bruce’s interpretation was:
Basically, it looks like secret agreements made in smoke-filled rooms, very discreet with no oversight or accountability. The fact that pretty much everyone in IT security has served in an offensive cybersecurity capacity for the Israeli army helps. As does the fact that the country is so small, making informal deal-making manageable. It doesn’t scale.
The quoted essay gets it right in the sense that, as it seems, the Israeli authorities rightly assume that mandating back-doors and similar methods is doomed to fail, and more importantly – that the government is better off cooperating with the private sector to get what it needs, rather than fighting against it. Every reasonable security practitioner would stress that preventing crypto from making it to the bad guys by banning it, or by requiring back-doors, is never a sound approach. The bad guys will have access to tools that do not follow those rules anyway (e.g., from other countries, or home-made), and the only punishable people will be the good guys, who will end up using products that are flawed by design. So, kudos to the Israeli authorities, who at least recognize this and understand that the only way to know what is going on is by forming healthy relationships with the industry. A healthy relationship is formed not by posing extravagant deal-breaking requirements that kill business, but rather by offering a smooth registration process.
Bruce wrote that this model does not scale. I am not sure how accurate this statement is. Indeed, there are many more companies doing crypto in the US than there are in Israel, but the manpower spent on enforcement in the US is also dramatically larger. It is my impression that the whole crypto licensing operation in Israel is carried out by a handful of individuals. Maintaining the same type of operation in the US would require a few hundred agents. Is this a larger headcount than is already employed on maintaining control over crypto in more futile ways?
The claim that “pretty much everyone in IT security has served in an offensive cybersecurity capacity for the Israeli army” is just plain false. The Israeli security industry can only wish to get as much skilled manpower from the military. The lion’s share of security practitioners in Israel (of those I got to know) were trained as civilians just like cyber-security pros everywhere else.
Lastly, and most alarmingly, Schneier’s off-the-cuff claim that secret agreements are made in smoke-filled rooms is entirely unsubstantiated. To his credit, he did not present it as a fact. I have had my interactions with this office in Israel, and have witnessed no smoke-filled rooms. The purpose of the licensing process is not to have back-doors installed; it is to maintain some clear enumeration of what crypto technologies are out there, who owns them, and where they are shipped to. The purpose is closer to that of the Wassenaar Arrangement on export controls than to downgrading crypto.
As I like to say, the fun thing about being a conspiracy theorist is that you never really need to prove anything you say…