Russian President Says Edward Snowden Did Not Leak US Intelligence to Moscow – Newsweek

Russian President Vladimir Putin has denied that U.S. fugitive Edward Snowden, who is currently living in Russia, ever offered to hand Moscow sensitive information in exchange for asylum.

"We made first contact with Mr. Snowden in China," Putin said, reflecting on Snowden's departure from the U.S. following his leak of tens of thousands of National Security Agency and British Government Communications Headquarters documents in 2013. The Russian president was speaking to U.S. filmmaker Oliver Stone for his four-part documentary series for Showtime called The Putin Interviews.

"That's when we were told that there is this person who wants to fight for human rights and against their violation. And we need to give credit to Mr. Snowden. He never took it upon himself to give us any kind of information," Putin said.

However, Putin told Stone that Russia was not prepared to welcome Snowden at first. "We have such complicated relations with the U.S., and we don't need additional complications," the Russian president explained.

According to Putin, Snowden's arrival in Moscow came as a surprise to the Kremlin, as it was initially only intended as a transit flight to Latin America.

"To Cuba or to Ecuador?" Stone asked Putin, though the president did not answer. He only revealed that Russia was not fully prepared to accept Snowden at first and that once the information about his protracted trip around the world made it to the press, he would not be allowed to fly anywhere.

"And he was stranded in the transit passenger zone," Putin said. "He is a person that is brave, if not a little reckless. He sat for a while in the transit passenger zone, and then we even gave him temporary asylum."

"Of course the American side asked us to hand him over. Clearly we could not do that," Putin said. When asked why, he said it was because Russia did not feel it would have the same treatment in response if it asked for an extradition.

Equally, Snowden has denied taking any files to Russia, telling The New York Times in 2013 it would not serve the public interest to do so.

Snowden needs to face the music – Belleville News-Democrat

The denials now by Vladimir Putin have no merit; if he had said these denials six months ago they could have been believable, but not now. This whole story smells of a rat turncoat by the name of Edward Snowden. He would have had the knowledge and ...

Justice Department requests $21.6M to tackle ‘Going Dark’ encryption problem – Washington Times

The Justice Department is requesting more than $20 million in federal funding to bankroll efforts related to resolving the government's continuing "Going Dark" problem, Deputy Attorney General Rod Rosenstein said Tuesday, signaling one of the Trump administration's first attempts at tackling the issue of ubiquitous, hard-to-crack encryption amid growing concerns involving its impact on criminal investigations.

While federal investigators have fought for years to counter the so-called "Going Dark" phenomenon, the government's growing inability to access and decipher digitally encrypted communications, Mr. Rosenstein said during a Justice Department budget-request hearing Tuesday that resources needed to reverse the trend are required now more than ever.

"The seriousness of this threat cannot be overstated," Mr. Rosenstein told the Senate Subcommittee on Commerce, Justice, Science and Related Agencies. "This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice."

The Justice Department is requesting $21.6 million specifically towards countering its "Going Dark" program, Mr. Rosenstein testified in his prepared remarks.

"The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability and forensic tools," he added, in turn enabling the Justice Department to continue its leading role in enhancing the capabilities of the law enforcement and national security communities.

Mr. Rosenstein was not initially slated to testify Tuesday, but appeared after the hearing's previously scheduled witness, Attorney General Jeff Sessions, canceled in lieu of speaking before the Senate Intelligence Committee with respect to the Trump administration and its purported ties to Russia, as well as the president's abrupt firing last month of former FBI Director James Comey.

Days before leaving office on May 9, Mr. Comey said federal investigators had legally seized more than 6,000 smartphones and electronic devices during a recent six-month span but found that 46 percent couldn't be opened with any technique.

"That means half of the devices that we encounter in terrorism cases, in counterintelligence cases, in gang cases, in child pornography cases, cannot be opened with any technique," Mr. Comey told the Senate Judiciary Committee on May 3. "That is a big problem. And so the shadow continues to fall."

The vast majority of smartphones currently sold in the U.S. run either Apple's iOS or Google's Android operating systems, which let customers protect their digital contents and communications from eavesdroppers with security-minded technology including strong encryption. While hailed by privacy and security proponents, that encryption became a hot-button issue last year after federal authorities found themselves unable at first to access the contents of an Apple iPhone recovered from the scene of a December 2015 mass shooting in San Bernardino, California.

"If Apple doesn't give info to authorities on the terrorists I'll only be using Samsung until they give info," President Trump tweeted from the campaign trail in February. "Boycott all Apple products until such time as Apple gives cellphone info to authorities regarding radical Islamic terrorist couple from Cal."

"The Obama administration was not in a position where they were seeking legislation," Mr. Comey told lawmakers last month when asked about the possibility of establishing a legal statute to resolve the "Going Dark" dilemma. "I don't know yet how President Trump intends to approach this. I know he spoke about it during the campaign, I know he cares about it, but it's premature for me to say."

When is ‘not a backdoor’ just a backdoor? Australia’s struggle with encryption – GCN.com

COMMENTARY

This article first appeared on The Conversation.

The Australian government wants the ability to read messages kept secret by encryption in the name of aiding criminal investigations. But just how it proposes to do this is unclear.

As Australian Attorney-General George Brandis recently told Fairfax Media, "[a]t one point or more of that process, access to the encrypted communication is essential for intelligence and law enforcement."

In an interview with Sky News, he spoke favorably of controversial U.K. legal powers that seek to impose on device makers and social media companies a greater obligation to work with authorities where a notice is given to them to assist in breaking a communication.

Brandis has insisted the government doesn't want a backdoor in secure messaging apps. How, then, he expects companies to break them is unclear.

As many have pointed out, it's hard to see any tool that gives law enforcement privileged access to otherwise encrypted messages as anything else but a backdoor.

How end-to-end encryption works

Backdoor or not, it's worth being skeptical of any mechanism aimed at accessing encrypted messages on platforms like WhatsApp. To explain why, you need to understand how end-to-end encrypted messaging services work.

Encrypted messaging services scramble the original message, the "plaintext", into something that looks like random gibberish, the "cyphertext".

Translating it back to plaintext on the receiver's phone depends on a key -- a short string of text or numbers. Without access to the key, it isn't feasible to get the plaintext back.

Keys are generated in pairs, a public key and a private key, of which only the private key must be kept secure. The sender of the secure message has the receiver's public key, which is used to encrypt the plaintext. The public key cannot be used to unscramble the cyphertext, nor does possessing the public key help in obtaining the private key.

End-to-end encryption simply keeps the private key securely stored on the phones themselves, and converts the cyphertext to plaintext directly on the phone. Neither the private keys nor the plaintext are ever available to the operator of the messaging service.

Compromising security

An encrypted messaging app could hypothetically be modified in a number of ways to make it easier for authorities to access.

One would be to restrict the range of keys that the app can generate. That would make it possible for the government to check all possibilities.

The U.S. government, which imposed regulations to this effect for a brief period in the 1990s, may have once had computing resources far in excess of any other entity, but this is no longer the case. In fact, these old rules are themselves still causing security problems, as some applications can be tricked into reverting to the insecure "export mode" encryption that is trivially crackable today.

Other national governments and well-funded private bodies would find brute force checking of all the possible keys well within their capabilities, compromising the security of legitimate users.
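
The effect of restricting the key range, as an added example that is not part of the original article: a toy SHA-256 stream cipher (a stand-in, not any real messaging app's cipher) whose key generator is limited to a small number of effective bits, and the exhaustive search that any holder of a ciphertext and a guessable message prefix can then run. The function names, the 16-bit demo size, the sample message and the keys-per-second rate are assumptions chosen for illustration.

```python
import hashlib
import secrets

KEY_BYTES = 16  # nominal key length the app advertises (assumed for this demo)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. A stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def expand(secret: int) -> bytes:
    """Pad a small secret integer out to the nominal key length."""
    return secret.to_bytes(KEY_BYTES, "big")


def generate_restricted_key(effective_bits: int) -> bytes:
    """Key generator limited to 2**effective_bits possible keys.

    The key still *looks* 128 bits long; only effective_bits of it are secret.
    """
    return expand(secrets.randbelow(2 ** effective_bits))


def recover_key(ciphertext: bytes, known_prefix: bytes, effective_bits: int):
    """Check every key in the restricted range against a known message prefix.

    Returns (key, attempts), or (None, attempts) if the key is outside the range.
    Nothing here requires privileged access: the range is the only secret.
    """
    attempts = 0
    head = ciphertext[:len(known_prefix)]
    for candidate in range(2 ** effective_bits):
        attempts += 1
        key = expand(candidate)
        if xor_cipher(key, head) == known_prefix:
            return key, attempts
    return None, attempts


def sweep_seconds(effective_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at a given (assumed) search rate."""
    return 2 ** effective_bits / keys_per_second


if __name__ == "__main__":
    # Constructed sample message; the prefix is the kind of fixed header
    # a message format would expose to anyone who knows the format.
    message = b"MSG-V1:see you at the station at nine"
    key = generate_restricted_key(16)
    ciphertext = xor_cipher(key, message)

    found, attempts = recover_key(ciphertext, b"MSG-V1:", 16)
    print("recovered:", found == key, "after", attempts, "attempts")
    print("plaintext:", xor_cipher(found, ciphertext).decode())

    rate = 1e9  # assumed keys per second, for scale only
    for bits in (40, 56, 128):
        print(f"{bits:3d}-bit sweep at {rate:.0e} keys/s: "
              f"{sweep_seconds(bits, rate):.3e} s")
```

The search loop is identical for every party that runs it, which is the article's point: a key range small enough for one government to sweep is small enough for any comparably resourced actor.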

And while governments might believe they can keep their backdoor secure, such secrets have a nasty habit of leaking out, as did hacking techniques used by the CIA and NSA.

Nor can governments simply make possessing encryption software a criminal offence.

Take the application Pretty Good Privacy (PGP) -- or, more precisely, its open-source equivalent GNU Privacy Guard (GPG).

Once used for securing email messages, it's now more often used to ensure software updates on Linux systems are from the original authors and have not been tampered with. For instance, the system update tool in Ubuntu Linux uses the GPG machinery for this. Without it, the Linux servers that run much of the internet would become much more vulnerable to hackers.

Similar mechanisms are used in Windows, iOS and Android to prevent tampered applications from being installed. As such, banning or undermining end-to-end encryption would seriously affect internet security.

Endless workarounds

In any case, creating backdoors in end-to-end encrypted messaging services would not achieve its goals. Once messaging app backdoors became known, savvy users would simply switch to another service, or make their own.

FBI Seeks $21M to Counter Encryption – On the Wire (blog)

The FBI is asking for more than $20 million in the 2018 fiscal year budget to counter what the bureau sees as the threat of encryption, both in devices and in real-time communications tools such as text or voice apps.

The request is part of the Department of Justice's proposed budget for the next fiscal year, and Deputy Attorney General Rod Rosenstein said during a Senate hearing Tuesday that the FBI would use the money for a wide variety of things. In his testimony, Rosenstein said that the increased use of encryption, which the FBI and other law enforcement agencies refer to as the problem of "going dark", is a growing challenge and needs funding support.

"The seriousness of this threat cannot be overstated. 'Going Dark' refers to law enforcement's increasing inability to lawfully access, collect, and intercept real-time communications and stored data, even with a warrant, due to fundamental shifts in communications services and technologies," Rosenstein said.

"This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice. The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools."

In the proposed budget, the FBI asked for $21.6 million to address the encryption issue. As Rosenstein said in his testimony, the money may be used for developing or buying tools and techniques to analyze encrypted devices, perform forensic analysis, or cryptanalytic analysis, all of which are time consuming and expensive. While the FBI has been raising concerns about the use of encrypted communications for years, much of the current concern comes from the proliferation of encrypted communications apps and devices that store user data in encrypted form by default.

Most current iPhones and Android devices have encrypted data storage enabled by default, and law enforcement agencies have struggled to bypass the protections. During the tense showdown between Apple and the FBI last year over an encrypted iPhone used by a terrorist, the bureau sought a court order to get Apple to build a backdoored version of iOS specifically to bypass the device's encryption. Apple officials called the request offensive and fought it. Eventually the FBI bought a technique from a third party to unlock the phone.

But that case was just one of many involving encrypted devices, and FBI officials and others in the law enforcement community have continued to push for methods to bypass or weaken encryption systems, both in transit and at rest. Privacy advocates and security experts have pushed back, saying that any backdoored or intentionally weakened encryption system would put all users at risk.

ITPA slams Turnbull Government over proposed encryption laws – iTWire

A lobby group for IT workers has slammed the Coalition government over its proposal to introduce laws to gain access to encrypted communications, saying such moves were completely unworkable.

IT Professionals Association president Robert Hudson said though the government was saying it did not want a backdoor into encrypted communication applications, such a method was the only way that it could achieve what it had stated it wanted to do.

In the wake of the terrorist incidents in London, both Prime Minister Malcolm Turnbull and Attorney-General George Brandis have proposed that curbs be imposed on encryption.

But Hudson said just making such statements could be interpreted as "political opportunism" because anyone who had an understanding of how encryption worked would know that such proposals could not be implemented.

"With modern encryption processes, this is only possible if you have access to the key required to decrypt the message, as 'cracking' the encryption is largely not possible otherwise due to the mathematical complexity of the algorithms used."

Hudson said this meant that despite the government's protests that it did not want backdoors, "that's the only way to achieve what they want and if they have backdoors into the encryption, then two things will happen:

"The backdoor will be leaked/exposed. This basically means that the encryption process can no longer be trusted.

"People will stop using encryption processes they cannot trust."

He said this would have little effect on the "bad guys" because those who were competent would switch to communications protocols they trusted or else manage the encryption keys themselves.

"By some reports, less than half of all communications between 'bad guys' is estimated to be encrypted today and these are likely already the competent ones. Such a knee-jerk reaction will, however, have a horrific impact on innocent use of encryption. Legitimate users will be forced to find other methods of encryption," Hudson said.

"If SSL certificate vendors are forced to bake 'backdoors' into their certificates, the impact on eCommerce alone (currently a $32 billion business in Australia in 2017) will be immense.

"This government appears to have not learnt anything from past technology initiatives that were implemented on the run. In typical fashion, there appears to have been no serious consultation with experts and disregard for (or no understanding of) the complexities involved."

Healthcare Data Encryption not ‘Required,’ but Very Necessary – HealthITSecurity.com

June 14, 2017 - Healthcare cybersecurity is essential for covered entities of all sizes, especially as ransomware attacks and other types of malware become more common. Healthcare data encryption is often discussed in these situations as well, with many in the industry underlining its importance.

HIPAA regulations do not specifically require data encryption, and instead qualify it as an addressable aspect. However, it is a very necessary piece to the larger data security puzzle.

In this primer, HealthITSecurity.com will review the basics of healthcare data encryption and explain why it is so critical in the current healthcare cybersecurity landscape.

Encrypting data means an organization converts the original form of the information into encoded text. Data is unreadable unless an individual has the necessary key or code to decrypt it.

With healthcare data, this involves securing ePHI and keeping it confidential so unauthorized individuals cannot access or use the information, even if they are able to find the information in a database or network.

"The Security Rule defines confidentiality to mean that e-PHI is not available or disclosed to unauthorized persons," HHS states on its website. "The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI."

Furthermore, the Security Rule also emphasizes the importance of ePHI integrity and availability. Covered entities maintain integrity by ensuring ePHI is not altered or destroyed in an unauthorized manner, while availability relates to the data being accessible and usable only by authorized individuals.

There are also two kinds of data that can be encrypted: data in motion and data at rest.

Data in motion is information that is being sent from one individual or device to another. For example, this can be done through secure direct message or email. Data at rest is when the information is being stored.

Encryption and decryption fall under the Access Control aspect of HIPAA technical safeguards. The Security Rule does not require specific technical solutions, and instead maintains that there are many technical security tools, products, and solutions that a covered entity may select to maintain PHI security.

"Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in § 164.306(b) the Security Standards: General Rules, Flexibility of Approach," states the HIPAA Security Series from HHS.

Access Control will give users the necessary rights or privileges to access certain areas containing information, including information systems, applications, programs, or files. These rights and/or privileges should be granted based on an individual's necessary job function, and the minimum necessary must be followed.

Essentially, individuals should only be given the minimum necessary access to properly perform their job. This is especially critical when PHI access is taken into account.

For encryption and decryption specifically, HHS explains that healthcare organizations must determine if this measure will be necessary and benefit workflow.

"[I]t permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity," HHS stated. "If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate."

HHS added that covered entities should consider which ePHI should be encrypted and decrypted to prevent unauthorized access by persons or software programs. Additionally, organizations can consider reasonable and appropriate mechanisms to prevent access to ePHI by persons or software programs that have not been granted access rights.

Healthcare organizations can use their risk analysis to better determine whether or not something is addressable or required. This is another key aspect of HIPAA regulations, and all entities should be performing regular risk analyses.

Davis, Wright, Tremaine LLP associate Anna Watterson explained in a previous interview with HealthITSecurity.com that the risk analysis is the foundation of the security role for an organization.

"The addressable ones need to be implemented if reasonable and appropriate," Watterson said. "So the risk analysis can be the basis for determining whether a particular addressable implementation specification is reasonable and appropriate to implement in a particular circumstance."

The National Institute of Standards and Technology (NIST) explained in a storage encryption guide that organizations should implement encryption solutions that use existing system features, such as operating system features.

It can be more difficult when solutions require extensive changes to the infrastructure. Furthermore, end user devices should generally be used only when other solutions are not sufficient.

"Organizations should carefully consider how key management practices can support the recovery of encrypted data if a key is inadvertently destroyed or otherwise becomes unavailable," NIST wrote. "Organizations planning on encrypting removable media also need to consider how changing keys will affect access to encrypted storage on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed."

NIST also established the Cryptographic Module Validation Program (CMVP) to analyze, test, and validate that crypto modules are functioning properly and deploying approved algorithms. All algorithms and modules are tested for conformance with the Federal Information Processing Standard (FIPS) 140-2.

Many federal agencies require FIPS 140-2 validation, noted HealthITSecurity.com contributor Ray Potter.

"Essentially this means that crypto is useless until proven otherwise, a blunt but accurate sentiment," Potter wrote. "Other sectors have adopted the standard as their own, as well, with increasingly strict adherence in state and local government, finance, and utilities. Either encryption is validated or it is not. It's very black-and-white."

With healthcare data encryption, NIST also released NIST SP 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule.

"NIST security standards and guidelines (Federal Information Processing Standards [FIPS], Special Publications in the 800 series), which can be used to support the requirements of both HIPAA and FISMA, may be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems," the guide's executive summary explained.

Overall, healthcare organizations need to take the time to understand all available options to properly maintain ePHI security. Technology will only continue to evolve, and covered entities and their business associates are becoming more digital and connected both to other organizations and in utilizing internet connected devices.

A ransomware attack could lead to data becoming compromised, but what if it was already encrypted in the first place and was inaccessible? A laptop containing ePHI might be stolen, but what if that data is unreadable without an access key?

HHS even notes in its ransomware guidance that if the ePHI was properly encrypted before an incident occurs, then it is not considered unsecured PHI and the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.

Healthcare organizations should conduct thorough and regular risk analyses to properly determine how and where data encryption would be beneficial. Staying educated on all available options and any federal or state requirements will also help entities ensure ePHI security. While not technically required, data encryption is quickly evolving into a very necessary part of data security.

New Open Source Software Strengthens Satellite Geodesy Capability – GIM International (press release) (subscription) (blog)

Scientists from Geoscience Australia have released new software that will improve the ability to process big remotely-sensed satellite datasets. The new "PyRate" software is open source Python software for collating and analysing Interferometric Synthetic Aperture Radar (InSAR) displacement time series data.

InSAR is a non-invasive geodetic method that detects changes in the height of the Earth's surface using remotely-sensed satellite imagery. This is a highly accurate satellite monitoring technique that uses two or more Synthetic Aperture Radar (SAR) images of an area to identify patterns of surface movement over time.

By monitoring movements of the Earth's surface, scientists can improve their understanding of how the Earth's crust changes over time, including changes in elevation caused by larger earthquakes and potential land subsidence caused by human activities such as groundwater and resource extraction.

The new software builds upon a Python-language translation of the University of -RATE software. This provides a portable and free solution that is scalable from desktop machines for small area processing to large multi-node super computers for conducting regional or continental-scale analyses.

The new software will enable Geoscience Australia to scale up its InSAR processing capability to run on the Australian National University's National Computational Infrastructure facility super computer. It will also support other scientists to make use of the ever expanding Australian national archive of Sentinel-1 SAR data available via the Copernicus Australia data hub, particularly for InSAR time series analysis.

The new PyRate software will be applied to data obtained for a number of existing Geoscience Australia projects, including InSAR monitoring in Queensland's Surat Basin and in the Macarthur region, south of Sydney.

The PyRate version 0.2.0 software is available through GitHub and via PyPI, the Python Package Index, with additional supporting documentation provided.

MIA Had Julian Assange as a Guest at Her Meltdown Festival Panel – Paste Magazine

Rapper M.I.A. seems to surround herself with controversy. Last fall, she took shots at Beyoncé and Rihanna, two of the music industry's most respected women, for stealing her style and not crediting her for it, which really had people scratching their heads, not to mention a lot of angry Beyhive and Navy members in M.I.A.'s mentions.

The release of M.I.A.'s fifth album, which was expected to perform well on the charts and even had a guest vocal from ex-boybander Zayn Malik, was clouded last fall thanks to the Beyoncé/Rihanna controversy. Since then, she's been gaining back her goodwill by supporting Jeremy Corbyn in the U.K. election and curating U.K.'s Meltdown Festival, joining the likes of David Bowie and David Byrne.

The rapper brought out philosopher Slavoj Žižek and Srecko Horvat to join her for a panel in which they discussed the state of the world and general humanitarian affairs. The main star of the panel was Julian Assange, who beamed in from a remote location to discuss the complexities of global activism and art in a changing world. M.I.A., who has been hands-on and DIY throughout her career, also brought a number of underground artists into the spotlight. Performers at the weeklong event included Young M.A., Mykki Blanco and Yung Lean.

You can watch a clip of the Žižek interview below and read more about the Meltdown Festival here.

A Mysterious New Cryptocurrency Is Surging After Being Endorsed by Putin – Vanity Fair

After catching the eye of both the Singapore government and Russian President Vladimir Putin, Ethereum, the second-biggest cryptocurrency in the world after Bitcoin, continues to skyrocket. On Monday morning, the cryptocurrency was trading at a record-high level of $407.10, more than a 5,000 percent rise since the beginning of 2017, when it was trading at $7.98.

Ethereum's founder, Vitalik Buterin, recently met with Putin during the St. Petersburg International Economic Forum, a signal that the country may be interested in using digital currency to move its economy beyond gas and oil. "The digital economy isn't a separate industry, it's essentially the foundation for creating brand-new business models," Putin said at the forum. (Russian entities, like the state development bank VEB, have agreed to use Ethereum to help implement blockchain technology in the country). As investors look for a place to put their assets amid mounting geopolitical instability, some are turning to cryptocurrency. Singapore's government has released a report saying it has carried out a test using ethereum blockchain technology to create a national digital currency. Regulators in Japan are issuing new rules that make cryptocurrencies like Ethereum a valid form of payment. And companies such as Toyota and Microsoft, which are members of an organization called the Enterprise Ethereum Alliance, are throwing their weight behind the cryptocurrency, too.

Ethereum, which has a total valuation of $36 billion, trails only Bitcoin (valued at $49 billion) in terms of market capitalization. Bitcoin has been rallying all year, reaching a high of above $3,000 for the first time on Sunday as a growing number of people turn to virtual currencies as a safer, faster way to exchange money. But Ethereum's rally may still have a ways to go: Pavel Matveev, the co-founder of banking start-up Wirex, tells CNBC that Ethereum's price could reach $600 by the end of the year.
