Originally I published this on LinkedIn; here is the comment.

The [lost] ability to define long term [IT] strategy

One thing I absolutely love about the US presidential elections is that the candidates are actually challenged to provide opinions on theoretical subjects that matter. This gives a decent insight into their ability to define long-term strategies, often on subjects which are very abstract and require a certain kind of mental discipline and the ability to imagine multiple levels of implications. The most recent example is the demand that Apple introduce backdoors into its software.

Long story short, the candidates remaining in the race, with the exception of the Libertarian Party, agree that the government needs to have some sort of a “master key” in order to tap into communications where required [1]. As commenters [2] have already noticed, such a requirement leads to a number of issues. First of all, the next vendor might not be US-based, and thus the whole effort will be futile. Second, the suspects so far have used software as provided by the vendor, but what stops them from creating their own cryptographic application to encrypt the communication for them? Nevertheless, the presidential candidates make it quite clear in their speeches: security above liberty, because “something must be done”.

So that leads me to the long-term part. Following the same logic to its conclusion, should cryptography be banned altogether? No ciphers, all communication in the open? It is safe to say that such an approach will simply not work. In the vast majority of cases cryptography is there to secure our information, payment card information included.

So the residual facts that remain seem to be:

  • Backdoors or master keys are not the answer: they do not solve the problem, although they are likely to win some votes. And they open a whole new bag of problems.
  • Cryptography is here to stay.

But the long-term question stands: what should we be doing to avoid these situations? And how does all this tie to IT? In my line of work, I often lead technical incident response teams challenged to find a solution to an actual problem. One thing I have learned over time is that sometimes having the best minds in the team is simply not enough to solve a case. Sometimes you need to take a few steps back and realize the root cause is outside of the picture everyone is focusing on. Sometimes a long-term strategy of doing (or not doing) certain things in a certain (standardized!) way offers the solution; the catch is that it might seem completely unrelated.

Does that mean the FBI should just allow San Bernardino to happen? Of course not; it is simply that the root cause is completely outside of the scope of the discussion, and cryptography has nothing to do with it. The problem will not be solved in this area, but who will be the leader that can still notice that, and can democratic elections still give us such leaders?

  1. http://windowsitpro.com/security/where-do-presidential-candidates-stand-encryption
  2. http://politics.slashdot.org/story/16/02/19/0019218/where-do-the-presidential-candidates-stand-on-encryption