Speaker 0
0:10 – 0:14
Welcome to Tech Talk by CDT.
Speaker 1
0:16 – 0:49
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Wesolowski, and it's time to talk tech. Today's guest on Tech Talk is Susan Landau, an esteemed technologist, inductee in the Cybersecurity Hall of Fame, and the author of a new book, Listening In: Cybersecurity in an Insecure Age. Welcome, Susan. Thanks very much for having me. It's our pleasure. So tell me about this book. What prompted you to write it? So,
Speaker 0
0:49 – 1:42
in February 2016, I was invited to testify before the House Judiciary Committee. And that turned out to be the time that the Apple-FBI case was heating up. And we ended up testifying and talking about unlocking phones, secure phones, authenticating phones. And I argued very strongly during the testimony that what the FBI was seeking would actually create greater insecurity and would be very problematic. I found myself being asked to do a number of talks and interviews. And as we say in the field, that didn't scale. There's only so many places I could go. And I decided the best thing to do was write a book, and so I did. So, for folks, this is, you know, you've written books before. This is kind of a different book for you. It's meant for kind of a more general public. Why did you do that? And who do you hope reads it? So perhaps it sounds a little snobbish. I was thinking of the NPR, New York Times reading public.
Speaker 1
1:42 – 1:45
And you got Tech Talk, which is not bad. And I got Tech Talk.
Speaker 0
1:47 – 2:17
What I wanted to do was spread these ideas past the policy wonks and the tech geeks. And so I tried to reach people who are interested in scientific and technological issues, who are interested in public policy issues, but who don't have expertise anywhere. The same people who would read a book by Stephen Jay Gould or, you know, Lewis Thomas. I realize I'm mentioning old-fashioned science and engineering writers, but Henry Petroski. But it's that audience.
Speaker 1
2:18 – 2:39
That's great. So you brought up Apple. Obviously, that's what prompted it. Kind of, I think, made crypto and encryption in general a little bit more mainstream. People started to ask what that is. Where do you think we're going in the crypto debates? You were a part of, you know, what they used to call the crypto wars of the nineties and early two thousands, and then Apple brought it back to the mainstream.
Speaker 0
2:39 – 3:37
Where are we right now in kind of the crypto debate? We've been in the same place for a few years. Apple, and then Google followed with Android. Apple started securing phones, and they did that because criminals were finding ways to hack data off phones and then commit other crimes. So Apple thought, as a security measure, it should protect the data on the phones and make them more secure. And the way to do that was to make them harder to unlock. Law enforcement, which had grown very accustomed to being able to pull data off of phones for evidentiary purposes, is very unhappy. And we're at this unresolved situation. We've been in that place for almost four years now. It's hard to know where we're going. We've seen different kinds of attacks, including the Russian attacks, that argue for much better authentication. And the phones serve as great authenticators, as great second-factor authenticators. And that argues that the phones are really good for security. Keeping the phones secure is really good for security generally. So I would say we're currently at an impasse.
Speaker 1
3:38 – 4:00
Well, you did a great talk here at CDT with some folks. And you do a great job of really turning it from privacy versus security to security versus security, which I think is the point that you just made there, and also said that the end goal of all of this is to have easy-to-use, easy-to-access default encryption for all. Why is that so important?
Speaker 0
4:00 – 5:02
When you make encryption hard to use, people don't use it. When it's not easily accessible, when they have to search for it, whether it's a Tor browser or some other way of protecting themselves, they don't do it. But when you make it the default, it's what people use. Now, of course, making it the default makes it much harder for law enforcement, because now everything is encrypted and now every phone is locked. What one has to do is take a step back and look at what the threats to society are. In the case of locked phones, the threats to society are increasing amounts of online theft, increasing amounts of access to online accounts, and so on. And having a second factor to use as you authenticate yourself to an account, something past your password, is really important. The phones are something we all carry with us. The phones are something that we will notice if stolen. And so it's a particularly good form of authentication, but only if the phone itself is secure.
Speaker 1
5:03 – 5:25
You also made an interesting point in the talk about two-factor or multi-factor, second factor, and how SMS is insecure. Why is that? I mean, I'm someone who, you know, has been taught to use two-factor, and I use SMS typically as my second factor. Why should I be a little worried about that? Well, it depends who you are. Okay. If you're somebody that's high profile. I'm not. Darn it.
Speaker 0
5:26 – 6:24
Or you have a large Bitcoin account and people know about it. No. Then SMS doesn't work so well, because criminals have gotten really good at calling the phone company, claiming their phone got lost, their phone got stolen, they need to move the number to a different device. And then they're the ones who, if they've stolen your password, then receive the SMS text on their device, move those Bitcoins or tweet on your account, because now they have the authentication. Whereas if you instead use a piece of software, it might be from this company Duo in Michigan, it might be Authy, it might be Google Authenticator. But if it's software on your phone, then if your phone is locked, if the criminal gets hold of the phone, they can't actually use that to authenticate themselves. Whereas the changing of your number has become, unfortunately, too easy. Interesting.
Speaker 1
6:24 – 6:41
So I'm gonna pivot a little bit. Obviously, you've talked about law enforcement a bit, and a lot of the book is about a more modern approach to law enforcement. What do you mean by that? What does that look like, law enforcement in the digital age? So, there was an interesting article in the Times quite recently where they talked about
Speaker 0
6:42 – 8:00
a police chief investigating the opioid crisis. And what the police chief finally realized is that they needed to look at how the opiates were being sold. And that meant looking online, but trying to get at the root of the problem. We have seen a lot of criminal activity move online. A good example is credit cards. When credit cards were authenticated through the magnetic strip on the card, you had a lot of in-person use of fake credit cards. But once you moved to chip and PIN, it's hard to duplicate a credit card. So instead, credit card fraud has moved online, where there is no chip and PIN, and then the criminal orders stuff, gets it sent, and does whatever they do. Police have not moved to the digital age in the way that they should have. They don't have the capabilities. They don't have the technical understanding. Now, we can't train all the policemen in the United States or all the policemen in the world to be able to do this. What we need to do, excuse me, what we need to do is enable transference of knowledge, probably from the federal government, probably from the FBI. It doesn't mean taking over jurisdiction, but it means sharing information.
Speaker 1
8:01 – 8:20
And you mentioned a bit the... sorry. No. Of course. And you mentioned a bit the NSA. Does the NSA, you know, are they a model on some levels? I mean, they've been vilified a little bit by folks. But are some of their approaches to intelligence a model that could be used by law enforcement? Well, the NSA uses very different techniques.
Speaker 0
8:21 – 9:54
They're collecting intelligence rather than prosecuting cases. So, for example, communications metadata, where somebody is, who they connect to, and so on, is often much more useful to them than it is to law enforcement. Everything in law enforcement has to be collected under a warrant. It has to be collected under probable cause. Well, not everything. You can collect with a subpoena if it's pertaining to an ongoing investigation. But national security doesn't operate under the same rules. Right. What they have done is remarkably honed their capabilities to get information. They've done that over the last twenty years as communications around the world, especially the communications they were interested in, became encrypted; they had to go to other methods of doing their types of investigations. Law enforcement didn't make that same transition. And there are a number of reasons, including what people have called the golden age of surveillance. The fact that phones were for a long time easy to open. And in fact, often, criminals still open phones for police. And the fact that communications weren't encrypted, and that we communicate much more than we did twenty years ago. As we've shifted away from that to encrypted communications, and even more so to locked phones, police have complained and raised serious issues about their ability to get evidence. But part of that problem is we didn't do the shift for law enforcement at the same time that NSA was doing its shift, for example.
Speaker 1
9:55 – 10:24
That's great. So one of the bigger takeaways I also have from your book is that everyone really needs to care about encryption. And you kind of, you know, at the end of your talk, focused on civil society. And I wasn't quite sure where you were going with it as you started to put the names up there, Planned Parenthood and Southern Poverty Law Center. But then you quickly explained why they could easily be the victims of pretty malicious attacks. Could you go into that a bit, and why, for civil society, it could be so damaging to them
Speaker 0
10:24 – 13:38
if they're not secure. So one of the takeaways from the Office of the Director of National Intelligence report in January 2017 was that the Russians went after think tanks and other groups that affect US public policy. And we know from studying the history of the Soviets that they have tried in previous times, in 1917 in Russia, unsuccessfully done in Russia, and then again in the Soviet satellite states after the Second World War, a destruction of civil society. Civil society serves many functions. It serves to smooth over disputes among the public when there are divisive issues, but it also serves as a way to connect the legislators with the public. It explains what issues are really happening in legislation, and it transmits to legislators what people feel about issues. Some organizations like the Southern United States. Uh-huh. And I'm sure they've secured their electronic systems. But securing your electronic system against an attack from within the United States that is gonna come at one level, and an attack from a nation state that is very sophisticated and very capable, is a very different thing. If you think about Greenpeace, which was the subject of attacks by the French government twenty years ago, or Sierra Club, or, well, let me just take Greenpeace or Sierra Club. People who object to their environmental messages or who wanna disrupt politics in parts of the country like the West might use disrupting... let me back off and try again. So if you take organizations like Greenpeace or Sierra Club, there are issues that they push about environmental issues. There... let me try one more time. If you take Greenpeace or Sierra Club and the environmental issues that they're concerned with, and the reports that they issue, the public statements they make, if an enemy state were to go in and muck with their email or print their email or change their reports, what's the matter with printing their email?
We all know when we converse that we're jocular. We say things that are flippant. Those look very different when somebody else reads them. Absolutely. I mean, Sony is a great example of this. Right? That's right. That's right. The emails where people were saying fairly rude things about other producers, about actresses and actors, about President Obama. Yeah. Things that they would never have wanted to be said in public, and then all of a sudden they were out in print. But if you take those organizations and those comments and you publish them, or you tweak the reports a little, then all of a sudden those organizations look less good to the public. Absolutely. They stop serving the function that is so important in a democracy. Yeah. I know. The same thing could happen for the American Cancer Society or any other organization that produces scientific reports that help guide public policy. And it's a very dangerous situation, because the Russians are clearly interested in subverting, disrupting
Speaker 1
13:38 – 14:02
US civil society. And doing so in a very savvy way, it seems. So, as a, you know, we're a small nonprofit here in the think tank space. What should we do? What, you know, how do I feel not helpless in this space? And so I'll ask you that from kind of an organizational level, because you do need to think through that. And then maybe an individual level: what are some small steps that we can, as individuals, do? So I am really impressed with
Speaker 0
14:03 – 15:11
Citizen Lab in Toronto, which not only produces reports about surveillance and active surveillance efforts against human rights workers, against journalists, and so on. But they've also put up a site, and I don't remember the URL, but you can find it. I'll find it. They've put up a site that suggests how you secure your systems. And they ask you what systems you are trying to secure. Is it a laptop? Is it a phone? Is it an iPad? What operating system are you using? What kind of attacks might you expect? What kind of job do you do? And they have promised to keep it up to date. That's great. Which is a wonderful resource. Yeah. So that's something that everybody in your organization should do. I think educating the public to understand what the threats are, because the threats have changed, is a very valuable thing to do. And doing that via blog posts, but also doing it in more public ways, op-eds and so on, I think is really important. Talking to congressional staffers so that they understand the issues last few years. And we're really talking about protecting a much wider swath of society
Speaker 1
15:12 – 15:29
is quite important to do. That would be a very good start. So, last question. You know, if someone, you know, unfortunately doesn't read your book, although you all should buy it on Amazon or at your local bookstore, and it's a beautiful cover, what's the thing that they should take away? What's the top-level thing that they should get from this?
Speaker 0
15:30 – 15:35
That encryption is for everybody. That securing yourself, protecting
Speaker 1
15:36 – 16:08
yourself, it's not just about privacy, but it's about security. That's wonderful. Susan Landau, thank you so much for joining. Her book is Cybersecurity in an Insecure Age. Is that right? Yes. Insecure Age. Thank you so much for joining us, Susan. Thanks very much for having me. That's it for this episode of Tech Talk. For the very latest on what CDT is doing to shape a vibrant digital future, follow us on Twitter, like us on Facebook, or visit cdt.org. I'm Brian Wesolowski. Thanks for listening.