The massive breach of US security highlights the danger of weakening encryption

Published on October 8, 2024

A ‘potentially catastrophic’ cyber attack(new window) against broadband infrastructure in the United States, the Chinese government likely provided access to a large amount of highly sensitive security information, including from systems used by the federal government for court-authorized network surveillance requests.

As devastating as this news is for U.S. national security, it also highlights the problem inherent in all surveillance systems that give governments “backdoor” access to critical data. These systems can be compromised, especially by state-sponsored foreign actors.

This is a lesson that the EU would be wise to heed. While Hungary currently assumes the rotating presidency of the Council of the EU, it is the Hungarian Prime Minister and close friend of Russia(new window) and China(new window)Victor Orbán has pushed hard(new window) to help EU countries agree on a common position on the highly controversial issues(new window) chat control legislation.

Crucially, Hungary, like Belgium before it, wants to push for an extremely intrusive and dangerous approach that could eventually force end-to-end encryption.(new window) (E2EE) services to create a backdoor for law enforcement. The European Parliament, on the other hand, went in a completely different direction, arguing that legislation should not weaken end-to-end encryption.(new window).

What happened in the US?

In an attack that may have lasted “months or longer,” Chinese hacking group “Salt Typhoon” compromised the networks of major U.S. internet providers including AT&T, Verizon and Lumen. Salt Typhoon accessed federally mandated surveillance systems that allow Internet service providers to intercept domestic electronic information related to criminal and national security investigations. It is unclear whether systems for monitoring foreign intelligence have also been compromised.

Authorities investigating the incident are investigating whether Salt Typhoon accessed U.S. Internet infrastructure through Cisco Systems routers(new window)responsible for routing a large percentage of all Internet traffic. However, no such link has been confirmed, and although Cisco is investigating the matter, they claim to have found no evidence that their routers are involved.

What is chat control?

The EU’s chat monitoring legislation, formally called the “Regulation on preventing and combating child sexual abuse”, aims to tackle the growing problem of child sexual abuse material online. Introduced in 2022, it opens the door to mandatory scanning of digital communications, including images, videos and links, on platforms such as messaging apps and email services.

Supporters, including EU officials and child protection advocates, argue that this regulation is necessary to protect children from online exploitation and highlight the difficulties law enforcement authorities face in gaining access to encrypted messages used by perpetrators. The proposed law focuses solely on the fight against ‘content’ and aims to detect CSAM and prevent it from spreading using technology-based mechanisms.

One of the more controversial aspects to emerge during the legislative process is the Commission and EU governments’ push for client-side scanning, where messages are scanned for illegal content before being encrypted. This may prevent law enforcement from viewing just the content you share(new window)but also the content that you easily save to your device.

The legislation faces strong opposition(new window) from privacy advocates, academics, digital rights groups and privacy-focused tech companies, including Proton(new window). While we fully support measures that help protect children, this legislation is not the answer. It would essentially create a new method of mass surveillance, requiring service providers to scan all digital communications indiscriminately. Worse, such surveillance would do little or nothing to catch the perpetrators or help the victims of such despicable acts.

Chat control and end-to-end encryption

A particular point of contention is E2EE, where only the sender and the intended recipient have access to the mutual communication.

While the European Parliament understands the importance of E2EE in protecting the privacy of citizens (including children) while ensuring a high level of cybersecurity, EU Member States see this differently. Despite the ineffectiveness of such measures in protecting the real victims, most EU governments remain in trouble(new window) are happy to use the fight against CSAM as an excuse to demand that online services develop systems that give law enforcement access to all encrypted communications.

Lessons to be learned

There is no such thing as end-to-end encryption with a ‘back door’ that only lets in the good guys. Even if we assume that governments would not extend scanning of encrypted communications to any minor criminal offense in the future, using a backdoor is tantamount to creating a weakness that puts the entire system at risk. And the Salt Typhoon attack on America’s surveillance systems clearly shows that if “authorized personnel” can access a backdoor, so can hackers.

This includes state-sponsored hackers, and it can’t be a coincidence that Victor Orban, an authoritarian leader who openly supports and admires other authoritarian leaders like Vladimir Putin and Xi Jinping, is so eager to introduce weakness into the encryption standards that hold us all back . safe.