The Aftermath of the Terror Attacks: Security or Privacy?
Fortune China (财富中文网). Chinese translation by Liu Jinlong and Wang Hao; reviewed by Ren Wenke.

The horrendous Paris attacks raise a number of national security issues, including one involving cybersecurity, and the debate over whether governments should have easy ways to break through technology that safeguards the privacy of our communications and transactions — all in the name of national security.

Paris thrusts this issue onto the front pages because one of the big questions that quickly emerged was how a group could execute such a complex attack while evading detection by intelligence services. Encryption is one potential answer. Indeed, experts hypothesize three different possibilities: (1) the attackers used powerful over-the-counter encryption; (2) they collaborated on the dark web; (3) they stopped using technology for coordination once they reached a certain level of operational readiness.

Let’s be sure we understand how modern encryption technologies work and why they are now springing to the forefront. Though encryption technologies have been used to securely transmit information for hundreds of years, never before have advanced encryption techniques and technology been so widely available and so sophisticated.

Simply put, encryption is the process of converting information or data into a code that obscures information so it cannot be read without the correct key (or keys) used to decipher or decrypt the message. Today, anyone around the world can easily purchase and use highly sophisticated 256-bit AES encryption technologies – encryption that is so strong that it has been the U.S. Government standard since 2002.

Businesses use encryption every day to prevent identity theft and other crimes. For example, it was once common to capture and transmit credit card information in an unencrypted state to process payments. Cybercriminals knew this and found ways to copy the information at specific points in the payment process lifecycle. They were then able to use the payment card information and monetize it.

Recognizing the problem, payment processors deployed a number of different encryption technologies, rendering the transmitted information far more difficult to intercept and monetize. While encrypted communications can be decrypted, doing so requires time and computing power. And encrypted devices and communications are now common throughout our personal and commercial lives.

Indeed, terrorists need not look far to find secure ways to communicate. Many apps that we use every day enable encrypted communications to protect our privacy and personal information. And many of the devices we buy – such as our smartphones – encrypt the data on them for the same reasons. Thus, our data is encrypted at the source (our devices), as it is communicated in transit, and at the receiving device. The issue is that the same is true of terrorists’ devices and communications.

This, of course, is just encryption. On top of it are software and services that protect privacy in other ways, such as those enabling us to use the Internet anonymously – bad actors and intelligence services alike are unable to identify a user or his location when he goes on the Internet using such software and services.

After the Paris attacks, the world is already seeing heightened attention to the way terrorists and other bad actors can use this commonly available technology to help them inflict enormous harm. We will need to watch closely to see whether the debate and its outcomes shift.

For example, as the use of encrypted communication has spread, law enforcement and intelligence agencies have pushed for “back doors” – ways to enable law enforcement to bypass the encryption. Some technology companies and privacy advocates have opposed them, fearing government intrusion into their personal lives. And, just last month, the White House overruled law enforcement’s request to push tech companies to create such back doors.

Notably, the White House concluded that creating such back doors would increase U.S. citizens’ vulnerability to foreign government, cyber criminal, and terrorist intrusions.

Time will tell whether the Paris attacks change the White House’s calculus. More broadly, the battle over encryption and other privacy-related technologies will increasingly reflect the larger public policy debates we have seen that balance national security with civil liberties.

As we move in the next decade into a world where far more powerful computing capability will come on line, specifically as quantum computing becomes widely available, the ability for every man and woman to encrypt their communications at levels that may not be able to be decrypted will only help sharpen that debate.

David Burg is the global cybersecurity leader at PricewaterhouseCoopers.