At a glance.
- US Department of Justice takes a tougher line in the crypto wars.
- US state governments urged to close-read their contracts with Chinese vendors.
- How was Voatz vetted?
US Justice Department moves from persuasion to desiring legislation.
The US Department of Justice, for some time the principal antagonist of domestic tech firms in the crypto wars, has, according to the Washington Post, largely given up on persuading industry to voluntarily build ways of accessing encrypted information into their devices. John Demers, Assistant Attorney General for National Security, told reporters in a pre-RSAC meeting this week that Justice would be interested in hearing a proposal for cooperation, but that at this point both sides seem to be "rehashing their own positions." He added that the mood in both Congress and the country at large had shifted. "I've never seen such a bipartisan appetite for legislation. It seems to me that in Congress something has shifted and it's shifted in favor of trying to find some solution to this problem." Among the general public, at least, some of this shift seems due more to growing skepticism about Big Tech than to an informed commitment to ensuring law enforcement access to encrypted communications. The models the Assistant AG has in mind for possible US legislation are the UK's Investigatory Powers Act of 2016 (explained here by WIRED) and Australia's data encryption laws (summarized here by the BBC). Australia's laws have recently come in for their share of controversy, as the Labor Party, the Independent National Security Legislation Monitor, and the Law Council of Australia have this month called for tighter oversight and limitations on data collection and storage.
Caution urged on US state procurement offices doing business with Chinese IT vendors.
A report from China Tech Threat warns that many US state procurement officials are buying risky technology from Chinese vendors. The group's report mentions Lexmark and Lenovo in particular, and urges the National Association of State Procurement Officers to help its members introduce greater security into their acquisition processes. Lexmark denied presenting any such threat, telling Nextgov that the report contains "inaccuracies and mischaracterizations." Lenovo hadn't replied to Nextgov by press time. China Tech Threat's warning is based not on any specific behavior on the part of either Lexmark or Lenovo, but rather on the group's observations of state purchases, the permissions the contracts give to vendors, and China Tech Threat's understanding of China's 2017 National Intelligence Law. The group recommends that the states ask themselves two questions: "Have procurement leaders unwittingly allowed China to access sensitive government and private citizen information?" And, "Should state procurement officials eliminate existing contracts with Chinese-owned manufacturers for the sake of maintaining data privacy and confidentiality?" In fairness to Lenovo and Lexmark, while any Chinese firm may well represent some degree of risk, it's worth noting that the specific security bad behaviors alleged of Huawei, particularly accusations of systematic theft of intellectual property, haven't generally been charged against these firms.
Voatz receives some Senatorial scrutiny.
MeriTalk says that US Senator Ron Wyden (Democrat of Oregon) has written ShiftState Security to ask what sort of vetting the company applied to its client Voatz when it checked Voatz's voting app. The Senator is particularly interested in ShiftState's reaction to an adverse report on Voatz that MIT researchers released on February 13th. He has asked in particular that ShiftState's Chief Security Officer provide him, by March 9th, answers to three questions:
- How many of the ShiftState personnel who audited Voatz had “experience in election security, cryptographic protocol design and analysis, side channel analysis, and blockchain security?”
- "Whether ShiftState discovered the same flaws as the MIT Team?" And, if they didn't find those flaws, could they please explain why they publicly said Voatz did well in the audit?
- Does ShiftState disagree with the MIT researchers’ findings, and if they do, why?
Voatz has strongly disputed the results reported by the MIT researchers, so any response from ShiftState will be worth following closely. Senator Wyden has also asked NSA, in a letter to Secretary of Defense Esper and NSA Director Nakasone, to conduct a security audit of Voatz, which suggests that he's unlikely to be fully satisfied by whatever ShiftState winds up telling him.