Archer

The Kazakhstan government wants to see everything going in and out of the country online. Could the US follow suit, getting access to your encrypted information?

The new year in Kazakhstan will bring a new form of government eavesdropping, according to multiple news reports.

The people in this former Soviet republic, once home to nomadic tribes roaming the vast steppes, will have to give their government access to their encrypted information on the Internet, as announced by the country’s Internet service provider, Kazakhtelecom JSC. 

The ISP said people in Kazakhstan will have to install “national security certificates” on their computers, smartphones and other devices.

“The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources,” said Kazakhtelecom JSC in a press release.

Government eyes on encrypted info

“Once users install the certificate, its issuer—the state-owned Internet service provider—will have access to all their HTTPS-encrypted Internet traffic. From that vantage point, the government can read users’ requests, log them, and even edit the outgoing and incoming data—all without the users’ knowledge,” reported Defense One.

Cybersecurity experts say the plan, starting January 1, would do more than allow surveillance of citizens and censorship of information. It could also weaken security for the people and for the government itself.
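The mechanism Defense One describes, a root certificate that users install as trusted, leaves a footprint in the device's trust store, and that footprint is what a defender can check for. The following Python script is an added example, not code from the article or from any of the quoted sources: it diffs a current trust-store bundle against a baseline snapshot taken earlier and reports any trust anchor that was added. The PEM bundles are constructed placeholders built inside the script, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_ders(bundle: str) -> list[bytes]:
    """Extract every certificate in a PEM bundle as raw DER bytes."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def added_roots(baseline_pem: str, current_pem: str) -> list[str]:
    """Fingerprints present in the current store but absent from the baseline.

    A trust anchor listed here was installed after the baseline snapshot; a root
    that nobody in the organisation deployed is the signal that an interception
    certificate may now be trusted by the device.
    """
    known = {fingerprint(d) for d in pem_to_ders(baseline_pem)}
    return sorted({fingerprint(d) for d in pem_to_ders(current_pem)} - known)


def wrap_pem(der: bytes) -> str:
    """Wrap bytes as one PEM certificate block (used only to build the sample data)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: the bodies are placeholders, not real certificates.
BASELINE = wrap_pem(b"constructed placeholder: OS root A") + wrap_pem(b"constructed placeholder: OS root B")
INJECTED = wrap_pem(b"constructed placeholder: added national security certificate")
CURRENT = BASELINE + INJECTED

if __name__ == "__main__":
    for fp in added_roots(BASELINE, CURRENT):
        print("unexpected trust anchor:", fp)
```

In practice the baseline is a fingerprint list captured from a clean device or the vendor's published root program, and the current bundle is exported from the trust store being audited.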

“Kazakhstan’s new encryption law will run the risk of eliminating secure communication for an entire country and could drive up the cost of reliable surveillance and security,” said Daniel Lance, with Archer Security Group.

The plan could open up multiple ways for attackers to view encrypted data and inflict damage. 

“The first issue they will have is verifying the client,” said Lance. “That means, how do they know I truly am who I say I am in the first place? This has long been an issue for certificate authorities.”

Lance said once attackers get in, they will not spare heads of state.

“Mark my words, it will happen,” said Lance. “If you open up the attack surface to the client, it becomes easy for political leaders to have their phone OS [operating system] broken into and keys stolen. Keys are only as secure as the barriers to entry on the container storing them.”

Attackers might try to take the certificate authority hostage, Lance added.

“Hacker groups like Anonymous could issue very unsophisticated attacks with modified versions of the DOSing architecture they’ve used in the past when they’ve opposed political issues,” he said.

Will the U.S. follow suit?

Some officials in the U.S. want technology companies to give law enforcement backdoor access to encrypted information. 

But cybersecurity experts say an encryption eavesdropping plan like the one in Kazakhstan is risky.

“We need to be careful to consider all possible impacts of establishing potentially invasive laws and regulations,” said Bob Beachy with Archer Security Group.

He said requirements for a “national security certificate” could shift the focus to arresting people with rogue devices rather than the original goal: people who intend to harm large numbers of citizens.

“There are so many potential pitfalls with such an effort, let alone the part where the government has helped engineer a singularly exploitable and infinitely valuable way to compromise our nation’s critical infrastructure,” Beachy said.

A war on encryption?

Some cybersecurity experts say encryption is not the enemy.

“Using encryption makes you a terrorist like using a spoon makes you unhealthy,” said Patrick C. Miller of Archer Security Group. “We need encryption for everything from banking security to ensuring the integrity of our critical infrastructure technologies.”

Encryption is what lets you do your banking and other activities online without handing your information over to hackers and criminals.

“The beneficial and legitimate uses of encryption outweigh the non-legitimate and detrimental,” said Miller.