As the Balance of Security Controls Shifts, Where Does Responsibility Rest?

We are in the midst of a volley of "tussles" on security control points and surveillance/privacy protections. If you are unfamiliar with the term tussle, it refers to a paper by David Clark et. al. that describes the evolving dance between technology and policy. Tussles surrounding privacy and surveillance arise every so often, sometimes including a rebalance of the ownership or access to metadata.

Industry, standards, policy

The current set of tussles involves a push and pull from industry, standards, and policy with the debate remaining open as to how it will all settle out. As encryption becomes stronger and more pervasive on the Internet to protect our sessions while in transit, the ability to use traditional tools to detect malicious traffic has and will continue to diminish.

At the same time, strong encryption that cannot be intercepted is promoted as part of a zero-trust architecture and is important to adopt to prevent lateral movement. Another argument in favour of strong encryption is that it prevents having points of aggregation where all traffic is visible (e.g. intrusion prevention systems holding a shared key to access and view all data).

In the recent volley, the dance includes:

• Standards: Inclusion of the Encrypted Client Hello (ECH) in Transport Layer Security (TLS) sessions between a browser and a content delivery network (CDN) that enables this feature.
• Policy: Proposal in 2023 to amend the Regulation on electronic identification and trust services (eIDAS) to allow and EU government to perform traffic interception on all Internet messages including encrypted sessions.
  • ECH prevents interception between the browser and CDN at a technical level, and thus the volley included a push to intercept traffic after the point of decryption at an endpoint.
• Standards/Technology: Prominent leaders in the Internet technical community have pushed back on this interception proposal with a letter explaining the harmful nuances that would create security problems that would be imposed with the current proposal, a normal part of the tussle process.

This tussle is a very interesting one, shaping significant changes on the Internet in terms of how we as an industry ensure the security of sessions, data, and endpoints. The distributed nature of the Internet along with the multi-stakeholder governance model allows for and encourages these debates. The debates typically settle out with slight differences when national laws are considered due to the slight differences in historical cultural norms between nations that we may consider similar in many regards.

In some cases, it is difficult to see through the trees when we are in the midst of change. How security is integrated into products, services, and the network itself is transforming at a rapid pace. This means that security controls will settle out differently in terms of placement and responsibility than they may have in the past.

Ideally, we wind up with a more secure, resilient, and easier to manage infrastructure as we work through these tussles. There are methods to provide security in these new models, and they may even provide improvements from the current state where security is not only built-in by design and by default but also managed on a scale.

In terms of how the controls settle out, there is another important consideration, how does the responsibility balance shift with intrinsic changes to points in visibility?

Prior observations on ECH

Several considerations were raised in this blog on the changes specific to ECH. Summarised, those include:

• As controls managed by the organisation are eliminated (e.g. intrusion detection/prevention systems), does the responsibility to protect data and systems shift away from the enterprise? Is the browser then liable? Is the CDN liable?
• Are enterprises still responsible for security breaches when they have little ability to intercept and prevent them?
• Are regulatory requirements required to shift the responsibility when control points shift-left or change?
• Does this shift-left further motivate application providers, CDNs, and browser vendors to build secure code and ensure memory safety?

Additional questions should be considered as the tussle begins to take shape as it is too early to tell what will happen with the proposal to the eIDAS. If that dance settles out as recommended in the referenced letter, a shift in balances will not occur at this time, as some technical adjustments will aid in the aims of the policy objectives, where parties work collectively.

This article was originally published over on the RSA Conference pages.