UPDATE 7/18/10: If this doesn’t prove the point of this article…nothing does. Security expert Bruce Schneier posts, “Skype’s Cryptography Reverse-Engineered” and if this proves to be true, it would be trivial for rogue nations or eavesdroppers to listen in on Congressional Skype conversations!
In a time when cybersecurity has become the new battleground among nations and calls for enhanced national defense online are accelerating, Congresswoman Michele Bachmann is trumpeting the use of a technology for communications that has an unknown security model and seems at odds with the usual Republican focus on national security.
An article by Jeremy Herb in the StarTribune this morning caught my eye, “Bachmann pushes Congress to embrace Skype.” It outlines the reasons why Rep. Michele Bachmann is calling for the use of the free Skype program on Congressional networks—so she and others can talk directly with their constituents or hold “virtual town halls”—but its use is banned in the House of Representatives.
The article quotes a University of Minnesota computer science professor, Joseph Konstan, who says this about the fundamental reason a peer-to-peer program like Skype is problematic and why it would be banned: “The reason people worry about using tools like these is they are inherently insecure. The design of Skype is something that hasn’t been carefully scrutinized, and so it may very well be there are bugs in there.”
Sure, there could be bugs, but the biggest reason installing Skype on Capitol computer networks is a huge problem is that unknown security model. It is not possible to know much about the security of Skype, since its code is proprietary and is not open to peer review or close examination for potential security holes.
As a fan of Skype and someone who has used it daily for several years, I evangelize its use constantly. That said, I wouldn’t want my government to embrace it without some very close scrutiny and safeguards, and I’m puzzled why Rep. Bachmann would now be banging the drum for Congress to adopt Skype. Here’s why doing so isn’t wise.
Lawmakers are questioning the Department of Homeland Security’s readiness for cybersecurity attacks, and according to this article in NetworkWorld, “Reported attacks on U.S. agencies increased by 400% from 2006 to 2009, said Rep. Bennie Thompson, a Mississippi Democrat and committee chairman. ‘Whether the military or intelligence-gathering operations of foreign nations; domestic or international terrorist groups; lone-wolf, hate-driven individuals; common criminals, or thrill-seeking hackers, those attempting to infiltrate and exploit this country’s computer networks are both numerous and determined,’ he said.”
The need for enhanced cybersecurity leadership has been pointed out by the U.S. Government Accountability Office (GAO). This agency is adamant that the government doesn’t have a prioritized national cybersecurity research and development agenda. In a report released on July 7th (PDF), the concern is that government officials don’t have the ability to track all active and completed cybersecurity programs, or much of a process to share key information between government and industry.
Quite simply, it is unknown whether it would be “safe” to load Skype on Capitol computer networks or not. When lawmakers are calling for coordinated and orchestrated approaches to cybersecurity and the GAO says we’re not ready as a nation, Skype red flags like these are highly troubling (from Wikipedia):
- “Skype incorporates some features which tend to hide its traffic, but it is not specifically designed to thwart traffic analysis and therefore does not provide anonymous communication. Some researchers have been able to watermark the traffic so that it is identifiable even after passing through an anonymizing network.” (PDF)
- “Skype uses a proprietary Internet telephony (VoIP) network based on peer-to-peer architecture. The protocol has not been made publicly available by Skype and official applications using the protocol are closed-source.”
- “Skype is a secure communication; encryption cannot be disabled, and is invisible to the user. Skype reportedly uses non-proprietary, widely trusted encryption techniques: RSA for key negotiation and the Advanced Encryption Standard to encrypt conversations. Skype provides an uncontrolled registration system for users with no proof of identity. Instead, a free choice of nicknames permits users to use the system without revealing their identity to other users. It is trivial to set up an account using any name; the displayed caller’s name is no guarantee of authenticity. A third party paper analyzing the security and methodology of Skype was presented at Black Hat Europe 2006. It analyzed Skype and found a number of security issues with the current security model. (see “Silver Needle in the Skype”, PDF).”
Unless this call by Rep. Bachmann is not really about using an insecure Skype at all, but is a veiled attempt to draw attention to a to-be-alleged cybersecurity leadership issue that can be leveraged in the upcoming elections, perhaps the U.S. Chief Information Officer, Vivek Kundra, can sit down with her over a cup of coffee and educate her on the reasons why cybersecurity is in our national interest and Skype is a bad idea.