One of the fun and fascinating—and sometimes frightening—things about Internet security policy is that no one has any idea how to do it well. Governments pretty much make it up as they go along—often attempting slight variations on other country’s efforts, occasionally coming up with unusual and unexpected new twists. Witness the decision by Kazakhstan earlier this month to require its citizens to install a “national security certificate” on all of their devices as of Jan. 1.
Digital certificates are how we make sure that the websites we visit and communicate with are actually the websites we think they are. Kazakhstan’s approach here is an odd melding of old and new policy ideas—lots of countries, including the United States, have been struggling to deal with encrypted digital communications and to provide appropriate access channels for law enforcement or intelligence officials. That is, essentially, what a mandatory certificate issued by the Kazakh government would do, by enabling government officials to execute man-in-the-middle attacks on their citizens’ encrypted communications. At the same time, Kazakhstan’s approach is a relatively new one, both because it seems to rely on its government issuing a certificate specifically designated for the purpose of intercepting traffic, and because it relies on individuals to proactively download that certificate onto devices.
Unsurprisingly, the Kazakhstan plan has drawn considerable criticism for undermining cryptographic protections and weakening device security. Somewhat more surprisingly, the criticism seems to have actually had some effect—the telecommunications company that initially announced the policy, Kazakhtelecom JSC, later removed the statement from its website. It’s unclear whether that means the policy has actually been retracted, but a policy that relies on getting the word out to every single Kazakh citizen that they need to download a new certificate is going to be hard to execute covertly.
Whether or not it takes effect with the beginning of the New Year, it’s a noteworthy proposal, in part because it takes advantage of the digital certificate infrastructure that has long been a source of concern among people in the computer security community. Certificates are issued by companies known as certificate authorities, and all Web browsers come with a list of pre-approved certificate authorities whose certificates are trusted by that browser. That’s why it’s a big deal when certificate authorities are compromised and are used to issue rogue certificates, or when certificate authorities that are trusted by major browsers issue unauthorized credentials for popular websites, or when hardware manufacturers deliberately install root certificates that can intercept Web traffic on the devices they sell. If your devices or browsers trust compromised certificates or certificate authorities, then the whole trust infrastructure of the Web starts to fall apart: You have no way of ensuring that you’re actually communicating with the sites you think you are, or that those connections will be private.
Kazakhstan issuing a mandatory national security certificate is pretty clearly a bad idea, and one that will detract from its citizens’ digital defense as much—or more—than it is likely to add to their security. But it’s also an idea that exhibits some technological savvy—it’s bad encryption policy being written by people who understand at least a little bit about how the Internet works and where the vulnerabilities are that can be most readily exploited.
And yet, at the same time, it’s also a policy that seems to have been written by people with no understanding of how the Internet works. Who thinks that the most effective way to get a certificate onto millions of devices is by mandating that each individual person in Kazakhstan download it? For years, we have been struggling with figuring out how to make people take computer security seriously at an individual level—how to get them to download security updates or pay attention to warning messages (some of them about certificates!) or not click on suspicious email attachments and links—with very limited success.
If Kazakhstan succeeds in forcing each of its citizens to install a new certificate, it will have vastly surpassed every other previous attempt at communicating to people something they should do in the name of computer security. Frankly, if Kazakhstan succeeds just in informing its citizens of the requirement and what a digital certificate is, it will still have achieved nothing short of a miracle. (But who knows—maybe it will turn out that after all these years of awareness campaigns and educational efforts, all we needed to do to get word out about security initiatives was post an announcement on a telecom company website and then take it down.)
There are two possible explanations for this policy’s peculiar combination of an effective technical design for interception and completely ineffective rollout strategy. One is that despite its grasp of the role of digital certificates, Kazakhstan’s government has not yet realized that technical alterations of devices can only be efficiently carried out by the major intermediary companies that manufacture hardware or develop browsers. In other words, if Kazakhstan really wanted to ensure the ubiquity of this certificate, it would make it illegal for companies to sell devices in Kazakhstan that did not already have it installed.
Another possible explanation is that the policymakers behind this proposal fully understand that passing the responsibility to individuals is an entirely ineffective means of distributing their certificate. Perhaps they anticipate—expect, even—that not everyone will install the certificate (and certainly not the people whom they most wish to intercept communications from). Perhaps the plan is just to have something simple to hold those people accountable for—failing to install the national security certificate.
Parsing policies like this one can be unsettling not just because they could likely lead to bad outcomes for security, but also because they suggest that policymakers worldwide have an increasingly strong technical understanding of the Internet—and that that’s not necessarily a good thing.
