1. 11
    1. 8

      The handling of “large companies” in Threat Actors is ridiculous.

      Compare:

      > Nation States
      >
      > […] Nation states are most likely to target the Cloud deployments of other nation state customers, and may target political dissidents and other targets for surveillance. Nation states might also target Google or other infrastructure providers for military or economic reasons.

      > Insider Threats
      >
      > Google and other companies are working to build a quantum computer, which eventually might become cryptographically relevant. As with other prized technologies, insider threats remain a vector. To that end, companies will need to take necessary precautions to protect their crown jewels to avoid theft or exploitation by a nation state threat and other motivated attackers.

      So “Nation states” are bad guys – should be assumed to potentially be bad guys, which is reasonable and historically accurate. But “Google and other companies”? Of course not, those are beyond reproach. If they were to use quantum computers for threatening purposes, of course this would be because of a rotten apple or two inside them. (Probably acting on behalf of a nation state.)

      This lack of self-awareness is comical, but it makes it a bit difficult to take the rest of the document (which otherwise looks excellent) seriously. I don’t know if the authors of the document are unintentionally naive, or if they are intentionally naive – they were careful not to say anything that could suggest that their employer should be considered as a potential threat. The latter is much more plausible (you don’t make a career in crypto without encountering the idea that large companies might be bad actors in some contexts) and in fact rather worrying.

      1. 2

        Why would you write a threat model where you are the attacker? What you’re suggesting just doesn’t make sense.

        > they were careful not to say anything that could suggest that their employer should be considered as a potential threat.

        Because this is a threat model in terms of their employer’s risk. So… it would be really insane to include that.

        1. 4

          First of all, it is common for certain structures to define threat models where they are the attacker in some sense. For example, the government of a state will often pass laws that are designed to reduce its own power or watch its own corruption – taking into account a diversity of internal actors as well as the evolution over time (the people in power in N years may be distinct from the ones today).

          Second, irrespective of how they think of their own company, one may expect them to consider other companies as threats – after all, Google is far from the only private actor working on quantum computers.

          1. 2

            It just makes no sense to me that we would hold a company’s threat model to this standard just because, as an example, a government body may abdicate rights. These seem unrelated in almost every way.

            You could advocate that companies should ask the question “What if this company becomes evil in the future?” but, again, this is far beyond the standard of any company, and it still doesn’t make sense in terms of a threat model design to protect “the company” as an entity that will exist at that time.

            > one may expect them to consider other companies as threats – after all, Google is far from the only private actor working on quantum computers.

            It is simply the premise that these companies are building the technologies in a way that conforms to the model. You can reject that premise but it’s not relevant to the document that it is referring to companies that conform to one way of using the technology.

            I’d be willing to maybe grant that, as a whole, threat models should ask “what if our company becomes evil” when we’re talking about this sort of technology, but to dismiss the entire document for what is, again, definitely not the standard, seems like an extreme reaction.

          2. 2

            The whole point of deploying an end-to-end encryption system is a threat model that includes those supporting the system.

            1. 1

              This is not the same thing at all. When you deploy E2E you are considering the insider threat, you are not considering the company itself as being evil.