
CISO view: encryption backdoors

Posted by on October 5, 2015.

A group of Chief Information Security Officers within Wisegate was asked for its views on encryption backdoors specifically for law enforcement. The response was an overwhelming rejection.

  • no encryption should ever have a backdoor for anyone
  • “today’s backdoor is tomorrow’s compromise”
  • “if data is required, information can be subpoenaed or NSLs can be issued”

Snowden’s revelations have demonstrated that the Crypto Wars of the 1990s never ended – they just became covert. Now it is back on the public agenda: law enforcement and intelligence agencies are again vociferous in their demand for curbs on encryption. The government argument is simple: terrorists, criminals and pedophiles should have no place to hide. But its solution is drastic: products using encryption should be compelled to include a government backdoor.

In the US, presidential candidate Jeb Bush recently claimed, “If you create encryption, it makes it harder for the American government to do its job — while protecting civil liberties — to make sure that evildoers aren’t in our midst.” In the UK, Prime Minister David Cameron is considering a ban on apps that include encryption without a backdoor (it would appear that he expects vendors to find some way to allow government access to encrypted data). But this will be difficult if not impossible. Apple is an example. It has been ordered by US courts to hand over texts wanted in a guns and drugs case. It simply cannot do so because of the end-to-end encryption in iMessage.

The battle lines are now drawn. On one side, civil liberties advocates and security researchers defend the use of encryption. On the other side are the massed ranks of government agencies: FBI, CIA, NSA, Interpol, Europol, NCA, Met Police and more, who claim they cannot protect the public without crypto backdoors.

The security industry itself is split. Many large companies, including Google and Apple, and many smaller companies are challenging the government. Microsoft is a bit different. It doesn’t offer end-to-end encryption, nor does it allow peer review of its BitLocker encryption used for OneDrive. The likelihood is that it could easily comply with government demands; but we simply don’t know. Other companies are suggesting that technology can be developed to satisfy both sides.

But there is one vital group of people who haven’t spoken: the people charged with keeping our personal information and their company’s intellectual property safe – the security practitioners, the Chief Information Security Officers.

Twenty leading CISOs from within the Wisegate community answered one simple question: Should encryption have a government backdoor? The options were:

  • use of encryption should be banned
  • all encryption should have a backdoor for law enforcement
  • apps & operating systems that have built-in encryption should have a law enforcement backdoor
  • a compromise technology will be found, satisfying both civil liberties and law enforcement
  • no encryption should ever have a backdoor for anyone

The response was overwhelming. 90% of the CISOs said that no encryption should ever have a backdoor for anyone. None of them believes that encryption should be banned, and none of them believes that a satisfactory compromise will be found. Only one CISO believes that all encryption should have a backdoor, and only one other CISO believes that apps should have a backdoor.

Their reasoning includes security and legal issues. One CISO commented, “The backdoor that exists ‘exclusively’ for law enforcement today will be the compromise that affects everyone tomorrow.”

A second view took a legal standpoint. “While there are legitimate times for the need,” he commented, “a back door can easily lead to abuse. If data is required, information can be subpoenaed or NSLs can be issued to acquire information. There are legal steps and requirements for a reason. Should law enforcement have keys to your house so they can enter at their will, with or without consent? Laws and regulations need to be addressed, not just granting an all access pass.”

Without any doubt, the business executives charged with maintaining security do not want encryption to be compromised by government backdoors.
