InfoSec pros reject DHS criticisms of encryption

Information security professionals were overwhelmingly opposed to a plea by the Department of Homeland Security, made at last week's RSA conference, to rethink encryption.

"The current course we are on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security," said Secretary of Homeland Security Jeh Johnson in his speech in San Francisco.

The spread of encryption is posing public safety challenges and making it harder for the government to fight both criminals and terrorists, he said.

"We need your help to find the solution," he said.

But for security vendors providing encryption technology to enterprise customers, any tampering with encryption protocols would do more harm than good. Here are seven ways security pros believe the DHS is wrong on encryption.

Encryption protects against criminals

First of all, encryption helps enterprises protect their data.

Given the recent spate of high-profile breaches, this is a significant concern.

"Asking America to decrease our corporate security posture in the wake of the recent exponential increase in nation-state and crime syndicate cyber incursions seems to lack a holistic understanding of the security threat, cost, and problems faced daily by corporations," said Carl Wright, general manager at San Mateo, Calif.-based TrapX.

"Encryption is the most basic tool in any arsenal to protect confidential material," he added.

If encryption is outlawed, only outlaws will have encryption

Meanwhile, strong encryption technology is already in the public domain.

If corporations are forced by law to use watered-down encryption mechanisms with government-friendly back doors, it's unlikely that criminals and terrorists will comply.

"The criminals always seem to find a way to get access to the tools that honest citizens cannot acquire," said Wright.

Back doors can be exploited

Back doors, key escrow and other mechanisms that allow government agencies to bypass encryption can also be used by criminals, foreign governments and terrorists -- helping the very groups that these mechanisms were designed to fight.

"Weakening encryption will make it easier for law enforcement to counter the 'public safety challenges' they face," said Cris Thomas, strategist at Tenable Network Security. "But it also will make it easier for anyone else to get access to information they shouldn't have."

Jonathan Cogley, CEO at Washington DC-based Thycotic Software, was also skeptical about Secretary Johnson's comments.

"Many companies are still extremely wary after the Snowden revelations about the government's ability to collect data from private sector companies secretly, and with little oversight," he said. "If the Department of Homeland Security wants the private sector to share more and encrypt less, they must do more to ease companies' concerns about the NSA spying and bulk data collection that prompted additional encryption efforts in the first place."

Back doors put too much data in government hands

If government agencies are able to vacuum up and decrypt communications, they will be collecting legitimate traffic as well as traffic between criminals or terrorists, said Jon Heimerl, senior security strategist at Solutionary.

"Encryption requires law enforcement to rely more on metadata -- who sent the data, who is receiving it, how was it encrypted, who encrypted it, what kind of encryption was used -- all these things that hint at what the data is about, without really revealing the actual data," he said.

Vendors and developers need to put users first

If anything, more communications need to be encrypted, not less, said Domingo Guerra, president and founder at Appthority, a mobile security company.

For example, many social apps do not currently encrypt traffic because it's not seen as particularly sensitive.

However, if these apps are able to access social networks, calendars, and other features on mobile devices used in the enterprise, then even innocuous data might become useful to criminals gathering material for social engineering or other attacks.

"I don't think it's our job to make it easier on the NSA," said Guerra. "It's our job to protect our clients. Both Apple and Google provide encryption tools for free and there's no downside to encrypting, so we should be encrypting as much as possible."

Governments already have subpoena powers

If a government agency needs access to encrypted enterprise information, there are other options available.

For example, the government has subpoena powers, said Gerry Grealish, CMO at security vendor Perspecsys.

"Enterprises have a legitimate, sometimes legal, requirement to maintain control of their regulated sensitive data and intellectual property and trade-secrets," he said. "Since the enterprise holds the encryption keys when encryption is implemented properly, the government must approach them with the appropriate subpoenas for data access."

Encryption allows the growth of cloud platforms

It's risky to put vital corporate data in the hands of a third party. But when that data is encrypted -- and that third party doesn't have access to the keys -- then those risks can be significantly lowered.

Cloud storage, cloud computing and cloud services are a major technological advance, and security fears could significantly slow their adoption.

"The ability to implement strong encryption and tokenization in cloud environments is critical to the next phase of cloud growth in companies," said Grealish. "One in which all sorts of sensitive data will start to migrate to applications written in cloud platforms."
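The arrangement that both the subpoena section and Grealish's quote describe, as an added example that is not code from the article, from Perspecsys or from any vendor quoted above: the enterprise generates and keeps the key, encrypts each object with AES-256-GCM before it is uploaded, and replaces sensitive values with tokens backed by an on-premises vault, so the provider holds only ciphertext and tokens. The `Enterprise` type, the object names and the sample record and card number are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Enterprise holds the data-encryption key and the token vault. Both stay
// on-premises (assumed); the provider only ever receives what Seal and
// Tokenize return.
type Enterprise struct {
	key   []byte            // 256-bit AES key
	vault map[string]string // token -> the sensitive value it replaced
}

func NewEnterprise() (*Enterprise, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Enterprise{key: key, vault: map[string]string{}}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an object with AES-256-GCM before upload and returns
// nonce || ciphertext || tag, which is all the provider stores. The object
// name is associated data: authenticated, not encrypted, so a blob copied
// under another name will not decrypt.
func (e *Enterprise) Seal(name string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(e.key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// unseal is what anyone holding a blob can attempt. With any key other than
// the one used to seal, the GCM tag check fails and nothing is returned.
func unseal(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}

// Open decrypts a blob fetched back from the provider with the enterprise key.
func (e *Enterprise) Open(name string, blob []byte) ([]byte, error) {
	return unseal(e.key, name, blob)
}

// Tokenize swaps a sensitive value for a random token that carries no
// information about it; only the on-premises vault can reverse the mapping,
// so the token can live in a cloud application's database.
func (e *Enterprise) Tokenize(value string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(raw)
	e.vault[tok] = value
	return tok, nil
}

func (e *Enterprise) Detokenize(tok string) (string, bool) { v, ok := e.vault[tok]; return v, ok }

func main() {
	ent, _ := NewEnterprise()
	blob, _ := ent.Seal("payroll.csv", []byte("alice,90000")) // constructed sample record
	back, _ := ent.Open("payroll.csv", blob)
	_, err := unseal(make([]byte, 32), "payroll.csv", blob) // provider's attempt without the key
	fmt.Printf("round trip %q; provider decrypts: %v\n", back, err == nil)
	tok, _ := ent.Tokenize("4111111111111111") // constructed test card number
	fmt.Println("cloud app stores only:", tok)
}
```

The point of the design is where the key and the vault live: a subpoena served on the provider yields ciphertext and tokens it cannot reverse, so the request has to go to the enterprise, which holds the key. Binding the object name as associated data is the extra check worth keeping: it stops a blob that was copied or renamed at the provider from being decrypted as if it were a different object.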

By Maria Korolov
