Obama advisors: Encryption backdoors would hurt cybersecurity, net infrastructure vendors

Leaked National Security Council advisory report weighs pros and cons of laws to make encryption keys available to law enforcement

Making encryption backdoors available to law enforcement would be bad for cybersecurity in general and hurt vendors that make encryption gear, a presidential advisory group says.

While the FBI argues that it needs legislation to require access points into encryption platforms, the National Security Council is preparing to tell President Obama that the downsides include weakening the privacy of Internet communications, according to a draft NSC report obtained by the Washington Post.

“[B]ecause any access point to encrypted data increases risk, if government efforts to secure access are successful, this approach would reduce cybersecurity,” the document says.

At the same time, laws forcing vendors to build in encryption keys for police use would create a thicket of problems for vendors, such as losing buyers in other countries that don’t want their communications hackable by U.S. law enforcement. If other countries enacted similar laws, though, that might ease the burden.

“If long-term successful in gaining government access, this option would significantly harm economic competitiveness, though the harm might be somewhat mitigated if there was broad international success in getting government access,” the document says.

The NSC drafted an analysis of three stands Obama might take in regard to encryption backdoors, listing the pros and cons of each. The options are:

* opposing backdoors altogether

* asking vendors to voluntarily provide backdoors or at least help law enforcement any way they can within the limits of their current technology

* making no stand on the issue

None of the options favors a law to mandate backdoors. Falling short of favoring a law “could encourage the use of more encryption which would likely be good for cybersecurity,” the draft says. Further, “eschewing mandated technical changes ensures the greatest technical security.”

Trying to get vendors to voluntarily introduce keys for law enforcement use is a pipe dream, some of the NSC policy team say. “Some working group participants, however, have indicated they think it unlikely that industry will be willing to voluntarily modify their technology even if the threat of legislation is removed. Others further expressed the opinion that so long as the threat of future legislation remains on the table, it may dissuade industry cooperation,” the report says.

That threat of future legislation isn’t a very big stick with which to persuade vendors anyway, some in the working group say. “[F]ew, if any, in industry likely find this threat to be credible,” the report says. “U.S. providers have not indicated they would be willing to voluntarily modify their systems to enable law enforcement access to encrypted information, even if the government were to eschew legislation.”

Still, the NSC group says if the administration outright opposes backdoor legislation, that could sway security vendors and encourage more cooperation with the government on other fronts. “This approach would remove technology companies’ most consistent grievance with the Administration, which could improve cooperation across a range of important priorities on technology issues including, but not limited to, encryption,” the report says. “It may also foster better cooperation on information that is not encrypted and will not fracture the Internet products and services market which may also preserve better access to unencrypted information, thus aiding public safety/national security.”
