Acts of terrorism could push Congress toward encryption backdoors in 2016

Enterprises, vendors would face painful overhauls to gear, networks.

Decryption backdoors that let law enforcement read encrypted communications could become U.S. law in 2016, and a nightmare for enterprises, especially if terrorists succeed in carrying out major acts of violence. That is despite the risks to online commerce, international high-tech sales and the security of trade secrets, and despite the fact that such a law would not actually make encryption useless to criminals.

So far the arguments against such a law have prevailed, but that could change if public opinion turns strongly in favor of it, which is more likely in the wake of events that generate fear.


Following the killings in Paris and San Bernardino, Calif., this year, legislators in Congress renewed a push to require businesses that sell encrypted hardware, software and services to create a way to unlock the encryption when ordered to do so by a judge.

If backdoors become law, complying could mean overhauling or recalling vast amounts of backdoor-free encryption gear already deployed by businesses, a potential financial and logistical nightmare for enterprises and the vendors who make the gear. It could affect commonly used VPN and remote access platforms as well as device encryption used to secure corporate mobile devices containing sensitive information.

It’s impossible to know the scope of such a law since there is no draft, just broad talk from lawmakers interested in giving law enforcement a new investigatory tool.

Two top lawmen – FBI Director James Comey and New York’s Manhattan District Attorney Cyrus Vance, Jr. – strongly advocate for such a law to help stop terrorists, kidnappers, child pornographers and other criminals. Neither cites a case in which a criminal act could have been prevented with such backdoors, but they paint compelling pictures of the possibilities.

A report by Vance’s office cites cases in which evidence taken from smartphones that the manufacturers could still unlock contributed to convictions for murder, rape and sex trafficking. That access ended when Apple and Google changed their operating systems so that only the user, not the company, can unlock a phone, the report says. “[A]llowing a phone to be locked such that it would be beyond the reach of lawful searches and seizures was unprecedented, and posed a threat to law enforcement efforts,” Vance’s office writes.


Comey testified to the Senate Judiciary Committee last week that terrorists know about hardware and software that can’t be decrypted and they use it routinely. “There’s no doubt that use of encryption is part of terrorist tradecraft now because they understand the problems we have getting court orders to be effective when they’re using these mobile messaging apps especially that are end-to-end encrypted,” he says. “We see them talking about that all over the world; it is a feature especially of ISIL’s tradecraft.”

Vance seeks federal legislation that would require that any smartphone sold in the U.S. must be able to have the data on it accessed by the operating system designer. “It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches,” he writes.

Senators are also talking about making it possible to decrypt communications in transit, not just data stored on devices.

President Obama in a televised speech after the San Bernardino shootings called loosely for unspecified technology – possibly backdoors – to help fight terrorism. “And that is why I will urge high tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice,” he said.

He’s not necessarily referring to ways that secret messages could be decrypted (he avoided calling for legislation to bring that about earlier this year), but the political environment could push things in that direction.

There is precedent for it, says Phil Zimmermann, who successfully fought encryption backdoors two decades ago during the so-called Crypto Wars of the 1990s, when the government pushed to limit access to uncrackable cryptography. That push included the Clipper Chip, an encryption chip for telephone equipment with a built-in key-escrow backdoor that the government hoped to see adopted.

He points to the passage of the U.S. Patriot Act in 2001, just six weeks after the 9/11 attacks, a sweeping law that has since been used for purposes well beyond the fight against terrorism for which it was written. “When you put a law in place at times of emergency, it can be used for a lot of things,” he says. “If you press for backdoors it would create effects that would be with us for many years.”

Amit Yoran, president of RSA, makes a similar observation. “There’s certainly a Patriot Act opportunity at the ready,” he says, in which an emotional response to specific acts could prevail, despite widespread lack of support for it. “Except for the FBI there’s a uniform dislike of this policy at senior levels in the intelligence community.”

The National Security Council drafted a report for Obama this fall that concluded, “[T]his approach would reduce cybersecurity.”

If enacted, such a law would create big problems for enterprises, says John Pironti, president of IP Architects, who consults with businesses on how to secure their networks and data. Complying would be beyond the resources of small and midsize businesses, which would have to rely on service providers and encryption vendors to overhaul or replace existing encryption infrastructure.

From the vendor side, it would mean establishing and maintaining secure infrastructure to house the keys they would need to break encryption on their products. “The cost of maintaining something like that is enormous,” Pironti says. “It’s less expensive not to have the ability.”

Yoran says RSA “wouldn’t do it” if laws required backdoors. RSA is getting out of the encryption business, because “it’s not part of our vision for the future,” he says. It’s an open question whether the company would make modifications to its encryption products already sold.

Pironti says he wouldn’t do it either. “I’m not going to work with a client to degrade technology to decrypt,” he says. “They would rely on the vendors.”

Designing in a way to decrypt encrypted messages creates guaranteed weak points in the security of the encryption, says Zimmermann, leaving the system more open to cracking by unauthorized parties.

Pironti says setting up a way to protect encryption keys would be hard. “How do I protect this in a way it can’t be used for malicious purposes by a malicious party or an insider?” he says.
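To make concrete what Zimmermann and Pironti describe, here is an added example in Go. It is not code from the article or from any vendor quoted in it; the function names (Encrypt, Decrypt, Demo), the recipient and escrow keys, the sample message and the choice of AES-256-GCM with RSA-OAEP key wrapping are all assumptions for illustration. It models the simplest way a vendor could meet a backdoor mandate: every message is sealed under a fresh session key, and that session key is wrapped not only to the recipient’s public key but also to an escrow public key the vendor holds. The escrow private key then reads every escrowed message ever sent, whoever holds it, while it opens nothing in the end-to-end version.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope: Body is AES-256-GCM under a fresh session key; Wraps holds that
// session key RSA-OAEP-encrypted once for each party allowed to read it.
type Envelope struct {
	Body  []byte   // nonce || ciphertext || GCM tag
	Wraps [][]byte // session key wrapped to each authorised public key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals msg for every listed public key: only the recipient's key is
// end-to-end encryption; adding an escrow key models a vendor-held master key.
func Encrypt(msg []byte, readers ...*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 session key || 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	session, nonce := buf[:32], buf[32:]
	g, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Body: g.Seal(nonce, nonce, msg, nil)}
	for _, pub := range readers {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, nil)
		if err != nil {
			return nil, err
		}
		env.Wraps = append(env.Wraps, w)
	}
	return env, nil
}

// Decrypt succeeds only with a key the sender wrapped the session key to;
// any other key fails the OAEP padding check on every wrap.
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range env.Wraps {
		session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
		if err != nil {
			continue // not wrapped to this key
		}
		g, err := newGCM(session)
		if err != nil {
			return nil, err
		}
		n := g.NonceSize()
		if len(env.Body) < n {
			return nil, errors.New("ciphertext too short")
		}
		return g.Open(nil, env.Body[:n], env.Body[n:], nil)
	}
	return nil, errors.New("no session key wrapped to this private key")
}

// must panics on setup errors so the demo reads linearly.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo seals one constructed message for an assumed recipient, with and without
// an assumed escrow key, and reports whether the escrow private key reads each.
func Demo() (escrowReadsE2E, escrowReadsEscrowed bool) {
	recipient := must(rsa.GenerateKey(rand.Reader, 2048))
	escrow := must(rsa.GenerateKey(rand.Reader, 2048))
	msg := []byte("constructed sample message, not real traffic")
	e2e := must(Encrypt(msg, &recipient.PublicKey))
	escrowed := must(Encrypt(msg, &recipient.PublicKey, &escrow.PublicKey))
	reads := func(env *Envelope, k *rsa.PrivateKey) bool {
		pt, err := Decrypt(env, k)
		return err == nil && string(pt) == string(msg)
	}
	if !reads(e2e, recipient) || !reads(escrowed, recipient) {
		panic("recipient cannot read its own message")
	}
	return reads(e2e, escrow), reads(escrowed, escrow)
}

func main() {
	fmt.Println(Demo()) // false true
}
```

Run it with go run; Demo prints false then true: the escrow key fails against the end-to-end envelope and succeeds against the escrowed one. Everything Pironti’s key-protection question turns on is that single RSA private key. The protocol gives an insider or a thief who copies it exactly the access a court order was meant to grant, and nothing in the ciphertext distinguishes the two.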

A prime reason not to create backdoors is that malicious actors, who are already criminals, will use technology created outside the jurisdiction of U.S. law or build their own, Pironti says; the law would not be effective.

Peter Swire, a professor at the Scheller College of Business at the Georgia Institute of Technology, testified to the Senate Judiciary Committee this year that the downside of such a law would be widespread.

“[G]overnment-mandated vulnerabilities would threaten severe harm to cybersecurity, privacy, human rights, and U.S. technological leadership, while not preventing effective encryption by adversaries,” Swire says.


By Tim Greene, Network World
