Schneier: terrorists will switch to more secure alternatives to avoid encryption backdoors

Study says there are 546 encryption products that lie outside US law, maybe more

A study shows that if the U.S. mandates backdoors to decrypt secret messages in order to help law enforcement, there would still be hundreds of alternative encryption products made outside the reach of U.S. law that terrorists and criminals could get their hands on.

“Smart criminals and terrorists will easily be able to switch to more secure alternatives,” is the conclusion drawn by the study “A Worldwide Survey of Encryption Products”. The authors were Internet security authority Bruce Schneier of Harvard’s Berkman Center for Internet and Society, independent security researcher Kathleen Seidel, and Saranya Vijayakumar, a Harvard student.

The argument from the FBI and others in law enforcement is that they need to be able to see what suspects are saying in encrypted messages in order to catch them. The study concludes that those who want secure products can get their hands on them because the marketplace for them is international.

“Even if a criminal has to use, for example, a US encryption product for communicating with the world at large, it is easy for him to also use a non-US, non-backdoored encryption product for communicating with compatriots,” the study says. Still, since the study says 304 encryption products are made in the U.S., installing backdoors would affect a significant percentage of the market.

Some companies that make encryption products have business entities in more than one country, making them “jurisdictionally agile,” the study says. “Some organizations can change jurisdictions, effectively moving to countries with more favorable laws.”


The bottom line, the study says, is that backdoors will have a bad impact on the masses that rely on encryption for legitimate purposes without helping to catch the cleverest criminals. “The smart criminals that any mandatory backdoors are supposed to catch – terrorists, organized crime and so on – will easily be able to evade those backdoors,” it says.

Of the 587 separate entities that make encryption products, 374 are based outside the U.S. Two countries that are major sources of these products, Germany and the Netherlands, have repudiated encryption backdoors.

A similar study in 1999 found 805 encryption products worldwide. That study was intended to measure the effectiveness of blocking exports of advanced encryption technology. It concluded that blocking it did not prevent people in other countries from obtaining the products.

The new study says the strength of encryption products is about the same no matter where they are made, since most use the same set of published encryption algorithms, and there is no reason to believe U.S. products are better. The most recent encryption standards put forth by the National Institute of Standards and Technology were based on foreign designs.

“Additionally the seemingly endless stream of bugs and vulnerabilities in U.S. encryption products demonstrates that American engineers are not better [than] their foreign counterparts at writing secure encryption software,” the study says. Plus, many U.S. companies making encryption software hire engineers working outside the U.S.

Meanwhile the study, which the authors admit isn’t comprehensive, found 865 hardware and software encryption products worldwide – 546 of them made in the U.S. – with functions ranging from file, messaging, voice and email encryption to VPNs.

The next four behind the U.S. are Germany, the U.K., Canada, France and Sweden, with that top five accounting for more than two-thirds of the total.

“The US produces the most products that use encryption, and also the most widely used products,” the study says. “Any US law mandating backdoors will primarily affect people who are unconcerned about government surveillance, or at least unconcerned enough to make the switch. These people will be vulnerable to abuse of those backdoors by cybercriminals and other governments.”

Congress is considering a proposal to create a commission to study the encryption issue as well as considering blocking states from creating their own encryption legislation.


Stories by Tim Greene
