InfoSec pros reject DHS criticisms of encryption
- 01 May, 2015 01:09
Information security professionals were overwhelmingly opposed to the Department of Homeland Security's plea, made at last week's RSA conference, to rethink encryption.
"The current course we are on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security," said Secretary of Homeland Security Jeh Johnson in his speech in San Francisco.
The spread of encryption is posing public safety challenges and making it harder for the government to fight both criminals and terrorists, he said.
"We need your help to find the solution," he said.
But for security vendors providing encryption technology to enterprise customers, any tampering with encryption protocols would do more harm than good. Here are seven ways security pros believe the DHS is wrong on encryption.
Encryption protects against criminals
First of all, encryption helps enterprises protect their data.
Given the recent spate of high-profile breaches, this is a significant concern.
"Asking America to decrease our corporate security posture in the wake of the recent exponential increase in nation-state and crime syndicate cyber incursions seems to lack a holistic understanding of the security threat, cost, and problems faced daily by corporations," said Carl Wright, general manager at San Mateo, Calif.-based TrapX.
"Encryption is the most basic tool in any arsenal to protect confidential material," he added.
If encryption is outlawed, only outlaws will have encryption
Meanwhile, strong, unbreakable encryption technology is already in the public domain.
If corporations are forced by law to use watered-down encryption mechanisms with government-friendly back doors, it's unlikely that criminals and terrorists will comply.
"The criminals always seem to find a way to get access to the tools that honest citizens cannot acquire," said Wright.
Back doors can be exploited
Back doors, key escrows and other mechanisms that allow government agencies to bypass encryption can also be used by criminals, foreign governments and terrorists -- helping the very groups that these mechanisms were designed to fight.
"Weakening encryption will make it easier for law enforcement to counter the 'public safety challenges' they face," said Cris Thomas, strategist at Tenable Network Security. "But it also will make it easier for anyone else to get access to information they shouldn't have."
Jonathan Cogley, CEO at Washington DC-based Thycotic Software, was also skeptical about Secretary Johnson's comments.
"Many companies are still extremely wary after the Snowden revelations about the government's ability to collect data from private sector companies secretly, and with little oversight," he said. "If the Department of Homeland Security wants the private sector to share more and encrypt less, they must do more to ease companies' concerns about the NSA spying and bulk data collection that prompted additional encryption efforts in the first place."
Backdoors put too much data in government hands
If government agencies are able to vacuum up and decrypt communications, they will be collecting legitimate traffic as well as traffic between criminals or terrorists, said Jon Heimerl, senior security strategist at Solutionary.
"Encryption requires law enforcement to rely more on metadata -- who sent the data, who is receiving it, how was it encrypted, who encrypted it, what kind of encryption was used -- all these things that hint at what the data is about, without really revealing the actual data," he said.
Vendors and developers need to put users first
If anything, more communications need to be encrypted, not less, said Domingo Guerra, president and founder at Appthority, a mobile security company.
For example, many social apps do not currently encrypt traffic because it's not seen as particularly sensitive.
However, if these apps are able to access social networks, calendars, and other features on mobile devices used in the enterprise, then even innocuous data might become useful for criminals looking for social engineering information or other exploitable information.
"I don't think it's our job to make it easier on the NSA," said Guerra. "It's our job to protect our clients. Both Apple and Google provide encryption tools for free and there's no downside to encrypting, so we should be encrypting as much as possible."
Governments already have subpoena powers
If a government agency needs access to securely encrypted enterprise information, there are other options available.
For example, the government has subpoena powers, said Gerry Grealish, CMO at security vendor Perspecsys.
"Enterprises have a legitimate, sometimes legal, requirement to maintain control of their regulated sensitive data and intellectual property and trade-secrets," he said. "Since the enterprise holds the encryption keys when encryption is implemented properly, the government must approach them with the appropriate subpoenas for data access."
Encryption allows the growth of cloud platforms
It's risky to put vital corporate data in the hands of a third party. But when that data is encrypted -- and that third party doesn't have access to the keys -- then those risks can be significantly lowered.
Cloud storage, cloud computing and cloud services are a major new technological advance. Security fears could have significant negative repercussions.
"The ability to implement strong encryption and tokenization in cloud environments is critical to the next phase of cloud growth in companies," said Grealish. "One in which all sorts of sensitive data will start to migrate to applications written in cloud platforms."