IT Pros Fear Encryption Backdoors - InformationWeek

News
4/20/2016
09:06 AM

IT Pros Fear Encryption Backdoors

A survey of IT professionals by network services company Spiceworks finds concern about the risk of backdoors that bypass encryption.

Amid federal and state bills written to weaken computer security by mandating backdoors that bypass encryption, IT pros are alarmed at the prospect of security made insecure, according to a report released Tuesday by IT services firm Spiceworks.

In a survey of 600 IT professionals from North America, Europe, the Middle East, and Africa, Spiceworks found that 87% said they believe backdoors increase the risk of a data breach.

As an individual identifying himself as Dave Ohlendorf explained in the Spiceworks forum, "ANY backdoor -- no matter who knows about it, can and likely will be reverse engineered and end up in the wild where it will get into the hands of 'very bad people.'"

This view has been echoed by cryptography experts such as Matthew Green, assistant professor in the department of computer science at Johns Hopkins University. As Green put it in a tweet earlier this year, "The problems with encryption backdoors come up when you try to scale them from an idea to something that affects millions of people."

The Athens affair, in which the Vodafone phone network in Greece was compromised over a decade ago, is often cited as an example of the problem with backdoors.

Backdoors in encrypted systems can make life easier for law enforcement agencies, but they impose a potential cost on businesses. Simply put, compromised security has become a tough sell. Some backdoors are put in place deliberately, as a matter of administrative convenience. Others, like the backdoor in Juniper's NetScreen firewalls, are supposedly unauthorized. Either way, they're generally not welcome.

(Image: Maksim Kabakou/iStockphoto)

Spiceworks separately surveyed 220 IT pros about how awareness of a backdoor in a company's products might affect that company's sales prospects. The firm found that 65% of IT pros would be less likely to buy from a company known to install backdoors in its products. Only 20% said a history of backdoors would have no impact when considering a purchase.

Given reports about the NSA's ability to access networking equipment from Cisco, Dell, Huawei, and Juniper, not to mention a supposedly inadvertent backdoor in a MediaTek phone chip used for some Android phones, it may be difficult to avoid products with backdoors or vulnerabilities that could become backdoors.

Nevertheless, some businesses see value in declaring their commitment to encryption, even if their execution remains imperfect. Apple, for example, has taken a public stand against the US government's attempt to force it to undo its encryption for the convenience of investigators. And more recently, consumer messaging providers like WhatsApp and Viber have committed to end-to-end encryption.

According to a separate Spiceworks security report released in December 2015, more than 80% of businesses experienced some form of security incident last year and 27% of the 200 IT pros surveyed planned to increase spending on encryption in 2016.

In the report that was released Tuesday, more than half of those surveyed (57%) said they believe that network or device encryption had helped their organization avoid a data breach.

Encryption has become common on networks. Some 47% of Spiceworks respondents said they encrypted data in transit to laptop and desktop computers. But encryption is less common on mobile devices like tablets (35%) and smartphones (40%). It's also less common for data at rest: laptops/desktops (36%), tablets (25%), and smartphones (28%).

Still, some organizations don't see the value of encryption. According to the IT pros surveyed, 16% of organizations don't enforce encryption across any devices or services.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
jastroff
User Rank: Ninja
4/26/2016 | 1:41:43 PM
Re: "We have to be able to do it"
I was an Apple person for a while. It usually passes if you want to come back from the dark side :-)
vnewman2
User Rank: Ninja
4/26/2016 | 12:50:25 PM
Re: "We have to be able to do it"
You raise an interesting point. People formed their allegiance to Apple long before these encryption issues came to the forefront and long before people closed the space between work devices and personal. So now they have a legion of minions (I am one of them lol) that are hooked on the devil they know as opposed to the devil they don't.
jastroff
User Rank: Ninja
4/26/2016 | 11:37:12 AM
Re: "We have to be able to do it"
Has anyone who opted for Android over iPhone chosen the less secure phone?

>>   But if you have choices, wouldn't you opt for the super-secure one? 

I think they can all be broken into, and that security is like a red-herring, at least at this level. 
Broadway0474
User Rank: Ninja
4/26/2016 | 7:54:38 AM
Re: "We have to be able to do it"
Vnewman, you touched on something there. There is really not too much diversity in certain tech products. It's not like autos where if I don't like VW cheating, I can choose a dozen other makes.
Depressiondesmamans
User Rank: Apprentice
4/26/2016 | 5:37:55 AM
reply
I'm a French entrepreneur and all my staff encrypted data in transit to laptop and desktop computers. This practice will become widespread for a long time! Thanks for your post!
vnewman2
User Rank: Ninja
4/25/2016 | 9:34:14 PM
Re: "We have to be able to do it"
@Broadway - Well, I certainly was! The only thing I can think of is if you absolutely, positively needed the product and they were the only game in town. But if you have choices, wouldn't you opt for the super-secure one?
Joe Stanganelli
User Rank: Author
4/25/2016 | 12:03:48 PM
EU/US split?
@Thomas: Based on my knowledge of Spiceworks surveys/reports, I'm curious how that broke down between European countries and other nations.  I would tend to think that the lack of trust of encryption would be higher -- but perhaps US/North American respondents are more self-aware in the wake of Snowden's revelations...
SaneIT
User Rank: Ninja
4/25/2016 | 8:28:25 AM
Re: "We have to be able to do it"
Add the fact that now people know where the key is, not just that it exists, and you've opened up the gates for attack. I think of things like key generators for popular software packages; once someone knows how it works, pretty soon there are dozens of sources to get past any security. Once the first key is leaked it will be less than a week before that key and how to exploit it is on hundreds of hacking sites.
Broadway0474
User Rank: Ninja
4/24/2016 | 9:52:58 PM
Re: "We have to be able to do it"
Was anyone else surprised that only 65% of the respondents said they wouldn't want to buy from a company that's known to have installed a backdoor? I'd assume smart IT people would be in the 90-95% range of objection. Could it be that they would want to know which firm it was before they swore them off?!