Encryption Debate: 8 Things CIOs Should Know
Governments want access to encrypted communications to prevent terrorist attacks, but IT professionals and tech vendors say any weakening of encryption is a threat to privacy and data security.
Perhaps it's due to the recently televised presidential debates. Or perhaps it's a sign of the times in which we live. Either way, the topic of data encryption is hotter than ever.
On one side we have the pro-encryption camp that insists on maintaining encryption without backdoors or master keys of any kind. Once data is encrypted, only the sender and receiver will know what was sent. On the other side of the debate are those who believe special circumstances dictate when data can and should be decrypted through due process.
There's no doubt that valid points are made on both sides of the issue. Yet, you'll find that the majority of IT security professionals and technology companies are coming out against any method to weaken encryption standards. This obviously includes backdoors and storing encryption keys.
The US government seems to be changing its tune regarding what it is requesting from technology vendors in terms of data decryption capabilities. Until recently, federal law enforcement agencies were demanding complete backdoor access to encrypted applications. This would have given the US government the unfettered ability to decrypt data with little public oversight.
In fall 2015, the US government dropped the "backdoor" verbiage and now is requesting that technology vendors "maintain their ability to comply with state and local judges' warrants" by storing encryption keys for the government. When warrants are served that demand decryption of data on devices such as PCs, smartphones, and tablets, technology vendors would have to comply with these requests.
Many technology companies -- including Apple, Cisco, Google, and Microsoft -- have already made it clear that they don't want to create backdoors. Nor do they want to store encryption keys for the government. Their reason? It significantly decreases the effectiveness of encryption -- a critical component of an IT security posture. Businesses are under pressure to protect customer information, intellectual property, and other sensitive data from getting into the wrong hands. Handicapping encryption weakens their ability to meet that goal.
We break down the encryption debate, as it stands today. By exploring eight key factors influencing the discussion, we aim to reflect the thought processes on both sides of the debate -- and explain why the vast majority of IT professionals and technology vendors oppose altering their encryption protocols at the request of various governments around the world. Once you've reviewed these considerations, tell us what you think in the comments section below.
When FBI Director James Comey testified before Congress in July 2015, he stated that his department was struggling to keep track of terrorist communications because they were moving to communications applications that use data encryption. This creates a situation in which communications can no longer be monitored for terrorist activity.
Terrorist organizations are far from the only ones embracing encryption. All technology users are using encryption, whether they know it or not. This is because a growing number of operating systems and applications now enable encryption by default.
For example, with Apple's iOS 8 release in the fall of 2014, data that resides on its smartphones and tablets is now encrypted by default, which renders the information useless to law enforcement.
For a long time, governments around the world had a fairly easy time intercepting unencrypted communications for various investigations. But now that encryption is taking hold, that visibility -- and effectiveness -- is quickly deteriorating. There's a case being made about why governments should maintain an easy avenue into monitoring communications, but it's being met with staunch resistance from vendors.
US and UK governments recently claimed they don't want "backdoors" into encryption mechanisms. Instead, they want vendors to hold onto the encryption keys, which can be used when warrants are issued in criminal cases.
This is assumed to be safer because it doesn't allow governments to decrypt communications themselves. Only the vendors can, when presented with a warrant. Is this a meaningful change, or simply a shift in rhetoric to soften the magnitude of the request? In either scenario, encryption is weakened for the user.
Global technology companies are in an especially difficult position over the encryption debate. Western firms working in the Middle East and Asia find it tough enough to build trusting relationships when governments of different countries don't trust one another. To allow, or be part of, any method to compromise encryption that favors one country over another simply adds fuel to the fire.
The US government's current proposal claims it only wants the ability to decrypt data "at rest" -- meaning when it's stored on a device. The government has backed away from requests for a backdoor to read encrypted messages as they are transmitted in real time. Still, it's not hard to imagine they'll eventually want that, too.
If people are aware of ways that their encrypted messages can be read by government agencies, and are concerned about keeping their data private, they look for alternative methods to communicate. While giving in to government demands for encryption keys would be a victory in the short term for spy agencies and law enforcement, the cat-and-mouse game would simply continue. Data security is not static in nature, and will continue to evolve over time.
The idea that backdoors or master decryption keys can be kept safe from evildoers is a tough pill to swallow. After all, we hear about data theft in the public sector as much as in the private sector. The likelihood of software bugs and zero-day vulnerabilities turning up that allow unauthorized access through backdoor software also increases significantly. So, in my view, taking encryption -- the strongest tool in the IT security toolbox -- and weakening it is not the best way to tackle this problem.
Data security is a constantly evolving and fluid field, and governments must come to grips with this. In my view, simply giving in to their decryption demands won't solve anything. If governments truly need access to intercept communications from people who want to harm us, they'll almost certainly find a way. But please, don't get the private sector involved.