Sad but true: many government officials have difficulty accepting the importance, and necessity, of encryption. Although it’s a foundational component of every responsible organization, each day seems to bring a new threat to encryption technology from well-meaning but ill-informed government officials.
The latest attack on encryption tools comes from US Deputy Attorney General Rod Rosenstein. Earlier this month, Rosenstein gave a speech at the US Naval Academy where he admonished private tech companies for using “warrant-less encryption.” Instead, Rosenstein wants organizations to embrace “responsible encryption.”
But what, exactly, is responsible encryption?
“Responsible encryption, according to the lawmakers who demand it, would require companies to create a secret key, or back door, that would make it possible to read coded data,” writes Alfred Ng, a reporter for CNET. “Only the government could access the key, so that with the proper warrant or court order, law enforcement could read through messages. The key would be kept secret—unless hackers stole it in a breach.”
Not only does Rosenstein believe responsible encryption exists, he insists that it allows organizations to keep their communications private and provide government access at the same time. “Responsible encryption can protect privacy and promote security without forfeiting access for legitimate law enforcement needs supported by judicial approval,” he said in his speech.
Cyber security experts, however, are skeptical of Rosenstein’s remarks. Many believe his concept of responsible encryption is simply wishful thinking.
“Tinkering with encryption is like trying to fly a plane without understanding the basics of lift and gravity: it’s a terrible idea, and will cause a lot of unintended damage,” said Kevin Bocek, chief security strategist for Venafi. “We have no reason to believe that law enforcement can do a better job at stopping cyber criminals than a bank with legions of security professionals. It’s simply impossible for there to be any kind of ‘good’ backdoor which will only be available to law enforcement, and not to cyber attackers.”
Ultimately, we need to call “responsible encryption” what it really is: the desire for government-mandated backdoors. Sadly, Rosenstein’s comments represent a continued disconnect between security professionals and government officials. And this mistrust can have disastrous results.
For example, a recent Venafi survey revealed that 91% of security professionals believe cybercriminals could take advantage of government-mandated encryption backdoors. In addition, 72% do not believe that encryption backdoors would make their nations safer from terrorists.
The question bears repeating: how can we educate our government officials about the dangers of encryption backdoors?
After all, the next government comment that threatens encryption is just around the corner. And who knows if that threat may be acted upon, whether we like it or not?