Last week’s tragic events in Paris, and fears over similar terrorist attacks around the world, have revived a long-standing debate. Early evidence suggests that the terrorists used a readily available encryption app to hide their plans and thwart detection by law enforcement. This has led to finger-pointing by intelligence officials and politicians demanding that something be done to control this dangerous technology. Keep in mind that the terrorists also used multiple other dangerous technologies including consumer electronics, explosives, lots of guns, cars, trains and probably airplanes – but these are better understood and attract less grandstanding about controlling them.
Setting aside the obvious privacy concerns, the argument for weakening encryption ignores a basic question – can this technology really be controlled? More specifically, those arguing for diluted encryption are demanding “back doors” that would allow easier access by law enforcement. For many reasons, this idea simply won’t work and will have no impact on bad guys. It also could have serious unintended negative consequences. Here are a few reasons why:
- Encryption = Keeping Secrets
Encryption is more of an idea than a technology and trying to ban ideas generally backfires. For thousands of years, good and bad actors have used encryption to protect secrets, while communicating across great distances.
In the wake of traumatic public events, it’s easy to start thinking that only bad guys need to keep secrets, but that’s clearly not true. Governments must keep important secrets. Businesses are legally required to protect secrets (such as their customers’ personal information) and individuals have reasonable expectations (and constitutional guarantees in many countries) that they can keep their personal data private. Encryption, if properly applied, can be a highly effective way to protect legitimate and important secrets.
- Who Keeps the Keys to the Back Door?
Allowing government agencies unfettered access to encrypted data is not only Orwellian – it’s also simplistic and unrealistic. Assuming back doors are created, who exactly should have access? Beyond the NSA, FBI, and CIA, should we share access with British Intelligence? How about the French? The Germans? The Israelis? Saudi Arabia? How about the Russians or the Chinese? Maybe Ban Ki-Moon can keep all the keys in his desk drawer at the UN…
As we all know, the Internet doesn’t respect national boundaries and assuming that all countries will cooperate and share equal access to encryption back doors is naïve. But if governments only require companies within their respective jurisdictions to provide back doors, the bad guys will simply use similar, readily available technology from other places.
- Keys to the Back Doors Can Easily Get into the Wrong Hands
If there are back doors to encryption, hackers will almost certainly steal and exploit them. As the Snowden revelations demonstrated, large government bureaucracies are not particularly good at protecting secrets or ensuring that the wrong people don’t get access. The OPM hack, which exposed millions of government employees’ data (purportedly to Chinese hackers), highlights the risks when large numbers of humans are involved.
In a very real way, the existence of encryption back doors would represent a serious threat to data security across the government, business and private sector.
- To Control Encryption You Need to Control Math
Ironically, while some government agencies seek to crack encryption, other agencies such as NIST are chartered with testing and validating the security efficacy of encryption algorithms and implementations. The FIPS 140-2 validation process is globally recognized and provides assurance that encryption does not have flaws.
Today’s best encryption is based on publicly vetted and widely available algorithms such as AES-256. Most smart, college-level math majors could easily implement effective encryption based on a multitude of publicly available schemes.
So far I haven’t heard policy pundits recommend that potential terrorists be barred from high-level math education. Preventing clever people anywhere in the world from applying readily available encryption or developing their own encryption schemes is impossible.
- The Tools Do Not Cause the Actions
It does appear that the Paris terrorists used commercial encryption to hide some of their communications and it must be acknowledged that this may have hindered law enforcement. They also probably used off-the-shelf electronics to detonate their explosives, drove modern rental cars to haul people and weapons and perhaps were radicalized in the first place through social media. Today’s technology accelerates everything in ways that are often frightening, but going backwards is never an option. And the tools, no matter how advanced, do not create the murderous intent behind terrorism.
Readily available technology likely made their jobs easier, but in the absence of easy-to-find encryption tools, the terrorists could have found many other effective ways to hide their plans.
- Neutering Encryption Will Hurt Legitimate Businesses
So let’s imagine that in the heat of terrorist fears, the US, UK and a few other governments demand that companies within their jurisdictions create and turn over encryption back doors. Confidence in security technologies from those countries would plummet, while creative entrepreneurs in many other countries would quickly deliver more effective security products.
The growth of the Internet as a trusted platform for business has been closely tied to encryption. The development of SSL encryption by Netscape in the 90s enabled e-commerce and online banking to flourish. And today, encryption is playing a critical role in creating the trust required for the rapid growth of cloud applications.
There are many recent examples of governments trying to legally close barn doors after the horses have long since disappeared. Ironically, the US government already bars the export of advanced encryption technology to rogue states and terrorist groups including ISIS. Clearly this ban had zero effect on the terrorists’ ability to easily access encryption technology.
We live in scary times and should never underestimate the challenges we all face in deterring terror. But latching onto simplistic solutions that will not work does not make us safer. In fact, if we undermine the effectiveness of our critical security technology and damage an important industry, we will be handing the terrorists a victory.
Willy Leichter, Global Director of Cloud Security, CipherCloud
[Cloud Security Alliance Blog]