digibyte - new encryption legislation is misguided, but no short-term fallout for enterprises
- Summary:
- The new encryption bill in Congress is another discouraging step back from a smart approach to encryption and threat detection - here's why.
Looking at the comment barrage on encryption news, it is easy to demonize the government for treading on privacy, or Silicon Valley for putting profits over safety. For a different angle, I'll analyze this story as if both sides have the best of intentions.
1. The proposed law is asking for a concession that is not technically possible with end-to-end encryption. Some lawmakers fail to understand that current encryption technology simply does not support foolproof third-party access that can't be exploited by bad actors. Perhaps in some future time there will be a way to provide incorruptible back door access, but right now, it's not technically possible. As per Yahoo, in a recent congressional hearing on encryption, University of Pennsylvania associate professor of computer science Matt Blaze said:
“The encryption issue has been characterized as a question of whether we can build systems that allow the good guys in and keep the bad guys out,” Blaze, who has been studying encryption for over two decades, said in his opening statement. “Much of the debate has focused on questions of whether we can trust the government with keys for data. But before we can ask that question, there’s an underlying technical question, of whether we can trust the technology to actually give us a system that does that. And unfortunately, we simply don’t know how to do that safely and securely at any scale.”
2. Rolling back end-to-end encryption will simply hurt U.S. tech companies and consumers - without preventing such encryption globally. As I wrote last time, the encryption genie is out of the bottle. Some legislators want Apple and other tech companies to revert to prior encryption models that *were* vulnerable, such as the infamous San Bernardino phone that was ultimately accessed by a third party agency hired by the FBI. Should such a law pass, many consumers would vote with their wallets to purchase devices manufactured outside the U.S. and not subject to these backdoors.
My (enterprisey) take
Chasing this legal tail distracts agencies from more effective steps:
- Many criminals will still expose their trails, even with encrypted devices. Whether it's insecure cloud uploads, geolocational data permission mistakes, poor password choices, monitored phone calls to family members, or simply human error, modern surveillance technology still gathers plenty of intrusive bread crumbs that can be used for threat detection and investigation.
- Rather than urge myopic legislation, agencies should lobby for investment in threat detection systems that detect anomalies, chart potential threats in real time and offer predictive analysis of threats to come. The technology is getting there. External data like shipping port logs can be pulled into predictive engines and yield important clues. However, agencies must ensure that a data scientist/predictive expert can warn against the dangers of flawed predictive models that can flag the wrong correlations or people.
- The most sophisticated terrorists will use uncrackable devices or fully encrypted applications. If you force certain companies, devices or apps (e.g. WhatsApp) to provide access, bad actors will simply move to other apps or devices. We're back to the importance of human intelligence, infiltration of radical groups, and more importantly, building an economically viable world that reduces disaffection.
My advice to tech companies: The FBI has cited their lack of internal encryption expertise and distaste for relying on third party "gray hat" hackers. Invest in collaborative programs to make sure that technical skills are available to government agencies. There is still a big risk that legal battles will be lost and public opinion will turn.
For enterprises, this legislation has no immediate impact on planning for device encryption. If you look at my last encryption piece - as well as the blog comments - there are plenty of proactive steps to take. Updating vulnerable outdated software would keep most companies busy for the rest of 2016.