Thales Blog

Backdoor Encryption: Where Government And Hackers Become One In The Same

September 10, 2015

Tina Stewart | VP, Global Market Strategy

Once upon a time, cybersecurity was rarely discussed and we paid mild attention to the content we shared online. However, large-scale breaches like those at Target, Anthem and Home Depot opened Americans’ eyes to the information we release in the cyber world – even Obama spoke to the need to balance American safety with privacy. Apple also increased security so that only the user could unlock data. Other popular messaging services followed in Apple’s footsteps by encrypting user devices.

While tech companies embraced encryption, some government officials started seeking the right to use secret keys to track terrorists and other criminals. They felt encryption could render invisible the information that government officials claim is vital to national security.

The Justice Department eventually obtained a court order demanding Apple turn over text messages between suspects using iPhones. Apple responded that the system was encrypted so they could not physically comply. While the government had warned for months that this type of standoff was inevitable, senior Justice Department and F.B.I. officials advocate taking Apple to court. Mike Rogers, director of the NSA, recently argued that there should be legal frameworks that allow government to monitor data – with the hope that with surveillance, government has the ability to monitor potential terrorists, or in this case cyber terrorists.

While the government’s reasoning for creating a backdoor is sound, opening a door for the government means that same door is open for hackers.

In line with this ongoing debate, we’ve released a report, in conjunction with Wakefield, on the results of how Americans view “backdoor” access by government entities. The results were surprising. As many as 91% of Americans who recognized that there were risks to encryption backdoors felt that it was also justified in some circumstances.

But adding backdoors to encryption compromises the technology, and this has not gone unnoticed by the American public. According to survey respondents:

  • Data accessed through a “backdoor” could be abused by hackers (69%)
  • Data accessed through a “backdoor” could be abused by government entities (62%)
  • U.S. businesses could lose their competitive advantage (34%)

Responses also varied by age and location:

  • Twenty-six percent of respondents on the West Coast believe the government should never be able to access/view encrypted data, as compared to 17% of respondents on the East Coast
  • A higher percentage of respondents in the 18-24 range (41%) are concerned about U.S. businesses losing their competitive advantage than those in the 55-64 range (28%)
  • Both Southerners (38%) and Westerners (37%) are much more concerned about U.S. businesses losing their competitive advantage than are Northerners (25%) and Midwesterners (29%)

In certain circumstances, Americans are in favor of “backdoor” access. While arguments for catching cyber terrorists are sound, giving government officials the keys to encryption is dangerous. Even providing a ‘front door’ to government organizations is dangerous.

Respondents were in favor of backdoor access:

  • In response to a national security threat (63%)
  • As part of a federal investigation (39%)
  • As part of a state or local investigation (29%)

In a May 2015 blog post, Andy Kicklighter dove into the technical reasons encryption backdoors just won’t work. He discussed how the most dangerous bad guys will be safe anyway. “Anyone seriously worried about being compromised by a backdoor has only to get hold of a moderately talented programmer, create their own, secure encryption tools and then use them. Result – the ones who are serious about eluding detection will continue to do so.”

There have been two proposals for “how” to allow government to get access to data in motion and at rest:

  • Option A: Give access to the keys used to encrypt the data under warrant/subpoena
  • Option B: Build in an actual mathematical backdoor to a given algorithm

Both options are technically infeasible, as any backdoor reserved for just one group will eventually be discovered and harnessed by the “other” side.

Encryption is sexy again … and for good reason. Organizations are learning that if they don’t do encryption right, people are able to get around it. Really, it becomes an access control and key management issue: determining how much access to give each employee while protecting corporate data by locking that data down with encryption from unauthorized access.

Regardless of how you feel about the topic, there are some things we all should have learned. Far more users are being impacted by businesses not encrypting data than they are by the government not having access to their data. While a backdoor to encryption might help identify the run-of-the-mill perpetrator, it is not going to stop the truly dangerous people.

In this incredibly risky cybersecurity environment, the use of encryption is one of the smartest moves companies can make. As we all know by now, breaches and data theft can cause major legal, financial and reputational harm – or even ruin – for both human beings and businesses.

The answer is simple: front door or backdoor, creating intentional vulnerabilities will be detrimental to all parties involved. Hopefully with some education, we can ultimately increase awareness of how backdoor encryption plays out in the real world – a world where opened doors will be ineffective at differentiating between government and hacker access.