Workload and Application Security Blog

6 Reasons Why Encryption Back Doors Won’t Deter Criminals

Written by William Leichter | Jul 18, 2019 12:42:25 AM

Law enforcement, the government, and high-tech companies erupt in disagreement – and private citizens are caught in the middle

Washington DC has recently revived a long-standing debate about encryption. Every couple years something causes the issue to erupt again. People’s view shift and law enforcement has expressed increasing frustration during events the last few years when their investigative efforts were stalled by encryption.

Encryption roadblocks happen both in the US and in Europe. Going back to the Paris bombings in November 2015, early evidence suggested that the terrorists used a readily available encryption app called Telegram to communicate secretly about their plans and thwart detection by law enforcement. ISIS is known to use this app. Their ability to keep their communications hidden from investigators led to finger-pointing by intelligence officials and politicians demanding that something be done to control this dangerous technology.

A similar scenario played out in the 2015 San Bernardino shooting. The DOJ took Apple to court in an effort to force them to assist in breaking into one of the shooter’s work-issued iPhones. The FBI asked Apple to develop software the FBI could use to get into the iPhone, a 5C. Having refused to comply with nearly a dozen requests to unlock the phone, Apple was viewed as blocking law enforcement efforts. A third-party ultimately intervened and was able to get into the phone, settling the matter for the time being. For all the effort, they found no useful information about the attack on the phone.

Violating privacy and controlling technology can bring unintended consequences

Apple stood its ground resisting breaking into the phone because taking that action would permanently jeopardize the privacy of customers at large, creating another nest of problems.

Even though criminals use encryption to their advantage and this aggravates officials (understandably), criminals also use multiple other "normal" technologies and devices that can be dangerous in their hands. This often can include consumer electronics, servers and networks, cars, trains, airplanes, explosives and more. But the operation of these items doesn’t stymy police and therefore doesn’t create the same kind of outcry about gaining control of them.

Weakening encryption creates obvious privacy concerns, but the argument for weakening encryption also ignores a basic question: Can this technology really be controlled? More specifically, those arguing for diluted encryption are demanding “back doors” that would allow easier access by law enforcement. For many reasons, this idea simply won’t work, plus it will have no impact on the bad guys. It could also have serious negative consequences.

Here are 6 reasons why it's a problem.

1. Encryption = Keeping Secrets

Encryption is as much a concept as it is a technology and trying to ban concepts generally backfires. For thousands of years, good and bad actors have used encryption to protect secrets, while communicating across great distances.

In the wake of traumatic public events, it’s easy to start thinking that only bad guys need to keep secrets, but that’s clearly not true. Governments must keep important secrets. Businesses are legally required to protect secrets (such as their customers’ personal information) and individuals have reasonable expectations (and constitutional guarantees in many countries) that businesses will keep their personal data private. Encryption, if properly applied, is one of the few highly effective way to protect legitimate and important secrets.

2. Who Keeps the Keys to the Back Door?

Allowing government agencies unfettered access to encrypted data is not only Orwellian – it’s also simplistic and unrealistic. Assuming back doors are created, who exactly should have access? Beyond the NSA, FBI, and CIA, should we share access with British Intelligence? How about the French? The Germans? The Israelis? Saudi Arabia? How about the Russians or the Chinese? Maybe Ban Ki-Moon can keep all the keys in his desk drawer at the UN…
As we all know, the Internet doesn’t respect national boundaries and assuming that all countries will cooperate and share equal access to encryption back doors is naïve. Even if governments only require companies within their respective jurisdictions to provide back doors, the bad guys will simply use similar, readily available technology from other sources. On the opposite side of the spectrum, who’s to say secret information entrusted to another entity won’t be stolen out from under that entity? Happens all the time - the US and others have hardly been immune to having their information stolen.

3. Keys to the Back Doors Can Easily Get into the Wrong Hands

Adding on to the risks of theft, if back doors to encryption are created, hackers will almost certainly steal and exploit them. Going back some years to 2014, all the Snowden revelations, among other things, demonstrated large government bureaucracies are not particularly good at protecting secrets or ensuring that the wrong people don’t get access. High tech companies have been all in favor of using end-to-end encryption to protect consumer information, with good reason – it protects them too. Every message exchanged between sender and receiver is then kept private between the two parties, with no big brother or government party eavesdropping.

But whenever the government departments suggest giving themselves the ability to access private communication, as well as carrying the responsibility of keeping that backdoor access “safe” within its own hands, organizations and the public are understandably skeptical. In recent years we continue to see repeated hacks of government data, demonstrating that the government has its hands full keeping its own data safe. Various corporations and businesses at large do no better, with their corporate and private data exposed in massive volumes on a regular basis. Equifax and Facebook come to mind and many others. Such data breaches make headlines daily, clearly highlighting the risks to human information no matter who is managing its security. (See links to our blogs below.)

In a very real way, the existence of encryption back doors would represent a serious threat to data security across the government, business and private sector.

4. To Control Encryption, You Need to Control Math

Ironically, while some government agencies seek to crack encryption, other agencies such as NIST are chartered with testing and validating the security efficacy and strength of encryption algorithms and implementations. The FIPS 140-2 validation process is globally recognized and provides assurance that encryption does not have flaws. Indeed, one of the only recommended means that corporations are offered to achieve Safe Harbour in the event of a data breach is if they can demonstrate they took efforts to protect data through encryption.

Today’s best encryption is based on publicly vetted and widely available algorithms such as AES-256. Most smart, college-level math majors could easily implement effective encryption based on a multitude of publicly available schemes.

So far I haven’t heard policy pundits recommend that potential cybercriminals be barred from high-level math education. Preventing clever people anywhere in the world from applying readily available encryption or developing their own encryption schemes is impossible. Whether encryption is applied to protect corporate data or personal devices (also used for business), it doesn’t make sense to dumb it down under any circumstances.

5. The Tools Do Not Cause the Actions

It does appear that with terrorist attacks, the perpetrators use commercial encryption to hide some of their communications and it must be acknowledged that this may have hindered several law enforcement cases. But criminals – and terrorists -- are also known to use off-the-shelf electronics to carry out many actions, from utilizing social media to manipulate or make cryptic plans to detonating explosives. Often having social media posts in plain site hasn’t prevented a violent action from taking place. Today’s technology accelerates everything in ways that are often frightening, but going backwards as a knee-jerk reaction is not a useful option.

Readily available technology may make a criminal’s job easier, but in the absence of easy-to-find encryption tools, criminals would always find other effective ways to hide their plans.

6. Neutering Encryption Will Hurt Legitimate Businesses

So let’s imagine that in the heat of cybercriminal fears, the US, UK and a few other governments demand that companies within their jurisdictions create and turn over encryption back doors. Confidence in security technologies from those countries would plummet, while creative entrepreneurs in many other countries would quickly deliver more effective security products.

The growth of the Internet as a trusted platform for business has been closely tied to encryption. The development of SSL encryption by Netscape in the 90s enabled e-commerce and online banking to flourish. And today, encryption is playing a critical and irreplaceable role in creating the trust required for today’s rapid growth of the cloud applications.

There are many recent examples of governments trying to legally close barn doors after the horses have long since disappeared. Ironically, the US government already bars the export of advanced encryption technology to rogue states and terrorist groups including ISIS. Clearly this ban is having zero effect on criminals’ ability to easily access encryption technology.

We live in scary times and should never underestimate the challenges we all face in deterring cybercrime and terror. But latching onto simplistic solutions that will not work, but will in fact make things worse. In fact, if we undermine the effectiveness of our critical security technology and damage an important industry, we will be handing the criminals a victory and undermining our own safety.

Sources:
http://www.thedailybeast.com/articles/2015/11/16/this-is-isis-new-favorite-app-for-secret-messages.html

Further resources:

Blogs:

1. Trump Admininistration Debating Encryption Crackdown
2. Chinese Hackers Linked to Global Telco Attacks

3. Despite US defenses, Russian hackers are still trying to break in to America’s power grid
4. Could Russia shut down US electric grids

5. DHS about electrical grid attacks by Russian agents
6. Critical infrastructure will have to operate if there's malware on it or not

7. Chinese Hacking Group Used Stolen NSA Hacking Tools Ahead of Shadow Brokers’ Leaks

8. Congressional investigation into Equifax breach finds multiple security failures

White paper: Triton attack

Newsletter: Latest issue