Speaking at the Conservative Party conference earlier this week the UK home secretary, Amber Rudd, stated that she didn't need to "understand how encryption works to understand how it's helping the criminals." She does, however, need to understand how backdooring encryption would disadvantage perfectly legitimate businesses and potentially cost them dearly.
With such things as the EU General Data Protection Regulation coming into play in May next year, and the UK Data Protection Bill already progressing through Parliament, encryption is a topic that will not be going away. It's vital that businesses not only know under what circumstances encryption should be implemented, but also understand the how such encryption gels with the regulatory compliance process. That Rudd is, in effect, muddying the waters with demands for technical solutions to enable encryption to be broken on demand is unhelpful to say the least.
This is not just a case of talking technical semantics either; understanding how encryption enables law-abiding business is central to the whole backdoor for law enforcement debate. Rudd insists that she will "engage with the security services" to find the best way to combat the 'end-to-end encryption threat' as she refers to it. Trouble is, here at SC Media UK we have been hard-pressed to find any security vendors who feel much like being part of that engagement process.
Kevin Bocek, chief cyber-security strategist at Venafi likens tinkering with encryption and the machine identities that turn it on without understanding to trying to fly a plane without understanding the basics of lift and gravity. "It's a terrible idea" he insists "and could cause a lot of damage before its realised for citizens, business, and national security." And as Trend Micro's VP of security Research, Rik Ferguson, points out "encryption only becomes a weapon when individuals with a malicious agenda make it so."
But Charl Van Der Walt, chief security strategy officer at SecureData, did argue that the use of the 'backdoor' term "puts security people into a complete spin" and went on to tell SC Media that "the resulting stand-off isn't helping anyone." Van Der Walt proposes that governments and law enforcement should "clearly and simply articulate a need they have to access the communications of suspected individuals under specifically defined circumstances." Then, he suggests, technology providers can work with them in a mature manner to explore how these legitimate requirements could be met. Wicus Ross though, a researcher at SecureData, told us separately that "people do not need to understand encryption or cryptography to realise that purposefully weakening something can have severe consequences if the details on how to compromise it is leaked."
This is a theme that security professionals return to time and time again, and for good reason: it's common sense. Can end-to-end encryption be made accessible to law enforcement without introducing the potential for access by nefarious parties? "The idea that end-to-end encryption can be accessed by law enforcement is by its very definition, absurd" says James Maude, senior security engineer at Avecto who goes on to refer to such a compromised technology as being 'end-to-anyone' encryption.
But the arguments are not only confined to the definition. As encryption algorithms are already standardised, and assuming the private sector wouldn't accept a flawed encryption implementation voluntarily, the government would have to introduce both a new standard of encryption algorithm *and* build the legal framework that enforces it. "The problem with this is that the standards for encryption algorithms are set by the International Organisation for Standardization (ISO)" Dan Brown, security consultant at FarrPoint Ltd said in conversation with SC, continuing "The ISO has already rejected new standards from the NSA, based on fears of an implicit backdoor." And, of course, there's the small matter that the ISO does not actually enforce these standards. Brown concludes that there is "no global governmental organisation that could."
But assuming for a moment that a backdoored encryption methodology was in place, how might this impact upon businesses from both a practical and regulatory compliance viewpoint? "If one country or region degrades its encryption, simply put market forces will take over and customers will choose to deal with business, located in other countries" Ian Trump, chief technology officer at Octopi Managed Services says "when you think about it, our data is free to move anywhere it wants, needs or is taken."
Backdoors in encryption could have a massive legal impact on business, suggests Lee Munson, security researcher at Comparitech.com who told SC "with GDPR only just over the horizon, how would any business be able to do any trade involving personal information, or even communicate about its own employees, if it cannot do so securely?" As Vince Warrington, founder of Protective Intelligence, argues "it would put both businesses and regulators in an unfortunate position - we've built a lot of our trusted digital systems on the premise that the encryption we use would not be weakened, so to do so would bring huge uncertainty into almost every aspect of those systems." And David Emm, principal security researcher at Kaspersky Lab, likens encryption weakened in this way as "effectively creating a zero-day vulnerability in the application" with all the known chaos that brings with it.
So, where does this leave the Home Secretary and her statement? "One would assume that Amber Rudd had access to experts and professionals in the field that can advise her on this issue" says Tony Rowan, chief security consultant at SentinelOne, who continues "but if that is the case, I firmly believe that the *advice* is not being understood and reflected in her public interactions."
Nobody really expects Rudd to have a PhD in cryptography, but there is an expectation that she might grasp the importance of the technology to both businesses and individuals. "Her knowledge is either lacking" Vince Warrington concludes "or she's choosing to ignore it..."
Weds 21st Nov, 3pm
A practical risk-based approach to implementing GDPR and building a security-aware culture in your organisation.
Brought to you in partnership with Metacompliance
Mon 19th Nov
Brought to you in partnership with Mimecast