“Governments and businesses alike depend upon strong encryption (high-assurance) to protect personal information, intellectual property, state secrets and more. Legislative attempts to weaken this encryption threaten the security and integrity of our critical data.”
This sentiment has been echoed across the world and is one of the reasons why, decades ago, strong encryption became mandated for government and defence agencies.
The high standards demanded by these applications led to the development of a series of globally recognised encryption standards. These standards have been adopted by security-aware businesses and are an integral part of the security landscape that protects the global, digital economy.
It now appears that security may be under threat from legislators who, in an effort to assist law enforcement, are seeking to undermine the very fabric of strong encryption.
In a letter to Australian MPs, a group of 76 security, technology and civil rights organisations and individuals from around the world is urging the Government to abandon its plans to introduce legislation that would compel device manufacturers to assist law enforcement in accessing unencrypted data.
The group highlight the “deleterious impact” such legislation would have on Internet security, individual rights and the country’s ability to compete in a global digital economy. Beyond this, the weakening of encryption standards has the potential to impact everything from critical national infrastructure to financial services and the continued investment in transformative technologies such as smart cities.
Security is a key differentiator for many organisations, something that will become even more important as the Internet of Things continues to evolve. The letter, published on accessnow.org, emphasises that mandating “backdoor” vulnerabilities would effectively prohibit companies from offering some of the strongest cyber-security solutions available, both now and in the future. This could result in a fundamental erosion of trust in businesses and the technologies they employ.
Ministers’ claims that decryption mandates would not involve backdoors or key escrow reveal a lack of understanding of the principles behind strong encryption. Not all encryption solutions are the same, and not all solutions provide the certified high-assurance encryption security required by government and defence agencies.
Secure, client-side-only key management is one of the core principles of high-assurance encryption security (along with dedicated hardware, end-to-end authenticated encryption and the use of standards-based algorithms). The only way to enable third-party access to decrypted data would be to introduce a backdoor.
Legislators and public policy makers may do well to focus their attention inward and address the government’s own cyber-security issues. The recently published Office of Management and Budget’s cyber-security audit condemned the lack of security preparedness and resources to deal with cyber-security threats among all agencies.
The authors of the letter “strongly urge the government to commit to not only supporting but investing in the development and use of encryption”. Whilst they recognise this may impact on law enforcement’s ability to gain access to certain types of data, they welcome the opportunity to engage with policy makers and help determine a balanced course of action.