Encryption Needs Tight Controls, Not Backdoors
In recent weeks, debate has been raging about encryption and its role in terrorism. Just a few days ago, President Obama said more needs to be done to keep technology out of the hands of terrorists. Encryption is most certainly one of those technologies. Many have suggested that encryption needs a backdoor, thereby allowing government agencies access to communications.
A 'backdoor' weakens encryption by sidestepping normal authentication. Hidden deep in the design of an encryption program or algorithm, such a backdoor is usually inserted before a product gets widely distributed and allows access to encrypted information without having proper credentials.
Setting aside any ethical debates about whether they should be there, backdoors are a bad idea because they introduce many more problems than they're likely to solve. Simply put, they weaken encryption.
Businesses don't leave their offices unlocked at night to allow anyone to walk in and sift through critical information. In the same vein, by weakening encryption, corporations would be even more vulnerable to intellectual property theft. Think about tampered pharmaceutical compounds or packaging. Think about a utility's ordinary operational communications being subverted by enemies or mischief-makers, leading to widespread power outages. What about financial transactions intercepted by bad actors, leading to real losses? Air traffic control towers, public safety, and the military would all have their communications laid bare, exposed to malicious action by the very same terrorists that we're trying to combat. Encryption plays a crucial role in keeping a society open, free, and yes, safer.
Instead of asking how we can weaken encryption, we should be asking different questions. How can we better control the enormous power of encrypted communications? How can we prevent communications encryption from falling into the wrong hands? How can we safeguard legitimate uses of this critical technology in every enterprise's security infrastructure?
The answer is control.
Today, encryption apps can easily be downloaded, and encrypted phones can easily be ordered, anonymously or with a false identity. There is no oversight or accountability. How do we fix that?
First, we must control who has access to encryption solutions. The best way to do this is to distribute encryption solutions through thoroughly vetted third-party managed security providers. This third party must have a fiduciary duty to act on behalf of the organization and not at the behest of some foreign government.
Second, the organization itself must have the ability to control its own encryption solution, its own metadata, and the employees and partners who have access to encrypted communications. The only way to do this is to architect tight enterprise controls into the secure communications software, built from the ground up as a core design philosophy, not as an afterthought. It must give the enterprise the option of hosting its own encryption solution without any third party at all, including the encryption provider. Backdoors weaken, if not altogether diminish, the value of encryption. We can't have it both ways; it's impossible to have both strong encryption and backdoors. The key is control.