By Fahmida Y. Rashid
Jan. 3, 2017
Cybercriminals are using encryption to great effect in ransomware. Once the files are encrypted, victims have to either pay up to obtain a key or wipe their systems and start over. Just as attackers target flawed implementations, security researchers have successfully developed decryption tools for ransomware variants that contained mistakes in their encryption code.
Government backs down on backdoors
Technology firms have always had to balance security and privacy concerns with law enforcement requests for user information. FBI Director James Comey had been pushing hard for backdoors in technology products using encryption, claiming that increased use of encryption was hindering criminal investigations. While companies frequently cooperate quietly with law enforcement and intelligence requests, the unprecedented public showdown between the FBI and Apple showed that enterprises have begun to push back in recent years.
The FBI backed down in that fight, and a bipartisan Congressional working group, with members of both the House Judiciary and Energy & Commerce Committees, was formed to study the encryption problem. The House Judiciary Committee’s Encryption Working Group unequivocally rejected Comey's calls for backdoors and advised the United States to explore other solutions.
“Any measure that weakens encryption works against the national interest,” the working group wrote in its report. “Congress cannot stop bad actors—at home or overseas—from adopting encryption. Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.”
Weakening encryption so that police can break into encrypted devices would speed up criminal investigations, but it would be a short-term win "against the long-term impacts to the national interest," the working group warned. Alternative strategies include giving law enforcement legal methods to compel suspects to unlock their devices and improving metadata collection and analysis.
While the working group report indicates Congress will not pursue legal backdoors, other encryption-related battles are looming on the horizon. The report seemed to support letting police use "legal hacking" to break into products using software vulnerabilities that only law enforcement and intelligence authorities know about, which has its own security implications. The technology industry has an interest in learning about vulnerabilities as soon as they are found, and not letting the government stockpile them with no oversight.
As for Comey's "going dark" claim, the working group said “the challenge appears to be more akin to ‘going spotty.’”
Adding to the enterprise tech stack
Governments have been trotting out the terrorists “going dark” argument for years and will always play on those fears, says Mike Janke, co-founder and chairman of encrypted communications company Silent Circle. What's changing is that enterprises are becoming more serious about securing their communications stack and are less willing to compromise on those features.
Many organizations were shocked at the extent of government surveillance exposed by former NSA contractor Edward Snowden. They reacted by integrating secure video and text messaging tools along with encrypted voice calls into the enterprise communications stack, Janke says. Encryption is now a bigger part of the technology conversation, as enterprises ask about what features and capabilities are available. IT no longer treats encryption as an added feature to pay extra for, but as a must-have for every product and platform it works with.