Telecom Should Weigh In on Encryption Debate

WASHINGTON -- As the US Senate ponders a bill that would force companies to crack encryption under court order, a group of security technologists urged telecom service providers to consider how that would make everyone less safe and potentially weaken the business case for hosting and security services.

Speaking at the Incompas conference at National Harbor, almost in the shadow of the Capitol, Radware Ltd. (Nasdaq: RDWR)'s Mike O'Malley, VP of strategy and business development, said breaking encryption under court order is "a slippery slope" for the tech industry and telecom carriers.

"This isn't like past years, where if I saw someone who was a bad actor, I went and got a warrant to search their house, and that gave me the right to get them to hand over the key to their house," he said. "You are not handing over the key to a house, you are handing over the key to everyone's house."

That is a fundamental change in how the process works and not for the better, he noted. Increasingly businesses expect that, along with high-speed services, network service providers are providing a level of security from distributed denial of service attacks and more. That makes it "extremely important to our business" for encryption to be one of the tools that operators can use, O'Malley says.

Security Experts
(Left to right) Alan Hill, SVP, government relations and strategic business development for Incompas; Edward Henigin, CTO, Data Foundry; Mike O'Malley, VP strategy and business development, Radware; and Nicole Bucala, principal, business operations, for RSA.

Although much of the discussion was centered on the now-resolved battle between Apple and the FBI over cracking the iPhone of the San Bernardino terrorist, there are broader issues looming at the legislative level, where the Feinstein-Burr bill has bi-partisan backing of the idea that tech companies should crack encryption when ordered by the court to do so.

Edward Henigin, CTO of Data Foundry, said without secure encryption, consumers and businesses are less likely to entrust their equipment, their data and their applications to companies such as his, which will have serious consequences for cloud services, colocation and the outsourcing economy in general.

"Our business depends on the ability to protect individuals from invasions of privacy and intrusion," he said.

Most of the data that law enforcement needs is already available from other means -- much of it is stored in the cloud, said Nicole Bucala, principal, business operations, for RSA, The Security Division of EMC Corp. (NYSE: EMC). Noting that we live in "the golden age of surveillance," she pointed to all the ways everyday activity is tracked, via GPS, electronic transactions and ubiquitous surveillance cameras. Even most information that is stored on phones is also stored in the cloud, Bucala says, making it less necessary for law enforcement to seek "back doors" into encrypted devices or data streams.

Bucala also warned against promoting the idea that encryption is all consumers need to be safe, saying it's just one tool against an increasingly sophisticated set of threat vectors.

For network operators, many of whom view security services as a substantial business opportunity, a multi-level layered approach is important, using encryption but also a wide variety of tools -- authentication, firewalls for premises and web applications, DDoS monitoring and prevention and protecting of SIP traffic are among those O'Malley cites.

"All the essential ingredients are in place, but [operators] need to be more proactive about making sure the layers of protection are in place, because businesses are demanding from carriers that there is this degree of security and privacy," he said.

Alan Hill, senior vice president of government relations and strategic business development for Incompas, and panel moderator, noted the telecom sector has been largely quiet about the encryption debate. Telecom carriers are long accustomed to CALEA requirements for cooperation with law enforcement, and under the Patriot Act, also provided calling records to the National Security Administration.

The panelists encouraged the telecom operators assembled to get more active in educating both the public and the politicians about the issues around security and encryption. Those efforts can be focused on direct lobbying of members of Congress or alignment with groups that are working to protect encryption.

Data Foundry's Henigin said the issue should be a matter of choice by the owner of the data, as to how much is made public or generally consumable by law enforcement, absent a criminal investigation.

"We ought to come at the conversation framing the question, not 'I'm encrypting something because I have something to hide, but because I have something that is valuable,'" he commented. "We shouldn't have to defend that [encryption] is something important and something we want to do to keep our information to ourselves. This should be in the hands of the owners of the data, and if I want to disable my encryption, that is my right and my choice but to have someone take that choice away from me is not right."

— Carol Wilson, Editor-at-Large, Light Reading

danielcawrey 4/16/2016 | 2:17:38 PM
Re: Things will get interesting Good points here. Telecom hasn't been very vocal, perhaps because they need to cater to both sides. Whereas the tech companies must appeal to user's rights to privacy, telecom companies must cater to businesses and governments in order to stay viable. Something to consider with thinking about why they aren't being as vocal.
cnwedit 4/15/2016 | 5:32:28 PM
Re: Things will get interesting Actually I wasn't assuming they would be the message content because you are right, that would be encrypted.
brooks7 4/15/2016 | 5:17:53 PM
Re: Things will get interesting Carol,

Your comment here makes the assumption that there is no endpoint encryption of the content.  You could still get the metadata, but there is no reason to send clear text across the web - voice, data or video.  It requires prior knowledge on both ends, but if we are talking about criminal/terror enterprises then they have it.


Kelsey Ziser 4/15/2016 | 11:37:55 AM
Re: Things will get interesting In October, the Justice Department issued new federal policy requiring federal investigators to obtain a warrant anytime they want to use stingray surveillance technology, devices used by law enforcement to mimic cell phone towers and gain access to a phone's location, pick up on incoming/outgoing phone numbers, and can tap in to phone conversations. However, that policy doesn't apply to local law enforcement. The additional unnerving thing about those devices is that they can also intercept cell phone data from phones in the area that aren't on the target list.  
cnwedit 4/14/2016 | 4:06:21 PM
Re: Things will get interesting That is pretty much what the Data Foundry guy was discussing - trying to give consumers control over their data. That means we give bad guys control over their data. 

But as the woman from RSA pointed out, the police already have access to your email (it's in the cloud), your credit card transactions, the route you take (via cellphone GPS, toll booths, surveillance cameras and more) and a ton of what you do and where you go via surveillance cameras and more. They can also access the metadata of your accounts - like who you are calling and/or messaging.

So it's not like they are completely shut out. They actually have far more data than they used to. 
Mitch Wagner 4/14/2016 | 3:14:30 PM
Things will get interesting Things are going to get interesting when technologists develop secure systems that NOBODY can break except for the person holding the key. The conversation will go like this:

POLICE: "I need you to break encryption so we can catch a drug dealer, terrorist, child molester, and/or gangster."

SERVICE PROVIDER: "Love to help you but I can't."

POLICE: "But I have a court order!"

SERVICE PROVIDER: "I don't mean I won't. I mean I *can't*. It mathematically cannot be done. Only the account holder can grant access to that account."