WASHINGTON -- As the US Senate ponders a bill that would force companies to crack encryption under court order, a group of security technologists urged telecom service providers to consider how that would make everyone less safe and potentially weaken the business case for hosting and security services.
Speaking at the Incompas conference at National Harbor, almost in the shadow of the Capitol, Radware Ltd. (Nasdaq: RDWR)'s Mike O'Malley, VP of strategy and business development, said breaking encryption under court order is "a slippery slope" for the tech industry and telecom carriers.
"This isn't like past years, where if I saw someone who was a bad actor, I went and got a warrant to search their house, and that gave me the right to get them to hand over the key to their house," he said. "You are not handing over the key to a house, you are handing over the key to everyone's house."
That is a fundamental change in how the process works and not for the better, he noted. Increasingly businesses expect that, along with high-speed services, network service providers are providing a level of security from distributed denial of service attacks and more. That makes it "extremely important to our business" for encryption to be one of the tools that operators can use, O'Malley says.
Although much of the discussion was centered on the now-resolved battle between Apple and the FBI over cracking the iPhone of the San Bernardino terrorist, there are broader issues looming at the legislative level, where the Feinstein-Burr bill has bi-partisan backing for the idea that tech companies should crack encryption when ordered by the court to do so.
Edward Henigin, CTO of Data Foundry, said without secure encryption, consumers and businesses are less likely to entrust their equipment, their data and their applications to companies such as his, which will have serious consequences for cloud services, colocation and the outsourcing economy in general.
"Our business depends on the ability to protect individuals from invasions of privacy and intrusion," he said.
Most of the data that law enforcement needs is already available from other means -- much of it is stored in the cloud, said Nicole Bucala, principal, business operations, for RSA, The Security Division of EMC Corp. (NYSE: EMC). Noting that we live in "the golden age of surveillance," she pointed to all the ways everyday activity is tracked, via GPS, electronic transactions and ubiquitous surveillance cameras. Even most information that is stored on phones is also stored in the cloud, Bucala says, making it less necessary for law enforcement to seek "back doors" into encrypted devices or data streams.
Bucala also warned against promoting the idea that encryption is all consumers need to be safe, saying it's just one tool against an increasingly sophisticated set of threat vectors.
For network operators, many of whom view security services as a substantial business opportunity, a multi-level layered approach is important, using encryption but also a wide variety of tools -- authentication, firewalls for premises and web applications, DDoS monitoring and prevention and protection of SIP traffic are among those O'Malley cites.
"All the essential ingredients are in place, but [operators] need to be more proactive about making sure the layers of protection are in place, because businesses are demanding from carriers that there is this degree of security and privacy," he said.
Alan Hill, senior vice president of government relations and strategic business development for Incompas, and panel moderator, noted the telecom sector has been largely quiet about the encryption debate. Telecom carriers are long accustomed to CALEA requirements for cooperation with law enforcement, and under the Patriot Act, also provided calling records to the National Security Administration.
The panelists encouraged the telecom operators assembled to get more active in educating both the public and the politicians about the issues around security and encryption. Those efforts can be focused on direct lobbying of members of Congress or alignment with groups that are working to protect encryption.
Data Foundry's Henigin said the issue should be a matter of choice by the owner of the data, as to how much is made public or generally consumable by law enforcement, absent a criminal investigation.
"We ought to come at the conversation framing the question, not 'I'm encrypting something because I have something to hide, but because I have something that is valuable,'" he commented. "We shouldn't have to defend that [encryption] is something important and something we want to do to keep our information to ourselves. This should be in the hands of the owners of the data, and if I want to disable my encryption, that is my right and my choice but to have someone take that choice away from me is not right."
— Carol Wilson, Editor-at-Large, Light Reading