Comment

Ban encryption? Don't believe the hype

Dwayne Melancon is Tripwire’s chief technology officer.

Tripwire's Dwayne Melancon says stifling encryption will not achieve the results supporters of such a move envision.

The genie is out of the bottle on encryption, and recent proposals to outlaw it will not stop criminals. In fact, a ban would likely have the opposite effect.

Encryption protects electronic financial transactions, private Internet communication and much of our nation's critical infrastructure. It is so essential to the ability to communicate securely over the Internet that it is a fundamental requirement in a wide range of government regulations designed to protect sensitive data from hackers, nation-state attackers and others with malicious intentions.

Anything we do to restrict or weaken encryption would weaken the mechanisms we use to secure the Internet.

The reality is that declaring encryption to be illegal won’t stop people from using it. All crime is illegal, and every day we see the extraordinary lengths people go to in order to get around those restrictions. Furthermore, a ban on encryption would not improve our national security unless other countries follow suit, and I don’t see that happening any time soon. Instead, the collateral damage an encryption ban could inflict on the U.S. economy and consumer privacy is hard to estimate.

Requiring companies to install “back doors” or provide universal encryption keys is another fundamentally flawed idea. Information that is supposed to be secure, including those back doors and universal encryption keys, would immediately become extremely high-value targets for cybercriminals. Unfortunately, even with encryption widely available, distributed organizations don’t have a great track record of protecting valuable information from unauthorized access or abuse.

We continually hear about data breaches that involve attackers stealing credentials to mimic the identity of a trusted person, and there is every reason to believe that cybercriminals would eventually be successful in gaining access to any backdoors or universal keys that defeat encryption. Worse yet, once they gained access, there would be no restriction on what they could do and fundamentally no way to recover.

As with every security issue, secure communications is not simply a technology problem -- it is also a human problem. People always find ways to get around restrictions when they are determined to do so -- look at Prohibition, the war on drugs and human trafficking for examples of this challenge. If history is any guide, prohibiting encryption will only encourage its widespread adoption by anyone with nefarious intentions.

Another consequence of a ban is that all sorts of privileged information would be subject to unauthorized government or private surveillance, including email messages, health care data and financial records. It’s likely that cybercriminals would quickly gain access to a treasure trove of private data that could be used for a host of secondary crimes, such as blackmail, reputation damage, identity theft and cyber bullying. The data would also simplify a range of off-line crimes, such as burglary, harassment and stalking.

A ban on encryption might have the short-term effect of disrupting some criminal activity, but the potential risks to individuals and national security are severe. In every age, there are technology advancements that change how the world works. Encryption is one of those advancements. History shows us that we need to adapt how we live and work in light of technological change. Stifling the technology -- particularly once it’s been widely adopted -- simply won't work.
