Ban encryption? Don't believe the hype
- By Dwayne Melancon
- Sep 28, 2015
Tripwire's Dwayne Melancon says stifling encryption will not achieve the results supporters of such a move envision.
The genie is out of the bottle on encryption, and recent proposals to outlaw it will not stop criminals. In fact, a ban would likely have the opposite effect.
Encryption protects electronic financial transactions, private Internet communication and much of our nation's critical infrastructure. It is so essential to the ability to communicate securely over the Internet that it is a fundamental requirement in a wide range of government regulations designed to protect sensitive data from hackers, nation state attackers and others with malicious intentions.
Anything we do to restrict or weaken encryption would weaken the mechanisms we use to secure the Internet.
The reality is that declaring encryption to be illegal won’t stop people from using it. All crime is illegal, and every day we see the extraordinary lengths people go to in order to get around those restrictions. Furthermore, a ban on encryption would not improve our national security unless other countries follow suit, and I don’t see that happening any time soon. Instead, the collateral damage an encryption ban could inflict on the U.S. economy and consumer privacy is hard to estimate.
Requiring companies to install “back doors” or provide universal encryption keys is another fundamentally flawed idea. Information that is supposed to be secure, including those back doors and universal encryption keys, would immediately become extremely high-value targets for cybercriminals. Unfortunately, even with encryption widely available, distributed organizations don’t have a great track record of protecting valuable information from unauthorized access or abuse.
We continually hear about data breaches that involve attackers stealing credentials to mimic the identity of a trusted person, and there is every reason to believe that cybercriminals would eventually be successful in gaining access to any backdoors or universal keys that defeat encryption. Worse yet, once they gained access, there would be no restriction on what they could do and fundamentally no way to recover.
As with every security issue, secure communications is not simply a technology problem -- it is also a human problem. People always find ways to get around restrictions when they are determined to do so -- look at Prohibition, the war on drugs and human trafficking for examples of this challenge. If history is any guide, prohibiting encryption will only encourage its widespread adoption by anyone with nefarious intentions.
Another consequence of a ban is that all sorts of privileged information would be subject to unauthorized government or private surveillance, including email messages, health care data and financial records. It’s likely that cybercriminals would quickly gain access to a treasure trove of private data that could be used for a host of secondary crimes, such as blackmail, reputation damage, identity theft and cyber bullying. The data would also simplify a range of off-line crimes, such as burglary, harassment and stalking.
A ban on encryption might have the short-term effect of disrupting some criminal activity, but the potential risks to individuals and national security are severe. In every age, there are technology advancements that change how the world works. Encryption is one of those advancements. History shows us that we need to adapt how we live and work in light of technological change. Stifling the technology -- particularly once it’s been widely adopted -- simply won't work.
Dwayne Melancon is Tripwire's chief technology officer.