Industry pros defend data encryption
A national debate on data encryption has followed the recent terrorist attacks in San Bernardino, Calif., and Paris with some lawmakers calling for legislation to mandate access for law enforcement and government agencies to “backdoors” that will allow them to decipher encrypted data.
“Criminals in the U.S. have been using this [encryption] technology for years to cover their tracks,” wrote Senate Intelligence Committee Chairman Richard Burr (R-N.C.) in a recent Wall Street Journal op-ed. “The time has come for Congress and technology companies to discuss how encryption ”” encoding messages to protect their content ”” is enabling murderers, pedophiles, drug dealers and, increasingly, terrorists.”
Yet here in Connecticut some industry professionals see the targeting of encryption as a scapegoat ”” Neil Weicher, founder and chief technology officer of the Stamford-based data encryption and database security firm NetLib ”” is among them.
“Politicians and security officials are ignoring the well-known rule of unintended consequences,” he said. “It will have minimal or no effects on terrorist communications, which we have seen, often tend toward the low-tech. On the other hand, it will create a devastating financial and regulatory burden on American businesses, who can never be sure that their data and intellectual property ”” and that of their customers ”” is secure.”
With a master”™s degree in computer science from Columbia University, Weicher founded NetLib after observing massive security lapses in companies over the decades he has worked in the tech industry.
“They were completely unprotected,” he said.
He now makes his living protecting databases from security breaches, which are increasingly becoming the norm, he said.
The global computer magazine PC World reports that in 2015, not a week went by without a major data breach, significant attack campaign, or serious vulnerability report.
Weicher refers to the service his company provides as the “red dye in the money bags” that destroys currency once stolen from a bank.
His proprietary software works in a similar way by making data unusable once it has been compromised.
But despite the increase in attacks on data, Weicher said handing over the keys to decipher encrypted data to government and law enforcement agencies is a knee-jerk reaction to recent events based on fear, not common sense.
He adds that even institutions intending to secure and protect data, such as the Internal Revenue Service, have been the subject of recent scandals and data breaches, and states there is no way to ensure that those holding the keys to encryption will always use them ethically ”” a point echoed by Brian Kelly, chief information security officer at Quinnipiac University for the last nine years.
“With 20 plus years in information security I am leaning towards encryption,” he said. “It”™s designed to make data secure. If you put in backdoors and allow certain entities, whether national international or local, it really weakens security and becomes this moral and ethical debate of when do they access the encryptions.”
Kelly”™s background includes 20 years as an Air Force officer working on computer network defense.
He compares providing what are known as backdoors, entry points in software that allow the bypassing of security protocols, to giving every law enforcement agency the keys to every home in the communities they serve.
“We would be freaked out about that,” he said.
As with Weicher, he recognizes there are needs ”” particularly on a local level ”” when police may need to access encrypted data, but said technology already exists that allows for this type of specific access.
On the macro level, legislation should focus less on access and more on accountability, he said.
“The onus is on the corporations to encrypt the data,” he said.
Weicher points out that high-profile data breaches such as that of apparel retailer T.J. Maxx in 2007, where the credit and debit card information for 47.5 million customers was exposed, was the result of lax security mechanisms, particularly regarding encryption.
Both Weicher and Kelly argue that once a backdoor to encryption is created, regardless of who holds the key, the possibility of a breach increases and puts customers and organizations at risk.
Kelly points to tech-industry leader Apple”™s refusal to create backdoors for government access to encrypted data as an indicator of where some organizations at the forefront of technology stand on the issue.
In just the last few years massive data breaches have occurred among some of the country’s largest businesses including JPMorgan Chase, Target, Home Depot, Anthem and Ebay affecting hundreds of millions of customers in total.
With the scale and frequency of data theft, Kelly said citizens have reached “breach fatigue” and anticipates the malaise around the issue will continue until either corporations feel an impact to their bottom lines or the physical well-being of citizens is threatened.
“I don”™t think there are not enough fines or legal proceeding that are impacting those companies,” he said. “General consumers just don’t care anymore; they hear it on the news and feel like there is nothing they can do personally.”
At Quinnipiac, Kelly has seen a generational shift in perceptions of digital privacy, with the student data he is tasked with protecting at times being given away freely by students through social media sites, he said.
He believes that as this new cohort enters the workforce, perception on privacy and security will evolve, possibly alongside legislation to hold corporations accountable for the troves of data they hold.
“I think we are just at the beginning of this dialogue,” he said.