The problem is it is impossible to scale this kind of system. First, if the FBI truly wants to eliminate warrant-proof (properly encrypted) storage and communications they would need the key for every encrypted product and service on the Internet. They would need highly-secure mechanisms for every software developer and hardware manufacturer to provide their keys. Since that is completely unworkable, perhaps only major manufacturers and developers over a certain size would have to participate.
Then there’s the issue of access. Does only the FBI get to use the system for terrorism cases? Do local law enforcement officers get access to catch child predators? Drug dealers? Could this be limited only to the U.S.? Or would other countries, including ones, like China, that the U.S. government itself publicly accuses of hacking corporate systems, also gain access or require their own alternate keys? These are legitimate and complex questions, not mere aggrandized slippery slope arguments. The more access there is to a key, and the more often it is used, the less secure it is by definition.
Ignoring the privacy concerns, the impact on business and government systems (and thus operations) could become crippling.
The impact on devices
When I advise companies on properly encrypting laptops, aside from the complexities in key management, I have to guide them through all the potential weaknesses. For example, I tell them that if they are crossing certain international borders, or keep highly sensitive information on a Mac they might lose physical control of, they must ensure the system is always shut down rather than put to sleep, because encryption keys are often stored in nonvolatile RAM, leaving the Mac vulnerable.
This isn’t paranoia. We know for a fact that certain governments hack corporations (and other governments), and a stolen laptop can be a great source of information. The same is true for industrial espionage (it’s real) or targeted criminal attacks. Corporations spend many millions of dollars to secure mobile computers using enterprise encryption software, and millions more on managing secure phones and tablets.
If the FBI mandates alternate decryption keys for all devices, those keys would potentially need to be generated for all corporate systems, not just consumer phones. If such a law didn’t apply to laptops, that would be an easy way to skirt the requirement. If it does, then the government gains direct access to all those systems, and complex key-exchange mechanisms would need to be created and every business or government agency that encrypts would have to provide recovery keys.
Then how would companies handle international operations? Or international companies with workers in the U.S.? This is before we even get into the issue of other nations requiring their own access keys. One outcome could be that internationally encrypted devices are inaccessible by the U.S., and U.S. systems are safe in other countries—unless the governments cooperate in major cases and exchange evidence, which isn’t unprecedented.