If the scope is limited to just phones, and only in the U.S., and only for terrorism and a few other cases, the risk and burden to U.S. companies would possibly be manageable. But based on the stated objectives of the FBI and President Obama, it is reasonable to assume the scope is wider, and it is hard to imagine that only the U.S. would mandate a golden key, and only for phones. Even without some malicious hackers stealing the keys, the end result is corporate devices, especially those used with international travel, could no longer be considered secure in many real-world situations.
The impact on communications and the Internet
In previous statements, FBI director James Comey also expressed concern with encrypted communications, like iMessage, where the government can’t access the key. Businesses depend on secure communications on multiple levels, ranging from employee communications to secure transactions with partners and services.
With some of these systems the government can mandate backdoor access, forcing the provider like Apple or Facebook to keep records of communications, or at least have the ability to sniff communications when required.
But not all these systems are centralized. Enterprises commonly set up their own hosted communications systems since they don’t trust an external service providers or for regulatory reasons. If a tool like iMessage requires access, what about VPNs? Secure connections to websites and email servers? Secure messaging systems? Secure file transfer systems? Financial transaction systems that run over the Internet?
We simply don’t have scalable mechanisms to support lawful access without reducing security.
All of these rely on the exact same set of foundational technologies, and all are abused by criminals every day. Worrying they may be within regulatory scope isn’t much of a mental stretch.
There are thousands of systems and technologies out there, and few lines between those used by businesses and the general public. If the bad guys switch from the providers known to work with the government to the open source and commercial technologies used by business, those systems will likely also have to support government access. That means backdoors and recovery keys, since there isn’t any known alternative.
This brings us back to the same problems we have with devices. We simply don’t have scalable mechanisms to support lawful access without reducing security. There is a very real risk that secure communications on multiple levels could be deeply compromised and result in real criminal losses. And that’s before we start worrying about foreign governments.
The impact on data centers and applications
The strongest encryption in the corporate world isn’t found in phones, but in data centers. Enterprises commonly use specialized security appliances designed as unbreakable safes for encryption keys and operations. These Hardware Security Modules, or HSMs, secure banks, retailers, and even your iCloud Keychain backups. Access requires smart cards (sometimes multiple cards held by different employees), and physical tampering can trigger failsafe deletion of all the stored keys.
Sign up for CIO Asia eNewsletters.