If you don’t want to buy an HSM, you can always rent one from one of multiple major cloud providers. They aren’t cheap, but provide the ultimate in security since not even the cloud provider can access your data.
That’s merely one example of the strong encryption tools absolutely essential for secure data centers and applications. This equipment and these tools aren’t the kinds of things you can pick up at Best Buy, but they are certainly within the budgets of terrorists and a range of criminals. They are more secure than iPhones and can easily be used to build storage and communications systems. We use them for encrypted financial and medical databases, secure file storage, or even to keep those little CVV codes on the back of your credit card safe.
If these tools remain legal for enterprise, the odds are they will be used by nefarious groups to avoid government monitoring of consumer tech. If businesses are required to add back doors and golden keys too, we once again undermine the foundation for digital security.
The decision is binary, not absolutist
The President and the director of the FBI have portrayed this conflict as one between privacy absolutists and government compromise. The issue is that the technology itself forces us to make a binary decision. There are no known techniques for providing lawful access to encrypted communications and storage at scale. The only way to allow government access is to reduce the security of foundational technologies used by business and government agencies, not merely individual citizens. That is math, not politics.
Further complicating the situation is that security constantly evolves, and we continue to adopt ever stronger technologies in more situations simply to stop the criminals, including hostile governments. These aren’t outlandish movie scenarios; they are the painful, expensive reality for every business in the world. The only difference between consumer, corporate, and government technologies are the price tags. Restrictions on these improvements could be catastrophic.
Last July a group of extremely well respected cryptographers published an excellent overview of the feasibility and security impact of government access. They concluded:
Even as citizens need law enforcement to protect themselves in the digital world, all policy-makers, companies, researchers, individuals, and law enforcement have an obligation to work to make our global information infrastructure more secure, trustworthy, and resilient. This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict.
Sign up for CIO Asia eNewsletters.