7 reasons why the feds shouldn’t mess with encryption

Information security professionals were overwhelmingly opposed to a plea by the Department of Homeland Security to rethink encryption at last week's RSA conference.

Ask what you can do for your government

The spread of encryption is posing public safety challenges and making it harder for the government to fight both criminals and terrorists, said Secretary of Homeland Security Jeh Johnson.

But for security vendors providing encryption technology to enterprise customers, any tampering with encryption protocols would do more harm than good. Here are seven ways security pros believe the DHS is wrong on encryption.

Encryption protects against criminals

First of all, encryption helps enterprises protect their data. Given the recent spate of high-profile breaches, this is a significant concern.

"Asking America to decrease our corporate security posture in the wake of the recent exponential increase in nation-state and crime syndicate cyber incursions seems to lack a holistic understanding of the security threat, cost, and problems faced daily by corporations," said Carl Wright, general manager at San Mateo, Calif.-based TrapX.

If encryption is outlawed, only outlaws will have encryption

Meanwhile, strong, unbreakable encryption technology is already in the public domain.

If corporations are forced by law to use watered-down encryption mechanisms with government-friendly back doors, it's unlikely that criminals and terrorists will comply.

Back doors can be exploited

Back doors, key escrows and other mechanisms that allow government agencies to bypass encryption can also be used by criminals, foreign governments and terrorists -- helping the very groups that these mechanisms were designed to fight.

Backdoors put too much data in government hands

If government agencies are able to vacuum up and decrypt communications, they will be collecting legitimate traffic as well as traffic between criminals or terrorists, said Jon Heimerl, senior security strategist at Solutionary.

Vendors and developers need to put users first

If anything, more communications need to be encrypted, not less, said Domingo Guerra, president and founder at Appthority, a mobile security company.

For example, many social apps do not currently encrypt traffic because it's not seen as particularly sensitive.

However, if these apps are able to access social networks, calendars, and other features on mobile devices used in the enterprise, then even innocuous data might become useful for criminals looking for social engineering information or other exploitable information.

Governments already have subpoena powers

If a government agency needs access to securely encrypted enterprise information, there are other options available.

For example, the government has subpoena powers, said Gerry Grealish, CMO at security vendor Perspecsys.

"Enterprises have a legitimate, sometimes legal, requirement to maintain control of their regulated sensitive data and intellectual property and trade-secrets," he said.

Encryption allows the growth of cloud platforms

It's risky to put vital corporate data in the hands of a third party. But when that data is encrypted -- and that third party doesn't have access to the keys -- then those risks can be significantly lowered.

Cloud storage, cloud computing and cloud services are a major new technological advance. Security fears could have significant negative repercussions.

Read the full story, "InfoSec pros reject DHS criticisms of encryption"