Governments have been wrestling with an encryption dilemma for a number of years. On the one hand, they mandate the use of strong and effective encryption internally, insisting on the use of high-assurance technologies to provide long-term data protection.
On the other, they are exploring the creation of legislation that forces vendors of robust encryption technologies to compromise on security, enabling law enforcement to decrypt criminals’ data more easily.
The call to weaken security or introduce encryption backdoors has been met with varying degrees of disbelief and condemnation from leading cyber-security and technology experts.
Now, the world’s largest technical professional organization and standards body, IEEE, has made its opinion against legislative compromises to encryption clear. The IEEE has published a joint statement by its Board of Directors, criticising government interference in strong encryption technologies by mandating “key escrows and back-doors”.
In its position statement, “In support of strong encryption standards”, dated 24 June 2018, IEEE says:
“We oppose efforts by governments to restrict the use of strong encryption and/or to mandate exceptional access mechanisms such as “backdoors” or “key escrow schemes” in order to facilitate government access to encrypted data.
Governments have legitimate law enforcement and national security interests. IEEE believes that mandating the intentional creation of backdoors or escrow schemes — no matter how well-intentioned — does not serve those interests well and will lead to the creation of vulnerabilities that would result in unforeseen effects as well as some predictable negative consequences.”
The same strong (high-assurance) encryption technologies that were developed for government and defence use have been widely adopted by commercial organisations. Recognised as the gold standard for encryption security, they are used to protect citizen privacy, safety and security across the world. High-assurance technologies are also subject to certification by international testing authorities, including FIPS (in the US), Common Criteria and NATO.
It is clear from their reaction that cyber-security and technology professionals do not support any attempts to compromise the security integrity of these systems. The proposed introduction of backdoors or key escrow is cause for concern, an issue that becomes both more real and more serious when it falls into the hands of legislators.
Recent plans by the Australian government to mandate the inclusion of backdoors and/or key escrow (the only methods by which these products may be compromised) point to a lack of understanding, both of the technology itself and of the potential impact of the proposed legislation. There are wider, macro-economic implications to be considered for a start. In a global digital economy, any legislation that creates a perception of weakened cyber-security could be disastrous to the national economy.
What of the cyber-security certification standards that vendors must meet before supplying products to government? How does the Australian government plan to address a set of globally acknowledged standards that do not provide for compromised encryption products?
In his article for the Lowy Institute, “Exceptional access: Australia’s encryption laws”, Dirk van Graver comments:
“Encryption is the bedrock of a safe and secure internet. It safeguards government services, the global digital economy, and communication over some messaging apps. Default encryption protects a device’s data at rest. End-to-end encryption protects data in transit. Anonymised technologies mask the identity of individuals online.”
Graver also highlights how the debate pits technologists against the realities of law enforcement. Obviously, the answer lies somewhere between mandating dangerous compromises to a critically important security technology and addressing the needs of law enforcement. Graver concludes:
“When the legislation is unveiled, the Australian Government, it is hoped, will take the middle-ground approach. One with appropriate judicial oversight.