Encryption is a double-edged sword. It holds the promise of security while simultaneously constituting a powerful means of subverting it.
As a host of technological developments and advances have enabled and catalyzed new platforms for digital transactions and communications, sensitive information now flows constantly through cyberspace. From our phones to cars to fridges and furnaces, everything is now connected. This interconnectivity poses a challenge for governments, companies, and individuals alike: how to protect the privacy and integrity of data that bears upon matters of national, enterprise, or personal (individual) security? The concerns include intellectual property theft and economic and industrial espionage. By encoding data to render sensitive material unreadable to unauthorized parties, encryption offers one answer.
Unfortunately, however, our adversaries can likewise benefit from the protections afforded by encryption. Consider cryptocurrency, which is just one application of encryption.
Cryptocurrency permits one party to transact digitally and directly with another, both securely and anonymously. Such architecture clearly has constructive and productive uses. On the other hand, cryptocurrency may also be used to support money laundering, illicit drug deals, terrorist financing, and extortion in the form of ransomware payment (indeed it is encryption that enables ransomware and allows it to thrive as an ‘industry’)—to name just a few illegal and unwelcome activities.
Against this background, in which encryption empowers attackers and defenders alike, how should government officials and enterprise executives proceed?
The equities at stake are of the highest order and include national and economic security and top-priority corporate assets. Yet the answer to the question is by no means obvious. And, regardless of where one stands on the issue, the pace of technology development and innovation is likely to render today’s response obsolete sooner rather than later.
Nevertheless, at the heart of the debate as currently conceived is the ‘backdoor’ concept, which refers to a method of bypassing the normal authenticated process of data recovery so as to allow access to otherwise unauthorized parties. Simply put, a backdoor builds flaws into the encryption system to create avenues for third-party entrance.
Once more, though, the concept cuts in two directions. While backdoor proponents contend that law enforcement and intelligence officials will otherwise be blinded (by “going dark”) and thus undercut in their homeland or national security mission, backdoor critics emphasize that if the encryption system is by design open to manipulation, then other (potentially hostile) cyber actors may gain access as well.
These are not the only arguments for and against. It has been further suggested, for instance, that backdoors also act as disincentives to innovation and undermine demand.
Encryption is thus a complex issue with compelling arguments on both sides of the equation. As with other challenging issues, however, it becomes an exercise in risk management, in which an array of factors must be considered, in context, and balanced one against the other. While it is important to acknowledge the difficulties at play, it is also important to recognize that thoughtful treatments of the issue do exist (including in the public domain), and these frameworks may help guide the actions and practices of government and corporate decision-makers and their teams.
What is clear is that the United States is not alone in searching for the best way forward on encryption. Other countries, too, are grappling with the issue and exploring different approaches. It may be that one size will not fit all, worldwide. But certainly none of us will have the luxury of ducking the issue altogether given everything that is at stake.
Co-author: Sharon L. Cardash, Deputy Director, Auburn University’s Center for Cyber and Homeland Security