
Infosec pros slam government-mandated backdoors

Government-mandated encryption backdoors increase vulnerability to nation-state attacks, according to the majority of cyber security professionals

Nearly three-quarters (73%) of cyber security professionals polled at RSA Conference 2019 say countries with government-mandated encryption backdoors are more susceptible to nation-state cyber attacks.

This is the top finding of a survey of more than 500 information security professionals by cyber security firm Venafi. The survey also revealed that more than two-thirds (69%) believe that encryption backdoors put countries at an economic disadvantage in the global marketplace.

“This is a tense moment for industry professionals because they know backdoors make our critical infrastructure more vulnerable,” said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.

“This is not rocket science. Backdoors inevitably create vulnerabilities that can be exploited by malicious actors. It’s understandable that so many security professionals are concerned because backdoors are especially appealing to hostile and abusive government agencies, and more governments are considering these mandates.”

Opponents of encryption backdoors have also said repeatedly that they put the privacy and security of everyone at risk because backdoors created for law enforcement and intelligence surveillance are vulnerabilities available for hackers to exploit.

The survey shows that 70% of those polled believe governments should not be able to force technology companies to grant access to encrypted user data, while only a quarter said they believe that technology companies are doing enough to protect consumers’ personal information.

In December 2018, Australia’s parliament passed controversial legislation requiring tech businesses to create encryption backdoors within their products, prompting criticism from security and privacy advocacy groups, including the Electronic Frontier Foundation (EFF).

Commenting on the Australian legislation, EFF staff attorney Nate Cardozo warned of a “potential dystopic future” in which only backdoored communication tools are permitted and all other services and protocols will face “government-mandated blocking and filtering”.

While the Australian law does not ban encryption, it gives the government the power to issue secret orders to tech companies and individual technologists to re-engineer software and hardware under their control, so that the re-engineered products can be used to spy on their users.

The Australian legislation is based on the UK’s equally controversial Investigatory Powers Act, but Cardozo notes that the Australian law goes a step further by including the power to compel individual network administrators, sysadmins and open source developers to comply with secret demands, potentially including forcing them to keep their cooperation secret from their managers, lawyers and executive leadership.

Australia and the UK are members of the Five Eyes intelligence alliance, which in September 2018 called on tech firms to include backdoors in their encrypted products to give access to law enforcement authorities or face various measures.

The group said it encouraged information and communications technology service providers to voluntarily establish lawful access solutions to their products and services, but warned in a statement that should governments “continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”.

While some governments are seeking to impose restrictions on technology developers, Bocek said attackers do not abide by any restrictions.

“They don’t follow the rules or buy products in controlled markets, and so countries that enact these near-sighted restrictions harm law-abiding businesses and risk economic damage as well as intrusions focused on sovereign government processes,” said Bocek.
