Security pros doubt officials can enact effective security laws

Eight out of 10 of more than 380 security professionals polled at Black Hat USA 2019 believe more security and privacy legislation is needed, but 82% do not trust their elected officials to provide it.

The majority of respondents said elected officials do not understand cyber risks well enough to develop and enact effective security and privacy legislation, according to the survey by security firm Venafi.

The findings come against a background of debates about how far social media organisations should be regulated by governments and a long-running disagreement between governments and the security industry over the need for mechanism for law enforcement and national security officers to bypass encryption mechanisms.

The poll also revealed that 93% of respondents to do not trust social media organisations to protect their personally identifiable information. However, 82% do not trust the government to protect their personally identifiable information, and 80% said government officials do not understand the cyber risks targeting digital infrastructure.

“There is a global wave of legislators, regulators and law enforcement officials proposing controversial surveillance laws such as government-mandated encryption backdoors,” said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.

“However, security professionals lack confidence in politicians’ abilities to improve cyber security, given the unabated flood of government breaches in the US and around the world. The results of our survey send a clear message that governments must improve their cyber security fluency in order to make a meaningful impact and help our frontline defenders protect the global economy, freedoms and privacy.”

Governments and law enforcement officials around the world, particularly in the Five Eyes intelligence alliance, continue to push for encryption backdoors, which they claim are necessary in the interests of national safety and security as criminals and terrorists increasingly communicate via encrypted online services.

According to the Five Eyes governments, the widening gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is “a pressing international concern” that requires “urgent, sustained attention and informed discussion”.

Opponents of encryption backdoors have said repeatedly that government-mandated weaknesses in encryption systems put the privacy and security of everyone at risk because the same backdoors can be exploited by hackers.

In July 2019, US attorney general William Barr said consumers should accept the risks that encryption backdoors pose to their personal security to ensure law enforcement can access encrypted communications. But more recently, Canada’s public safety minister, Ralph Goodale, called for his government to work with internet companies to find a balance between internet privacy and the needs of law enforcement. 

In December 2018, the parliament of another Five Eyes member, Australia, passed controversial legislation requiring tech businesses to create encryption backdoors within their products, prompting criticism from security and privacy advocacy groups, including the Electronic Frontier Foundation (EFF).

The Australian legislation is based on the UK’s equally controversial Investigatory Powers Act, but the Australian law goes a step further by including the power to compel individual network administrators, system administrators and open source developers to comply with secret demands, including potentially to force them to keep their cooperation secret from their managers, lawyers and executive leadership.

The US, Canada, Australia and the UK are all members of the Five Eyes intelligence alliance, which in September 2018 called on tech firms to include backdoors in their encrypted products to give access to law enforcement authorities or face various measures.

The group said it encouraged information and communications technology service providers to voluntarily establish lawful access solutions to their products and services, but warned in a statement that should governments “continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”.