Partners, Security Experts Worry New Encryption Bill Will Harm Business

Solution providers and security experts say they are worried a new bill designed to give law enforcement "backdoor" access into encryption technologies will seriously hurt their businesses -- especially if they are called upon to open the backdoors themselves.

The bill, proposed Wednesday by Sens. Richard Burr, R-N.C., and Dianne Feinstein, D-Calif., under the name Compliance With Court Orders Act of 2016, says that "no person or entity is above the law," and therefore all data security solutions must comply with legal regulations and court orders, even if it means building in backdoor access.

The bill covers all "providers of communications services and products," which could include manufacturers of devices, software, remote computing services, wire or electronic communication services, or "any person who provides a product or method to facilitate a communication or the processing or storage of data."

[Related: Report: Optiv Security To Seek IPO In Coming Months]

Sponsored post

For partners, the critical element is the bill's impact on license distributors, which it defines as "a provider of remote computing service or electronic communication service to the public that distributes licenses for products, services, applications, or software," will have to ensure that those distributed products meet the requirements for law enforcement access.

Jamie Murdock, chief information security officer at Binary Defense Systems, a Hudson, Ohio-based managed security service provider, said these types of requirements would be "challenging for our business," especially since the company offers its own endpoint detection product with secure communication capabilities.

"The implications to us could mean that we could have to allow access into this system, as well as the software that runs on thousands of individual endpoints," Murdock said. "This could mean our company may have to provide access to the monitoring that we do for our customers. There are other caveats to this, such as only needing to do this if the data has been made 'unintelligible.' "

While his company is bound to abiding by U.S. law and supports law enforcement efforts, Murdock said, his top priority is the security of his clients' environments. This bill would harm client information security, he said.

"As [a managed security service provider], security of our clients is our main focus -- that’s why we’re here and do what we do. This is something we are adamant about," Murdock said. "My personal hopes are that this will not pass. There have been many cases where an individual device, whether physical or application, needed to be accessed for an investigation. … There becomes an issue when the access must be 'baked in.' By doing this, you are asking for malicious actors to exploit this capability."

In another development Thursday with a potential impact on industry privacy, Microsoft said it had filed a lawsuit against the U.S. Justice Department, arguing that customers using cloud services should be notified when the government wants to access their data. Microsoft said nearly half of the 5,624 federal demands for data in the past 18 months have said the company couldn't tell its customers about the request.

The two developments are the latest iterations in a growing debate over encryption technologies and information privacy vs. law enforcement capabilities. That debate came to a crescendo in recent months in the ongoing struggle between Apple and the FBI, though that case was settled late last month as the law enforcement agency managed to hack into the encrypted iPhone in question without the help of the technology company.

Jane Wright, principal analyst at Technology Business Research, said the proposed bill could have a major impact on the ability of security technology companies to compete in an international market, as consumers will likely turn to foreign companies outside of the reach of the backdoor requirements.

"If passed, the bill could make some customers wary of purchasing solutions from U.S.-based VARs, driving a portion of the U.S.' tech revenue to other countries," Wright said. "It could also dampen margins for U.S.-based VARs, because they will need to ramp up resources so they can provide decrypted data to law enforcement agencies when asked."

Ajay Arora, CEO and co-founder of Vera, a Palo Alto, Calif.-based data security company, agreed with Wright on the implications the bill could have on U.S. companies. While he said Vera will see a benefit from the move, as it doesn't store the data that it encrypts, Arora said the bill is "crazy," as the amount of loopholes it creates will make it easier for hackers to attack U.S. companies.

"[The bill would mean] every hacker in the world knows that there is an inherent weakness in every encryption scheme produced in U.S. or used by a U.S. company. Every piece of data used by an organization is now subject to be cracked open," Arora said. "I think this makes the U.S. fundamentally less secure than other countries, in some ways. I know the intentions of some of these things are positive, but the practical implications of covering all the use cases and scenarios are almost impossible."

Arora said legislators will have to come up with some common ground with the security industry, instead of trying to dictate broad policies on technology outside their realm of expertise. That being said, Arora asserted, there likely isn't a quick-fix solution for this complicated of an issue.

"You just can't legislate yourself out of this," Arora said. "There's no silver bullet. It's going to take some time."