The old year is over, the new one has begun, and that means information security predictions galore! From my very unscientific perusal of many of those, incident response, cyber insurance, information sharing, and vendor management top the lists of high importance target areas for 2016. All of these are timely issues, I agree.

But what is surprisingly missing is the use of encrypted communications by terrorists to plan and coordinate attacks and the possibility of legislation to mandate a sort of backdoor access for law enforcement. CISOs should pay close attention to this debate as it unfolds in 2016.

Certainly the issue is hot with the presidential hopefuls, as evidenced in the primary debates in December. A common theme emerging among candidates is that something must be done, but little detail has been offered thus far as to what.

The battle lines are clear and well known regarding the proposed authorized interception of encrypted communications. Law enforcement agencies claim such backdoor access is the most effective method to acquire timely and actionable intelligence. They contend that without such abilities, and with terrorists increasingly using encrypted communication, information may not be obtained in time to thwart a potential attack.

On the other hand, many security professionals are adamant that the unintended consequences of such access will outweigh the benefits. The introduction of another point of exploitation may result in an increase in information security risks with no tangible benefits.

With the recent attacks in Paris and San Bernardino serving as poignant examples, terrorism is a significant risk, yet sometimes we like to distill complex problems down to simple answers. The truth is the best solution to this is likely somewhere between the two polar positions. We must focus on finding that pragmatic point.

We need to look at backdoor access as a risk management issue. That approach begins with taking the Fear, Uncertainty, and Doubt (FUD) rhetoric off the table on both sides: the claim that terrorist activity will increase if we do not build in some measure of accessibility to tap encrypted communication streams, and, at the other extreme, the claim that more vulnerabilities and subsequent cyberattacks will follow if we do.

We need to define the problem and not diminish its complexity by assuming Silicon Valley can solve it with a simplified technical endeavor. How many times in our careers have we heard something along the lines of “We have a firewall, how could we have any information security issues?” The simplified attitude that a piece of technology will solve all of the problems is naive to the point of dangerousness.

If anything, CISOs need to contribute to the discussion not by feeding the FUD frenzy but by continuing to evangelize the potential risks in a practical manner. Just as we inform our board of directors and our executive management on complex information security elements as they relate to our businesses, we must educate them whenever possible about the intricacies of encryption and all the consequences of incorporating backdoor access.

We need to ask questions that probe beyond encryption technologies. What if the most productive opportunity for improvement rests in adjusting processes and people? What if the intelligence necessary to mitigate the risks of terrorist attacks can be effectively obtained without compromising encryption? What other compensating controls can be enacted?

This is too serious an issue to ignore, too complex to let sound bites and political rhetoric decide the direction, and too critical to not make a risk-informed decision.

However, those are not the primary reasons why I believe this is a top issue for CISOs in 2016.

How would you protect your organization’s information if backdoors become a reality? Depending on your company’s level of international presence, how might the trend towards increased law enforcement access affect your ability to safeguard corporate IP globally?

Compensating controls will have to be analyzed and adjusted. Will you implement more stringent monitoring? Will you avoid part of the risk by eliminating a BYOD program and accept changes to productivity and the bottom line? Is altering cyber security insurance coverage the preferred primary mitigation route in your environment? Will policies on where data is stored change? What other alterations to your corporate information security program will you need to propose and implement?

These are a few of the very real questions relating to the encryption access issue facing all of us today. Mitigating the increased risks of any type of backdoor access can become quite complicated and require significant resources and time.

If not thought through properly, unintended consequences and risk exposures may result. Now is the time to consider all scenarios, because the cheese may move much faster than you thought it could.
