Experts Weigh In On the ENCRYPT Act

Lawmakers seek standardized national encryption policy — FCW

Chase Gunther reported yesterday on FCW.com that a push on Capitol Hill looks to preempt a possible patchwork of data encryption policies varying from state to state.

As Gunther noted, “The ENCRYPT Act (an acronym for Ensuring National Constitutional Rights for Your Private Telecommunications) would preempt state and local government efforts to implement disparate policies.”

The bill, introduced June 7 by Reps. Ted Lieu (D-Calif.), Mike Bishop (R-Mich.), Suzan DelBene (D-Wash.) and Jim Jordan (R-Ohio), would instead create a single, standardized national policy.

According to Ted Lieu, “Any discussion of encryption and law enforcement access to data needs to happen at the federal level. Encryption exists to protect us from bad actors, and can’t be weakened without also putting every American in harm’s way.”

This is a potentially significant piece of legislation that will have an impact on the cyber security industry. Experts weigh in:

Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT), commented, “This is a nice direct bill to protect state governments from compelling companies to take actions which dilute or circumvent security functions in their products or services. This includes that states are not allowed to ban products or services on the basis that they employ strong encryption.”

He added, “This is an incredibly important set of protections, but I am left wondering why they couldn’t take this a step further by applying the same restrictions to the federal government. The risk of government mandated backdoors can have serious detriment for companies looking to compete in the global technology markets regardless of what level of government is demanding the backdoor.”

Cybersecurity experts from CipherCloud, STEALTHbits Technologies, and Virsec also shared their views. Anthony James, CMO at CipherCloud, remarked, “The trend towards government access to your encrypted data has picked up speed. Many states within the U.S. are moving forward on policies that would essentially enable ‘back doors’ into encrypted data sets. At the top of their well-intended agenda is support for law enforcement on a variety of challenges including, of course, terrorism. This new legislation for a national encryption policy is trying to avoid the various states from implementing their own legislation and instead, position one clear and more easily implemented national policy.”

James also expressed a view that, “Despite the noble objective of nationally standardized encryption in support of law enforcement and counter-terrorist activity, the use by government of forced disclosure, whether at the state level or the federal level, can move the control of your data into someone else’s hands. ‘Back doors,’ or special APIs that access your data at various points of being used within applications, can also easily circumvent basic protection such as ‘at rest’ encryption for your databases.”

He added, “The only way to maintain firm control over your confidential data is to implement Zero Trust end-to-end encryption. This level of protection, for example, will not allow anyone using a backdoor into one of your 3rd party provided cloud applications to access your data without your explicit knowledge, and approval. Only your decision to deliver your data encryption keys to the requesting party will expose the data.”

According to Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, “The re-introduction of legislation to not force technologies to implement security backdoors is an unfortunate necessity. Undoubtedly any backdoor that is introduced will be available to both law enforcement and bad actors alike, collectively making us less secure.”

Willy Leichter, vice president of marketing at Virsec explained, “It seems like a positive move to have a standardized national encryption policy. However, this doesn’t solve the basic collision of interests around encryption – law enforcement wants broader access, while privacy experts (and most of the security industry) don’t want to neuter the effectiveness of encryption. This group seems to understand that encryption is a fundamental building block of most digital business, and weakening it, for whatever reasons, can be disastrous.”