Asking for the Future, Now – Encryption, RSA & the Law
The future is now for encryption. After months of data protection paranoia, the appetite is growing for an evolved, stronger version of encryption to solve today’s big security problems.
Data security shouldn’t be built to solve last century’s problems.
We were talking about this recently with Hanselman in preparation for a webinar on business use of encryption when he dropped the bon mot at the start of this blog. (Pandering break – sign up to listen to this free, exclusive discussion here; it will also be available for on-demand listening for registrants.)
In all other aspects of technology, we rely on – celebrate, even – the latest and greatest thing. Yet, through privacy and fear and misunderstanding, some corners expect information security to pull in the reins while remaining effective. This has been most apparent in encryption, though two recent events hint at the desire for a smarter path forward for encryption’s central role in data protection.
First, among the slog of vendor glad-handing and marketing-speak at the annual RSA Conference in San Francisco, the new-ish host company president presented a fairly modern, five-fold plan for tomorrow’s security. Amit Yoran made it clear that sitting and “waiting for instructions” won’t work, especially in how perimeter security has failed businesses. This, to a room at least half-filled with vendors offering just those solutions, was refreshing after a year of big breaches and lax security. Rather than castigation, though, Yoran focused on points to move security forward – the importance of sorting out authentication and ID; building better patterns and predictions in threat intelligence; putting information in line with organizational assets and then ranking them for increased protection where it matters most.
RSA has had a troubling recent history when it comes to backdoors and security flaws. But if this boldness is backed up with any number of potential advances for protection, we’re all better off.
Not long after, a House of Representatives subcommittee on information technology held a hearing on realistic policy steps on encryption. It did not devolve into that same rhetoric which puts child predators and international arms smugglers as the leading advocates for encryption, though Massachusetts D.A. Dan Conley attempted to steer it in that direction. Law enforcement members at the hearing couldn’t give a clear instance of encryption itself allowing a criminal to operate. Conversely, software developers and computer scientists explained clearly that encryption was in use every day to guard millions of business, government and personal interactions. No so-called “golden key” would make the population any safer, or, as Rep. Ted Lieu (D-Calif.) put it: “You’d be asking the American public to trust all of the employees in the federal government.”
Conley later backed off from his call for a law enforcement key from Apple, Google and others. Instead, he evoked JFK’s moon shot moment to “get the best minds together” from the computer science community on a balance between encryption and legal needs. Not the worst lofty goal.
Rep. Blake Farenthold (R-Texas) responded with a pragmatic take on the importance of fluid process on security advancement. “It’s not like we’re saying we can’t develop a secure system,” Farenthold said. “But we’re also saying, 'Can we really develop a … system that will be secure for any length of time, that somebody smarter might not be able to hack five years down the road?'”