
Governments weigh strong encryption vs. terror threats

News roundup: Cyber politics in U.S., as leaders attempt to balance access to strong encryption with terror threats. Also: Microsoft's German data centers, SHA-1 deprecation schedule, and more.

This week saw a number of developments in the ongoing struggle to balance the need for strong encryption against, as President Barack Obama urged in his Oval Office address to the nation on Sunday, the need "to make it harder for terrorists to use technology to escape from justice."

On Monday, Rep. Michael McCaul (R-Texas), in what he called the first annual State of the Homeland Security Defense Address, announced his plan to introduce legislation creating a "national commission on security and technology challenges in the digital age." McCaul is chairman of the House Committee on Homeland Security.

Noting that terrorists are able to "hide their messages in 'dark space,' using encrypted applications and other secure platforms to evade law enforcement," McCaul went on to say: "We should be careful not to vilify 'encryption' itself, which is essential for privacy, data security and global commerce."

The proposed commission would "bring together the technology sector, privacy and civil liberties groups, academics, and the law enforcement community to find common ground" in the debate over strong encryption. "The threats are real, so this legislation will require the commission to develop a range of actionable recommendations that protect privacy and public safety," McCaul said.

FBI director's Senate testimony

FBI Director James Comey, testifying before a Senate Judiciary Committee hearing on Wednesday, said that it's "too soon to tell" whether the recent reforms to the National Security Agency's (NSA) surveillance programs have hurt or helped the U.S. government's efforts to fight terrorism. The NSA ended its program of bulk collection of telephony metadata under Section 215 of the USA Patriot Act at the end of November.

While the NSA collection program has ended, the NSA continues to have access to that metadata under the USA Freedom Act, which mandates metadata be collected, held and queried by telecommunications service providers.

Comey also testified that businesses need to "change their business models" so they can cooperate with law enforcement requests for encrypted data from their customers' devices, while still providing secure services with strong encryption to their customers. He suggested that tech companies should adopt encryption techniques that provide security for their customers while also being able to turn over data to law enforcement when served with a warrant.

Data breach reporting rule a first for EU

Meanwhile, the European Union has agreed to rules for mandatory data breach reporting, but the details and legislation will be up to individual EU member states. According to the EU announcement, the new rule, called the Network and Information Security Directive, requires that "transport and energy companies will have to ensure that the digital infrastructure that they use to deliver essential services, such as traffic control or electricity grid management, is robust enough to withstand cyberattacks."

The rule also mandates that "online marketplaces like eBay or Amazon, search engines and clouds will also be required to ensure that their infrastructure is secure." However, smaller digital companies will be exempted from the required reporting, while Reuters reported that social network companies, like Facebook, will also receive an exemption from the rules.

Petition on strong end-to-end encryption

The White House responded this week to a petition to publicly affirm support for strong encryption, with a meeting on Thursday with New America Foundation's Open Technology Institute, the American Civil Liberties Union, the Center for Democracy and Technology, Human Rights Watch, and Access Now, according to USA Today.

Kevin Bankston, director of the Open Technology Institute, attended the meeting and told US News and World Report that the meeting would hopefully lead to more productive discussions about encryption. "They did not signal a change in policy, but they agree that it is time for this discussion to go beyond the use of encryption to how law enforcement and government can be more effective," Bankston said. "We made clear to them that the best way to move on is end this 'debate' about encryption. The longer we keep having this debate we have had since the '90s, the longer it will take for us to have discussions about how investigations can be effective in a world where encryption exists."

The Electronic Frontier Foundation, which launched the petition, was not invited to the meeting.

In other news:

  • Microsoft is taking no chances when it comes to the upcoming changes in protecting data privacy as the EU Safe Harbor decision turns into a debate over what comes next. Ralf Wigand, senior program manager for Microsoft Germany, gave more details on Microsoft's new German data centers. Starting in 2016, Microsoft will be offering cloud services from German data centers -- as it already does from more than 100 worldwide data centers. According to Wigand, "That alone wouldn't be really surprising or innovative, but the unique thing about this is that the keys (physical and logical) that control access to customer data in this cloud are held by a German company, Deutsche Telekom's subsidiary, T-Systems, which will act as a Data Trustee. So, Microsoft will have no access to customer data without approval and supervision by the Data Trustee."
  • Google, Microsoft and Mozilla have all begun sunsetting support for the Secure Hash Algorithm, or SHA-1, but Facebook and CloudFlare are warning that deprecating the SHA-1 hashing algorithm could strand users in "the poorest, most repressive and most war torn countries in the world," according to CloudFlare CEO and Founder Matthew Prince. Alex Stamos, CSO at Facebook, wrote, "One of the most interesting areas of balance is between making systems secure against new attacks and providing security to the broadest population. This dynamic is readily apparent in the debate around the upcoming sunset of the SHA-1 hash algorithm, and my colleagues and I at Facebook believe that the current path forward should be re-examined." According to Stamos, "Facebook's data shows that 3-7% of browsers currently in use are not able to use the newer SHA-256 standard," meaning that tens of millions of users could be shut out when SHA-1 support is withdrawn.
  • As predicted last month, Java deserialization is still a problem, as long as libraries are used and programmers take shortcuts. The vulnerability arises when a program deserializes untrusted, user-supplied serialized data, and it is not trivial to figure out which libraries are vulnerable. "It's not possible to look at a library and tell if it's vulnerable most of the time because the deserialization behavior was almost always generic," wrote Caleb Fenton, security researcher at SourceClear, in a blog post. "Its uses or misuse was entirely up to how an application used the library." Fenton reported that many more libraries than previously reported were subject to the issues, but he added, "It should be emphasized that the libraries themselves are not vulnerable, but they have the building blocks that could be used with a vulnerable application."
  • Adobe this week released patches for 77 vulnerabilities -- all rated critical -- in its Flash Player. The patches were released barely more than a week after Adobe announced plans to rename Flash Professional CC when it is updated next year to support creation of animation with both HTML5 and Flash, leading many to speculate that the end was near for the embattled program.
  • Google stepped up its game on security this week, announcing that its Safe Browsing technology is now available on the Android version of the Chrome browser. The program, started in 2007, is currently able to warn users before they enter websites that are associated with malware, phishing attempts or unwanted software -- both for intentional attacks and for websites that have been compromised and subverted by attackers. According to Google, most Android users probably already have access, as the "new Safe Browsing client on Android is part of Google Play Services, starting with version 8.1."
