twixx - Fotolia
Experts are confounded by the latest comments from the head of the CIA on the potential effects to U.S. business of a proposed encryption backdoor. In a Senate committee hearing, CIA Director John Brennan said no one should worry about encryption backdoors hurting American companies.
During the congressional hearing on Thursday, Sen. Ron Wyden (D-Ore.) questioned the CIA's support for weakening cryptography by mandating encryption backdoors, and Brennan said the CIA needed access to encrypted communication in order to track terrorists.
"U.S. companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan testified. "So, although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."
This comment seemed to surprise Wyden and security experts, who said the ability of foreign companies to provide encryption in products is far from theoretical.
"It is clearly inaccurate to say that foreign encryption is a 'theoretical' capability," Wyden wrote in a public statement. "Strong encryption technologies are available from foreign sources today -- half of them of them are inexpensive, and the other half are free. U.S. tech companies dominate this field today, but they are competing in a global marketplace. These products are used by consumers and businesses every single day to protect everything from bank records and business transactions to personal communications and other sensitive data."
Rebecca Herold, CEO of Privacy Professor, told SearchSecurity she has seen the effects firsthand, as potential clients in Europe put deals on hold because they were worried about the government mandating encryption backdoors.
"I anticipate that there are hundreds, or thousands, of other U.S. businesses similarly stymied in making business deals because of government pressure to have us use weak encryption. Likely costing millions of dollars for our economy," Herold wrote in an email. "The government needs to realize that in their quest to collect all data possible by mandating weak encryption (backdoors [equals] weakness), they are damaging U.S. businesses that depend upon encryption in order to have international clients. So, they are damaging our U.S. economy and will get no additional data, because everyone who wants to choose strong encryption will get it from other countries -- helping other countries' economies instead of ours and providing no improvement to homeland security."
Elad Yoran, executive chairman of KoolSpan Inc., based in Bethesda, Md., wanted Brennan to stop using generalities when talking about U.S. businesses.
"I challenge Director Brennan to identify companies and government organizations by name that would be willing to use encryption with backdoors to protect their confidential communications and intellectual property," Yoran said. "My guess is that not a single company or government organization will go on the record saying that backdoored encryption is good enough for them. Businesses and government organizations will still need to protect themselves, and if they cannot get what they need from U.S. cybersecurity companies, then they'll source their protection elsewhere."
Wyden also noted that Brennan's stance on the security afforded by encryption backdoors was misguided.
"Requiring American companies to deliberately build backdoors into their products would not stop terrorists from using strong encryption, and it would undermine American competitiveness and Americans' digital security at a time when the threat from foreign hackers and cyberattacks has never been greater," Wyden wrote.
Herold said she was "completely flabbergasted" when she heard Brennan's quote.
"If he was trying to dismiss the availability of obtaining encryption from outside of the U.S., then he must not realize that, with a quick online search, anyone can find strong encryption products from other countries," Herold said. "The government needs to realize that U.S. tech firms are successful through hard work, strong security products and innovation -- things that all other industrialized countries are also doing to compete with us. Without strong encryption, our tech businesses and sectors that depend upon strong encryption, such as financial and healthcare, etc., will have massive amounts of personal data, as well as intellectual property, put at risk."
Herold said the debate "feels like we are once again on the government's 1990s Clipper chip highway, only with even more to lose, with no safety to gain."
"Why can't our government learn from past mistakes?" Herold asked. "Or, better yet, listen to tech experts who can tell them pursuing encryption backdoors for all U.S. businesses is an exercise in security futility that will only give government leaders, and the public who believes them, a false sense of increased security and safety."
Learn more about the Burr-Feinstein draft bill concerning encryption backdoors.
Get the latest on Gen. David Petraeus coming out against encryption backdoors.