The idea of making end-to-end encryption breakable is “so misguided as to boggle the mind,” according to Amit Yoran, the president of RSA.
He says it will “catastrophically weaken” security for those using it for legitimate purposes without accomplishing the goals for which it is sought – catching terrorists and the worst criminals. “It is solely for the ease and convenience of law enforcement when pursuing petty criminals,” he says, while the toughest adversaries would be unaffected.
“No terrorist or nation-state would ever knowingly use such technology,” he says, except to take advantage of innocent users by exploiting the backdoors. Only small-time actors with no technical sophistication will be caught, he says. The net result would be bad for businesses in all industries trying to defend their digital environments.
He urged the 40,000 in attendance at the conference to deliver the message against backdoors to the government officials speaking at the conference, including FBI Director James Comey, who is the prime campaigner in favor of vendors and service providers being able to read encrypted communications if ordered to do so by a court.
Other government officials at the conference include Attorney General Loretta Lynch, Secretary of Defense Ash Carter and NSA Director Adm. Mike Rogers.
“We need to be respectful but we need to be sure our voices are heard loud and clear,” he says.
Yoran also spoke to the need for more and better trained security professionals to deal with attackers who constantly come up with more creative ways to attack networks, data and identities.
Security professionals should nurture the kind of outside-the-box thinking adversaries use to create attacks in order to stop them and track down attackers, he says. “If you don’t have hunters, grow them,” he says, “or at least don’t stand in their way.”
He says businesses should provide automated tools that take over much of the necessary security drudge work so analysts can focus on what machines can’t do. “Technology to reduce the mundane is good,” he says.
With the proper support, security pros can become master analysts within six months while on the job, he says, but it’s a big job that may take changing how they think about their work. They need to be free thinkers and curious. They should not focus on compliance checklists, but rather on solving problems.
“The private sector can’t do this alone,” he says. It needs government to create incentives that encourage cybersecurity education and to set policies that make better cybersecurity possible.
He cited the Department of Justice’s push for encryption backdoors as one of the government efforts that is not helping.