When Does Customer Cybersecurity Trump the Government’s Demands? Intel’s Cybersecurity Strategist Weighs In
Most of the time, debates over arcane encryption practices and how they play into the efforts of law enforcement remain sequestered within the relatively small community that works on such issues. But that all changed recently with the San Bernardino shooting massacre and the FBI’s demands that Apple create a backdoor method that would allow law enforcement to bypass the company’s encryption technology. Rather than complying, Apple fought back against the demand, arguing that meeting it would make its products more vulnerable to hackers and other threats.
Because this case involved an event — the San Bernardino shooting — that had touched a cultural nerve, the debate over encryption and Apple’s responsibilities spilled over into the mainstream. GOP presidential nominee Donald Trump called for a boycott of Apple products, and suddenly virtually every prominent politician, pundit, and technology executive was weighing in on the issue. Though the debate eventually wound down after the FBI announced it had cracked the shooter’s password without Apple’s help, the issue remains unresolved for the millions of companies that want to comply with the country’s laws while also doing right by their customers.
Matthew Rosenquist spends more time than most thinking about these issues. For 25 years he has worked in security, and as Intel’s cybersecurity strategist he has built out and managed both the company’s first 24/7 security operations center, protecting corporate assets, and the roadmap for security features embedded in Intel’s products. Currently he provides insights to the industry on the emerging risks and opportunities for the security of technology. With billions of dollars and thousands of jobs at stake, this is much more than an abstract debate for Rosenquist. Decisions the industry makes have ramifications that can extend far into the future.
On June 21, Rosenquist will be participating in a panel hosted by the Society for Information Management on the contrasting issues of consumer communications privacy and the need for digital information by law enforcement. We recently interviewed him about the rising cybersecurity threats and how companies can strike a balance between government demands and customer security. Here are four ways he thinks companies should think about and frame the issue:
Any policy you make has global implications
Technology that is designed and operated in the United States is bought, sold, and used globally in a highly competitive market, to the benefit of people around the world. Business decisions become more complicated as international competitors, regulations, and market demands are taken into account. “The decisions around this issue are not limited to products and people only in the U.S. There are global ramifications,” explained Rosenquist.
In the hypothetical situation where a government wants a telecommunications company or device manufacturer to weaken its security or provide an embedded means, such as a backdoor, to remotely monitor conversations, track locations, and access users’ personal data, other countries around the world would probably respond in one of two ways. In the first, other governments, whether friendly or not, would demand exactly the same access to all such devices, which would make our own government uneasy, because those governments would then be able to spy on our own citizens, businesses, military, and government officials. It also puts at risk people around the world who are being targeted by oppressive governments or find themselves in the midst of war. Oppressive regimes have already used technology to identify and target people at peaceful protests who were using social media tools to communicate their views or document government atrocities.
The second likely path involves governments that strongly value the privacy and security of their citizens. They would likely enact laws prohibiting technology companies from intentionally weakening security or from providing backdoor tools for widespread governmental surveillance. It is likely these governments would enact regulations to block the importation or use of products from companies showing such disregard, effectively closing those markets due to non-compliance. International competitors would rise to fill the market gap, placing the economic growth or viability of U.S. companies at a distinct disadvantage. Ultimately, customers would migrate to non-U.S. products where their security and privacy expectations are met. This degradation in both market share and user base erodes the overall value of having a backdoor in the first place. Strategically, such a governmental backdoor mandate is a self-defeating proposition that also puts product users at risk of victimization.
Most companies are already compliant with the law
Going back decades, whenever law enforcement has wanted to obtain information in an investigation or for civil litigation, courts have been able to issue a warrant or order from a judge that requires a company to turn over data specific to that case. Ethical companies comply with these requests all the time, said Rosenquist, and there is very little friction on that front. We all benefit from criminals being brought to justice and support law enforcement in their role. “What we’re talking about now is something very different,” he said. “When you look at the Apple case, for example, it wasn’t the US government saying, ‘Give us all the information you have on the suspect, and here’s our warrant.’ The difference here is the government has said, ‘We want you to modify your technology to allow a third party to be able to go in and gather information.’ That’s different. That isn’t subpoenaing information that a company has. That’s ordering them to modify their products, weaken them, so that the government can go in and access data, and potentially do broad surveillance.” Once you frame it that way, the potential ramifications become clearer, which leads to his next point:
Companies need to do right by their customers
The reason this has become an issue has nothing to do with U.S. companies harboring anti-government sentiments, said Rosenquist. It is about them working hard to stay one step ahead of those trying to do their customers harm. In 2015, over 700 million records were exposed by hackers, and the average data breach costs a company $3.8 million. “Keep in mind, the strongest, most powerful companies out there struggle every single day to keep their products secure,” he said. “Look at the number of hacks and data breaches. Cyber threats are becoming more agile and powerful, targeting consumers, businesses, critical infrastructure, and governments. Technology companies are working continuously to keep their customers secure, which means they are constantly going to be adding new security features, patches, and updates. They have to. That’s the race that we play with the bad guys. And so, for anyone to ask, ‘Please slow that down, put extra vulnerabilities in, and create tools to undermine security,’ that is crazy. By definition, that makes the users much more vulnerable to those who are malicious.” Ethical companies have a duty to provide safe and secure products.
Government policy always lags behind technological progress
It’s important to remember that there will always be friction between government policy and technological innovation. Rosenquist pointed out that much of the encryption technology we embrace today was once illegal. “The very encryption technology that we use for web communications and protecting passwords was once banned from export,” he said. “And yet today we realize, ‘Of course I want my bank transactions and online purchase-orders encrypted, what were they thinking?’ So it makes common sense to us now, but back then it didn’t. I think as we move forward in time, certain practices around security and privacy will become common sense.”
Looked at this way, it becomes clear why people in Rosenquist’s position take a more nuanced view on the encryption debate. While many view it through an emotional lens, going so far as to claim that Apple is supporting terrorism, companies must consider the larger picture.
“This is not about unlocking a single phone in regards to a single case,” he said. “Certain people may want to look at it that way, but if you’re seeing the challenges through a long-term lens, you start to realize the dominos falling and the unintended consequences that can happen based on decisions we are faced with today. That’s why we want cooler heads to prevail and the relevant facts to be discussed. We want an understanding from the public and governments around the world, a global conversation. We want law enforcement to protect society while technology maintains strong security and adheres to individuals’ rights to privacy. We want U.S. business to be strong, ethical, compliant with global regulations, and to deliver the best products to enrich the lives of people worldwide. We need to be talking about this and coming to a balanced resolution that everybody understands and accepts.”