Enterprise IT Watch Blog

Sep 28 2010   5:09AM GMT

Is a new Obama mandate putting IT security at risk?

Melanie Yarbrough

We’re not here to discuss politics, but one of the big stories today is the Obama administration’s development of plans to require that backdoors be built into Internet-based communication services, allowing for compliance with federal wiretap orders.

The bill, slated for 2011, would require communication service providers to have the capability to intercept and decrypt messages. The proposal extends the Communications Assistance for Law Enforcement Act (CALEA), which requires telecom providers to provide interception capabilities for law enforcement, into the realm of the Internet. In the New York Times article on the bill, FBI’s Valerie Caproni said:

We’re not talking expanding authority. We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security.

But does “public safety and national security” come at the cost of personal and enterprise security? Extending interception capabilities to the Internet could prove disastrous if not executed correctly. Steven Bellovin, a computer science professor at Columbia University, thinks “it’s a disaster waiting to happen. If they start building in all these back doors, they will be exploited.” He cites a case from 2005, when “hackers [took] advantage of a legally mandated wiretap function to spy on top officials’ phones, including the prime minister’s.”

On the flip side, there may be side effects to adding to the already overwhelming honey-do lists of enterprise IT. Former Sun Microsystems engineer Susan Landau worries that the mandate would hinder the progress of small startups. Engineers would be dedicated to incorporating wiretapping capabilities rather than to innovation and meeting product release dates.

Federal response to the privacy community’s uproar is hardly comforting: Service providers would be the sole carriers of the decryption capabilities, which the agency would need a court order to use. Ira Winkler, president of the Internet Security Advisors Group, told Computerworld that his main concern isn’t the “government’s ability to intercept communications for legitimate law enforcement purposes, the real concern should be over continued compromise of personal data online.”

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

4  Comments on this Post

  • Halvard
    This was coming regardless of administration, regardless of who won whichever election. Law enforcement and national security want it, other governments have demanded and received it and the Feds used to effectively have it when DES was the encryption standard. That doesn't mean I like it, far from it. I just recognize that governments everywhere have been pushing for and getting greater and greater police powers. Even before the War on Terror, governments were pushing for these powers. Gore and Gingrich were both pushing for these sorts of powers 15-20 years ago. The same career people are in place in intelligence, law enforcement and commerce. They push for the same things regardless of administration. Don't like the appointee in charge? No problem, wait a year or two and they are gone. So how do you think we should go about preventing and / or overturning these powers?
  • TomLiotta
    "...for which the agency would need a court order to utilize." Which court? Regardless, if true, it's probably legal. But... "...the capability to intercept and decrypt messages." It'll be interesting to learn how "decryption" will be enforced. Will there be penalties for inability to decrypt? Who would be charged in instances that take a few months to decrypt?? Tom
  • Techbaron
    I think there has been enough done and enough said in regards to security measures already in place with such as the presidential emergency powers. I agree with Halvard, how do we stop this? It is really now up to IT professionals to stop such a thing from being passed, I have heard there was something that was being attempted, which would allow for the closure of internet access completely for up to 4 months in emergencies, can anyone shed light on this? I mean, come on, if governments are that concerned about security then one has to ask, is the government working for the people anymore? It is starting to sound suspiciously like a paradigm shift... I hate sounding like some freaked out conspiracy theorist but things have got to the point where you are forced to think in such a way.
  • Chippy088
    I agree with those opinions already stated here. Sometimes I think politicians are like new graduates. Intelligence without the practicalities. The difference being, new grads will listen to experienced advisers before taking major decisions, whereas the politicians want to be seen as proactive, whatever the cost. An idea like this simply causes all sorts of costly development and implementation problems. Civil rights, legal implications, and last but not least, where does the money for it come from. Who will watch the watchers? The bigger the task, the more resources needed, and the bigger the blunders. Glad this is not my project.
