When the director of cybersecurity at the National Security Agency assured Bloomberg last week that the new encryption standards his agency is working on with the National Institute of Standards and Technology (NIST) would have no backdoors, it drew a few grins from cyber professionals.
A backdoor is a purposeful weakness in a system or software that can be exploited by an attacker without being detected. An NSA-developed encryption standard was abandoned as a government standard in 2014 after rumours surfaced that it featured a backdoor.
“Backdoors can help law enforcement and national security, but they also introduce vulnerabilities that hackers can exploit, and they’re subject to potential misuse by the agencies they’re supposed to help,” John Gunn, CEO of Token, a biometric-based wearable authentication ring maker based in Rochester, N.Y., told TechNewsWorld.
“Any encryption backdoor may and will be discovered by others,” said John Bambenek, principal threat hunter at Netenrich, a San Jose-based IT and digital security operations firm.
He told TechNewsWorld, “You can trust the US intelligence community.” “However, when the Chinese and Russians have access to the backdoor, will you trust them?”
Trust but double-check
Lawrence Gasman, president and founder of Inside Quantum Technology, of Crozet, Va., a distributor of information and intelligence about quantum computing, believes the public has cause to be dubious of NSA officials’ statements. He told TechNewsWorld, “The intelligence community is not known for telling the absolute truth.”
“The NSA employs some of the world’s best cryptographers, and well-founded rumours have circulated for years about their efforts to embed backdoors in encryption software, operating systems, and hardware,” said Mike Parkin, an engineer with Vulcan Cyber, a Tel Aviv, Israel-based provider of SaaS for enterprise cyber-risk mitigation.
“Similar things may be said about software and firmware sourced from other nations,” he told TechNewsWorld. “They have their own agencies with a vested interest in monitoring what’s in the traffic passing a network.”
“The authorities have a long-standing antipathy for encryption, whether it’s in the name of law enforcement or national security,” he said.
When it comes to encryption and security in general, Dave Cundiff, CISO at Cyvatar, a provider of an automated cybersecurity management platform in Irvine, Calif., recommends a trust-but-verify strategy.
He told TechNewsWorld, “Organizations may have the best of intentions but fail to see those ideas through.”
“Government entities are constrained by legislation, but it doesn’t mean they won’t mistakenly or purposely provide a backdoor.”