Article by Information Week
Amid federal and state bills written to weaken computer security by mandating backdoors that bypass encryption, IT pros are alarmed at the prospect of security made insecure, according to a report released Tuesday by IT services firm Spiceworks.
In a survey of 600 IT professionals from North America, Europe, the Middle East, and Africa, Spiceworks found that 87% said they believe backdoors increase the risk of a data breach.
As an individual identifying himself as Dave Ohlendorf explained in the Spiceworks forum, “ANY backdoor — no matter who knows about it, can and likely will be reverse engineered and end up in the wild where it will get into the hands of ‘very bad people.’”
This view has been echoed by cryptography experts such as Matthew Green, assistant professor in the department of computer science at Johns Hopkins University. As Green put it in a tweet earlier this year, “The problems with encryption backdoors come up when you try to scale them from an idea to something that affects millions of people.”
The Athens affair, in which the Vodafone phone network in Greece was compromised over a decade ago, is often cited as an example of the problem with backdoors.
Backdoors in encrypted systems can make life easier for law enforcement agencies, but they impose a potential cost on businesses. Simply put, compromised security has become a tough sell. Some backdoors are put in place deliberately, as a matter of administrative convenience. Others, like the backdoor in Juniper’s NetScreen firewalls, are supposedly unauthorized. Either way, they’re generally not welcome.
Spiceworks separately surveyed 220 IT pros about how awareness of a backdoor in a company’s products might affect that company’s sales prospects. The firm found that 65% of IT pros would be less likely to buy from a company known to install backdoors in its products. Only 20% said a history of backdoors would have no impact when considering a purchase.
Given reports about the NSA’s ability to access networking equipment from Cisco, Dell, Huawei, and Juniper, not to mention a supposedly inadvertent backdoor in a MediaTek phone chip used for some Android phones, it may be difficult to avoid products with backdoors or vulnerabilities that could become backdoors.
Nevertheless, some businesses see value in declaring their commitment to encryption, even if their execution remains imperfect. Apple, for example, has taken a public stand against the US government’s attempt to force it to undo its encryption for the convenience of investigators. And more recently, consumer messaging providers like WhatsApp and Viber have committed to end-to-end encryption.
According to a separate Spiceworks security report released in December 2015, more than 80% of businesses experienced some form of security incident last year, and 27% of the 200 IT pros surveyed planned to increase spending on encryption in 2016.
In the report that was released Tuesday, more than half of those surveyed (57%) said they believe that network or device encryption had helped their organization avoid a data breach.
Encryption has become common on networks. Some 47% of Spiceworks respondents said they encrypted data in transit to laptop and desktop computers. But encryption is less common on mobile devices like tablets (35%) and smartphones (40%). It’s also less common for data at rest: laptops/desktops (36%), tablets (25%), and smartphones (28%).
Still, some organizations don’t see the value of encryption. According to the IT pros surveyed, 16% of organizations don’t enforce encryption across any devices or services.