Recently, the biggest security story has been Apple’s spat with the Department of Justice (DOJ) about creating a backdoor into the iPhone used by the San Bernardino shooter. Both sides have waged a PR war to lay out their arguments which can be summarized as follows:
The DOJ wants technology companies to be able to defeat their own security when requested for law enforcement investigations. Apple argues that you can’t build a secure product if you are forced to build backdoors into it.
Recent developments include the FBI hiring outside hackers who helped it break into the phone without Apple’s assistance, and Apple working to build a phone that cannot be broken into at all. Additionally, there are dozens of similar cases around the country in which judges have ruled both for and against Apple on its obligation to help the FBI gain access to locked iPhones. The part of the story that has received the least publicity, however, may be the most interesting: Congress has gotten involved.
Earlier this month Senators Dianne Feinstein (D-CA) and Richard Burr (R-NC) introduced a draft bill titled “Compliance with Court Orders Act of 2016” aimed at addressing the heart of the dispute between Apple and the DOJ. The legislation would require companies to comply with any authorized court order for encrypted data and would require that any “unintelligible” data be made “intelligible” before being delivered to law enforcement.
In plain terms, technology companies would be required by law to retain the ability to decrypt any data they encrypt. This gets complicated because, to offset privacy and cyber risks, technology companies have shifted to encrypting as much as possible to protect their customers. There has been an ongoing dialogue about the privacy v. safety debate as decryption relates to individuals, but little has been said about the impact on businesses.
Three major concerns for businesses regarding the proposed legislation:
Makes US Companies Targets for Cyber Attacks – When technology companies have to engineer their own encryption so that it can be broken for law enforcement, cyber criminals know that organizations relying on those technologies have backdoors that are ripe to be exploited. US businesses rely heavily upon US technology companies for their infrastructure and products, from giants such as Microsoft, Apple, Amazon, and Google.
These technology companies may even begin to develop two versions of their products, one with robust encryption for Europe, Latin America, Africa, and Asia, and one for countries whose governments want additional access such as the United States, China, and Russia. Needless to say, hackers will target American businesses running these backdoor versions.
Shifts Technology R&D Out of the US – As American technology firms focus on developing products that meet the requirements of this legislation, technology firms in other countries may bypass the US as a market to avoid the burdensome legislation and instead develop for the rest of the world. The brightest minds in Silicon Valley, frustrated with developing software that is deliberately hindered in functionality, may take their talents to European and Asian technology firms.
For the US small business owner, the companies they rely on most for technology may suffer a brain drain and ultimately, reduced innovation. Even worse, their foreign competitors will likely not be impacted by these concerns, making the US business owner less competitive on the global scale.
Moves US Companies into a Murky Legal Area – Many businesses rely on encryption to protect trade secrets, customer information, confidential financials, and numerous other types of data. When the next big technology springs up from a foreign technology company that doesn’t have to operate under US rules, what will happen if US companies adopt that technology through non-official channels?
Pirated software is nothing new, but now companies will be looking to pirate software because of availability, not cost. If law enforcement comes for a US company’s records only to find they are encrypted using illegal encryption, what will the legal consequences be for the US business?
Additionally, as it becomes obvious to cyber criminals that US companies are downloading pirated versions of software with robust encryption, they will modify it to come bundled with malicious code, damaging the security posture of these companies further.
This new legislation is a perfect example of what happens when Congress legislates technology issues without bringing experts to the table. The outcry against this proposed legislation has been nearly unanimous throughout the technology community, even from technology interests that often find themselves in conflict with each other, such as privacy advocates and Big Tech. Many small business leaders have no idea this conversation is even happening. This law has little chance of being passed, but it raises an important question: why aren’t all interested parties involved in understanding what impact such a dramatic shift in US law would bring?
Nathan Horn-Mitchem is first vice president of Information Security at the Provident Bank. Based in Provident’s Iselin office, Horn-Mitchem oversees the bank’s Information Security and Cybersecurity programs. He holds a bachelor’s degree in business administration from Georgetown University in Washington D.C.