The backdoor threat to UK plc
As the debate over NSA spyware continues, Origin Storage's Andy Cordial asks whether customers will continue to have faith in encryption software
The new crisis over the creation of a "backdoor" or a "golden key" to encrypted hard drives is a major threat to technology.
The National Security Agency (NSA) director, Mike Rogers, tried to calm doubts about the government's plans to maintain built-in access to data held by US technology companies by saying that creating these "backdoors" would not be harmful to privacy, would not fatally compromise encryption and would not ruin international markets for US technology products.
But there is a flaw in this plan of allowing intelligence agencies to decrypt data on someone's phone or computer: if you create a vulnerability that can be exploited by the US government, where is the guarantee that other governments cannot access the same data through the same "backdoor"?
Other governments or third-party organisations will be able to crack that vulnerability and destroy encryption altogether. How will this affect the international markets?
Will customers still believe in encryption software and encrypted hard drives? Encryption is something imposed by law in certain areas and new laws to fine those companies that don't keep their data encrypted are being enforced.
We at Origin Storage have been educating the market on the benefits of using encryption and have seen many companies lose market share and customers because they have not used encryption, thus getting their data stolen. Will this new approach in creating a "backdoor" to encryption impact the channel?
We certainly believe so!
Infecting the firmware is outrageous, and uncovering this gap in security means that "thieves" will now start to look at new ways to access data. The biggest challenge we face is the reliance on encryption standards such as FIPS (USA standard) and CPA (UK standard), as major corporations make decisions on security policies in which FIPS and CPA form part of the criteria: if you have FIPS or CPA approval for your encryption product you are in; if you don't, you do not get shortlisted.
Our advice is to be careful how much reliance you put on such encryption standards. As a manufacturer of encryption solutions you have to hand over your source code in order to get FIPS and CPA approval. We wonder what happens to our source code when NIST or GCHQ get their little paws on it?