Obama Sees Need for Encryption Backdoor

Cameron Describes a 'Front Door' to Circumvent Encryption

Prime Minister Cameron and President Obama discuss encryption at a press conference. (from White House video)

Although President Obama said he sees the need for law enforcement to gain access to encrypted data on a suspected terrorist's digital device, he stopped short of calling for a law to require manufacturers to provide a so-called "backdoor" to break encryption on mobile devices.

At a Jan. 16 White House joint press conference with British Prime Minister David Cameron, Obama said his administration is discussing with device manufacturers and software providers ways for authorities to gain access to the encrypted data without compromising the privacy and civil liberties of citizens.

"The dialogue that we're engaged in is designed to make sure that all of us feel confident that if there is an actual threat out there, our law enforcement and our intelligence officers can identify that threat and track that threat at the same time that our governments are not going around fishing into whatever text you might be sending on your smart phone," Obama said.

Cameron, being less nuanced than the president, reiterated his belief that it's justifiable for authorities to gain access to encrypted data on mobile devices, just as for years, laws and regulations allowed telephone conversations to be tapped or mail intercepted and read.

'Keep Our Countries Safe'

"We're not asking for backdoors; we believe in very clear front doors through legal process that should help to keep our countries safe," Cameron said. "My only argument is that as technology develops as the world moves on, we should try to avoid the safe havens that otherwise could be created for terrorists to talk to each other."

In October, FBI Director James Comey said he wants Congress to update a 20-year-old law to give law enforcement authorities access to encrypted data of suspected criminals (see FBI Director Ignites Encryption Debate).

Cameron reportedly planned to lobby Obama to criticize technology companies that offer encrypted communications that cannot be cracked by government authorities for terrorist investigations (see Cameron to Ask Obama to Help Weaken Crypto).

Obama, in his remarks, wasn't critical of the technology companies that have resisted creating a backdoor; indeed, he was a bit sympathetic. "We're still going to have to find ways to make sure that if an al Qaeda affiliate is operating in Great Britain or the United States that we can try to prevent real tragedy; I think the companies want to see that as well," Obama said. "They're patriots, they have families they want to see protected.

Squaring the Circle

"We just have to work through in many cases what are technical issues. It's not so much that there are differences in intent, but how to square the circle on these issues is difficult. And, we're working with partners like ... the United Kingdom, but we're also going to be in dialogue with companies to try to make that work."

From a technical standpoint, however, many security experts say that any attempt to undermine crypto, for example by mandating that backdoors be added to encrypted services, would fail on numerous fronts - not least because of the availability of free tools for encrypting communications.

Jake Laperruque, a fellow at the civil liberties group Center for Democracy and Technology, says he's somewhat troubled by the president's remarks because allowing backdoors to circumvent encryption could allow criminals to gain access to secret data of individuals. "We continue to be concerned about the idea of a backdoor, although the president's comments reflect that he understands the risk associated with this," Laperruque says. "It raises questions whether the government will properly account for those risks with a policy like this that would outweigh any benefits for the average Internet user."

Bilateral Meetings

Obama and Cameron met over two days, Jan. 15 and 16, and part of their conversations focused on cyberthreats, which they characterize as one of the most serious economic and national security challenges both nations face. In their bilateral meetings, both leaders agreed to bolster efforts to enhance the cybersecurity of both nations, strengthen threat information sharing and intelligence cooperation on cyber matters and support new educational exchanges between American and British cybersecurity academics and researchers.

According to the White House, the U.S. and U.K. will conduct joint cybersecurity and network defense exercises to enhance their combined ability to respond to malicious cyber-activity, with the first joint exercise later this year to focus on the financial sector (see U.S., UK Plan Cyberwar Games).

In addition, both national governments will work with industry to promote and align their cybersecurity best practices and standards, to include the U.S. cybersecurity framework and the United Kingdom's cyber essentials scheme.

The U.S. and Britain already work closely on a range of cyberdefense matters, such as the U.S. Computer Emergency Readiness Team and CERT-UK collaborating on computer network defense and sharing information. To deepen this collaboration in other areas, the White House says, the U.K.'s Government Communications Headquarters and Security Service (MI5) will work with the U.S. National Security Agency and FBI to further strengthen U.S.-UK collaboration on cybersecurity by establishing a joint cyber cell, with an operating presence in each country. The cell, which will allow staff from each agency to be co-located, will focus on specific cyberdefense topics and allow cyberthreat information to be shared at a greater pace and scale.

Cambridge vs. Cambridge

Both governments also have agreed to provide funding to support a new Fulbright Cybersecurity Award, starting in the 2016-2017 academic year, which will allow scholars from both countries to conduct cybersecurity research for up to six months, with applications being accepted later in 2015.

The White House also announced that MIT's Computer Science and Artificial Intelligence Laboratory, located in Cambridge, Mass., has invited Britain's University of Cambridge to take part in a Cambridge vs. Cambridge cybersecurity contest, the first of what's intended to be many international university cybersecurity competitions. Officials say the aim of the competition is to enhance cybersecurity research at the highest academic level within both countries in order to bolster their cyberdefenses.