Dear Honorable Members of the United States Congress:
I work in application security in the cybersecurity field to make software more secure from attack. The cybersecurity threats that face our nation are very important to my wife and me. As Americans, our private data is in great jeopardy because of increased cybersecurity threats. Our infrastructure is prone to being hacked, and major data breaches of both private and government networks are routinely in the news. The best way to prevent these breaches is to increase the use of strong encryption with no backdoors.
The track record of data breaches demonstrates an uncomfortable truth: when sophisticated adversaries want to hack a network, they will ultimately win. Among the few tools known to computer science that can prevent a data breach is strong encryption. This means that there is no backdoor and no backup key. Either the original user needs to enter the password, or the data is un-retrievable.
While having the ability to access private information for criminal investigation seems to protect Americans, the technology for this will leave a backdoor open to the general public’s private information also. This is because there is not a technologically feasible way to build an encryption backdoor that cannot be compromised by hackers or foreign enemies. This ultimately means that Americans are made less safe with government-mandated backdoors. One example is the hacking of Juniper Networks’ firewalls through a backdoor in their software.
As a professional in information security, it is my stance that strong encryption is the best way to protect the privacy and safety of all Americans’ information and our cyber infrastructure. If the government starts to require backdoors into encryption, this is equivalent to government-mandated insecurity in our software.
I want to be very clear about my use of the term backdoor. Even today, Wednesday, May 3, 2017, in testimony before the Senate Judiciary Committee, FBI Director James Comey insisted that “none of us want backdoors” in response to a question by Senator Hatch (TechCrunch article). Let me be clear. This distinction that the Director makes has no basis in fact or science. Any imaginable key escrow system that would by design provide routine access to encrypted data is a backdoor that will be able to be hacked. Any such system of so-called lawful intercept is an unfixable, mandated security vulnerability that will make Americans less safe both at home and abroad.
The matter of strong encryption versus government-mandated backdoors to accommodate lawful intercept is likely to come before this Congress. Think carefully about your stance because what you do will determine the fate of American’s freedom to encrypt so that their data is protected from being stolen.
I am available to discuss this strong encryption topic with you and your staff.
Frank S. Rietta
CEO of Rietta, Inc., a Web Application Security Firm