
DOJ's 'responsible encryption' is the new 'going dark'

News roundup: The DOJ calls for 'responsible encryption' to comply with court orders. Plus, there's more bad cybersecurity news for banks, and Accenture data in AWS gets exposed.

Calling on tech companies that offer encrypted services to deploy those services using "responsible encryption," Deputy Attorney General Rod Rosenstein picked up the anti-encryption baton from former FBI Director James Comey.

Rosenstein's comments at the United States Naval Academy Tuesday echoed Comey's position on the use of encryption by criminals and others to evade law enforcement or national security agencies. In an attempt to rebrand the debate around "going dark," Rosenstein urged tech companies to deploy what he called "responsible encryption," or encryption that can be bypassed by the tech company in order to provide law enforcement agencies access to encrypted data subject to a court order.

"Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization," Rosenstein said, adding that it was not necessary for the government to mandate any particular key management or escrow service, but rather for individual companies to deploy encryption or encrypted services in a way that supports a "lawful access" to encrypted data on demand by law enforcement or national security agencies.

"Look, it's real simple. Encryption is good for our national security; it's good for our economy. We should be strengthening encryption, not weakening it. And it's technically impossible to have strong encryption with any kind of backdoor," said Rep. Will Hurd (R-Texas), when asked about Rosenstein's proposal for responsible encryption at The Atlantic's Cyber Frontier event in Washington, D.C.

"This is a conversation we're going to be involved in forever," Hurd said. "You can protect our digital infrastructure, chase bad guys and protect our civil liberties all at the same time. It's hard, but we can do it. And our civil liberties are not burdens -- they're the things that make our country great. So, you can call it whatever you want, but make sure you have strong encryption."


Unlike previous calls from the Department of Justice to curb secure, end-to-end encryption and put government-accessible backdoors on all data, Rosenstein suggested tech companies that offer encrypted communications services incorporate the ability to access encrypted data in response to court orders.

Rosenstein concluded by saying, "There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully informed decision."

In other news

  • The latest company to accidentally expose data in an Amazon Web Services Simple Storage Service bucket is Accenture, a global management consulting and professional services giant -- and cloud service provider. Chris Vickery, cyber-risk analyst for UpGuard Inc., a cybersecurity company based in Mountain View, Calif., reported the exposure in a blog post. "Accenture, one of the world's largest corporate consulting and management firms, left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients," Vickery wrote. "The servers' contents appear to be the software for the corporation's enterprise cloud offering, Accenture Cloud Platform, a 'multi-cloud management platform' used by Accenture's customers, which 'include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500' -- raising the possibility that, if valid, exposed Accenture data could have been used for critical secondary attacks against these clients."
  • The Federal Deposit Insurance Corporation (FDIC) suffered as many as 54 data breaches of personal information from the start of 2015 to the end of 2016, according to an audit by the FDIC Office of Inspector General (OIG). The FDIC, a government agency formed in the wake of the Great Depression to protect bank customers, insures all deposits at participating banks up to at least $250,000. To accomplish its mission, the FDIC collects large amounts of data, including personally identifiable information about bank customers. Writing in the audit report, which included in-depth reviews of some of the reported FDIC data breaches, the FDIC OIG "initiated this audit in response to concerns raised by the Chairman of the Senate Committee on Banking, Housing, and Urban Affairs regarding a series of data breaches reported by the FDIC in late 2015 and early 2016. Many of these data breaches involved PII."
  • Trustwave's SpiderLabs researchers reported that a sophisticated hybrid cyberattack against banks netted thieves as much as $40 million. According to the report, the scam involved people opening bank accounts, while accomplices broke into the banks' computer systems to manipulate the overdraft limits on those accounts, and then other people withdrew large amounts from ATMs abroad. While the attacks described in the SpiderLabs report were mostly against banks in post-Soviet states, the researchers warned the techniques would spread. "Currently, the attacks are localized to the Eastern European and Russian regions. However, in cybercrime, this area is often the canary in the mineshaft for upcoming threats to other parts of the world." SpiderLabs warned: "All global financial institutions should consider this threat seriously and take steps to mitigate it."
  • Rapid7 reported a SQL injection vulnerability in the SmartVista end-to-end banking payment software offered by Switzerland-based BPC Banking Technologies. Rapid7 first notified BPC of the vulnerability in May and, after receiving no response from BPC, notified the U.S. CERT Coordination Center in July. Rapid7 recommended that SmartVista users contact BPC support directly for assistance and, in the meantime, restrict access to the SmartVista management interface as much as possible. The security vendor also recommended performing regular audits of successful and failed logins and using web application firewalls to prevent SQL injection attacks.
