×

Why Apple is right to fight FBI backdoor

The U.S. Department of Justice's motion issued last week to compel Apple to create a bypass of its iPhone data self-destruct feature is understandable. The FBI wants to access data stored on an encrypted iPhone owned by Syed Farook, who, with his wife, killed 14 people in San Bernardino last December.

Apple's CEO Tim Cook wrote a public letter to customers, calling the order a dangerous precedent.

However, when we examine the implications of having Apple and other companies build "backdoors" into their products that enable law enforcement authorities to access encrypted data on endpoint devices, we soon find that building such backdoors actually creates more problems than it solves.

Apple CEO Tim Cook.
Getty Images
Apple CEO Tim Cook.

It could lead to putting these backdoors into everyone's smart phone, PC or other computing device, creating a whole new attack vector for hackers to exploit. Hackers and hostile foreign countries will see this as an opportunity to use this vulnerability to their benefit.

If these backdoors are built, it will be a question of when, not if, a hacker will create his own exploit and use it to get his hands on an enterprise's, person's or government agency's data.

In addition, if we start down the slippery slope of including backdoors in our computing devices, then sophisticated terrorists and other criminals will pursue alternative security solutions. Rather than depend on an endpoint's built-in encryption and other security features, they will add off-the-shelf security tools to protect their data.

The Department of Justice will end up finding itself playing a game of "whack-a-mole," working to compel every third-party encryption vendor within its jurisdiction to build backdoors into its products. Yet even if the government finds a way to win this game it will still lose.

Sooner or later, companies located in countries beyond the U.S. Department of Justice's legal jurisdiction will develop and sell their own encryption tools – companies that the U.S. Department of Justice will be unable to compel to install backdoors.

Meanwhile, the negative impact of creating these backdoors in hardware and software products is significant. Corporations and individuals will no longer trust that the data they save on their smart phones, PCs and other computing devices is safe – unless they add complex and expensive third-party encryption tools to these devices themselves.

Also, computing device manufacturers would likely need to create whole new teams to manage the hundreds to thousands of unlock requests they are likely to get from not just the federal government, but state, local, and foreign governments as well.

Moreover, creating backdoors to access encrypted data on endpoint devices is not a silver bullet that will win the war on terrorism. If law enforcement agencies have a suspect in their sights, there are many tools, processes and capabilities they can leverage to gather data that will further their investigations. Trying to decrypt data on an endpoint, while very valuable, isn't the only option.

In the end, if we force companies to build backdoors that the government can use to access encrypted data we wind up making our security problem worse, not better. Terrorists and criminals will continue to use other tools to secure or encrypt their data.

Corporations, governments, and individuals will need to add yet another piece of software to their technology stack to mitigate a known backdoor. If they don't, and they are compromised, government leaders and executives will ask the security team, "If you knew about the vulnerability, why didn't you protect us from it?"

I believe we all want to prevent terrorism. But in doing so, we should not weaken the security posture of the internet, and only make ourselves less safe, not more.

Commentary by Rick Orloff, Chief Security Officer, software company Code42. Previously he was Apple's senior director of security.

For more insight from CNBC contributors, follow @CNBCopinion on Twitter.