Ban on software ‘backdoors’ could help small businesses – industry body

Backdoors are ways of bypassing normal authentication processes in software, which allow people to gain access to users’ data.

Alex Whalen, a senior policy manager at Digital Europe, a membership organisation representing the digital technology industry, says that companies often come under pressure from governments to provide backdoors or decryption keys in their products.

‘Understandably, from the point (of view) of government, there’s a lot of concern about being able to protect society and the barriers they face with encryption technology,’ he said. ‘But that’s something that our members don’t want to budge on at all, they don’t want to provide backdoors or give keys or in any way weaken encryption.’

He was speaking in response to an independent scientific opinion about how to shore up cybersecurity in Europe, which was published on 24 March by the EU’s Scientific Advice Mechanism (SAM). In it, the authors – a selection of leading European scientists from a range of disciplines – recommend that ‘neither backdoors nor other ways of weakening encryption should be introduced’.

The report said a general no-backdoor policy could be crucial to small businesses, who may find it hard to resist government-mandated backdoors and could easily lose trust and customers as a result.

“

‘If you start weakening encryption or you provide backdoors … hackers will find a way to utilise those backdoors.’

Whalen also points out that the deliberate bypassing of authentication would, in fact, decrease security. ‘If you start weakening encryption or you provide backdoors, although the intention might be great and positive for the government, hackers will find a way to utilise those backdoors. For companies that’s certainly something they … can’t allow for their customers.’

The recommendation was one of 10 coming out of the report, which covered issues of data protection and privacy as well as cybersecurity. It does not recommend specific policies, but rather is designed to be used as a basis for updating the EU’s cybersecurity strategy, the current version of which dates from 2013.

An updated policy is considered critical to complete the EU’s digital single market to allow digital companies to operate across borders by removing regulatory barriers.

Training

One of the other key issues that emerged from the report was training – both for end users and professionals – to ensure that cybersecurity is not undermined.

Fabrizio Gagliardi, from the Association for Computing Machinery, which represents 15 000 computing professionals in Europe and 100 000 worldwide, agreed that more education and training is vital to ensure that people are aware of their responsibilities.

‘The weakest component very often is the user, the human factor. Of course you need an infrastructure that is well-designed, but you also need educated users. Any student needs to be educated to a minimum in rules or sets of principles because if they don’t learn very early on then … they will have a relaxed attitude towards security, privacy (and) data protection.’

The scientific opinion recommends that the EU works to promote data-literacy education and build people’s awareness on cybersecurity. However, it also cautions against piling blame on users at the expense of creating more secure systems.

‘Calling for knowledgeable and responsible users should not be used as a step towards imparting blame to users for issues beyond their awareness, control or power,’ says the report.

Agustín Reyna, a senior legal officer with the European Consumer Organisation (BEUC), agrees. 'There is a lack of awareness about the risks and there is room for consumer education, clearly. But the responsibility shouldn't be put on the shoulders of the consumer in the sense that providing information is not itself enough to clear from any type of liability the suppliers or the developer.

'There are things that are out of control of consumers in terms of security, particularly in relation to data breaches that happen at service level. We have to work much more on where we define the lines.'

The report also recommends that the EU works to promote lifelong cybersecurity training among professionals and educate systems engineers to develop a security skills base in Europe.

As for next steps forward, Gagliardi says that the important thing is to ensure that the scientific opinion is acted upon.

‘It’s only by keeping hammering the authorities, the policymakers, on the importance of the programme that something will happen. That is one (piece of) advice I could give to SAM – keep insisting. Come back in one year ... and ask: “What have you done to follow our recommendations?” ’

If you liked this article, please consider sharing it on social media.