The Bottom Line: Global 5000 organizations must know where all keys and certificates are used, who is responsible for them, and how to continuously protect them.
In February 2016, a U.S. court ordered Apple to use its code-signing key and certificate to authorize software that would circumvent the iPhone's native security self-defenses. Venafi, along with many others, believes that the required access to and use of Apple’s key would pose a serious threat to Internet security.
Apple’s Tim Cook contends that government access to keys and certificates, and the power they enable in providing trust and privacy, is “asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals.” Or, as Time recently described it: “the software equivalent of the secret name of God.”
Venafi views this type of government action as ultimately hijacking the expectation of privacy that exists in a digital world: the privacy and trust that cryptographic keys and digital certificates enable. At Venafi, we are serious about protecting privacy. We disagree with the government and law enforcement’s action to require disclosure. Given access to the proper data (precise awareness of all keys and certificates), our customers can make informed decisions about their legal responsibilities as well as their responsibility to their customers, shareholders, and other stakeholders. Should they decide to comply with a legal request, they will be able to do so.
Trending: Global laws are changing to bypass security and expose encrypted data
Regardless of the outcome of the U.S. court deliberations of Apple vs. FBI, the issue of law enforcement requesting keys and certificates is a growing trend in many parts of the world. Whether your organization is a bank, a retailer, an insurer, or a telco, all organizations today are software businesses that rely on keys and certificates for secure communications, commerce, computing, and mobility. In that light, Apple vs. FBI and the impact of key and certificate disclosure is a topic that is very relevant to all global organizations.
One of the reasons this issue is so serious is that a compromised, stolen, or forged key and certificate can allow bad guys to impersonate, surveil, and monitor servers, clouds, and mobile devices while appearing trusted on the network.
Source: TechValidate. TVID: 363-53E-598
Keys and certificates have become high-value targets
The reality is that organizations not only need to protect keys and certificates from bad guys looking to misuse them, but also need to be completely aware of the status of every key and certificate in order to properly secure them and make informed decisions about meeting global government and law enforcement requirements.
With tens of thousands of keys and certificates used in businesses today, most of them unknown and unprotected, the issue of key and certificate disclosure presents a serious risk to the Global 5000 (see Figure 1). Concerns over liability will impact CEOs, boards of directors, general counsels, and CISOs across the board.
Apple vs. FBI is part of a global trend of law enforcement seeking access to and use of keys and certificates. The most relevant of the laws of this type are those in Europe:
- United Kingdom: Section 49 of the Regulation of Investigatory Powers Act (RIPA) enables law enforcement to gain access to cryptographic keys. Failure to provide requested keys carries mandatory jail sentences for those involved, including those representing a business, such as a managing director or board. Deliberations are now underway on updates to RIPA that would allow law enforcement to require businesses to use surrendered keys and certificates to undermine security and introduce new vulnerabilities.
- France: Article 434-15-2 enables law enforcement to gain access to cryptographic keys and carries not only a criminal penalty of 3 years of jail time but also a mandatory fine of €45,000 for each infraction. Fines increase to €65,000 and jail time to five years in cases where failure to provide the key could have prevented or limited the impact of a criminal act.
If Apple were a French or U.K. business, would Tim Cook or a Board Member be serving jail time for failing to provide access to its code signing key and certificate? It seems likely. But the potential impact doesn’t stop there. Subsequent action in these countries could still affect Apple executives and board members travelling abroad.
Action for all G5000: Detect and Protect all Keys and Certificates
Issues of key disclosure extend well beyond Apple. Because all businesses are essentially software companies, which use keys and certificates throughout, key disclosure can have a very real impact on productivity, success, and even liability. To minimize these risks, G5000 companies need to gain deeper knowledge of all aspects of protecting their keys and certificates.
Preparing for key disclosure requires a full understanding of the use and ownership of keys and certificates, especially those that IT security teams may not be aware of, including those used by marketing, engineering, and manufacturing teams. To learn what steps to take, download our Readiness Brief.
How Venafi Helps You Manage Your Keys and Certificates
Venafi helps you manage and protect the keys and certificates that establish trust, privacy, and confidence for your business. As disclosure requirements and laws continue to evolve, having in-depth information about your keys and certificates will become a competitive advantage. Venafi gives you the information you need to help reduce risk and protect the trust and privacy that keys and certificates were designed to create.
Update March 28, 2016: FBI Drops Its Case Against Apple After Finding a Way Into the iPhone
The battle between the FBI and Apple might be on hold, but the wider war will continue to rage on. The FBI’s dropped case has by no means settled the wider issues around encryption, privacy and public safety. The fact remains that the US courts have been trying to push Apple to make a decision that could fundamentally undermine security and privacy for all. Not a good thing.
The recent and public battle was a deliberate ploy by the US government to get its hands on the most sacred and powerful mass weapon of our times: the cryptographic keys and digital certificates that provide the foundations of all cybersecurity and trust on the internet. As a result, keys and certificates have become the target of nation states and bad guys. Just like Apple, every enterprise uses and depends on keys and certificates for trust and privacy, and therefore faces many of the same issues.
We should also be concerned that now that an iPhone can be hacked, others will try. The iPhone has been seen as a tiny Fort Knox that, from the outside, has shown how hard it is to crack. Although someone helped the FBI break into the iPhone, probably in exchange for money, other people who stumble upon the same hacking technique could choose to sell it to cyber criminals or other governments, which could spell the end of privacy as we know it.