By Steven J. Ross, CISA, CISSP, MBCP
At the time this was written (October 2010), there have been numerous news items about conflicts over encrypted messaging between some national governments and Research in Motion, the manufacturer of BlackBerry® personal digital assistants (PDAs), and with other companies that are transforming communications such as Google, Facebook and Skype.1 These stories are rapidly evolving, and my current knowledge will surely be dated by the time this column is printed. Moreover, the ISACA Journal takes no position on geopolitical issues, and I certainly do not intend to do so now. But, this issue does raise what I consider to be a fundamental issue of information security: Do corporations have the right to secure their information? Put another way, do governments have the right to compel corporations to divulge information if governments see national (or local) safety at stake?
This is not a question of an individual’s right to data privacy, which is established by law in many countries. Nor does it apply to a government agency’s need to protect information; it becomes self-referential to question whether a government has the right to see data that the government already has. Corporations, as a group, possess an extraordinary amount of information. If a government—and not necessarily the government in the location where the company is headquartered or keeps its data—asks to see information, does a company have any recourse except to hand it over?
Some of a corporation’s information concerns its customers, vendors and employees, and so the company has an implicit responsibility to prevent unintended use of its information. The rest of the information deals with the affairs of the enterprise itself; a corporation’s shareholders have a reasonable expectation that this intellectual property will be kept secure. At the same time, companies are a part of the world and exist in a society of states and laws. Corporations have officers and employees who must answer to the governments of where they live. So, when a government demands access to a company’s information about itself and others, what is the company’s ethical obligation?
This is as much a philosophical question as one concerning information security. The ancient philosophers also considered it, but there were no corporations in Aristotle’s time.2 Thousands of years later, the Utilitarians3 found that the greatest good for the greatest number should prevail over what is best for individuals, but Aristotle, Jeremy Bentham or John Stuart Mill had never seen a corporation such as we see today. Much that has been written about the roles of governments and corporations deals with the problems of them working together,4 not about conflicts among them over the security of information.
Modern corporations, especially global ones, are a creation of the 20th century and the latter part at that, so there is not a great deal of literature in economics, philosophy or ethics to provide guidance. Nor would such counsel mean much more than the opinion of an individual writer (this column included). The dilemmas some companies face today with regard to state demands for access to information go beyond the day-to-day activities of most information security professionals. When they arise, it is usually senior management or general counsel that must deal with them. But, they do have a practical aspect, as well: How tightly secured should information be? Should access to systems and databases be so strictly controlled that no one can bypass the controls, or should they be designed with a “trapdoor” that could be exploited by governments and, therefore, by malefactors, as well?
This is not just an academic discussion. It is a problem that affects the telecommunications and financial services industries and many others that form a nation’s critical infrastructure. As encryption has become more robust and ubiquitous, governments have become increasingly concerned that terrorists and other criminals may use secure means to perpetrate crimes. The US government is seeking to require all services that enable communications to be technically capable of complying if served with a wiretap order, including being able to intercept and unscramble encrypted messages.5 In the recent past, the Dutch and UK governments, among others, have insisted on key escrow so that they can have access to encrypted files and communications.6, 7 Paradoxically, for many security practitioners, it appears that as the protection of information becomes more effective (for the good guys), there will be more government demands to circumvent security (to stop the bad guys).
Many multinational corporations do business in countries in which the governments may indeed be counted among the bad guys. Sadly, there are repressive regimes in many parts of the globe. If those states were to be given access to corporate information, they could use it against a corporation not only within their borders, but everywhere it conducts operations. The government could use the information to the benefit of local competitors or, worse, to harm its own citizens. What is the ethical position in circumstances such as those? Practically speaking, what are corporate executives, chief information security officers (CISOs) among them, supposed to do?
These questions, which seem to me to have fundamental significance for information security, are highly strategic in nature. They need to be considered as a risk in every jurisdiction in which a company does business. Simply put, corporate boards and senior managers must decide the degree to which they will accede to government demands for secured information and the extent to which they will resist. And, if they choose not to comply, they must be prepared for the risk of penalties or even of ceasing operations in those countries.
Corporate CISOs ought to be contributors to these deliberations, if only so that these strategic decisions are made with as much factual understanding of the security systems involved as possible. It is my recommendation that CISOs counsel management to secure information as tightly as possible, but to be prepared to lower barriers to access when presented with legitimate state demands. Even as I write these words, I feel that this is an inadequate response, but it may be the only one. A corporation would maintain high security, except when it does not.
And who is to decide when to lower the barriers—to open the trapdoor? I believe that this is a major part of the solution. Reduction of security in these special instances should be executed by only a small number of senior executives, such as general counsel or the chief financial officer (CFO). It should not be done by anyone lower, not even the CISO, on the basis of a decision transmitted from above. When the exception mechanism for security is in the hands of the most senior people in a corporation, it is less likely to be abused from below or used without significant and demanding examination of the issues involved.
1 Savage, Charlie; “U.S. Tries to Make It Easier to Wiretap the Internet,” New York Times, 27 September 2010
2 See my earlier ISACA Journal article, “There Ought Be a Law,” vol. 6, 2006, in which I quote Aristotle’s Nicomachean Ethics. He concludes that the interests of the state outweigh those of the individual.
3 Bentham, Jeremy; An Introduction to the Principles of Morals and Legislation, 1780
4 For example, see Veblen, Thorstein; The Theory of the Leisure Class: An Economic Study of Institutions, 1899.
5 Op cit, Savage
6 Van Buuren, Jelle; “Dutch Government Puts Trusted Third Parties Under Pressure,” 8 May 2001, www.heise.de/tap/r4/Ariel/7/7571/1.html
7 Parkins, Keith; “UK Proposals for a Key Escrow Encryption System,” July 1996, http://home.clara.net/eureka/sunrise/ukescrow.asc
Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. He can be reached at st email@example.com
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.