



The economics of back doors

Feb 24, 2016 · 10 mins

Why it’s bad for U.S. corporations and the U.S. economy

The debate between Apple and the FBI has become a major national public issue. The key component missing from this debate is the economic impact on US corporations and the US economy.

The FBI versus Apple debate is about data at rest. We should not forget that agencies from the US government down to local law enforcement can already capture data in flight from our mobile devices. For instance, it has been well publicized that Harris Corporation makes a surveillance device called StingRay that can intercept your location and who you are calling, record your conversation, and capture SMS text messages.

The StingRay simulates a cell phone tower, tricking nearby mobile phones into connecting to it and revealing your private information, whether you are a terrorist or not. Your data and mobile device information pass through the StingRay and are stored for analysis along with those of thousands of other mobile phone users. The StingRay technology can cost upwards of $400,000, but the US federal government funds most of the purchases via anti-terror grants.

If the StingRay is not capturing data in your area, your cell phone provider (Verizon, T-Mobile, Sprint, AT&T, etc.) is required by law to track every single phone call you make/receive and the duration of the call including your location data. In addition, your text message content may be retained depending on provider, including pictures, IP information, payment history, and service applications on your mobile device. The image above shows which states are using cell phone surveillance technology.

Let’s set aside the FBI versus Apple debate and look at a broader economic picture. What we do know is the US government is asking Apple to fully cooperate with an ongoing terrorist investigation and is alluding to some type of a “backdoor” to allow the US government to access data at rest for Apple mobile devices and possibly other criminal cases as indicated by the NY Attorney General. Apple is a US-based company. The US government could force Apple to have a “backdoor” under the guise of “matter of national security” and permit the US government to access Apple devices “at will.” If this did happen, this could be a financial disaster for US corporations selling any type of device that contains encryption technology.

Consider another mobile device maker, BlackBerry. It is a Canadian company, and its CEO went to battle with the Pakistani government, refusing to hand over the encryption technology used by the BlackBerry Enterprise Server (BES) for mobile devices. The Pakistani government wanted to decrypt the encrypted communications between a BlackBerry mobile device and BES to read contacts, email, text messages, applications, social media, pictures, etc. on a mobile device to fight and investigate terrorism.

The CEO of BlackBerry refused to cooperate and was going to shut down BlackBerry operations in Pakistan. BlackBerry stood its ground and won a victory when the Pakistani government rescinded its shutdown order. The Pakistani government came to terms with the fact that if BlackBerry was forced to leave the country, the move would have affected thousands of enterprise customers in the country and caused a negative financial impact.

When we look at other mobile phone makers, Apple is the only mobile phone manufacturer in the United States. Other phone manufacturers are mostly based out of Korea, China, and Canada. If the US government is going to force a “backdoor” on Apple devices, then to be fair, they should be enforcing a “backdoor” on other mobile phone devices as well.

We know the US government would not be successful forcing China to install a “backdoor” on all of the mobile devices made in China and expose its citizens and government officials to the US government. This puts Apple in a very unfair competitive situation where BlackBerry, Samsung, LG and other mobile device makers would thrive at the demise of Apple because they are headquartered outside the USA.


Right now, if the US government forces Apple to have a “backdoor,” Apple may become the most “shorted” stock in US history as other mobile device makers outside of the US will thrive. The US government would have to convince foreign country governments to install “backdoors” that would expose mobile devices to unfriendly governments and hackers. We know the US government would not be successful at this request as this flies in the face of capitalism.

Imagine if Apple was forced to have a “backdoor” in its software as the US government tries to use the terrorism threat to strong arm tech companies into providing “backdoor” access to its devices. Would this also happen for other US tech companies such as RSA, Microsoft, Cisco, Google, Symantec, Oracle, Facebook, Palo Alto Networks, HP, IBM, Hitachi, Computer Associates, etc. that make encryption software and technologies?

The US government needs to be more practical and pragmatic in considering the financial consequences and business impact of installing “backdoors” into successful mainstream US-made encryption technology. US corporations would lose significant global market share when trying to sell their products in foreign markets, because what foreign company would want to risk its intellectual property on a product that contains a “backdoor”?

A foreign corporation would be placed in jeopardy if the decryption passcode was ever lost, in addition to being open to spying by the US government and exposed to hackers. These foreign companies would seek other companies that sell tech products that don’t have “backdoors,” because they need privacy and security for the product/service that they are producing.


The US government is struggling, just like the private sector, with record security breaches in all major branches of the US government. How could US corporations place all of their investment eggs in one basket, hoping nothing bad would ever happen, such as the decryption passcode being lost or misplaced by a US government agency? Why would US corporations want to expose themselves to the rest of the world with hackers always trying to break into their products?

Having a “backdoor” in US based encrypted products would allow technology savvy terrorist organizations to continuously attack a product that could expose the data of thousands of US companies and create massive security breaches on an exponential scale. This could hurt the overall US economy.

Let’s say the US government gets its way and mandates “backdoors” for every encryption technology product made in the USA. What if the US government agency lost or misplaced the decryption passcode? This could destroy a US corporation if the “backdoor” decryption passcode was lost.

Is the US government going to be responsible and accountable for the major financial losses and the workers that get laid off? What is the US government going to do for the company they just financially destroyed and the fallout for the impacted companies that just had their sensitive data exposed? Is there immunity or a safe harbor for all the impacted US companies?

A compromise may be in order. As an Air Force veteran, we all want to fight terrorism on a domestic and global level. We will have situations where the US government will need to solve terrorist attacks within the USA and abroad. Just saying “no” to assisting our US government in preventing and solving terrorism is not a solution. While the idea of having a “backdoor” and having a master key has been discussed by many, this solution can cause severe economic harm to a company as it is not a practical solution. This is the solution I propose, using mobile devices as an example:

1. Modify existing algorithms (AES256 or Triple DES) to create a random key for each unique mobile device, whereby a separate encryption key is installed only on one device. No more master encryption key for every device which can expose every device.

2. The encryption key that is stored on a device can be easily read. For instance, the encryption key can be the device serial number imprinted on the device and displayed by default on the main PIN entry screen.

3. Part 1 of the decryption method: The device serial number can be reverse engineered with a special algorithm (held by the device manufacturer, i.e. Apple) to determine the device encryption key. Once the encryption key is determined, the encryption key value will need to go through a second algorithm to determine the first half of the encryption key, which can only partially unlock one device. The second part of the encryption key will need to be decrypted by the US government, so the entire process requires two independent parties to complete. The manufacturer is in full control of the decryption process.

4. Part 2 of the decryption method: The device manufacturer will provide the US government agency the encryption key and the first half of the decrypted key, using tamper-proof encrypted communications to share this sensitive information. The device manufacturer will provide the US government an algorithm to decrypt the second half of the encryption key, yielding the full decrypted key value needed to enter the device and read the contents at rest. The US government agency can only unlock one device at a time. The US government would not be able to unlock a device without the manufacturer initiating the decryption process.
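A minimal model of steps 1 to 4, added here as an example and not the author's or any manufacturer's implementation. It assumes HMAC-SHA256 as the manufacturer-held algorithm and swaps the literal key halves for a 2-of-2 XOR split; `MANUFACTURER_SECRET`, the serial numbers and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical manufacturer-held secret. Whoever holds it can derive any
# device's key, so in practice it would live in an HSM, never on a device.
MANUFACTURER_SECRET = secrets.token_bytes(32)


def derive_device_key(serial: str, secret: bytes = MANUFACTURER_SECRET) -> bytes:
    """Steps 1-3: map a device serial to a unique 256-bit key.

    Assumption: HMAC-SHA256 stands in for the manufacturer's algorithm.
    """
    return hmac.new(secret, serial.encode("utf-8"), hashlib.sha256).digest()


def split_key(device_key: bytes) -> tuple:
    """Split a key into two shares; either share alone is random noise.

    Swapped-in technique: XOR sharing instead of literal halves, because
    handing over half the bytes would disclose half of the key.
    """
    share_a = secrets.token_bytes(len(device_key))
    share_b = bytes(k ^ a for k, a in zip(device_key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Step 4: both parties' shares are needed to rebuild the key."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


if __name__ == "__main__":
    serial = "EXAMPLE-SERIAL-0001"  # constructed sample value
    key = derive_device_key(serial)
    manufacturer_share, agency_share = split_key(key)
    assert combine_shares(manufacturer_share, agency_share) == key
    # Shares released for one device say nothing about another device.
    other = derive_device_key("EXAMPLE-SERIAL-0002")
    assert combine_shares(manufacturer_share, agency_share) != other
    print("recovered key for", serial, "only with both shares")
```
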

The benefits of the aforementioned decryption process are that it complies with the US Constitution, respects the privacy of US citizens by only unlocking one device at a time and not on a mass scale, and protects the manufacturer from catastrophic financial losses and erosion of its customer base.

There will be no exposed backdoors for hackers or terrorist groups to attack since only one mobile device can be attacked at a time. In addition, this method could support other foreign governments and not just the US government alone. The device manufacturer can determine if they want to support or decline government requests to view the contents of its customer devices to ensure proper due diligence is being performed to protect its customers from government overreach. This will be a cooperative process to fight terrorism, but also respect the privacy and security of US citizens and the financial viability of US corporations.

Bottom line, the US government needs to rethink its encryption “backdoor” strategy, because the US government is playing with billions of dollars and thousands of jobs that could adversely impact the US economy if they make a single mistake. If we stop and think about the consequences if Apple was forced to install a “backdoor” into its software code and if the US government lost the decryption passcode, this single action could destroy an innovative multi-billion dollar global corporation at the expense of a single mistake.  

If Apple is hypothetically forced to install a “backdoor” into its software code, you can bet Apple will relocate its headquarters outside the US and kill thousands of jobs in the US.

It is time to compromise with a better solution and stop rolling the dice with the thought of using a “backdoor” with this modern day dilemma.

Note: Special thanks to Dr. Mansur Hasib, author of Cybersecurity Leadership: Powering the Modern Organization, for peer review.


Todd Bell has become an international expert and leading speaker on preventing security breaches for new start-ups to Global Fortune 500 companies. As a CIO & CISO, Todd has made a global impact for safeguarding millions of consumers' information around the globe, from building new cyber programs to maturing existing programs.

Todd is also the architect & inventor of the Bell Security Enterprise Security Architecture method that streamlines cybersecurity controls as a virtual overlay onto an existing flat network architecture without having to move any existing systems, saving thousands of dollars and accelerating data protection with a low cybersecurity budget. The method is based on a zero-trust model and adapted to co-exist with malware in an untrusted internal corporate network.

Todd is also the creator of "What Is Your Risk Number" to properly assign cybersecurity risk ratings that vary within an enterprise to have the balance of business needs and having proper cybersecurity controls.

The opinions expressed in this blog are those of Todd Bell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
