Web security consists of multiple moving parts that can move in opposite directions. As a result, actions or technologies that improve one aspect of security may weaken another. Some enhancements might end up compromising your overall Web security.
An entanglement of just this sort adds even more complexity to the issue of government monitoring. Should there be limits on how much Web traffic merits encryption? Should law enforcement have "back door" access to encrypted activity? More to the point, what are the security implications of these policies or standards for your department?
The concern here isn't government traffic monitoring in general, however strong (and mixed) many people's feelings may be about the government monitoring personal content. Your questions relating to encryption are narrower and, in a sense, less ideological, because they carry profound implications for your company's Web security.
A Double-Edged Sword
Online encryption wars are not new; as Cat Zakrzewski reports at TechCrunch, the debate goes back two decades. With so many people growing more concerned about Web security, though, the issue has new urgency. In a nutshell: It is widely agreed in cybersecurity that encryption, particularly end-to-end encryption, is one of the most powerful tools in your infosec toolbox. For thieves, stolen data is a worthless jumble if they can't read it. That's the point of encryption.
End-to-end encryption provides a layer of protection to data over its full journey, from sender to recipient. Wherever thieves may intercept it along the way, all they can steal is gibberish. Law enforcement's concern about this depth of encryption, however, is that anyone can use it — from terrorists to common criminals, both of whom have particularly strong reason to avoid being overheard. Moreover, new categories of malware, such as ransomware, work by encrypting the victim's data so the blackmailer can then demand assets before decrypting it to make it usable again.
For Whom the Key Works
This problem is difficult, but not unusual: If lockboxes are available, cybercriminals can use them to protect their own nefarious secrets. The effective legal response is to then require that all lawfully sold lockboxes come with a universal passkey available to the police, who can then open them. There's your back-door access.
But that's where things get complicated. If a universal passkey for back-door access exists, it could potentially fall into the hands of unauthorized users — who can use it to read any encrypted message they intercept. Your personal mail, your bank's account records, whatever they get access to.
(The NSA and its affiliates abroad can build their own encryption engines without this vulnerability, but such high-powered technology isn't cheap — beyond the means of most criminals, terrorists and the like, of course.)
More Keys, More Endpoints
A special passkey available to law enforcement would presumably be very closely held, and not the sort of thing bad actors are likely to get their hands on by compromising an FBI clerk's computer. But the primary concern in cybersecurity is that the software mods needed to provide a back door would make encryption less robust. This means encryption will be less effective for all uses, even the most legitimate ones.
In essence, a lock that two different keys can open is inherently easier for a burglar to pick. According to Reuters, White House cybersecurity coordinator Michael Daniel acknowledged he knew no one in the security community who agreed with him that a back door wouldn't compromise encryption.
Crucially, this problem is independent of any concern about the governmental misuse of back-door decryption technology. Even if no government agency ever used the back door to decrypt a message, its existence makes it possible for a third party to reverse-engineer the key, or exploit a subtle bug in the backdoor functionality — thus enabling them to read the once-encrypted messages.
Encryption isn't an absolute security protection; nothing is. But it is one of the most powerful security tools available, and your team is rightfully concerned about the risks of compromising it.