In a move which epitomises the phrase “the left hand doesn’t know what the right hand is doing”, the Government has rolled out its new Cyber Security Strategy on the same day its draft Investigatory Powers Bill, which has been criticised for the real threat it poses to encryption, takes its penultimate step towards becoming law.
The Chancellor today announced plans to expand police units tasked with tackling online gangs as well as increase the funding available to help improve the security of connected devices such as laptops, tablets and smartphones. In total £1.9bn will be spent on the measures in the Cyber Security Strategy.
Protecting citizens from the growing threat of cybercrime is a laudable aim and something that has to be taken seriously. Unfortunately the Strategy’s treatment of encryption undermines this. On page 52 it notes:
“When served with a warrant, companies are asked to remove any encryption that they themselves have applied, or that has been applied on their behalf, so that the material provided is in readable form.”
This practice, through the use of Technical Capability Notices, can be found in the Investigatory Powers Bill. Critics of the plans have pointed out that the notices will weaken encryption (and therefore security) for everyone, not just criminals. Put simply, it is impossible to guarantee that backdoors will be used only by a benign UK government; as soon as they are created, they are open to malicious parties as well.
This problem was noted by Google in its submission to the Joint Committee on the draft Investigatory Powers Bill:
“We believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat. In this rapidly evolving cyber-threat environment, companies should remain free to implement strong encryption to protect customers.”
Not only could the plans harm UK customers, but they could disproportionately damage UK businesses. During a debate on the Bill, Liberal Democrat Peer Lord Paddick pointed out that the notices may not be legally enforceable on overseas companies and may therefore have the “potential to act as a competitive disadvantage to UK technology businesses”.
Whilst it is good that Ministers are trying to tackle cybercrime, they also need to look at the problems their own legislation will cause. If they don’t, they will simply be undermining themselves.