30 Nov 2018
Cyber-attacks can range from IP theft to voter fraud, identity theft to industrial espionage; they are creating havoc among the IT security community and beyond. However, this could be just the tip of the iceberg.
Quoting CNBC “The threat of cyber espionage goes above and beyond endangering some of the world’s largest oil and gas companies, industry experts warned, saying ‘entire countries’ are being targeted.
Cyber-security solutions loosely fall into one of two categories: Prevent and Protect. Since prevention technologies are seemingly incapable of defending against a breach, it falls to protection technologies, such as encryption, to provide the last line of defence against cyber-attacks. Should a breach occur, if the data is protected using high-assurance encryption, the lost or stolen information is rendered meaningless.
The role of encryption in securing critical national infrastructure is often underappreciated. It is used to secure a broad range of applications; including real-time video surveillance, transactional data and SCADA control systems (commonly used by national utilities and service providers).
Senetas is trusted globally to supply high-assurance encryptors for use in protecting energy generation plants and ocean-based oil rigs, among others. In the case of control network data, encryption prevents the insertion of malicious and rogue data into these sensitive networks. Strong encryption is, therefore essential to maximise the protection of critical national infrastructure.
So, if encryption is used by governments (protecting secrets and citizen identities), defence forces (to protect the country), infrastructure providers (to protect lives and their assets) and enterprises (to protect their businesses), why do some wish to demonize encryption?
There have been efforts in the USA, UK and now Australia to weaken encryption; including attempts to mandate the inclusion of “backdoors” that would enable law enforcement to access unencrypted data. Although the US and the UK abandoned their plans, the Australian government is currently seeking to fast-track its proposed Access and Assistance Legislation.
Criminals typically represent a small percentage of a nation’s population. Governments are unlikely to consider legislating against the ownership of a car, a balaclava or a crowbar, so why legislate against a tool that is predominantly used for legitimate purposes? One government minister has gone so far as to cast encryption as “the weapon of first choice for terrorists”.
One of the (many) challenges this legislation poses is the provision that vendors assist law enforcement in accessing encrypted data. In the case of high-assurance, end-to-end encryption solutions this is technically impossible. Access is only granted to authorized users in possession of the encryption keys (IE the customer using the encryption solution). The only way to get around this would be to introduce vulnerabilities into the system.
There are three fundamental flaws with this approach:
- Truly robust encryption solutions cannot be decrypted without access to the encryption keys. These sit with the data owner. Not even the original systems manufacturer has access to them.
- Would anyone seriously consider weakening a technology what protects all 99.9% of good citizens’ data just because criminals may use it?
- Australia is a trusted exporter of cyber-security solutions. Mandating system vulnerabilities would erode trust in the market and could be catastrophic for local manufacturers.
Should such a Bill be passed Australia’s export reputation would join that of the US, China and Russia; all of whom are suspected of weakening security through the inclusion of “backdoors”. Ironically, the Australian government itself recently banned Chinese technology companies from participation in the national 5G infrastructure for reasons of “national security”.
The UK’s security agency, GCHQ, has attempted similar far reaching legislation. Most recently, as it wrestles with the principles of end-to-end encryption, it has suggested it can simply be added to encrypted messaging apps as an invisible party. The problem is, that would require a weakening of the encryption model. Commentators argue this would be severely damaging to the UK’s cyber-security reputation, not to mention a breach of data protection rules.
Be careful of what you wish for, lest it come true.