Australian Government cyber-security preparedness found wanting as it calls on crypto vendors to help with decrypting cyber-criminals’ data.
In the wake of the recent Notifiable Data Breach legislation in Australia, and Europe’s General Data Protection Regulation (GDPR), national government is turning its attention to cryptographic vendors and telecommunications application developers.
Further legislation is proposed that will compel crypto vendors to weaken their standards or provide encryption backdoors to enable authorities to decrypt cyber-criminal’s data.
At the same time, Tech Crunch has published an article pointing to a lack of cyber-security preparedness among federal government agencies. The article references an Office of Management and Budget (OMB) report that finds little situational awareness and a lack of standard processes for the reporting and management of attacks, and limited use of even basic encryption. It concludes that the current situation is “untenable”.
Both stories raise some questions about government understanding of encryption. What data does the government encrypt and what encryption solutions does it use? The Tech Crunch article claims that government agencies either “do not understand, or do not have the technical resources available to combat the current threat environment”.
Not all encryption solutions offer the same degree of data protection. The certified, high-assurance encryption standards demanded by government agencies, defence forces and major corporations around the world do not allow for backdoors.
One of the core tenets of a high-assurance solution is the provision of end-to-end encryption security. Advanced encryption key management systems are designed to limit access to the keys. In the case of a high-assurance encryption solution, this means only the data owners themselves have access to the keys.
The trouble with advanced cryptographic technologies is that you can’t simply limit access to the good guys. Cyber criminals are just as likely to benefit from data security, integrity and forward secrecy. They certainly have access to sophisticated big data analytics and storage technologies.
The Australian government is not alone in calling on crypto vendors for help. Both the US and the UK have considered legislating for the inclusion of backdoors or master keys in recent years. However, both have recognized the impact this would have on their own data security and have backed away from the idea.
Of course, there are “weaker” encryption models available that do not rely upon end-to-end encryption and client-only key management. In some instances, vendors may be prepared to share access to these systems. The downside though, is that this is likely to make the solution less appealing to the end-user.
Going back to the Tech Crunch article, it seems that government has lost its leadership role when it comes to data security. Twenty years ago, it was government that lead the charge for stronger data protection and helped establish the global standards that are in place today.
The article reveals that nearly 75% of federal agencies have cyber security programs that are either “at risk” or “high risk”, and that many of them are unable to detect when a large amount of data leaves their network. Again, this raises questions about how sensitive data is secured across government networks. Is it encrypted whilst at rest and in motion? If so, how?
At a time when the cyber threat landscape is so diverse, and the data security world gears up for the game-changing arrival of the quantum computer, it is more important than ever that government maintains the highest possible security standards.
This should start by embracing the high-assurance promise of end-to-end encryption, not calling for a weakening of the standards that were designed to protect citizens’ data in the first place.
Discover more about high-assurance encryption.
To read the original Innovation.com article “An encryption bill with holes in it”: https://www.innovationaus.com/2018/06/An-encryption-bill-with-holes-in-it
To read the original TechCrunch.com article “Government investigation finds federal agencies failing at cybersecurity basics”: https://techcrunch.com/2018/05/30/government-investigation-finds-federal-agencies-failing-at-cybersecurity-basics/