Everyone appears to be gobsmacked when it comes to encryption … techies, IT folks, infosec professionals, legislators, regulators and the public at large. After all, encryption algorithms have been developed by the brightest of mathematicians and computer scientists. But, apart from a few geniuses, how many of us really understand the math behind PKI (public key infrastructure) other than it has something to do with very large prime numbers? Yet we hail it as the wave of the future in data and transaction-message protection?
So it was somewhat surprising to come across the article “More Encryption Means Less Privacy” by Poul-Henning Kamp, who is involved in the FreeBSD project, in the March 17, 2016 issue of the ACM Queue . Kamp takes the controversial position that, in response to the Snowden affair, groups such as the IETF (Internet Engineering Task Force), which issued “Best Current Practice 188,” are insisting that SSL/TLS encryption is being “hammered into and bolted onto protocols and standards throughout the IETF working groups” and that “when all you have is a hammer, all problems look like nails …”
Kamp points out that BCP 188 essentially supports the idea that there is “a universal human right to absolute privacy … against law enforcement, even if law enforcement has a court order …”
Many years ago, Peter Tippett M.D., Ph.D., founder of TruSecure and ICSA Laboratories, pointed out that a relatively small percentage of hacks are actually against data in motion (or in transit). So the real danger is in the hacking of data at rest (or stored). Yet encryption is only protective when a hacker gets access to databases containing private information. While that clearly happens with unsettling frequency, hackers are still challenged with the task of decrypting the data, which can be expensive in skills and resources. As a result, the crime changes. Hackers find it much easier and more effective to get at user access credentials through phishing and to use such retrieved data to get into applications which automatically decrypt the data for them. Encryption doesn’t prevent this, no matter how strong the algorithms. Also, phishing can get not only usernames, passwords, secret answers to popular questions, etc., which data enable account hijacking and consequent access to intellectual property, but also account numbers and other personal information (date of birth, Social Security number, etc.) for identity theft and subsequent fraud.
Kamp comes to the following conclusion:
“Slapping unbreakable crypto onto more and more packets is just going to make matters worse. The only way to retain any amount of electronic privacy is through political engagement.”
Judging from the current contentious relationships between politicians and law enforcement, on one side, and the high-tech industry, on the other, it would appear that it will be a very long time before the two sides sit down and hash out the real issues and their practicality in order to arrive at a mutually-acceptable approach.
Some of my more recent presentations and papers, some of which have been, and will be, posted to IEEE Xplore, address the issue of establishing generally-accepted global cybersecurity and privacy standards. The papers also consider what lawmaking, regulatory, testing and certification entities will be needed to enforce these standards. There is a lot of productive work to do. Better to bite the bullet and get started at least on the standards component, rather than generating much heat and little light by arguing about secondary technical matters.