The UK and Australia are currently trending in the tech community because of their ambition to undermine the way the internet functions. (https://arstechnica.com/tech-policy/2017/06/australia-to-target-encrypted-messaging-apps-at-upcoming-security-meeting/)
Both cite criminals, terrorists and foreign political agents as reasons why our currently established security should be undermined. This is in drastic contrast to the push from professionals in the industry for stronger communication protocols (better and more widely deployed HTTPS, for example).
By taking a complex issue (security) and looking only at one very narrow application of it, various ministers in the UK and Australia are calling for backdoors that undermine the ability of people to protect their data and communications.
Looked at in that narrow view, in the context of nefarious agents and criminals, their point seems like a great plan. But placed within the wider context of encryption and its uses, the flaws become glaringly apparent.
Encryption is mathematics applied to protect information: a transformation of the data that depends on a secret key. A sound cipher is not secure because its formula is complicated or hidden; the formula is public, and the security rests entirely on the key. It is designed so that recovering the data without the key would take more computing time, and more money, than the data locked inside is worth. This is how we protect communications and information. It is also what keeps a data breach from being a crippling event.
If a communication is intercepted, or data is stolen, correctly encrypted data is still safe, provided the keys were not taken along with it. Your personal details, the company's payroll and the client's information are kept from being divulged.
The current proposal is to create a backdoor: we keep all the benefits of encryption while giving our governments a key that opens every lock on demand. The problem is that a correctly designed cipher has exactly one way in, the key. A backdoor is a second way in, either a master key held by the provider or a deliberate weakness in the method, and it applies to every piece of data protected by that method, not just to the target of one investigation. The burden falls on providers of encryption to create, and then guard, this one key for all their methods of securing information.
The dangers are twofold. Either we are mandated to register our data and the means of accessing it in a database, which limits the damage from any single key breach but creates one large database that is itself a prime target for attack. Or each provider holds one key that can unlock anything encrypted with that provider's products, creating a single piece of electronic data that opens all locks. Unlike a physical master key, a digital one can be copied indefinitely and used without anyone noticing that it has been taken.
In response, providers of encryption will either comply and carry the burden of the potential breaches, or move their business to jurisdictions that do not mandate encryption backdoors. The Australian government's recent problems securing Medicare details, and its response to those difficulties, show who will bear the brunt of such mishandling. (https://www.theguardian.com/australia-news/2017/jul/08/data-breaches-undermine-trust-in-governments-ability-to-protect-our-information)
When it was discovered that the data was actively available to outsiders and had been breached, the official response was to call it "traditional criminal activity".
What do we take away from all this? Encryption is a major part of securing our data and our communications. It is worth knowing how much of our personal detail is actually protected from access. Encrypt your devices and data. Back it up. Keep a secondary set of access credentials, stored separately from the device they unlock.
Devices can be lost, stolen or destroyed. A backup of encrypted data is fantastic but useless if it cannot be unlocked because the device holding the credentials was destroyed with it. The recovery credential has to live somewhere other than the thing it protects.
Best practice is to have a security professional create not just an encryption methodology but also a contingency plan. Have an audit. Decide how secure you need to be. And make sure you retain control of access in case of a major crisis.
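The two key-management situations described above, a provider-wide backdoor key versus a user-held recovery credential, look alike on paper (both are "a second key that opens the data") but behave very differently when leaked. The following is an added example written for this article, not code from the author or from SafeComs. It uses a toy cipher built from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag) purely so that it runs with the Python standard library; a real system would use a vetted AEAD such as AES-GCM. The names `protect`, `open_with`, the slot names and the three users are all invented for the illustration. Each file gets a fresh data key, which is then wrapped under every credential allowed to open it; the escrow slot is the hypothetical mandated backdoor.

```python
# Added example, not from the original article. Only the key-management
# structure is the point: the cipher here is a toy (HMAC-SHA256 keystream
# plus an HMAC tag, encrypt-then-MAC). Use a vetted AEAD such as AES-GCM
# in practice.
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one input key."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(enc_key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered data raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def protect(plaintext: bytes, user_key: bytes, recovery_key: bytes,
            provider_master_key: Optional[bytes] = None) -> dict:
    """Encrypt under a fresh per-file data key, then wrap that data key under
    each credential allowed to open the file. user_key and recovery_key are
    both the user's own (the recovery key kept away from the device);
    provider_master_key is the hypothetical escrow key shared by every
    customer of the provider."""
    data_key = secrets.token_bytes(32)
    record = {
        "ciphertext": encrypt(data_key, plaintext),
        "user": encrypt(user_key, data_key),
        "recovery": encrypt(recovery_key, data_key),
    }
    if provider_master_key is not None:
        record["escrow"] = encrypt(provider_master_key, data_key)
    return record


def open_with(record: dict, credential: bytes, slot: str) -> bytes:
    """Unwrap the data key from the named slot, then decrypt the file."""
    data_key = decrypt(credential, record[slot])
    return decrypt(data_key, record["ciphertext"])


def demo() -> dict:
    """Three users, one provider escrow key; returns what each path yields."""
    master = secrets.token_bytes(32)          # the provider-wide backdoor key
    users = {}
    for name in ("alice", "bob", "carol"):
        user_key, recovery_key = secrets.token_bytes(32), secrets.token_bytes(32)
        record = protect(f"{name}: payroll, client list".encode(),
                         user_key, recovery_key, master)
        users[name] = (user_key, recovery_key, record)

    # 1. Alice's device (and its user_key) is destroyed; the recovery key she
    #    stored elsewhere still opens her backup.
    alice_recovered = open_with(users["alice"][2], users["alice"][1], "recovery")

    # 2. Bob's recovery key leaks: it opens Bob's file and nobody else's.
    bob_cross = {}
    for name, (_, _, record) in users.items():
        try:
            open_with(record, users["bob"][1], "recovery")
            bob_cross[name] = True
        except ValueError:
            bob_cross[name] = False

    # 3. The escrow master leaks once: every user's data is open.
    escrow_leak = {name: open_with(record, master, "escrow")
                   for name, (_, _, record) in users.items()}

    return {"alice_recovered": alice_recovered,
            "bob_recovery_key_opens": bob_cross,
            "escrow_master_opens": escrow_leak}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run it with `python3` and compare the second and third results: the leaked recovery key is a bounded, per-user loss, while the leaked escrow key is the "one key that opens all locks" the article warns about. The wrapping design is also why the advice about a separately stored secondary credential works: the recovery slot exists only because the user chose to add it, and the file stays opaque to anyone who holds neither of that user's keys.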
Bernard Collins is the CEO of SafeComs, established in 1999 in Australia with a focus on computer security in the SME and enterprise market. In 2003 he launched the Asian branch of the company located in Bangkok. Prior to launching SafeComs Bernard was CEO of Pacer Software Inc in Europe and was with Digital Equipment and Apple.
[email protected] 02 105 4520