Cybersecurity and encryption
In today’s world of ubiquitous computers and networks, it’s hard to overstate the value of encryption. Quite simply, encryption keeps you safe. Encryption protects your financial details and passwords when you bank online. It protects your mobile phone conversations from eavesdroppers. If you encrypt your laptop — and I hope you do — it protects your data if your computer is stolen. It protects your money and your privacy.
Encryption protects our government. It protects our government systems, our lawmakers, and our law enforcement officers. Encryption protects our officials working at home and abroad.
Encryption protects our critical infrastructure: our communications network, the power grid, our transportation infrastructure (especially in aviation), our financial institutions and everything else we rely on in our society. As we move to the Internet of Things (IoT) with its interconnected cars and thermostats and medical devices, all of which can destroy life and property if hacked and misused, encryption will become even more critical to our personal and national security.
Cybersecurity is more than encryption, of course. But encryption is a critical component of cybersecurity. While it’s mostly invisible, you use strong encryption every day, and our Internet-laced world would be a far riskier place if you did not.
When it’s done right, strong encryption is practically unbreakable. Any weakness in encryption will be exploited by hackers, cybercriminals and foreign governments. Many of the system breaches that make the headlines can be attributed to weak or, worse, nonexistent encryption.
The security and law enforcement agencies of nations have always wanted the ability to bypass encryption in the course of criminal investigations. This is known as a ‘backdoor,’ because it’s a way to access the encrypted information that bypasses the normal encryption mechanisms. I am sympathetic to this, but as an electronic engineer I can tell you that there is no way to give the authorities that capability without weakening the encryption against all adversaries as well. This is critical to understand. I can’t build an access technology that only works with proper legal authorisation. The technology just doesn’t work that way.
If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it’s a fragile secret. Backdoors are one of the primary ways hackers attack computer systems.
This means that if the authorities, legally enforcing through service providers, can listen in on your conversations or get into your computers without your consent, then so can any number of nation-state or nation-state-sponsored cyber attackers. Backdoors weaken us against all sorts of cyber threats.
Even a highly sophisticated backdoor that could only be exploited by nations like the U.S. and China today will leave us vulnerable to cybercriminals tomorrow. That’s just the way technology works: things become easier, cheaper, more widely accessible. Give the authorities the ability to hack into a smartphone today, and tomorrow you’ll hear reports that a criminal group used that same ability to hack into our power grid or other critical infrastructure.
The authorities treat this as a trade-off between security and privacy. It’s not. It’s a trade-off between more security and less security. Our national security and critical infrastructure systems need strong encryption.
I wish it were possible to give the law enforcement and security agencies the access they want without also giving the bad guys access, but it isn’t. If the authorities get their way and force companies to weaken encryption, all of us - our data, our networks, our infrastructure, our society - will be at risk.
‘I have nothing to hide’ was once the standard response to surveillance programs utilising cameras, border checks, and casual questioning by law enforcement.
Privacy used to be considered a concept generally respected in many countries, at least in the West, with a few changes to rules and regulations here and there often made only in the name of the common good.
Things have changed, and not for the better.
China’s Great Firewall, the UK’s Snooper’s Charter, the US’s mass surveillance and bulk data collection - compliments of the National Security Agency (NSA) - Russia’s alleged election tampering, and countless censorship and communication blackout schemes are all contributing to a global surveillance state in which privacy is a luxury of the few and not a right of the many.
As surveillance becomes a common factor of our daily lives, privacy is in danger of no longer being considered an intrinsic right.
Everything from our web browsing to mobile devices and the Internet of Things (IoT) products installed in our homes has the potential to erode our privacy and personal security, and you cannot depend on vendors or ever-changing surveillance rules to keep them intact.
Having ‘nothing to hide’ doesn’t cut it anymore. We must all do whatever we can to safeguard our personal privacy.
Google’s search engine, alongside other major options such as Yahoo! and Bing, makes use of algorithms based on your data to provide ‘personalized’ experiences. However, browsing histories and search queries can be used to create user profiles detailing our histories, clicks, interests, and more, and may become invasive over time.
To prevent such data from being logged, consider using an alternative that does not record your search history and blocks advertising trackers.
The threats to our privacy and security are ever-evolving, and within a few short years things can change for the better or for the worse. It is a constant game of push-and-pull between governments and technology giants when the conversation turns to encryption; cyber attackers are evolving and inventing new ways to exploit us daily, and some countries would rather suppress the idea of individual privacy than protect it.
In a world where many of us have been asked to rapidly change our working practices and to do our jobs from home, research suggests cyber incidents are on the rise, with many of us oblivious to security best practices. If we don’t take basic precautions, we may be risking not only our personal devices, but also our company’s or employer’s systems.
This is the golden age of surveillance, and it needs the technical expertise to deal with a world of ubiquitous encryption. Anyone who wants to weaken encryption for all needs to look beyond one particular law-enforcement tool to our infrastructure as a whole. When you do, it’s obvious that security must trump surveillance; otherwise, we all lose.
Thankfully, the threat to our privacy has now been acknowledged by technology companies, and many organisations, both for-profit and non-profit, have taken it upon themselves to develop tools for our use to improve our personal security - and it is now up to us to do so.
I urge you all to stay up to date and cybersecurity-aware, take the necessary precautions, and stay safe and secure in both the physical and digital world.