March 6, 2018

Cryptography is Our Digital Immune System

A fifth, man-made domain serving as a great force multiplier for commerce and free expression, cyberspace has also made us more vulnerable.  We have intertwined nearly every aspect of society including critical infrastructure, business, and communication to internet technology, all of which was not initially designed to be secure in this hyper-connected world. 

No organism, life form, species or society can survive without an immune system, which is stronger than the bacteria, epidemics and infections that threaten it.  Similarly, a digitally driven and digitally interconnected world cannot function without data protection. There is little practical difference between a medical virus, which produces social chaos and a digital virus, which triggers unrest by shutting down a city or country's energy grid. 

The internet has survived as the critical backbone of our democratic process and free market because we are continuously strengthening our online connectivity's immune system, which protects us from global pandemic threats including computer hacks and viruses.   Cryptography is our digital immune system which authenticates and protects data, money, the health and safety of people and reputation.  Cryptographers are the small group of highly specialized mathematicians, on whom we rely to ensure encryption keeps pace with technology and digital connectivity.

During the past few years, the explosive proliferation of digital connectivity—from smart phones to the widespread adoption of connected consumer products comprising the Internet of Things—has strained the most commonly used methods of encryption and authentication. Todays standards function as the equivalent of white blood cells, staving off opportunistic infections and disease—are sometimes stretched to the breaking point.

Private correspondence, critical infrastructure, protection of intellectual property, and financial services depend on cryptography to function securely. Without cryptography, correspondence, which is sent or received electronically and the links we click on would serve as a contagion agents for virus, attack, threat and data breach. For years, cryptographers have been raising red flags, not only about the strained weight bearing down on cryptography today, but also the complete inadequacy of current cryptograhpy against the rapidly approaching reality of quantum computing, and the need for clear standards to address both. NIST (National Institute of Standards) has initiated a process to solicit, evaluate, and recommend one or more quantum-resistant public-key cryptographic algorithms.

Bolstering cryptography is not the only solution.

In most though by no means all cases, the mathematical algorithms forming the substance of encryption and authentication have held up remarkably well. More important is what happens once encryption passes from cryptographers to users. Is it implemented correctly? How is it managed?

For decades, cryptography has been launched piecemeal and without the agility to make necessary changes and updates. Although strong cryptography is as critical to protecting entire digital networks as it is to protecting the organizations that deploy it, there are no enforceable and accepted standards for its application and management.  Cryptography lacks the agility to make necessary changes once deployed. It has become so deeply entrenched across all the digital systems we access daily that it is almost impossible to release updates, patch vulnerabilities and conduct cryptographic lifecycle management.

The damage, severity and frequency of attacks are increasing.  Cryptography runs the risk of degrading overtime without improvements and enhancements. There is of course no multinational, organizational body to adopt protocols, release fixes, or address attacks. 

Consider one example from 2014: The Heartbleed Bug.  A serious security vulnerability in the popular OpenSSL cryptographic software library, this weakness allows threat actors to steal information protected by the SSL/TLS encryption used to secure the Internet. It took more than 800 days to identify it, and cost more than $500 million to fix—and years later, nearly 200,000 websites are still at risk.

Going forward, three key elements will impact how we protect the data, money, and reputation, on which commercial success relies.  

First, we should not expect a global, universal adoption of stronger cryptographic protocols and processes.  In fact, we should expect the global trend of countries wanting their own cryptographic standards and protocols to increase. Each enterprise must deal with this challenge individually.  Businesse should make it a priority to know their risk exposure, as well as the cost and consequences of an attack—for employees, customers, and partners. Compliance, regulations and policies will become stricter for the private sector and the fines associated to companies with things like GDPR (General Data Protection Regulation) in the UK will push enterprises to prepare for stronger data protection.

Second, the aftermath of the 2015 San Bernadino attack demonstrated a potential schism between the U.S. government's and the private sector's approaches to cryptography. The advanced cryptographic and encryption that has been used in the government sector is now required for private sector. While the FBI sought to collect counterterrorism intelligence, Apple was understandably loath to degrade the security of its device.  Degrading the iPhone's encryption would have harmed one critical element of national security while seeking to serve another, creating a dangerous precedent for public-private sector collaboration.  U.S. national security relies as much on conducting forensics following a terrorist attack as it does on protecting encryption and by extension security in cyberspace in which we entrust our intellectual property and sensitive data.  The FBI's eventual use of a cyber tool to unlock the iPhone deferred public debate on what is a mutually exclusive offensive intelligence collection and defensive technical countermeasure.  Cognizant of the importance of encryption to protect its own sensitive communications, the U.S. government should support the same strategy for our private sector.
 

Third, with digital technology now connecting people around the world instantaneously, we should recognize cryptography is the essence of our immune system.  Cryptography and its life-cycle management are critical to countering the growing number of nefarious state and non-state actors who seek to do us harm.

Understanding cryptographic protocols and tracking network vulnerabilities is as challenging as it is vitally important to ensuring consumer confidence.  Maintaining the highest levels of cryptographic standards and life-cycle management is essential if we are to maximize the gain of operating in cyberspace while minimizing the enormous and growing risk.

Go to news