Encryption, it’s still not a household word, despite the fact that most households use it to protect the privacy and security of their Internet activities, and most companies use it to interact securely with their customers as well as keep secrets. But now encryption is in the news, thanks to a story that the Guardian broke last week:
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
This news was alarming to IT departments in many companies and has raised a lot of questions, most notably: What do we do about encryption now? My advice? I have three suggestions to offer (based on reading and writing about encryption and the NSA for over 20 years):
1. Don’t stop encrypting. In other words: “Keep calm and carry on encrypting.” The fact that the NSA might have cracked, or have the keys to, the various encryption systems your company is using to protect confidential information does not mean you should give up on that protection effort. For a start, encryption is mandated in a wide range of security standards and regulations.
HIPAA is just one example where failure to encrypt information (PHI) can lead to fines, whereas encrypting PHI can keep you off the HHS wall-of-shame website and avoid both fines and lawsuits. The fact that an agency of the federal government could potentially intercept and decrypt PHI entrusted to you does not put you in violation of HIPAA. I think the same can be fairly said of the various laws and regulations around personally identifiable information (PII) involved in financial transactions, including retail activity and card payments.
So, keep using your VPN and file encryption, disk encryption, encrypted messaging, and so on, even though you might find it unsettling–galling, upsetting, infuriating, insert your own feelings here–that an agency of the United States government might well be able to defeat the products you are using. At the same time, you do need to begin the process described in suggestion #2.
2. Think about what and how you’re encrypting. Despite my advice to keep on encrypting, I also think now is a good time to revisit your current use of encryption. What data are you encrypting? What data should you be encrypting? And how strong does that encryption need to be? Encryption schemes and products currently approved in areas such as PCI, HIPAA, and financial transactions probably don’t need to be changed. However, if your organization is handling data that might be targeted by nation states or their proxies, then you may want to makes changes to the way you encrypt such data, both in storage and in transit.
Bear in mind that this advice can apply to companies big and small. An example I use in presentations is the railgun developed by the U.S. Navy. Over 80 companies, some of them very small, worked on this, under contracts that averaged just $250,000 each, which sounds like small potatoes, but the value of the intellectual property involved could be worth many millions to the right thief/buyer.
For further thoughts on changes to your encryption choices, I highly recommend Bruce Schneier’s advice in The Guardian. I don’t agree with Bruce on some topics, but I do have a lot of respect for his expertise in matters of encryption and his analysis of national security issues. (I’m also a fan of air gaps and symmetrically encrypted removable media, to which Bruce refers in his work on the Snowden papers.)
3. Support changes to encryption and surveillance. As I said in my conversation with Kelly Jackson Higgins at Dark Reading: “I think the latest [Snowden NSA] revelation will energize efforts to improve some of the security and privacy fundamentals of the Internet protocols…and we will see a lot of growth in new encryption software, for example, that could potentially defeat current NSA capabilities.” In other words, now is not the time to throw up our hands in despair that we can never achieve a balance between privacy, legitimate secrecy, and national security.
For example, as reported in Computer Weekly, one of the key U.S. players in the setting of encryption standards, NIST, is already vowing to move forward with greater transparency and will re-open the public vetting of the Dual EC DRBG pseudorandom number generator described in NIST SP 800-90 (.pdf). Some people may be tempted to scoff at such assurances given the way that the NSA has apparently bullied NIST in the past, but I think we have to rebuild trust, through scrutiny, rather than abandon all hope.
At the end of the day there are a lot of very good and clever people working at both NIST and the NSA, striving to do the right thing. Those people deserve industry support, as do other entities involved in setting Internet standards, such as the IETF, which was already talking about changes before the latest revelations (see Financial Times, registration required).
For IT managers and CISOs on the front line I don’t see many immediate changes needed in the wake of the NSA code-busting revelations, unless you are charged with protecting highly sensitive data that might be targeted by the NSA or its equivalent from other countries. But moving forward it makes sense to revisit risk assessments and mitigating controls relative to encryption, and maybe up the spend on lobbying for reforms that would bring greater oversight to digital surveillance.
Author Stephen Cobb, We Live Security