Tammy Moskites is chief information security officer at Venafi, an IT security software company that helps organisations track and manage their digital keys and certificates
The encryption debate has rumbled on for years and is now heading to a crescendo that could result in the foundations of online trust being blown away – a doomsday we may never recover from.
Whether it’s the FBI trying to force Apple to create software to crack its own encryption or the UK government using the Snooper’s Charter to force companies to break encryption and provide the contents of encrypted communications, the message is starkly clear – they want the master ‘God Key’ to unlock all data and are so desperate to get it that they no longer care about the dangers.
Our online world is predicated on a system of crypto keys and digital certificates, which has formed the bedrock of secure communications for 20 years. By design, keys and certificates are natively trusted by servers and other security applications to provide privacy and authorisation for everything that is IP-based today, that’s servers, clouds, mobile devices, applications and Internet of Things (IoT) devices.
Essentially, they allow our machines to talk to one another, know who or what can and can’t be trusted.
If you get the master God Key that allows you to take control of these communications, you have the power to bend the machines to your will and access whatever data you want. It’s almost understandable why governments have become so obsessed with getting it, but can they really be trusted?
Consider the facts
We have already seen examples of government over-reach. From whistleblower Edward Snowden lifting the veil on the NSA’s activities (using a stolen key no less), which led to the UK government being found to be spying on millions of its citizens.
The fact is that governments are already over-stepping and gaining data on citizens, many of whom have committed no crime or infringement, without their knowledge or consent.
And this is not just an issue for technology companies like Apple – today, every company is a digital business and all organisations are custodians of data. How far will governments reach? Will they demand real-time access to monitor transactions from banks? Or access to transport tracking systems?
To date, encryption has been standing in the way of governments being able to see and read everything we communicate and that is what’s driving them mad.
How dare people actually want to decide who sees their data and why? They must be terrorists or have something else to hide.
This is the common rhetoric from government – yet there are many reasons that companies and individuals would want to safeguard their basic right to privacy, it doesn’t make people criminals.
Even if you are willing for the government to access your data that does not mean you want to allow just anyone to gain free access to it.
Our intellectual property, customer trust and company DNA is wrapped up in our data, hence why it is so closely guarded. It is not just the government abusing the power of the God Key we need to worry about – it is government incompetence too. Time and again we have seen government breaches of security.
If they are given the powers they are asking for, they will now be responsible for our corporate security – they’ll have the God Key that would enable a hacker to walk into a high street bank and empty each of our bank accounts.
As a consumer, I’m not sure I feel comfortable about this, but as a shareholder I’d be rushing to sell my shares in that bank if I found out a government held the God Key to it.
Forcing legitimate companies to offer backdoor access to their solutions will also create blueprints that could easily get into the wrong hands. Take Stuxnet, for example.
Here, we saw the US government creating a vulnerability that leveraged misused keys and certificates for their own means, which was soon hijacked and put to use in the worst possible way, an attempt to tamper with critical infrastructure.
That government attack formed the basis for an attack blueprint that is now commonly used by your average cyber criminal.
Secrets do not stay secret, especially in the murky world of the intelligence services.
When the US created the nuclear bomb, I’m sure they hoped that they could keep it secret. Now, Kim Jong Un’s finger hangs over the detonate button.
The God Key has the potential to be even more destructive. Our whole world, our critical infrastructure, from online commerce to hospitals, everything is connected by machines – if someone gains the power to take those over we face a ‘Year Zero ‘scenario that could rocket us back over 100 years. Society could collapse.
As we see more and more devices added into this web of machine dependency with the growing adoption of IoT the problem becomes even more pressing.
And of course, the hackers are onto us.
The Dark Web is a vibrant marketplace where the bad guys can trade and barter on keys and certificates. Imagine if they got hold of the overriding God Key?
To quote Doc Brown (from Back to the Future, not the rapper): “the consequences could be disastrous”.
We would likely see a rise in IoT ransomware with companies at the mercy of hackers having to hand over millions of pounds.
If you are a nation state looking to launch an attack on a country, why not knock out its electricity grid? Or even change the temperature in its nuclear facilities to make it unstable?
If in the wrong hands, keys and certificates can become potent weapons of mass destruction – do we really want WMD blueprints to flood the market?
This is why it’s vital for the future of the world that we do not provide access to the God Key.
If we do, the world as we know it could be completely transformed – and not for the better.
In a mini-win for the anti-IPB camp, the government has just agreed to conduct an independent review into the powers surrounding bulk data collection.