Encryption is one of the core foundations of the internet. It enables the trusted exchange of information between two entities on the web, as well as protecting the identity of those online.
Without this valuable technology, financial institutions would not be able to transfer money online and legal firms would not be able to share documents over the internet.
But identity is not confined to the human user; it applies to machines as well. “There are two actors on a network – people and machines,” said Jeff Hudson, CEO of Venafi.
“People identify themselves to a network using usernames and passwords, and then machines talk to one another throughout the network, but instead of usernames and passwords, they use machine identities,” he told Computer Weekly.
The number of machine identities is increasing exponentially because digital information is built using machines, not people. “We recognise the fact that identities get stolen and we spend about $8bn a year protecting human identities, but we are spending hardly anything on protecting machine identities,” said Hudson.
It is our collective trust in encryption technology that enables the internet to operate as it currently does, allowing us to transmit information confidentially without it being intercepted or manipulated. But if that trust should fail, then the internet itself would become unusable.
Unfortunately, encryption is currently under attack from not one, but two sources – governments seeking backdoor access to encryption algorithms, and criminals wanting to breach encryption to gain access to sensitive data.
Although she later backed down, former UK home secretary Amber Rudd demanded last year that technology companies create backdoors in messaging apps to give the security services access to encrypted communications.
More recently, FBI director Christopher Wray renewed his call for backdoors in encryption, exclusively for the use of law enforcement agencies, and US senator Dianne Feinstein is spearheading a campaign for law enforcement to have access to any information sent or stored electronically.
“I think there is a naivety about the cyber world and how to secure it,” said Hudson. “People tend to run off and make proclamations, like installing a backdoor is a really good idea.”
Governments want encryption to work, but they also want to be able to access encrypted information in order to pursue criminals. However, installing a backdoor in an encryption system would create a fundamental vulnerability in the protection that would inevitably be exploited.
Jeff Hudson, CEO, Venafi
“There is no such thing as a backdoor that doesn’t get used by criminals,” said Hudson. “Never in the history of the world has there been a backdoor that doesn’t get exploited by criminals.”
Hudson believes such backdoors would be a disaster. “In no way, shape or form should anybody within this industry be complicit with a government in providing a backdoor,” he said. “Because if you do, the bad guys will get it. Also, how do you give access to a backdoor to one government and not another?”
Requesting backdoor access is not the same as requesting an encryption key. An encryption key is used to access specific encrypted traffic; backdoor access fundamentally breaks the encryption. Once a backdoor has been installed, no matter the assurances from government, there will come a time when it is abused. When that happens, trust in encryption will fail and it will no longer be usable.
“Backdoors would be a security catastrophe,” said Hudson.
Governments are currently trying to balance the desire for security with respecting people’s privacy. “Encryption gives people privacy and that means terrorists have privacy too,” said Hudson. “I think governments are listening to the arguments against backdoors, but their basic desire is to want to control and know everything. They can’t help themselves.”
Some might argue that governments are not deliberately attacking encryption and that they are only considering such policies as a form of protection. But Hudson politely disagrees. “A bad guy is someone who is working not in your interests,” he said. “They are attacking you because they are not aligning with you.”
Criminals are also trying to break encryption in order to steal identities. Using these identities, they would subsequently be able to gain access to valuable information. These identities are not just people, but devices, too. “If somebody, such as bad guys who want to watch [network] traffic, can steal a private key, then they can attack encryption,” said Hudson.
Research into quantum computers is also a concern, because these powerful machines are capable of processing mathematical equations far more quickly than conventional computers, so they could well be able to decode existing encryption through sheer brute force. However, said Hudson, quantum-resistant encryption algorithms are already being developed in anticipation of this (quantum) leap in processing power.
According to Hudson, one of the biggest threats in the world today is that machine identities are not protected. Identities can be stolen and when they are compromised in such a way, they can damage systems’ operations. “Most corporations do not have that line of sight on machine identities,” said Hudson. “About 95% of companies we talk to do not know much at all about their machine identities.”
This lack of awareness could mean organisations are unwittingly in breach of the European Union’s General Data Protection Regulation (GDPR). If data falls into the hands of an unintended recipient, the organisation could be fined. “An unintended recipient could mean a person, but a recipient can also mean a machine,” said Hudson.
With this in mind, organisations need to understand which of their machines are authorised to access their databases. This means companies have to be able to attest to each device’s identity; otherwise they cannot fulfil their obligations under the GDPR.
To protect themselves, organisations should conduct a hardware audit to catalogue all of the machine identities of their devices. Having visibility of where all these identities are enables companies to recognise how their devices could be used to harm the organisation. “If there are seven of the same machine identities being used at the same time, then you cannot trust any of them,” said Hudson. “Know what they are and what they mean.”
Organisations must be proactive in anticipating possible threats to their communication networks and take a risk-averse approach to their security, rather than prioritising continued network operations. “If you think an identity or private key has been compromised, switch it out,” said Hudson. “That way, if someone has been able to steal that private key, the one they stole will no longer work.”
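A small inventory check for the audit described above, added here as an example (it is not code from the article or from Venafi): it groups a constructed machine-identity inventory by public-key fingerprint, flags any identity presented by several hosts at once, and lists which hosts need their identity switched out. The record format, host names and key bytes are assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import date


def fp(key_bytes):
    """SHA-256 over the (constructed) public-key bytes, hex-encoded."""
    return hashlib.sha256(key_bytes).hexdigest()


# Constructed inventory: one record per host/identity pair, as a hardware
# audit would produce it. The key bytes are placeholders for real SPKI DER.
INVENTORY = [
    {"host": "web-01", "spki": fp(b"key-A"), "not_after": date(2026, 6, 30), "flagged": False},
    {"host": "web-02", "spki": fp(b"key-A"), "not_after": date(2026, 6, 30), "flagged": False},
    {"host": "web-03", "spki": fp(b"key-A"), "not_after": date(2026, 6, 30), "flagged": False},
    {"host": "db-01",  "spki": fp(b"key-B"), "not_after": date(2027, 1, 15), "flagged": True},
    {"host": "api-01", "spki": fp(b"key-C"), "not_after": date(2024, 1, 1),  "flagged": False},
    {"host": "lb-01",  "spki": fp(b"key-D"), "not_after": date(2027, 3, 1),  "flagged": False},
]
TODAY = date(2025, 1, 1)  # assumed audit date


def shared_identities(inventory):
    """Identities presented by more than one host; every holder is suspect."""
    hosts = defaultdict(set)
    for r in inventory:
        hosts[r["spki"]].add(r["host"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) > 1}


def rotation_plan(inventory, today):
    """Return {host: [reasons]} for every identity that should be switched out."""
    shared = shared_identities(inventory)
    plan = defaultdict(list)
    for r in inventory:
        if r["spki"] in shared:
            others = [h for h in shared[r["spki"]] if h != r["host"]]
            plan[r["host"]].append("shared with " + ", ".join(others))
        if r["flagged"]:
            plan[r["host"]].append("suspected compromise")
        if r["not_after"] < today:
            plan[r["host"]].append("expired")
    return dict(plan)


if __name__ == "__main__":
    for host, reasons in sorted(rotation_plan(INVENTORY, TODAY).items()):
        print(f"{host}: rotate ({'; '.join(reasons)})")
```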
As such, if organisations suspect that their device identities and/or encryption keys have been obtained illegally, they should seek to further reinforce their networks against possible future attacks, and thus further lessen the risk of criminals obtaining this critical information.
As well as protecting themselves from criminals, organisations should also seek to liaise with the government. Engaging with legislators and government bodies allows the industry to educate policy-makers on the unfortunate consequences that ill-advised legislation, such as demanding backdoors in all encryption, could have on the internet’s future.
Encryption is one of the fundamental building blocks of the internet and, as such, must be protected from both malicious compromises and misguided interference. Without this, our online identities – both human and machine – would be vulnerable to exploitation, thereby removing the trust that allows information to be exchanged. If this happened, the entire internet would be rendered unusable.
“The greatest threat to privacy is backdoors created by technology providers,” concluded Hudson.