As SC Media reported yesterday the Internet Society has called upon G20 nations to ensure ubiquitous encryption of the web.
The president and CEO of the Internet Society, Kathryn Brown, has gone on record to state that encryption “should be made stronger and universal, not weaker”.
Some have taken this as a call to encrypt everything online, however in her ‘Securing our Digital Economy' statement Brown says, “Strong encryption is an essential piece to the future of the world's economy and the Internet Society believes it should be the norm for all online transactions.”
Brown also mentions how rather than being recognised as a way to secure online transactions, or conversations, the debate too often focuses on the use of encryption “as a way to thwart law enforcement”.
Which got us thinking here at SC Media UK, would it actually be technically possible to encrypt the entire web and perhaps a little more controversially could this be achieved in a way that enabled decryption to facilitate criminal and national security investigations?
Yes, we know, one country's terrorist is another's journalist, but considering the ongoing global clamour for encryption backdoors we wondered how technically feasible it might be at an internet-wide scale?
As always, we turned to the cybersecurity industry itself for some answers:
Neil Cook, chief security architect at Open-Xchange, welcomed the Internet Society comments and reckons that universal encryption should not only be possible, but mandatory for web traffic, communications and data at rest. “We cannot let the actions of a small minority of people compromise the security and privacy of everyone else by weakening the encryption we all rely on to keep us safe and our data private,” he says.
Which, while admirable, doesn't get us any closer to the technical feasibility point. Dan Panesar from Certes Networks ponders whether that's because it's not actually possible. “In practical terms, it would need to focus on utilising secure connections to everything, rather than blanket encryption of the entire web,” Panesar says. “Blanket web encryption would almost create more problems than it solves, slowing the internet and causing serious functionality problems.”
Chris Hodson, EMEA CISO at Zscaler, is more positive about whether it can be achieved technically. “In a word, yes,” he told SC Media. “Though encryption remains only part of the security puzzle. Front loading the internet with the ‘silver bullet' of encryption only serves to protect information in transit between two parties and does not maintain security hygiene overall.”
As Hodson adds, encryption is only actually valid against those who shouldn't have access to data. Encrypted information is still accessible if a hack is undertaken via ‘legit' means such as the spear-phishing of an admin account.
Mark James, security specialist at ESET, agrees that it's a nice thought but says that while in theory it would enable private communication of all personal data, in practise “with so many parts operated, owned and channelled through so many gateways it's a job that's seems highly unrealistic to achieve”.
Javvad Malik, security advocate at AlienVault, prefers to try and break the problem down into component parts of which, he told us, there are primarily three:
Areas of the web that absolutely should be encrypted and active efforts should be made to increase the security. For example, with it comes to online banking transactions there should be no margin for doubt.
Areas of the web that need privacy and security, but could co-operate with law enforcement without undermining the security model. For example, a cloud provider that holds the encryption keys, or that can create additional access accounts can provide access. This is more common in SaaS type scenarios.
The real pain points which involves all those apps that need to be secured and have no easy way to intercept. This is where apps like WhatsApp sit which offer end-to-end encryption and even the service provider should not be able to access the data.
Lee Munson, security researcher at Comparitech, moved on to our secondary question, that of law enforcement access to encrypted communications.
“For them to gain access to encrypted traffic there would be a need to share keys which, by definition, removes the encryption,” Munson explains. “While this could be controlled in such a manner that no third-party gains access to those keys, experience has told us that as soon as you slip a backdoor of any kind into an encrypted medium, some unauthorised person or group will find a way to leverage it for their own purposes.”
High-Tech Bridge's CEO, Ilia Kolochenko, was equally perplexed by this at a technical level. “It's technically impossible to design an encryption that good guys could break, while bad guys could not,” he says. “Even if we do develop such an algorithm one day, the bad guys will hack the good guys and decrypt all your data.”
His answer then? That we need to make a choice between privacy and law enforcement. But then again, as Javvad Malik pointed out, “the way currently encryption works, I'm not aware of a way that the communication can be kept secure but access allowed; not unless the laws of mathematics can be changed…”
We will leave it to the Venafi chief cyber-security strategist, Kevin Bocek, to swing the debate back around to commerce and the digital economy.
Encryption is key (no pun intended) to the system of trust which underlies the security of every machine on the Internet, of that there's no doubt. “There is no replacement so we really need to continue to make this system work,” Bocek told SC Media.
“Machines have to be able to know which machine they are taking to, they need privacy,” he explained. “This goes beyond enabling ecommerce and online banking – all machine identities need to be protected and to do this we need encrypted and private communications.”
This, argues Bocek, is why our IoT-driven future, where decisions are made and business is conducted in the cloud through machines, needs encryption. “If government wants to have an e-enabled, information society of the future,” he concludes, “encryption is a required ingredient, not an optional one that can be picked up or put down at will.”