enterprisesecuritymag

The Need of the Hour: Encryption

By Frank J. Cilluffo, Director, Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security and the Center for Cyber and Homeland Security, and Matthew Edwards, Staff Assistant, Auburn University’s Center for Cyber and Homeland Security

Encryption is a double-edged sword. At one and the same time, it holds the promise of security while simultaneously constituting a powerful means of subverting it.

As a host of technological developments and advances have enabled and catalyzed new platforms for digital transactions and communications, sensitive information now flows constantly through cyberspace. From our phones to cars to fridges and furnaces, everything is now connected. This interconnectivity poses a challenge for governments, companies, and individuals alike: how to protect the privacy and integrity of data that bears upon matters of national, enterprise, or personal (individual) security? The concerns include intellectual property theft, and economic and industrial espionage. By encoding data to render sensitive material unreadable to unauthorized parties, encryption offers one answer.

Unfortunately, however, our adversaries can likewise benefit from the protections afforded by encryption. Consider cryptocurrency, which is just one application of encryption.

Cryptocurrency permits one party to transact digitally and directly with another, both securely and anonymously. Such architecture clearly has constructive and productive uses. On the other hand, cryptocurrency may also be used to support money laundering, illicit drug deals, terrorist financing, and extortion in the form of ransomware payment (indeed it is encryption that enables ransomware and allows it to thrive as an ‘industry’)—to name just a few illegal and unwelcome activities.

Against this background, in which encryption empowers both attackers and defenders alike, how should government officials and enterprise executives proceed?

The equities at stake are of the highest order and include national and economic security and top-priority corporate assets. Yet the answer to the question is by no means obvious. And, regardless of where one stands on the issue, the pace of technology development and innovation is likely to render today’s response obsolete sooner rather than later.

Nevertheless, at the heart of the debate as currently conceived is the ‘backdoor’ concept, which refers to a method of bypassing the normal authenticated process of data recovery so as to allow access to otherwise unauthorized parties. Simply put, a backdoor builds flaws into the encryption system to create avenues for third-party entrance.

Once more, though, the concept cuts in two directions. While backdoor proponents contend that law enforcement and intelligence officials will otherwise be blinded (by “going dark”) and thus undercut in their homeland or national security mission, backdoor critics emphasize that if the encryption system is by design open to manipulation, then other (potentially hostile) cyber actors may gain access as well.

These are not the only arguments for and against. It has been further suggested, for instance, that backdoors also act as disincentives to innovation and undermine demand.

Encryption is thus a complex issue with compelling arguments on both sides of the equation. As with other challenging issues, however, it becomes an exercise in risk management, in which an array of factors must be considered in context and balanced one against the other. While it is important to acknowledge the difficulties at play, it is also important to recognize that thoughtful treatments of the issue do exist (including in the public domain) and these frameworks may help guide the actions and practices of government and corporate decision-makers and their teams.

What is clear is that the United States is not alone in searching for the best way forward on encryption. Other countries, too, are grappling with the issue and exploring different approaches. It may be that one size will not fit all, worldwide. But certainly none of us will have the luxury of ducking the issue altogether given everything that is at stake.

Co-author: Sharon L. Cardash, Deputy Director, Auburn University’s Center for Cyber and Homeland Security
