Privacy, back doors, and you – get ready for the tech encryption debate of 2016

SUMMARY:

I usually avoid tech predictions like the plague, but I’ll make one: the 2016 tech encryption debate is coming, and it’s going to be noisy. Here’s my take on best actions.

The aftermath of the awful terror event in Paris had led to posturing and finger pointing. Encryption tech has been hauled into the fray, with political opportunists blaming everyone from Snowden to SONY Playstation.

I ordinarily avoid tech prediction posts, but I’ll make one now: 2016 will see encryption technology at the forefront of tech debates. For enterprises, this means understanding that security goes beyond firewalls into the nuances of how networks can be subverted. That means learning about techniques that are sometimes missing from a security checklist, such as messaging apps that self-delete.

For citizens, this means educating ourselves enough about security tech to grasp the tradeoffs we may be asked to make between privacy and national security. To make things tougher, sometimes these “tradeoffs” are wrongly portrayed, and have nothing to do with our own protection.

High-tech firms are in the middle of the encryption blame game

High-tech firms will find themselves in the center of it. U.S. politicians rushed to demand weakened encryption to aid in surveillance. As noted in Tech Giants Don’t Budge as Lawmakers Push Weakened Encryption:

At the heart of the debate is just how much information the tech firms — including Alphabet, Apple, Facebook, Oracle and Microsoft — can be required to hand over to U.S. intelligence and law enforcement agencies.

Intelligence agencies piled on, claiming that the fallout from Edward Snowden meant terrorists have sought out encrypted channels that are “dark” to intelligence agencies. This irresponsible piece from hacked.com “reports” the terrorists planned the Paris attacks via the PlayStation 4. Another media outlet, digitaljournal.com, which raised the possibility the attacks could have been planned via Playstation 4, was later compelled to update/retract, saying:

The link between the PlayStation 4 and the attacks in Paris no longer appears to exist. A “reporting error” in the original Forbes article that this report is based on incorrectly stated that a PlayStation 4 console had been recovered during a raid in France and quoted Belgian federal home affairs minister Jan Jambon as saying “PlayStation 4 is even more difficult to keep track of than WhatsApp” in the wake of the attacks.

It has since emerged that Jambon made the comment three days before the attacks in Paris, on November 10. Forbes author Paul Tassi admitted to Kokatu this afternoon that he “misread” the minister’s statement, leading to the publication of his incorrect, and since amended, report.

Fanning fears in a rush-to-judgement will be the modus operandi during this election season, as NBC News notes:

So far, little evidence as to the preferred methods of communication employed by the terrorists behind those attacks has been made public.

That’s not stopping Republicans and Democrats from renewing calls for agencies to be given access to encrypted data held by tech companies, perhaps via so-called back doors with keys that allow them to more quickly obtain information about suspected terrorists, all in the name of in the name of protecting Americans.

With that context in mind, I’m going to provide some security recommendations, keeping in mind that I am not a national security expert.

Surveillance tech – my take

The following are my views:

1. Terrorists and other criminals are now much better aware of how agencies track “soft”/trackable communications systems like email and cellular communications (cellular/satellite info was one part of how Bin Laden was finally located, through his courier).

2. The debate around whether high tech companies should provide back-doors into encryption services to government entities is an important one, but it is flawed. Those who want to communicate in untrackable ways are most likely to avoid such systems in the first place. Creative ways of avoiding communications detection are always out there. One PlayStation example I ran into was the ability to communicate via in-game player actions like raising flags, or even writing sentences with gun bullets on walls. How would forcing high-tech companies to allow encryption back doors begin to address such issues?

3. Successful threat detection almost always involves human intelligence on the ground, which means cooperation within embedded or isolated groups. You can’t just eavesdrop and hope to anticipate every bad thing – eventually you have to win hearts and minds as well. Tech companies can play a big role in the long game here – IF their hiring practices are diverse enough to expand opportunities (this is a topic we have hit on at diginomica, here’s one example). If we find ways of crossing the digital divide and bringing tech/education to those in need, it will help. It’s not a cure-all, but it’s better than exacerbating inequality, which digital has a tendency to do if we aren’t diligent.

What enterprises should do

Enterprises can add a practical set of requirements to this list, including:

  • Understand the terms and conditions of data security and sovereignty for all providers
  • Ensure regional data policies, which vary greatly, are aligned with local governance and pending legislation
  • Make sure security include the latest mobile devices and hackable wearables
  • Track the latest encryption/security trends, from the sophisticated to the mundane

The mundane isn’t so mundane after all – it includes all the loopholes in a company’s operational systems. When I visited ERP security firm Onapsis in Boston last week, they walked me through a potential threat scenario, showing me how they could hack into an ERP portal. From there, with full administrative access, if they were a hacker or cybercriminal, they could inspect the systems and ponder their next move. This two stage attack is a more sophisticated approach to hacking that Onapsis is seeing more often. It’s the equivalent of getting an “all access” badge into a building, and then having free reign to find further vulnerabilities once inside.

You can check out the podcast I taped with Onapsis for more details on how ERP systems are breached (Onapsis specializes in SAP and, more recently, Oracle). As the Onapsis guys told me, access can be as simple as an old dev or Q/A system that the admins don’t realize is active.

System audits and rigorous patching are often the most potent security moves an enterprise can make. That sounds dead simple but in practice, it may not be – especially for companies with high tech staff turnover, or coming off mergers and acquisitions. I asked Dave Crandall of Onapsis for advice on how enterprises should tackle this:

At first, you meed to understand your landscape – the topology map. Do I have one system, 10 systems, 100 systems? Once you understand those systems, you then need to say, Okay how are they all connected?”

The next step is to document information assets:

That’s the next level, where you say, “OK, what are the assets on those systems? Is it IP? Is it data that is essential to a compliance issue? Is it a business process that is essential for you to make money?

Crandall echoed my sentiment that culture is a big part of this, as in better communications:

What we find, also, is that forward thinking organizations have stopped talking about “Oh, that’s a security issue, or that’s an IT issue, or that’s an SAP basis issue. They’re saying, “OK, how do we work together as a team because it might be everyone’s issue in some shape or form.”

Encryption matters, but so does old-fashioned diligence. Hopefully we can remain above the fray of sensationalism and discern the right steps.

Image credit: concept of computer security © lucadp – Fotolia.com

Disclosure: SAP and Oracle are diginomica premier partners. Diginomica has no financial ties to Onapsis. I visited them to find out more about what they do and to have a back-and-forth with them about security tactics and disclosures. I will likely share more of that in a future piece.