A Vision For a Safer, More Balanced Web:
How Far Are We Willing to Go to Achieve Cyber Security?
Nico Sell & Gilman Louie
With every high-profile data breach and emerging global terrorist threat, public discourse on cyber security and encryption becomes increasingly polarized and unproductive. The recent terrorist attacks in Paris claimed by ISIS have re-launched the international encryption backdoor debate. The proponents of mandatory backdoors have continuously argued that end-to-end encryption makes it impossible for law enforcement to combat criminal activity, including terrorism. On another front, the growing threat of foreign, quasi–state attacks often attributed to Chinese, Russian and Iranian hackers compels private companies to ramp up their cyber defenses prompting rapid adoption of strong crypto to protect commercial IP and customer data. Focusing the public dialogue on the dichotomy of these seemingly competing priorities inevitably prevents us from advancing global security, which is why it is time to directly address security challenges by first looking for a fact-based starting point we can all agree upon.
At a time of understandably heightened concerns over potential terrorist attacks around the world, many governments view control of and visibility into citizens’ communications as a key prerequisite to preventing extremism, both domestically and internationally. The only publicly discussed means to achieving such control and visibility is the so-called backdoor into encryption technology designed to protect digital communications from being listened to – by criminals or governments.
While having access on the backend of countless web networks will enable mostly unobstructed data access, the question is to what extent would this capability compromise the government’s own ability to secure its citizens?
As the Web continues to grow, it is adding an unprecedented number of devices constantly engaged in information sharing – some more sensitive than the rest, with most data still transmitted in the clear. Increased connectivity has facilitated the rapid growth of successful attacks aimed to steal valuable personal, business and government data. The only defense for data in transit is encryption, properly implemented to ensure information is only accessible by the intended recipient, not by criminals. Often unnoticed, encryption secures countless core applications – from satellite and power control systems to instant messaging, to air traffic communications, to healthcare and stock exchange transactions. It literally is the first line of defense for any information we deem sensitive or proprietary.
As a thought experiment, let’s play out the backdoor scenario to its logical end.
Tech companies developing technology for banking, medicine, the energy sector and the auto industry are now required to introduce a US government-mandated backdoor in their systems. The government is entrusted to safeguard the decryption keys that access the backdoors of information networks. Law enforcement agencies still have to obtain a warrant or perhaps a FISA court order to decrypt the information – all for national security purposes. However, unless government systems undergo a seismic overhaul of their information security, the encryption key repository will be breached sooner rather than later, as countless other national databases have been, with OPM alone leaking over 20 million of the most sensitive background check records.
Following the US or UK precedent, the Chinese government, with a different set of national security targets and interests – potentially including dissidents and foreign companies – will ask for similar access to encrypted data. Others including Russia, France, and UK will demand the same. Most technology companies, including US–based enterprises, are global players, and will face a choice – comply with national laws to continue to operate internationally or risk losing a hard-earned share in Chinese, French and UK markets.
A capability that was sought by one or two governments as a defense against terrorist threats now becomes a liability that will be exploited by other nation states for offensive operations against US economic or national security interests. Of course, with vulnerabilities mandatorily built into security systems, criminal hacks will become even easier to carry out. To defend business IP and customer data, the private sector will be left to rely on protecting windows, garage doors and the chimney, while the backdoor into their systems is wide open to criminal breaches that are often supported by foreign national interests.
So how do we navigate our collective way out of this dead-end debate the outcome of which does not serve anyone’s interests?
It is time to shift the focus from seeking special access to serve political needs or give one nation an advantage over another to keeping the Web safe for all its beneficiaries – whether they are governments, businesses or citizens. Because when the Web is not secure, it is not secure for all.
Developing an effective global cyber security approach must therefore address technology and policy at both levels –government and private sector.
At the international policy level, the challenge lies in bringing everyone to the table to develop a set of unified rules for what we can and cannot do to advance national interests on the Web. Clearly, it will take time and commitment to truly understand the technology in question and engage in diplomatic craftsmanship. What we can do today is begin designing bilateral and multilateral agreements with our closest allies, including the private industry, to join forces to secure the global digital space. Critical to the success of this strategy is our ability to negotiate credible enforcement mechanisms for such international agreements including the recently announced cyber framework between the US and China focused on protecting intellectual property and the economy.
Building a working model for domestic and international threat information sharing is a good first step in preempting and investigating attacks that may compromise financial or other critical information systems. It requires mutually beneficial cooperation between the government and private companies whose networks may be targeted by state and non-state actors. Timely sharing of threat indicators is key to a government’s ability to effectively protect its citizens and national infrastructure, and bring certain threats to the attention of our international partners.
However, since the state has not maintained a particularly impeccable information security track record, the private industry is legitimately concerned about sharing critical data that may contain sensitive business and user information with a partner that cannot guarantee its protection. If we are serious about bringing technology companies to the table to jointly counter criminal intrusion threats, it is time for significant improvement of government security practices, including wide adoption of encryption across the board.
For its part, the private sector, including e-commerce, financial services and internet tech companies, has built unprecedented collections of information that are a rich target for criminal hackers and nation states. The cost of largely inevitable security breaches is only going to grow as more information is mined for further monetization. In the short term, we, as an industry, need to carefully assess our capability to secure data and refrain from collecting information we cannot protect.
It is in companies’ economic interest to establish a policy of transparency about data collection and innovate ways for users to opt out of information repositories that retain personally identifiable data. The idea that we all need to have greater control of our personal information is fundamental for the development of digital economy. Although potentially expensive, it must become a long-term goal for the industry to rethink our business strategies around data collection, similar to the car industry lowering emission and fuel consumption levels, which once was considered impossible.
In parallel, the same security overhaul required for government information systems is overdue across all enterprise industries. Proper protection of business assets including IP, high value communications and most importantly critical digital infrastructure will become key factors in growth and business evaluation. As the cost of cyber breaches to the global economy continues to grow, security ratings will undoubtedly play a much larger role in determining companies’ resilience and financial longevity. Audits of digital protocols and infrastructure may well become a decisive factor in determining key financial indicators and opportunities including insurance rates and long-term credit ratings for businesses and countries. Today, we all – including enterprises and governments – need to work towards establishing a set of new standards that will govern the Web as a global resource and economic engine.
Since the inception of the internet, we have come a long way in improving its security and expanding its benefits globally. Last year, around 29% of the North American web traffic, including online communications, banking and shopping transactions, was protected by encryption of various degrees of sophistication. That number has been steadily growing over the past few years, recorded at around 2.3% just two years ago.
To collectively build up the Web’s resilience to global security challenges, its various stakeholders – nation states, technology companies and citizens – have to realize that even though we may have different goals related to the internet, the means to achieve those goals are rooted in a fundamental question: how do we keep it safe? Because when the Web is safe, it is safe for all.
Nico Sell is Co-Founder of Wickr Foundation and Co-Chair and Co-Founder of Wickr Inc., a secure communications platform providing end-to-end encryption to users in over 190 countries. Sell serves as an advisor to various security start-ups including AllClear ID, Crowdstrike, and Lookout, and has helped to organize DEF CON, the largest hacker convention in the world.
Gilman Louie is Co-Founder and Partner with Alsop Louie Partners, a venture firm based in San Francisco. Gilman serves as a member of the Markle Foundation Task Force on National Security in the Information Age, serves as a member of the Technical Advisory Group for the United States Senate Select Committee on Intelligence, chairs the committee on Persistent Forecasting of Disruptive Technologies for the National Academies, and was appointed as member of the National Commission for Review of Research and Development Programs of the United States Intelligence Community.