The recent terrorist activity in the UK has reignited the debate about the use of encryption online. With news that the British Prime Minister, Theresa May, is calling for new regulation of the Internet, effectively demanding the abolition of encryption, David Emm, Principal Security Researcher at Kaspersky Lab commented below.
David Emm, Principal Security Researcher at Kaspersky Lab:
“Recent terrorist activity in the UK has reignited the debate about the use of encryption online. Some politicians have appealed to Internet companies to provide a way for government to inspect the communications of those suspected of criminal activity, for example terrorists. Others have even called for a blanket ban on end-to-end-encryption altogether.
The requirement for application vendors who use encryption to provide a way for government or law enforcement agencies to ‘see through’ encryption, poses some real dangers. Creating a ‘backdoor’ to decipher encrypted traffic is akin to leaving a key to your front door under the mat outside. Your intention is for it to be used only by those you have told about it. But if someone else discovers it, you’d be in trouble. Similarly, if a government backdoor were to fall into the wrong hands, cybercriminals, foreign governments or anyone else might also be able to inspect encrypted traffic – thereby undermining not only personal privacy, but corporate or national security. It would effectively create a zero-day (i.e. unpatched) vulnerability in the application.
This places application vendors in an invidious position. In response to growing privacy concerns in recent years, more vendors have implemented encryption to secure their customers’ communications. They’re unlikely to be happy about switching to a ‘snoopable’ form of encryption – as illustrated by the stand-off between Apple and the FBI last year.
A blanket ban on encryption would be just as dangerous. Law-abiding citizens and organisations would seek to comply with such legislation – compromising their privacy. But cybercriminals would either make use of encryption capabilities developed in another country (i.e. beyond the reach of the UK government), or implement encryption for themselves.
There’s an inherent tension between privacy and security. This isn’t going to disappear, although the emphasis may shift depending on the geo-political situation and security context at any given time. Theresa May must surely be conscious of the fact that there’s no way to restrict the use of encryption to honest, law-abiding citizens. However, at the same time, the government has made it clear that it wants organisations in the UK to protect themselves from cybercriminals and other would-be intruders. There are steps organisations can take to do this such as running fully updated software, performing regular security audits on their website code and penetration testing their infrastructure. However, since no company can guarantee 100 per cent that its systems will not be breached, encryption is essential to ensure that such a breach doesn’t result in the loss of sensitive information. The best way for organisations to combat cyber-attacks is by putting in place an effective cyber-security strategy before the company becomes a target.”