Dear Encryption, We're Worried About Your Future

December 1, 2017

Encryption, my friend, there’s a lot riding on your shoulders. There have been decades’ worth of debate as to whether you are too strong, or too weak. Entire nations think you are so powerful that they restrict your import, your export and your use. No less than the NSA has been accused of trying to influence your standards, presumably to break you. Indeed, you have been broken, and secrets have been lost. It’s true you always bounce back, but for how long?

Let’s talk about Wi-Fi. Remember WEP? It turned out anybody could crack the code in minutes. Then we got WPA, which failed to withstand a 60-second attack. So, we moved on to WPA2. I don’t need to tell you about the KRACK attack, which affected nearly all Wi-Fi devices. KRACKers were able to read communications and, perhaps even worse, inject malicious packets into traffic. As a separate matter, man-in-the-middle campaigns have successfully used fake digital certificates to impersonate encrypted websites and steal information. I guess you shouldn’t be blamed for that though.

Still old friend, we can’t forget about OpenSSL and the nasty Heartbleed programming vulnerability. That flaw provided access to encryption keys, giving the criminally curious an ability to decrypt SSL traffic. Imagine the delight of those who hoarded stolen encrypted data in hopes of such a flaw. Maybe you can’t be blamed for that either. After all, if somebody gets the key or underlying password, it no longer matters that a brute force attack otherwise would have taken well over a trillion years to succeed. That’s an impressive statistic indeed, if not for workarounds. Speaking of brute force, just imagine the power of quantum computing in years to come. Will NIST succeed in its current search for “quantum-resistant” cryptographic algorithms? Nobody knows.

In your defense, Encryption, there is no perfect security. That said, in addition to applying patches, there are a number of steps companies can take to mitigate the highest risks:

First, to fully protect an organization’s most sensitive data at rest and in-motion, consider full-disk encryption and file-level encryption. The latter will protect files in transit, and ensure that simply powering up and logging onto a system doesn’t expose all files to all users.
Second, remember to encrypt laptops, thumb drives, backups and archives.
Third, set up corporate websites to offer HTTPS, and browsers to default to HTTPS sites.
Fourth, review key management as a lifecycle that includes key selection, generation, distribution, storage, escrow and backup, key rotation, accountability and audit, and key compromise and recovery.
Fifth, anticipate data breaches and encryption failures not only by deploying defenses in depth, but by scaling back altogether on certain highly sensitive electronic communications. Collect and store less, and have an appropriately aggressive destruction schedule.

Well Encryption, it’s hard to know what tomorrow will bring. When it comes to your future, please don’t mind the pun, there’s a lot left to hash out.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

Pandemics, Recessions and Disasters: Insider Threats During Troubling Times

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Industrial Cybersecurity: What Every Food & Bev Executive Needs to Know

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

Poll

Who has ownership or primary responsibility of video surveillance at your enterprise?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Dear Encryption, We're Worried About Your Future

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Managing Supply Chain Risk

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

Dear Encryption, We're Worried About Your Future

Recent Articles by Steven Chabinsky

Related Articles

Related Products

Related Events

The latest news and information

Content written for business-minded executives who manage enterprise risk and security