Dear Encryption, We're Worried About Your Future

Encryption, my friend, there’s a lot riding on your shoulders. There have been decades’ worth of debate as to whether you are too strong, or too weak. Entire nations think you are so powerful that they restrict your import, your export and your use. No less than the NSA has been accused of trying to influence your standards, presumably to break you. Indeed, you have been broken, and secrets have been lost. It’s true you always bounce back, but for how long?

Let’s talk about Wi-Fi. Remember WEP? It turned out anybody could crack the code in minutes. Then we got WPA, which failed to withstand a 60-second attack. So, we moved on to WPA2. I don’t need to tell you about the KRACK attack, which affected nearly all Wi-Fi devices. KRACKers were able to read communications and, perhaps even worse, inject malicious packets into traffic. As a separate matter, man-in-the-middle campaigns have successfully used fake digital certificates to impersonate encrypted websites and steal information. I guess you shouldn’t be blamed for that though.

Still old friend, we can’t forget about OpenSSL and the nasty Heartbleed programming vulnerability. That flaw provided access to encryption keys, giving the criminally curious an ability to decrypt SSL traffic. Imagine the delight of those who hoarded stolen encrypted data in hopes of such a flaw. Maybe you can’t be blamed for that either. After all, if somebody gets the key or underlying password, it no longer matters that a brute force attack otherwise would have taken well over a trillion years to succeed. That’s an impressive statistic indeed, if not for workarounds. Speaking of brute force, just imagine the power of quantum computing in years to come. Will NIST succeed in its current search for “quantum-resistant” cryptographic algorithms? Nobody knows.

In your defense, Encryption, there is no perfect security. That said, in addition to applying patches, there are a number of steps companies can take to mitigate the highest risks:

First, to fully protect an organization’s most sensitive data at rest and in-motion, consider full-disk encryption and file-level encryption. The latter will protect files in transit, and ensure that simply powering up and logging onto a system doesn’t expose all files to all users.
Second, remember to encrypt laptops, thumb drives, backups and archives.
Third, set up corporate websites to offer HTTPS, and browsers to default to HTTPS sites.
Fourth, review key management as a lifecycle that includes key selection, generation, distribution, storage, escrow and backup, key rotation, accountability and audit, and key compromise and recovery.
Fifth, anticipate data breaches and encryption failures not only by deploying defenses in depth, but by scaling back altogether on certain highly sensitive electronic communications. Collect and store less, and have an appropriately aggressive destruction schedule.

Well Encryption, it’s hard to know what tomorrow will bring. When it comes to your future, please don’t mind the pun, there’s a lot left to hash out.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?