Infosec 2017: Government Can’t Ignore ‘Technical Realities’ Of Encryption
Issues of encryption and internet regulation both tackled at InfoSecurity Europe 2017
Recent horrific terrorist attacks on UK soil have re-ignited the encryption debate between government and technology companies, adding to tensions that have already formed between the two parties.
It is a hugely sensitive topic and one that could significantly impact tech firms, the cyber security industry and, of course, the British public.
First we had Home Secretary Amber Rudd’s condemnation of WhatsApp’s “completely unacceptable” use of encryption in the wake of the Westminster attack, more recently followed by Prime Minister Theresa May stoking the flames further with calls for greater internet regulation to “deprive the extremists of their safe spaces online”.
The topic has of course been prevalent at InfoSecurity Europe 2017 this week, with James Lyne, global head of security research at Sophos and Rik Ferguson, special advisor for Europol EC3, tackling the issues from two very different perspectives.
Challenges ahead
Lets start with encryption first. Lyne got the ball rolling by taking a technical approach, highlighting that any government policies need to be consistent with the “technical reality” of actually implementing them.
“We’ve got a real challenge in taking these high level ‘is it important that intelligence people are able to do their work’ questions and taking it down to actual technical implementation that doesn’t damage people when they’re sitting in cafes and logging onto services,” he said.
“By getting into more detailed laws and regulation, other dangerous things can happen. We can end up with laws that are so severely out of step with the technical reality. While lawmakers move in the scale of years, we move in the scale of hours and days.”
His point was that the problem cannot be solved simply by throwing regulation at it. And the crux of the matter comes down to “where on the spectrum is the right balance of security, intelligence and what scale of data collection there should be. I think we’ve got a lot of work as a community to advocate the correct technical position.”
Ferguson, in comparison, took a more philosophical stance. He said: “One of the constant refrains that we hear when it comes to terrorism is that we can’t allow these kind of attacks to affect our way of life, because when we do that we’re allowing the attacker to win”
“If we begin to erode our own individual and/or corporate right to privacy, we’re letting the terrorists win and that would be, to say the very least, a very unfortunate state of affairs. We have the right to have conversations and not have them be overheard by other groups and individuals and it’s a right that we must fight to protect.”
Speaking to Silicon, Matt Little – chief product officer at PKWARE – agreed that simply weakening encryption isn’t the answer: “Ironically, if the government mandates companies like WhatsApp and Apple to create backdoors, they are asking them to undermine national security, not strengthen it.
“As we have seen with the recent WannaCry and EternalRocks malware, criminals and terrorists will be the first to exploit those weaknesses and enable them to cause physical and economical harm. True prevention of crimes comes from stronger – not weaker – encryption. Once we’ve adopted a security mindset we can stop debating whether it is good or bad and begin the difficult process of protecting ourselves from cyber and terrorist threats.”
Next, the panel moved on to the government’s comments around internet regulation. Theresa May’s comments have been widely criticised by the tech community over an apparent lack of understanding about how the internet actually works and Ferguson echoed these sentiments.
“Where I think it goes wrong is that when a government starts to talk about regulating ‘the internet’ they don’t get it,” he lamented. “We don’t own ‘the internet’, no one government owns or can influence ‘the internet’.
“So while I think that certain regulations for content online are fine, it can’t be blanket and it has to be done with the realisation that there will always be ways around.”
Again, Lyne focused on the more technical issues the accompany the “interconnected, international, borderless resource” that is the internet.
“It is a real challenge. We really have to start working out how we’re meant to dovetail that national set of policies with the realities of our interconnected world which we do not fully control.”
With the threat of terrorism growing at home and abroad, the privacy vs national security debate will continue to be a prevalent and sensitive one. The fact that it’s being talked about so openly is undoubtedly a good thing, but it’s clear there is still plenty of work to be done.
Quiz time: Test your knowledge on government and public sector IT!