I am a great advocate of clients using encryption to enhance their cyber security and I have written a number of articles explaining how encryption is an easy cyber security step to implement. Here are a couple of them:
I also think encryption is an important step in an organisation taking responsibility for its password security:
Back to Basics – One more thing about your passwords
So, in this world where the threat actors are getting more and more sophisticated in their attacks, any step that weakens the protection that encryption gives to us is something we should all think about.

Encryption makes the headlines.
Here is the BBC headline from last week:
UK government demands access to Apple users’ encrypted data – BBC News
The argument the UK Government makes is compelling. Law-abiding Governments and Law Enforcement Agencies (all over the world) do not like encryption because criminals can use it to hide evidence of their law breaking. However, vendors use encryption to keep their law-abiding users’ information secure. The good guys would like these vendors to provide a backdoor to bypass (break) this encryption so the not-so-law-abiding users can be caught. Politicians will often cite child exploitation and terrorism in their explanations as to why vendors should comply with this request.
This would not give the UK Government and its agencies the right to rifle through every UK citizen’s iCloud, Google Drive, SharePoint or OneDrive files to see what is there. The UK Government would implement a set of checks and balances, including independent judges scrutinising the evidence, before this master-key would be used.
It all sounds reasonable – who does not want to catch the bad people out there – so should we all get behind it?
But the vendors like encryption!
But no vendor has ever thought this backdoor master-key was a good idea – Apple certainly doesn’t. Apple states on its website: “Privacy is a fundamental human right”, and it uses this, among several other cyber security arguments, to say no to the UK Government and any other government that requests such access.
However, vendors are also, probably, not against catching criminals.
The best argument against this request.
In my opinion, the best argument against this master-key request is that, once this backdoor has been created, the threat actors will relentlessly seek it out. If it exists, the riches it would expose to the hacker would be worth the effort of using all their considerable resources to obtain it.
I think they would succeed.
Now the encryption you were using to keep such things as your organisation’s IP, passwords etc. secure no longer works.
You have to make your own mind up. Apple has, so has the UK Government.
Just one more thing…
I have been talking about law-abiding governments – what happens when these master-keys fall into the hands of a government or leaders that just ignore the rule of law…
To finish.
Here is a Back-to-Basics primer looking at how encryption can benefit your organisation:
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
Apple and End-to-End Encryption
Back to Basics – A Password Primer
UK Is Ordering Apple to Break Its Own Encryption – Schneier on Security