Encryption is under attack. Here’s why that matters

whatsapp.png

(Christian Wiediger, Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Adrien Ogée, Project Lead, Cyber Resilience, World Economic Forum & Marco Pineda, Head of Security and Innovation, Centre for Cybersecurity, World Economic Forum


The news that Interpol is about to “condemn” the spread of strong encryption is just the latest salvo in the crypto wars, a decades-long controversy between proponents of strong encryption, law enforcement and investigative bodies over the widespread use of encryption by technology companies. The central tenet of the law enforcement argument is that strong end-to-end encryption hinders the investigation and prosecution of crimes when suspects use it on their personal devices. For their part, privacy and human rights advocates contend that there is no mechanism “that (both) protects the security and privacy of communications and allows access for law enforcement”.

What is encryption?

Encryption is the encoding of information such that only authorized parties may access it at the message’s final destination. One of the earliest examples of encryption – and the most cited in literature on the subject – is the Caesar cipher, a substitution cipher where each letter of a message is shifted 3 characters.

 

The Caesar cipher relied more on the secrecy of the method of encryption rather than the key, and can easily be cracked by observing the frequency of the letters.

In the 20th century, notable uses of encryption and – more pertinently – codebreaking have had major historical impacts. This includes the Zimmerman telegram of World War I, in which Germany urged Mexico to invade the United States if Washington were to join the war against it. The ability of the British to break the German code and the leaking of the contents of the telegram was instrumental in turning American public opinion against Germany and lead to the US entering the war on the side of the Allies.

Later, during World War Two, a British team led by mathematician Alan Turing broke Germany’s Enigma code. By some estimates this shortened the war by two years and saved 12 million lives.

While all encryption methods used up until the Enigma machine relied on the concept of security through obscurity, modern cryptography is based on the opposite: security through transparency.

The plans for Enigma were very well concealed and breaking it was not easy. Marian Rejewski at Poland’s Cipher Bureau and later Alan Turing and his team at Bletchley Park had to build a computer to help break the codes at scale. Modern cryptographic methods are based on well-known mathematical theorems that are practically unbreakable with current technologies.

For instance, multiplying two prime numbers together is an easy problem. The result is what is called a semi-prime number. Now finding out which two prime numbers were multiplied in the first place to achieve a semi-prime number is computationally difficult: the only way for the current generation of computers is a trial and error process that can take centuries, depending on the length of the semi-prime number. The widely used RSA 2048 encryption method, for example, would take a classical computer 300 trillion years to crack (although quantum computers may one day do the job a lot faster).

What’s the issue?

Facebook Messenger, WhatsApp and other communication apps use an implementation of public key cryptography called end-to-end encryption. Only the end users have access to the decrypted data; the service provider, like Facebook, doesn’t. As such, it is theoretically impossible for the company to hand over decrypted data to the authorities.

This is the crux of the debate. It is what has led law enforcement to ask that end-to-end encryption not be rolled out by Facebook, or that ‘backdoors’ be introduced to aid in surveillance or data recovery.

A first example of this was the San Bernardino terrorist attack of 2015, in which the FBI wanted Apple’s assistance to open one of the assailant’s phones. Apple’s refusal led the FBI to file a case with the US District Court for the Central District of California to compel Apple to aid FBI efforts. The request was eventually withdrawn when an Israeli company found and exploited a vulnerability in the phone to decrypt the data on behalf of the Bureau. While the data revealed nothing about the plot, the case brought widespread criticism of the company for profiting from vulnerabilities in its phone operating system that cybercriminals, terrorists and rogue nations can buy, find and exploit too. Best practice in the cybersecurity industry is for researchers to report these vulnerabilities to the software editor or device manufacturer; this is called responsible disclosure.

A second example of this was this year’s “Ghost protocol” proposed by UK intelligence agency GCHQ to avoid weakening encryption, which revolved around transferring messages sent by a suspect over WhatsApp or iMessage to a law enforcement agent without notifying the suspect. This was met with vigorous opposition from tech firms.

Privacy advocates do not argue the need for law enforcement to be able to investigate crimes such as child exploitation and terrorism. The general objection from them and other parties interested in keeping messages private is that any weakening of encryption for the benefit of investigators also benefits those with more nefarious intent. They argue that ‘backdoor’ or exceptional access by law enforcement amounts to the introduction of a weakness to security systems that can be exploited by criminals. This unintended consequence of the desire to provide better protection to, for instance, exploited children, victims of terrorism or human trafficking also exposes regular users to exploitation from cybercriminals by giving these groups a built-in way to access their information.

What leaders are saying

In 2015 at a talk at West Point, then Vice-Chairman of the US Joint Chiefs of Staff, Admiral James A. Winnefeld, said: “I think we would all win if our networks were more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike [then NSA Director Mike Rogers] on the intelligence side than very vulnerable networks and an easy problem for Mike”.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact info@c4c-weforum.org.

In Europe, the EU Cybersecurity Agency and Europol issued a joint statement on this topic, recognizing the hurdles of strong encryption in police work, but also acknowledging that weakening encryption technologies for everyone was not the way forward. Rather, they called for research and development efforts to find technical solutions to decrypt communication, all under judiciary oversight.

As the crypto wars continue to seek to strike the correct balance between the needs of law enforcement for access to information to conduct investigations and the need for vulnerable populations to free speech and the general public to have financial and personal information protected, the ultimate decisions will be weighed by those with a view of the entire ecosystem.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

Abu Dhabi is investing $250 million in tech start-ups

Energy: new target of 32% from renewables by 2030 agreed by MEPs and ministers

This German supermarket’s shelves are filled with food other stores won’t sell

Royal Navy to unveil future surveillance and reconnaissance requirements next February in Rome

Air pollution: How to end the deaths of 7 million people per year

Draghi: ECB to flood Eurozone and the world with more zero cost money; risk of drowning in cash

DR Congo Ebola centre attacks could force retreat against the deadly disease, warns UN health chief

The Shifting Rhythms of Harmonious China: Ancient, Modern & Eternal

European Semester: The Winter Package explained

This Canadian company transforms plastic waste into building materials

Ensure safety of responders UN Security Council urges, amid worsening DR Congo Ebola outbreak

The final countdown towards achieving 2030 Agenda

How man and machine can work together in the age of AI

Two EU Commissioners fire at will against the US

The why in including palliative care in Universal Health Care

Rapid growth in China post-COVID makes it ripe for investment

‘A new chapter’ dawns for democracy in Guinea-Bissau: top UN official

Coronavirus: ‘An emergency in China, but not yet a global health emergency’

‘Unconscionable’ to kill aid workers, civilians: UN Emergency Coordinator

New rules allow EU consumers to defend their rights collectively

Eritrea sanctions lifted amid growing rapprochement with Ethiopia: Security Council

Malaysia can show the way towards a holistic model for human rights

Coronavirus: Commission proposes a Digital Green Certificate

ECB money bonanza not enough to revive euro area, Germany longs to rule with stagnation

EU-U.S Joint statement on the humanitarian emergency in Tigray

UN rights chief welcomes new text to protect rights of peasants and other rural workers

State aid: Commission approves €790 million Croatian guarantee scheme for companies with export activities affected by coronavirus outbreak

How will the EU face the migration crisis when the Turkish threats come true?

Pesticides: MEPs propose blueprint to improve EU approval procedure

Hazy ‘breakthrough’ saves PM May, leaves Ireland in limbo: Brexit

European Junior Enterprises to address the significant skills mismatch in the EU between school and employment

Women in Medicine: An Equality Long Overdue

In a time of rising xenophobia, more important than ever to ratify Genocide Convention

6 ways countries can prepare for the next infectious disease pandemic

After the European Parliament elections – what happens next?

Stateless Rohingya refugee children living in ‘untenable situation’, UNICEF chief

Zero carbon by 2050 is possible. Here is what we need to do

State aid: Commission approves €511 million Italian scheme to compensate commercial rail passenger operators for damages suffered due to coronavirus outbreak

Germany’s fiscal and financial self-destructive policies

Palliative care: an indispensable component for a better quality of life

2014 will bring more European Union for the big guys and less for the weak

Parliament and Council agree drastic cuts to plastic pollution of environment

EU will not deliver on promises without democratic accountability

COP21 Breaking News: Conference of Youth Focuses on Hard Skills to Drive Greater Climate Action

The West – the EU and the US – is writing off Turkey’s Erdogan

These 3 innovative solar farms show why this renewable technology is hot right now

Idlib deal could save three million ‘from catastrophe’ says UN chief, as militants are urged to lay down arms

‘Favour dialogue’ over violence, UN chief urges all parties following clashes in Mali’s capital

Drug laws must be amended to ‘combat racial discrimination’, UN experts say

Global Citizen-Volunteer Internships

London is becoming the world’s first National Park City

MEPs want ambitious funding for cross-border projects to connect people

Voices of Afghan women ‘must be heard at the table in the peace process and beyond’ UN deputy chief tells Security Council

5 factors driving the Chinese lawtech boom

Afghanistan: UN mission condemns deadly attack near Kabul airport

Detecting online child sexual abuse requires strong safeguards

Doctors without borders

This powerful tool will help corporates make the switch to 100% renewables

Germany readies to pay for the Brexit gap in EU finance

Helping small businesses fight cybercrime benefits the global ecosystem

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s