Encryption: The Cloud’s Last Line of Defence
The recent introduction of the General Data Protection Regulation (GDPR) is one of the first steps to ensuring cybersecurity is taken seriously by everyone, promising fines to those who leave themselves vulnerable. And it is not just for big companies to worry about. The concerns surrounding security have also filtered down to both small businesses and users.
Large organisations will likely have the wherewithal to comply with regulations enforced by governments, and they may even take the initiative themselves to promote a safer online environment. Such actions may not always be possible for smaller players.
Binary District Journal spoke with Linus Chang of Scram Software, a company that describes itself as engaged in ‘making the cloud a safer place’. We discussed a number of issues around cybersecurity, including potential threats, the regulatory environment, IoT security and more.
The Human Element is the Challenge
The fundamental nature of computing is such that there is interaction between man and machine. It is this combination that throws up unique challenges and makes security so difficult. Chang believes that this is where current cybersecurity measures are lacking and encryption is necessary to provide that extra layer.
He explains that, “Let's say I give you five million pounds of gold. If you lose it, you lose five million pounds. I say here, store it in your house to keep it secure. Well, the first thing you're going to do is lock your doors and lock all the windows.
“But you also know that doors and windows can be broken into fairly easily, so what you do is you buy a safe and bolt the safe to the ground and put it in. That extra level of security, where you've got a combination and another key, protects you even if there's a breach of your perimeter i.e. your doors and your windows.
“Even if you're secure today, there are new vulnerabilities being discovered all the time.”
“The challenge with IT is that most people don't do that second step of putting their data in a safe. And the data, if you lose it, can cost you millions of pounds in fines, so it's not dissimilar to saying here store some gold. 96% of data is actually not encrypted, so it's not put in an extra safe.
“The problem with IT is that it is even harder to secure all of your perimeter than it is in the physical world. Physically, you know that you have three doors and 12 windows to secure - with the IT world there's hundreds of ways to get in. Even if you're secure today, there are new vulnerabilities being discovered all the time. It also relies on everyone closing the door every time they leave the building. That's where the human error occurs.”
Keeping Up with an Evolving Threat
Linus feels that cybersecurity is an evolving threat. Even when you have legislation that is aimed to protect end users, it is only effective in the here and now. The threats of the future may vary. “Cybersecurity is a journey not a destination,” Chang notes.
“The deadline [for GDPR] has come and gone, but I think we'll still see incremental and even big improvements made in cybersecurity. The way GDPR is written, it actually makes reference to the fact that, depending on the state of the art technology and the sensitivity of the data, you shall do ABCD. So, the state of the art is always getting better and therefore it's not like you can just tick the box and say ‘yes we're GDPR compliant’.
“You may be protected from the threats of 2018, but the threats of 2019, 2020... they're going to evolve over time, and my reading of the legislation is that it's written in a way that expects that businesses will continue to improve over time.”
User Base is the Soft Underbelly of Companies
Educating users about the importance of cybersecurity is an uphill task. It is one thing to be compliant, but if you are only as strong as your weakest user then you still have a problem. Chang feels that education is an important factor in solving this. Getting people to wise up to the existing threats, such as phishing, is crucial.
“A company is only as good as its weakest link, and you're dealing with ordinary users who don't have a security mindset,” Chang says. “They don't go to work thinking ‘am I going to be hacked today?’, they go to work trying to do their job. So, I believe it is challenging, especially when resources are stretched.”
“A company is only as good as its weakest link, and you're dealing with ordinary users who don't have a security mindset.”
However, there is hope amidst the despair. Cryptography, which is enjoying something of a moment due to the popularity of blockchain technology, may literally hold the key. “Phishing exercises are successful because people don't recognize that it's actually coming from a scammer,” Chang explains.
“I see that there's a lot of hype about blockchain and AI, but it's actually the basic task of making sure you're getting a legitimate login screen. I think that's a big challenge. The technology exists to ensure that's the case, but for some reason it hasn't really been adopted.
“I think that probably the biggest challenge is trying to figure out how to marry the cryptography and the mathematics, and how to marry that with a usable solution that will be adopted and then solve some of these problems.”
We then got on to discussing the industry more generally, and Chang is optimistic about the scale of the impact crypto can have. “I think blockchain will be important,” he says. “There's a high level of hype and greed in relation to cryptocurrencies, blockchains and ICOs. I think that they are a distraction. Blockchain is certainly very powerful, it's still evolving.
“In some ways, it's a solution looking for a problem and that may actually detract or distract people from the non-sexy solutions or the more mundane things, and there's nothing more mundane than phishing. Yet that remains the number one problem we have. It’s about keeping an eye on avoiding the hype and keeping an eye on the reality. I think that is the way that we're going to move forward.”
IoT Unsafe by Design and Practice
We are on the threshold of a world in which the things that we use every day will be connected to the internet. Whether it is connected toasters or smart fridges, the dawn of the next era is almost upon us. So far, security has taken a backseat when it comes to these devices. Chang believes that there are two key issues.
“One is that they tend to be very poorly secured,” he says. “I think I read a report several years ago which said the average time between finding a vulnerability and fixing it may be several years. This is because these IoT devices are generally hard-coded with versions of the operating system, and the cycle time to update is very long.
“They tend to be used for botnets, so there's this large-scale distributed denial of service attacks using IoT cameras, for example, and these compromised devices can lay dormant for years before they get activated and then they launch an attack. I think that's another area of the whole botnet risk of IOT.
“I read a report several years ago which said the average time between finding a vulnerability and fixing it may be several years.”
“Second is the integrity of the data and the privacy of the data collected. It's not on the radar when people buy an IOT device. They're not thinking ‘where is this temperature data being stored?’ or ‘where is this video footage going to be stored and how is it secured?’. Because these are IOT devices, they generally have low CPU power.
“To cut costs, you don't want to put in a powerful CPU as you’re trying to put in the the most cost-effective solutions. Because they're low power, though, they generally don't run encryption. So, you could have video footage being transmitted over the clear - it can be intercepted, it can be read, it can even be sabotaged and replaced with substitute footage. When people are buying these devices it's not top of mind. Businesses, I think, will need to start considering this.”
Regulation Has its Scope and Role
Does the state have a role to play when it comes to cybersecurity? Who polices the vast swathes of cyberspace that transcend existing notions of borders and states? Will these regulations also have to transcend borders, like the latest GDPR laws have?
Chang thinks that the state has a role to play because companies may not always look out for those who are vulnerable. “As a citizen, GDPR puts a value on my data and companies don't, because it's not in the company's risk assessment. A company, when they're assessing risk, they think: what is the problem? What is the impact if my trade secrets get leaked or if my secret formula for the herbs and spices get it leaked? Well, that's what companies think of - they don't necessarily think ‘what is the impact if my user database gets leaked?’.
“So for many years the end consumer or the citizen was not protected. I think GDPR is a great step in the right direction. It means that our data needs to be protected, it protects against misuse and it gives us the right to request deletion. It's exactly what we need.
“I know Europe is always ahead in terms of matters of privacy. It's ahead of the the rest of the world and, because it's a worldwide law, even companies like mine - an Australian company - has had to be cognizant of this legislation. So, if this becomes adopted worldwide, that can only be good for everyone.”
Encryption is a Safety Net that Blockchain Will Empower
Hoping for the best and preparing for the worst is a tried and tested strategy when it comes to dealing with the unknown. The same applies in the case of security in the cloud as well. Chang is happy that GDPR already mentions ‘security by design and default’. Using encryption could prevent damage in the cases when things do go wrong.
“The idea of security by design is that, in the case of a failure, everything is still safe in in the context of the cloud,” he says. “Your cloud storage account gets broken into - we want to make sure that if someone else gets into it, they can't use it, they can't understand it, and they can't sabotage any of that data.
“So, taking away the human element - making sure that humans don't have to check every box and instead making that automated in a machine, done by machines, so that it's transparent to the user - absolutely that's what we aiming for.”
“With all the hype about get-rich-quick and Bitcoin prices and so on, it’s easy to get lost in the noise.”
So where are we headed in the future? Will blockchain end up being a solution? Chang thinks so. “Yes it definitely has a role to play, especially when it comes to forensics,” he says. “Let's say your system has been compromised, you need to keep logs, you need to preserve evidence for the FBI or the Federal Police to come in. I think there is a huge advance that we can make, because current evidence collection is archaic and people are doing it the same way that you would do if you were collecting physical evidence.
“So yes, there are very good uses for full blockchain technology, but with all the hype about get-rich-quick and Bitcoin prices and so on, it’s easy to get lost in the noise.”
Effortless Security is the Need of the Hour
Looking to the future, safety on the cloud will only happen when it is effortless for the user and easy to set up. In terms of the next big development in cybersecurity, Chang sees this automation as a key step. “The next big development - certainly in terms of privacy and encryption - is being able to do these simple tasks in an automated, smooth way, without thinking.
“If there was an option to do it securely and there was no extra effort, then it makes sense to do it. And what excites me is that we can make these improvements. That's the level of how hidden it needs to be and how automatic it needs to be. That's really exciting for me.”
When WhatsApp introduced end-to-end encryption in April 2016, the decision was met with both open arms and suspicion, depending on your perspective of the importance of open surveillance. Both sides of the argument had pockets of misunderstanding, though. Take the UK’s former Home Secretary, Amber Rudd.
Rudd appeared on TV following a terrorist attack in March 2017, and called for end-to-end encryption to be banned on apps like WhatsApp in an attempt to stop wrongdoers having safe places to communicate. Others suggested that governments and tech companies should be able to access the encrypted messages of selected users if it helped in a legal case or to prevent terrorism. These calls fundamentally misunderstood what encryption has to mean to succeed - it has to mean full end-to-end encryption for all. If a backdoor were created on WhatsApp, it would threaten the security of the data of millions of users. Selective encryption, currently, does not work - it must be full and unconditional to succeed.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at firstname.lastname@example.org