The battle between Apple and the FBI has ended — at least for now — but the battle over encryption is far from over. As much as security professionals love encryption as a robust method for protecting sensitive data, governments around the world loathe the tool because it hinders their ability to get to that information, even if for legit reasons.
That means the conversation about the tradeoffs between privacy and national security is only beginning — and the recent Apple case only served to bring the conversation to the forefront. The bigger question is, how will this play out as computing power is steadily moving toward the day when technology will be able to decrypt even the best encryption.
Encryption, in a nutshell
Used as far back as Ancient Greece — albeit in a lower-tech fashion — encryption works by modifying data, referred to as “plain text,” into a code, also called cipher text. It allows for large volumes of data to be decrypted simultaneously with even a small decryption key, which the recipient must possess.
The data can be encrypted both “at rest” (while being stored) and “in transit” as it travels from one device or platform to another (like the cloud). The encryption works both for structured fields, such as those in databases or CRM platforms, and for unstructured files like Word documents.
Two cryptographic methods are available: symmetric key, which means the same key is used for encryption and decryption; or asymmetric key, a stronger method because two different keys are used at each end of the process. In the asymmetric system, the key used for encrypting is “public,” meaning it can be freely distributed to anyone who needs to encrypt the data. The decryption key, however, is private to the individual recipient, and cannot be deduced simply by knowing the public key.
Benefits and use cases
One very common use for encryption is for SSL (Secure Sockets Layer) technology applied to online communication. SSL creates an encrypted link between the Web server and the “client” — like a browser — so you can securely shop, bank and otherwise communicate on the Internet. A telltale sign of SSL is the “s” in “https” when you land on a Web page.
Other than online banking and shopping, encryption is typically used for Web-based accounting, healthcare patient portals, virtual private networks, cloud file transfer and backup and email privacy. The messaging app WhatsApp is another example; its recent version includes end-to-end encryption for messages as well as attachments such as photos and documents sent through the app.
Encryption is also effective for protecting personally identifiable information (PII) that an organization stores on-premises or in the cloud because, without the key, the data cannot be read. That means that in the case of a cybersecurity breach, the stolen data is worthless to hackers and sensitive information won’t fall into the wrong hands. A great example is the case involving a stolen laptop of a Wisconsin Humana insurance company’s employee. Because the laptop was encrypted, it prevented the potential compromise of 2.7 million subscribers’ PII; the records of the 2,500 members whose PII was compromised in this theft were on hard copies, not the encrypted laptop.
Privacy vs. national security
The FBI recently backed off the pressure it had been putting on Apple to create what essentially amounted to a backdoor into the iPhone iOS. As we all know, the iPhone in question belonged to one of the two shooters who killed 14 people and injured 22 others in San Bernardino last December. The phone was encrypted and passcode enabled, so the data would have self-deleted after 10 failed attempts at the passcode.
The FBI originally argued that only Apple could provide a solution — that is, create software that doesn’t currently exist and that can circumvent security features. Eventually, the agency postponed a U.S. District Court hearing on the Justice Department’s order forcing Apple to comply. But not before a major public battle took hold, roping in everyone from the media and other tech giants to U.S. lawmakers and various cybersecurity experts.
Ironically, as the FBI tried to make the case that its request would not set a precedent, a similar case involving the agency and an encrypted iPhone was unfolding in another court. But even months before this topic became highly publicized, FBI Director James Comey told Congress that encryption was a growing concern because it obstructs access to information during law-enforcement activities. And there’s also some apprehension that encryption allows terrorists and other criminals to “go dark.”
During the recent South by Southwest (SXSW) conference in Austin, Texas, President Obama, without specifically commenting on the Apple case, acknowledged there must be a balance between Big Brother and strong encryption. But he also said, “if the government can’t get in, then everyone is walking around with a Swiss bank account in their pocket.”
The U.S. government is far from an anomaly in trying to convince people that some priorities, like national security, outweigh the need for privacy. A controversial, antiterrorism law passed by China last year requires tech companies such as telecoms and Internet service providers to assist authorities, including by handing over decryption keys.
Also last year, the United Kingdom proposed a surveillance bill requiring companies to provide intercept capabilities for encrypted communication services. Opponents of the law point out that creating a backdoor into any security product negates the efforts to improve security and protect PII. It’s certainly a step back when companies such as Microsoft are trying to compel more organizations to use effective and innovative tools like Office 365 and follow best practices for security.
How impenetrable is “impenetrable”?
Another thing that became publicly evident during the latest Apple vs. the FBI development was that the iPhone, billed by the company as practically a fortress, is really not immune to hacking (since the FBI’s solution is coming from a third party). In other words, it’s a good reminder that nothing is truly impenetrable, given the right technology and patience. So what about encryption then?
Last August, the National Security Agency quietly announced that it will move away from the current cryptographic methods to quantum-resistant algorithms in order to protect government and military data. Wired magazine quoted an email from an NSA spokesman saying, “It is now clear that current Internet security measures and the cryptography behind them will not withstand the new computational capabilities that quantum computers will bring.”
The development of quantum computers is still in early stages, with several countries funding research, including the United States and United Kingdom. Some experts believe quantum computing will become a reality as early as the end of this decade, if not in the next two or three. Using the powers of quantum physics, a quantum machine could very well be able to decrypt much of the data that’s considered secure.
Researchers have also been trying to develop cryptographic schemes that are resistant to quantum computing, with one such scheme based on so-called lattices in mathematics (the lattice has hundreds of dimensions). But the U.K.’s electronic surveillance agency cast a shadow on that idea, pointing out potential vulnerabilities in lattice-based cryptography, based on a secret cryptographic scheme called Soliloquy.
Lattice-based cryptography is not the only scheme that’s supposed to be impenetrable to quantum computers; yet this raises the question — is anything, truly?
It’s interesting that the NSA, the agency whose business is to covertly extract data, is working fast to protect its own. How would things play out, though, if we turn the tables — knowing that the government is also diligently working to get a leg up on cryptographers whose interests are focused around the protection of private consumer data?
One thing is certain: The conversation about tradeoffs between privacy and national security will remain on the table. As will the encryption debate.
Sekhar Sarukkai is a co-founder and the chief scientist at Skyhigh Networks, driving the future of innovation and technology. He has more than 20 years of experience in enterprise networking, security and cloud services development.