Encryption is a Vital Piece of Security

As international governments argue for easier access to encrypted data for legal investigations, tech companies are fighting back. 

Encryption is a major player in Information Security. Remember, InfoSec encompasses Cybersecurity, Application Security and all aspects of securing data (information). Encryption is everywhere; it’s used by every business worldwide. It is what keeps our personal and private information, proprietary business information and anything else that is sensitive safe from an attack. It is also essentially how ransomware works: by encrypting information and holding it hostage until a ransom is paid.

We hear about encryption a lot, but what is it and how does it really work? According to Norton, “Encryption is the process of taking plain text, like a text message or email, and scrambling it into an unreadable format — called ‘cipher text.’ This helps protect the confidentiality of digital data either stored on computer systems or transmitted through a network like the internet.

When the intended recipient accesses the message, the information is translated back to its original form. This is called decryption.

To unlock the message, both the sender and the recipient have to use a ‘secret’ encryption key — a collection of algorithms that scramble and unscramble data back to a readable format.”

So, when we talked yesterday about governments wanting easier access to encrypted information for legal investigations, this is what we were talking about. Governments want the process of getting information needed for an investigation to be easier, but tech companies argue that it puts information at risk because it would create a soft spot, a single point of entry for hackers. Both are legitimate arguments.

Here’s the thing, though. We should be viewing this battle over encryption differently. You don’t necessarily know what is encrypted until it’s decrypted. Think about it like this: if someone sells you a computer, they have no idea what you are going to do with it. You could tie it to a dirty bomb or use it to store social security numbers and other sensitive information. But no one would ever say that they want the manufacturer to be able to flip a switch and poke around inside a machine that was purchased. The same goes for encryption: you don’t know what you are providing access to until decryption is completed, meaning you don’t know what information you could potentially expose that isn’t the target.

The way encryption is designed and functions is to protect data. If you put in some method to access that data in a different way, it’s no longer protected. Just like the computer example above, you can sell someone a computer and tell them to do something good with it. Some people will do good things, but others will do bad. But that doesn’t mean you let the manufacturer poke around a machine whenever they want.

The countries involved in asking for a backdoor need to understand how encryption works and why they can’t just have a backdoor put in. One, it would pose a major security problem for all of the reasons we’ve already discussed. Two, putting in a backdoor requires a high level of technical complexity to either create an algorithm that can be reversed given some skeleton key, or figure out how to protect some key registry that everyone in the world will try to steal. While tech companies and businesses in general understand the need for law enforcement to access certain information at times, they also understand that this suggestion will create more problems than it will solve.

On top of that, should governments around the world find a way to make this happen, who is to say that’s where they will stop? Does it end with encryption at rest, like unlocking a phone or decrypting a hard drive? Or are we going to let them spy on internet traffic, too? Because that is going to bring up a whole host of different issues. The ask is akin to asking a lock maker to have a key that opens every lock they’ve ever made. It’s a terrible idea!

The bottom line is that we need encryption. Encryption is what keeps our sensitive information safe. Businesses are required, by law, to be compliant and protect everyone’s private information. If they don’t, or if they are breached and information is exposed, then that business is on the hook for damages on top of fixing the issue and dealing with legalities. Encryption is a vital piece of data protection. Tampering with it, even for legal reasons, is a bad idea.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
