No entity is immune from a cyber attack.
A successful, jaw-dropping cyber assault against a seemingly impenetrable target occurred again last month.
This time, the humbled target was the National Security Agency, the nation’s premier electronic eavesdropper. Three hundred megabytes of sophisticated code developed by the NSA to penetrate computer security systems was posted online for all to see. Shortly afterward, the NSA web site went down for almost a full day. In both cases, Russia is the suspected culprit.
Encryption is Crucial
I’ve argued before and today feel even more strongly that ubiquitous, top-flight encryption of data and communications is crucial to a healthy Internet, and that it should be continually strengthened, notwithstanding naysayers who say that law enforcement and other authorities should have a back-door key into systems. I respect the challenges confronting law enforcement, but this particular goal is unacceptable. The United States, its companies and its allies are being breached relentlessly, and the number of high-profile targets is rapidly escalating. We must do everything possible to mitigate this.
Nation-state actors—the world’s best-financed and most sophisticated culprits—have become extremely effective. Even presidential campaigns are being infiltrated, apparently driven by intense interest in how candidates would treat foreign countries and construct trade policies, and in who they would appoint to high-level positions. Campaigns also have lots of sensitive information on donors and internal deliberations.
Nation-State Cyber Attacks
Other prominent and successful nation-state cyber attacks, perpetrated by Russia, China and Iran, include:
* The attack on the Democratic National Committee that stole and posted emails showing that former Democratic National Chairman Debbie Wasserman Schultz undermined Bernie Sanders’ chances of garnering the Democratic presidential nomination—an unprecedented cyber intrusion into national politics.
* A breach of the Democratic National Committee earlier in the year in pursuit of the email accounts of Hillary Clinton and other luminaries as part of an intelligence-gathering operation. (Researchers say Donald Trump and the Republican National Committee weren’t targeted in this email phishing campaign because if focused on Gmail users, and the RNC doesn’t use Google for its email accounts.)
* The penetration of the State Department’s unclassified email system in 2014 by Russian hackers. The culprit remained locked in on the government server for months.
* China’s targeting last year of the United States’ Office of Personnel Management computer systems, from which it stole information about roughly 23 million current and former federal employees. In so doing, China bypassed a federal government multi-billion-dollar intrusion detection and prevention system.
* An attack by Iran in 2013 on the computerized controls of a small dam 25 miles north of New York City, a test of the quality of U.S. infrastructure protection, as well as a series of cyberattacks in 2013 and 2014 on dozens of U.S. banks.
* North Korea’s cyberattack on South Korea earlier this year, an attempt to hack into the nation’s railway control system and the computer networks of financial institutions. Separately, South Korea also accused North Korea of trying to hack into the smartphones of 300 foreign affairs, security and military officials. Forty phones were compromised.
Encryption Must Be Expanded
To more effectively combat these players and others, encryption is a necessity, not a luxury, and a technology that must be expanded and improved to protect against the sort of attacks cited above and others that target intellectual property. That’s why Mozilla, the creator of the Firefox browser, has always taken encryption seriously, and it’s why Google recently tweaked its search engine to favor web sites that encrypt. Google also changed its email system to offer users the ability to more easily encrypt email. Internet users depend on encryption every day, often without realizing it, to safely shop and bank online, among other things, and we must continue moving in this direction.
In addition, we must fight government agencies and law enforcement officials who propose policies that will harm user security through weakening encryption. They contend that strong encryption helps bad actors. The truth is that it helps everyone who uses the Internet. Their proposals to weaken encryption— especially requirements for backdoors—amounts to a big, exploitable flaw that would erode the security of everybody on the Internet.
The brouhaha between the FBI and Apple—an attempt to force Apple to open up an iPhone used in a terrorist attack—has come and gone. But the Justice Department continues to take an aggressive stance toward software companies that use end-to-end encryption. The Justice Department is debating how to resolve a similar standoff with WhatsApp, the world’s largest mobile messaging service, in a dispute similar to the FBI-Apple affair.
The Challenge: WhatsApp
In the past, WhatsApp has been adding encryption to user communications. This has made it nearly impossible for the Justice Department to read WhatsApp messages related to a criminal investigation in which a federal judge approved a wiretap but investigators have been unable to circumvent encryption. Those who say a judge should force WhatsApp to help the government get the information it wants are flat-out wrong.
Encryption is not above vulnerabilities. So financial institutions and others must remain diligent in discovering and fixing encryption implementation weaknesses that present possible attack avenues. They also must get ready for the day when the bad guys make huge strides in their ability to thwart an encryption algorithm. At that point, they will need to take new approaches to encryption. A new encryption paradigm may even be required.
The latter, in particular, would be a daunting task, but if push came to shove would have to be accomplished. At stake would be nothing less than the future of a freely used and ubiquitous Internet.