Since its inception, encryption has become a cornerstone of data privacy and regulatory compliance, protecting data in transit and at rest. It is often our first line of defence against attackers and is essential in preventing third parties from accessing confidential information.
However, despite the pivotal role it plays, encryption has come under unprecedented scrutiny this year, most notably from the UK government’s Online Safety Bill, which explored the weakening of encryption standards to make it possible to monitor messaging apps. As a result, Global Encryption Day 2023 carries a higher significance than in previous years, marking a worldwide effort to protect end-to-end encryption and defeat any proposals that try to undermine it.
Here are the thoughts from six cyber security experts on why governments need to reconsider their resistance to encryption, how emerging threats are reaffirming the need for encryption and why a strong encryption strategy is not as simple as it seems.
Lawmakers must not weaken encryption
Paul Inglis, SVP, EMEA at Ping Identity, explains that “Global Encryption Day is a good moment to recognise how important it is to enable everyone to safely and securely access the connected world, and safety is of paramount importance, which is where encryption comes in.”
“The recently passed Online Safety Bill aims to offer better protection for children online, and the news that the bill would not ban end-to-end encryption on messaging apps was particularly welcome. Messaging is integral to our online identity, and keeping this data private is becoming increasingly important. While the government waits for accredited safety technologies to be developed, we must protect children online right now without delay.”
“With the current way the web works, it’s far too easy to access age-restricted content. In fact, a recent Ofcom study found that about one-third of children ages 8-17 create fake profiles to register an adult account, and nearly half of children ages 8-15 have accounts claiming they are 16 or older. This deep-rooted challenge needs to be solved as quickly as possible to create a safer internet for everyone.”
This sentiment is echoed by Jake Moore, Global Cybersecurity Advisor, ESET, who describes how “encryption is a necessary last line of defence for your data, particularly in a world where ransomware attacks are prevalent. Should the worst happen and hackers manage to get hold of your information, encryption ensures that it cannot be accessed or used against you. As a result, it is used everywhere – from financial transactions to messaging apps.”
“Global Encryption Day is an opportunity to recognise the importance of this technology for the security and privacy of millions of people. As lawmakers, albeit with good intentions, attempt to regulate against it, recognising and understanding the critical function it performs is vital.”
Next-Gen threats reinforce the need for encryption
Generative AI has thrust its way into the mainstream over the past year and is predicted to revolutionise a plethora of industries. However, it is also set to change the security landscape significantly.
Sander Vinberg, Threat Research Evangelist, F5, explains that “we’ve already seen examples of where ChatGPT has been used by attackers or threat actors to write very basic but effective malicious software or malware. It’s a tool that massively lowers the bar for threat actors. What we see across the whole security landscape is a wide range of threat actors that are very good at writing social engineering emails, but perhaps don’t know how to write code, ransomware, or are simply not good at encryption. Those malicious actors now don’t necessarily need to go to a third party and employ a hacker – they can create their own using ChatGPT. Similarly, attackers can use generative AI to refactor malicious code endlessly, producing novel scripts and malware that accomplish the same purpose as the original, but which will be unknown to many detection systems.”
Tools like ChatGPT have implemented filters to try to prevent this, but Vinberg warns that there are methods to bypass them. “Security researchers have demonstrated this many times, and we’ve already witnessed threat actors discussing ways to get around them, meaning effective encryption of sensitive data is more crucial than ever.”
Encryption is not a silver bullet
Encryption plays a crucial role in maintaining regulatory compliance and protecting data. However, implementing a strong encryption strategy can prove more complicated than it first appears.
Gareth Jehu, Chief Technology Officer at Com Laude, outlines that “with cyberattacks on the rise, it goes without saying that any web service that stores or processes confidential or sensitive data should employ encryption methods. The internet is a far safer space for customers and businesses today thanks to the over 175 million SSL certificates issued to website owners, with Google estimating that 95% of all its tracked web traffic is encrypted.”
“However, owning an SSL certificate is not on its own a panacea for guaranteeing online security, and businesses should take a more proactive approach to keeping their domain assets secure. Certificate lifecycle management, correct configuration and continuous monitoring of usage, expiration and renewal are all essential to avoiding loss of customer trust, service interruptions or even data breaches.”
Similarly, Adam Marrè, Chief Information Security Officer, Arctic Wolf, warns that “Global Encryption Day must serve as a strong reminder for organisations and consumers to check they are protected as, unfortunately, many aren’t. It’s a common practice to neglect encrypting data from end-to-end, instead opting to only encrypt what they deem as the most important, or sensitive, information, simply because it’s easier to do so.
“In almost all cases the benefits of end-to-end encryption greatly outweigh the negatives. Implementing it will put criminals at a distinct disadvantage, likely pushing them to seek out alternative, less lucrative, places to steal data. I urge everyone, from government, to the private sector, to citizens, to familiarise yourself with the protections end-to-end encryption affords you.”
Organisations also need to maintain visibility across their security infrastructure without compromising performance.
Paul Anderson, VP UK & Ireland, Fortinet, explains that “to accomplish this, organisations need to assess the effect encryption has on security throughout. Isolated point solutions then need to be replaced with an integrated security solution that can automatically process large quantities of encrypted data. All without slowing productivity or hindering visibility, especially since the volume and percentage of encrypted data will only continue to grow.
“For encryption to work most effectively, organisations must take an integrated approach within their security strategy to make sure encryption is doing its job: providing critical security and data protection without decreasing the productivity of the security infrastructure. Encrypted data must be inspected – but at the speed of the network, and without compromising digital business requirements. The use of automation and high-performance security resources tied together to extend protection from the network edge out to the cloud and deep across the distributed network will prevent negative consequences related to protecting data, while ensuring the positive experience that today’s digital consumers demand.”
Encryption is, and will remain, an important part of organisations’ frontline cyber security puzzle. However, in the face of growing governmental criticism, the security industry must proactively educate people about the important role it plays in keeping our data safe.