This is part of a series of posts about what security experts think will happen in 2016.
2016 is right around the corner, and while many companies are gearing up for the New Year, security researchers have been busy trying to get ready for the threats that businesses need to be ready for in 2016.
F-Secure Cyber Security Advisor Erka Koivunen specializes in studying how governments and businesses can keep their data safe and secure. And Erka says some of the biggest developments that businesses need to be ready for have to do with new regulations and high-level debates about the future of encryption, but also dealing with the consequences of lax operational security.
Here’s the part that can make you crazy: as governments increasingly make new demands on the private sector to protect customer privacy, they are also demanding more intrusive access to the same data. It’s an irony that’s enforced by law—so the best strategy is to accept the paradox for now and prepare for increasing demands from governments, even when those demands contradict each other.
“Reforms to intelligence legislation will be the dominant security challenge in 2016.”
The future of end-to-end encryption is a hot topic at the moment, as some governments are now pressuring companies to create technical solutions that would allow them to monitor encrypted communications. The discussion is not about whether the use of cryptography should be banned, but about whether commercial products should be designed to give governments backdoor access.
If, for example, the US and UK governments had their way, some companies could be forced to adjust their business models to conform to government demands for data access. Messaging products like iMessage, Signal and WhatsApp have in particular been held up as examples of products that are too secure for your own good. Facebook Messenger and Twitter Direct Messages, on the other hand, would already be compliant simply by virtue of how they were designed in the first place.
A group of some of the world’s largest tech companies, including Apple, have publicly voiced their opposition to the idea that weakening encryption would be in the public’s interest. Their words have been backed by the world’s most respected cryptography researchers, who also reminded us of the so-called Crypto Wars of the 1990s.
Breaking encryption is a threat to businesses because it effectively requires them to take custody of people’s personal data, which is a serious liability for companies, since they would need to develop systems for doing this securely. And given the increasing number and severity of data breaches over the past year, this is a responsibility that companies cannot shoulder on their own.
“Legislating something like this will expose people to more threats than it will protect them from, so it’s going to sacrifice many security measures we take for granted without really yielding any tangible benefits,” said Koivunen. The insistence of major intelligence services on being given bulk access to private data and communications (instead of targeted warrants for specific data) doesn’t make the idea any more tempting, either. “Companies want to offer end-to-end encryption because it protects them, their partners, and their customers. What you don’t have yourself, you cannot disclose even if you were compelled to. Opening a backdoor for one government will eventually lead to foreign intelligence agencies, corporate saboteurs, and criminals sneaking through, so expect this debate to be fiercely fought by stakeholders in 2016.”
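To make the design distinction behind “what you don’t have yourself, you cannot disclose” concrete, here is an added toy model in Go. It is written for this post and is not F-Secure’s, Koivunen’s, or any messaging vendor’s code. It contrasts a server-readable design, where the provider encrypts with a key it holds and can therefore produce plaintext when compelled, with an end-to-end design, where the provider relays only ciphertext and the parties’ public keys and has nothing it can decrypt with. The X25519-plus-AES-GCM construction, the labelled SHA-256 standing in for a key derivation function, and the `Provider`, `Record`, `SendE2E`, `ReceiveE2E`, `SendServerSide` and `Disclose` names are all assumptions of this example, not a description of any real product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Toy model, constructed for this example, of where the decryption key lives in each design. Real protocols add ratcheting, key authentication and HKDF.

// Record is what the provider stores and relays in either design.
type Record struct {
	SenderPub  []byte // sender's X25519 public key; public, so the provider may keep it
	Nonce      []byte
	Ciphertext []byte
}

// Provider is the operator: it holds ServerKey for the server-readable design and, for end-to-end traffic, only ever sees Records.
type Provider struct{ ServerKey []byte }

// kdf turns an X25519 shared secret into a 256-bit AES key (labelled SHA-256 stands in for HKDF).
func kdf(shared []byte) []byte {
	h := sha256.New()
	h.Write([]byte("toy-e2e-v1"))
	h.Write(shared)
	return h.Sum(nil)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil { return nil, nil, err }
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil { return nil, nil, err }
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts; GCM authentication fails under any key other than the sealing key.
func open(key, nonce, ct []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	return aead.Open(nil, nonce, ct, nil)
}

// SendE2E encrypts under a key only the sender and recipient can derive.
func SendE2E(sender *ecdh.PrivateKey, recipientPub *ecdh.PublicKey, plaintext []byte) (Record, error) {
	shared, err := sender.ECDH(recipientPub)
	if err != nil { return Record{}, err }
	nonce, ct, err := seal(kdf(shared), plaintext)
	if err != nil { return Record{}, err }
	return Record{SenderPub: sender.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// ReceiveE2E is the recipient opening a Record with its own private key.
func ReceiveE2E(recipient *ecdh.PrivateKey, r Record) ([]byte, error) {
	senderPub, err := ecdh.X25519().NewPublicKey(r.SenderPub)
	if err != nil { return nil, err }
	shared, err := recipient.ECDH(senderPub)
	if err != nil { return nil, err }
	return open(kdf(shared), r.Nonce, r.Ciphertext)
}

// SendServerSide is the design where the provider encrypts with its own key.
func (p *Provider) SendServerSide(plaintext []byte) (Record, error) {
	nonce, ct, err := seal(p.ServerKey, plaintext)
	if err != nil { return Record{}, err }
	return Record{Nonce: nonce, Ciphertext: ct}, nil
}

// Disclose is what the provider can hand over when compelled: it tries the one
// key it holds. Server-side records open; end-to-end records fail authentication.
func (p *Provider) Disclose(r Record) ([]byte, error) {
	return open(p.ServerKey, r.Nonce, r.Ciphertext)
}

func main() {
	curve := ecdh.X25519()
	alice, _ := curve.GenerateKey(rand.Reader)
	bob, _ := curve.GenerateKey(rand.Reader)
	p := &Provider{ServerKey: make([]byte, 32)}
	io.ReadFull(rand.Reader, p.ServerKey) // constructed sample server key
	e2e, _ := SendE2E(alice, bob.PublicKey(), []byte("constructed sample message"))
	got, _ := ReceiveE2E(bob, e2e)
	_, err := p.Disclose(e2e)
	fmt.Printf("recipient reads %q; provider compelled on E2E record: %v\n", got, err)
	ss, _ := p.SendServerSide([]byte("constructed sample message"))
	pt, _ := p.Disclose(ss)
	fmt.Printf("provider compelled on server-side record: %q\n", pt)
}
```

Run it with `go run` (Go 1.20 or later, for `crypto/ecdh`). The point of the model is that the provider’s failure on the end-to-end record is not a policy check that could be legislated away: `Disclose` genuinely attempts decryption with the only key the provider holds, and AES-GCM authentication rejects it. Any “backdoor” would therefore have to change the design so that the provider (or a third party) receives key material, which is exactly the liability the paragraph above describes.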
“The mandatory reporting requirements in recent European legislation will be game changers in terms of liability in cyber security.”
At the same time as governments are demanding backdoor access from businesses, they are also waking up to the fact that companies are increasingly targets of attacks themselves. It may sound contradictory until one realizes that governments speak with many voices, particularly in the EU.
As far as European data protection officials are concerned, all too often the costs of attacks are passed along to individuals and end users. In the EU, these concerns have been translated into new regulations (specifically, the General Data Protection Regulation and the Network and Information Systems Directive) that establish cybersecurity and data handling guidelines for companies operating in Europe, including what steps must be followed in case of a breach.
Financial penalties are going to become standardized and reporting security incidents will become mandatory. So there’s no easy way out, and no opportunity for companies to cover up security lapses, which makes securing that data a much more significant operational concern.
“Companies that are part of a data supply chain will feel the cost of business increase, but this will be a drop in the bucket compared to what will happen if they don’t comply with the legislation,” said Koivunen. “When you tally up the potential losses due to fines, loss of business and reputation damage, and other expenses, it becomes pretty clear that companies will need to get serious about security. Companies will need to start adjusting to the new reality in 2016.”
“Governments will not develop a sense of irony.”
Governments want you to secure customer data from everyone but themselves.
The United States, the United Kingdom and France are just a few of the nations that want on-demand access to everybody’s private communications and personal data. At the same time, they are demanding that service providers take on liability for ensuring “privacy by default”, as the EU puts it.
“Governments are demanding that businesses improve the security due to threats posed by online crime and foreign governments,” Koivunen said. “While at the same time they either outright hack into the very same companies or force them to backdoor or otherwise open up their systems for law enforcement or intelligence access.”
Perhaps it’s the ease with which governments hack businesses that makes them so suspicious of current security practices? That’s a scary thought. But the truth may be even more depressing than that.
“Governments do not have a sense of irony,” Koivunen said. “They have branches.”
Demands are not being weighed against each other because governments aren’t typically set up to weigh competing needs, at least when it comes to securing digital assets.
“If individuals in government step back, they can clearly see how what they’re demanding is bi-polar,” he said, speaking from his first-hand experience on Finland’s CERT team. “The problem is government authorities and their mandates are compartmentalized. The government branches exist in deep silos. Data protection people barely even talk to intelligence folks. Telecommunications regulators have a hard time figuring out what the law enforcement branch will come up with next.”
What the different silos demand does not seem contradictory when your silo is tasked with resolving a specific issue and nothing else.
“If all of a government’s policy initiatives could be followed to their logical end by someone at a cabinet level,” Koivunen said, “perhaps the convoluted sum of the mixed signals the government sends would be obvious.”
But don’t bet on that happening soon.