The Security Industry Found its Dream Enemy in 2013 -- and New Technical Challenges Too
Revelations about mass surveillance will fuel encryption adoption in the next year, but implementing it will take care, security experts say
Tue, December 31, 2013
IDG News Service — 2013 was the year we learned we must encrypt our data if we don't want the likes of the U.S. National Security Agency or the U.K. Government Communications Headquarters reading it as it crosses the Internet.
The security industry has the enemy it always dreamed of to help it make the case for encryption adoption, but users looking to secure their data and communications need to be wary of claims made in marketing messages. Securing data in motion is the priority, experts say, and some large Internet firms are already making progress in this area, but encrypting data at rest without losing its usefulness will prove a greater challenge.
"The NSA's surveillance has opened the eyes of many people around the world," Lamar Bailey, director of security research and development at security firm Tripwire, said via email. "Security professionals have always known that this style of surveillance is possible with the right resources, but this episode has been a big wake-up call for everyone. Many countries and companies outside the U.S. are now taking a harder, more in-depth look at software and hardware that comes from the U.S., although the silver lining is that mainstream users are now more concerned with encrypting data and reviewing how their information is being shared."
The public debate sparked by the surveillance revelations in recent months has prompted some encouraging responses already: Google has encrypted the links between its data centers; Yahoo is working to do the same and has promised to enable SSL encryption by default for webmail and other services, and Twitter has enabled an SSL feature called forward secrecy, already implemented by Google and Facebook, which makes mass decryption of SSL traffic hard even if the website operator's master private key is compromised.
Some software vendors started developing alternatives to existing communication technologies, with the goal of providing end-to-end encryption and making upstream data interception harder. Secure communications provider Silent Circle launched an effort called the Dark Mail Alliance to develop a private and secure email protocol that encrypts metadata, not just message contents; Pirate Bay co-founder Peter Sunde is working with others on a secure crowd-funded mobile messaging application called Hemlis with distributed infrastructure hosted in privacy-friendly jurisdictions, and BitTorrent, the company behind the popular file-sharing protocol of the same name, is developing a peer-to-peer instant messaging application that encrypts messages directly between users and doesn't rely on central servers.
These and other examples send a clear message: securing the data transport channels to prevent unwanted upstream interception is a priority. The Internet Engineering Task Force, an organization that develops Internet standards, is already working toward this goal. Together with other Internet infrastructure groups, IETF expressed concern that the reported mass monitoring and surveillance by government agencies undermines the trust and confidence of Internet users globally.