From the CTO’s Office: The Fallacy of End-to-End Encryption

RSA 2017 was, as always at InteliSecure, a very busy week that has the distinct possibility of disappearing into a blur of meetings, lunches, dinners and happy hours. During these events, I had the distinct pleasure of speaking with a group of smart, talented and influential people. One such discussion sparked a conversation about the disturbing trend of end-to-end encryption from any client to any destination that makes it increasingly difficult for corporate security teams to monitor their communication systems. These changes, masquerading as an effort to guarantee privacy for user communications will most definitely have a detrimental impact on information security programs, resulting in an increase in data breaches and significantly less privacy for all of us.

To be clear I think encryption is a good thing, two parties sharing information they own or have the legal right to share, in a way that makes it difficult for those communications to be intercepted by an unauthorized third party and is a fundamental tenet of information security.

However, when the encryption is from client-to-client, you are simply creating an exfiltration channel that will undoubtedly be exploited to steal information by malicious external and internal actors. The act of intentionally preventing an organization from monitoring activity and information on their networks is flawed on several different levels. Some would go so far as to say illegal. Elected government officials in both parties within the United States, not necessarily the intelligence and law enforcement community, have shown a fundamental misunderstanding of how digital communications work and of information security in general.

Implementing end-to-end encryption is akin to turning off all street lights so no one will see where people are coming from, or going to. That may be an effective way to protect the privacy of a person’s comings and goings, but thieves and violent criminals will use the cover of darkness to perpetrate their crimes with impunity. It has been proven that visibility is an astonishingly effective deterrent to crime and is especially important in the cyber world where anonymity is a key driver for increasing global crime rates.

According to research about the link between improved street lighting and crime, “results showed that improved lighting led to a significant 30 percent decrease in crime.” Note that this is simply improving street lighting and not going from complete darkness to light. It could be assumed that providing a digitally dark environment for cyber criminals to operate, without the ability for oversight from organizations on their own network, would lead to significantly more cyber crime. As an example, let’s use a conservative 30 percent estimate to relate street lighting and cyber crime. According to McAfee’s research paper of the economic impact of cyber crime, the annual impact of cyber crime on the United States economy alone is $100 billion dollars. Therefore, it could be assumed, conservatively, that this push for end-to-end encryption, or as Symantec CEO and former Blue Coat CEO Greg Clark puts it, “making the internet go dark”, would have an additional annual impact on the United States economy of $30 billion dollars. Why would we allow this to happen? Surely something must be done in order to stop this trend before it costs us all a lot of money.

It’s easy and even tempting to pretend that the crimes we see in the cyber world are radically different than the crimes we see in the physical world. They’re not. The motives are the same, it is primarily the tactics that are different. Therefore, countermeasures must be different, but deterrents that are effective in the physical world can be adapted to the cyber one to the extent that those deterrents are applicable. Maintaining visibility for organizations into the activities on their own networks is a deterrent that is certainly applicable.

In the wake of the terrorist attack on an office party in San Bernardino, CA, the U.S. government stated that they need back doors into encryption. That kind of intrusive monitoring capability, especially without a warrant, is less than optimal. However, there is a fundamental difference between allowing any government to monitor everything and allowing organizations to monitor activity on their own networks. Shutting down visibility on networks they own, where working with their data is often the only legitimate use for those networks, is akin to outlawing security cameras, silent alarms, or even door locks and vaults at banks.

There is a notoriously contentious relationship between security and privacy as initiatives as well as professions. As InteliSecure discussed in a co-produced webinar with the International Association of Privacy Professionals (IAPP), in that contentious relationship, mutual understanding and a good programmatic approach means security and privacy don’t have to be mutually exclusive. In fact, it benefits both areas to work collaboratively. We even posited that you can’t truly have privacy without security or security without privacy. It was a great “kumbaya” moment in which we came to a conclusion which seemed obvious to us, but one that hopefully helped organizations look at two essential roles from a fresh perspective as it relates to organizational structure. This initiative to darken the internet in the name of privacy would destroy several effective security controls currently in use and, by virtue of its detrimental impact to security, would have a negative impact on both security and privacy in the long run. For instance, if you have private communications that causes all of the information in those communications to be stolen by people leveraging those same channels as a point of exfiltration, you have destroyed any semblance of privacy by implementing a more stringent privacy control.

Why would manufacturers do something so detrimental to our security capabilities? Some suggest they are doing it in order to accelerate performance with respect to encrypted communications, but the more cynical among us look to advertisers’ abilities to increase revenues if they can more reliably deliver targeted advertising to consumers. Think what you will about why, I’m only speaking about the security implications of this trend, not about motives.

If you take the cynical approach, these initiatives represent a new threat to all of us, foisted upon us by technology manufacturers seeking new ways to deliver advertising content and protect revenue streams using end-to-end encryption under the disingenuous guise that it’s good for privacy. It’s not, but it is good for business, if your revenue streams are predicated on advertising.

This is a modern day Trojan horse, coming to our networks and delivering countless un-monitored exfiltration channels to the bad guys under the guise of giving us avenues of private communication on corporate networks, safe from our employer’s prying eyes. I would much prefer my employers to be able to monitor my communications while I’m on their network, understanding that anything I don’t want them to see I can do at home on my own equipment, than welcoming hackers to help themselves to my business and personal information. This is the classic case of us welcoming the fox to the hen house and we need to think about what we are doing now, before it is too late.

If this new world comes to fruition, organizations will have two bad choices if they want to maintain their security controls: move all network security stack capabilities to the endpoint, resulting in a massive proliferation of agents and processing needed for security, further crushing these devices under the massive weight of their security processing needs, or to willfully neglect their fiduciary duty to their customers, employees and shareholders by abandoning all protections for sensitive information that we’ve been building for the better part of two decades.

The worst part about the whole thing?  We’re doing it to ourselves.