Former MI5 boss Jonathan Evans claimed recently that cybersecurity, supported by encryption, is vital to the well-being of our economic and daily lives. He’s absolutely right. Yet the government seems bent on undermining encryption in services like WhatsApp, even as attacks on our critical infrastructure by cybercriminals and nation states begin to have real world impacts.
Can we be confident that those we elect to serve and protect us are doing enough to secure cyberspace, as they vacillate between outspoken critics and vehement supporters of encryption?
A digital world
Security and privacy are often described as two sides of the same coin. If you want more security, privacy will often take a hit, and vice versa. Lately Theresa May, Amber Rudd and other ill-informed politicians have been calling for providers to undermine end-to-end encryption in their services, so the likes of MI5 and GCHQ can monitor terror suspects’ communications. Privacy would undoubtedly be the loser in that case, with the state able to monitor all of our WhatsApp conversations.
Yet in reality, we’d all be less secure too.
That’s because encryption is the secure foundation on which our digital lives are built. It secures our credit card numbers, our medical records, and our most intimate personal details online, as well as providing secure communications between an increasingly important network of smart devices which power our critical infrastructure.
Start chipping away at it like this and things could start to unravel very quickly. For example, demand a backdoor be built in any encrypted system for the benefit of the security services and one day it will find its way into the wrong hands, exposing hundreds of millions of law-abiding citizens to cyber-attacks.
We often forget just how much the modern world is reliant on IT systems to function. Perhaps we choose to forget, because it’s quite frankly terrifying.
Our reliance on the secure communications between the networks forming our critical infrastructure is absolute.
Our transport infrastructure, manufacturing industries, power plants, hospitals, banks, businesses, food producers, broadcasters and even the public sector all rely to a lesser or greater extent on connected systems and the secure (encrypted) communication of information.
Data is the currency of the modern world, pushed around the planet from server to server, machine to machine. It ensures the supermarket shelves are stocked with food, our heating comes on when we turn the boiler on, and our household waste is collected on time.
The growing Internet of Things (IoT) is a relatively new part of this technology infrastructure but already it’s finding its way into all aspects of our lives. On the one hand, it includes our smart watches, home routers, Fitbits and the like.
But much more important are the huge IoT networks of sensors and smart devices embedded deep into business systems. They monitor sewage levels in our water treatment plants; keep our nuclear power stations energy efficient and resilient; and ensure our mobile phone networks are always up and running.
The IoT is undoubtedly a force for good, it makes businesses more efficient and cost-effective to run, staff more productive and us all happier, healthier people as a result. But because it’s powered by digital, data-driven systems, there’s always the risk that hackers could get in – and they can launch attacks from anywhere in the world, hidden by the anonymizing blanket of the internet.
Keeping these systems safe and secure is vital to our daily lives and economic well-being.
Imagine if a series of coordinated attacks caused a meltdown at a nuclear power station, or disrupted Network Rail or air traffic control systems, grounding planes across the country. It could even target our financial system; consider the widespread panic that would ensue if ATMs suddenly stopped working.
Encryption is not a silver bullet, but it’s a vital part of the security and resilience of these systems, without which cybercriminals or even nation states would stand a better chance of disrupting our way of life.
That’s what ex-MI5 boss Evans was alluding to when he said: “As our vehicles, air transport, our critical infrastructure is resting critically on the internet, we need to be really confident that we have secured that because our economic and daily lives are going to be dependent on the security we can put in to protect us from cyber-attack.”
In a post-Brexit world, the UK is going to need all the help it can get to market itself as a safe place in which to do business. Yet unfortunately, there are already signs that the bad guys are starting to find ways to hack and disrupt these critical systems, which could not only affect our personal lives but our country’s wider economic and national security interests.
Whether it was a nation state or financially motivated hackers who carried out the WannaCry ransomware attack in May, the result was a glimpse into just how dependent we all are on IT systems.
The NHS fared particularly badly, with around 50 Trusts hit by the malware, locking doctors and IT technicians out of their machines and forcing the cancellation of numerous operations and chemotherapy appointments. The government has since pledged £21m to improving NHS cybersecurity, but there’s no indication where, when and how that money will be spent.
Wannacry crippling the NHS was a tiny taste of the potential disruption
Even more concerning are attacks that have begun to target IoT systems. In Ukraine for two years in a row in December, Kremlin-linked hackers launched sophisticated cyber-operations against sub-stations, resulting in widespread power outages. Lack of cryptographic signing at a chip level in one case allowed the hackers to remotely tamper with key systems. It’s a chilling foretaste of what could be to come.
Make no mistake, state snoopers are gathering intelligence on our critical infrastructure IT systems all the time. In the event of a conflict, these would be one of the first targets to suffer attack. A Pentagon report on the Chinese military claimed: “China’s most recent Defense White Paper (DWP) for the first time noted cyberspace as a new domain of national security and area of strategic competition.”
Encrypt these systems, and we at least stand a good chance of disrupting these efforts.
Are we doing enough?
The cybersecurity experts I’ve spoken to actually think the government is doing not too bad a job at the moment. The problem with critical national infrastructure (CNI) is that it’s operated by a wide sweep of mainly private sector businesses, all running a huge variety of heterogeneous systems mixing legacy with cutting edge technology. However, the government does have a clear leadership role, in supporting, advising and regulating such providers according to strict standards.
Its National Cyber Security Strategy 2016-21 makes all the right noises, promising to “help industry build greater security into the CNI supply chain”. Specifically, it claims the government will share threat information across the industry; produce advice and guidance; conduct joint exercises to test systems against attack; ensure the right regulatory regimes are in place; and stimulate the introduction of training facilities, testing labs and the like.
That’s all best practice stuff, as is the creation of a Centre for the Protection of National Infrastructure (CPNI) and National Cyber Security Centre (NCSC) to help co-ordinate efforts. New European rules – the Security of Network and Information Systems Directive (NIS) – will also be incorporated into UK law, levying huge possible fines for erring CNI firms of up to £17m or 4% of global annual turnover.
Yet these efforts threaten to be undermined by the government’s growing calls for its security services to be able to read the encrypted communications of terrorists. In its National Cyber Security Strategy document, the government has the following:
“The Government is in favor of encryption. It is a foundation stone of a strong, internet-based economy: it keeps people’s personal data and intellectual property secure, and ensures safe online commerce.”
Yet in the next sentence it claims that “as technology continues to evolve, we have to ensure that there are no guaranteed ‘safe spaces’ for terrorists and criminals to operate beyond the reach of the law”.
This is a government in denial; the same government which thinks it can have its Brexit cake and eat it. You simply can’t support encryption as part of keeping your CNI safe and secure but on the other hand call for it to be broken in order to monitor a handful of terrorists.
The government is in denial over encryption. Like Brexit, they can’t have their cake and eat it.
However sickening the attacks are when they come, the truth is that the terror threat is small in comparison to the cyber-risks outlined above. Cybersecurity is rooted in trust. Consumers trust organisations to securely store and process their data, and organisations trust that their IoT and other digital systems can operate without interference. Encryption is vital to establishing this trust. Let’s not undermine the good work being done to keep our country and its economy safe from attackers in a bid to score short-term political points.
As Evans said: “It’s very important that we should be seen and be a country in which people can operate securely – that’s important for our commercial interests as well as our security interests, so encryption in that context is very positive.”