Governments covet your data... and to get it, they are even willing to destroy the foundations of trust on the Internet. The encryption debate, which has been raging for years, is now reaching a crescendo that may well irreversibly shake the foundations of online trust: perhaps we will never recover from the disaster scenario that is currently unfolding. From all sides - the FBI trying to force Apple to develop software to bypass its own encryption; the UK government introducing its Snooper Charter to force companies to stop encryption by disclosing the content of encrypted communications; a Brazilian judge blocking the WhatsApp application in his country, punishing the company for withholding information in an investigation of drug traffickers - the message from the administrations is crystal clear: they want to get their hands on the "sesame" that will give them access to all the data and, so desperate to get it, they are no longer aware of the dangers involved. When will a similar situation arise on French territory?
Our online world is based on a system of cryptographic keys and digital certificates which, for the past 20 years, has formed the basis of our secure communications. By design, these keys and certificates are readily trusted by servers and other security applications to maintain confidentiality and authorizations for everything that is IP-based today: servers, clouds, mobile devices, applications and connected accessories that are part of the Internet of Things (IoT). In essence, they allow our machines to communicate with each other and determine who and what is trustworthy: and if you have the "key" to control these communications, you are able to subject these machines to your will and have access to the data that interests you. The government cannot be blamed for being so obsessed with the quest for this sesame; but can we really trust them, given the precedents? The facts are there: data is a form of power; power corrupts; absolute power is absolute corruption. It would be foolish to think that the administration would be safe.
Examples of abuse of administrative power are not lacking; whistleblower Edward Snowden has lifted the veil on NSA activities (with a stolen key, no less), and recently it was learned that the British secret service was spying on several million of their fellow citizens. States are already exceeding their rights by collecting data, without their knowledge, on citizens who, for the most part, have not committed any crime or offence. And the problem is not just for technology companies like Apple: today, every company operates digitally, and every institution is a repository of data. So how far will governments go? Will they require banks to have real-time access so they can monitor transactions? Or access to geolocation systems in transport?
At the moment, encryption is making it difficult for governments to know everything we produce, and they are enraged by this. How dare individuals decide to grant or deny access to their data, and for what reasons? They find this freedom quite outrageous. They must be terrorists or have something to hide. This is the discourse generally held by governments, yet there are many reasons why companies and individuals want to preserve this basic right called privacy, and wanting it does not make them criminals.
Even if you are willing to provide the administration with access to your data, this does not mean that you are prepared to grant free access to anyone. Our intellectual property, the trust our customers place in us, and our company's DNA are in our data, which is why it is so fiercely guarded. It's not so much an abuse of power by the administration vis-à-vis this sesame that we have to fear, but the incompetence of the public authorities.
Time and again, administrative security breaches have been identified. Today, if they are given the powers they are asking for, they will now be responsible for the security of our businesses: they are the ones who will hold the key that will allow a hacker to empty all our bank accounts. As a customer, I do not feel particularly reassured on this point, but as a shareholder, I think that I would be in a hurry to sell my shares in the bank in question if I learned that the State held the key.
Forcing perfectly legitimate companies to provide a "back door" to their solutions will also create tools that can fall into the wrong hands. Take the example of Stuxnet: here, the US government created a vulnerability using keys and certificates hijacked for its own purposes, which was soon hacked and exploited in the worst possible way, since it was aimed at critical infrastructures. This government attack formed the basis of an attack scenario that is now commonly used by cybercriminals.
The seal of secrecy does not last long, especially in the dark world of intelligence services. When the United States developed the atomic bomb, I'm sure it hoped to keep it secret; today, Kim Jong-un's chubby finger threatens to press the detonator. The "sesame" is likely to be even more destructive. Our universe, our strategic infrastructures, e-commerce, hospitals, everything is connected by machines now; if someone manages to take command of these machines, we are facing a "year zero" scenario that could set us back a century. It's a veritable collapse of society that could happen. And the more the number of devices grafted onto this network of machines on which we are dependent increases with the rise of the Internet of Things, the more urgent the problem becomes.
Worse, the pirates know every move we make. The Dark Web is a bustling marketplace where the "bad guys" trade and exchange keys and certificates; think what would happen if they got hold of the coveted "sesame". In the words of Doc Brown (Back to the Future): "The consequences would be catastrophic." But what else? Well, for a start, ransomware could well proliferate in the Internet of Things, with companies at the mercy of hackers, forced to hand over several million pounds to them. And nation-states intent on wrangling a country could wipe out its electricity grid, or even change the temperature of its nuclear facilities to make them unstable. If they fall into the wrong hands, keys and certificates can become weapons of mass destruction: do we really want other such tools to flood the market?
For all these reasons, it is vital for the future of the planet that we deny access to our "sesame": otherwise, the world as we know it may well be transformed, and probably not in the right direction.
Kevin Bocek, VP Threat Intelligence and Security Strategy at Venafi