Today’s speech by GCHQ director Robert Hannigan failed to set straight the series of confusing contradictions regarding encryption.
At today’s Information Assurance conference, GCHQ director Robert Hannigan addressed the ‘patchy’ cyber security industry, called for the government and industry to work together and debunked three myths commonly associated with GCHQ’s snooping practices and the newly introduced Investigatory Powers Bill.
It is the latter which has fuelled industry discussion, particularly around encryption. Claiming first to advocate encryption, Hannigan then went on to say that information relating to national security should not be beyond the reach of the government.
Did Hannigan genuinely advocate encryption, or did his myth debunking actually only serve to confirm that the government wants penetrable encryption?
Examining the issues raised in Hannigan’s speech, five security experts attempt to decode its true intentions.
1. The confusing contradiction
Mateo Meier, CEO of Artmotion, said:
Unfortunately, while I believe that the IT community will welcome Hannigan’s comments, the recently released Investigatory Powers Bill highlights a worrying contradiction in government thinking. In 2015 alone, David Cameron has claimed that we should ban encryption, then limit it, then regulate it, and now GCHQ is telling us that we should be looking to strengthen it through non-governmental means.
These mixed messages from the UK government are making it extremely difficult for businesses to know how to react, ultimately slowing down the process for everyone involved.
2. Only half a story told
Thomas Owen, Security Manager at Memset, said:
Hannigan’s link between super-strong encryption and the presence of hostile actors beyond the reach of government only tells half of the story though. We live in a data-proliferate age; our lives and our secrets are continually absorbed by our telecommunications providers, the developers of our smart-phone and software providers, etc. and access to these will only get easier following the eventual implementation of the Investigatory Powers Bill.
Individually strong encryption may make achieving access to deliberately hidden data harder, but it stretches credulity to believe that it places it reliably beyond the reach of our (world class) intelligence services. It might be considered foolhardy to conflate the health and viability of our economy with the perceived downsides of a single technological toolset.
3. Creating the ‘weakest link’
Cyber-expert Cameron Brown said:
Any limits on the strength of encryption, or concessions extended to investigating authorities by way of backdoors or ‘master decryption keys’ will result in a situation where the security of the international community is substantially weakened by the security posture adopted in the least trusted country.
This is literally ‘the weakest link’ phenomenon manifested at the international level. When nation-states throttle effective encryption, communication providers that comply with laws in those countries become compromised by association. Such an outcome also magnifies the problem of safe harbor for cyber crime offenders and opens the way to a burgeoning black market for crypto.
4. Cyber-criminals will just go elsewhere
Dr Guy Bunker, Senior VP Products at Clearswift, said:
When it comes to cyber-security, the UK is not an island. The internet has made it very easy for people to use and abuse cyber technologies from across the globe.
This means that if one government imposes one set of restrictions, or requirements on vendors or service suppliers, then it is relatively simple for cyber-criminals and extremists to obtain and use technologies from elsewhere, which don’t have the restrictions or constraints applied to them. Balancing citizen security and privacy is really hard, but introducing weaknesses which ultimately put both at risk is not the answer.
Cyber-attacks are becoming more sophisticated; citizens need the greatest level of protection that vendors can provide and governments should endorse this – not a least common denominator.
5. Those in (cyber) glasshouses…
Ian Trump, Security Lead at LOGICnow, said:
The failures in cyber security are equally placed in people, process and technology. GCHQ chief Robert Hannigan is not delusional when he identifies the trouble with the cyber security market; however, the words, "I’m from the government and I am here to help" actually do more harm than good.
The UK public has had trust issues with GCHQ since Snowden. It is fine for GCHQ to throw (cyber) bricks but I would suggest they exist in a (cyber) glasshouse and could do more. For example, publish weekly indicators of compromise in a machine-readable format for real government certified threat intelligence.
It would be more constructive for GCHQ to identify and support a plan more adamantly, such as the UK Cyber Security Essentials, rather than standing behind the well-known failures of the security industry.