Govs need not break encryption to beat cybercrime

UploadsNewsArticle4505483main

American criticism of Chinese behaviour in cyberspace has a pedigree in international relations, and this week has seen the US turn its attention to its emerging rival’s request to see the source code of tech companies, criticising the move as economically damaging.

Yet the view that governments should have more control over the renegade tech sector is not confined to China. Spooks from the US and the UK have rebuked Silicon Valley recently for its insistence that customers have access to good encryption, having previously created vast cyber-espionage programmes exposed by NSA whistleblower Edward Snowden.

More recently, British prime minister David Cameron tried to hatch his own backdoor plan before jetting off to Washington to talk war games with president Barack Obama, with the former criticised within the cybersecurity industry for such a move.

"It’s difficult to say too much because there isn’t a huge amount of detail that has come out from government on the topic [of encryption]," said Simon Rice, principal policy advisor at the Information Commissioner’s Office (ICO), who added that his office promotes the use of encryption to protect people’s data.

Confidence in government has understandable been weakened after Cameron’s comments. Perhaps as a result Rice feels that more transparency could restore that. "There’s a legal framework in place [for data warrants] and it seems to work reasonably well, " he says. "But more transparency is never a bad thing."

Sharing intel and nabbing crooks

If there is a whiff of hypocrisy it is in part because the problem of untangling privacy, security and geopolitics is much bigger than the politicians who must solve it. Yet this does not excuse the error of making enemies of the tech sector – an essential ally in bringing cyberspace back under government control.

"We need to get to a point where law enforcement and government are working more closely and sharing more intelligence," says Richard Turner, VP of EMEA at security vendor FireEye. His firm, like many, has started to create frameworks by which companies can share threats, a move that cold obviously be extended to governments.

The problem is that attempts to share data have run into hurdles in the past, as most companies are reluctant to reveal their weak spots for fear of reputational damage, or being seen as an easy target for hackers. The code of silence has been a boon for hackers, allowing them to use the same tactics against multiple targets with little insight into the threat landscape.

Another problem, as evinced by a US attempt to indict five Chinese soldiers for hacking last year, is the lack of international procedure around extraditing cybercriminals. Many believe that hackers are thriving in ungoverned spaces within Eastern Europe, launching attacks into other countries without fear of reprisal.

"How can we work together to create legal relationships and create laws that understand the geography of the problem?" Turner says. "Though the number of prosecutions are going up, compared to the amount of attacks it’s not tracking."

The geopolitical tensions between the likes of the North Korea, China, Russia, the US and the EU means that countries may find it difficult to extradite crooks. If cybercrime were treated like any other breach of international laws the use of sanctions would be widely mooted, but as of yet such measures have remained off the table.

"We put sanctions through the UN to countries on countries that occupy other countries and there are things like that for states that harbour terrorists," Turner says. "Some of the tools are already available – it seems we just need to apply them to the problem."

Comments (0)

Leave a Reply

Your email address will not be published. Required fields are marked *

Favourites

  • Favorite list is empty.
FavoriteLoadingClear favorites

Your favorite posts saved to your browsers cookies. If you clear cookies also favorite posts will be deleted.