Encryption Wars™ Risk Impact Assessment

Encryption isn't the Enemy - Lack of it is the Threat

Last month, a hacker stole personal information and photos of more than six million children after breaking into the computer records of a educational toy company, VTech.

stolen-personal-data.jpg

VTech Holdings Ltd. fell to a three-year low after the Hong Kong-based company said hackers who infiltrated its online services gained access to the profiles of more than 6 million children whose files lacked encryption.

Almost half of the 4.9 million parent accounts that were accessed belonged to users in the U.S. and the rest were scattered around the globe, the maker of children’s electronic toys, smartwatches and computer tablets said in an online post. About 6.4 million children’s profiles were accessed, with almost half containing information -- names, gender and birth dates -- from kids.

Lack of Encryption in Healthcare Insurance

The FBI warned that medical devices and other hospital and healthcare systems need some serious
medical-health-data.jpg
security upgrades to weather the coming onslaught of malicious hacking. With an impending deadline to shift to electronic medical records, which fetch a high price on the black market, healthcare systems are an increasingly alluring target for cyber-criminals.

According to Wired magazine 2015 IS QUICKLY becoming (is) the year of thehealth insurance data breach. Targets have included Anthem healthcare, Premera, UCLA Health System, and CareFirst and most recently, Excellus. With 10 million victims, Excellus’ hack falls somewhere in the middle of those breaches in terms of severity, far worse than the 1.1 million records compromised in the hack of CareFirst, for instance, but with far fewer victims than the 80 million potentially leaked in the Anthem breach. Though it’s little consolation to Excellus and its customers, they’ll at least have plenty of company with well over 100 million medical record hacks this year.

Along with its customers, the Health Insurance companies also suffer from the the hacks of the records that are NOT Encrypted. Aside from the brand and reputation damage and cost of credit monitoring, the company could even be hit with fines for HIPAA violations due to failure to protect sensitive medical data. Customers face much more severe losses due to lack of encryption such as losing their benefits to imposters and the exponentiating possibility that Medical Implant devices as with millions of other Internet of Things (IoT) devices whose software lacks encryption could face personal injury or even loss of life.

Encryption and Political Rhetoric

After the recent attacks in Paris and San Bernardino, encryption has once again become a political target. Despite there still being no solid evidence the attackers benefited from or even used encryption (in at least one case, they coordinated via distinctly unencrypted text messages) in the U.S. law enforcement and national security hawks have used the tragedies to continue pressing tech companies to give the US government access to encrypted communications—even if that means rolling back security and changing the nature of their businesses.

cyber-attack.jpg

In the wake of the numerous incidents that have been traced to the Islamic State, otherwise known as ISIS or ISIL, academics and security advocates say officials are again seizing on public fear to push more aggressive surveillance legislation. This month, the French newspaper Le Monde obtained documents from the Ministry of Interior considering legislation to block the use of the Tor anonymity network, a series of virtual encryption tunnels that allow people to share information online without compromising their privacy. The documents also show discussionto “forbid free and shared Wi-Fi connections” used in public places like cafes and airports, during a state of emergency.

Similarly, the British Parliament is in the process of passing something called the Investigatory Powers Bill, which, according to its current draft, would drastically expand the government’s online surveillance privileges and require Internet and phone companies to have “permanent capabilities” that can intercept and collect data passing through their networks.

Why Encryption isn't == Terrorism

It took nearly two weeks for French officials to piece together how a team of nine terrorists planned the deadly Nov. 13 terrorist attacks in Paris that killed 130. And during that time, intelligence officials filled the media vacuum with their own theories for what happened.

A Nov. 15 New York Times story(which was later silently pulled) said the attackers were “believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation.”

According to Motherboard on Dec. 9, At a Senate Judiciary Committee hearing that day, FBI director James Comey went so far as to suggest that companies providing users with end-to-end encryption might need to simply, well, stop doing that.

No government has provided a concrete example of when encryption has stopped them from getting information that they deemed necessary to investigate a terrorist attack, that they weren’t able to get through other means,
Amie Stepanovich, the U.S. policy manager for Access Now, a nonprofit dedicated to defending digital rights.

encryption.jpg

The simplest analogy for why the narrative around encryption as being anything more than enabler for the privacy and security that people and companies need comes from Whitfield Diffie who helped lead a revolution in computer cryptography decades ago.

"This is like saying, well, you know, cars are of use to bank robbers. This was at one time a very major thing," he said. "Nobody ever took seriously at that time the notion that you should cut down the abilities of cars in order to solve one particular sort of crime."

I look forward to your thoughts and inputs on the critical and timely topic of encryption and it's role in ensuring the privacy, safety and security of people, processes and technology both in your personal and professional lives.

Comments

Not to be published