Every industry goes through times of crisis. As new challenges appear, old ways of doing business become obsolete, and a new path forward must be found.
The world of cybersecurity, without a doubt, is entering a period of crisis. A new generation of threats and vulnerabilities, emerging in a chaotic regulatory environment, is forcing the industry to redefine itself and create a new model for information security.
The stakes could not be higher. With financial data, medical records, intellectual property, and even military information in constant motion around the globe, our entire way of life depends on the security of our data. The expanding internet of things opens a new realm of vulnerable systems, and raises for the first time the prospect that hackers and spies can inflict immediate physical damage on their targets.
The news gives us little cause for optimism. Recent data breaches demonstrate the ability of hackers to steal information on hundreds of millions of people at once (Yahoo) and to compromise data with implications for national security (US Office of Personnel Management). Anyone with the right technical skills and an agenda—activist hackers, corporations, nation states, terrorist cells—has the potential to wreak havoc on a worldwide scale.
Who’s Steering the Ship?
Faced with these escalating threats, corporations and government entities in the US and UK are searching for new solutions. On both sides of the Atlantic, however, a critical question remains unanswered: what is the proper role for government in cybersecurity? The issue is complex and controversial, but it must be dealt with before we see meaningful progress.
At the centre of the debate is the balance between individual privacy and national security. Recent developments, unfortunately, including high-level security failures and ill-conceived legislation, have called into question the ability of governments to protect either privacy or security. Bills like the Cybersecurity Information Sharing Act in the US and the Investigatory Powers Bill in the UK illustrate the problem. By allowing (or even compelling) corporations to collect and share data on their customers’ activities, governments are actually increasing the likelihood that personal information will be stolen or misused.
Lingering concerns about surveillance by the NSA and GCHQ add to the difficulty. When governments take advantage of security weaknesses to snoop on their own citizens, rather than disclosing and helping to eliminate those weaknesses, individuals and corporations can hardly trust them to protect their interests against hackers and spies.
Security is one of the primary promises of government, but government is failing in the fight against cybercrime. We cannot expect elected officials to take the lead. The private sector, with a larger talent pool and a less ambiguous agenda, appears better equipped to develop new technology and respond to public concerns.
A Fighting Chance
Amid the debates on policy and the constant news of security breaches, data encryption has emerged as the single most important issue in the evolution of cybersecurity. Encryption is the last and strongest defence against cybercrime, and is an absolute necessity in a world where no one is safe from data theft. Only by encrypting data can organisations ensure their information will remain protected in the event of a security breach. Today, however, many organisations (including 50 per cent of UK businesses, according to a recent survey) still leave their sensitive data unencrypted.
Rather than encouraging a broader use of encryption, legislators in the US and UK have repeatedly attempted to render it pointless by introducing bills that would mandate the inclusion of backdoors, or that would ban end-to-end encryption outright. Political leaders across the European Union have also called for restrictions on encryption, while at the same time, the EU’s new General Data Protection Regulation provides incentives for organisations that encrypt their data. While politicians continue to muddy the waters, one fact remains clear: a truly effective cybersecurity strategy must be built on a foundation of strong, uncompromised data encryption throughout the public and private sectors.
We will never be free from cybersecurity threats. Criminals and terrorists will find new ways to infiltrate our information systems. Hostile nations, realising that cyber is a cheaper way to wage war, will take aim at our data and infrastructure. Times of crisis, however, are also times of opportunity. We must begin to take security more seriously and address the fact that we are only encrypting a fraction of our sensitive information.
With strong leadership from the industry and appropriate government policies, we can reinvent cybersecurity and enjoy a safer tomorrow.
Miller Newton, President and CEO of PKWARE