It’s Time To Shake The Cybersecurity Etch A Sketch

In reflecting on the state of cybersecurity, and specifically the cryptography (authentication and/or encryption) used in business, government and personal data eco systems, email and messaging apps, it is crystal clear that it’s time for a new plan.

Easy-to-Use and Effective Cryptography is Essential to Protect Data, and Access to Systems.

In her 2018 book entitled ‘You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches’, Josephine Wolff , Assistant Professor of Cybersecurity Policy at Tufts University, reviews some major data breaches, and then groups them into the following categories, according to the hackers’ motivation.

1.????For financial gain (TJ Maxx and the South Carolina Department of Revenue, and various ransomware attacks)

2.????For cyber espionage (the US OPM and DigiNotar)

3.????For online humiliation (Sony and Ashley Madison)

Dr. Wolff outlines how each breach was discovered, the mistakes made by those responsible for preventing such breaches, and what could have been done to mitigate the damage.?

In learning more about these serious security failures, I reached several conclusions.?First, today’s popular cryptography that originated in the 1970’s is far too complicated to be properly deployed.?Second, it was designed in another era for another purpose and, as such, is completely inadequate to protect our complex, connected world.?And lastly, there is such a shortage of cryptography expertise within the cybersecurity community that human error is perhaps the biggest weakness.

With that last point in mind, consider this.??In the first week of January 2021, the US National Security Agency (NSA) issued six pages of guidance on ‘Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations ’.?Additionally, the NIST four-volume SP 800-63 Digital Identity Guidelines document suite comprises 250 pages.?I’m not suggesting that these guiding organizations aren’t contributing, it’s just that if they feel that it’s realistic to expect systems administrators to follow these instructions, in my opinion they’re missing the point.??

To better understand the underpinnings of the cryptography most in use today, a clear understanding of factored prime numbers is critical.??A short four-minute YouTube video, entitled?This Number Is Illegal ,?succinctly explains the importance of prime numbers in today's ubiquitous cryptography.??It’s shocking to learn that every DVD on earth was thought to be protected by utilizing only one single-factored prime number.??And when that secret number was revealed, the expected remedy was to make the possession of that number, illegal.??When the factored primes for TLS are revealed, what will then be the magic solution???Broad adherence and trust in the Public Key Infrastructure (PKI) is additional evidence of the need for deeper understanding of cryptographic structures and processes.??My understanding of PKI’s design is that it was intended for communications and data file encryption last century.??It is ill-fitted to the 21st?century hybrid Cloud, mobile, IoT, layered-apps, blockchain, data fabric digital world we are accelerating beyond.??

What’s needed in a Modern Cryptosystem

Our digital world needs an easy-to-use, secure cryptosystem that administrators can quickly master and operationalize.?It should be as easy to learn and use as today’s most popular software applications, and should deliver the following:

• It must be easy to configure and administer.
• It must be able to secure groups (people/devices) and elegantly accommodate rules-based intra and inter-group communication (Circles of Trust).
• It must be able to secure (encrypt) data in transit (fixed or mobile) both to and from, and where it resides (i.e. data at rest), and it must be able to do so using AES or any other preferred symmetric encryption protocol.
• It must be able to authenticate both the sender and the receiver.?
• Attributes and identities need to be included in the access protocols.?
• It must function at the application layer.?
• Both legacy PKI, and the chosen future cryptosystem need to be able to co-exist (run in parallel) until everything is protected with the new system.?
• It must use split-key technology so that there is no single point of failure, and no possibility of inside jobs.?
• It must quickly accommodate an unlimited ability to easily scale, to levels required for massive IoT deployments.
• It must be capable of peer-to-peer secure communication.
• It must be a system which can serve the needs of the nation for the next few decades.

From what I have read, and heard from industry colleagues, much more money and effort has been invested in creating vulnerabilities in widely-used ‘commercial’ cryptographic systems, than has been spent developing innovative solutions that simplify and harden US cryptographic defenses.??To quote Michael Sulmeyer , a?Senior Advisor at US Cyber Command, “We live in the glassiest of the glass houses ”.?

Where is the logic in spending trillions of dollars on military hardware, if it can’t be used, for fear of an adversary using a three-year-old laptop to cripple your critical infrastructure?

If we agree that popular cryptographic systems are too complicated, and suspect that they’re fundamentally compromised, the obvious step is to produce and employ easy-to-use and secure cryptographic products that haven’t been compromised.?

It’s time to shake the cybersecurity Etch A Sketch.?

If you’re too young to have ever used an Etch A Sketch, or even heard of one, it was a very popular mechanical drawing toy in the 1960’s that allowed kids like me to create images on its screen by maneuvering an invisible stylus using two dials.?When the image was done, and the user wanted to create a new one, they’d simply shake the device and the screen would return to its blank state, ready for another image to be created.

That’s what I believe is needed to fully protect our connected world.?Shake our global digital Etch A Sketch, and start over.?Of course, that’s not realistic as it is impossible to do a flash re-start of all things Internet.?What is possible, however, is to focus on securing three key areas that can usher in an era of unparalleled security – and recall that this can only happen by using cryptographic protocols that have not been compromised.?Consider the following:

1.????Encrypt all data in transit, in flight (mobile) and at rest.?Doing this ensures that even if breaches occur, the data stolen cannot be read.?It’s useless.?

2.????Authenticate every person or thing that has access to our connected world.?Think about this.?If the US Government took a portion of its 2021 $18.7B Cybersecurity budget and used it to embark on a program to trust nothing, and authenticate everyone and everything that touches American networks (using non-compromised protocols), the nation and its citizens would be vastly safer than they are today.?All that’s needed is someone to take the bull by the horns and make this happen.

3.????Authenticate and encrypt all messaging and email platforms, ensuring user privacy and legal government access, as and when required.?An astonishing 90% of all breaches stem from networks being accessed through compromised email accounts.?So lock email (and messaging) down by only allowing communication between users whose accounts have been authenticated.?And while we’re at it, ensure citizens’ digital data privacy, while affording nations globally the ability to quickly decrypt data through lawful means (i.e. the phone companies solved this issue from day one – authenticate the user of a phone number, and allow authorities to secure court orders to legally tap into conversations of those believed by a court of law to be a person of interest).?

The SolarWinds breach has exposed a whole new level of vulnerability.?We are learning almost daily of yet more entities that have been seriously compromised.?And the names on the list include IT leaders whose digital presence is global and pervasive.?We now know with certainty that our connected world is badly broken to the point where little is secure.?It doesn’t have to be this way.

Start small, but start now.

Authenticate. Encrypt. Lock down data/messaging/email/IoT.?Use Uncompromised Protocols.?

If we keep doing what we've been doing, we'll keep getting what we've been getting.

It's Time To Shake the Cybersecurity Etch A Sketch.??