Once upon a time, the United States government made a bold attempt to control encryption.
“Uncrackable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity,” said then director of the FBI Louis Freeh, way back in 1997.
Speaking with Information Age, Kevin Bocek, vice president of security strategy and threat intelligence at global cyber security company Venafi, explains where it all went wrong for the US government all those years ago.
“We quickly learnt that you could get the same technology for free on the internet,” he says. “We were losing out.”
More than two decades down the track and Australia now faces a similar dilemma, following the introduction of the Assistance and Access Bill late last year.
For as long as the legislation has been up for debate, critics have argued that interfering with encryption locally weakens Australia’s position globally.
Bocek, who is based in the US, believes that for encryption “to be used to its maximum benefit” it must be “free and outside the scope of government control”.
Another concern around the new Australian laws has been the idea of creating systemic weaknesses.
“Anytime that you build in weaknesses, or anytime that you require something that should be private to be made public, it has the opportunity for risk,” says Bocek on the matter.
He gives the example of Stuxnet – the ‘cyberweapon’, widely attributed to the US and Israel, that was developed in the mid-2000s to target the Iranian nuclear program.
“That didn’t just affect Iranian nuclear centrifuges, it affected businesses globally, that affected infrastructure globally,” says Bocek.
“Trust me, bad guys aren’t going to use weakened methods, bad guys aren’t going to be delivering machine identities to the government.
“So [weakening encryption] only then hurts private enterprise, it only hurts innovation and that’s why what we’ve seen time and time again, which has been most successful, is government not trying to get in the way.”
Putting trust in machines
Venafi specialises in machine identity protection: the keys and certificates that devices and software use to authenticate one another. In practice that means helping a device identify whether “an app that’s getting installed is good or bad,” says Bocek.
He explains that this is an area that adversaries are now beginning to target.
“We saw this really start to rise in the last three or four years where they would have phishing sites that would be getting machine identities that look like real ones.
“They weren’t real, but they could trick your mobile device or browser to think they were real and when you looked at it, you wouldn’t know the difference.”
But now, he says, malicious actors’ ability to trick devices has developed further, to the point where they can create “completely trusted” machines.
“They've now actually been able to get identities that are as real for the machines of banks and retailers and governments as the real ones are.”
The technology is there to fight against these complex attacks, Bocek reaffirms, it just needs to “be used the right way”.
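Bocek’s point is that a certificate chaining to a trusted root tells a browser only that some CA vouched for the name inside it, not that the name is the one you meant. The practitioner’s version of “using the technology the right way” is to match a certificate’s DNS names against the exact hostnames you expect, honouring wildcards only in the narrow RFC 6125 form, and to flag near-misses for review. The following is an added example written for this article; it is not code from the article or from Venafi. The hostnames, the SAN lists and the small confusables table are all constructed for illustration, and the lookalike heuristic is a review aid rather than a blocking rule.

```python
"""Match certificate DNS names against expected hosts and flag lookalikes.

Added example: standard library only. All hostnames and SAN lists below are
constructed for illustration and belong to no real organisation.
"""
import unicodedata

# Hypothetical: the exact hostnames our own service is known to present.
EXPECTED_HOSTS = {"www.bank.example", "login.bank.example"}

# A deliberately tiny table of characters that render like Latin letters.
# A production check would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def to_unicode_host(host: str) -> str:
    """Lower-case a hostname and decode any punycode (xn--) labels."""
    labels = []
    for label in host.strip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # a malformed A-label is kept as-is and will match nothing
        labels.append(label)
    return ".".join(labels)


def san_matches(expected: str, san: str) -> bool:
    """RFC 6125-style DNS-ID matching.

    Case-insensitive; a wildcard is honoured only as the entire leftmost label,
    only when at least two labels follow it, and it matches exactly one label.
    """
    expected = to_unicode_host(expected)
    san = to_unicode_host(san)
    if "*" not in san:
        return expected == san
    san_labels = san.split(".")
    exp_labels = expected.split(".")
    if san_labels[0] != "*" or len(san_labels) < 3 or any("*" in l for l in san_labels[1:]):
        return False
    return len(exp_labels) == len(san_labels) and exp_labels[1:] == san_labels[1:]


def cert_is_ours(sans, expected_hosts=EXPECTED_HOSTS) -> bool:
    """True if any DNS SAN in the certificate names one of our expected hosts."""
    return any(san_matches(e, s) for e in expected_hosts for s in sans)


def skeleton(host: str) -> str:
    """Reduce a hostname to roughly what a person sees: NFKC, confusables
    folded to their Latin look-alikes, dots and hyphens dropped."""
    h = unicodedata.normalize("NFKC", to_unicode_host(host))
    return h.translate(CONFUSABLES).replace("-", "").replace(".", "")


def under_domain(host: str, domain: str) -> bool:
    host, domain = to_unicode_host(host), to_unicode_host(domain)
    return host == domain or host.endswith("." + domain)


def lookalike_sans(sans, expected_hosts=EXPECTED_HOSTS):
    """Return SANs whose visual skeleton contains one of our brand labels
    (e.g. 'bank' from bank.example) but which do not sit under that domain.

    Heuristic only: it will also flag unrelated names that happen to contain
    the brand string, so treat hits as items for a human to review.
    """
    domains = {".".join(h.split(".")[-2:]) for h in expected_hosts}
    flagged = []
    for san in sans:
        for dom in domains:
            brand = skeleton(dom.split(".")[0])
            # Treat a wildcard label as an ordinary label for the domain test.
            if not under_domain(san.replace("*", "wildcard"), dom) and brand in skeleton(san):
                flagged.append(san)
                break
    return flagged


if __name__ == "__main__":
    # Constructed SAN lists standing in for certificates seen in the wild.
    samples = {
        "genuine": ["www.bank.example", "login.bank.example"],
        "wildcard": ["*.bank.example"],
        "hyphen lookalike": ["bank-login.example", "www.bank-login.example"],
        "homoglyph lookalike": ["www.b\u0430nk.example"],  # Cyrillic 'а'
        "unrelated": ["www.shop.example"],
    }
    for name, sans in samples.items():
        print(f"{name:20} ours={cert_is_ours(sans)!s:5} lookalikes={lookalike_sans(sans)}")
```

The two functions answer different questions and both are needed: `cert_is_ours` is the strict check that a monitoring job or pinning policy should enforce, while `lookalike_sans` is what you run over certificate transparency logs or phishing-site captures to find the names that a person, as Bocek says, would not be able to tell apart.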