Absent cryptography

Relationships are often characterized by the level of trust individuals experience with each other. From big life events to small daily needs, the trust bonds between friends, family members, and even co-workers often shape the other experiences within a person’s life. For example, confidence in a family member’s financial responsibilities impacts loans requiring a co-signer, just as faith in a neighbor’s diligence can ensure that the police are called if a residence is robbed while the homeowners are away.

As this world becomes more intertwined and individuals become more reliant on connected technologies, new trust bonds are constantly forged and broken. These relationships are established, and sometimes end, so quickly that many individuals are unaware of all the different trust relationships they have established. These relationships go beyond the traditional individual-to-individual experience and are more regularly emerging between individuals and corporations. Yet, as these business-to-customer trust relationships have grown more frequent, only in the wreckage of cybersecurity milestones such as the Cambridge Analytica scandal and the Equifax hack has trust become a more prevalent consideration for individuals engaging in online services and activities. As a result, leveraging cryptography in everyday online interactions has become a discussion point amongst cybersecurity professionals and users alike. This implementation was analyzed at length at the recent 2019 RSA conference panel on cryptography, wherein world leaders in the field discussed the potential applications of building greater trust through implementation of cryptography.

The panelists of the cryptography discussion, which included experts such as Ron Rivest (the R in RSA), noted that, in a perfect world, cryptography would encapsulate most, if not all, of what individuals do online. This implementation, while increasing trust in the communications between the users and the services they engage, does prove somewhat problematic in today’s world. One of the issues discussed by the panelists surrounded the question of scaling cryptography. Panelists agreed that if all communications were encrypted, the level of abstraction would potentially become overwhelming. Additionally, removing abstraction creates a greater potential for risk. Relying on one type of cryptography could result in a catastrophic concentrated failure wherein entire databases and communications channels are compromised simultaneously.

However, the ideal world of multiple cryptographic algorithms lying on top of each other does have a hope of emerging if cryptography implementation, for increased trust and privacy, is considered at the start of a project. The panelists noted that, just like secure developer operations, if cryptography is implemented at the ground level of a project, it will become a constant consideration at all stages of development. As a result, cryptographic application does not become an additional layer requiring backwards engineering part way through development, but rather something that grows with a project during its lifecycle.

However, no matter at what stage of a project cryptography is implemented, panelists agreed that social aversion toward the technology substantively hampers implementation. Specifically, a lack of understanding of the mechanisms required for implementation can sometimes lead to slower application. One example identified was the slow adoption of secure DNS by organizations and individuals alike. This case is probably best exemplified by the rather recent adoption of secure DNS by individuals through accepting the free secure offering provided by Cloudflare at 1.1.1.1.

Trust and privacy go hand-in-hand with most users online. Individuals trust organizations to protect and secure their private information. However, unless organizations take the time to implement privacy-enhancing technologies such as cryptography, that consumer trust is at risk. Through becoming more comfortable with cryptography and implementing it at the start of a project, organizations can become more secure and private, and (hopefully) gain the trust of the user.

Frank Downs, Director and SME, ISACA Cybersecurity Practice
