As the President & CEO of The Penn Group, I see a lot of disturbing trends within the world of technology. One of the most disturbing is the fierce debate over encryption that is ongoing between our Government and private institutions, such as Apple, Inc. On one hand, the safety and security of the United States populous is at stake, and on the other hand the safety and security of the United States populous is at stake. Both sides are oddly fighting for the same thing. More on that later. Deeper than the moralities surrounding the unintentional protection of criminals is the theoretical weaponization of a building block of modern security, which is encryption by way of ransomware.
In 2012, I first encountered Ransomware. Ransomware is a type of malware, or malicious software, that utilizes encryption to lock up files and charges a victim some kind of fee to unlock their files. My personal computer had been infected with ransomware when a friend had watched pornography on the computer while I was gone on a trip. To my surprise, I sat down to login to my computer and found that all of my files had been encrypted. The fee to unlock my files was in the hundreds of dollars, to be paid in bitcoin. I could not afford to pay, and I lost all of my files. Ransomware has been a hot security buzzword for the past several years. Criminals have turned their attention to vulnerable targets In 2019, over 40 municipalities were hit by ransomware. In one case, 20 cities across Texas were hit simultaneously. In a high-profile case, a city in Florida had 100 years of municipal records encrypted by ransomware.
How does this happen?
The core technology that underpins ransomware is encryption. Encryption is a modern wonder that enabled the introduction of computing systems into nearly every facet of society. Let’s take a deep dive into encryption. Computers are linear in nature. At the core of modern computing is a central processor. This processor chews through literal 1s and 0s, which when strung together, formulate commands and instructions for the computer to execute. A computer will compute indiscriminately. Whatever the computer is told to do, it does. That simple fact is the reason why cybersecurity remains a tremendous challenge to this day. Once you connect several computers together, there is no way for a computer to sort of resist a bad command if given one, unless it was programed to do so. Furthermore, if a computer needed to transfer information between one computer and another, the computer would do so in cleartext. Every piece of data would be transferred along the signal path until it reached its destination as it left. But what happens when that connected signal is read by someone else?
For example: if we had a room with 6 computers in it, sitting on a table. Each computer is connected to each other in a local network. If Allice logged into computer A, Allice would expect computer A to do exactly what Allice tells it to do. Allice begins sending messages to computer B, where Jimmy is logged in. Bob doesn’t like Jimmy because he likes Allice. Bob reads each of the messages between Jimmy and Allice, because there is no protection on the data being passed between computer A and computer B. Jimmy punches Bob in the face! Not really, because Jimmy had no idea that Bob was looking. This is the precise reason why encryption is necessary. Allice and Jimmy had no assurance of privacy because Bob was eavesdropping on their communications.
Technically speaking, encryption is a set of algorithms or recipes that takes information stored within a computer and scrambles it, to make it unrecognizable to a third party. Once the information arrives at its destination, it is unscrambled (decrypted) to match the original data being sent. Encryption differs from another process called “hashing” which is a one-way scramble. Hashing is useful for storing passwords, because once you hash data, it cannot be reversed (in theory). Encryption, unlike hashing, can be reversed if you have the key(s) to do so. If you do not have the keys, encryption must be sufficiently complicated such that a computer of mighty processing power could not feasibly guess the key. Modern day encryption standards with sufficient key size could take thousands of years to decrypt. It is extremely important that the integrity of encryption algorithms remains assured. If an encryption algorithm is compromised in any way, it undermines the security of ALL services and users trusting it. There is no subjectivity in this fact.
Ransomware Owns All, Especially Our Cities
If you made it this far, you can probably imagine the consequences of using encryption nefariously. This is exactly what happens with ransomware. Using a technology that we rely on every day for nefarious purposes. With the strength of encryption, in most cases options for victims of ransomware are slim. You can pay up, which is not recommended. According to backup specialist Acronis, as much as 40% of victims who do pay end up not getting their files back. The alternative to paying the ransom is to restore from backup. Even most large-scale organizations do not have adequate backup solutions in place to prevent all data loss. To pour acid on the wound, ransomware is spread via vulnerabilities, phishing emails, and via other means like wildfire. Every 10 seconds ransomware hits the next victim. Our cities in the United States are particularly vulnerable because most municipalities do not have the resources to prevent such attacks. Most are running on old, vulnerable technology and have little protection. On the backside of an attack, little to no backups are available to recover from leaving victims in a tricky situation. In the high-profile Florida case, a $400,000 ransom loomed over their heads.
Encryption Versus Law Enforcement
Another reality to contend with is the dark side of protected communications. Like with most highly divisive subjects in society, an epically passionate debate has erupted over the usage of backdoors and encryption. A backdoor allows for a third party to access a protected (encrypted) system by purposefully designing an entry point into the system. This debate has been ongoing for years and is rife with a lack of understand on both sides of the ball over the implications of the arguments. Recently, the President of the United States offered his perspective, urging Apple, Inc. to “unlock” iPhones that were used by suspected criminals.
“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements,” the U.S. president said on Twitter. “They will have to step up to the plate and help our great Country, NOW!” — President Trump, 2020.
The natural inclination would be to burn everyone at the stake at Apple for protecting drug dealers and killers. That would be a terrible decision, however. In fact, by the end of this article, you might thank Apple for standing up for what is right.
One of the most difficult ideas to reconcile is how a US Company could flat out refuse to aid law enforcement in their efforts to bring criminals to justice. Apple “should” unlock these phones because it is simple, and it is right thing to do. In 2016, Apple was thrust into the stage by flatly refusing to aid the FBI in unlocking an iPhone used by a criminal in California. In the ensuing legal fight, the case was ultimately thrust into oblivion when the FBI purchased an exploit to unlock the phone without Apple’s help.
One of the most interesting things to come out of this incident is the notion that, in order to assure the security of the US populous, Law Enforcement should be able to access devices to glean information about potential crimes. To put it in another way, in order to prevent crime, we must limit security. In order to give law enforcement important access to potential criminals, encryption must be weekend. If law enforcement has their access, crimes could be prevented. The fundamental problem with that notion is the method by which it is accomplished. In order to give law enforcement, the ability to access encrypted communications, a back door must be introduced. Core to Apple’s argument, which is absolutely correct, the introduction of a back door would actually undermine the security of the entire system. This is because, encryption is only valuable if its integrity can be trusted and verified. If the integrity of encryption cannot be trusted, then assurance of security is diminished or eliminated. This ultimately results in nefarious actors moving to alternative means of communication to assure their protection. In an attempt to expose a small subset of the populous, the weakening of encryption would actually expose the entire populous. Undermining trust in the security of modern computing would have adverse consequences across society at large. The unfortunate reality is that by enforcing encryption, we do enable criminals to do their bidding. However, criminals will do crime with or without encryption. Our job is to ensure that those who do right are protected without consequence. Law Enforcement job is to enforce the law. Apple did the right thing by ensuring the security of the populous, without sacrificing the integrity of the systems that we trust.
The Challenges Continue
As long as computing is indiscriminate, we will continue to grapple with these difficult challenges. To finish the conversation, I wanted to point to the realities of what ransomware can do to an organization. The following is a quote from the Department of Homeland Security’s cybersecurity division on ransomware.
Ransomware can be devastating to an individual or an organization. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom. (https://www.us-cert.gov/Ransomware)
As we continue to grapple with these cybersecurity challenges, keep in mind that the ultimate goal of encryption is to assure the confidentiality of our data. Society will continue to grapple with the world, and the evil that is inherent within. At the end of the day, we must remain vigilant, and prioritize the security of the masses over the obscurity of the few.
Receive Security Insights Right In Your Inbox:
- Consultant Qualifications
- CISSP (Certified Information Systems Security Professional)
- CompTIA Security+
- Certified Ethical Hacker (CEH)
- Offensive Security Certified Practitioner (OSCP)
- Industry Experience
- Federal Government
- For-Profit Enterprise
- For-Profit Small-Medium Business
Our Commitment To You
You are not a number, but a partner
One of The Penn Group’s core values is Excellence. Our customers deserve our best, and nothing short. We are on a mission to secure our nation’s information systems, and protect our customers. We don’t take the responsibility lightly. We know that all it takes for one wrong click and reputations and lives can be ruined. We bring out best. We develop the best people, and we deliver the best results, anything less is unacceptable.
Austin Harman, President & CEO, CISSP, CAP