There is an ongoing squabble between government intelligence agencies and privacy pundits about end-to-end encryption, an encoding method whereby messages sent digitally can only be read by the intended receiving party. Wired's Andy Greenberg writes, "No eavesdropper can access the cryptographic keys needed to decrypt the conversation--not even a company that runs the messaging service."
The debate's outcome of whether end-to-end encryption will be allowed to remain as is or weakened is of concern. However, there is precious little we as users can do about it in the interim.
SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
A more important consideration
Megan Squire, professor of computing sciences at Elon University, suggests it might be better for the three-plus billion internet users to focus on their own digital devices (endpoints). Squire goes on to say endpoints, historically, have been and continue to be preferred targets by cybercriminals.
"For the moment, at least, we have good, easy-to-use solutions for secure communications between computers, including end-to-end encryption of our messages," writes Squire in her The Conversation post End-to-End encryption isn't enough security for 'real people.' "End-to-end encryption is important. However, security experts have warned for years, the most vulnerable place for data is not during transit from place to place, but rather when it is stored or displayed at one end or the other--on a screen, on a disk, in memory, or on some device in the cloud."
Squire further explains it is easier to gain control of a computing or storage device than attempting to decrypt a message or file. That logic--reinforced by WikiLeaks' release of CIA hacking tools--has significant traction considering the number of data breaches making tech news that began by attackers subverting an endpoint. One example is how attackers trick individuals into visiting a malicious website designed to install spyware on their computers. Spyware, incidentally, so new that antimalware programs--if even installed--are ineffective. After gaining a foothold, attackers have multiple ways of accessing messages and data, including stealing messages as they are being typed.
As to why endpoints are vulnerable, Squire does not mince words, writing, "We do not like to be inconvenienced, and adding more protection to our devices makes them harder to use, the same way putting multiple locks on a door makes it more difficult to get in, for both the home owner and the burglar."
Blockchain tech to the rescue
To be fair, Squire admits that developing new ways to protect endpoints without hampering their usefulness is challenging. That said, one approach with potential that has Squire and other computer-security experts excited is blockchain technology.
SEE: IT leader's guide to the blockchain (Tech Pro Research)
"Blockchains create a shared governance," says Paul Fremantle, a member of the University of Portsmouth School of Computing, is quoted as saying in this TechRepublic article. "They produce an environment for IoT networks where there can be trust, anonymity, and effective contracts between parties without any single vendor being in charge, and without requiring any party to be trusted above another."
Squire suggests how endpoint security could benefit from blockchain technology:
- Verify the origin of applications
- Confirm whether data has been tampered with or not
- Improve user privacy
Blockchain may not be the end-all
Squire cautions, "As with any new technology, there is an enormous amount of hype and misinformation around blockchain and what it can do. It will take time to sift through all these ideas and develop secure tools that are easy to use."
With that in mind, she suggests the following:
- Continue to use end-to-end encryption apps whenever possible;
- Stay vigilant about password hygiene; and
- Pay attention to what apps are installed on each digital device.
SEE: Cyber Security Volume IV: End Point Protection (TechRepublic Academy)
Technology is not the only answer
Squire ended her column with a point that's not often made: "We must demand that people always have access to the best security mechanisms available, so we can decide for ourselves how and when to resist surveillance."
Gregory Michaelidis in his Slate column Why America's Current Approach to Cybersecurity Is So Dangerous builds on what Squire is saying. One of the first things that must happen, according to Michaelidis, is realigning the cybersecurity industry's opinion of what consumers think about online security.
"We assume consumers aren't willing to pay for or care about security, and so instead of thinking systemically about how to change that, we double down on technological solutions," writes Michaelidis. "This, however, invites a lot more self-inflicted pain, with real consequences for both our social and economic health, and our homeland and national security as well."
Note: Gregory Michaelidis is a TechRepublic contributing writer.
- Why cloud will help drive the endpoint security market to $27.8B by 2025 (TechRepublic)
- Trump cybersecurity advisors resign, painting bleak picture of US cyber preparedness (TechRepublic)
- Former US security advisor: Cyberattacks damage society as much as physical infrastructure (TechRepublic)
- Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic)
- End-to-end encryption plan puts Europe on collision course with UK (ZDNet)
- The uncrackable problem of end-to-end encryption (ZDNet)
- Download: The executive's guide to implementing blockchain technology (TechRepublic)
- Quick glossary: Blockchain (Tech Pro Research)