Cryptographic ubiquity is the final side of the triangle alongside robustness and agility. And in many ways, it is the area with the most room for growth. Perhaps only for me because I'm an IT nerd, but it has become normal to read bad news every week about some major breach, new exploit, or ransomware attack. It is not a stretch to say that many of these incidents could have been prevented by adequate and more comprehensive use of cryptographic mechanisms – that are widely available today. In this last blog post on the must-have qualities of applied cryptography, I will discuss cryptographic ubiquity, meaning the fact that security must be present everywhere.
For us working in the IT security area, the need for ubiquity of security mechanisms is not a new normal but rather a modus operandi since many years. While many organizations have used cryptography for standards compliance, audits, best-practices and other conformance – in particular in certain well regulated industries, today it is a must even for online grocery stores to think about IT security.
The last decade has seen a massive explosion in internet-connected devices. Kicked off by the smartphone revolution at the turn of the millennium, it has accelerated through all kinds of consumer electronics and is now entering the world of smart cities, transportation, logistics, and manufacturing. By some measures there will be 50 billion connected devices in use this year – but estimates of how many of these devices are securely sending information, or potentially vulnerable to attack, are both difficult to gauge.
Three reasons for the lack of ubiquity today
The challenges of gaining cryptography ubiquity stems from three roots. The first issue is rooted in low-price mentality and consumer ignorance. The early wave of IoT devices were not required to have any form of security – let alone mandates that demand encrypted communications. Many of these devices are low-cost and have quite limited computing power – essentially not capable of running computing-intensive security functions. In the ultra-competitive consumer electronics markets, products that ignore adequate security to hit a lower price point relied on users’ unfamiliarity of potential security concerns. The painful truth is that such components are essentially akin to asbestos or contaminated food – and will need to be replaced and discarded.
The second issue is regulatory, or rather the lack of regulations. As the current risks become more clear, we have “Security by design” laws and regulations starting to emerge in large and regulated markets – say in the EU and the US. While these regulations give us hope that we will be able to compare products for their cybersecurity quality – we are still pretty much in infancy. There are millions of devices – including those able to capture video and audio as well as control local environments – being manufactured, purchased, and installed that only have basic security controls. Even devices with more advanced security controls are not necessarily engineered to accept upgrades in the field – meaning that if a vulnerability in an algorithm is discovered – or if quantum computing does eventually make certain cryptographic methods obsolete – these seemingly secure devices could become weak spots almost overnight.
The last issue is political or ideological. Although the benefits of cryptography are clearly witnessed as a means of preventing cybercriminals from compromising critical systems; the same ability may allow criminal groups and other adversaries to operate within a cloak of secrecy. As such, calls from politicians for the banning or weakening of encryption for certain types of communication occur regularly. This has been happening since the nineties – “the holy grail” of law enforcement to have backdoors. Although largely discussed and then ignored, there is legitimate concern that backdoors mandated by law will lead to an overall weakening of cybersecurity. This would inevitably help cybercriminals and other adversaries more than law enforcement would gain from it.
The path forward – no shortcuts, only hard work
Innovators such as Keyfactor are now leading industry efforts to ensure that cryptography ubiquity can be achieved. This is done by providing products that can integrate well into the technology stack of any device – be it an IoT gadget, an industrial controller, an app, a server in the cloud, or a car. In fact, we deliver products and services in a variety of ways: on-premises appliances, cloud software, SaaS, REST API, or a library to integrate into a product.
We continuously work to enhance the functionality and ease of deployment for commercial variants of for example our EJBCA Enterprise. A cloud deployment means that less cryptographic processes are needed inside the devices and can instead be moved to the cloud. This means that IoT devices can still use the low-cost and low-powered CPU’s they favor but gain access to much more robust and agile cryptographic functions.
Last but not least, we do not forget our open source community. Ongoing investment in EJBCA and Bouncy Castle aim to maintain them as sustainable and growing open source projects, to keep encouraging what we really want to see – more use of cryptography amongst the widest developer community.
And with that said, this blog series on the must-have qualities of cryptography has come to an end. If you missed the previous blog posts, please check them out here: