This is why personal encryption is vital to the future of business

Data encryption is threatened by government forces who haven’t yet recognized that without personal security, you cannot have enterprise security. Because attackers will exploit any available weakness to undermine protection — and if your people or your customers aren’t secure, neither is your business.

Attackers will always go where the money is. They will spend lots of it to mount attacks. They will delve deeper, and if they’re spending money, they also have the necessary resources to investigate absolutely anyone they can identify as a potential target.

Such targets could be someone who works in a company, government, or enterprise, but the attack surface could be something as simple as a link they’re tricked into clicking based on insight into their personal information (insights that would not exist if that data was protected and secured).

It could also be a link a person connected to them, including less tech-savvy relatives, is tricked into clicking. Attackers are smart enough and have the resources to develop multi-stage attack patterns to get what they want; they just need access to personal information to guide their hand.

That’s why it is vital to ensure personal data is properly protected.

But the security of personal data is precisely what shoddy laws such as the UK Online Safety Bill threatens, because when it demands a weakening of messaging encryption it also means that any government anywhere — including those we do not trust — can demand the same. It also means that the keys to these personal data kingdoms will eventually slip into the hacker mainstream — even those high-value NSO Group exploits were sold on the dark web for a while.

The weaker a system becomes, the more attacks emerge to exploit those weaknesses; this is the fundamental problem of enforcing data security weakness by design.

What that abuse of the human right to privacy means is that it becomes that much easier to exfiltrate personal information concerning a target of interest (Even if you need to bribe a couple of corrupt government officials to do so).

We already recognize that humans are the weakest link in any security infrastructure. But what isn’t sufficiently recognized is that any action that puts those humans more at risk makes anyone they work for more vulnerable.

A well-resourced attacker will simply identify who works at the company they’re aiming for and then find ways to compromise some of those individuals using seemingly unrelated tricks. That compromised data will then feed into more sophisticated attacks against the actual target.

So, what makes it easy to create those customized attacks in the first place? Information about those people, what they enjoy, who they know, where they go, and how they flow. That’s precisely the kind of data any weakening in end-to-end encryption for individuals makes easier to get.

Because if you weaken personal data protection in one place, you might as well weaken it in every place. And once you do that, you’re presenting hackers and attackers with a totally tempting table of attack surface treats to chow down on. This is not clever, nor is it sensible.

Because, sure, the data encryption laws that seem to be in circulation right now make the separation between business and personal data, but they completely ignore that businesses are made up of people and people drive business.

When you remove levels of privacy from people who run or work for a business, then you also make the business less secure.  It means legislation meant to protect against online harms makes such harms far more likely.

Surely by now most people understand that the Internet comprises a series of inter-connected nodes, and that all these nodes are connected. That connection means anything which reduces the security of any one of them compromises the security of all the others.

Again and again in discussions about encryption, we find ourselves returning to the age-old response on such matters, which is and remains, that online (and possibly across our burning world), we are only as safe as the least secure person we’re connected to.

With that in mind, we need more data encryption, not less.

This is history repeating, of course. Because if you think back a little bit to the famed slogan from nineteenth-century author Alexandre Dumas, thanks to his book, “The Three Musketeers,” the inconvenient truth on a digitally connected planet is that it’s, “All for one, and one for all.”

No one is safe until everyone is safe.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

http://www.computerworld.com/category/security/index.rss