What the Paris Attacks Mean for the Future of Cybersecurity

November 17, 2015, 6:21 PM UTC
French soldiers patrol near the Eiffel Tower in Paris as part of the "Vigipirate" security plan
French soldiers patrol near the Eiffel Tower in Paris as part of the "Vigipirate" security plan December 23, 2014. French security forces stepped up protection of public places on Tuesday after three acts of violence in three days left some 30 wounded and reignited fears about France's vulnerability to attacks by Islamic radicals. REUTERS/Gonzalo Fuentes (FRANCE - Tags: TRAVEL MILITARY POLITICS) - RTR4J2O9
Photograph by Gonzalo Fuentes — Reuters

The horrendous Paris attacks raise a number of national security issues, including one involving cybersecurity, and the debate over whether governments should have easy ways to break through technology that safeguards the privacy of our communications and transactions — all in the name of national security.

Paris thrusts this issue onto the front pages because one of the big questions that quickly emerged was how a group could execute such a complex attack while evading detection from intelligence services. Encryption is one potential answer. Indeed, experts hypothesize three different possibilities: (1) the attackers used powerful over-the-counter encryption; (2) they collaborated on the dark web; (3) they stopped using technology for coordination once they reached a certain level of operational readiness.

Let’s be sure we understand how modern encryption technologies work and why they are now springing to the forefront. Though encryption technologies have been used to securely transmit information for hundreds of years, never before have advanced encryption techniques and technology been so widely available and so sophisticated.

Simply put, encryption is the process of converting information or data into a code that obscures information so it cannot be read without the correct key (or keys) used to decipher or decrypt the message. Today, anyone around the world can easily purchase and use highly-sophisticated, 256 bit AES encryption technologies – encryption that is so strong that it has been the U.S. Government standard since 2002.

Businesses use encryption every day to prevent identity theft and other crimes. For example, it was once common to capture and transmit credit card information in an unencrypted state to process payments. Cybercriminals knew this and found ways to copy the information at specific points in the payment process lifecycle. They were then able to use the payment card information and monetize it.

Recognizing the problem, payment processors deployed a number of different encryption technologies, rendering the transmitted information far more difficult to intercept and monetize. While encrypted communications can be decrypted, doing so requires time and computing power. And encrypted devices and communications are now common throughout our personal and commercial lives.

Indeed, terrorists need not look far to find secure ways to communicate. Many apps that we use every day enable encrypted communications to protect our privacy and personal information. And, many of the devices we buy – such as our smartphones – encrypt he data on it for the same reasons. Thus, our data is encrypted at the source (our devices), as its communicated in transit, and at the receiving device. The issue is, such is the case for terrorists’ devices and communications as well.

This, of course, is just encryption. On top of it are software and services that protect privacy in other ways, such as those enabling us to use the Internet anonymously – bad actors and intelligence services alike are unable to identify a user or his location when he goes on the Internet using such software and services.

After the Paris attacks, the world is already seeing heightened attention to the way terrorists and other bad actors can use this commonly-available technology to help them inflict enormous harm. We will need to watch closely to see whether the debate and its outcomes shift.

For example, as the use of encrypted communication has spread, law enforcement and intelligence agencies have pushed for “back doors” – ways to enable law enforcement to bypass the encryption. Some technology companies and privacy advocates have opposed them, fearing government intrusion into their personal lives. And, just last month, the White House overruled law enforcement’s request to push tech companies to create such back doors.

Notably, the White House concluded that creating such back doors would increase U.S. citizens’ vulnerability to foreign government, cyber criminal, and terrorist intrusions.

Time will tell whether the Paris attacks change the White House’s calculus. More broadly, the battle over encryption and other privacy-related technologies will increasingly reflect the larger public policy debates we have seen that balance national security with civil liberties. As we move in the next decade into a world where far more powerful computing capability will come on line, specifically as quantum computing becomes widely available, the ability for every man and woman to encrypt their communications at levels that may not be able to be decrypted will only help sharpen that debate.

David Burg is the global cybersecurity leader at PricewaterhouseCoopers.

Read More

Great ResignationClimate ChangeLeadershipInflationUkraine Invasion