Recently, the world’s largest online auction house, eBay, asked 145 million users affected by a security breach to immediately change their passwords. When a company with $4.26 billion in revenue over the past fiscal quarter alone is unable to guarantee proper data safety, the current security climate has become extremely concerning. “Security is of ever increasing importance in the world. As recent security issues have shown, even systems in place for years can have fatal security bugs that are open to exploitation”, says Andrew Cerisano, Software Development Engineer in Test at Microsoft.
In the Information Technology sector, the term “Security through obfuscation” is used to describe a scenario where a system is only considered secure because others lack information regarding how the system’s security was implemented. This is equivalent to hiding a key under the front door mat: the homeowner knows the key is there, but others do not, at least until a potential intruder decides to check. Therefore the home was never really secure at all; it relied solely on the intruder not knowing where the key was hidden. Modern-day encryption, despite claims to the contrary, is actually equivalent to this scenario. Fundamentally, this is due to the mathematics that underlies all modern digital data encryption methods.
Cryptography, which is the study of codes, is a rapidly expanding subfield of pure mathematics and is the basis for these secure digital communication channels. All the security used for present communications, including the internet and telephone, is based on advancements in this area. When people connect to their bank through the internet, the website automatically redirects them to use an encrypted communication channel called HTTPS (Hypertext Transfer Protocol Secure) that can be identified by a lock symbol added to the URL bar in the browser window. This differs from regular internet communication using HTTP (Hypertext Transfer Protocol), which sends all data as plaintext, the equivalent of what would be written in a word processor. The secure protocol uses a cryptographic method called “Asymmetric Encryption”, or “Public Key Cryptography”. This method works by using a “public key” and a “private key” that allow anyone to decode a message from a sender if he or she has their public key, without ever needing to have the private key.
While this method is both quite simple and extremely effective, the issue with its widespread use is twofold. First, since it is the basis of all encryption methods used across public communication channels today, any possible vulnerability discovered can and will lead to vulnerabilities in all systems that incorporate the method. This was recently observed with the Heartbleed attack that affected countless corporations and government entities, including the Canada Revenue Agency.
If such a vulnerability exists that cannot be corrected, all systems which incorporate that method will no longer function as intended. Unfortunately, that vulnerability already exists: time. Once computing power reaches the ability to factorize the products of large prime numbers, which is the mathematical basis of most cryptographic methods, all encryption will be void. Current security systems rely on the world not having enough computing power, but that will soon change with the advent of Quantum Computing.
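The dependence on factoring described above can be seen in a toy RSA key pair. The following is an added illustration, not part of the original article: the primes are tiny constructed values, all function names are hypothetical, and plain trial division stands in for "enough computing power". Real keys use primes hundreds of digits long, where this search is infeasible.

```python
import math

def make_keypair(p, q, e=65537):
    """Build a toy RSA key pair from two primes (constructed sample values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: inverse of e mod phi
    return (n, e), d

def encrypt(message, public):
    n, e = public
    return pow(message, e, n)

def decrypt(ciphertext, d, n):
    return pow(ciphertext, d, n)

def factor(n):
    """Trial division over odd candidates; returns (p, q, divisions tried)."""
    steps, f = 0, 3
    while f * f <= n:
        steps += 1
        if n % f == 0:
            return f, n // f, steps
        f += 2
    raise ValueError("no odd factor found")

def recover_private_key(public):
    """With n factored, the private exponent follows from public data alone."""
    n, e = public
    p, q, steps = factor(n)
    return pow(e, -1, (p - 1) * (q - 1)), steps

if __name__ == "__main__":
    # Constructed sample primes: a small pair and a larger pair.
    for p, q in [(1009, 1013), (104729, 1299709)]:
        public, d = make_keypair(p, q)
        c = encrypt(424242, public)
        d_found, steps = recover_private_key(public)
        print(f"n={public[0]}: key recovered after {steps} divisions,",
              "plaintext:", decrypt(c, d_found, public[0]))
```

The work to recover the key grows with the size of the smaller prime, which is why the protection is a matter of key size against available computing power rather than of secrecy about the method.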
Although Quantum Computing may also create new encryption methods that have not been thought of before, the real issue is the crossover phase once the technology becomes available. Entities (whether individual, corporate, or national) that have access to this technology will have the ability to interfere with already existing and well-established infrastructure. The number of man-hours needed to create and support existing encryption technologies will be dwarfed by the need to build entirely new systems, let alone participate in the learning curve involved with such technologies.
Instant communication through digital architecture has become a standard over the last century. However, the process of securing those communication channels is and will continue to be under threat. Canada’s Cyber Security Strategy presents three main objectives: “Securing Government Systems”, “Partnering to secure vital cyber systems outside the federal Government”, and “helping Canadians to be secure online”. Although noble in approach, it is not enough to truly guarantee secure communications, especially for government bodies. Canada as a NATO member state must focus on physical communication redundancy as well as digital communications, otherwise the strength of the NATO pact cannot truly be observed.
In general, the importance of a physical presence for member states in other countries is integral to strategic and collaborative defense. Anders Fogh Rasmussen, NATO Secretary General, suggested in the May press conference that it may be necessary to look at a “more visible NATO presence all over NATO territories, including eastern allies.” While this is clearly integral to the current crisis in Crimea, it will actually create a stronger and more solidified NATO capable of secured and physically delivered inter-communication between member states that are truly immune to third party influence.