The starting point for a new study from the Institute for Critical Infrastructure Technology is not new: “There are only two types of networks, those that have been compromised and those that are compromised without the operator’s awareness.” Since it is impossible to defend the network, the solution is surely to defend the data. Here encryption can offer something more like a guarantee of security.
The study (PDF) is primarily directed at government networks, where it suggests “federal government breaches have eroded the public’s confidence in the federal entities’ ability to secure sensitive systems and data against adversarial compromise.”
But just as it is self-evident that networks are regularly breached, so it is self-evident that encryption is not always used. An example presented by the study, that both demonstrates the absence of encryption and the misguided argument for not using it, can be found in the massive OPM breach of 2015. Here a series of breaches led to the theft of 4.2 million personal records and 21.5 million SF-86 forms — the effect of which may be felt for many years to come.
OPM did not use best security practices. Most shockingly, the stolen data had not been encrypted. According to former OPM Chief Information Officer Donna Seymour, “Some legacy systems may not be capable of being encrypted.” It is this supposition and attitude that the report’s author, James Scott, says is not correct.
“Data,” he claims, “can be encrypted on both legacy and modern systems using advanced encryption methodologies such as the Format Preserving Encryption (FPE) derivative of the AES algorithm.”
But he takes his argument one step further: “Since agencies and other public entities have habitually failed to secure citizens’ data, legislators and regulators must intervene to ensure that local, state, and federal entities possess the resources to secure and eventually modernize their architectures, and they must mandate that organizations secure data at-rest, in-transit, and during-processing to the best of their capabilities, according to available technologies, such as Format Preserving Encryption, and according to established legislation and regulation.”
This is a complex issue. Security heads in government agencies are already required to update antiquated (legacy) systems, and to employ best security practices. Agency heads, says last month’s presidential cybersecurity executive order, will “be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code.”
It is noticeable, that the executive order never once specifies the use of encryption. Is this an oversight; is it not considered as important as the ICIT claims; or is it simply too difficult or too costly for government agencies? Or is the use of encryption already implied in this and other existing requirements for government agencies?
Certainly, it is already required. “Federal agencies are required to use encryption by the Cybersecurity Act of 2015,” Luther Martin, distinguished technologist at HPE, told SecurityWeek. “They use it, but not in meaningful ways. The main threats that they face are APT/malware. The main types of encryption that they use are TLS, full-disk encryption and transparent database encryption, none of which do anything useful against APT/malware.”
This could have been rectified in the executive order, but was not. “For the Trump EO,” continued Martin, “remember that encryption is a niche within a niche, security being a small part of IT spending and encryption being a small part of security spending. So, the most likely explanation is that it’s just too small of a part to worry about at that level.”
This view is supported by Ted Pretty, CEO and MD at Covata. “Encryption is a very powerful security tool, but is one part of an overall regime of security controls,” he told SecurityWeek. “There may be other ways of mitigating risk that better suit some systems — for example, better authentication and policy controls — and this is probably why the executive order did not specifically reference encryption. Perhaps the reference to systems also refers to system condition at the network, infrastructure, platform and data level.”
But the two basic arguments of the ICIT paper remain. Is FPE the right and adequate solution for legacy government databases, and should comparable encryption be explicitly required by law?
The advantage of FPE, suggests ICIT, is that it can granularly encrypt individual fields without altering the basic data format. This means that data can be moved between different databases while still encrypted. Furthermore, “FPE can leave a small portion of the data deciphered so that it can be used for identification and processing, but it cannot be used to compromise the user. A familiar example of this is being able to see the last four digits of the SSN or credit card number in private sector transactions. The government sector can similarly de-identify sensitive information without necessarily overhauling existing infrastructure.”
Is this the right solution? “Yes,” says Martin. “FPE really is as good as it sounds. Legacy environments are tricky and expensive to deal with. Perhaps very tricky and very expensive. Using FPE lets you adapt the data to the network instead of adapting the network to the encrypted data. If you’re lucky enough to have an all-post-dot-com IT infrastructure then FPE may not matter to you. But to most of the world, it’s a fantastic innovation.”
“Encryption is unique,” concludes the ICIT paper, “in that it is the only solution that definitely impedes an adversary’s ability to exploit exfiltrated data… For the sake of consumers, critical infrastructure, and national security, public and private organizations must at least encrypt their data; even if legislators and regulators have to mandate encryption requirements.”
According to Martin, the existing requirements of the Cybersecurity Act of 2015 are not sufficient. “This is unlikely to change without additional legislation,” agrees Martin. A combination of FPE and explicit encryption legislation, says the ICIT, is what is needed to restore the public’s faith in government agencies’ use of personal data.
