The Canadian Centre for Cyber Security thinks it may be about to produce a new form of encryption that it describes as the ‘Holy Grail’ of data encryption.
But while seeing the main cyber-security body of a five-eyes country advocating encryption so strongly is good news, cyber-security experts are less sure about their solution.
The Canadian Centre for Cyber Security is working on a project called homomorphic encryption that seeks to address the main vulnerability is the type of encryption we use at the moment.
Current encryption is designed to protect data while it is in transit between two different devices or when it is stored on a particular device or in the cloud. It is very good at this but there is one point in the current encryption process where it is potentially vulnerable.
That is the point at which data is being either encrypted or decrypted. There are various ways that VPNs and other encrypting software protects this phase of the process but according to Scott Jones, head of the Communications Security Establishment's (CSE) Canadian Centre for Cyber Security, we can do better.
Jones is one of the leading people tasking with keeping the Canadian government and Canada’s critical national infrastructure safe from cyber-attacks. He also provides advice to Canadian businesses and individual internet users.
His team has been working with the cyber-security industry, academics, and others on a project called homomorphic encryption that is intended to address this vulnerability.
“Encryption is absolutely a critical defence,” explained Jones, in a moment of enlightenment that many US politicians would do well to listen to.
“We want encryption when it's being processed so you don't have to decrypt it to do it, and that's something called homomorphic encryption. [Its] the Holy Grail of encryption that really gets us to a point where, ‘OK, now we will be secure even [while information is] being processed.”
While Jones admits that the solution is probably a few years off, it is clear that he believes his team is making progress with an encryption development that could revolutionize the way all of us encrypt data.
Not necessarily a silver bullet
It is always encouraging to see government agencies working to make encryption more robust rather than seeking to undermine it. But not everyone is as confident as Scott Jones that homomorphic encryption is a silver bullet.
CBC quotes Brett Callow, a threat analyst from Emsisoft, an international cyber-security firm based in British Columbia.
He explained how homomorphic encryption would make data secure but it would not necessarily protect it from ransomware which is one of the biggest problems faced by Canadian public sector bodies.
A growing number of Canadian municipalities, provinces, government contractors and businesses have fallen victim to ransomware attacks in recent times and while homomorphic encryption might help to prevent them accessing data, it won’t necessarily stop them holding it to ransom.
“The company's data would be in a lockbox to which only it has key,” Callow explained. “But threat actors could place that lockbox in a second lockbox to which only they have the key.”
He also notes that there will always be someone who has admin and user credentials to access the data and these detail will also always be vulnerable to being hacked or harvested in other ways.
Then there is the issue of human error. Most people don’t realise it, but human error is actually the biggest reason for security breaches and successful hacks. Unless humans are removed from the equation altogether, this vulnerability is one that can never be removed.
Callow is sceptical about where this is a problem that will ever be completely mitigated and seems cautious about using terms such as ‘holy grail’ that Scott Jones was throwing around. His view is that online security is destined to always be a game of cat-and-mouse between hackers and the establishment.
The importance of encryption
Encryption is a fundamentally important security tool and it is refreshing to see a senior cyber-security official from a five-eyes country speaking about it so positively.
We are becoming increasingly used to seeing government’s undermining encryption and seeking to legislate against its use and this is bad news for everyone.
But while Canada is undoubtedly making the right noises with its investment in homomorphic encryption, it would unwise to put all their eggs in one basket.
Encryption technology is being innovated all the time and, with the greatest of respect to the Canadian Centre for Cyber Security, the best innovations rarely come from public sector sources.
Rather, it is important for Canada and other countries to work with the private sector to achieve enhanced encryption technology. It is also important that they advocate increased use of encryption across the internet to ensure that every business and individual can benefit from enhanced online protections.
That means rather than attacking encryption, they need to be carefully explaining its benefits and showing everyone how, far from making the internet less safe, tools like VPNs actually make us much more secure online.