GRC Viewpoint

The Move From Cyber Offense to Defense

Since the dawn of the public Internet, the US, and particularly the Justice Department, has been focused on how to gather data on the Internet. Remember Janet Reno and Carnivore?1 It was designed to collect information on electronic communications. That capability has been refined since that time. The major nation-states also have the ability to crack all standard encryption. The point of standardizing is, very clearly, to be able to crack the encryption. We can look at this particular problem historically to gain insight.

In WWII, when Polish and British Scientists cracked the German encryptor – The Enigma Machine – it was a cat and mouse game. When the Germans would update the machine, the British would have to fish the new model out of a sunken U-boat to inspect the new device, codebooks, and other pieces of information to learn the new encryption method.2 The fact remains that if you don’t know the encryption scheme or, in this case, do not know the algorithm, it would be very difficult to figure out in a reasonable amount of time. The Enigma was using math for encryption as does our current strongest standardized encryption – Advanced Encryption Standard (AES). The issue with using Algorithms for encryption is that any algorithm that works has to have a proof. That proof will defeat the encryption.

That is the mathematical reality. Putting this proof in an Application Specific Integrated Circuit (ASIC) makes decryption very fast. You only need to derive the key and you can decrypt the data. While there is a lot of purpose-built disinformation on this point, hopefully, this logical explanation helps clarify the situation. In the Military and intelligence communities, algorithm based encryption schemes are considered “Offensive” Capabilities. With Cloud computing, the risk to symmetric and public key encryption grows worse. In a cloud computing environment, you simply need to gain access to the key. In these environments, there are hundreds or thousands of engineers with this access.

You simply need to convince one to get the key for you. You could also get someone hired as an engineer specifically to steal keys. Another method is social engineering where you convince someone you should have access deceiving them into thinking you are someone you are not. This does not require technical skills or special ASIC processing. Once you have the key – whether derived or stolen – recording a copy of the encrypted data in an IP network, like say the Internet, is fairly straightforward.

The new “Post Quantum Encryption Standards” also use algorithms and are at the same level of risk. Also, rotating key schemes don’t really help as the keys are sent in the same stream of encrypted data. Once you get one key, you will get the rest. A good example of how this does not work and the US Government’s prowess at decrypting is the messaging of The Oath Keepers.

They were using Signal which is supposed to be secure because of key rotation. Well, a lot of the intelligence gathered on the group was from their Signal communications. Apparently, neither the encryption nor the key rotation stopped the Government from intercepting and decrypting that information.3 We should assume all modern Nation States have this same capability. These risks and others such as a massive distributed denial of service attack that could cripple things like VPN services and group video conferencing, prompted the US Government to pivot from Cyber offense to cyber Defense on May 12th, 2021.4

NIST dusted off the defensive playbook they had put together in the early 2000s and began moving the country to Zero Trust Architecture (ZTA).5 This is a series of “things” you need to do to remove trust in the party on the other side as well as insecure technologies like the public Internet. These are constant verifications as well as new technical approaches to replace things like VPN and algorithm-based encryption standards. The public is starting to see ZTA implemented with “two-factor” authentication. When a user logs in with your password plus a code texted to their cell phone, that is two-factor authentication.

In ZTA, this is referred to as “know something/have something”. In this case, you know your password and you can prove you have your cell phone which now typically has biometric authentication to access that passcode. As you are probably surmising, this is orders of magnitude more secure than just using a password. Changes will need to be made to encryption, data transmission, and other security measures that require trust – trust of the Internet, Cloud, and software service providers all have to be removed. The good news for the public? – Some of your privacy is coming back by executive order.

By Anthony Scott Thompson, Founder & T-CEO at Introspective Network

1: Carnivore (software). (2022, January 15). In Wikipedia. 

2: Cryptanalysis of the Enigma. (2022, August 28). In Wikipedia.

3: Federal investigators say they used encrypted Signal messages to charge Oath Keepers leader (Jan 13, 2022) In CNBC.

4: Executive Order on Improving the Nation’s Cybersecurity (May 12th, 2021) In The Whitehouse. 

5: Zero Trust Architecture (Dec. 11th, 2020) In NIST Computer Security Resource Center.

Related Articles

Latest Articles