Rising Complexity and Cost of Securing Secrecy

A broad class of people has legitimate needs for communicating in secrecy, such as politicians, high tech innovators, analysts in the military, State Department operatives, and businessmen bidding on goods or negotiating a merger. Unfortunately, secrecy that once could be achieved with modest effort is now elusive.

The Office of Personnel Management (OPM) database contains personal information for millions of US government workers and contractors. It also contains some of the highly sensitive information needed to vet people seeking official security clearances. OPM took some steps to secure it, but not enough. China was able to acquire valid security credentials for gaining access to the information for a protracted period. This security failure may leave US government workers open to extortion and covert operatives subject to being uncovered.

Duqu 2.0, a variant of Stuxnet, spied on nuclear negotiations between Iran and the U.S., Britain, China, France, Germany and Russia. It presumably reported out on the negotiation strategy and plans of each participant. Knowledge of an opponent’s intentions could be a massive advantage. On the other hand, it is unclear who installed Duqu, and it may have been someone who is not part of the talks.

The quick profits from insider trading attract criminals in the financial industry. The Securities Exchange Commission is hunting a group known as FIN4, which monitors emails or voice calls to get information on merger price negotiations or quarterly financial results before the information is made public.

Companies actively designing high tech equipment or military weapons are targets for industrial espionage via hacking into secure databases. China’s hackers stole plans for “the advanced Patriot missile system, the Navy’s Aegis ballistic missile defense systems, the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the F-35 Joint Strike Fighter.”

Internet-based communications are generally insecure. If the information you want to send has high value, hackers and spies will be motivated to acquire a copy of what you transmit either while it resides on your computer’s hard drive or while it’s in transit across the Internet.

Digital information is safer if it is encrypted by a method that has not yet been cracked. At one time, encryption looked like a holy grail for security. With a long, randomly generated key it seemed possible to protect important information from disclosure. Unfortunately, the National Security Administration (NSA), and presumably some brainy hackers have decryption tactics for common transmission and encryption strategies such as SSH, IPSec, and PPTP. Now, the NSA hoovers up everything passing through some Internet chokepoints, stores it and then decrypts, and monitors the content as it hunts for payoffs. Voice calls are available to NSA through Mystic.

We can no longer rely on SSH, IPSec and PPTP to protect encrypted communications from exposure. SSH, Secure Shell, is a cryptographic network protocol for initiating text-based sessions on remote machines in a secure way. IPSec, Internet Protocol Security, is a protocol suite for securing Internet communications by authenticating and encrypting each IP packet of a communications session. PPTP, Point-to-Point Tunneling Protocol, is a method for implementing virtual private networks (VPNs) that uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets. The loss of encryption efficacy in PPTP is serious since it was a foundation for VPNs that many businesses relied on. There are some encryption approaches that still work for Windows disk systems. Bruce Schneier mentions BitLocker, Symantec’s PGP Disk and TrueCrypt.

The challenge of protecting secrets of businesses and government seems to grow more vexing each month, and it is unlikely that government regulation will cure the problems. For those charged with conducting business or government in a competitive environment, highly skilled security experts are becoming an unavoidable expense.

As always the only people adhering to the rules will be the law abiding people. Until they feel the pain personally, malicious hackers will carry on unaffected, and the cost of protecting secrets will rise.