Cameron on a hiding to nothing if he really does want encrypted comms ban

whatsapp logoThis week, prime minister David Cameron seemed to indicate that if he is elected this May he’ll do all he can to ensure strongly encrypted communications are banned in the UK.

Well, that’s the gist of what he said. More correctly, he made it clear that no form of comms should exist where, in extremis, the security services can’t eavesdrop on private conversations – to stop criminals, terrorists etc.

His comments have been widely criticised in the media and by the technology industry, and rightly so.

Although others including the FBI, US attorney general Eric Holder and even Europol have voiced concerns about encrypted communications, none have gone as far as Cameron – who is now apparently off to the US to try and get support for his plans from Barack Obama.

A few thoughts sprung to mind as I reported on this breaking story:

  • If Cameron thinks he can take on the might of Apple, Google et al over this, he’s mistaken.
  •  His comments are at odds with European security agency Enisa which has just released a document praising encryption and calling for MORE privacy enhancing technologies (PETs), not fewer
  • There’s no evidence that the Paris attacks would have been prevented if encrypted comms were banned
  • The UK’s burgeoning tech industry will suffer
  • UK business will react angrily if they can’t use strongly encrypted comms, as will UK entrepreneurs –  it’s sending out a dreadful signal to potential investors in our supposedly liberal democratic country. Also, these are exactly the sort of traditional Tory supporters Cameron needs on side.
  • If encrypted comms were banned, or backdoors were engineered into products so the security services could access them if needed, the bad guys would eventually find a way of exploiting them too.
  • Terrorists and criminals will continue to use encrypted comms, downloaded from regions where they are still legal.

Sophos global head of security research James Lyne summed up the whole farce neatly in comments he sent me by email:

“Even if regulation was brought in to force legitimate companies to use encryption the government (in extremis) could intercept, unless they plan to build a great firewall of China (but even bigger and better – or sinister) to prevent people getting their hands on open source tools available in other countries it isn’t going to stop the darker side of the net from using it,” he told me.

“At the end of the day, terrorists will use any tools at their disposal to communicate, so this is unlikely to solve the real problem. The intention behind the statement was likely a little different to the way in which it has appeared but the suggestion as it stands would do the UK more harm than good and clearly lacks insight into how the internet works or how such controls might be implemented.”


Cameron’s Indian deal exposes outsourcing security failings

taj mahalEarlier this week David Cameron signed a deal designed to elevate the Indo-British relationship to an “unprecedented level of co-operation” on cyber security issues. It came as part of the PM’s three day trade mission to India and is certainly to be welcomed, but the agreement also implies some rather worrying things about the cyber readiness of the country’s big outsourcing firms.

The deal will essentially mean two things. Firstly, UK technical know-how and expertise in the cyber security sphere will be shared with Indian outsourcers, essentially to help protect the vast amounts of data from UK consumers and businesses which are now held on servers in the country.

Secondly, the agreement will see the two countries share relevant threat intelligence in order to thwart attacks on their systems, whether they’re coming from the UK, India or elsewhere.

Now, as mentioned, any kind of international co-operation on cyber threat protection is a step in the right direction, and Cameron certainly can’t be faulted for his assertion that “other countries securing their data is effectively helping us secure our data”.

My surprise is that big name outsourcers like Wipro, HCL, Mahindra and Infosys – firms which have built their business presumably on the quality (and security) of their BPO offerings – need an extra hand.

Any CIO worth his salt would surely relegate to the scrap heap a potential outsourcing provider who could not satisfy his or her list of pre-determined security requirements.

Sure, the smaller outsourcers will benefit most from this deal, but the big boys too?

Well, yes, according to Forrester’s New Delhi-based analyst Katyayan Gupta.

“Even larger Indian firms like Infosys, TCS, etc. will also benefit because now they will have an additional layer of security against cyber criminals,” he told me.

“This is not to say that these firms do not have good security right now. But the question really is – is it enough to keep all attackers out? Probably not.”

Now I know in this age of APTs and highly targeted attacks no firm can claim to be impervious, but it’s slightly worrying when those with huge resources – in an industry where reputational damage following a data breaches could hit hard – are apparently getting expertise flown in from the UK that they haven’t obtained anyway.

Also, as Gupta argued, the deal will still do nothing to stop perhaps the biggest threat to UK data residing on these firms’ servers: corrupt insiders.

It may be time to revisit those SLAs.