Reimagining Cyber - real world perspectives on cybersecurity

Encryption Under Siege? Governments, Cybersecurity, & Quantum - Ep 139

Reimagining Cyber Season 1 Episode 139

In this episode of Reimagining Cyber we tackle two seismic shifts in digital security: the fight over encryption and the rise of quantum computing.

First up, the UK's aggressive push against encryption. With legislation like the Investigatory Powers Act and the Online Safety Bill, the UK government is pressuring tech giants to create backdoors for law enforcement. But what happens when those backdoors fall into the wrong hands? Cybersecurity expert Tyler Moffitt doesn’t mince words: “The moment you create a backdoor for the government, you open it up to everybody—cybercriminals, rogue states, you name it.” Apple initially took a hard stance, threatening to pull iMessage and FaceTime from the UK. But in a move that sent ripples through the industry, they recently scaled back their Advanced Data Protection feature for UK users. Is the result a chilling precedent that other governments may soon follow?

If that weren’t enough, encryption’s future faces another existential threat—quantum computing. Even the strongest cryptographic methods in use today could become obsolete once quantum processors reach critical mass. To explore this, we revisit Episode 43: Inside the Fight to Protect Data from Quantum Computers, featuring veteran cryptographic engineer Terence Spies. He warns that the fundamental rules of encryption could soon change forever. “Unlike other areas of software, cryptography is about proving what can’t happen,” Spies explains. “Quantum computing changes that equation entirely.”

With quantum breakthroughs on the horizon, governments and enterprises must scramble to adopt post-quantum cryptography—before it’s too late. Transitioning away from RSA and elliptic-curve encryption isn’t just a technical challenge; it’s a bureaucratic and logistical nightmare that could take decades. And yet, with quantum attacks potentially capable of breaking today’s encryption in mere hours, the race is on to secure our digital future.

Listen to the full episode of Reimagining Cyber and stay ahead of the encryption debate. The stakes have never been higher.



Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

[00:00:00] Producer Ben: Hello and welcome to Reimagining Cyber. My name is Ben. I'm the producer of the show, and our usual host, Rob Aragao, is away. So I'm gonna be sitting in for him today. And the thing for this episode is encryption, the backbone of digital security, protecting everything from personal messages to national secrets.

[00:00:21] And we're also going to unpack the looming challenge of quantum computing, which of course could one day break today's strongest encryption. But first on the agenda is the UK's largest push against encryption and what it could mean for privacy worldwide. And with me to talk about this is our other cybersecurity expert, Tyler Moffitt.

[00:00:44] Tyler, how are you doing? 

[00:00:45] Tyler Moffitt: Thanks for having me on Ben. 

[00:00:46] Producer Ben: And, uh, as I hinted at just then, there is an issue involving the UK government, and it involves a spat with Apple. Could you talk me through, if you would, what's been happening?

[00:00:59] Tyler Moffitt: Yeah. So recently, um, the government of the UK pushed to weak, weaken Apple's encryption, um, specifically by creating a backdoor to where they can have access to essentially what they have in the iCloud and what's stored.

[00:01:14] And it's just, uh, it's really not, um. It's a giant security incident, a failure waiting to happen, right? By demanding that Apple build access into secure systems, they're setting a dangerous precedent that will absolutely be exploited by cyber criminals, hostile nations, rogue insiders. I mean, everything. The moment you create a backdoor for the government, you, you've opened it up to basically everybody, right?

[00:01:39] And security has to be absolute. There is no such thing as a back door, um, that only the good guys can use. And how are they going about putting this pressure on? Sure. The Investigatory Powers Act of 2016 gives UK authorities, uh, the power to demand access, uh, from tech companies. And more recently, the Online Safety Bill of 2023 is putting even more pressure on encrypted messaging services, requiring them to scan private messages for, uh, illegal content.

[00:02:12] You also have the technical capability notices that, um, allow the government to quietly force companies to build ways to access encrypted data. Apple, for instance, has previously fought very hard against this, even threatening to remove iMessage and FaceTime from the UK. Uh, however, they recently pulled this, uh, ADP, the Advanced Data Protection for iCloud backups, in the UK, meaning that now UK users specifically have weaker cloud security.

[00:02:41] And so even though Apple resisted, uh, they've now finally sort of caved and made compromises and that's exactly what is so dangerous. You know, once you start making these concessions, the governments push for more. And you know, from there it sets the precedent and we likely see other governments start to press for this against Apple as well.

[00:03:00] And so this is really a big problem that I think will escalate outta control. So for hackers, bad actors, whatever you wanna call them, like, this is a, a dream scenario, right? Government mandated access points. It incentivizes hackers to go after basically Apple now, UK agencies, or, or any other third parties with access to these systems. You know, cyber criminals will literally pay

[00:03:26] top dollar for leaked government keys. Um, they'll exploit legal access programs. They'll target insiders who hold the keys to the back door. You know, once encryption keys are leaked to the bad guys, there is literally no way to keep it exclusive to only authorized personnel or whoever you deem good guys.

[00:03:48] And I really don't understand what the government doesn't understand about that. There, there is no way to keep this isolated only to good guys. So if, if a mechanism exists to, to break or leak encryption keys, it's gonna be used by criminals, nation states, or anyone with the resources to obtain it. So, uh, and that should be obvious to, to the government, especially after their, their failures.

[00:04:12] I don't understand. After all this time, you know, have we learned nothing? Why are we still compromising the security and encryption just for more surveillance? Intriguingly, right at the end there, you mentioned government failures. Yeah, so I mean, I'm gonna be honest here, very blunt: governments have an absolutely awful track record when it comes to securing sensitive data.

[00:04:34] They can't protect their own systems, so why should we trust them with an encryption backdoor? I, I'll just give you a few examples, right? The UK Ministry of Defence, 2023, they had multiple breaches that exposed sensitive military intelligence. Um, the US, uh, OPM hack: Chinese hackers stole personal data and security clearance data from millions of federal employees.

[00:04:54] Uh, the NSA cyber tools leak. Anyone remember WannaCry or NotPetya? That was because NSA's own hacking tools were stolen and used in global cyber attacks, causing, like, huge amounts, hundreds of millions of dollars, billions of dollars in damages. Uh, even Australia's Medibank breach in 2019, 9.7 million citizens' private health records were leaked.

[00:05:14] I mean, there's, I could keep going. Those are just the ones that initially came to mind. Uh, like, the government does not have a great track record at all. You mentioned earlier that this isn't just a UK issue. What do you mean by that? So, if the UK succeeds in forcing big tech companies like Apple to weaken encryption, other governments are absolutely going to demand the same.

[00:05:37] Like, why should we not expect countries like China or Russia, Saudi Arabia, even the US, right, will use this as justification to expand their own surveillance programs, which they absolutely want. So honestly, to me, that sort of creates a, a two-tier security system. You know, um, some nations will allow strong encryption while others will force companies to create back doors.

[00:06:01] And the result essentially is a fragmented internet where security and privacy depend on where you live. Right. And so even worse, like, journalists, activists, dissidents in any authoritarian regime could basically be easily targeted, found, searched for using these vulnerabilities. Right? Um, so we're basically looking at it in the future, if this is

[00:06:24] the case where encryption is, is no longer universal, but basically just dictated by government policies. And you know, once that happens, the entire cybersecurity landscape changes for the worse by far, in, in my opinion. And, you know, businesses should play a role in this fight. You know, they must take a stand to sort of refuse to implement these back doors.

[00:06:46] Kind of like how Apple tried to resist initially. I, I don't know why they caved. You know, if companies cave to this government pressure, then it, it sets the precedent that encryption is negotiable, uh, which is a disaster, honestly, for cyber, just security in general, right? We, we have to push back. Strong encryption is non-negotiable, so definitely share this information.

[00:07:11] If you hadn't heard this story, talk to other people about it. See what they feel about it. Really support companies that fight for encryption. Advocate for digital privacy laws that protect security rather than compromise it. And most importantly, stay informed, right? If you didn't know this was happening and you hadn't seen this news, you need to be learning a little bit more.

[00:07:29] 'cause it's, it's a big one. It's definitely making waves because of the precedence.

[00:07:54] Producer Ben: So we heard there from Tyler about how government mandated back doors can raise urgent concerns about weakening encryption. And there is another challenge that looms on the horizon, that of quantum computing. Even if we defend encryption today, the rapid advancement of quantum technology could render current cryptographic methods obsolete.

[00:08:16] Back in Episode 43, we welcomed veteran cryptographic engineer Terence Spies onto the show in an edition called Inside the Fight to Protect Data from Quantum Computers. I won't play it all to you. If you wanna get the whole experience, just hunt for the episode in our back catalog. It is very easy to find, but here's how Terence set the scene.

[00:08:38] Terence Spies: The, the tragedy of security systems in general, and, and cryptography specifically, is that unlike other areas of computer science or other areas of, of, of software that people might be buying, it's one of the things where you can't demonstrate the most important properties of those systems, right? As you, the, like, I love what you said, it's like, you know, uh, encrypted data just looks like this, this bunch of gobble.

[00:09:07] And the problem, and, and this is relevant to the discussion today, is that well-encrypted data and badly encrypted data look exactly the same. Right? You, you can't, there's, there's no way to demonstrate to somebody that this crypto analytic, uh, algorithm is, is, it is actually strong, because you're, you're looking to demonstrate sort of a negative capability, right?

[00:09:32] If I come to you with a new graphics card or a new CPU or a new database sorting algorithm, I can demonstrate the things that you care about in terms of, hey, this is faster, this consumes less power, the rest of it. The, the tricky business about cryptography is that what you're saying is, I'm gonna encrypt this data and there's a

[00:09:53] can't happen, right, in, in, in a whole universe of possibilities, right? That there is, there is no way to derive the key that's gonna sort of unprotect or, or decrypt this data. And what that means is that you need to be open to a whole universe of, of possible attacks, sort of, uh, known, known and unknown.

[00:10:15] Right? Uh, and this is one of the things that makes it interesting and also, I think, difficult for, uh, for people in the enterprise space, which is that they're being asked to, um, sort of bet part of their business or, you know, bet the security of their data on these statements, often obscure and, uh, and, and subtle kinds of arguments about the, the strength of these protection mechanisms, in a, in a way that can't be demonstrated.

[00:10:43] So the way that that fits into the, the discussion we're having today is that there is on the horizon, uh, potentially, uh, a bunch of discontinuous change in the way that people think about computing. And that's, that's quantum computers, right? So, um, there have been lots of other discussions about how quantum computers, uh, work and what they can do.

[00:11:04] But the, with relevance to the crypto space, there are, there are two algorithms, um, that change fundamentally the way that people can do searches in, in, in two different spaces, um, that affect the way that, um, that people are going to have to protect data with, uh, with cryptographic mechanisms. So if, if there comes to be a practical quantum computer, that is to say something that could implement the a s algorithm or, um, something that could, uh, implement, uh, let's say RSA or elliptic curve, things like that, is there enough, enough qubits to express those algorithms?

[00:11:41] Then searches become quicker, and not just quicker in a way where, uh, a traditional CPU gets faster, or you use a GPU for, for more computers. It's, uh, the, the algorithms move time from the exponent down to the bottom, which is to say it's, it's the difference between, you know, a bubble sort and a quick sort algorithm, which is, which is, these, these differences are dramatic.

[00:12:09] Um, and for cryptography that's especially big, because you, you need these search spaces to be big in terms of the cryptographic, efficient encrypting of data for the person that's actually using it, but the search space for the attacker has to remain really, really, right, because you're, you're, you're relying on it now and in the future.

[00:12:31] So what's going on now, with people looking at what's called post-quantum cryptography algorithms, is that they're saying, well, we have to start now. There are no, there are no quantum computers right now that can even get close to expressing these algorithms or attacking them. But if we hypothesize that there's a real

[00:12:53] of this happening in, say, 20 or 30 years, we might have data now that is, but we wanna keep private, or we wanna, we want to, um, have some, uh, expectation of, of security of that data in the next, uh, 20 or 30 years. And also, historically, it has been, uh, a slow and arduous process to migrate from one cryptographic outlet to the other.

[00:13:19] So, you know, in, in the, in the payment space, there are still people using Triple DES, which is actually a fine algorithm, but, um, that industry has been attempting to, uh, to move from Triple DES to AES, for, uh, for decades. And there's still some of this around. So the, the short answer is that, that, um, the, the world is changing, and one of those changes that people are anticipating is that there's going to be this fundamentally new, uh, kind of computer that's going to alter the way that we have to think about cryptography, in terms of throwing away whole classes of oven.

[00:13:51] So we use now. 

[00:13:53] Rob Aragao: So, so Terence, think about, um, the point you were just making as it relates to also, kind of, I guess, the type of data. So as an example, when we think about, um, whether it's transactional data or, let's say, legacy data, you have to hold onto it for many decades, as you kinda referred to, as an example.

[00:14:09] Does, does it really make a difference, as kind of the, you know, specific type of information or any type of data, as far as its resistance to CRQCs or not?

[00:14:18] Terence Spies: Um, not really. So in terms of resistance to, to quantum cryptanalysis, it's fundamentally about the algorithm, not about the data. Where the type of the data becomes, uh, relevant and interesting to think about is that, um,

[00:14:34] you might have to start thinking about, do I have classes of data where the privacy of that data is gonna be relevant in, uh, a couple of decades? Right. So you're talking about a credit card transaction? Probably not. Um, if you are in the government space, or you're protecting things that, um, that might realistically have privacy impacts in, in a couple of decades.

[00:14:58] Yeah. I mean, moving now is probably the, the case, but also for data that, you know, outside of the data, the algorithmic thing is, we, we know that moving those algorithms is going to be tough. So there's reasons to start thinking about it now in terms of doing, doing those migrations.

[00:15:14] Producer Ben: That was Terence Spies, and he also went on to talk about the transition to post-quantum cryptography and migration challenges and timelines.

[00:15:24] So do go into Episode 43, Inside the Fight to Protect Data from Quantum Computers, and listen to the whole of the episode. Thanks for joining us on Reimagining Cyber. Please follow or subscribe to the show wherever you get your podcasts. And goodbye.
