Tidal Shift - Security - Encryption's Role

I am starting to put my thoughts together on the emerging relationship between security technology and human factors. I hope this is thought-provoking, and results in some discussion and debate that leads to products, and eventually companies. My goal is that this is a bit more fully formed than the last bar napkin I posted. I have served in roles at the intersection of cloud, collaboration and information security. Much like previous technology shifts (mainframe, mini, PC, client-server, cloud, etc.) I believe the time has come for an equivalent shift driven by the demand for improved security.

The important situational drivers of this shift include macroeconomic globalization and digitalization:

  • Global societal digital collaboration (supported by social and mobile)
  • Industrialization of other technology components (e.g. cloud)
  • The changing face of trade and finance (e.g. block chain and cryptocurrency)
  • Density of proven thought leaders attached to these themes (e.g. Jesse Proudman is one good example)

This all makes security more important and impactful; at the same time it has become more complicated because of:

  • State funded activity (this has direct and labor implications)
  • Broad technology misuse and insider threats
  • Immature legislation and limited/inconsistent prosecution of policies (few consequences; see Ed McAndrew's work)
  • Scale and speed in the broadest sense (including quantum computing implications which are difficult to fully assess at this time)
  • Development and deployment of artificial intelligence and machine learning onto self regulating systems (many of which exist at the edge of secure networks)

This landscape implies the recent pace and scope of technologically enabled public disruptions will accelerate and magnify. Examples include, but are not limited to: Russian participation in politics, terrorism, attacks on critical infrastructure, public/private legal battles, and impaired healthcare operations. This was made possible in part because the number and diversity of internet collaborators has increased at such a rapid pace. In 1995 less than 1% of the world's population (mostly academics) used the internet; as we exited June of 2017 it was more than 50%. Non-human internet users (devices) are estimated to be more than 8 billion this year, increasing at a faster rate than new human users. The relationship between people, their digital identities (e.g. Facebook, Instagram, Bank ID) and the devices they use (own or rent) has created a complex web to operate and manage. Unfortunately this complexity also makes it easier to compromise systems, remain undetected, and exfiltrate meaningful data. Systems thinking often drives us to fix bottlenecks as they become evident in the 'system'. I believe that security is the next bottleneck in the global system.

Recent advancements in identity management, end point security, network security, and the associated AI/ML remain incremental as compared to the size of the other technology tidal shifts. Furthermore there is always some foundational technology in place when these shifts occur (good podcast on this topic). For example the shift to cloud would not have been possible without TCP/IP. I feel the equivalent foundational technology for security is encryption (specifically layered encryption). These shifts also drove continual improvements in TCP/IP. While encryption requires improvements it remains one of the most effective means to protect digital assets, identities and communications.

Today encryption is faced with a crisis caused by the brute force capability of quantum computing and the impossibility of global, collaborative key management. For a tidal shift to take place in security a broader and more comprehensive use of encryption is necessary. To achieve larger adoption levels the industry needs to reduce the friction in utilizing encryption. Specifically this is required to move to layered encryption deployments across digital identities, user devices, self managed/autonomous devices, communications, and information (e.g. beyond device encryption). In short, we need to encrypt more of everything, more of the time.

This won't happen until it becomes less difficult to adopt security technology than it is to face the consequences of remaining less secure. We are quickly approaching that point for many of us. This point has arrived for nation states, corporations, critical infrastructure and healthcare already. I think the problem statement can be broken into discrete parts.

  • Increase the resilience of the underlying encryption
  • Make key management and distribution more robust

Ease of use enhancements (users and application developers) need to be made in conjunction with the technical improvements noted above.

I plan on investing more time in the challenge of key management and distribution. If key management were made more robust, the layering of existing encryption would immediately further our security robustness. There is an immediate need to address the points above in advance of broad quantum compute availability that can be used for attacks (for your consideration). Assuming advanced computing prices decline at the expected rate, and user adoption on end point devices is historically slow, the time is now to take action. Industries with the most sensitive information need universal encryption as soon as possible. There is a need to make meaningful progress on solutions to the challenges above right now. When these challenges are addressed we will see another tidal shift in how we address security.

Patrick, thanks for sharing! Any good conferences coming up for you? My team is hosting a live monthly roundtable every first Wednesday at 11am EST to trade tips and tricks on how to build effective revenue strategies. I would love to have you be one of my special guests! We will review topics such as: -LinkedIn Automation: Using Groups and Events as anchors -Email Automation: How to safely send thousands of emails and what the new Google and Yahoo mail limitations mean -How to use thought leadership and MasterMind events to drive top-of-funnel -Content Creation: What drives meetings to be booked, how to use ChatGPT and Gemini effectively Please join us by using this link to register: https://ftf.eventbrite.com

Patrick, Incredible! 👍
