Governments all over the world are trying to abolish encryption, force application and service providers to build in backdoors, or compel users to reveal their encryption keys on demand, thus endangering all our data security. Many governments hide behind vague, ill-informed ‘national security’ clauses to make up for their national security and law enforcement agencies’ lack of skills and outright laziness, thereby weakening our national safety and security.
Instead, politicians and bureaucrats in their ignorance are providing hackers, cybercriminals, malfeasants, and just plain old thrill-seekers with far greater opportunities to create a wide range of havoc that in the end will cost users far more than just money, and they are creating loopholes for law enforcement abuses. (Hint: secret backdoors never remain secret for long; remember EternalBlue.)
Governments should instead promote Zero Trust systems architecture (basically: never trust, always verify), data that is always encrypted at rest and in motion, and Trust No One computing, while using existing laws and rules to target suspected criminals and terrorists, rather than casting as wide a net as possible just in case.
Smartly segmented Zero Trust networking means the IT department verifies every user before granting any access privileges, rather than trusting anyone simply because they are already inside the network. Effectively managing access to accounts is more important than ever, with 58 percent of small to midsize businesses (SMBs) reporting data breaches in 2017, according to the 2018 Verizon Data Breach Investigations Report.
So Zero Trust networking with all data encrypted at rest and in motion sounds like common sense. Yet governments only pay lip service to cyber and information security, and they are quick to deplore and point fingers at the enemy of the day when their patrons decry the theft of their data and money, with a tendency to overreact. What governments should be doing is using their legislative power to mandate cybersecurity at all levels; support real-world, effective and enforceable cybersecurity standards (the CIS Controls, the ISO/IEC 27000 series and the NIST Cyber Security Framework, for a start); subsidize third-party information systems audits; and, more importantly, promote a wide range of cyber and information security education programmes that teach cyber and information security best practices in schools and offices (like the CyberFirst courses run by GCHQ’s National Cyber Security Centre), a little bit like mandatory home economics classes.