Canada’s cyber intelligence agency says it’s working on what it calls the “Holy Grail” of data encryption to protect government information as the number of reports of privacy breaches, malware attempts and ransomware hits continues to grow.
Encryption mainly works in transit — which protects data when it’s being sent — or “at rest”, which guards information when it’s being stored. But in order to be processed and understood, that information needs to be decrypted, potentially putting it at risk.
“We want encryption when it’s being processed so you don’t have to decrypt it to do it, and that’s something called homomorphic encryption,” Scott Jones, head of the Communications Security Establishment’s (CSE) Canadian Centre for Cyber Security, told CBC News.
“That’s the Holy Grail of encryption that really gets us to a point where, ‘OK, now we will be secure even [while information is] being processed’ … That’s a relatively new phenomenon.”
The centre leads the government’s response to cyber security events, defends Ottawa’s cyber assets and provides advice to Canadian industries, businesses and citizens on how to protect themselves online. The CSE’s team can see up to two billion actions per day, including malicious infiltration attempts.
Jones said the CSE has teamed up with industry players and academics to work out how homomorphic encryption could function in a Canadian setting.
“Encryption is absolutely a critical defence,” he said, noting the agency is probably five to ten years away from achieving that goal.
“One of the problems of cyber security is we can block two billion things, but one success is what we talk about … We consider any failure something that we have to address.”
Ransomware attacks on the rise
Brett Callow, a B.C.-based threat analyst with the international cyber security firm Emsisoft, said homomorphic encryption could reduce the likelihood of data being acquired stealthily in an easily usable form, but it’s not a perfect defence against all attacks.
“To use an analogy, the company’s data would be in a lockbox to which only it has key, but threat actors could place that lockbox in a second lockbox to which only they have the key,” he said.
“I’m not sure we’ll ever find a silver bullet. Security will likely be a constant and permanently ongoing game of whack-a-mole.”
More and more Canadian municipalities, provinces, government contractors and businesses have found themselves hit by ransomware attacks — which involve malicious software used to cripple a target’s computer system to solicit a cash payment. Just last week, the province of P.E.I. acknowledged that some Islanders’ personal information may have been compromised in a recent hit.
Callow said homomorphic encryption isn’t necessarily a perfect shield against sophisticated hackers.
“Ransomware attacks typically involve the harvesting of user and admin credentials. If the attackers were able to harvest credentials that enable users to access the data, they too would be able to access the data,” he said.
“In these circumstances, the actor wouldn’t necessarily be able to exfiltrate the original data in non-encrypted from, but they could certainly view it and, perhaps, take screen grabs.”
There’s also the problem of human error.
Federal departments and agencies have recorded thousands of privacy breaches over the past two years, according to recent figures tabled in the House of Commons — many due to slip-ups or misconduct.
Even that number likely falls short since many departments reported they didn’t know how many people were affected by individual information breaches, or how many were subsequently contacted and warned.