Four years ago, the Pew Research Center, a US think tank, asked hundreds of cybersecurity experts to weigh in on a simple question: “By 2025, will a major cyber-attack have caused widespread harm to a nation’s security and capacity to defend itself and its people?” A majority of the respondents said yes(new window).
“Cyber attacks will become a pillar of warfare and terrorism,” said one tech executive.
“Current threats include economic transactions, power grid, and air traffic control,” said a NASA researcher who now runs a space robotics firm. “This will expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure.”
“Cyberwar just plain makes sense,” said a former general counsel for the NSA.
In the few years since that report came out, we have witnessed Britain’s National Health Service (NHS) crippled by stolen NSA ransomware(new window), the US power grid infiltrated by Russia(new window), and hundreds of millions of digital records exposed(new window) to hackers. In other words, the experts’ predictions are right on track.
Yet at the same time, governments around the world are pushing to weaken the very encryption that can help to keep our personal records, our infrastructure, and our democratic institutions safe from bad actors. Most recently, the Australian government has waged a campaign to promote encryption backdoors(new window), which would weaken the right to privacy and make us all less safe.
State security officials are sending two conflicting messages: On one hand, encryption (i.e. privacy) is dangerous; on the other, cybersecurity is the battlefield of the 21stcentury.
In fact, privacy and security go hand in hand. The widespread use of strong encryption both guarantees individuals’ right to privacy while hardening society against waves of data breaches and cyber-attacks.
Why governments don’t like encryption
In the United States(new window), Australia(new window), and elsewhere(new window), law enforcement agencies are pushing for legislation that would make it easier for them to weaken encryption in consumer devices and software.
For example, Australia’s Assistance and Access Bill(new window) would require tech companies to build vulnerabilities into their security systems that could be exploited by law enforcement. If the law passes, it could also be used by US agencies(new window) thanks to the Five Eyes intelligence-sharing agreement(new window), even though American legislators have so far refused to mandate encryption backdoors.
Proponents of these kinds of laws say encrypted services, like WhatsApp or Proton Mail, allow criminals to plan and carry out attacks beyond the reach of police.
Privacy vs. security is a false dichotomy
First of all, there is very little evidence(new window) that government surveillance prevents terrorism. For instance, in 2013, the White House reviewed the NSA’s mass phone surveillance program and determined it was “not essential to preventing attacks.” Police foiled most attacks the old-fashioned way: through informants and tips.
More importantly, it is impossible to create a backdoor that only the police can use. Last year’s WannaCry ransomware attack(new window), which hit over 300,000 computers in over 150 countries (including the UK’s National Health Services) is the perfect cautionary tale. The attack relied on a vulnerability in outdated versions of Microsoft Windows that was first discovered by the NSA. Instead of disclosing the discovery to Microsoft so it could be patched, the NSA kept it secret to be used as a future backdoor into computer systems. However, the NSA was itself hacked, and the exploit was stolen, weaponized, and ultimately unleashed on the public.
The WannaCry example shows how tools intended for “the good guys” can easily fall into the wrong hands. In the age of cyber-attacks, there is a more responsible way forward.
Privacy tools make us all safer
In the age of self-driving cars, it isn’t difficult to imagine a future cyber-attack that puts lives at risk. Although no one is known to have died as a result of the WannaCry attack, an attack targeting hospitals could have life and death consequences. So could an attack against aviation systems or a nuclear power plant. The only way to prevent these kinds of attacks is stronger cybersecurity.
Cybersecurity means many things, from enforcing good operational security within organizations to keeping software up to date with the latest security patches. Individual cybersecurity requires strong passwords and strong encryption. Every major data breach has involved unencrypted data pilfered from corporate or government servers, exposing people’s personal and financial information. In many cases, the use of end-to-end(new window) and zero-access encryption(new window), like the kind used at Proton Mail, would have drastically mitigated the damage caused by these attacks.
Privacy and security are not in opposition, despite what some politicians and law enforcement officials would have you believe. Rather, they are two sides of the same coin. A digital system that is built in a secure way is also necessarily private. By promoting cybersecurity, rather than weakening it, we can support both the right to privacy and public safety.
Best Regards,
The Proton Mail Team
Sign up and get a free secure email account from Proton Mail.
We also provide a free VPN service(new window) to protect your privacy.
Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support!