Digital Version of November/December 2014 Print Edition
Cybersecurity in the surveillance age
The collection of information generated from the online activities of citizens, by both private and public interests, has become so widespread and pervasive that it has prompted several social commentators to label today’s digital-defined culture as “The Surveillance Age.” The moniker is an apt one, in part given the fact that nearly every sovereign state with the means is conducting high-tech surveillance programs, a practice that is considered by most to be integral to national security and ensuring the safety of the state and its citizens.
For many observers, the most disconcerting component of the recently exposed data-collection activities of the National Security Agency was tied to conjecture that multiple U.S. companies may have cooperated in the surveillance activities. The possibility that trusted businesses could be leaving ajar digital backdoors through which sensitive information could slip has cast a chill across both consumer and professional market sectors.
This issue is not for us to speculate here; however, given the interest it has attracted, I felt it would be valuable to share some fundamental information about mobile security, as well as some guidance to assure that your network and its data are being guarded by a trusted partner. Leveraging my experience from over a decade at BlackBerry, which is widely recognized as the industry leader in mobile enterprise security, my intention is to arm consumers, enterprise, and government workers with a baseline familiarity of concepts and procedures associated with mobile security.
A key element of security is encryption technology, which is critical to protecting the confidentiality and integrity of a digital transaction between two endpoints, such as a mobile device and a corporate server located behind a firewall. Providing an integrated approach to mobile security, in which data is encrypted while at rest (stored on a digital device) or in transit, is the best protection against the loss of data or a security breach that could impact the profitability, competitiveness, or reputation of an organization.
Strong encryption guards against data integrity compromises in these environments, which are typically treated by network engineers or mobile security experts as hostile and untrustworthy. It’s important to note that encryption technologies differ significantly in the degrees of protection they offer. At the highest level, the AES-256 encryption, which is at the core of BlackBerry’s solution, delivers unsurpassed encryption capabilities that protect data outside the oversight of the IT department.
To gain a deeper understanding of encryption requires an introduction to a few esoteric cryptography terms. One of those terms is entropy, which plays a significant role in determining the effectiveness of a modern encryption system. At a very high level, entropy is a measure of how much randomness you have. Simply put, the more entropy you have the more effective your encryption can be. Consider the differences between seeking a needle in a haystack and looking for one hidden in an acre’s worth of haystacks. The procedures are essentially the same; it’s the level of difficulty and complexity that differs substantially between the two scenarios.
BlackBerry’s end-to-end security solution relies on multiple sources of entropy to create a dynamic and effective security environment that ensures encrypted data remains unreadable until it is decrypted at the end of its transmission. Randomly generated security keys are matched to every transmitted packet of data. That means that at the end of its journey, a one megabyte file will be composed of 500 individual packets (or transactions) -- each encrypted with a unique key.
Any discussion related to digital intrusion or surveillance has to include spyware, which is a form of malware. Businesses or organizations using mobile devices that have open development platforms are especially susceptible to attempts to exploit users through spyware. It is also a favorite tool of cyber criminals, who are increasingly targeting mobile devices as access points into the confidential data of organizations for purposes that range from nuisance to nefarious. Disguised within a consumer application, malware can be used to gain access to personal information, for anything from marketing to identity theft to compromising corporate data. This real and growing threat requires security solutions that properly safeguard the privacy of governments, enterprise workers, and individual users.
The fact that the number and utility of mobile devices will only increase means that the boundaries of the modern organization are being stretched to include hundreds or even thousands of mobile end points possessing access to the most precious assets, such as intellectual property and other sensitive information. Security in this environment cannot be an afterthought. It must be built in at every layer -- hardware, software, and network infrastructure -- to ensure end-to-end protection.
At BlackBerry, security is our core competency. Our guiding business principle is keeping data -- your data -- out of the hands of third parties. Our solutions are bereft of “backdoors” or other vulnerabilities. With the stakes so high in “The Surveillance Age,” it’s imperative that you demand the same commitment from every partner you trust with your information.
Michael Brown is vice president, security product management and research at BlackBerry.