Barely a week passes without something in the news that reminds us of the critical role encryption plays in securing our data. It is a technology that protects so much of what we rely on, as individuals protecting our privacy, as companies securing our business assets and transactions, and as governments responsible for critical national infrastructure.
As a CEO, I needed to know what questions I should be asking my technical experts about encryption and its use, so I asked my staff to produce this paper. I found it to be so useful that I thought we should share it with other executives as they try to understand and manage this complex but indispensable technology.
We believe, at the Internet Society, that encryption is a MUST for protecting what is one of the most valuable assets we manage—data. We hope this paper can be helpful to you.
— Kathy Brown, CEO, Internet Society
The request Kathy mentions came after the San Bernardino shootings in California (which reinvigorated the debate about third-party access to encrypted information), and after a former Director of the UK’s Government Communications Headquarters (GCHQ) had set out his view in these terms:
“Encryption is overwhelmingly a good thing, it keeps us all safe and secure. Building in backdoors is a threat to everybody. […] It is not a good idea to weaken security for everybody in order to tackle a minority. […] Trying to weaken the system, trying to build in backdoors won’t work and is technically difficult.”
— Robert Hannigan, BBC Radio interview, 10 July 2017
I am delighted to say that, today, we are publishing the resulting paper, Cryptography: CEO Questions for CTOs, which focuses on three main topics:
- Getting a snapshot of your organisation’s crypto strategy and current status
- Practical challenges of deployment and management
- Non-technical factors around risk mitigation and law enforcement access
I have also included a brief glossary, and a short background on Public Key Infrastructure and its various quirks; I was persuaded to relegate the latter to an Appendix, in recognition of the fact that not everyone finds the ins and outs of PKI as fascinating as I do… strange as that may seem.
My hope is that you will find the paper useful in two ways:
- If you are conscious that cryptographic technology is somehow important to your organisation, but feel a certain unease about approaching such a notoriously tricky topic, then I hope this paper will help give you the confidence (even, the “permission”) to say – “I now understand the principles and issues; help me understand what we should be doing about this as an organisation”;
- If you are already comfortable with the technical aspects, to the degree you need, then I encourage you to use the document as an “annotated checklist”: each section contains a set of questions for you to think about, and to discuss with responsible executives or managers in your organisation.
I don’t imagine the debate over encryption will fade away or be resolved soon. Organisations will continue to face pressure to meet the diverse objectives of securing their enterprise, keeping customers and their data safe, and responding to government and law enforcement requests for access to encrypted information. In a data-driven society, resolving the conflicts between those objectives is a critical capability.
I hope you will find Cryptography: CEO Questions for CTOs interesting and useful – and if you have any feedback, please let us know.