Cybersecurity, Data

Encryption Plays a Key Role in Securing Our Critical Infrastructure

We are surrounded by discussions of the benefits of future technology: smart cities and new services that will ease our commutes and improve our work lives and sensor-laden smart homes that will ease our day-to-day chores through the Internet of Things (IoT).

In many ways, though, that future already is here on a much larger scale. The IoT helps direct the industrial control systems (ICS) that generate and transmit electricity, guide the mixing of reactive substances at chemical plants, and direct automated assembly lines at manufacturing plants, among other examples.

With the benefits of these sector-shifting ICS comes the need to ensure proper levels of cybersecurity in order to protect against the risk of cyberattacks. Central to that effort is ensuring that we make the proper investments in and policy environment for encryption. the BSA Foundation released an issue brief today on encryption’s vital role in ICS.

The efficiency, connectedness, and productivity that ICS provide place them at the forefront of our critical infrastructure. From the manufacturing to the energy sectors, such systems continue to rapidly expand and evolve. But the involvement of ICS in critical infrastructure means that we must now work harder to ensure that our infrastructure is safe from cyberattacks and malicious adversaries.

We must guard against the repeat of something like the December 2015 hack of Ukraine’s power grid. In that attack, hackers uploaded malicious firmware to devices used to transmit operator commands to and from substation control systems. Once the devices were under the hackers’ control, it would have been impossible for operators to address any damage remotely. The attack was unprecedented and symbolized a warning for all nation states: this can happen to you.

In 2016 alone, the Department of Homeland Security’s ICS Cyber Emergency Response Team responded to 290 cybersecurity incidents across sectors. Critical manufacturing was targeted most often, followed closely by communications and energy. Many ICS deployed today are built to last decades rather than years, and many were built before the emergence of current cyber threats. Additionally, many ICS devices built today fail to include fundamental security features or may not enable these by default.

To address these issues, we must use cryptographic techniques like encryption and authentication. Encryption is important to ICS in deploying cryptographically signed updates and patches. For devices that may not be able to support encryption, advances like lightweight cryptography offer an alternative. But for these options to be viable, continued investment, research, and development on encryption is essential.

Proper authentication is important because it enables components and devices to communicate exclusively with authenticated components and devices. Strong authentication solutions rely on the same cryptographic systems and algorithms that also power encryption.

Making these systems as secure as possible is in everyone’s best interest: government, industry, and consumers. All sides need to work together to develop not only the best technologies, but also the proper standards for hardening our infrastructure against attack today and going forward in the IoT-enabled world. Fortunately, collaborative efforts aimed at ensuring online protections are underway: The Charter of Trust, signed recently by IBM, Siemens, and other corporate leaders, is one example of efforts aimed to ensure confidence in the digital world by ensuring a proper focus on the essential elements of cybersecurity. Key among those elements: access management and encryption.

The charter and other partnerships between government and industry are essential to create an environment where encryption research can flourish, and promotion of strong encryption can be a universal goal for protecting ICS.

Cybersecurity, Privacy

It’s Common Sense: Any Encryption Solution Needs to Consider All Sides

Encryption is increasingly at the core of modern business operations and personal communications, underpinning financial transactions, critical infrastructure network security, personal text messages and emails, and sensitive military technologies. Yet, while hundreds of millions of global citizens depend on encryption for security and privacy, criminal actors take advantage of the technology to obscure their activity. … Read More >>

Cybersecurity, Data, Industry

Promoting Good Data Security Practices to Reduce the Risk of Data Breaches

Today, I testified about data security breaches before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit. Prompted by a rash of high-profile data breaches, the hearing examined ways to reform current federal and state data security regulations to help close gaps and reduce vulnerabilities. The hearing was also an opportunity to discuss … Read More >>

Data, Industry, Intellectual Property

Software Policy Priorities Look to the Future

The start of the new year gives us all a valuable opportunity to think ahead, and that includes Congress.  What can be accomplished?  What impact can be made now to have a lasting impact for years to come?  As every sector of the economy, and businesses of all sizes, increasingly use software in nearly everything … Read More >>


Artificial Intelligence: How Can We Better Prepare for the Future?

Yesterday, I testified about artificial intelligence (AI) before the Senate Commerce Subcommittee on Communications, Technology, Innovation, and the Internet. The hearing examined the benefits and challenges of AI in today’s digital economy, how to build trust in AI systems, and steps the US government can take to remain a leader in AI. I focused on … Read More >>