Data Makes The World Go Round—Until It Doesn’t: What You Urgently Need To Know About Keyless Encryption

Publication: Forbes Technology Council / Link: https://reurl.cc/3bqAp8
By: Srinivas Shekar, Founder and CEO, Pantherun Technologies.

 

“Shut it down! Shut it all down! And pay them what they are asking!”

It was 5:55 AM on May 7, 2021, in Alpharetta, Georgia. Minutes earlier, an employee of The Colonial Pipeline Company (CPC) discovered a ransom note placed within its IT network by a hacking group called Darkside. The criminals stole 100GB worth of corporate data before deploying ransomware that locked CPC out of key business systems across its network. To release the data and restore the systems, Darkside demanded 75 bitcoin, then worth about $4.4 million.

The attack was brisk and brazen. Colonial Pipeline CEO Joseph Blount had to act fast. To prevent the malware from spreading into the operational systems that control the physical flow of fuel, Blount and his team decided to proactively shut down the company’s entire pipeline operations—responsible for supplying some 45% of the East Coast’s gasoline, diesel and jet fuel—and to pay the ransom. The shutdown lasted for six days, disrupted the industry, cost CPC tens of millions of dollars and drove regional fuel prices up to a 6.5-year high.

 

What went wrong here?

The Colonial Pipeline attack was successful because of a compromised password with no multi-factor authentication. CPC also failed to properly sequester their operational technology (OT) systems, which run pipeline activity, from their IT systems, administrative systems and governing accounting systems.

This created a lethal triple-threat. CPC could only recover its IT data by paying the ransom. The hackers could leak that data to the public or to competitors, causing material and reputational damage. CPC had to worry about their OT systems being compromised as well, bringing operations to a standstill indefinitely.

What if CPC had properly encrypted and backed up the data?

Had they done so, CPC could have restored the stolen data relatively easily, and the encrypted data stolen would have been of no use to the hackers. It would be as if bank robbers made off with an uncrackable safe. The thieves would be no better off, and the bank could just recover the money through FDIC insurance.

 

Data encryption makes the world go round.

Data encryption quietly impacts almost every part of our digital lives, from online banking transactions and customer account data, to electrical grid control data and commercial airline flight data, to e-commerce purchases, emails and text messages.

Without encryption, the consequences of hacking range from identity theft to corporate espionage to regulatory punishment—and, of course, ransomware attacks like the one against Colonial Pipeline. To keep this data safe, it must be encrypted both while being transmitted between systems (“in transit”) and while being stored for future use (“at rest”), using Advanced Encryption Standard (AES)-256, the “gold standard” of data encryption today.

AES and most other forms of encryption today make use of fixed keys—unique strings of numbers or characters—to lock (encrypt) and unlock (decrypt) data. Think of keys like digital passwords or padlock combinations: Only those who have the correct key can read the encrypted data. These keys are either symmetrical (one key locks and unlocks the data) or asymmetrical (a public key locks the data, a private key unlocks it).

Without the correct key, encrypted data is unreadable, even if stolen by hackers. In this way, data encryption makes the world go round—until it doesn’t.

 

Keys can be compromised.

Even when data is encrypted, sloppy key management, endpoint compromise, insider threats and man-in-the-middle attacks can give bad actors access to data that they should not have. Some “safe” encryption methods are even considered at high risk due to the rapid advancement of quantum computing.

In 2018, hackers broke into one of Marriott Hotels’ reservation systems, accessing passport numbers and payment information for over 500 million guests. Although much of the sensitive data was encrypted, the keys were stored on the same server. Just like locking your house and leaving the key under the welcome mat, the hackers had no problem accessing the data.

In another key failure, dozens of U.S. Treasury email accounts were compromised when hackers stole encryption keys that allowed them to forge credentials. As Senator Ron Wyden said at the time, “Encryption keys become irresistible targets for hackers.”

 

Next-generation encryption is emerging.

How can we protect sensitive data in industries like financial services, healthcare, defense, critical infrastructure and sensitive edge devices without facing the inherent vulnerabilities of encryption keys?

A number of experimental new approaches now seek to evolve the world’s approach to data security. For instance, homomorphic encryption allows data to undergo computation while remaining encrypted. Post-quantum cryptography relies on mathematical problems that are believed to remain hard for quantum computers, so that decryption keys cannot be deduced with them. Zero-knowledge proofs let a party prove it holds the right encryption/decryption key without ever revealing it, making it harder for hackers to steal keys.

But there is one more method which I believe will, in fact, become the future of data encryption: keyless exchange (KLE).

With keyless exchange, no fixed encryption keys are stored anywhere. Instead, transactions are verified through a distributed network of cooperative nodes that generate short-lived mathematical values. Multiple parties—none of whom can decrypt data on their own—work together to create a dynamic, mathematically derived code that briefly unlocks the data for a single transaction. The code exists in memory only for that moment and then becomes invalid—somewhat like the temporary two-factor authentication codes most of us are familiar with. KLE offers end-to-end data protection without the inherent vulnerabilities of encryption keys, and with virtually no added latency.
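The paragraph above describes keyless exchange only in outline. As an added illustration, not Pantherun's or any vendor's algorithm, this Python sketch assumes each node holds an independent random share and contributes an HMAC over a transaction ID, with the XOR of all contributions serving as the one-time key; `Node`, `contribute` and `transaction_key` are hypothetical names.

```python
import hashlib
import hmac
import secrets
from functools import reduce


class Node:
    """One cooperating node (hypothetical); its share never leaves it."""

    def __init__(self):
        self._share = secrets.token_bytes(32)  # assumption: independent random share
        self._served = set()                   # (txn_id, role) pairs already answered

    def contribute(self, txn_id: bytes, role: str) -> bytes:
        # Serve each (transaction, role) once, so a replayed request is refused.
        if (txn_id, role) in self._served:
            raise PermissionError("transaction already served for this role")
        self._served.add((txn_id, role))
        # The contribution depends on the share and the transaction, not the role,
        # so the encrypting and decrypting sides arrive at the same key.
        return hmac.new(self._share, b"kle-demo|" + txn_id, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def transaction_key(nodes, txn_id: bytes, role: str) -> bytes:
    """XOR every node's contribution into a 256-bit one-time key (held in memory only)."""
    return reduce(xor_bytes, (n.contribute(txn_id, role) for n in nodes))


if __name__ == "__main__":
    nodes = [Node() for _ in range(3)]
    txn = secrets.token_bytes(16)  # constructed transaction ID
    k_enc = transaction_key(nodes, txn, "encrypt")
    k_dec = transaction_key(nodes, txn, "decrypt")
    print("sender and receiver agree:", hmac.compare_digest(k_enc, k_dec))
    print("next transaction differs: ",
          transaction_key(nodes, secrets.token_bytes(16), "encrypt") != k_enc)
    try:
        transaction_key(nodes, txn, "decrypt")
    except PermissionError as exc:
        print("replay refused:", exc)
```

Because XOR combining is n-of-n, losing any one node blocks every transaction; a deployment that must tolerate node failure would need a threshold scheme instead.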

This technology already exists today. However, you should carefully consider compatibility and interoperability of your chosen solution, as some KLE solutions may require workflow redesign to integrate into existing architectures. For regulated industries, KLE integration can also take time to win auditor approval, as it may not fit neatly into decades-old protocols.

 

Stay vigilant.

Artificial intelligence and quantum computing are growing more capable by the minute, with the potential to empower far more damaging attacks than the one experienced by Colonial Pipeline. To avoid being the next victim, you must be ever vigilant with your sensitive data.

At a minimum, I recommend conducting regular audits of your encryption standards, data privileges and key management standards, using multifactor authentication wherever possible, segmenting networks to contain breaches and encrypting sensitive data both at rest and in transit. If you are in a vulnerable industry, however, that is not enough.

The time may have come to consider keyless exchange and other next-generation data security methods.

 

 

About Pantherun:
Pantherun is a cyber security innovator with a patent-pending approach to data protection that transforms security by making encryption possible in real time, while making a breach of security 10X harder compared to existing global solutions, at better performance and price.