The technical community should work to make eavesdropping expensive and force the NSA to abandon wholesale collection of data in favor of targeted collection, renowned cryptographer Bruce Schneier said during the technical plenary at the 88th IETF Meeting in November.
Matthew Green, a cryptography professor at Johns Hopkins University in Baltimore, thinks all communications should be encrypted by default.
"There's really no excuse for sending cleartext data over the Internet anymore," he said via email. "Almost every product is powerful enough to support encryption, and the software to do it is freely available and built into many operating systems. Aside from a few edge cases, the only reason not to encrypt is pure incompetence."
Securing data in transit is a good start, but it is mostly large companies with a lot of resources and know-how that have taken the initiative so far. The majority of efforts seem to come from cloud service providers, not packaged software developers, and the question of whether smaller vendors are able to properly implement encryption remains open.
"Finding software developers who understand IT security is rare enough, and employers don't usually hire security-skilled programmers because they're more expensive," said Raoul Chiesa, president of security consultancy firm Security Brokers and a member of the permanent stakeholders group at the European Network and Information Security Agency. "This means that speaking about built-in encryption to low-level coders is just not feasible," he said in an email.
Fortunately, the NSA's vast resources and capabilities can act as an incentive to implement encryption in a secure way.
"One way to look at the NSA is that they're the adversary we've always dreamed of," Green said. "If there's a practical exploit in a piece of encryption software, you can be pretty sure they're thinking about how to exploit it; and they have the technical capability to do so," he said.
There's a huge paradigm shift from the way things were before the surveillance leaks by former NSA contractor Edward Snowden. Then, the attitude was: "Hey, weaknesses are OK, since nobody's smart enough to exploit them," Green said.
As companies rush to implement encryption to keep up with competitors and respond to market demand, some may fail to do it properly, warned Mark Bower, vice-president of data protection vendor Voltage Security: "End users need to be careful about claims of security, especially anything proprietary in nature, or claims of 'military grade' without any actual validation." Such claims may later be found flawed and useless, he said.
"Often the implementations are not well thought through, especially the key management or the implementation of encryption and hashing," he said. One example he alluded to was that of WhatsApp Messenger. In October a security researcher reported that the popular mobile messaging application contained a basic mistake in its encryption implementation, making it possible to easily decrypt intercepted messages.
Sign up for CIO Asia eNewsletters.