Written by: Szilárd Pfeiffer, Security Engineer & Evangelist, Balasys
The United Nations is preparing to negotiate a draft of a new convention on cybercrime. Szilárd Pfeiffer shared his thoughts on data privacy and encryption at an intersessional consultation of the United Nations Office on Drugs and Crime.
The member states of the United Nations are preparing to negotiate a draft of a new convention on cybercrime. The United Nations Office on Drugs and Crime has invited NGOs and other stakeholders to participate in the negotiating sessions and to share their views and expertise in this field. Our colleague, Szilárd Pfeiffer, Security Engineer & Evangelist at Balasys, shared his thoughts on data privacy, encryption, and cybercrime with the delegates of the member states as a member of the Cybersecurity Tech Accord:
The first international milestone in the fight against cybercrime was the Council of Europe's Budapest Convention. The Budapest Convention not only defined the concepts of cybercrime, but also contained procedural rules. To this day, the convention remains one of the starting points for international regulation of cybercrime. It may also serve as a good guideline for the regulation to be developed by the United Nations.
However, any regulation can contain points of debate. In the case of the Budapest Convention, privacy is one such point; it has been the subject of criticism throughout the convention's two-decade history. The convention sets out obligations for the real-time collection, recording, and interception of content data transmitted by computer systems. It is important to highlight that the vast majority of the content data transmitted over the internet is encrypted. This means that such data can only be collected and recorded in encrypted form. To break the encryption, law enforcement agencies would need a backdoor in the system or a deliberate weakening of the encryption. Both are theoretically and technologically feasible, but they raise practical feasibility concerns, doubts about proportionality, and security risks.
Before continuing, I would like to emphasize that I do not intend to question the importance of fighting against cybercrime, but merely to find a way to minimize both security risks and privacy concerns.
Deliberately weakening any encryption algorithm requires the active involvement of all the major players in the technology sector, as they would have to implement the weakened algorithms in their commercial products. At the same time, we should not forget the free software movement alongside the big tech giants. That community is likely to resist efforts to weaken encryption because of its strong commitment to both trustworthy technology and privacy. It is important to emphasize that the encryption software we currently use in most web, cloud, and mobile technologies on our smartphones and laptops has been developed by technology companies and by members of the free software movement.
Even if methods to weaken encryption could be successfully enforced, the question is what drawbacks they bring alongside their benefits. For law-abiding citizens, surveillance is likely to be 100% effective, but for criminals, the rate might not be significantly higher than it is now.
For instance, free software is never backed by a single organization, company, or state, but by decentralized communities that no one directly governs. The essence of free software is the users' right to modify its functionality according to their needs. This means that cybercriminals can also evade the surveillance and the weakened encryption that law enforcement agencies are able to break. In other words, our tools against the most dangerous cybercriminals and terrorists will be no more effective than they are today. Whatever solution we choose, let us not forget that backdoors in our security systems can be exploited not only by us, but also by our enemies – against us. Cybercriminals today still work hard to find specific software flaws that can be used to break into computer systems and acquire or corrupt as much data as possible. Knowing that there is a backdoor in every encrypted communication on the internet, these criminals would probably devote all their resources to finding and exploiting it. If even one of these criminal groups succeeds, the impact is currently unimaginable.
This blog post is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 International (CC-BY-SA 4.0) License.
Csaba Krasznay: Wars and Cyber Warfare in the Age of APIs
A new chapter in the security of our world opened on 24 February 2022. The term ‘our world’ must also include cyberspace, as the Ukrainian-Russian war has openly demonstrated our dependence on information systems and the vulnerability of this ecosystem. Although the news of the war is still dominated by conventional armed clashes, more and more information is becoming available about the activities and tools of the various state and non-state hacker groups. Companies can expect a renewed emphasis on cyber operations as the battles in physical space subside, with the difference that perhaps less significance will be placed on financial gain and far more on destruction. Most enterprise IT has already migrated to the cloud and to solutions that exchange data through APIs, which have become widespread. However, the rapid transition has focused on efficiency rather than cybersecurity. It is no coincidence that, according to Gartner, APIs are expected to be the most attacked interfaces in 2022.
API security and online fraud? What is the connection?
According to Europol, online fraud is one of the major cyberthreats we face. One of the effective tools against it is content analysis of API traffic.