To battle hackers, IBM wants to encrypt the world

The Washington Post

There are only two types of companies, it is commonly said: those that have been hacked, and those that just don't know it yet.

IBM Corp. wants to get rid of both. The Armonk, N.Y., computing giant said Monday that it has achieved a breakthrough in security technology that will enable all businesses to encrypt their customer data on a massive scale — turning most if not all of their digital information into gibberish that is illegible to thieves with its new mainframe.

"The last generation of mainframes did encryption very well and very fast, but not in bulk," Ross Mauri, general manager of IBM's mainframe business, said in an interview. Mauri estimates that only 4% of data stolen since 2013 was ever encrypted.

As the number of data breaches affecting U.S. entities steadily grows — resulting in the leakage every year of millions of people's personal information — IBM argues that universal encryption could be the answer to the epidemic of hacking.

The key, according to IBM officials, is an update to the computer chips driving the powerful mainframe servers that house corporate or institutional information and process millions of transactions a day worldwide, such as ATM withdrawals and credit card payments and flight reservations.

Cryptography, the science of turning legible information into coded gobbledygook, is already commonly used among certain email providers and storage services. But because of the enormous computational power needed to quickly encrypt and decrypt information as it passes from one entity to another, many businesses use encryption only selectively if at all. A December report by the security firm Sophos found that while three out of four organizations routinely encrypt customer data or billing information, far more do not encrypt their intellectual property or HR records. Sixty percent of organizations also leave work files created by employees unencrypted, the study found.

All of these represent opportunities for digital criminals, said Austin Carson, executive director of the technology think tank TechFreedom.

"Way too much information is stored in clear text," he said. But universal or pervasive encryption, he added, could help ensure that even if hackers broke into a company's network, any information they found would be impossible to decode. "That would be a huge step forward just in terms of protecting a much larger body of information," Carson said.

But the same technology could frustrate law enforcement, which in recent years has waged a furious battle with Silicon Valley over encryption technology and how extensively it should be used.

In a high-profile dispute last year with Apple Inc., the Justice Department argued that the company should help officials break into an encrypted iPhone used by one of the shooters in the San Bernardino terror attack. Apple refused, saying that developing tools to break encryption would undermine its customers' security, particularly if the tools were to fall into the wrong hands.

Apple's concern is not theoretical: This year's WannaCry ransomware attack, which held thousands of PCs hostage, has been linked to a Windows vulnerability that was secretly discovered and exploited by the National Security Agency long before it leaked into the wild.

In its push to expand universal encryption, IBM is taking Apple's side in the debate.

"IBM fully supports the need for governments to protect their citizens from evolving threats," the company said in a statement on the issue. "Weakening encryption technology, however, is not the answer. Encryption is simply too prevalent and necessary in modern society."

For IBM, encryption is also a massive business opportunity. Businesses spend more than $1 trillion a year making sure that their security meets government standards, according to company officials. One aspect of IBM's new approach to mainframes is the concept of automating that compliance work, using artificial intelligence to check that what's being protected passes regulatory muster in various industries.

In doing so, IBM expects to turn a chunk of that annual compliance spending into revenue for itself. And that's on top of the roughly $500,000 it expects to charge new customers for using its newest mainframe technology. Most businesses, Mauri said, will be upgrading from an existing setup, so the cost for those clients could be less.

For some small businesses, that may still be too expensive. Still, the history of technology suggests that with time, those prices may fall.

"This is the turning point. The idea here is that you can start to encrypt all data," Mauri said. But even as IBM makes encrypting everything a priority, security experts like Mauri already have their eyes set on the next holy grail: The ability to securely edit and manipulate encrypted files without ever having to decrypt them in the first place.

Fung writes for the Washington Post.

ALSO

Girl Scouts offers merit badges for making friends, painting and horseback riding. Up next: cybersecurity

Verizon customer data — including phone numbers and PINs — exposed by vendor

Their code was used to hack Sony and create 'WannaCry.' Meet the 'Lazarus Group,' the armed robbers of the Internet

Copyright © 2017, Los Angeles Times
EDITION: California | U.S. & World
67°