How the NSA's decrypting practices erode basic trust

Jeff Hudson | Special for CyberTruth

(Editor's note: Opinions in the tech community about the key implications of the NSA's practice of weakening encryption systems, as part of its PRISM anti-terrorism surveillance – disclosed last week by ProPublica, The Guardian and The New York Times – vary. Jeff Hudson, CEO of software company Venafi, believes they are dire. Venafi provides encryption key and certificate security and protection.)

The recent string of revelations about the activities of the NSA can lead to only one conclusion: we are on the brink of a disaster. The disaster is the crumbling of the backbone of our digital world – the Internet.

Why is it crumbling? Because much of what goes on in the digital world assumes that you can authenticate and identify the entity you are communicating with and that if you use encryption, the information you exchange is safe from prying eyes.

We trust the Internet in large part because we are relatively sure that if, for example, we go to a bank's website and "https" shows up in the browser's address bar, we are in fact connected to and communicating with the bank (not some criminal's fake site). We are also certain that the information we send over the Internet, through a long series of ISPs, routers and firewalls, is visible only to the bank.

If none of this is true then we will have a disaster on our hands. The disaster is that we will be in a digital world where nothing can be trusted.

If it is not intuitively obvious why living in a world without trust is a disaster, consider the following. Why do our society, commerce, transportation, and just about everything else in the non-digital world work today? Because we trust them to work.

When you get in a taxi, you trust it will get you to your destination. In a restaurant, you trust the food is not poisoned. From a water faucet, you trust the water is free of cholera or other deadly bacteria.

In the digital world, if we do not trust that we are connected to the bank we think we are communicating with, if we do not trust that our medical records are transferred without disclosure to unknown parties, if we do not trust that our house alarms cannot be turned off remotely by a thief, and if we do not trust that the power grid cannot be shut down by terrorists, then we are living in a digital world where we can trust nothing.

That is a disaster. The consequences of a digital world without trust are not predictable, and they are very possibly catastrophic.

There is a simple reason we are on the verge of this disaster. The reason is that almost all enterprises do not protect and secure the trust that they rely upon in the digital world.

A Ponemon Institute study of the Global 2000 reports that over 50 percent of organizations do not know what types of cryptographic keys and digital certificates they are using to ensure trust across the Internet, or how many, nor do they know what policies govern their use. Furthermore, on average each enterprise thinks it has around 17,000 keys and certificates in use, but isn't sure.

The NSA has collected keys and certificates, and reportedly used them to intercept and eavesdrop on the digital world. Uncle Sam has proven that this can be done, even though most people did not think it was possible.

The problem does not end with the NSA, though. Now that everyone knows what the NSA has done, criminals know as well. They will follow the NSA's lead and use the same techniques to steal and control anything they want. For enterprises, this means their intellectual property is at risk of being stolen.

The only solution is to protect, secure and control the foundations of trust in the digital world, which means strengthening many systems, including keys and certificates.

It's worrisome that few corporations are taking steps to avoid the disaster of a world without trust.