WavebreakMediaMicro - Fotolia

Let’s get real about decryption, says GCHQ tech director

There needs to be more “honesty” in the discussion around GCHQ’s decryption capabilities, according to the agency's Ian Levy

Perceptions that GCHQ is capable of mass decryption of data are not based on physical realities, according to the UK intelligence agency’s technical director Ian Levy.

“The best estimate for the number of bits of work to decrypt just one 1,024-bit SSL [secure sockets layer] session is 280 (1,208,925,819,614,629,174,706,176) and with the best processor we have today requiring 10 nanojoules per instruction, that works out at 3.4 terawatt hours per 50 minutes, which is the entire power generating capacity of the UK,” he told a Digital Security BT Tower Talk in London.

Levy said while it would be “awesome” to be able to do that, there needs to be more “honesty” in the discussion around GCHQ’s decryption capabilities.

He said that unfortunately all the speculation around the decryption capabilities of intelligence agencies has created the public perception that good encryption does not work properly in protecting information.

“This perception drives weird behaviour and undermines trust in technology," said Levy. "But even if an intelligence agency wants to break encryption, it is a great deal more work than anybody realises because the laws of physics still apply.”

Levy said that for a number of years, the UK has had legislation known as the Regulation of Investigatory Powers Act (Ripa) part three, which says anyone suspected of a crime who has an encrypted device, a notice can be served requiring the contents to be made intelligible on penalty of two to five depending on the type of crime involved.

“But what we are struggling with at the moment is the encryption of over-the-top services because providers are behaving like nation states in protecting their users, thereby blocking security and law enforcement officers from accessing the channels being used by criminals and terrorists,” he said.  

On the topic of the planned Investigatory Powers Bill aimed at giving police, security and law enforcement agencies greater access to communications data, Levy said people should consider how this would work and what it would enable.

He said that, for example, if a young girl is sexually abused after being groomed online, police would be able to ask mobile phone providers what mobile phones were located in the area the child was picked at the time she was picked up and which of those phones made connections to Facebook at the same time as the child, which would narrow the field of inquiry down from everybody in the country to a relatively small number.

“That is what the bill is about – it has nothing to do with content; it is all to do with metadata, and if we bring honesty to the discussion, we can start to address the issue of trust, skills and other problems in tackling this properly,” said Levy.

It is up to parliament, he said, to set limits and codes of conduct, adding that the Anderson report on the proposed Investigatory Powers Bill is “a great starting point for what a modern interception security framework should look like”.

According to Levy, the security industry has failed to give users, particularly young people, the information they need to make informed judgements when using technology. “People need to have a better understanding of the potential long-term impact of sharing their data, such as how it could affect insurance premiums in the future,” he said.

Levy also pointed out that the data the Investigatory Powers Bill seeks to access is a “lot less rich” than the data social media companies collect about their users. “It requires an act of parliament and a code of practice to determine what can and cannot be done with communications data, but social media companies are able to change their terms and conditions whenever they like,” he said.

Levy added that most people who use internet services do not read the terms and conditions, and are therefore working under an incorrect assumption of privacy on the internet.

“Google made $57bn last year, and most of the services they are offer are free. So somehow they are getting money out of their users, and that is by aggregating huge amounts of metadata about their users which can be used to make money,” he said.

Levy said a paper by US academic Paul Ohm demonstrates how population-scale anonymisation does not work using anonymised search results published by Yahoo. Ohm was able to identify many of the people behind the search results by combining the Yahoo data with public Netflix review data.

“At its heart, the internet economy is fundamentally incompatible with privacy,” he said.

On the topic of cyber security, he said while attackers are extremely capable and are targeting people in clever ways, they too are bound by the laws of physics, which means if they are going to compromise a machine they need to be able to connect to it, and if they are going to compromise a person they need to be able to manipulate that person to do something.

“In general, a lot of what is going on is mass, untargeted stuff – and we can defend against that, and in some cases it is a trivial thing to do,” said Levy.

Typically, when companies have to admit they have been compromised, they tend to describe the attack as “unprecedented” and “sophisticated”, but he said many of these attacks can be traced by to a spearphishing email that tricked someone inside the organisation into doing something to let the attackers in, which is in attack technique that has been used for the past 20 years.

“If the attack involves a vulnerability that has been patched by the vendor but the patch has not been applied by the victim, then that attack was entirely defendable, and if an organisation has a system that has been designed in such a way that someone clicking on a malicious email link can give an attacker access to the organisation’s entire credit card database, to my mind they deserve everything they get. That’s business risk management gone wrong and cyber Darwinism wins,” said Levy.  

Read more on Privacy and data protection