Professor Ueli Maurer receives two major honors from ACM and RSA
In recognition of his significant contributions to cryptography and information security, Professor Ueli Maurer has been named an ACM Fellow. Professor Maurer is also the winner of the prestigious 2016 RSA Award for Excellence in the Field of Mathematics for his work and results in information-theoretic cryptography. Many congratulations!
Over the past few years, internet users have seen viruses, trojan scams, fraud, hacking and data espionage becoming ever more pervasive. With people's lives and liberties increasingly online, do you think anonymous, hidden and private communications – recognized as vital to democratic societies – would still be possible?
Ueli Maurer: The developments in IT and its impact on society and the economy are generally very difficult to predict because the same technology enables forces in opposite directions, for example towards more surveillance or towards more counter-surveillance. Technology can provide new democratic mechanisms, but at the same time it can be misused to destroy democratic principles. Which forces will prevail is hard to predict.
Now to your specific question. My guess is that the ability to keep information private and to communicate secretly will remain important pillars of human identity, but possibly in different forms than are envisaged today. The public space, and possibly also substantial parts of the private space, might be subject to different forms of surveillance in the future, for example by tiny cameras, microphones, and drones feeding data to sophisticated software. We might have to retract to hiding places to be able to have a secret communication.
In the wake of the Charlie Hebdo murders in Paris, UK's Prime Minister David Cameron wanted the police to have access to everything. He said: "In our country, do we want to allow a means of communication between people which, even in extremis, with a signed warrant from the home secretary personally, that we cannot read? The question remains: are we going to allow a means of communication where it simply is not possible to do that? My answer to that question is: no, we must not." So, we have to ask, will it be possible to establish rules for exceptional access without generating unacceptable risks to the freedom of citizens?
The problem with Mr. Cameron's idea is that good encryption algorithms cannot be broken, neither by the secret services nor by the designer of the algorithm. Therefore, secret services, most prominently the NSA, try to infiltrate computing platforms on which data is stored and the encryption software is running. However, if one uses a non-infected platform, then the secret services cannot read the communicated encrypted data, even if they detect its existence.
Therefore, in principle, implementing Mr. Cameron's wish is not possible and could lead to an erosion of privacy for honest people while, nevertheless, failing to keep terrorists from communicating securely.
Security is a business imperative. Security threats are business risks. And the risks of tomorrow – uncertain at best and perilous at worst – will entail, for instance, a more comprehensive model of information security. What three key actions would you recommend to company leaders to win the battle against today's determined, highly skilled and sophisticated intruders?
Firstly, it is imperative to position information security at the top executive and board level, with substantial budget allocation, hire security specialists and grant them a clear mandate. Secondly, the business leaders should establish inter-company task forces, also among competing companies, to develop best business practices and share experience and information about vulnerabilities. Finally, the support of national and international security initiatives – politically, as well as financially – is highly important.
It is impossible to completely prevent an attack. So far though, the worst has not come to pass – the power grid, the financial system, critical infrastructure in general, and many other systems all function reliably using complex software. But still, how can citizens, entire populations and governments prepare for the advanced security threats of tomorrow?
In my opinion, society was too naive in the past decades in the way we have adopted and commercialized the benefits of IT without caring much about the downsides, like a strongly increased vulnerability. I expect that we will eventually see some major catastrophes, far beyond those seen so far. After experiencing such incidents, society will slowly agree to put dramatically more emphasis on the development of a secure information infrastructure and on a significant investment of more resources into education and software development. A required paradigm shift seems to be the introduction of liability for faulty software products.