U.S. Representative Sessions calls for stronger encryption practices
Apr 25, 2015
In a recent opinion piece for The Hill, Republican Texas Representative Pete Sessions said cybersecurity is currently one of the most important issues facing the U.S.
“The threat of data breaches presents a serious national security risk that has already impacted financial, healthcare and government systems across the nation,” wrote Sessions.
To combat these issues, Sessions believes governments should adopt leading-edge measures to protect sensitive data. Data encryption can be described as the translation of data into a secret code, and is the safest way to achieve security. In order to read the encrypted data, one needs to have a password or secret key. The National Institute of Standards and Technology created the Critical Infrastructure Framework, but Sessions calls that only a start. Though data may be protected behind a firewall, the data itself is often not encrypted. Sessions adds, “encrypting must begin at the device level, in transit and in the cloud before it’s too late.”
Government agencies should heed Sessions’ words and thoroughly examine their data and properly secure it, with the help of government IT services.
Data encryption standards for governments differ from lower-level encryption. For instance, small businesses and individuals will want to focus on strong passwords, virtual private networks to hide Internet browsing history and the encryption of hard drives. These practices are used on a much larger scale and use methods the average computer user cannot understand. However, problems may still arise due to software bugs, such as the recent revelation that foreign hackers exploited a bug in Adobe Flash and the Windows operating system to infiltrate government machines. Reuters said one of the exploits is not possible for ordinary users.
See SplashData’s list of 2014’s worst passwords and ensure these are not used at any government agency.
The U.S. government currently abides by the Advanced Encryption Standard after it was ratified by the NIST in 2001.
Need for encryption
There have been many high-profile data breaches in recent months, highlighting the need for strong encryption. The NIST previously released a guide in 2007 with encryption standards and techniques. The guide reads, “When selecting a storage encryption technology, organizations should consider solutions that use existing systems features (such as operating system features) and infrastructure.” The department’s Advanced Encryption Algorithm Validation List is also updated regularly, with the last update on April 17, 2015. It provides guidance for governments implementing AES. Most importantly, government agencies need to ensure cryptographic keys are properly managed. Sessions, in his op-ed, cites worries about poor encryption practices because cryptographic keys often are on the same server as the encrypted data.
Agencies needing help with encryption of critical assets should immediately look to federal IT services for help. The IT professionals will help with on-site and cloud encryption, identify vulnerabilities and work with agencies to establish a strong protocol to determine acceptable levels of risk.
As online attacks become more sophisticated, governments need to place a heavy emphasis on encryption to ensure that important data, the theft of which may harm citizens, is not stolen.