Throughout the course of human history, disruptive innovation has been required to unleash higher tiers of human potential. Think of Gutenberg and movable type, Edison and electricity or Berners-Lee and the World Wide Web.
We are in need of another such breakthrough today. Cloud computing and the Internet of Things (IoT) embody vast promise for advancing civilization. But they also have given rise to seemingly intractable security exposure, including nation-state rifts, not to mention profound quandaries about the erosion of individual privacy.
The good news is that a new technological advance could unleash the full promise of cloud computing and put IoT on the verge of everyday use by U.S. intelligence agencies and in the private sector. This advance — two decades in the making — is called “homomorphic encryption,” and it allows data to be queried and analyzed without decrypting it.
Homomorphic encryption: Smashing through a technology barrier
“Homomorphic encryption is the Holy Grail of encryption,” says Ellison Anne Williams, a math PhD, former NSA senior researcher and co-founder and CEO of ENVEIL, a security startup that has fine-tuned a homomorphic encryption system for commercial use.
The explosive growth of cloud computing makes this crucial. Amazon EC2, Google Cloud and Microsoft Azure have made cloud storage and processing services a major enabler of digital commerce. An enterprise that uses one of these services is effectively extending the boundary of their trusted enterprise compute environment, owned and managed by them, to an untrusted location owned and managed by a third party.
The problem is that there is a security gap in cloud services today. Companies routinely encrypt data kept in storage and make certain only encrypted data is transported to and from cloud storage facilities. But in order to act on this data — to, say, do a simple search or perform an analytic — both the query and the stored data must be decrypted. This creates an opportunity for an alert intruder lurking on the network to steal the data in unencrypted form.
The genesis of homomorphic encryption
Threat actors are acutely aware of this “Achilles’ heel” of cloud computing and are salivating to exploit it. We know this because business networks routinely falter and briefly expose decrypted data. When this happens, security analysts at large enterprises pay close attention. In a few cases recently, network intruders have been detected doing much the same type of reconnaissance of a company’s crown jewels.
The current roots of homomorphic encryption date back to 2008, when IBM researcher Craig Gentry came up with a way to perform mathematical operations on encrypted data without first needing to decrypt the data — the first working example of homomorphic encryption.
Trouble was, it took gargantuan computing power to make Gentry’s rudimentary prototype work. Steady progress was made over time by others, however, and today we are finally on the threshold of seeing homomorphic encryption deployed in daily business use.
Speaking recently at the Billington Cybersecurity Summit in Washington, Jason Matheny, director of the government’s Intelligence Advanced Research Projects Activity (IARPA), told attendees it has taken “math magic” for this technology to arrive at this point. IARPA is in the late phase of developing a database query system based on homomorphic encryption.
Homomorphic encryption creates new investigative opportunities
The embrace of homomorphic encryption is powerful. For example, authorities, acting on evidence, will be able to search travel and financial records or telephone and email logs, while, say, hot on the trail of a terrorist. And they will be able to do so without ever exposing the underlying data — personal information that belongs to the wider citizenry, muting the possibility of abusing power.
Computer processing power, of course, has advanced steadily since IBM’s Gentry produced his prototype. But it is really the collective brainpower of a group of math geniuses who followed him that brought us to the point we are at today. Driving efforts within the federal government and in private research labs at places like IBM and Microsoft, these highly insightful experts have been pushing the envelope.
Last year, Microsoft researchers smashed a homomorphic encryption speed barrier. While there is still work to be done, Kristin Lauter, a principal research manager at Microsoft, has said that initial results look very promising and that the technology could be used, for example, on specialized devices for medical or financial predictions. “We are definitely going toward making it available to customers and the community,” she told The Register, a British technology news website.
IBM also continues to make progress. It has been granted a patent, for instance, on a particular homomorphic encryption method. This is a strong hint that it continues to work toward a practical solution, not simply continued pursuit of theoretical research. Meanwhile, ENVEIL’s Williams, who spent years at the NSA chiseling away at a practical version of homomorphic encryption, now has 10 pending customers analyzing its proof of concept.
Heightened innovation and commercial disruption will occur
It is in the commercial arena, in particular, where homomorphic encryption is destined to be truly disruptive. To start with, it shrinks the attack surface for organizations increasingly dependent on cloud services. That alone will make compliance much easier, both in meeting data handling rules and, for governments, enforcing them. Neither is a small feat. Meeting federal rules for the handling of medical and financial records or the handling of transaction data is significantly easier for companies with well-defended networks.
Meanwhile, regulatory pressure to better protect data is intensifying. There is a rising tide of state-imposed data security rules, such as those recently enacted in New York, Massachusetts, Vermont and Colorado. In addition, there is Europe’s pending new General Data Protection Regulation, one replete with exhaustive data protection requirements and onerous penalties if they are not met.
A key byproduct of the elimination of the unencrypted security gap will be heightened innovation, and at an important juncture. Consider, for example, the oceans of sensitive personal information that will be collected as IoT continues to grow. Analysts will be far more inclined to gather this broad expanse of data if they know it will be protected properly. They are keenly aware of a personal privacy line that must not be crossed in mining IoT data for marketing purposes, lest consumers revolt.
Beyond consumerism, opportunities to enhance the world of medicine could open up with the embrace of homomorphic encryption. Imagine, for example, medical researchers being able to query millions of HIPAA-protected patient records to identify disease trends by demographics and geographic location. We could enter a golden age of medical advances.
No doubt, other amazing developments are sure to spin out of the mainstreaming of homomorphic encryption. Stay tuned. This disruption can change everything for the better.