
Tag: Confidentiality

Baking soda shortage has hospitals frantic, delaying treatments and surgeries

Sodium bicarbonate is used in a variety of treatments but is inexplicably scarce.

Annual Verizon security report says sloppiness causes most data breaches

Security threats are constantly evolving, but as Verizon's latest DBIR (Data Breach Investigations Report) shows, the more things change in information security, the more they stay the same. More than half (51 percent) of the data breaches analyzed i...

Man sues Confide: I wouldn’t have spent $7/month if I’d known...

Confide: "The accusations set forth in the complaint are unfounded and without merit."

6 security essentials the CIA forgot

Wikileaks’ CIA dump is the biggest secret cache released so far.
It’s embarrassing to the CIA.
It undermines our intelligence efforts.

And it didn’t need to happen. The sad fact is that the world’s computers are not configured securely enough to match the confidentiality of the data they are protecting.

As a society we allow our computers to languish in a state that almost invites attackers to access them—even at the CIA, apparently. That may finally be changing, though remediation has been slow to roll out.
In my view, the tipping point was the Sony hack, which was so embarrassing and costly that it scared execs in a way that the Target, Home Depot, and Office of Management and Budget hacks did not.

NewVoiceMedia achieves SOC 2 Type 2 certification

Independent assessment of SOC 2 Type 2 compliance demonstrates vendor’s continued commitment to protecting customers and their data security.

LONDON, February 21, 2017 – NewVoiceMedia, a leading global provider of inside sales and contact centre technology that helps businesses sell more, serve better and grow faster, has successfully completed a Service Organisation Controls (SOC) 2 Type 2 examination based on the trust principles of security, availability and confidentiality.

Accountancy firm PricewaterhouseCoopers (PwC) performed a rigorous audit... Source: RealWire

Features of secure OS realization

There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles.

Go dark with the flow: Lavabit lives again

Another shot at spook-proofing e-mail

It's taken longer than first expected, but the first fruits of Lavabit founder Ladar Levison's Dark Mail Technical Alliance have landed with the relaunch of the encrypted mail service he closed in 2013. After shuttering Lavabit, Levison joined hands with Silent Circle to form the DMTA and promised Lavabit would flow again in 2014.

In 2015, Levison posted a GitHub repository putting forward a protocol to support fully “dark” e-mail: the Dark Internet Mail Environment, or DIME, which has “multiple layers of key management and multiple layers of message encryption”. The Libdime implementation offered both libraries and command line utilities, which is, after all, doing it the hard way: Lavabit Mark II puts that in the hands of users with the also-open-source Magma Webmail server implementation. The Lavabit mail server, Magma, first appeared on GitHub in 2016.

Levison writes: “DIME provides multiple modes of security (Trustful, Cautious, & Paranoid) and is radically different from any other encrypted platform, solving security problems others neglect.

DIME is the only automated, federated, encryption standard designed to work with different service providers while minimising the leakage of metadata without a centralised authority.

DIME is end-to-end secure, yet flexible enough to allow users to continue using their email without a Ph.D. in cryptology.”

So what's in the protocol? Let's look at the specification, published here (PDF).

DIME's message flow. Image: The Dark Mail Technical Alliance

You don't get perfect security while you've still got wetware involved.

The DIME document notes that if a user has a weak password or bad endpoint security, all bets are off. Within that constraint, the DMTA says DIME's designed to provide “secure and reliable delivery of email, while providing for message confidentiality, tamper protection, and a dramatic reduction in the leakage of metadata to processing agents encountered along the delivery path”. At the top level, the four components of the system architecture are e-mail clients; privacy processing agents; key stores (with a resolver architecture to retrieve keys, in DIME called “signets”); and the encrypted message objects. To most users, The Register will assume the only new concept here is the privacy processing agent (PPA).

There are two kinds, the organisational PPA, and the user PPA. The Organisation Privacy Agent (OPA) talks to both user e-mail clients and the Internet at large, handling user key management to create “a secure transit channel that hides all information about the message using transport layer security”.
It also “provides access to the envelope information needed for immediate handling.” The User Privacy Agent (UPA) handles user-side crypto functions, and can reside in the user's e-mail client or, in Webmail implementations, on the server.

DIME has three modes of operation:

Trustful – the user trusts the server to handle privacy.

Cautious – the server stores and synchs encrypted data, including encrypted copies of private keys and messages. Encryption can be carried out inside a user's browser.

Paranoid – the server never sees a user's keys. There's no Webmail, and if you want to use multiple devices, it's up to you to synch them across different keyrings.

In technical terms, that means the system has to automate all aspects of key management; encrypt and sign messages without a user having to learn how to run it; and resist manipulation (including, ideally, even if a client is compromised). The layering of encryption, the standard says, is designed to protect messages even if (for example) a server along the way is compromised.

DIME relies on a concept of “signets” for keys: organisational signets, which are keys associated with a domain; and user signets, the key associated with an individual e-mail address. “The basic validation model is to obtain a signet from a credible primary source and then confirm it with another pre-authenticated source.

The two pre-authenticated sources currently available are a management record signed using DNSSEC or a TLS certificate signed by a recognised Certificate Authority (CA).

Both can be cryptographically traced by a signet resolver back to a trusted key that is shipped with the resolver.”

As well as the Webmail version, Lavabit says it wants to develop clients for Windows, Mac OS and iOS, Linux and Android.

Pirates, pirates, whatchu gonna do? Advertisers cop a visit from PIPCU

Someone's keeping the neckbeards in Doritos

Knock knock. Who's there? This Wednesday, officers from the City of London Police's Intellectual Property Crime Unit (PIPCU) trying to get your advertising agency to stop helping pirate sites generate revenue. Eight organisations – from influential brands, through to advertising agencies and ad networks – got a polite visit from the boys in blue this week as part of a multi-agency initiative to get the creative industries to assist in the fight against piracy.

Dubbed Operation Creative, the project was launched in 2013, and according to the police it "compromises several tactical options, including placing piracy sites on an Infringing Website List (IWL) which is then shared with advertisers, agencies and other intermediaries so that they can cease advert placement on these illegal websites." According to the Digital Citizens Alliance, piracy sites generate $227m from advertising alone, and advertisers have become the cops' target in attempting to deconstruct the criminal syndicates behind their operation.

During the visits, the companies were "made aware of their involvement in the placement of ads on copyright infringing sites", according to the City of London police, although whether they were at risk of being considered complicit in crime is not clear. The bobbies said that all eight organisations visited were keen to support Operation Creative and have pledged to sign up to the IWL to ensure advert placement from their brand and clients do not appear on the 1,232 websites that it lists.

Since its launch, Operation Creative has claimed to have seen a significant decrease (73 per cent) in advertising from the UK's top ad spending companies to websites involved in online forms of piracy. The City of London police declined to identify those "top ad spending companies" to The Register on confidentiality grounds, nor was it able to explain how much of the market share those companies comprised.

The monetary value of the figure of 73 per cent was also unavailable. Operation Creative's lead officer, Detective Constable Steven Salway, said: "It is important we tackle this issue, not only for brands and businesses' reputation, but for consumers too. When adverts from established brands appear on these sites, they lend them a look of legitimacy.

By working with industry to discourage reputable brands from advertising on piracy sites, we will help consumers realise these sites are neither official nor legal." Director General of FACT, Kieron Sharp, said: "Consumers need to be aware that not only are the criminals behind these websites making substantial amounts of money from adverts, but simply visiting the sites can put the public at risk of malware, viruses and click-through scams."

Facebook, Google face strict EU privacy rules that could hit ad...

Online messaging services such as WhatsApp, Skype, and Gmail face a crackdown on a "void of protection" that allows them to routinely track the data of EU citizens without regulatory scrutiny—and it could be bad news for ad sales. On Tuesday, officials in Brussels proposed new measures to curb Silicon Valley players who—up until now—have been largely immune from the ePrivacy Directive, which requires telecoms operators to adhere to the rules on the confidentiality of communications and the protection of personal data. As part of its planned overhaul, the European Commission, the executive wing of the European Union, said that it planned to beef up the measures by switching from a directive to a "directly applicable regulation" to ensure that the bloc's 500 million citizens "enjoy the same level of protection for their electronic communications." It claimed that businesses would also benefit from "one single set of rules." Over-The-Top services such as Facebook's WhatsApp and Google's Gmail can all but ignore the EU's existing rules.

The commission said that this needed to change: Important technological and economic developments took place in the market since the last revision of the ePrivacy Directive in 2009.

Consumers and businesses increasingly rely on new Internet-based services enabling inter-personal communications such as Voice over IP, instant messaging, and Web-based e-mail services, instead of traditional communications services... Accordingly, the Directive has not kept pace with technological developments, resulting in a void of protection of communications conveyed through new services. The EC is also planning to kill the heavily ridiculed cookies consent pop-up system.
It said, in an embarrassing—if long overdue—climbdown that users would be given more control to allow or prevent websites from tracking them depending on "privacy risks." Last summer, a big coalition of tech firms lobbied for the cookie law to be scrapped. Under the new proposal, the commission said: "no consent is needed for non-privacy intrusive cookies improving Internet experience (e.g. to remember shopping cart history).

Cookies set by a visited website counting the number of visitors to that website will no longer require consent." But it could also hit the bottom line of Facebook, Google, and chums because tracking consent may be harder to obtain if lots of users reject third party cookies.

The commission said that, following public consultation on the issue, 81.2 percent of citizens agreed that obligations should be imposed on "manufacturers of terminal equipment to market products with privacy-by-default settings activated." It also warned that "additional costs" could hit some Web browser makers because they would be required to develop software with privacy settings built in. The new proposals also call on consent to process electronic communications metadata, such as device location data to allow for the "purposes of granting and maintaining access and connection to the service," the commission said.
It means that telcos "will have more opportunities to use data and provide additional services." Translation: new ways to make more cash. Companies that flout confidentiality of communications rules face fines of up to four percent of their global annual turnover, under the commission's planned e-privacy measures—the same penalty that will be dished out to firms that violate the EU's General Data Protection Regulation, which comes into action in April 2018. "The European data protection legislation adopted last year sets high standards for the benefit of both EU citizens and companies," said EC justice chief Věra Jourová. "Today we are also setting out our strategy to facilitate international data exchanges in the global digital economy and promote high data protection standards worldwide." But the latest proposals cannot become law until the bloc's 28 member states and the European Parliament agree to wave them through—leaving plenty of wiggle room for industry lobbying. Separately, the commission is seeking views from the public on how to best tackle data mining as part of its Digital Single Market strategy. This post originated on Ars Technica UK

Unsecure routers, webcams prompt feds to sue D-Link

The Federal Trade Commission on Thursday sued Taiwan-based D-Link in federal court.

The FTC alleges that D-Link routers and webcams left "thousands of consumers at risk" to hacking attacks. "Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007," the FTC said in a complaint (PDF) filed in San Francisco federal court.

The commission's move comes 11 months after the agency settled with Asus over its insecure routers that allowed attackers to remotely log in to them and, depending on user configurations, change security settings or access files stored on connected devices. The government lodged similar allegations against D-Link:

Defendants repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws, such as “hard-coded” user credentials and other backdoors, and command injection flaws, which would allow remote attackers to gain control of consumers’ devices;

Defendant D-Link has failed to take reasonable steps to maintain the confidentiality of the private key that Defendant D-Link used to sign Defendants’ software, including by failing to adequately restrict, monitor, and oversee handling of the key, resulting in the exposure of the private key on a public website for approximately six months; and

Defendants have failed to use free software, available since at least 2008, to secure users’ mobile app login credentials, and instead have stored those credentials in clear, readable text on a user’s mobile device.

Reports abound about D-Link and other products being compromised with botnets and other attacks. Now the company stands accused of unfair business practices and misrepresenting its security features.

The government wants a federal judge to order D-Link to correct those alleged business practices.

How Artificial Intelligence Will Solve The Security Skills Shortage

Unlike industries that fear the intrusion of AI, the infosec world is embracing this revolutionary technology, and the seismic changes it will bring to threat detection and mitigation. I was reminded of a mathematical hypothesis called the singularity when I read Vinod Khosla’s recent interview in the Wall Street Journal and his prediction of massive job displacement and the growth of new industries due to the widespread adoption of artificial intelligence (AI). The singularity is a point and phase in the future when bio, nano, energy, robotic, and computer technology will develop at such a rate, become so advanced, and have such a profound impact on humanity, that today’s society has no means to understand or describe what life will be like at that time in the future. It made me wonder how far and fast we are heading in the same explosion of unfathomable change occurring today in information security. Just as IT revolutionized all forms of business in the last half-century, and the Internet in turn revolutionized IT in the last quarter-century, the trajectory we are on now places AI squarely at the next technology inflection point. The study of history often provides a strong predictor of human societal change. When history unexpectedly veers off course, it is usually due to a substantial technology advancement and the subsequent seismic changes it brings to business and economic systems. Our perception and use of AI today, also known as machine intelligence, is still in its infancy. New industries are learning by doing, just as we did when the Internet was in its infancy. Looking back, it’s easy to wince and laugh at interviews of experts in the mid-1990s describing the revolutionary nature of email and the world wide web and their dire predictions about the dreaded Y2K.

Their projections were both right and wrong, limited in part by what they understood at the time.

The impact of what the Internet would ultimately deliver to business and, in turn, society, could not have been foreseen.

The Promise of AI

As a new swath of information security technologies deploy their first generation of AI – seeking to solve many of the security and confidentiality issues that have plagued businesses over the last 40 years – we’re already starting to feel their positive impact. The information security world is now starved for human capital.

There is a global shortage of experienced security workers across the spectrum of skills and specialties.

This is holding back advancement and exposing IT systems and Internet businesses to criminality and ransom. Unlike industries that fear the intrusion of AI, the information security industry – driven largely by a global shortage of qualified employees – is embracing it.

As networks become more sophisticated, generate more data, and are exposed to increasingly advanced threats, AI and the automation it empowers are the cure. This first generation of AI-driven security solutions are focused primarily on automatically sifting through data, hunting for threats, and facilitating a human-led remediation plan. When the first generation of security AI masters threat detection, it will be entrusted with preemptive threat mitigation and auto-remediation of known threats. Our perception of today’s 24x7 security operations center will eventually be replaced with the second generation of AI-led security technology – leaving human operators to focus on business continuity and critical support issues. However, just as AI is a boon to the defender, so too is it to the attacker.

Defense contractors and governments around the world are already using AI to sift through great lakes of network data and intelligence, and hunt for exploitable weaknesses. Just as fast as armies introduced tanks to warfare, tank-on-tank warfare became a necessity.

AI-on-AI warfare has just begun. If there’s one thing to be learned from the last century’s technology history, it’s that all the important advances are eventually consumerized.

As such, in the next 25 years, I anticipate that AI defense systems will unleash unimaginable ways to combat cyber threats.

Gunter Ollmann is chief security officer at Vectra. He has nearly 30 years of information security experience in an array of cyber security consulting and research roles.

Before joining Vectra, Günter was CTO of Domain Services at NCC Group, where he drove strategy ...

Encryption in 2016: Small victories add up

Technology development seems to gallop a little faster each year.

But there's always one laggard: encryption. Why the deliberate pace? Because a single, small mistake can cut off communications or shut down businesses. Yet there are times when you take stock—only to discover the encryption landscape seems to have transformed overnight. Now is that time.

Although the changes have been incremental over several years, the net effect is dramatic. Some of those changes began shortly after Edward Snowden's disclosures of the U.S. government’s extensive surveillance apparatus. Others are the natural result of cryptographic ideas reaching the marketplace, says Brent Waters, an associate professor at the University of Texas at Austin and the recipient of the Association for Computing Machinery’s 2015 Grace Murray Hopper Award. “Many of the new tools and applications available are based on research innovations from 2005 and 2006,” Waters says. “We are just realizing what type of crypto functionality is possible.”

A step closer to an encrypted world

Encrypted web traffic is the first step toward a more secure online world where attackers cannot intercept private communications, financial transactions, or general online activity. Many sites, including Google and Facebook, have turned HTTPS on by default for all users. But for most domain owners, buying and deploying SSL/TLS certificates in order to secure traffic to their sites has been a costly and complicated endeavor. Fortunately, Let’s Encrypt and its free SSL/TLS certificates have transformed the landscape, giving domain owners the tools to turn on HTTPS for their websites easily.

A nonprofit certificate authority run by the Internet Security Research Group, Let’s Encrypt is backed by such internet heavyweights as Mozilla, the Electronic Frontier Foundation, Cisco, and Akamai. How ubiquitous has HTTPS become? In October, Josh Aas, head of Let’s Encrypt and former Mozilla employee, posted a graph from Mozilla Telemetry showing that 50 percent of pages loaded that day used HTTPS, not HTTP. While the graph showed only Firefox users, the figure is still significant, because for the first time, the number of encrypted pages outnumbered unencrypted pages. NSS Labs expects the trend to continue, predicting that 75 percent of all Web traffic will be encrypted by 2019. Free certificate offerings will further accelerate adoption. By next year, the number of publicly trusted free certificates issued will likely outnumber those that are paid for, says Kevin Bocek, vice president of security strategy and threat intelligence at key-management company Venafi. Many enterprises will also start using free services. With certificate cost no longer a consideration, certificate authorities will focus on better tools to securely manage certificates and protect their keys. Speaking of certificate management, after years of warnings that SHA-1 certificates were weak and vulnerable to attack, enterprises are making steady progress toward upgrading to certificates that use SHA-2, the set of cryptographic hash functions succeeding the obsolete SHA-1 algorithm. Major browser makers, including Google, Mozilla, and Microsoft, have pledged to deprecate SHA-1 by the beginning of the year and to start blocking sites still using the older certificates.

Facebook stopped serving SHA-1 connections and saw “no measurable impact,” wrote Facebook production engineer Wojciech Wojtyniak. From May to October 2016, the use of SHA-1 on the web fell from 3.5 percent to less than 1 percent, as measured by Firefox Telemetry.

Enterprises can’t be complacent, though, since recent estimates from Venafi suggest approximately 60 million websites still rely on the insecure encryption algorithm. “We look forward to the industry's movement toward greater use of stronger certificates like SHA-256,” Wojtyniak said.

Crypto is still king

Cryptography has taken quite a beating over the past few months, with researchers developing cryptographic attacks such as Drown, which can be used to decrypt TLS connections between a user and a server if the server supports SSLv2, and Sweet32, a way to attack encrypted web connections by generating huge amounts of web traffic. Nation-state actors also have encryption in their crosshairs. Late last year, Juniper Networks uncovered spying code implanted in specific models of its firewall and Virtual Private Network appliances. Many experts believe the NSA was involved. Shortly after the cache of hacking tools allegedly belonging to the NSA made its way to underground markets this summer, Cisco discovered a vulnerability in its IOS, IOS XE, and IOS XR software that powers many of its networking devices.

The flaw, which could be used to extract sensitive information from device memory, was similar to the vulnerability exploited by the tools and was related to how the operating system processed the key exchange protocol for VPNs, Cisco said. Even Apple’s iMessage app, the poster child for how companies can bring end-to-end encryption to the masses, had its share of issues.

Cryptography professor Matthew Green and his team of students at Johns Hopkins University were able to develop a practical adaptive chosen ciphertext attack that could decrypt iMessage payloads and attachments under specific circumstances.

The team also found that iMessage lacked a forward secrecy mechanism, meaning attackers could decrypt previously encrypted messages, such as those stored in iCloud.

Forward secrecy works by generating a new key after a set period of time, so that even if attackers obtain the current key, messages encrypted under earlier keys can’t be cracked. One thing remains clear despite all the bad news: Cryptography is not broken.

The mathematics behind cryptographic calculations remain strong, and encryption is still the best way to protect information. “The latest attacks have not been on the math, but on the implementation,” Waters says. In fact, encryption works so well that attackers rely on it, too.

Criminals are equally as capable of obtaining keys and certificates to hide their activities inside encrypted traffic.

The fact that this attack vector is fast becoming default behavior for cybercriminals “almost counteracts the whole purpose of adding more encryption,” Bocek says. Cybercriminals are using encryption to great effect in ransomware. Once the files are encrypted, victims have to either pay up to obtain a key or wipe their systems and start over. Just as attackers target flawed implementations, security researchers have successfully developed decryption tools for ransomware variants that contained mistakes in their encryption code.

Government backs down on backdoors

Technology firms have always had to balance security and privacy concerns with law enforcement requests for user information.

FBI Director James Comey had been pushing hard for backdoors in technology products using encryption, claiming that increased use of encryption was hindering criminal investigations. While companies frequently quietly cooperate with law enforcement and intelligence requests, the unprecedented public showdown between the FBI and Apple showed that in recent years, enterprises are beginning to push back. The FBI backed down in that fight, and a bipartisan Congressional working group—with members of both House Judiciary and Energy & Commerce Committees—was formed to study the encryption problem.

The House Judiciary Committee’s Encryption Working Group unequivocally rejected Comey's calls for backdoors and advised the United States to explore other solutions. “Any measure that weakens encryption works against the national interest,” the working group wrote in its report. “Congress cannot stop bad actors—at home or overseas—from adopting encryption.

Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.” Weakening encryption so that police can break into encrypted devices would speed up criminal investigations, but it would be a short-term win "against the long-term impacts to the national interest," the working group warned.

Alternative strategies include giving law enforcement legal methods to compel suspects to unlock their devices and improving metadata collection and analysis. While the working group report indicates Congress will not pursue legal backdoors, other encryption-related battles are looming on the horizon.

The report seemed to support letting police use "legal hacking" to break into products using software vulnerabilities that only law enforcement and intelligence authorities know about, which poses its own security implications.

The technology industry has an interest in learning about vulnerabilities as soon as they are found, and not letting the government stockpile them with no oversight. As for Comey's "going dark" claim, the working group said “the challenge appears to be more akin to ‘going spotty.’”

Adding to the enterprise tech stack

Governments have been trotting out the terrorists “going dark” argument for years and will always play on those fears, says Mike Janke, co-founder and chairman of encrypted communications company Silent Circle. What's changing is that the enterprises are becoming more serious about securing their communications stack and are less willing to compromise on those features. Many organizations were shocked at the extent of government surveillance exposed by former NSA contractor Edward Snowden.

They reacted by integrating secure video and text messaging tools along with encrypted voice calls into the enterprise communications stack, Janke says.

Encryption is now a bigger part of the technology conversation, as enterprises ask about what features and capabilities are available.
IT no longer treats encryption as an added feature to pay extra for, but as a must-have for every product and platform they work with. Consumers were outraged by the surveillance programs, and anecdotal evidence indicates many have signed up for encrypted messaging apps such as WhatsApp and Signal.

But for the most part, they aren't paying for secure products or changing their behaviors to make privacy a bigger part of their daily lives. The change is coming from CSOs, vice presidents of engineering, and other technical enterprise leaders, because they're at the forefront of making security and privacy decisions for their products and services. With Tesla now digitally signing firmware for every single one of its internal components with a cryptographic key, it's easier to ask TV manufacturers or toymakers, "Why aren't you doing that?" says Janke. Consumers are the ones who will benefit from encryption built in by default as enterprises change their mindset about the importance of encryption.

Riding the innovation wave

Cryptography tends to go in waves, with important innovations and research from 2005 to 2006 finally coming out as practical applications. Researchers are currently looking at improving the "precision of encryption," instead of the current model of all or nothing, where if something is exposed, everything gets leaked. "Encryption can be precise like a scalpel, giving fine-grained control over the information," Waters says. Google has looked at cryptography in its experiments with neural networks. Recently, its Google Brain team created two artificial intelligence systems that were able to create their own cryptographic algorithm in order to keep their messages a secret from a third AI instance that was actively trying to decrypt them. The dawn of quantum computing will also spur new avenues of research. “If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use,” wrote the National Institute of Standards and Technology in a public notice. Once such machines become widely available, “this would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere."
To prepare for that eventuality, NIST is soliciting work on "new public-key cryptography standards," which will "specify one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.” The submission deadline is Nov. 30, 2017, but NIST acknowledges the work will take years to be tested and available, noting that "historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure." “Regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing,” NIST said. There have been a number of intriguing advances in cryptography, but it will likely be years before they become available to enterprise IT departments, and who knows what form they will take.

The future of cryptography promises even more security.

The good news is we are already experiencing some of the benefits now.