There's an old adage, born in a 1990s New Yorker cartoon, that says: "On the internet, nobody knows you're a dog." It neatly summarizes a core cyber security problem we still face today: how do we know who to trust online? For the last twenty years we have answered that question the same way, using cryptographic keys and digital certificates to establish trust.
By and large the system worked: ecommerce boomed and the economy and society as we know them were transformed, all thanks to a little website padlock here and there. Worryingly, though, over the past five years cracks have begun to emerge in that very foundation of the internet.
As we hurtle towards a future powered by the Internet of Things (IoT), with automated machines playing an ever-greater role in our day-to-day lives, these cracks will split into chasms that threaten our modern world. Could internet-enabled life as we know it soon be coming to a crashing halt? How can we stop the sinkholes from emerging?
The problem with trust
Cryptographic keys and digital certificates tell us whether an entity is what it claims to be: a certificate binds a public key to a name, and whoever can use the matching private key is treated as that name. We use them to authenticate web servers, code on devices, apps, and even enterprise VPN access. It all comes back to the binary decision a machine has to make: is this thing part of "self", trusted and safe, or is it untrusted and therefore dangerous? Keys and certificates are what that decision rests on. They are the foundation of cyber security and of the whole global economy, and that foundation is built on sand.
Over the past five years, hackers have caught on to the lucrative opportunity that keys and certificates offer. We have all seen the movie scene where the bad guy dresses up as a painter to get into a building, or steals someone's swipe card; the same thing is happening in the cyber world. Bad guys trade keys and certificates on the dark web and use them to break into company systems: just look at Sony, Careto, the Snowden revelations, Flame and Stuxnet. All of them involved stolen or misused keys and certificates.
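To make the two points above concrete (the binary trust decision a verifier makes, and why a stolen issuing key defeats it), here is an added example that is not part of the original article. It is a self-contained Go program using only the standard library's crypto/x509: it builds a toy root CA, issues a certificate for the made-up host "shop.example", and then records what the verifier says about a genuine certificate, a certificate from a CA it has never heard of, the right certificate presented for the wrong host, and a certificate minted with the CA's stolen private key. The CA names, hostnames and scenarios are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Serial counter so every certificate issued by the toy CA is distinct.
var nextSerial int64

// issue generates a fresh P-256 key and a certificate for subject.
// With parent == nil the certificate is a self-signed root CA; otherwise it
// is signed by parentKey, which must be the private key behind parent.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Hostname matching is done against the SAN, not the CN.
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key // self-signed unless a parent is supplied
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted is the binary decision: does leaf chain to a root in our trust
// store and is it valid for host? The verifier sees only the signatures.
func trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Results holds the verifier's answer for each constructed scenario.
type Results struct {
	GenuineTrusted   bool // leaf issued by the CA we trust
	RogueCATrusted   bool // leaf issued by a CA we have never heard of
	WrongHostTrusted bool // genuine leaf presented for a different host
	StolenKeyTrusted bool // leaf the attacker minted with our CA's stolen key
}

func RunScenarios() (Results, error) {
	var r Results
	goodCA, goodKey, err := issue("Good CA", true, nil, nil)
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(goodCA) // the only root our "machine" trusts

	leaf, _, err := issue("shop.example", false, goodCA, goodKey)
	if err != nil {
		return r, err
	}
	r.GenuineTrusted = trusted(leaf, roots, "shop.example")
	r.WrongHostTrusted = trusted(leaf, roots, "bank.example")

	evilCA, evilKey, err := issue("Evil CA", true, nil, nil)
	if err != nil {
		return r, err
	}
	rogue, _, err := issue("shop.example", false, evilCA, evilKey)
	if err != nil {
		return r, err
	}
	r.RogueCATrusted = trusted(rogue, roots, "shop.example")

	// The attacker has stolen goodKey: the forged leaf is signed exactly like
	// the genuine one, so the chain check cannot tell them apart.
	forged, _, err := issue("shop.example", false, goodCA, goodKey)
	if err != nil {
		return r, err
	}
	r.StolenKeyTrusted = trusted(forged, roots, "shop.example")
	return r, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The first three scenarios are the system working as designed: the verifier accepts the genuine certificate and rejects both the unknown issuer and the hostname mismatch. The fourth is the point of the article. A certificate signed with a stolen CA key is cryptographically indistinguishable from a legitimate one, so the chain check says "trusted" with the same confidence; catching it needs something outside the signature itself, such as revocation, transparency logs or knowing where the key has been.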