Encryption in Crisis: UK Businesses Face Security Shake-Up Under Proposed Investigatory Powers Act Reform

The UK Government is pursuing changes to the Investigatory Powers Act, its internet snooping regime, that will enable law enforcement and security services to bypass the end-to-end encryption of cloud providers and access private communications more easily and with greater scope. It claims the changes are in the public’s best interests as cybercrime spirals out of control and Britain’s enemies look to spy on its citizens.

However, security experts think otherwise, arguing that the amendments will create encryption backdoors that allow cyber criminals and other nefarious parties to prey on the data of unsuspecting users. They urge businesses to take encryption into their own hands in order to protect their customers and their reputations, as the cloud services upon which they used to rely are no longer free from government snooping. This is apparent from Apple’s decision to stop offering its Advanced Data Protection tool in Britain following demands by British lawmakers for backdoor access to data, despite the fact that the Cupertino-based tech giant can’t even access it.

Improving Public Safety

The government hopes to improve public safety and national security by making these changes. This is because the increased use and sophistication of end-to-end encryption makes intercepting and monitoring communications harder for enforcement and intelligence agencies. Politicians argue that this prevents the authorities from doing their jobs and allows criminals to get away with their crimes, endangering the country and its population.

Matt Aldridge, principal solutions consultant at OpenText Security, explains that the government wants to tackle this issue by giving police and intelligence services more powers and scope to compel tech companies to bypass or turn off end-to-end encryption should they suspect a crime.

In doing so, investigators could access the raw data held by tech companies. They can then use this information to aid their investigations and ultimately tackle crime.

Alridge tells ISMS.online: “The argument is that without this additional ability to gain access to encrypted communications or data, UK citizens will be more exposed to criminal and spying activities, as authorities will not be able to use signals intelligence and forensic investigations to gather critical evidence in such cases.”

The government is trying to keep up with criminals and other threat actors through broadened data snooping powers, says Conor Agnew, head of compliance operations at Closed Door Security.  He says it is even taking steps to pressure companies to build backdoors into their software, enabling officials to access users’ data as they please. Such a move risks “rubbishing the use of end-to-end encryption”.

Huge Consequences For Businesses

However the government tries to justify its decision to modify IPA, the changes present significant challenges for organisations in maintaining data security, complying with regulatory obligations and keeping customers happy.

Jordan Schroeder, managing CISO of Barrier Networks, argues that minimising end-to-end encryption for state surveillance and investigatory purposes will create a “systemic weakness” that can be abused by cybercriminals, nation-states and malicious insiders.

“Weakening encryption inherently reduces the security and privacy protections that users rely on,” he says. “This poses a direct challenge for businesses, particularly those in finance, healthcare, and legal services, that depend on strong encryption to protect sensitive client data.

Aldridge of OpenText Security agrees that by introducing mechanisms to compromise end-to-end encryption, the government is leaving businesses “hugely exposed” to both intentional and non-intentional cybersecurity issues. This will lead to a “massive decrease in assurance regarding the confidentiality and integrity of data”.

To comply with these new rules, Aldridge warns that technology service providers may be forced to withhold or delay vital security patches. He adds that this would give cyber criminals more time to exploit unpatched cybersecurity vulnerabilities.

Consequently, Alridge expects a “net reduction” in the cybersecurity of tech companies operating in the UK and their users. But due to the interconnected nature of technology services, he says these risks could affect other countries besides the UK.

Government-mandated security backdoors could be economically damaging to Britain, too.

Agnew of Closed Door Security says international businesses may pull operations from the UK if “judicial overreach” prevents them from safeguarding user data.

Without access to mainstream end-to-end encrypted services, Agnew believes many people will turn to the dark web to protect themselves from increased state surveillance. He says increased usage of unregulated data storage will only put users at greater risk and benefit criminals, rendering the government’s changes useless.

Mitigating These Risks

Under a more repressive IPA regime, encryption backdoors risk becoming the norm. Should this happen, organisations will have no choice but to make sweeping changes to their cybersecurity posture.

According to Schroeder of Barrier Networks, the most crucial step is a cultural and mindset shift in which businesses no longer assume technology vendors possess the capabilities to protect their data.

He explains: “Where businesses once relied on providers like Apple or WhatsApp to ensure E2EE, they must now assume these platforms are incidentally compromised and take responsibility for their own encryption practices.”

Without adequate protection from technology service providers, Schroeder urges businesses to use independent, self-controlled encryption systems to improve their data privacy.

There are a few ways to do this. Schroeder says one option is to encrypt sensitive data before it’s transferred to third-party systems. That way, data will be safeguarded if the host platform is hacked.

Alternatively, organisations can use open-source, decentralised systems without government-mandated encryption backdoors. The downside, Shroeder says, is that such software has different security risks and isn’t always simple to use for non-technical users.

Echoing similar views to Schroeder, Aldridge of OpenText Security says businesses must implement additional encryption layers now that they can’t depend on the end-to-encryption of cloud providers.

Before organisations upload data to the cloud, Aldridge says they should encrypt it locally. Businesses should also refrain from storing encryption keys in the cloud. Instead, he says they should opt for their own locally hosted hardware security modules, smart cards or tokens.

Agnew of Closed Door Security recommends that businesses invest in zero-trust and defence-in-depth strategies to protect themselves from the risks of normalised encryption backdoors.

But he admits that, even with these steps, organisations will be obligated to hand data to government agencies should it be requested via a warrant. With this in mind, he encourages businesses to prioritise “focusing on what data they possess, what data persons can submit to their databases or websites, and how long they hold this data for”.

Assessing These Risks

Crucially, businesses must consider these challenges as part of a comprehensive risk management strategy. According to Schroeder of Barrier Networks, this will involve conducting regular audits of the security measures employed by encryption providers and the wider supply chain.

Aldridge of OpenText Security also stresses the importance of re-evaluating cyber risk assessments to take into account the challenges posed by weakened encryption and backdoors. Then, he adds that they’ll need to concentrate on implementing additional encryption layers, sophisticated encryption keys, vendor patch management, and local cloud storage of sensitive data.

Another good way to assess and mitigate the risks brought about by the government’s IPA changes is by implementing a professional cybersecurity framework.

Schroeder says ISO 27001 is a good choice because it provides detailed information on cryptographic controls, encryption key management, secure communications and encryption risk governance. He says: “This can help organisations ensure that even if their primary provider is compromised, they retain control over the security of their data.”

Overall, the IPA changes seem to be yet another example of the government looking to gain more control over our communications. Touted as a step to bolster national security and protect everyday citizens and businesses, the changes simply put people at greater risk of data breaches. At the same time, companies are forced to dedicate already-stretched IT teams and thin budgets to developing their own means of encryption as they can no longer trust the protections offered by cloud providers. Whatever the case, incorporating the risk of encryption backdoors is now an absolute necessity for businesses.