During World War Two, the Allies had a decisive information advantage over the Axis. They had broken the German and Japanese encryption! That’s an advantage that you cannot afford to cede to your enemies. That kind of one-sided intelligence advantage is unlikely to occur again due to advances in encryption and code-breaking.
Achieving strong encryption requires constant effort. To achieve consistent protection, work on adopting these practices as part of your standard operating procedures.
1) Identify What Information and Communication Requires Encryption
Adding encryption carries a cost in the form of technology, training, and oversight. That’s why you need to be thoughtful about what you protect. Start by identifying the communication systems that carry the majority of your work. Next, look for systems and assets that tend to have high vulnerability to attack (e.g., wireless networks and large scale systems exposed to the public). Prioritize encryption resources for these high-value systems.
2) Implement Encryption Standards
In encryption, you do not need to start from scratch. Based on the technologies and assets you identified
- LTE Encryption Security. Read the NIST Guide to LTE Security for a detailed overview. Specifically, look into LTE’s cryptographic algorithms: EPS Encryption Algorithms (EEA) and EPS Integrity Algorithms (EIA). The Guide also points to the variety of LTE security challenges you will face (e.g., rogue base stations, eavesdropping, and physical attacks on infrastructure).
- Radio Communications Encryption. The standard you select will depend on your equipment. As a starting point, look into the Advanced Encryption Standard (AES) 256 because the Department of Homeland Security (DHS) recommended it for first responders in 2017.
- Partner/Coalition Encryption Requirements. You need to be able to communicate reliability with your key partners, so reach out to them to understand their requirements.
Tip: Considering contributing your insights to a standards organization like NIST if you have best practices to share regarding encryption.
3) Avoid Reliance On One Communication Channel
Rely too much on a single encryption capability exposes you to increased risk. If that system is compromised like the German Enigma technology in the war, you might never recover. Finding out whether you have this vulnerability starts with a simple self-assessment. Review the last three to five significant operations your organization completed. Find out how critical commands, reports, and other information were transmitted and stored. You will probably find that most people are using one or two channels.
There are two ways to respond to the excessive use of a single communication channel. First, you can reduce the risk by guiding staff to use more channels (e.g., LTE wireless communication and conventional radio). Second, you can add additional encryption protections to the heavily used channel.
Resource: Remember to look up! Your weak point might be in the sky. To find out if satellites are your weak point, read our article: “Are Your Military Communications Too Reliant On Satellites?”
4) Use Tokenization To Reduce Data Loss Incidents
Not all data is equal when it comes to encryption. For example, field communication during a tactical operation generally needs more protection than a corporate document. However, what about personally identifiable information (PII)? If exposed, your organization will lose credibility with stakeholders and allies. That’s not all. You will also need to spend resources on emergency improvements, public relations, and more to handle the fallout.
Tokenization is one solution to this problem. Instead of transmitting PII data points like full names, phone numbers, and dates of birth, send a token instead. If the enemy captures the token during transmission or at rest, it will not tell them anything. Banks already use this process to protect PII data for customers. Other sectors need to adopt this practice, as well.
5) Practice End To End Encryption Protection
In security, you only need one weak link to suffer a significant problem. You might have reliable wireless communication in the field and more fragile protection elsewhere in the organization. To mitigate this security risk, regularly evaluate your entire information and communication infrastructure. If you use third parties and cloud providers, take the time to assess them carefully.
6) Enhance Encryption With Identity and Access Management Controls
How do you safeguard your encryption systems themselves? The databases containing keys, user IDs, and other mission-critical data deserve additional protection. To supplement encryption-based security, use identity, and access management controls. Specifically, we recommend applying the principle of least privilege to these systems. In essence, reduce the number of people who have access to your security systems as much as possible.
7) Practice Encryption Skepticism
If an enemy breaks your encryption, they will have an instant advantage over you. It might be a crippling blow! That’s why you cannot afford to get comfortable with your current state of encryption. To stay on your toes, we recommend employing third parties to help you improve your encryption.
There are a few options for selecting a third party to test your encryption. If you have a large organization, you may ask specialists in another group to conduct the test (e.g., Army intelligence tests Navy intelligence). Alternatively, reach out to coalition partners and ask to conduct the same exercise. If those options are not available, your next option is to research a cybersecurity consultant to execute the evaluation.
Putting It All Together: Two Tips To Get Started
As you review this list of encryption habits, it may feel overwhelming. Few organizations have all of these habits operating consistently. To make your life easier, there are two ways to get started.
First, benchmark your current encryption practices against best practices and standards (e.g., use the NIST standard referenced above). This effort will highlight where you have the most significant challenges. Second, get assistance from outside your organization. If your mobile communications systems are weak, you may need to purchase new equipment. Alternatively, providing greater training to your staff might be the best solution.
