Cryptographic Leaders: Don’t Expect Dramatic Security Changes Soon

After a year that recorded a record number of cyber breaches, the good news is that security awareness is higher than it’s ever been.

But you’ll be hard-pressed to find many technologists ready to weave a celebratory narrative around that silver lining. In fact, some of the technology world’s leading cryptographers speaking at an industry conference today suggested that a lingering indifference to strong security design will continue to pose problems over the course of 2018.

“As an academic, I’m bothered by the lack of preciseness in cyber security research,” said Adi Shamir, a co-inventor of the RSA algorithm and one of the computer scientists credited with making public-key cryptography useful in practice.

Shamir made his comments during a panel discussion as the annual RSA Conference got underway in San Francisco. An estimated 50,000 technologists and customers are expected to attend the conference, which lasts until this Friday.

“In cryptography, we have precise definitions, proofs and theorems. If you look at cyber security, everything is mushy,” said Shamir, who is a Professor of Computer Science at Israel’s Weizmann Institute. He noted that one way to advance the field would be to find ways that make cyber security “quantitative, not qualitative.”

But Shamir and his fellow panelists expressed caution about the near-term prospect of breakthroughs that might dramatically change the security landscape.

Indeed, Ron Rivest, one of Shamir’s co-inventors (along with Len Adleman) used the occasion to dismiss some of the more enthusiastic predictions being made about the future impact that blockchain technology will have on the security world.

“It’s often viewed as security pixy dust that any app would be improved,” he said. While blockchain “has properties that may or may not fit your apps,” he maintained that they still “fail miserably in scale, throughput and latency.”

Moxie Marlinspike, the founder of the Signal Protocol, sounded a similar judgment.

“All the blockchain stuff reminds me of the P2P craze in the early 2000 [where some people predicted] how great things would be in the future,” he said. “But they weren’t based on sound computing principles.”

Another call for a new approach came from Paul Kocher, an independent cryptographer who co-discovered the recently disclosed Spectre chip vulnerability. Kocher decried the broad acceptance of the notion that security compromises are a necessary tradeoff for greater performance speeds and said the industry needs to rethink that assumption and challenge the idea that “all value gains” necessarily come from being faster while everything else must receive “secondary” consideration.

“We need to completely change the way we look at technology and how as an industry, we can change that,” Kocher said.