Phil Zimmermann, the man who successfully battled the federal government over the issue of E-mail privacy, now faces a more formidable foe: corporate indifference. Zimmermann invented PGP (Pretty Good Privacy), an encryption program that is virtually uncrackable. The State Department spent three years rattling its legal sabers, claiming that the propagation of the code around the world (via the Internet) violated the Arms Export Control Act. Once that threat passed, Zimmermann turned his attention to private enterprise. In his darker moments, he must miss the Washington suits; they, at least, paid attention to him.
Companies have spent hundreds of millions of dollars on antivirus software and other security measures, yet almost none have bothered to encrypt E-mail. This despite the fact that it is a treasure trove of intellectual property, rich with details on new products, impending deals, executive transitions, and other critical business information. “We’ve had trouble getting PGP deployed in large enterprises,” says Zimmermann, “even though the effects of E-mail intrusion could be devastating, beyond what any insurance coverage could compensate you for.”
One problem with E-mail encryption is that it’s not always easy to use. “I presumed an opponent on the level of the NSA,” says Zimmermann. “But most threats aren’t like that, so encryption products can be made easier to use.”
Many companies are trying, including Zimmermann’s current employer, Hush Communications, makers of Hushmail. Last month, Aegis Systems announced products that use “anonymous key” technology rather than the more widely known “public key” method. Most public-key systems rely on a third party (typically a certificate authority or key server) to issue, distribute, and vouch for the “keys,” the codes that encrypt and decrypt E-mails. The Aegis system lets a user encrypt or decrypt a message by hitting a button and entering a password, and the company says the password step may be phased out soon.
Mirapoint’s new Message Director system encrypts messages between servers, rather than desktop-to-desktop, so users don’t have to do anything at all, though the mail sits unencrypted on the servers at either end. In March, Tumbleweed Communications, one of the market leaders, introduced software that lets IT departments decide which E-mails should be sent over Tumbleweed’s secure channel and which over the open Internet. Companies are also bundling encryption with other forms of E-mail protection, such as virus-scanning software and secure archives. “One reason encryption hasn’t caught on,” says Bruce Schneier, co-founder and chief technical officer of Counterpane Internet Security, “is because it protects mail only in transit, and that’s not really where the threat is.”
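The difference Schneier is pointing at, between server-to-server encryption and desktop-to-desktop encryption, is easiest to see by following one message through a pair of relays. The model below is an added example written for this page; it is not code from Mirapoint, Tumbleweed, PGP or any vendor named above. The Relay class, the link keys, the message text and the "recipient key" (a shared symmetric key standing in for the recipient's public key) are assumptions made for illustration, and the cipher is a toy stream cipher built from SHA-256 in counter mode with an HMAC tag so that the block runs on the standard library alone; it is not a production cipher.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# --- toy authenticated stream cipher (illustration only, NOT for real use) ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: hash(key || nonce || counter) until enough bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered blob raises instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# --- the mail path -----------------------------------------------------------

@dataclass
class Relay:
    """A mail server between sender and recipient (assumed); it keeps a copy of what it handles."""
    name: str
    mailbox: list = field(default_factory=list)

    def store(self, data: bytes) -> None:
        self.mailbox.append(data)

def send_hop_by_hop(body: bytes, link_keys: list, relays: list) -> bytes:
    """Server-to-server encryption: one key per link, so every relay decrypts,
    stores, and re-encrypts. Needs len(relays) + 1 link keys."""
    blob = encrypt(link_keys[0], body)
    for i, relay in enumerate(relays):
        plaintext = decrypt(link_keys[i], blob)   # the relay must decrypt to route or scan the mail
        relay.store(plaintext)                    # ...so what it stores (and what an intruder reads) is plaintext
        blob = encrypt(link_keys[i + 1], plaintext)
    return blob                                   # recipient decrypts with link_keys[-1]

def send_end_to_end(body: bytes, recipient_key: bytes, relays: list) -> bytes:
    """Desktop-to-desktop encryption: relays forward ciphertext they cannot open."""
    blob = encrypt(recipient_key, body)
    for relay in relays:
        relay.store(blob)
    return blob

def relay_can_read(relay: Relay, body: bytes) -> bool:
    """True if the message text appears verbatim in anything the relay stored."""
    return any(body in stored for stored in relay.mailbox)

def demo() -> dict:
    """Run both models over the same constructed message and report who can read it."""
    body = b"Board memo: acquisition target short list attached (constructed sample)"
    hop_relays = [Relay("mx1"), Relay("mx2")]
    link_keys = [os.urandom(32) for _ in range(len(hop_relays) + 1)]
    hop_blob = send_hop_by_hop(body, link_keys, hop_relays)

    e2e_relays = [Relay("mx1"), Relay("mx2")]
    recipient_key = os.urandom(32)
    e2e_blob = send_end_to_end(body, recipient_key, e2e_relays)

    return {
        "hop_delivered": decrypt(link_keys[-1], hop_blob) == body,
        "hop_relay_reads_mail": relay_can_read(hop_relays[0], body),
        "e2e_delivered": decrypt(recipient_key, e2e_blob) == body,
        "e2e_relay_reads_mail": relay_can_read(e2e_relays[0], body),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both paths deliver the message intact, but in the hop-by-hop model each relay's mailbox holds the plaintext, which is exactly the stored mail that a compromised or misconfigured server, or an insider with access to it, exposes; in the end-to-end model the relays hold only ciphertext. The tag check in decrypt is the other detail worth keeping: encryption without authentication lets an intermediary alter a message undetected.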
Determining just where the threat is, or whether it exists at all, has also hampered the acceptance of encryption. Viruses and denial-of-service attacks are conspicuous, while E-mail snooping is not, so even companies that have purchased other forms of E-mail security resist encryption. CoSine Communications signed on with Mirapoint primarily for its antivirus-scanning technology. Tony Boersma, the telecommunications company’s director of IT, says that “encryption would have to approach zero cost and zero effort for us to take a look. The client-support issues pose too great a burden.”
If the latest figures from a recent FBI-Computer Security Institute survey are any indication, however, there is scarcely any aspect of computing that remains invulnerable to hackers, internal abuse, or other threats. Of the 538 companies, universities, and government agencies that responded, 64 percent said they had been the victim of some form of attack or misuse in the past 12 months. The 196 respondents willing or able to quantify their losses suffered an average $2 million in damages, double the average loss in the previous year.
Scott Leibs is the technology editor of CFO.