Microsoft's Tighter Encryption: Why Others Should Follow Its Lead

NEWS ANALYSIS: While the NSA can probably crack any method of encryption you're likely to use, it's not the NSA you should really be worried about.


The revelations in The Washington Post that Microsoft was working to encrypt all the traffic the company moves around the world because of National Security Agency (NSA) spying should only be a surprise because it wasn't already being done.

Chances are (although we can't prove this) that anything Microsoft or any other large company with sensitive information moves across the public Internet is already encrypted. However, these same large companies also have massive private network connections that connect their data centers around the world.

These networks and the global data centers they connect exist for a variety of reasons. Large companies have lots of offices that need access to data. These companies need to have secure links to disaster-recovery sites, or they need real-time mirroring to ensure data integrity.

Whatever the reason, these sites are connected using fiber-optic cables that are usually provided by a third-party. Those third parties may include major carriers such as Verizon, or data communications companies such as Level 3.

Until recently, most of this traffic has been passed as unencrypted data. Most personally identifiable information such as health records or credit card numbers would have been encrypted in any case, but the vast majority of corporate data is stuff like boring old email, calendar entries or PowerPoint slides. Of course, the email and calendar metadata are exactly what the NSA and other intelligence services want. I doubt that even the NSA is willing to sit though terabytes of PowerPoint presentations.

But that doesn't mean somebody else isn't. Emails, calendar entries and, yes, PowerPoint slides are the types of data that cyber-criminals, competitors or even foreign intelligence services are trolling for. Even though the NSA almost certainly doesn't care about Microsoft's marketing plans, the Chinese military almost certainly does. And there's the problem.

These are the reasons Microsoft is right to find a way to encrypt all traffic that travels outside the company, just as Google and Yahoo are now working to do. This is also why you should make sure that data that travels outside your company is also encrypted. It's not just the NSA that's interested in your data—it's everybody, and some people are a lot more interested than the folks in the Puzzle Palace.

But you're probably asking yourself if is it realistic to think that someone can tap into your company's fiber connection between data centers? The answer is, yes. All a cyber-criminal needs to do is bribe a data center employee to siphon off your traffic to another port, and to send the contents of that traffic stream to that someone else. Hackers from China can do the same thing, or they can simply tap the fiber-optic cable and get a copy of everything that passes over it.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...