There are only two types of companies, it is commonly said: those that have been hacked, and those that just don’t know it yet.
IBM, the computing giant, wants to get rid of both. The company said Monday that it has achieved a breakthrough in security technology that will allow every business, from banks to retailers to travel-booking companies, to encrypt their customer data on a massive scale — turning most, if not all, of their digital information into gibberish that is illegible to thieves with its new mainframe.
“The last generation of mainframes did encryption very well and very fast, but not in bulk,” Ross Mauri, general manager of IBM’s mainframe business, said in an interview. Mauri estimates that only 4 percent of data stolen since 2013 was ever encrypted.
As the number of data breaches affecting U.S. entities steadily grows — resulting in the leakage every year of millions of people’s personal information — IBM argues that universal encryption could be the answer to what has become an epidemic of hacking
The key, according to IBM officials, is an update to the computer chips driving the powerful mainframe servers that house corporate or institutional information and process millions of transactions a day worldwide, from ATM withdrawals to credit card payments to flight reservations. The company’s latest mainframe processor devotes 6 billion transistors — the digital switches that allow computers to run calculations — to encryption alone, reflecting a four-fold increase over today’s standards, said Mauri.
Cryptography, the science of turning legible information into coded gobbledygook, is already commonly used among certain email providers and storage services. But because of the enormous computational power needed to quickly encrypt and decrypt information as it passes from one entity to another, many businesses use encryption only selectively, if at all. A December report by the security firm Sophos found that while 3 out of 4 organizations routinely encrypt customer data or billing information, far more do not encrypt their intellectual property or HR records. Sixty percent of organizations also leave work files created by employees unencrypted, the study found.
All of these represent opportunities for digital criminals, said Austin Carson, executive director of the technology think tank TechFreedom.
“One of the big problems is that way too much information is stored in clear text,” he said. But universal or pervasive encryption, he added, could help ensure that even if hackers successfully broke into a company’s network, any information they found there would be impossible to decode. “That would be a huge step forward just in terms of protecting a much larger body of information,” Carson said.
But the same technology could frustrate law enforcement, which in recent years has waged a furious battle with Silicon Valley over encryption technology and how extensively it should be used. In a high-profile dispute last year with Apple, the Justice Department argued that the company should help officials break into an encrypted iPhone used by one of the San Bernardino shooters. Apple refused, saying that developing tools to break encryption would undermine its customers’ security, particularly if the tools were to fall into the wrong hands. Apple’s concern is not theoretical: This year’s WannaCry ransomware attack, which held thousands of PCs hostage, has been linked to a Windows vulnerability that was secretly discovered and exploited by the National Security Agency long before it leaked into the wild.
In its push to expand universal encryption, IBM is taking Apple’s side in the debate.
“IBM fully supports the need for governments to protect their citizens from evolving threats,” the company said in a statement on the issue. “Weakening encryption technology, however, is not the answer. Encryption is simply too prevalent and necessary in modern society.”
For IBM, encryption is also a massive business opportunity. Businesses spend over $1 trillion a year making sure that their security meets government standards, according to company officials. One aspect of IBM’s new approach to mainframes is the concept of automating that compliance work, using artificial intelligence to check that what’s being protected passes regulatory muster in various industries. In doing so, IBM expects to turn a chunk of that annual compliance spending into revenue for itself. And that’s on top of the roughly $500,000 it expects to charge new customers for using IBM’s newest mainframe technology. Most businesses, said Mauri, will be upgrading from an existing setup, so the cost for those clients could be less.
For some small businesses, that may still be too expensive. Still, the history of technology suggests that with time, those prices may fall.
“This is the turning point. The idea here is that you can start to encrypt all data,” said Mauri. But even as IBM makes encrypting everything a priority, security experts like Mauri already have their eyes set on the next holy grail: the ability to securely edit and manipulate encrypted files without ever having to decrypt them in the first place.