A report from the Quadripartite Commons Select Committee on strategic export controls last month carried an extraordinary warning:

"Given the quantity of communications in the ether, and advances in encryption which make such communications difficult to interpret even if they are successfully intercepted, on the very limited evidence available to us we conclude that it is likely to be very difficult indeed to bring successful prosecutions for illegal exports of technology by intangible means or to successfully disrupt such transfers."

We, of course, employ encryption to protect military and business secrets. But if that is broken, the task of breaking the sophisticated encryption used by the thieves in time to track and identify them is near impossible.

"It's as difficult today to detect illegal transfers of military or corporate information as it was 60 years ago during the time of the Enigma machine," stated John Stewart, chief executive of identity management company Signify.

It's a startling analogy, but pretty much in line with most expert opinion. "Although one can never underestimate the computing resources available to powerful governments, the necessary capability of machines to break even consumer level encryption is daunting," warned Phil Robinson, chief technology officer at security consultancy IRM.

"It is likely that even a brute force attack by a government on an encrypted message may not be successful in a time scale that means that the data is effectively useful."

But it would be wrong to see the level of encryption complexity as something only available to criminal masterminds.

"Strong encryption is incredibly widespread. The internet alone demonstrates this with 128-bit encryption; very common and built into every browser," explained Tim Pickard, strategic marketing director at RSA Security.

"It's almost impossible to track illegal transfers of military or corporate information as email encryption is very easily obtained, easy to use and cheap.

"Email encryption will allow the military or organisations to send information over the internet without people being able to decipher it. It will be possible to track who the information is going to and where it is coming from."

Although military monitoring systems such as Carnivore and Echelon would be able to pick up illegal information, it would take a long time to decrypt the data. If it is a 128-bit symmetrical encryption, it could take decades - too long for the information to be any use.

Information on the volume of data passing between sender and recipient is available, but decrypting it would be hard. This has presented a big challenge to legislators.

Tracking illegal transfers of encrypted information focuses more on the volume of traffic, where information is sent to, and how often certain files are accessed and routed. The very nature of encryption means that forensic experts have a hard time breaking codes.

Investigators need to find the tools that were used to encrypt the information to determine whether it was illegal. Police are unable to carry this out, according to Chris Watson, senior forensics investigator for security specialist company Ibas.

"What can realistically be done is to track suspects and suspected illegal transfers of information and confront them with the evidence which shows they've been transferring encrypted information," he said.

"If the information is not the intellectual property of the corporation the suspect should not have an issue with divulging the contents.

"It's pretty unidentifiable how widespread this is. Companies use encryption everyday, so deciphering what is legal versus illegal transfer of information is like finding a needle in a haystack."

Petri Sakkinen, product marketing manager at data encryption provider SSH Communications Security, agreed that, with the rise of encryption, there is a perception that the same technology can be used to hide illegal or threatening activities. But he added that encryption can be managed by an organisation in an integrated fashion.

"With centralised security management and enforcement, it is possible to harness encryption for risk management," said Sakkinen.

Dan Deganutti, principal director at Microsoft and Accenture joint venture Avanande, explained that key management is a big challenge when it comes to encryption, and that it isn't any easier for bad guys than good guys.

"While strong encryption gains the miscreant some cover from surveillance, it also poses a risk in terms of culpability," he said.

"If they can be shown to be in possession of a key used to encrypt or decrypt illegal material, they will have a difficult time with a 'didn't know' defence."

Bill Pepper, director for security risk management at CSC, also believes that it is more difficult for security and law enforcement to crack security unless they have a copy of the key.

"Terrorist organisations are using strong encryption via email to cover their tracks," he said. "Sophisticated encryption is relatively easy to obtain. It is becoming a global problem. I believe that organised crime and terrorist organisations are more secure than normal companies."

Graham Jones, northern Europe marketing director at security systems integrator Integralis, suggested that the security threat does not lie with encryption alone, but with poor management.

"You can implement rules that allow you to stop certain files in their tracks, regardless of content, making it a company policy that zip files, for example, cannot be sent over email," he explained.

"The bottom line is that management needs to get controls around IT systems, policies and products for this to be successful."

Ken Watt, consultancy director at email content management solution company SpheriQ, highlights the classification system used by governments to enforce control over information.

Information is classified as secret or restricted and the appropriate security level is applied to it. If it is confidential, it demands encryption.

"Although this classification system is used extensively by the government, it is less used by commercial organisations," said Watt. "Companies take a more pragmatic approach, whereas the government is able to demand more control."

Paul Meadowcroft, head of security at Thales e-Security, maintained that companies should take a 'split secrets' approach when it comes to corporate information security, resulting in each individual knowing only a part of the whole.

One reason for this is to lessen the temptation to divulge secret information. The other is for the employee's own protection: splitting secrets makes staff less of a target to criminals.

Sakkinen also pointed out that centralised management and policy enforcement is important. "Unencrypted communications can also be managed using content filtering and firewalls," he said.

"Administrators can easily set up end-to-end encrypted communications that prevent end users from sending encrypted data to un-trusted third parties outside the corporation.

"On the other hand, if there is a need to perform content filtering of the network traffic, it is possible to terminate encrypted connections to the firewall machines that are checking the content."

In the end it is essential to look at all the options available to protect data. As Deganutti said: "Anyone, good or evil, relying solely on encryption for protection, is likely to be disappointed if they ever become the focus of an electronic attack."

How to keep yourself safe:

Source: Paul Meadowcroft, Thales e-Security