The encryption battle between government agencies, law enforcement and high tech companies continues
To Encrypt or Not to Encrypt, That Is the Struggle
Reporting from last week’s National Security Council meeting in Washington DC shows us the encryption argument continues. White house officials debated whether to pursue legislative action from Congress that would block tech companies from using unbreakable encryption in their devices. No firm decision was made yet but the sides are hotly divided.
Companies such as Apple, Google and Facebook have included encryption as a built-in feature in their products and software for years. Popular messaging apps like iMessage, WhatsApp and others automatically encrypt user messages sent over IP (Internet Protocol). These features keep these conversations private between only those in the conversation - a big privacy benefit to customers.
Encryption also protects sensitive information on devices by providing an impenetrable barrier to hackers. But that barrier is also impenetrable by law enforcement, including the FBI, when they’re seeking to apprehend criminals in the form of cyber criminals, terrorists, drug or human traffickers and child pornography rings.
History Behind the Encryption Battle
The intensification of this battle goes back a few years to 2014 after NSA contractor Edward Snowden revealed massive amounts of information about the US government’s surveillance practices. That sparked heightened desire by tech companies such as Apple and Google for more privacy using end-to-end encryption. The DOJ and FBI pushed back against these efforts, claiming it inhibited their pursuits of criminal investigations.
The matter hit headlines again after the 2015 terrorist attack in San Bernardino. The DOJ took Apple to court to force its help unlocking an iPhone owned by one of the shooters. James Comey, FBI director at the time, claimed Apple wasn’t cooperating with the law. Apple was reluctant to set precedent breaking into iPhones. The matter was resolved without a legal precedent being set. But this wasn’t the first or the last case where a high tech company has been on the side of privacy, usually for its customers. But as we saw, sometimes customers can break the law. Encryption gives any user the cover of privacy.
Washington Considering Forcing the Issue While Tech Companies Resist
And so last week, the feud came to the forefront once again with senior Trump administration officials meeting on the issue. As Washington continues to hover around making a definitive decision, we can be sure Silicon Valley companies are not remaining quiet on the issue – with good reason.
Important as privacy is, the matter is not simply one of privacy. I believe we can assume companies at large don’t support crime. But the companies supporting encryption make the case that if end-to-end encryption is outlawed, or defined at the discretion of government officials who don’t understand it, such a law would fling open the doors for many more unlawful actions to occur. Without encryption to guard data, even more crimes would undoubtedly be conducted by cyber criminals. Think of all the data that would be rendered unprotected – healthcare information, banking or finance information, login credentials and much more. Government and military secrets? Would Washington apply a non-encryption standard to their own data?
Two paths were discussed last week: releasing a statement that the parties would continue to debate the issue in search of a solution, or seek legislation through Congress. The legislation route would force companies to weaken the security in their devices by mandating backdoors that could break through the encryption, leaving consumers like you and I with less than robust protection on our tablets, smartphones and other devices. The FBI and other law enforcement officials could then more easily crack into suspect’s phones and devices – as could anyone else. It's already been clearly demonstrated, nation states and other hackers and spies are quite adept at getting around weaker forms of security.
A Government Split Unto Itself: DOJ, FBI, Commerce, State & DHS at Odds
The various sides of US government have their own top priorities. For the DOJ and FBI, catching the bad guys is the #1 goal and they are willing to water down encryption to that end. The Commerce and State Departments place economic, security and diplomatic consequences as priority 1, placing their interests against creating encryption backdoors. (Arguably, at least to some degree, creating encryption backdoors could undermine the DOJ/FBI’s priority in the first place by making it easier for more cybercrime to take place.)
The DHS is split internally. The Cybersecurity and ISA (Infrastructure Security Agency) understands the critical value of protecting sensitive data through encryption (there is essentially no substitute). An industry where this is highly essential is that of critical infrastructure – one that is already vulnerable to attack and has suffered multiple cyberattacks already.
Other branches of DHS – ICE and the Secret Service – having experienced encryption barriers in their law enforcement pursuits, share the frustration of the FBI and DOJ.
Does the Government Even Understand Encryption?
One of the challenges in this complex situation is the parties involved are attempting to make decisions in areas they don’t fully understand. We’ve seen this happen before (ie, social media, Facebook, etc.). Government officials aren’t always fully knowledgeable about the technical aspects of what they are intending to legislate – posing more threats to a situation already fraught with risk.
Does It Ever Make Sense to Weaken Encryption or Create Backdoors?
By definition, end-to-end encryption must be a complicated system. For the preservation and exchange of private data, only two parties – the sender and receiver - are allowed to see the encrypted communication. If companies like Apple and Google acquiesce to what the government is threatening to enforce, they would have to provide ways to break this encrypted channel. They could do this via a creating a “backdoor” that makes the encryption breakable or by reducing the strength of the encryption.
Willy Leichter, vice president of application protection firm Virsec Systems Inc., said, “The encryption debate resurfaces frequently because it frustrates law enforcement. But banning encryption or opening back doors won’t work and can potentially undermine overall internet security.”
“Encryption is simply advanced mathematics and banning math is like banning an idea – it won’t just go away,” Leichter explained. “Practically unbreakable encryption algorithms are widely available – if a U.S.-based service can’t provide end-to-end encryption, then dozens more will pop up outside the country that are equally effective. And if one government requires ‘secret’ backdoors, then many others will follow and the encryption needed for privacy and day-to-day business will no longer be effective.”
“Banning end-to-end encryption will have one real effect – it will undermine the competitive of US tech firms, and weaken security for businesses and consumer when it is more important than ever.”
Make a Law Now, Pay a Price Later
If the government bans encryption, bad actors would have no such restrictions or mandates on their encryption practices. How ironic would it be for our own encrypted communications to be deliberately weakened and breakable while the entities that threaten us would have unbreakable encryption?
It’s not an easy issue but at the same time, some aspects are fairly straightforward. What governments impose information control on its citizens? Authoritarian ones. They may offer a variety of explanations for doing so, such as the need for ensuring safety. Everyone would agree we don’t want terrorists hiding behind encryption. But other means of catching them need to be explored that don’t come at citizens’ loss of privacy and other freedoms.
Too often, laws are made without consideration to the full ramifications or impact they will have. The area of security and encryption is not a good place to experiment with what those ramifications might be. It’s easy enough to speculate on some side effects. For instance, if the US government is able get through a mandated and manufactured back door to encrypted content, so too can other governments or hackers. Haven’t we spent decades aiming at preventing that very thing? Not to mention, once this line is crossed on the privacy of citizens, what comes next?
Solution brief: Solution Brief: ICS/SCADA Security
White paper: Triton ICS Attack
Newsletter: Latest issue