Government Officials Conflicted About Encryption
Encryption services are also vitally important to the government, said a panel of department heads in May.
“We know we need it,” said Secretary of Defense Ashton Carter during a joint press conference at Intel’s corporate headquarters in Santa Clara, California. “We know that strong encryption is part of the solution for the future.”
Carter called on companies around the country, including those in Silicon Valley, to keep investing in such technology.
“I think it’s fair to say that … globally the market for cybersecurity that should exist doesn’t yet exist,” he said. “But what that says is that there will be a big market for those innovators that get here first.”
Secretary of Commerce Penny Pritzker said encryption is critical to protecting the nation’s digital infrastructure.
“Today our entire economy rests on the back of the digital infrastructure,” she said. “It’s extremely important that we have strong encryption.”
But such technology can make it harder for law enforcement to detect criminal activity, said Secretary of Homeland Security Jeh Johnson.
The government and the private sector are “interested in finding the right solution that accommodates both strong encryption and enables us to track crime and to track potential terrorist plots for reasons of law enforcement, public safety and national security,” he said.
A cooperative agreement is possible and officials are “working very hard on this issue,” he said.
Encryption became a hot topic in the United States following a high-profile dispute between the FBI and Apple earlier this year.
Following a deadly shooting rampage in San Bernardino, California, last year the FBI acquired an iPhone 5C that was used by one of the shooters, Syed Farook. The phone — which was owned by Farook’s employer — was encrypted and 10 wrong attempts at inputting the passcode would clear the smartphone of its contents.
In February, a federal judge ordered Apple to help the FBI get around this feature and create a backdoor into the device. The company refused, claiming that could set a dangerous precedent. In the end, the FBI was able to break into the phone on its own.
The litigation in San Bernardino was not about trying to send a message or impugning Apple, said James Comey, director of the FBI.
“I don’t think anybody should be demonized in this conversation,” he said. “It was about trying to confidently investigate a terrorist attack that slaughtered innocent people at an office gathering. That’s all it was about.”
The FBI had consent from the owner of the phone, a search warrant and, according to a Justice Department lawyer, a valid basis for asking the court to force Apple to help the FBI gain access to the phone, he said.
There needs to be greater dialogue in the United States about the balance between public safety and privacy, Comey said.
“I love strong encryption,” he said. “Encryption is a very, very good thing. I also love public safety.”
Currently, the two ideas are “crashing into each other,” he said in May during an industry conference hosted by the National Defense Industrial Association.
Encryption also became a major issue in 2013 following the revelation that the National Security Agency collected enormous amounts of information about U.S. citizens via its bulk phone metadata collection program. Since then, there has been a major push for encryption on mobile phones, Comey said.
This has had major ramifications for the FBI, he said. Even with court orders, many times agents are not able to access data on encrypted phones.
“We are increasingly finding devices … that we can’t open,” he said. During the first six months of fiscal year 2016, FBI agents received about 4,000 devices it wanted to investigate. Five hundred of them couldn’t be opened. That number will only grow, Comey said.
Encryption has made it harder for the FBI to track Islamic State supporters, he said. ISIL uses social media platforms, such as Twitter, to reach out to potential sympathizers around the globe. “[For] 24 hours a day that terrorist is in your pocket,” he said.
Once ISIL finds a potential supporter through a social media platform like Twitter, they quickly move them to a mobile messaging app that is end-to-end encrypted, he said.
This model breaks the old one that the FBI used for years with al-Qaida supporters, he said. “Our task in those days was to find those watering holes on the internet where people would go to consume the poison of al-Qaida and talk to each other,” he said. “If we found that watering hole, everybody drinking out of it was of interest to us.”
Investments in encryption technology are on the rise, said Brad Curran, a senior industry analyst focusing on aerospace and defense at Frost & Sullivan.
The burgeoning market is currently valued at about $1 billion per year, he said.
“If you take the whole cybersecurity market together … it’s a good size chunk,” he said. “It’s definitely got everyone’s attention. It will continue to grow for the next few years.”
However, as the encryption debate rages in the public policy arena, such disputes could cause businesses to be wary of investing in encryption, Curran said.
“It hinders the market,” he said. “It’s something that’s going to go through the courts. It’s going to be muddy and ugly for years to come … and in the meantime it will hinder the development and sales of some products.
“It’s not going to stop it but it’s certainly a restraint,” he said.
There are companies in Silicon Valley that refuse to work with government agencies at all, he noted.
In a report by the House Homeland Security Committee’s majority staff titled “Going Dark, Going Forward: A Primer on the Encryption Debate,” the authors said if the United States placed burdensome regulations on encryption — which has now become ubiquitous — it could hurt businesses.
“Studies suggest that two-thirds of the entities selling or providing encrypted products are outside of the United States,” the report said. “Legislation might have little impact on bad actors that can obtain encryption tools outside of the United States, while irreparably harming U.S. commercial interests by driving customers to foreign competitors.”
House Homeland Security Chairman Rep. Michael McCaul, R-Texas, and Sen. Mark Warner, D-Va., have called for the creation of a national commission on security and technology challenges to study encryption, the report said.
“The best way for Congress and the nation to proceed at this critical juncture is to formally convene a commission of experts to thoughtfully examine … the matter of encryption and law enforcement’s future in a world of rapidly evolving digital technology,” the report said.
The purpose is to bring together experts “to engage one another directly and, over the course of a year, develop policy and legislative recommendations to present to Congress,” the report said. These experts would include those who work in cryptology, global commerce, federal law enforcement, the intelligence community and privacy and civil liberties activists.
Despite presenting law enforcement and intelligence officials with new challenges, it would be a mistake to say that government does not value encryption, the report said. “The FBI, the Department of Homeland Security and the wider intelligence community use strong encryption to secure their own information.”
In a closed hearing in July, Adm. Michael Rogers, commander of U.S. Cyber Command and the director of the National Security Agency, testified before the Senate on encryption challenges.
“I was testifying before the Senate Armed Services Committee predominantly in my role as U.S. Cyber Command,” Rogers said days later during remarks at the National Press Club in Washington, D.C. “One of the things the committee wanted to talk about was, ‘So what are your views of encryption? What are some of the challenges that you are working your way through?’ And I always start out by telling people, ‘Look, I don’t know what the answer is.’”
There needs to be a nationwide dialogue on the proper and legal uses of encryption. The solution cannot come from the intelligence community, he added.
“You don’t want the intelligence world telling you what the answer is here. Likewise, I don’t want a company necessarily telling me what the answer is here. I don’t want a government agency necessarily telling me that,” he said. “Can we engender a broader dialogue as a society about what are we comfortable with here? And what makes sense for us?”
The NSA is watching a world where many terrorists or other bad actors are harnessing the same technology that most U.S. citizens rely on to ensure that their personal information is not compromised, he said.
“They are using that same capability, that same technology to generate money, to coordinate attacks and to generate violence against us and other nations around the world. We got to ask ourselves, how are we going to deal with this?”
Despite the technology sometimes being used for nefarious purposes, it is critical to the nation, he said.
“Encryption is a positive thing. It’s fundamental to the future,” he said. “I don’t see a solution where we go, ‘Well, we don’t need encryption. It’s bad.’ I reject that idea.”
More and more government agencies are moving toward commercial encryption technology, said Chris Burchett, executive director of client security software at Dell.
“There are a lot of people who are going to want to use commercial products,” he said.
With an in-house system “you are stuck with the need to continue to evolve your products, to maintain them, to support them,” he said. “The benefit of going with a commercial vendor is they do that for a living … so they are going to keep up with it and give you ongoing maintenance.”
Dell — which has a number of customers in the government, including the military — offers encryption services for classified information, Burchett said. It participates in a NSA project known as commercial solutions for classified program.
The program was “established to enable commercial products to be used in layered solutions protecting classified NSS [national security systems] data,” according to the NSA. “This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.”
Under guidance from the program, users of commercial encryption must employ a dual-cryptology system when transmitting top-secret classified data, Burchett said. There are two systems in the market, including “Dell Data Protection / Encryption” enterprise edition product and Microsoft’s BitLocker system, which Dell manages, he said.
“If you’re pulling your products from the CSfC [commercial solutions for classified program] list right now you basically need to use both of those products if you deal with top secret material,” he said.