27 June 2015

COUNTERTERRORISM, BACKDOORS, AND THE RISK OF “GOING DARK”

Walter Haydock
June 25, 2015 

The terrorist threat to the United States is evolving rapidly, especially in terms of the methods by which extremists communicate. Counterterrorism analysts and operators face a variety of technical challenges to their efforts. In Oct. 2014, Federal Bureau of Investigation (FBI) Director James Comey warned of the growing risk of “going dark,” whereby intelligence and law enforcement agencies “have the legal authority to intercept and access communications and information pursuant to court order,” but “lack the technical ability to do so.” European Police Chief Rob Wainwright has warned that terrorists are using secure communications in their operations more frequently, a technique the Islamic State of Iraq and the Levant (ISIL) is apparently pioneering. The emergence of secure messaging applications with nearly unbreakable end-to-end encryption capabilities such as surespot, Wickr, Telegram, Threema, and kik highlights how rapid technological change presents a powerful challenge to security and counterterrorism agencies.

Responding to such developments, the FBI has lobbied Congress to legislate the mandatory creation of “backdoors” in commercially available communications via an update to the Communications Assistance for Law Enforcement Act. The Director of the National Security Agency (NSA), Adm. Michael Rogers, suggested creating overt “front doors” to allow the U.S. government access to certain devices and software. This scheme would split between agencies the “key” necessary to decode encrypted information. British Prime Minister David Cameron went as far as to recommend legislation outlawing end-to-end encryption in the United Kingdom unless the government had assured access to the data “in extremis.” President Barack Obama declared that the absence of such backdoors is “a problem” and described the ability to lawfully intercept all forms of communication as a “capability that we have to preserve.”

Such proposed steps are misguided and ill-advised. Creating backdoors in commercial communications technology is not the answer. First and foremost, in an era where state, terrorist, and criminal actors constantly strive toward — and succeed in — penetrating American commercial and government networks, legislating holes in encryption is dangerous. U.S. government networks themselves are clearly insecure, as the recently identified electronic intrusion into Office of Personnel Management records, as well as historical breaches of Department of Defense systems, indicates. ISIL has even successfully hacked American military social media accounts. Unidentified criminals stole the personal information of more than 100 million Target customers in a breach that the company discovered in 2013. Requiring software companies to weaken their encryption would provide hostile cyber actors additional vectors by which to harass, rob, and spy on American citizens.

Relying on legislation to keep pace with technological advancement is impractical and bound to fail. In Sept. 2014, Apple announced that it was upgrading the encryption of iOS 8 to make it technically impossible for anyone but the device’s user to unlock it. This reversed a previous policy whereby Apple would unlock devices if police issued a warrant requiring the company to do so. Apple’s move avoided legal complications by making compliance with such requests impossible on a technological level. Director Comey criticized this change in Apple’s policy the following month, warning that “[s]ophisticated criminals will come to count on these means of evading detection,” such as storing incriminating information on encrypted devices. Through a relatively simple technical modification, Apple effectively locked the FBI out of all devices it manufactures. To expect Congress to adapt constantly to such changes is unrealistic. Mandating the weakening of commercially available encryption would not only threaten the security and privacy of Americans, it would also require the establishment of a bureaucracy dedicated to examining software code and deeming it “backdoor compliant.” Such needless red tape would hamstring American technology companies.

Furthermore, many of the aforementioned businesses — Telegram, Threema, and kik — are not based in the United States. Establishing the necessary regulatory regime would give foreign providers an immediate and massive competitive advantage. Companies that want to survive in the secure instant messaging market will have no choice but to leave America. If all businesses subject to U.S. law must create backdoors in their encryption protocols, would secure, “foreign” pieces of software become illegal? Would the FBI arrest those who use such programs? Would American customs authorities inspect the electronic devices of incoming travelers for such “contraband” applications? These hypothetical scenarios show how unworkable such a law would quickly become.

The Way Forward

In the face of such changes, the U.S. intelligence community, law enforcement organizations, and their allies and partners must adapt. The most important and weakest backdoor into every device is its human user. Counterterrorism authorities need to focus on exploiting the human element to keep pace with emerging threats through a series of changes. First, the United States must maintain and improve its human intelligence (HUMINT) capability. Those who argue that America should “outsource” traditional clandestine spying to allies are woefully misguided. Doing so could put the United States at grave risk as it continues to lose the ability to intercept terrorist communications. Such human intelligence operations include the penetration of terrorist networks via social media, an increasingly important tool in the age of universally available secure communications. Recruiting reliable and capable informants at home and abroad requires culturally savvy intelligence officers; recruiting, training, and retaining such professionals are vital national priorities. The CIA’s recent restructuring and Director John Brennan’s public emphasis on cyber-enabled HUMINT operations are steps in the right direction.

Second, the proliferation of biometric readers on mobile devices allows for alternate means of access to encrypted information, methods that authorities should exploit in counterterrorism investigations. There is legal precedent in the United States for allowing police to use biometric signatures to extract incriminating evidence from suspects. The Supreme Court held in 2013 in Missouri v. McNeely that police could forcibly extract blood from suspected drunk drivers, provided that a judge issued a search warrant. A Virginia Circuit Court judge took this trend a step further in Oct. 2014, ruling that police can force criminal suspects to unlock their phones using onboard fingerprint scanners. Although this specific issue has not reached the Supreme Court, the precedent exists for lawfully gaining access to encrypted devices through exploiting the biometric signatures of criminal suspects.

Third, counterterrorism professionals must use novel techniques that already have an established legal framework, focusing on a human element to help uncover threats to the United States and its allies. Section 206 of the USA PATRIOT Act provided authorities with the ability to conduct “roving wiretaps” on terrorist suspects, whose exact identities may be uncertain. The recently enacted USA FREEDOM Act preserves this provision until 2019. This modification to the Foreign Intelligence Surveillance Act allows authorities to “follow the target” across methods of communication, especially useful when a suspected terrorist rapidly switches between them in an attempt to thwart surveillance. The ability to conduct surveillance on phone, email, and social media accounts — which a court has not specifically identified for monitoring — has drawn criticism from some civil liberties groups. In a world where terrorists may transition rapidly between different media, however, such flexibility is vital. Furthermore, this method of surveillance requires a warrant from the Foreign Intelligence Surveillance Court (FISC). The USA FREEDOM Act has reformed the FISC, creating court-appointed public advocates who participate in FISC proceedings and advocate on behalf of suspects. If the intelligence community identifies a potential terrorist using encrypted communications, the ability to rapidly transition to monitoring a newly detected — but unsecure — method is a vital tool. Combining information from such intercepts would allow analysts to “pull the thread” and potentially identify and disrupt attack plotters.

Finally, the FBI must improve its Computer Network Exploitation (CNE) capabilities. By relying on legally mandated backdoors, law enforcement authorities will likely remain complacent in their ability to obtain data from criminal suspects. Rapidly evolving technology and the slow pace of accompanying legislation will continue to hamper the lawful collection of intelligence. In addition to encryption, counterterrorism efforts face challenges from anonymizing software such as Tor, which further obfuscates the true identity of computer users. Although it also draws criticism on civil liberties grounds, the FBI’s ability to clandestinely exfiltrate data from the computers of suspected terrorists will remain a vital tool. The often unknown identity and/or location of the targets of these operations makes it even more important to extend the FBI’s reach globally, as recent Department of Justice rule changes now allow. Massive collection of “data-in-motion” through passive means, though historically useful, will soon be a thing of the past. Recent court decisions and the expiration of legislation through which the government justified NSA bulk telephone metadata collection have made such intelligence gathering increasingly difficult. The proliferation of end-to-end encryption presents a further challenge to these efforts. Offensive cyber operations against the computers of suspected terrorists, an example of targeting “data-at-rest,” demand greater precision and expertise on the part of counterterrorism officials. Although encryption also hinders these operations, the means exist to bypass it by inducing a degree of user cooperation through well-crafted approaches, further highlighting the need for improved cyber-enabled HUMINT capabilities. Successful CNE efforts generally yield far more useful information than bulk metadata collection. Combining roving wiretap authority with improved FBI computer exploitation capabilities would help fill the gaps that recent technological and legal changes have created.

Mandating backdoors in commercial encryption is not the solution to the challenges this technology creates. Doing so would put everyone at increased risk of exploitation by hackers of all stripes. It would also rely on legislation to keep such vulnerabilities open. Cash-rich and technologically advanced companies like Apple would likely find ways to circumvent such measures, whether through technical modifications, legal challenges, or simply relocating abroad. The U.S. Congress has a poor track record with regard to rapidly amending legislation in the face of technological change, and this trend is likely to continue. Targeting the human users of secure communications technology and improving the FBI’s technical exploitation capabilities are the best ways to ensure access by intelligence and law enforcement authorities to information of counterterrorism value.

Walter Haydock serves at the National Counterterrorism Center in Washington, D.C. He is an active duty Marine Corps Officer who has deployed twice to Afghanistan in support of Operation ENDURING FREEDOM. The views expressed in this article are those of the author and do not reflect the official policy or position of the Department of Defense, National Counterterrorism Center, or United States Government.
