12 February 2020

Weak encryption means putting our military at risk – CyberScoop

by Ari Schwartz 

Feb 4, 2020 | CYBERSCOOPLast month, a brigade of U.S. soldiers deployed to the Middle East received instructions from their superiors to use two commercial encrypted messaging applications, Signal and Wickr, on their government issued cell phones. These leadership cues trickled down from the Department of Defense’s (DoD) position that strong encryption is critical to national security. While U.S. Attorney General William Barr continues to push for a broad mandate for backdoors for law enforcement, those on the front lines of protecting America have notably decided on a different approach. Simply put, weakening encryption means putting our military service members at risk.

In a recent letter to Rep. Ro Khanna, D-Calif., DoD Chief Information Officer Dana Deasy made clear that the use of encryption to protect the mobile devices of our service members and their stored data is an “imperative.” Deasy makes clear that the use of commercial encryption and virtual private networks (VPNs) are key to DoD’s cybersecurity strategy. Therefore, “maintaining a domestic climate for state-of-the-art security and encryption is critical to the protection of our national security.”

Meanwhile, Barr continues to vilify encryption. He suggests that tech companies are refraining from building backdoors in their products because they feel that they can flaunt law enforcement’s role. Barr does not seem to consider that, if the United States asks for backdoors, other countries, including China and Russia, will do so as well. Even if tech companies decide not to do business in those countries, a backdoor becomes a known target for nation-state and criminal hackers to exploit.


By explaining the flaws in Barr’s case, I do not mean to suggest that law enforcement’s underlying concern is not valid.

The problem is that both sides of this issue have valid concerns. Law enforcement should be concerned, and has been since this argument started 30 years ago, about gaining access to data held by criminals. Technology companies should continue to make the most secure products that they possibly can make.

Last year, I had the opportunity to be part of a small working group of experts convened by the Carnegie Endowment for International Peace and Princeton University aimed at addressing this issue. The group was made up of former law enforcement officials, national security officials, privacy advocates and technology experts.

The group’s stated goals were:
to engage in and promote a more pragmatic and constructive debate on the benefits and challenges of the increasing use of encryption;
to identify specific areas where greater common ground may be possible
to propose potentially more fruitful ways to evaluate the societal impact, including both benefits and risks, of any proposed approaches that address the impasse over law enforcement access to encrypted data.

The efforts led to the release of a report last year, outlining the group’s recommendations for moving the encryption policy debate forward.

In its pursuit of a more constructive dialogue, the report recommends breaking the discussion on encryption down further and avoiding broad mandates. The report makes clear that there will be no single approach for requests for lawful access that can be applied universally, and that more work must be done to continue the work that the group initiated to separate the encryption issue into its component parts. Specifically, the report says: “Stakeholders, technologies, processes, policies, and regulatory environments are very different when it comes to protecting data in the cloud, data in motion, and data on devices. Proposals that attempt to solve every issue are unlikely to succeed.” The report also states that mobile phone proposals should be tested against a variety of use cases which will clarify the risks and benefits.

Let’s stop wasting time suggesting that we need universal solutions that may solve law enforcement’s short-term needs, but then put consumers and our military at risk. Congress has the opportunity to move this discussion forward by breaking down the issue and encouraging solutions for law enforcement that both improve their existing cooperation with technology companies and limit the risk to consumers, the military, and all users of commercial encryption.

Ari Schwartz is Managing Director for Cybersecurity Services at Venable. Schwartz is a former Special Assistant to the President for Cybersecurity on the National Security Council under President Barack Obama.

No comments: