
Former CIA/NSA director Hayden supports strong encryption

Former CIA and NSA director General Michael Hayden came out in favor of strong encryption, but representatives in Congress and the Senate are continuing to pursue encryption backdoor legislation.

General Michael Hayden, former director of both the Central Intelligence Agency and National Security Agency, came out in favor of strong encryption and against the U.S. government's push for encryption backdoors.

Gen. Hayden, who is now a principal of the Chertoff Group, a global advisory firm focused on security and risk management, said, "America is more secure with end-to-end unbreakable encryption."

Gen. Hayden's comments came while speaking at The Wall Street Journal CIO Network Conference on Monday. He said there would always be other ways to obtain data, and the government shouldn't resort to weakening encryption. Hayden also noted the government's failed attempt at monitoring commercial communications with the proposed "Clipper chip" in the 1990s.

"We didn't get the Clipper chip, we didn't get the backdoor and we then began the greatest 15 years in the history of electronic surveillance," Hayden said.

Hayden attributed the success in electronic surveillance to the use of metadata. Experts have said metadata would still be available on encrypted communications, which undermines the "going dark" argument made by current FBI Director James Comey.

Hayden had previously stated his support for strong encryption last year, but his comments this week mark the strongest and most detailed defense of encryption to date. In his statements this week, he went on to say that he has changed his view on the role of government in cyberdefense.

"In government, I had assumed that in cyber defense as in physical defense the main body was the government…I think I got that wrong," Hayden said. "I actually think in the cyber domain, [business] is the main body and what the government has to teach itself is that the government needs, in all but a few exceptional cases, to conform its movements to the movements of the main body."

"Cyberspace is the largest ungoverned space in human history," he said. "You're going to be responsible for your own safety [in cyberspace] in a way that you haven't had to since the closing of the American frontier in 1890."

However, it appears as though representatives in Congress will continue pursuing legislation to mandate weakened encryption so companies can comply with law enforcement and provide access to user data.

The general argument from lawmakers has been that if terrorists use encrypted communications methods, law enforcement would have no way to monitor that communication. Senator Richard Burr (R-NC) has been taking the lead on potential legislation in the Senate to mandate that companies comply with court orders, even if that means breaking encryption.

Rep. Michael McCaul (R-Texas), chair of the House Committee on Homeland Security, has been working since last year on legislation to create an encryption commission that he said will "bring together the technology sector, privacy and civil liberties groups, academics, and the law enforcement community to find common ground," speaking last year in what he called the first annual State of the Homeland Security Defense Address.

McCaul told SearchSecurity: "Former Director Hayden has a great point - with encryption, it isn't a question of privacy versus security but rather security versus security. The same technology that is presenting challenges to law enforcement also keeps our personally and nationally sensitive information secure, and making policy changes without looking at the full picture could have dangerous consequences. That's why I've proposed a commission on digital security to bring together experts who get the complexity and the stakes to provide us with recommendations."

Senator Burr had no comment regarding his stance on encryption in light of Gen. Hayden's comments.


Join the conversation



Which is more important to public safety: the ability to encrypt without backdoors, or giving access to all encrypted data to law enforcement and government agencies?
If a government could assure that the backdoor could not be discovered or misused, I'd consider it. Clearly they cannot. Most governments have demonstrated an inability to protect information they are already required by law to protect. It is bad enough that citizens are forced by governments to provide information that the governments cannot/will not protect, but to have government require that business weaken the protections that the businesses can provide is entirely without merit.
Ed B. As with his earlier messages, Gen. Hayden makes good points. While I agree that there is much to be gained from analyzing Metadata, or Traffic Analysis, in selected cases, which to me means targeting adversaries, a controlled backdoor would be useful. However, given the propensity for individuals in business or government to abuse the power allocated to them, there must be checks and balances on the use of a backdoor. Because we're human, there won't be a perfect solution. However, assuming Congress approves and the President signs legislation requiring a backdoor, I lean towards establishing an IG responsible directly to the House and Senate Intelligence Committees, rather than to DoD or the Intelligence Community (IC).
Also, while I understand the General's comments about business being the main body for Cyber Defense, I don't completely agree with him. While I agree that elements of the business community will drive innovation, ours and our allies' governments have a role to play. I believe this role is primarily in providing oversight through legislation, the end goals for different areas of Cyber Defense, such as encryption systems and communication protocols (Vision), defining how specific elements will be employed, e.g. securing government and R&D Labs internal networks, to realize each vision (Strategy), and specific system requirements to build out specific components to complete tasks supporting each strategy (Tactical or Operational).
It’s a problem that affects more than one entity, which means that a security solution needs to come from all of those affected, not just the government or businesses.