A new government report released on Wednesday officially proposed the creation of a formal commission made up of industry experts and law enforcement to study the growing encryption debate.
The report, titled "Going Dark, Going Forward: A primer on the encryption debate," was authored by the House Homeland Security Committee, chaired by Rep. Michael McCaul (R-Texas), who has been proposing a committee to study the going dark debate since late last year.
According to the report, members and staff of the House Committee on Homeland Security have held more than 100 meetings and briefings over the past 12 months, both classified and unclassified, with key stakeholders impacted by the use of encryption.
"As a result of our robust investigation, the Committee staff has come to understand that there is no silver bullet regarding encryption and 'going dark.' While we benefited tremendously from our engagement with stakeholders, we did not discover any simple solutions. No matter what path emerged, there were always troublesome trade-offs. Thus, in our estimation, the best way for Congress and the nation to proceed at this juncture is to formally convene a commission of experts to thoughtfully examine not just the matter of encryption and law enforcement but law enforcement's future in a world of rapidly evolving digital technology."
To create this commission, Rep. McCaul and Senator Mark Warner (D-Va.) have proposed legislation to create a "Digital Security Commission" comprised of experts in the fields of commercial technology, computer science and cryptology, privacy and civil liberties, law enforcement, intelligence, and global economics. The Digital Security Commission would develop policy and legislative recommendations to present to Congress within 12 months.
Rebecca Herold, CEO at Privacy Professor, said that the year already spent discussing the issue, plus the additional 12 months the commission would need after its creation, is too long to wait for action in the encryption debate.
"Just look at the 30-year-old Electronic Communications Privacy Act," Herold said. "When on the verge of finally having it updated, anti-encryption senators, with the backing of the FBI, once more delayed meaningful updates. They sent the message that they'd rather be able to access all our data after 180 days without a warrant than to strongly protect the data, for as long as it exists, that represents our digital selves."
Elad Yoran, executive chairman at KoolSpan, said bureaucracy must be slow and deliberate on this topic because "getting it wrong will be devastating to everyone's cybersecurity."
"Does any sensible person believe that terrorists or criminals with half a brain will use crypto systems with mandated backdoors?" Yoran asked. "The stupid ones perhaps, but then you don't need advanced backdoors to apprehend them where regular policing and detective work will do just fine."
The report suggests that both the law enforcement side and consumer privacy advocates have valid concerns in the encryption debate.
"Our extensive discussions with stakeholders, however, have led us to conclude that the issue is really about security versus security: encryption protects critical infrastructure, trade secrets, financial transactions, and personal communications and information. Yet encryption also limits law enforcement's ability to track criminals, collect evidence, prevent attacks, and ensure public safety."
Chris Pogue, CISO at Nuix, said he also agreed with both points of view, but still had concerns about who gets to make the decision between liberty and safety.
"I fully understand the need for law enforcement to have the ability to access encrypted communications in their legitimate pursuit of bad people doing bad things. But what happens when that access is abused, either by those with legitimate access, or worse yet, stolen by an external attacker?" Pogue asked. "Security and privacy is something that was so important to the founding fathers, that we have the fourth and fifth amendments to the U.S. Constitution that provide specific parameters regarding how agents of the government can interact with citizens suspected of criminal activity, and our right to not incriminate ourselves. This was done to prevent government overreach in an area with the highest likelihood of occurrence; specifically something the government deemed to be criminal in nature."
Playing both sides
While the report does note multiple times that there are no clear answers in the encryption debate, its first sentence puts forth the idea that the attackers in the Paris and San Bernardino attacks "used encrypted communications to evade detection -- a phenomenon known as 'going dark.'"
Experts pointed out that there is still no solid proof this claim is true, and that in the cases where it can be proven, the encrypted messaging apps used were produced outside the U.S. and therefore not subject to American laws.
Later in the report, this point is addressed: "We are just beginning to understand the implications of this transformation. If the U.S. placed burdensome restrictions on encryption, American technology companies could lose their competitive edge in the global marketplace. Moreover, studies suggest that two-thirds of the entities selling or providing encrypted products are outside of the United States. Thus, bad actors could still obtain the technology from foreign vendors irrespective of U.S. legislative action."
The report appears to be referencing legislation from Sen. Richard Burr (R-N.C.), co-author of the Burr-Feinstein bill which, although not explicitly requiring encryption backdoors, would require companies to comply with court orders for plaintext data even if that data is encrypted.
The report said, "Initially, lawmakers and some among law enforcement personnel believed the solution was simple: statutorily authorize law enforcement access to obtain encrypted data with a court order. Unfortunately, this proposal was riddled with unintended consequences, particularly if redesigning encryption tools to incorporate vulnerabilities -- creating what some refer to as 'backdoors' -- actually weakened data security. Indeed those vulnerabilities would naturally be exploited by the bad guys -- and not just benefit the good guys."
Yoran said that there would be plenty of options outside of the U.S. for companies who want secure software.
"Informed companies and businesses globally will also not choose to use backdoored encryption to protect themselves. Encryption is not the exclusive domain of U.S. technology companies. If businesses cannot find what they need provided by U.S. cybersecurity companies, then they will source their protection elsewhere."
Because the report at least attempts to give both sides of the encryption debate, experts were somewhat split on how useful the Digital Security Commission could be.
"I am not optimistic based upon their recent activities and comments. Quite frankly, I do not think any more of these commissions will help, at least not with the current players involved," Herold said. "I believe the only thing that will help is getting more lawmakers and FBI leaders that possess accurate technology understanding. Our current government leaders are demonstrating how [a] lack of technology knowledge in our always-connected digital age [causes] bad decisions that do nothing to help protect us from terrorists, but instead put all the public's personal information at risk."
Pogue said some form of legislation is likely the only outcome.
"From a technologies perspective, brute forcing encryption algorithms is becoming increasingly less plausible. The time and resources it would take would render the data useless by the time it was eventually decrypted," Pogue said. "So, any solution to the 'problem' of decryption will have to be legislated. My only hope is that our lawmakers will use an abundance of caution, and carefully think through the unintended consequences of their actions. Things like this are always far more complicated than they appear on the surface."
Herold and Yoran noted that the encryption debate itself may be the biggest hurdle to overcome, because the focus on encryption has overshadowed other tools that could be used to gather data about terrorist activities, like metadata.
"It is time for lawmakers to understand and realize that requiring backdoors in security technology, including encryption, is a bad idea," Herold said. "It was a bad idea in the 1990s, demonstrably so, and is still a bad idea. And while the lawmakers continue to push for this, U.S.-based businesses are losing clients who need and want strong encryption to businesses in other countries that provide such services and products. They are not only not improving homeland security with their futile initiatives, they are causing thousands of U.S. businesses to lose clients, and revenues, through their stubborn-headed pursuit. It is time to finish these anti-encryption efforts once and for all and instead look at the more effective ideas that technology experts have for helping to identify communications that are likely to be shared that involve terrorists."