by Mark MacCarthy

A shortsighted call for softening encryption

Dec 01, 2015

The Paris attacks have given the government an excuse to renew efforts to gain access to encrypted private communications. It's a bad idea.

The Paris attacks have given the government an excuse to renew efforts to gain access to encrypted private communications. In the face of well-planned terrorist activity, such a move sounds like a reasonable step towards greater security — but it is not. And, in fact, there is no evidence that the attacks were coordinated using encrypted technology — the opposite may actually be the case, with the terrorists’ communication occurring over unencrypted telephones.

Regardless, the argument that secure networks are hard for intelligence agencies to penetrate is true — and that means they are hard for everyone to penetrate, most especially those with evil intent. If the government can access our networks through a “backdoor,” there is very little we can do to stop a sophisticated terrorist organization, authoritarian governments, or other intruders from doing the same.  

Those calling for law enforcement access to encrypted communications believe it will help disrupt terrorist planning. Such a view is shortsighted, ignoring the fact that enhanced network security through tough encryption strengthens overall national security. In addition, any U.S. mandate giving law enforcement access to encrypted devices will likely divert terrorist traffic to non-U.S. services, which have no obligation to work with law enforcement and would be even more difficult to monitor.

The fact is, encryption protects not just government and commercial databases, but also critical national infrastructure such as hospitals, airlines and power stations — exactly the targets terrorists would attempt to hack and destroy, with potentially huge economic and human costs.

Vice Chairman of the Joint Chiefs of Staff, Admiral James A. Winnefeld, agrees, recently telling those at a Cybersecurity Summit at West Point “…I think we would all win if our networks are more secure.  And I think I would rather live on the side of secure networks and a harder problem for [NSA Director Mike Rogers] on the intelligence side than very vulnerable networks and an easy problem for Mike … we are more vulnerable than any other country in the world, on our dependence on cyber.”

Responsible organizations — from the U.S. Defense Department to financial institutions to power companies — understand the enormous risks of unsecured networks. A hint of what could go wrong emerged from a hack of a German steel mill earlier this year.  Attackers disrupted the mill’s control systems, making it impossible to properly shut down a blast furnace and causing massive damage. The hackers gained access to the production operations by evading network access controls.

Government security officials have been warning of possible attacks on the U.S. power grid, and Congress has held hearings on this concern. Intruders have never gained access to the power grid, but it’s a thin line — the Department of Energy’s (DOE) computers were hacked over 150 times between 2010 and 2014.

The message is clear: guarding computer networks from intrusion prevents disruption to infrastructure, safeguards vital data, and perhaps most importantly, protects human life.  While much was made of the attacks aimed at Sony Pictures and the Office of Personnel Management, in which valuable proprietary information was stolen, we can only imagine the potential for destruction if a similar attack took place against a nuclear plant or municipal water supply.

An assault on our critical infrastructure with casualties in the thousands is not an idle fantasy of security engineers. The U.K. is aiming to spend almost 2 billion pounds on mitigating the threat of infrastructure attacks. It makes no sense to expend resources to meet this threat while simultaneously undermining the encryption that protects critical infrastructure.

It’s important to understand that weakening encryption cannot be done piecemeal — such as for personal devices but not for access controls to corporate networks. Once it is known that systems have built-in security vulnerabilities, every outlaw hacker in the world will seek ways to exploit these weaknesses.  

While the call for weaker encryption is understandable following a devastating terrorist attack, Congress’ leading voices on security understand the dangers and are speaking up in favor of encryption. In recent remarks rejecting “proposals to undo encryption,” Representative John Conyers urged the intelligence community to “focus on the most effective tools in our toolbox: targeted surveillance, targeted investigations, and smart policing.”

At a recent SIIA event, Representative Michael McCaul, Chairman of the House Committee on Homeland Security, waved his phone and declared, “You don’t want to put a backdoor in this device, because then you open it up to hackers.”  At the same event, Representative Will Hurd, Chairman of the House Subcommittee on Oversight and Government Reform and a former CIA officer, added, “Encryption is good and we shouldn’t do anything to weaken it.”

If we weaken encryption, the world will be a more dangerous place. Keeping our encryption strong is the way to keep us safer and more secure.