Encryption & Key Management, Governance, Privacy
Trump Administration Reportedly Weighs Forcing Tech Firms to Use Weak Crypto

(euroinfosec) • July 1, 2019

Encryption comes in two forms: Strong or weak. (Photo: Mathew Schwartz)

Faster than you can say "end-to-end encrypted messaging," the debate over whether the U.S. government should have the right to weaken the world's crypto by default has returned.
Politico reports that on Wednesday, the deputy heads of multiple U.S. government agencies gathered before a White House National Security Council meeting to discuss whether the Trump administration should push for new legislation that would require technology firms to only use weak encryption for messaging applications.
The impetus, as usual, is law enforcement and intelligence agencies' concern over "going dark." In other words, suspects in an investigation - centering on child abuse, terrorism, drug trafficking or any other type of criminality - might be using communications techniques on which investigators cannot easily eavesdrop.
The NSC advises the president on national security matters and coordinates policies across government departments.
Last week's gathering of the NSC's Deputies Committee did not appear to result in any decision to change current policies, three unnamed people with knowledge of the meeting told Politico. "The two paths were to either put out a statement or a general position on encryption and [say] that they would continue to work on a solution, or to ask Congress for legislation," one of the people told Politico.
One of the chief proponents of anti-crypto legislation was Deputy Attorney General Rod Rosenstein, but with his departure, the appetite for legislation meant to tackle the "going dark" problem appears to have waned, Politico reports.
Congress and Cybersecurity: Good Luck
Any attempt by President Donald Trump to get Congress to pass such legislation would likely be opposed by many in the Democratic-controlled House who are against mandating weak encryption in the name of law enforcement investigations.
Following the 2015 San Bernardino shootings, the FBI took Apple to court in an attempt to force it to create an easy-to-hack version of its iOS mobile operating system so that investigators could access a smartphone used by one of the shooters, who had been killed. But the FBI abruptly dropped the court case, reportedly because it found a third-party supplier able to crack the device (see: The Great Crypto Diversion).
At the time, Senators Richard Burr, R-N.C., and Dianne Feinstein, D-Calif., introduced draft legislation that would compel technology providers to turn over their customers' information when they receive a court order and aid law enforcement and intelligence agencies in decrypting data when necessary. But the measure failed to advance (see: Why Decryption Legislation Is a Bad Idea).
Investigators Have Other Options
Whatever policy moves the White House might pursue, anyone warning that investigators must be able to access encrypted data, and thus strong crypto must be outlawed, is ignoring at least two other realities: other investigatory tactics, as well as mathematics itself.
First, the "going dark" argument perpetually fails to acknowledge the use of "device interference," which is a law enforcement euphemism for being able to directly hack suspects' devices, sometimes by gaining physical access to them, thus allowing investigators to eavesdrop on all communications. Investigators have also used other tactics, such as the FBI gaining access to the Playpen child abuse site being hosted on the Tor anonymizing network and infecting users with malware that revealed their IP addresses, thus helping to unmask them.
The Opposite of 'Going Dark' is Disaster
Second, when warning about "going dark," officials often portray the solution as building backdoors into systems. Unfortunately, backdoors and strong encryption don't mix: a system is either strong against everyone or it is weak.
Building a system that lets an investigator with a warrant read communications means building a second way to read them. Whether that second path is a master key, an escrowed copy of every session key or a deliberate flaw in the algorithm, it must be kept out of the hands of everyone who is not the warrant holder, for as long as the traffic matters. That is weak crypto by construction. And weak crypto is something that anyone - from unfriendly nation-states, to organized crime syndicates, to advanced persistent teenagers - can exploit to spy on and steal from individuals and businesses alike.
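To make concrete what "a second way to read them" means in code, here is an added example written for this edit; it is not code from the article or from any product the article mentions. It models one representative exceptional-access design, Clipper-style key escrow: every message is encrypted end to end under a session key, and under the mandate a copy of that session key is also wrapped to an escrow authority's public key. Everything in it is an assumption of this example: X25519 and AES-GCM from Go's standard library, SHA-256 in place of a proper KDF, the Record layout and the function names. The point it demonstrates is that the escrow private key is a second key to every user's traffic, sent by anyone, at any time; the recipient's code never looks at the escrow field, so whoever holds a leaked copy of the escrow key reads exactly what the authority reads, while a record with no escrow field stays unreadable to both.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is one message as it crosses the wire. EscrowBlob is nil for a
// plain end-to-end message; under an exceptional-access mandate it holds
// the session key wrapped to the escrow authority's public key (assumed
// layout: ephemeral X25519 public key (32 bytes) || AES-GCM box).
type Record struct {
	Box, EscrowBlob []byte
}

// must keeps the demo short: key generation and cipher setup do not fail
// in practice, so a failure there is a bug, not a condition to handle.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveKey turns an X25519 agreement into a 32-byte AES key.
// A real protocol would use HKDF with context binding (assumption: SHA-256 suffices here).
func deriveKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(priv.ECDH(peer)))
	return k[:]
}

func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal returns nonce || ciphertext || tag under AES-256-GCM.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(key, box []byte) ([]byte, error) {
	aead := gcm(key)
	if len(box) < aead.NonceSize() {
		return nil, errors.New("short box")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil)
}

// Send encrypts msg under the sender/recipient session key. If escrowPub is
// non-nil the same session key is also wrapped to the escrow authority:
// a fresh X25519 key is agreed with escrowPub and the key is sealed under it.
func Send(sender *ecdh.PrivateKey, recipient, escrowPub *ecdh.PublicKey, msg []byte) *Record {
	k := deriveKey(sender, recipient)
	rec := &Record{Box: seal(k, msg)}
	if escrowPub != nil {
		eph := must(ecdh.X25519().GenerateKey(rand.Reader))
		rec.EscrowBlob = append(eph.PublicKey().Bytes(), seal(deriveKey(eph, escrowPub), k)...)
	}
	return rec
}

// Receive is the legitimate recipient's path; it never touches EscrowBlob.
func Receive(recipient *ecdh.PrivateKey, sender *ecdh.PublicKey, rec *Record) ([]byte, error) {
	return open(deriveKey(recipient, sender), rec.Box)
}

// EscrowRead is what any holder of the escrow private key can do to any
// record from any pair of users, whenever it was sent. Nothing in the
// record distinguishes a warrant holder from a thief with the same key.
func EscrowRead(escrowPriv *ecdh.PrivateKey, rec *Record) ([]byte, error) {
	if len(rec.EscrowBlob) < 32 {
		return nil, errors.New("no exceptional-access field: end-to-end only")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(rec.EscrowBlob[:32])
	if err != nil {
		return nil, err
	}
	k, err := open(deriveKey(escrowPriv, ephPub), rec.EscrowBlob[32:])
	if err != nil {
		return nil, err // wrong escrow key, or a sender who filled the field with junk
	}
	return open(k, rec.Box)
}

func main() {
	curve := ecdh.X25519()
	alice := must(curve.GenerateKey(rand.Reader))
	bob := must(curve.GenerateKey(rand.Reader))
	escrow := must(curve.GenerateKey(rand.Reader))

	plain := Send(alice, bob.PublicKey(), nil, []byte("end-to-end only"))
	_, err := EscrowRead(escrow, plain)
	fmt.Println("escrow read of E2E record:", err)

	mandated := Send(alice, bob.PublicKey(), escrow.PublicKey(), []byte("hello Bob"))
	pt, _ := Receive(bob, alice.PublicKey(), mandated)
	fmt.Println("Bob reads:", string(pt))
	pt, _ = EscrowRead(escrow, mandated) // identical for anyone holding a copy of escrow's key
	fmt.Println("escrow key holder reads:", string(pt))
}
```

Two properties of this design are worth noticing. The escrow key is long-lived and cannot rotate away past exposure: a copy stolen today decrypts every mandated record ever captured, because each record carries its own session key wrapped to that one key. And the recipient has no way to check the escrow field, so a sender who fills it with random bytes still delivers a readable message to the recipient while giving the authority nothing, which is the known weakness of the original Clipper escrow scheme and the reason a mandate burdens compliant users more than the people it targets.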
As Dublin-based cybersecurity consultant Brian Honan, who advises the EU's law enforcement intelligence agency Europol, has told me: "Do we want strong encryption to protect our businesses, to protect our online privacy and prevent mass surveillance by rogue states?" The alternative is that governments mandate that all encrypted communications use weak cryptography, thus imperiling our collective security.
After Snowden, Trust Ain't Cheap
How did we get to the point where many Western governments regularly float the idea of making our collective security weaker?
Thanks goes in large part to the U.S. and Five Eyes surveillance apparatus.
The availability of end-to-end encrypted messaging surged following former U.S. National Security Agency contractor Edward Snowden's leaks, which revealed that the agency was running a mass surveillance campaign that attempted to collect the communications of all non-Americans by monitoring technology giants' data centers (see: Report: Apple Building iPhone It Can't Hack).
In response, technology giants began rolling out messaging apps that end-to-end encrypt all communications by default, which now include Facebook's WhatsApp and Apple's iMessage and FaceTime. Other options include standalone apps such as Signal and Wickr.
Also, the U.S. doesn't hold a monopoly on encryption technology. In 2016, for example, security researchers Bruce Schneier, Kathleen Seidel and Saranya Vijayakumar found that there were a variety of options available worldwide. Cataloging encryption products, they found 304 of U.S. origin, 112 built in Germany, 54 in the U.K., 41 in France and 19 in the pro-encryption Netherlands (see: Crypto Review: Backdoors Won't Help).
Passing new laws won't magically stop bad guys from procuring already available technology to encrypt their data or messaging.
In the words of cryptographer Matthew Green, an associate professor of computer science at the Johns Hopkins Information Security Institute: "If we outlaw encryption, then only ransomware developers will have encryption."