Leaked Intelligence Document Calls For More, Not Less Encryption To Protect Companies And Citizens From Cybercriminals

from the and-yet,-everyone-seems-to-be-calling-for-less dept

Everyone from FBI Director James Comey to UK Prime Minister David Cameron is calling for an end to encryption. The FBI is afraid it won’t be able to catch criminals if it can’t immediately access content and communications. David Cameron is afraid it will be nothing but constant terrorist attacks from here on out if authorities don’t have access to “every means of communication.”

Considering many of these voices decrying encryption presumably have access to top secret briefings and documents otherwise unseen by the general public, it’s rather surprising they’ve ignored previous advice from intelligence officials to the contrary.

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.


The document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.

This document comes from The Guardian’s stash of Snowden leaks. What it says runs completely contrary to the panicked assertions of officials. It even runs contrary to the NSA’s own actions, like its active attempts to weaken NIST standards. The report recommends strong encryption, coupled with multi-factor authentication, which would make data and communications wholly inaccessible to the NSA (and GCHQ, its steady surveillance partner).

But this recommendation doesn’t come from an outside source. It’s an intelligence council that reports directly to the head of national intelligence. And yet, the word didn’t spread very far. The NSA isn’t thrilled with encryption because it keeps what it wants out of reach. Law enforcement has the same “problem.” Both have actively worked to undermine encryption for their own aims and both are perfectly willing to open up citizens and companies to outside attacks in order to preserve the status quo.

And it’s not just American agencies that have ignored these recommendations. The GCHQ is engaged in the same cognitive dissonance.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.

The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”….

The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Again we see agencies charged with protecting nations walking away from this responsibility in order to pursue their own ends. Sure, some safety may have resulted from the collection of unencrypted communications, but both agencies are willing to compromise corporate hardware and consumer software in order to grab just a little more hay for the haystacks.

You can’t make a nation safer by destroying its safety features. There’s a bigger picture that these agencies refuse to see — even when internal guidance puts it front and center. If you weaken protections, seek legislation to prevent encryption, collect and stash exploits and install backdoors in hardware and software, you make the nation’s cybersecurity that much harder to maintain. The NSA and FBI both want a piece of the cyberwar action but they want to leave everyone that isn’t them defenseless. Over on the other side of the pond, the GCHQ is doing the same thing and it has the support of a Prime Minister who feels no communication should be able to escape the agency’s notice.

And behind it all, there are documents touting the protective powers of encryption. But that makes intelligence gathering and law enforcement too difficult, so I guess we’ll all have to do without.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Leaked Intelligence Document Calls For More, Not Less Encryption To Protect Companies And Citizens From Cybercriminals”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

Not a very good metaphor given that most hamburgers contain ground beef, not ham, and the name commonly gets shortened to just “burger”.

A better one would be something more like…

Security without encryption is like a doorway without a door. It’s just a big hole a wall that people, wild animals and the weather can just go right through. Sure you can do some things to keep the hole “secure” like not telling anyone it’s there and praying no one and nothing finds it, or constantly stationing someone (more like several someones given the need for shifts and bathroom breaks) there with a gun to keep people and animals out. But none of that really beats having a stout door with a solid lock. Something that leaves anyone or anything wanting to get in two options; 1) spend an hour cutting it open with a lightsaber, 2) find the guy that has the key and start hitting him with a wrench.

John Fenderson (profile) says:

Re: Re:

I think that what they want is for people to have strong security against attackers who aren’t them, while at the same time have the ability to easily decrypt everything themselves.

It’s an impossible dream, but I think that they really believe it’s achievable because from a mathematical point of view, it is. From a practical or realistic point of view, it’s not.

That One Guy (profile) says:

Re: Re: Re:

I imagine the lower ranked workers in the agencies do know that ‘NSA only back-doors’ are nothing more than fantasy, but assuming they even care, odds are their bosses are just ‘smart’ enough to understand some technology(in this case backdoors into programs), yet not smart enough to grasp the entire picture(namely that backdoors work for everyone, just just a select few).

Alternatively, and honestly at this point I would say more likely, they know full well that backdoors allow anyone access to a program/system/network, and they just don’t care as long as it makes their immediate job easier.

(Not to mention they have a vested interest in other systems and networks being hacked, as, much like the Sony hack, it allows them to push for even more power and laws in their favor, meaning they have yet another reason to not care about weakening security)

That One Guy (profile) says:

No contradictions, just the usual double-standards

There’s actually not a contradiction here at all, the NSA and others like them are in favor of strong encryption for their systems. It’s the encryption employed by everyone else that they want to undermine and destroy.

As they have shown, they don’t care what happens to the rest of us, but they treasure their security and privacy very highly indeed.

This attitude is very widespread, from the NSA/GCHQ, all the way down to the police and local politicians, the idea of “Your privacy and rights can and will be sacrificed for ‘public safety’/’National Security’, but mine are untouchable because I’m one of the elite.”

Anonymous Hero says:

Re: No contradictions, just the usual double-standards

The docs say that encryption is the best defense for US govt computers, as well as commercial, financial, private, etc, computers.

The problem is that people who don’t understand the technical aspects of computer security don’t understand that they are asking to have their cake and eat it too. The “backdoor all the things!” policy will not happen for a few reasons:

1. People don’t like it because it’s govt overreach (though govt doesn’t much care about people).

2. Companies don’t like it because it hurts their sales (and thus hurts campaign donations).

3. It’s impossible to implement (people who don’t understand the technical aspects also don’t understand this point).

Anonymous Coward says:

very sensible too, unless of course, you live in the UK where the incompetent and internet illiterate idiot who is Prime Minister, wants there to be NO encryption, so his security forces can join with the USA security forces and be able to spy on everyone, everywhere, doing everything! the fact that there would be so many breeches at just about everything doesn’t matter!
i have to ask myself how the hell does someone get a job like this? the brain power is staggeringly lacking!!

Call me Al says:

Re: Re:

Terrorism with bombs and bullets is louder and more scary then hacking of personal information and it receives more column inches. The politicians therefore take the view that shouting about that is more likely to get them votes then to take a measured and reasonable response which includes explanation of complicated technical issues.

They live in fear of an attack which leads to deaths and the immediate shouts from people and the media to say “You are to blame for not taking action earlier!”

Essentially they think the electorate is dumb. Mostly it is.

Anonymous Coward says:

Encryption is not foolproof, but you should use it anyway

TBH I didn’t read David Cameron’s speech as calling for an end to encryption. He said there “shouldn’t be a message we aren’t able to read”, not “we should be able to read all messages from anyone, all the time”. They may seem similar, but there is a distinction. Intelligence agencies are very adept at getting around encryption. One of the few places where encryption actually has a chance is for individuals who aren’t known to law enforcement and don’t communicate with other known individuals. For instance if you have an encrypted volume on a hardware that hasn’t been backdoored and a sufficiently strong passpharase committed to memory.

Once individuals are identified, there are a number of methods that could be and are employed to circumvent the encryption (mal/spyware, MitM, black bag jobs, etc). In these cases, encryption works not as a total protection for users, but only up until they are targeted by intelligence agencies.

I believe this is a reasonable tradeoff as long as the capabilities to compromise hardware remain limited to some degree. By no means a given in the changing world of technology, but enough to review and conduct oversight of the surveillance of a relatively small number of targets rather than trying to keep collected plaintext data private from analysts.

GEMont (profile) says:

Encryption would prevent spying on the Adversay!!

Rant Warning

“… that encryption is an essential part of protecting citizens against cyber-attacks.”

When the vast majority of “cyber” attacks on 5-Eyes citizens are coming directly from those governments’ own Spy Agencies, encryption can only be perceived by those governments as an effective and therefor undesirable deterrent to their clandestine surveillance activities and the associated lucrative criminal enterprises those activities make possible.

Since it has been shown repeatedly that almost no real effort is being spent in the actual pursuit of real criminals or real terrorists – usually to insure that crime and terror remain an effective excuse for demanding bigger and bigger budgets – and that the lion’s share of all Five Eyes governments’ efforts in this area are specifically spent spying on their own citizens, it should come as no surprise at all that any recommendation of implementing strong encryption nationwide in any Five Eyes nation will be perceived as counter productive by all current Five Eyes Governments and be buried as Top Secret.

To put this in a simpler way, No Five Eyes Government has any desire whatsoever to initiate any process that might protect their citizens from Cyber Attacks, because those governments ARE the primary Cyber Attackers of their citizens.

The simple truth, so obvious yet so hard to swallow that 99.9 % of the population simply refuse to see it, is that there is no government in any nation on earth today.

Instead, members of organized crime and minions of multi-billionaire tycoons from Oil, Medicine, Tobacco, Booze, Insurance, Illegal Drugs and other massively wealthy industries, have usurped the halls of power for fun and profit, and have quietly rewritten the laws of the land to benefit only themselves and their friends.

However, I have complete faith in the willing ignorance and self delusion capabilities of the general populations of earth and expect that this reality will continue to be unanimously and purposely avoided until such time as it too late to effectively reverse the process.

After all, human civilization has always failed in the past from this exact came state of affairs between the rich and poor. I see no reason to expect a change, just because nearly 50% of the world’s population is now literate.

On the other hand it is always fun to poke the beast with a sharp pointy stick, when you know there is no way to avoid the fact, that the beast will eventually eat you anyway.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...