CIA Director John Brennan Says Non-US Encryption Is 'Theoretical'

from the central-ignorance-agency? dept

You would think that someone in charge of the Central Intelligence Agency would have some knowledge about what he’s discussing while at a Senate hearing on intelligence. Perhaps not so much. CIA Director John Brennan said last week, completely incorrectly, that non-US encryption was “theoretical” despite there actually being hundreds of such products on the market.

This happened during an open Senate Intelligence Committee hearing, where Senator Ron Wyden got to ask Brennan a couple of questions. The first was about whether anyone at the CIA was being held accountable for failures during the CIA torture program, and the second was on the future of Section 702 of the FISA Amendments Act. Specifically, he asked whether or not the CIA could live without being able to do “backdoor searches” on 702 data — basically asking what would happen if the CIA had to get a warrant to search that data. Director Brennan more or less dodged both questions, promising to get back to Wyden later and/or “in a different setting” (i.e., a classified one). However, as part of the preamble before asking questions, Wyden briefly touched on the issue of requiring US companies to backdoor encryption — the plan put forth by Senators Burr and Feinstein (Feinstein is sitting right next to Wyden while discussing this) — saying that it won’t work and is dangerous. He points out that putting restrictions on US companies won’t much matter, because those who wish to do us harm will just use non-US encryption. Despite no question being asked on that topic, Brennan decided to weigh in anyway. You can see the exchange here:

Here’s what Brennan says:

I respectfully disagree with your opening comments. First of all, US companies dominate the international market as for… as encryption technologies that are available through these various apps. And I think we will continue to dominate them. So although you’re right that there’s the theoretical ability of foreign companies to be able to have those encryption capabilities that’ll be available to others, I do believe that this country and this private sector is integral to addressing these issues. And I encourage this committee to continue to work on it.

Beyond being a bit jumbled, the idea that the issue is “theoretical” is flat out wrong. A recent paper by the Open Technology Institute looked at the 9 top encryption products recommended as “safe” to use by ISIS and pointed out that only one would be impacted by US regulation.

And then there was the second study, done by the Berkman Center and led by Bruce Schneier, that was a worldwide study of encryption products and noted that there are 865 encryption products worldwide from 55 different countries — and 546 of those products are non-US. It’s true that the US has the most, but there’s a pretty wide variety of other options. And the foreign products cover all different kinds of encryption. They found: “47 file encryption products, 68 e-mail encryption products, 104 message encryption products, 35 voice encryption products, and found 61 virtual private networking products.”

To argue that this is somehow “theoretical” is beyond ridiculous. Even if it were true (and it doesn’t appear to be) that those planning to do us harm currently use US products, it’s pretty obvious that they would quickly move to foreign-based products if it became clear that the US products were required to provide a backdoor to law enforcement. Again, the only end result would be to make those who use the encryption for lawful purposes less safe.


Comments on “CIA Director John Brennan Says Non-US Encryption Is 'Theoretical'”

That One Guy (profile) says:

Idiot or liar

I’d say it’s pretty likely he upheld the time-honored tradition of making a ‘least untruthful statement’ to Congress, as the alternative, that he’s really so clueless that, despite his position and despite what he’s arguing about, he honestly doesn’t know about non-US encryption alternatives, is I’d say extremely unlikely.

Or put simply, he knows full well that what he’s supporting would be both dangerous and useless at its stated purpose, but he’s willing to lie to defend it anyway.

DannyB (profile) says:

Re: Idiot or liar

Maybe he is confused.

First of all, US companies dominate the international market as for… as encryption technologies that are available through these various apps. And I think we will continue to dominate them.

Maybe he is thinking of Google, Apple, Facebook, Twitter, Microsoft and doesn’t really understand those complicated words like:
* encryption
* technologies
* apps
* think

Chris-Mouse (profile) says:

As I recall, the USA has tried this before. In the 1980s, encryption was covered under the same export laws as munitions, and export of high strength (>40 bit keys) encryption was banned. The result? Since importing full strength encryption was legal, almost all encryption development moved offshore.
If the USA starts to require backdoored encryption, the exact same thing will happen again.

Anonymous Coward says:

Re: Re:

But the other nations will just require backdoors too.

The new game will be hunting and pecking for the next unbroken encryption that will likely become illegal in each nation, unless you are using theirs.

Yep, it will become a shit show. We are likely going to begin seeing more “Information Freedom” uprisings in the future, which is inevitable anyways. Greedy interests will always seek to artificially control markets.

John Fenderson (profile) says:

Crypto "domination"

Brennan said

First of all, US companies dominate the international market as for… as encryption technologies that are available through these various apps. And I think we will continue to dominate them.

In saying this, he is either ignorant of or deliberately misrepresenting history.

Back when it was illegal for the US to export effective crypto, the effect was that outside of the government itself there was almost no serious crypto development being done in the US at all. The reason was obvious: if you developed it in the US, you couldn’t sell it outside the US. If you developed it outside the US, however, the world was your oyster.

The result was that the US fell behind in crypto (Israel was the top dog in that realm instead).

The only reason that crypto development returned to the US in later years was the elimination of that law. However, excellent crypto development continues across the entire world as well.

If the US were to make effective crypto illegal by mandating back doors, there is no question what the effect would be: individuals will simply use imported crypto, and crypto development in the US will once again grind to an effective halt.

Anonymous Coward says:

Re: Crypto "domination"

“Israel was the top dog in that realm instead”

They really only need to tour their own racks to verify this. My guess is they will still find Checkpoint being used in a wide number of critical systems infrastructure applications, and still being patched regularly without source code audits.

Dan (profile) says:

What about the software that has been cracked?

It may very well be that Brennan has no clue. But when he runs his own numbers, he’s not counting the ones the NSA has cracked. The implication is that the U.S. has cracked a significant majority, if not all, of the non-U.S. products in discussion here.

If there is a ‘preferred list of products’ put out by the terrorists, our government would have put the effort into cracking those first.

Ninja (profile) says:

It’s amusing to see these people thinking they can make things happen anywhere through laws and tolls that are only valid in their own territory. I mean, obviously Americans should be fighting such idiocy tooth and nail but as an outsider, I’d love to see these things being passed then watch tech companies flee and avoid the US like the plague.

Anonymous Coward says:

Re: Re:

No man, we Americans LOVE our idiots. Once you put an R or a D on someone a drove of fucking fundies are at beck and call.

And the locals… if a corrupt politician gets shit for their locals they are not going anywhere.

The first sign of a corrupt politician is one that says vote for me and I will provide welfare!

Median Wilfred says:

Re: Wyden 20202

Sure, right now Wyden has solid support in Oregon. Let me remind you that Mark Udall had pretty solid support right up until the 2014 Senate race in Colorado. Russ Feingold was solid in Wisconsin until 2010. We’ll have to see how he does this year.

My point is that every Senator that’s tried to cope with the “Intelligence Community” in the last 5-10 years has ended up going down in flames at their next re-election. Senators who cozy up to the IC have done a lot better. Is this coincidence? I think not. We’ll never know, but I bet there’s “Intelligence Community” interference in elections.

JBDragon (profile) says:

Let’s say the U.S. got its way and demanded back doors. Do you think other countries would want or allow U.S. created phones sold in their country where the U.S. Government had backdoor access to citizens’ phones?

The U.S. government wised up back in the 90’s when they wanted to force companies to install the Clipper Chip into everything to gain backdoor access. Of course later it was hacked. But the point was, it would have made Americans insecure, and who would want to buy American Products?

While bad things happen, that’s a tiny percentage of people, to the millions that would be screwed because of weak security. If you gain backdoor access, how does that STOP anything? Looking at a device after the fact stopped something. It’s really simple to destroy phones before you do anything, if there was anything on the phone to begin with that would have been any help.

The police, FBI, whoever NEVER get 100% of the info they want. We have these things called Paper Shredders. Do those companies have to piece together documents for the FBI if they want something? Good luck with that one.

In the end, anyone with half a brain and wanted to do criminal things, maybe wouldn’t trust an American Company and encryption anyway. You would install your own Encryption software, maybe something open sourced and vetted. Cheap Android phones you can toss, destroy at any time with your own Encryption software installed would be the smart move.

Uriel-238 (profile) says:

Re: I'd be curious...

…how our officials and representatives would respond if it turned out that China was installing pre-backdoored OSes on the smartphones they exported to the US.

I suspect they’d have a conniption right there.

And yet they are incapable of seeing that scenario, or how this one is comparable to that one from the eyes of the rest of the world.

JBDragon (profile) says:

Re: Re: I'd be curious...

Which is what I said above. What country would allow U.S. made products sold in their country when there’s a U.S. created backdoor program in all those devices? They don’t want the U.S. Government spying on their Citizens. China being one of them. In fact for Apple to sell the iPhone in China they got to sit in a room with Apple and check out the source Code to make sure there was no such back door in iOS.

Putting a backdoor into something means at some point someone will hack it. In the end the only people it hurts is Most of the Population of normal, everyday users, just trying to mind their own business. The Criminals will install any number of 3rd party Encryption software created outside of the U.S. and there’s not a single thing the U.S. Government could ever do to stop it.

We are a Global Economy. These Governments trying to get their ways to spy on people and using the same weak excuse of Terrorists or Child Molesters. If that works for you, you might as well throw whatever rights you have left right out the window. It’s such a TINY part of the General population and yet screws over the 99.9% of everyone else.

Joel Coehoron says:

Slight Mistake Here

I need to lead by saying I am not a fan of these collection programs and I believe strongly they should be ended and the data destroyed.

That out of the way, there is a slight mistake in this rebuttal to Mr Brennan’s comments. Mr Brennan is not arguing these foreign and open source products are not out there. He is arguing that even though all these other products exist, it’s the US products like gmail and hotmail, US equipment like Cisco, and US software like MS Windows, Apple iOS, or Google Android, that everyone actually uses. These platforms “dominate the international market”. Requiring these services to backdoor their encryption WOULD open up a lot of people to government and other searches. Pointing out all those other services is just knocking over your own straw man.

A much stronger argument that we should not do this comes in two parts:

1) That undermining encryption from these services may push users away from American business to foreign and open source options, ultimately hurting the American economy and driving users to even less-accessible options.
2) For the most part, terrorists can already use the foreign and more-strongly-encrypted services. Pushing mainstream users into those services increases the noise side of the signal/noise problem, making it harder to identify actionable intelligence when it’s there.

The Wanderer (profile) says:

Re: Re: Slight Mistake Here

I actually read him as saying something different even from that.

When he says that

US companies dominate the international market as for… as encryption technologies that are available through these various apps

I read him as saying not that the programs, etc., which people use for encrypted communication, are made in the US, but that the “encryption technologies” which underlie those programs are made in and/or come out of the US.

And to the extent that worldwide encryption technologies are based on accepted standards, which were standardized in the US (and, in at least some prominent cases, which were developed into standards in cooperation with and/or with input from the NSA), he may even be right.

Uriel-238 (profile) says:

Re: Re: Re: If that's what he's saying it doesn't support his argument.

Maybe, but the argument he’s making is that we can just change those standards like poof.

Suppose for a second you are a Brazilian developer working with some Italians on a Russian app that allows the user to encrypt his phone data.

Do you use the AES version 2009 which is pretty much unbreakable with current technologies?

Or do you use the AES version 2017 which the US government has backdoored?

Both are available to you. The 2009 version is free and open source.

The Wanderer (profile) says:

Re: Re: Re:2 If that's what he's saying it doesn't support his argument.

Unless the 2009 version is already backdoored, just not publicly so… which may seem unlikely at the moment (for multiple reasons), but which we can’t entirely rule out.

Mind, I’m not saying that this is the case, just looking for ways to parse what he said such that it could make sense and be accurate (even if misleadingly so)…

John Fenderson (profile) says:

Re: Re: Re: Slight Mistake Here

Most of the crypto technologies in use today were either developed entirely or partially outside the US.

As to accepted standards, I’m not sure of the point. There is no need for people to adhere to the accepted standards unless they want other existing software to be able to decrypt it.

If those standards are backdoored (as some are found to be from time to time), what happens is that everyone stops using them, standard or not. Even if, for some reason, that didn’t happen, that’s still only a minor irritation. Everyone can still use nonstandardized crypto for their own needs — they’d just have to supply the decryption code to anyone else who they want to be able to decrypt it.

If they don’t want anyone else to be able to decrypt it, then there’s not even that minor problem.

Uriel-238 (profile) says:

Scientific theory?

Maybe by theoretical ability Brennan was suggesting that it was scientifically proven. Otherwise he would have suggested a hypothetical ability.

Regardless, it doesn’t matter even if the US had a total monopoly on world encryption, backdooring it would still open communications up to hackers (among uncountable other unintended consequences).

Anonymous Coward says:

Re: Re: Re:3 flat earth society

I don’t expect that members of any of these groups would get into office.

They have a better chance than anyone who would represent their electorate, as the ability to ignore actual evidence, and what most people are saying, seems to be a prime requirement for being a politician.

Zem (profile) says:

This guy is an amateur

To quote Donald Rumsfeld

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones”

And the best Brennan could come up with is to label something “theoretical”. Lazy FUD is lazy.

bsg says:

Brennan just did you all over.

You’re all arguing about whether he is right or not. It simply doesn’t matter.

He doesn’t care about external surveillance. He wants backdoors for internal purposes.

“Look over here, the US dominates worldwide encryption”. And everyone scrambles to prove him wrong. Then what? How is proving that going to stop Congress from mandating domestic backdoors?

MrTroy (profile) says:

Re: Re:

You’re all arguing about whether he is right or not. It simply doesn’t matter.

You may be correct that it doesn’t matter, though that’s a symptom of a much larger systematic failure… but who is arguing about Brennan being right?

As for “everyone scrambl[ing] to prove him wrong”, that’s not happening. Everyone is merely pointing out that Brennan has ALREADY been proven wrong. The work was done months ago, because everyone knew that this kind of lie was inevitable and wanted to have the data ready to prove it.

Do you have any suggestions for how better to fight against Congress pushing bad mandates other than pushing back on invalid assertions?

Max Lundgren (profile) says:

CIA John Brennan

Close your eyes, and take a deep breath. What you cannot see does not exist. No invention or technologies outside US, does not exist. If you are in any doubt, take your dark company glasses on, and everything disappears. CIA never lies, we just cannot see it. Oops Or OPS Europe suddenly disappeared. If everyone take on the glasses ISIS will disappear too, come on everyone, Close your eyes, and take a deep breath. The world does not exist.

