Defense Department To Congress: 'No, Wait, Encryption Is Actually Good; Don't Break It'

from the seems-important dept

As Senate Judiciary Committee Chair Lindsey Graham has continued his latest quest to undermine encryption with a hearing whose sole purpose seemed to be to misleadingly argue that encryption represents a “risk to public safety.” The Defense Department has weighed in to say that’s ridiculous. As you may recall, the DOJ and the FBI have been working overtime to demonize encryption and pretend — against nearly all evidence — that widespread, strong encryption somehow undermines its ability to stop criminals.

However, it appears that other parts of the government are a bit more up to date on these things. Representative Ro Khanna has forwarded a letter to Senator Graham that he received earlier this year from the Defense Department’s CIO Dana Deasy, explaining just how important encryption actually is. The letter highlights how DoD employees rely on the kind of strong encryption found on mobile devices and in VPN services to protect the data of their employees, both at rest (on the devices) and in transit (across the network).

All DoD issued unclassified mobile devices are required to be password protected using strong passwords. The Department also requires that data-in-transit, on DoD issued mobile devices, be encrypted (e.g. VPN) to protect DoD information and resources. The importance of strong encryption and VPNs for our mobile workforce is imperative. Last October, the Department outlined its layered cybersecurity approachto protect DoD information and resources, including service men and women, when using mobile communications capabilities.

[….]

As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources. The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.

So, there you have it. The Defense Department believes that strong, unbroken encryption is critical to national security, as opposed to the DOJ which appears to think (incorrectly) that it undermines national security. At the very least, this should mean that politicians should stop uncritically claiming that encryption is some sort of “debate” between privacy and national security. It is not. Encryption protects both of those things. Breaking encryption harms both privacy and national security… in the hopes that it might make law enforcement’s job marginally easier.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Defense Department To Congress: 'No, Wait, Encryption Is Actually Good; Don't Break It'”

Subscribe: RSS Leave a comment
29 Comments
Anonymous Anonymous Coward (profile) says:

A rose by any other name

At a minimum there is a conflict as to what constitutes ‘national security’.

For the DoJ it’s anything they feel like pursuing or that they can’t readily commit to surveillance within the bounds of the Constitution, or might make them work harder, even if the information they pass around is co-opted by those they pursue. For the DoD it is all the information they pass around that might benefit enemies of the United States, probably including but not limited to security arrangements, operational plans, etc..

I have heard some things being referred to as ‘national security’ or related to such that I have a very hard time discerning what it is about those things that is in fact related to our ‘national security’. Some of our post WWII conflicts meet this criteria, depending upon how one feels about the domino effect. Many of our state department/CIA interventions in foreign countries meet this criteria. Some law enforcement actions (the sale or gift of military equipment to local law enforcement departments) definitely meet this criteria. Calling some definitely criminal actions ‘terrorism’ when it is merely criminal might meet that criteria.

In the end, the term ‘national security’ really depends upon the intent of the speaker, no matter how much their rhetoric attempts to lead one in another direction. Too often that phrase is wielded to achieve ends that don’t require the means.

This comment has been deemed insightful by the community.
Agammamon says:

"The Defense Department believes that strong, unbroken encryption is critical to national security, as opposed to the DOJ which appears to think (incorrectly) that it undermines national security."

There’s no conflict here. Both agencies believe strong, unbroken encryption is critical to national security – when only the government has it – and undermines national security when the proles can get up to things outside of the view of their betters.

Scary Devil Monastery (profile) says:

Re: Re:

"Republicans no longer care about national security. Arguably never did. They want to lord over a captive population, no matter what it costs. Full stop."

…as do the democrats. You can argue that the dems are more concerned with liberal values and individual liberty than republicans and you’d be right…

…but take it from someone coming from a nation which prides itself on liberal values; It doesn’t take long before you get a spokesperson for the liberals standing up and saying stuff like "for the benefit of society as a whole we can not afford luxuries like personal integrity".

Basically every politician who comes to power WILL try to jettison as many of the citizenry’s freedoms as possible, the very second they turn out to be an inconvenience to the current agenda. Obama’s war on whistleblowers closely mimicked GWB’s – and for the exact same reason.

The only safeguard we have is that as soon as a politician tries to go down that road the voters need to ensure that politicians party will no longer be in power after the next election.

And that’s hard to get the lazy voter to do because even outside of the US people tend to stick to their chosen parties come hell or high water.

Wendy Cockcroft (profile) says:

Re: Re: Re:

Yeah… Obama basically governed as Bush III lite. The Establishment Dems are no different from the Reagan and Bush-era Republicans. Why? They’ve moved hard to the right to ward off the threat of being associated with socialism, thereby making actual socialism increasingly popular. There’s only so much scare-mongering you can do till it ultimately backfires.

This comment has been deemed insightful by the community.
K`Tetch (profile) says:

earlier this year, I moderated a panel with AccessNow’s (now Silkicon Flatiron’s) Amie Stepanovich, and EFF General Counsel Kurt Opsahl on this topic (although looking at it working from Australia (at the time of the panel submission, they were the only one although a week or two before the panel was held, Barr came out in favor)
You can see it here
https://www.youtube.com/watch?v=rI3uEATDxIk

And yes, Strong Encryption is good. One of the other panels is hosted by a friend of mine, Elonka Dunin, and she has cryptography as a hobby. And by Hobby I mean ‘she’s writing a book on it, has social engineered her way into CIA HQ to see the Kryptos statue in the past, and filmed a documentary on it earlier this year’. She has a list of other encryptions, still not broken today – Beale, Elgar, voynich Manuscript, and of course, Kryptos. (for those that don’t know, Kryptos is a sculpture in the grounds of the CIA HQ put there in 1991, and has 4 codes on it. 3 have been broken, the 4th hasn’t. The CIA and NSA have been working on it (in competition) for almost 30 years now, even with those who made it dropping clues.
Video here
https://www.youtube.com/watch?v=h1Mb74yGbX4

Encryption can be hard to break, unless you know there’s a key that’s always going to work, so you can attack that key. After all, why attack a key that can only unlock that one thing, when you can go for a key that unlocks that thing AND everything else.
And as soon as that key leaks, thats it, there’s no security at all. Prime example are the travelsafe TSA locks. They have as much security as a velcro loop, because anyone can unlock them with an easily available key.
Excelent video by Lockpick lawyer here.
https://www.youtube.com/watch?v=GhESSMvf_to

Anonymous Coward says:

Re: Re:

After all, why attack a key that can only unlock that one thing, when you can go for a key that unlocks that thing AND everything else.

Well, not everything else. Criminals will double-encrypt so it looks like they’re using the "standard" escrowed crypto. (Or, like the brute-force attack on the Clipper chip’s LEAF, there may be a more direct way to fake it.)

This comment has been deemed insightful by the community.
Anonymous Coward says:

Ask Lindsey Graham, just how well it worked with Fitbit with no encryption. Using the data from Fitbit, they were able to reconstruct the paths that military members wearing the device made.

If we can reconstruct so can anyone else, including what are deemed the enemy.

Lets not forget that without encryption, banking on line would all but cease to function. Making holes in that encryption will only open the path up for more scammers and hackers to find a way in. There is no such thing as a little bit pregnant. Nor is there any such thing as a little bit of encryption. It is either secure or it is not.

So what happened to all the cop methods and spy methods long before encryption spread to catch the bad guys? I mean encryption has been with us for a long long time. Certainly going back to the days of Roman messengers carrying encoded message canisters requiring you to know the key to make sense of the message. This is not a new thing just started happening during the internet days.

It appears to me that the LEO forces want to have everything handed to them so they don’t actually have to do their jobs. No one said that putting effort into finding and capturing the bad guys was easy.

K`Tetch (profile) says:

Re: Re: Re:

other way around.

Battlefield comms only have a limited window of utility. like a week, then they’re no good.
They’re also all collectively controlled by effectively the same entity, so so changing it is feasible.

Banking has a LONG window of utility. MY bank account now is still my bank account next year. And good luck getting Granny Midnight-flasher to upgrade her browser to allow a new encryption system. She has IE4 and it’s always worked in the past so why won’t it work now?

Scary Devil Monastery (profile) says:

Re: Re:

"If encryption is a munition, why isn’t it protected by the 2nd amendment?"

It is. Encryption is THE defensive weapon in the digital venue. If the NRA was indeed into citizen defense rather than just a spin department for large gun manufacturers then they’d be backing encryption the same way they did physical guns and not a single republican would ever dare raise the issue of backdoors.

But as things stand the NGO’s advocating encryption tend to be less…malicious…than the NRA and tend not to engage in large mudslinging campaigns against hostile senators and congressmen so they don’t have the same impact.

Anonymous Coward says:

Re: Re:

If encryption is a munition, why isn’t it protected by the 2nd amendment?

Banned in certain states, requiring governmental approval in others?

Also, isn’t it my 1st amendment right to communicate any series of characters or codes I see fit?

Under Junger v. Daley, maybe. (That case said ciphersystems were protected speech, without considering ciphertext.)

Scary Devil Monastery (profile) says:

Re: Re:

"Most encryption over the internet isn’t very strong."

That depends on what the heck you mean by "most". HTTP? Yea, that’s basically cleartext. HTTPS? Secure enough for most purposes, which is why there isn’t a russian crime consortium emptying the bank accounts of everyone trying to do online transactions.

Encryption, by default, is always strong enough.

What makes this less secure would be the disturbing amount of cracked end points. Your bank vault is secure all the way until the combination and key is compromised.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...