White House Urges Companies To Protect Data From Russian Hacks With Encryption; While Congress Looks To Effectively Outlaw Encryption
from the protect-yourself-against-congress dept
Earlier this week, the Biden administration urged companies to protect against potential cyberattacks from Russia, which seems like pretty good advice:
The Biden-Harris Administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed. There is now evolving intelligence that Russia may be exploring options for potential cyberattacks.
The announcement lists a variety of ways in which companies should defend themselves against such cyberattacks, including things like making use of multi-factor authentication and backing up your data. But then there’s this very wise suggestion:
Encrypt your data so it cannot be used if it is stolen;
And, this is a good idea, and it’s great that the White House is urging others to follow it. However, it does seem worth noting that this is happening at the exact same time that Congress is still considering the EARN IT Act, which is a clear attack on encryption. And while supporters of the bill like to pretend that the EARN IT Act is not attacking encryption, the bill’s main sponsor, Senator Richard Blumenthal, directly admitted to a Washington Post reporter that of course the point of the bill was to attack encryption and to make sure companies couldn’t “hide” behind it.
All this does is highlight one of the many ways in which the EARN IT Act is so dangerous and so problematic. At a time when encrypting our data is more important than ever, as even the White House acknowledges, the idea that Congress is moving forward with plans that will deliberately weaken the ability of companies to offer encrypted services seems not just preposterously short-sighted, but downright dangerous.
Comments on “White House Urges Companies To Protect Data From Russian Hacks With Encryption; While Congress Looks To Effectively Outlaw Encryption”
Rules for me and not for thee.
No no no. Only not-“big tech” is supposed to (finally) encrypt and secure their (and your) stuff. Finally. Maybe.
Everything else should be open to attack in case some government crim wants at it.
To wonder
But, but.
Hacking has many ways and means, including Backdoors into the OS. A Name/password + verification may help most. But Data?
What data do they want, that isn’t already out there?
They could just DDoS attack the major servers, at the interlinks that connect each system to the next.
Just go after the Main Hub that the ISP/Tier 1, system is at.
Speech
Couldn’t encryption be seen as a type of protected speech? If you speak to a friend in a language the police don’t understand while being listened in on, are you committing a crime? No. If I send a letter to a friend in a code I created and don’t provide the government a code, am I breaking the law?
Can the government mandate I provide a backdoor to private communication be inferred as compelled speech?
Re: Protected speech? Maybe.
Bernstein v United States is close to being on point, but the case wasn’t actually resolved because the government loosened the regulations right before it would have lost. That keeps the case from being binding precedent, so the Government succeeded in its mission to punish those who have the temerity to speak freely with ruinous legal costs. By the time the case wound down, four judges had already ruled that prohibiting the export of encryption was an infringement upon the freedom of speech.
Apple cited Bernstein in its refusal to hack the iPhone belonging to the San Bernardino shooter. Once again, the Government delayed the case until the key question was moot. Once again, the Government was going eventually to lose – every judge who reviewed it said that the order to decrypt the phone was indeed compelled speech.
I don’t think it’s actually possible to answer such a question in the US court system. The government effectively has the ability to prolong a case beyond a single human lifetime. Justice moves so slowly that if nothing else resolves a case, it will simply end with the natural death of a litigant.
expectations
What (?) … you expected sober, rational, well coordinated behavior from those brilliant folks in Washington DC, in the true public interest ??
How totally foolish and ignorant of history and modern experience.
Expect the worst from the DC crowd and you will rarely be disappointed.
Like everything, when it suits, it’s the best thing ever, when it doesn’t, it’s the worst thing, especially when it can be used to forward the aim of someone in power who has no knowledge themselves of what they’re doing
Simple solution, the companies just need to Nerd Harder(tm) so that only Good Guys have on-demand/whim access and Bad Guys are stopped cold by encryption.
Just ask any of those gunning for encryption, they’ll be happy to tell you that if the tech companies just tried harder they’d be able to easily create Good Guy Only encryption and it’s only their laziness that keeps them from doing so.
Re:
The tech companies can use their own encryption on their own servers, as they can decrypt that data at a drop of a warrant or subpoena. What the security services hate is personal decryption, as they cannot serve a warrant without warning the target of their interest, as they cannot get the decrypted data from big tech, but only from the target.
Encryption comes in different flavors. Encryption for transmission is different from encryption for storage. Encrypting your own data is different from encrypting data for third parties, and different from handling data encrypted BY third parties. And a lot of discussion of encryption just sorta lumps all of that into one category.
The White House recommendation mostly lumps it all under one heading, but is (probably) thinking only of the storage encryption.
EARN IT attacks one category (currently) – data handled for third parties.
So… hypocritical, yes. Perverse (in the sense of being in direct opposition), not so much.
Re:
Yeah, I guess. But it also (potentially and [un]intentionally) affects these:
- The legal fabric of the Internet
- Minorities who use the internet (i.e. LGBTQ, etc.)
- First and Fourth Amendment Protections
- Making it harder to catch actual CP offenders
- the relation between websites, states, and the national level.
- E2E Encryption
- And of course, blowing a hole into Section 230 just because it’s easier to find scapegoats than it is to solve complex problems.
But yeah, just data for third-party. Let’s go with that.
The standards exist
Internet standards already provide a technical way to resolve this seeming contradiction: https://datatracker.ietf.org/doc/html/rfc3514
Congress simply needs to demand that it be enforced.
You’re naive if you think the NSA can’t access txt messages, browsing data and non-encrypted messages. US companies are constantly being hacked. Users, banks, financial services, government agencies need to use encryption to protect users’ and the users’ customers’ data and privacy. This is especially important when so many workers work from home and have access to company servers to do work.
There’s 100s of government agencies; they do not all have one voice or opinions on data security and privacy. It’s obvious some politicians have always wanted to outlaw encryption for the public or for services and apps used by the public, even if it puts the public’s security and privacy at risk.
Are there any indications when they could try and vote on the bill?
Doesn’t your President have the power to veto batshit crazy bills coming out of Congress?
Re:
Kind of. The veto can be overruled with a 2/3 vote from both House and Senate.
High bar, but somehow both parties can agree on the worst things at times.
Re: Re:
Well, I guess if they can agree enough on something to actually pass it, they can veto-proof it.