National Security Officials Offer Hedged Support For Strong Encryption

from the we-like-it,-but-just-for-us dept

As Dianne Feinstein and Richard Burr mount another attempt to legislate holes in encryption, national security officials are offering testimony suggesting this is no way to solve the perceived problem. Another encryption hearing, again hosted by a visibly irritated John McCain (this time the villain is Twitter), featured testimony from NSA Director Michael Rogers [PDF] and Undersecretary of Defense for Intelligence Marcel Lettre [PDF] -- neither of whom offered support for mandated backdoors.

As nice as that sounds, the testimony wasn't so much "We support strong encryption," as it was "We support strong encryption*."

Lettre's testimony follows statements of support for encryption -- and opposition to legislated backdoors or "golden keys" -- with the veiled suggestion that the government will be leaning heavily on tech companies to solve this problem for it.

"We need to strengthen our partnership with industry to find ways to protect against the national security threats to the United States. We will continue to work closely with our industry partners to find innovative ways to outmaneuver malicious actors' adoption of strong encryption, while ensuring that individual privacy interests are protected."

The problem here is that encryption isn't so much a privacy issue as it is a security issue. Approaching it from this incorrect angle suggests Lettre isn't opposed to backdooring encryption as long as access isn't abused by the government. But that limitation isn't going to stop malicious actors from abusing backdoors or other security holes built at the government's behest. It could be that Lettre misspoke, but that misreading of the real issue casts doubt on the sincerity of the rest of that paragraph.

"I believe any steps we take as a government must be carefully considered to avoid introducing unintentional weaknesses in the protection of our commercial networks and national security systems. We should also be careful not to negatively affect our economic competitiveness as a world leader in technology, which could unintentionally drive technology innovation outside the United States."

This isn't quite as supportive as it might look at first glance either. Lettre wants to protect "commercial networks" and "national security systems." This wouldn't appear to cover computers, cellphones, or other personal devices that utilize encryption to protect their contents. Nor does it appear Lettre wants to extend his "hands off" approach to communications platforms that offer end-to-end encryption.

The NSA director's testimony is a bit better. There's far less hedging in Rogers' statement than in Lettre's. Then again, it's far more vague in terms of the NSA's intentions. His statement poses more questions than answers (both figuratively and literally -- it ends with a "where do we go from here" question), but it does hint at being aligned with Lettre's suggestion that partnering with tech companies is a better solution than legislative mandates.

However, in the NSA's case, its "partnerships" with tech companies often don't appear to include approaching them directly. If anything, the "way forward" is the way things have been done for years by the NSA's Tailored Access Operations. Why ask for mandated backdoors when you can just intercept hardware shipments to install your own? Or reroute server traffic with man-in-the-middle attacks that grab content before encryption is applied?

While it is heartening to see natsec leaders refusing to back legislation pushed by Security Committee members, the fact is that there's still a powerful law enforcement lobby that can't be ignored -- one that begins with James "My god, it's full of darkness" Comey and runs all the way down to local-level district attorneys.

These entities may not offer much vocal support for mandated backdoors and do actually realize the harm they'll cause, but as long as their own stuff stays relatively protected, they're not necessarily opposed to anything that makes it easier to access communications and data.



Filed Under: admiral michael rogers, encryption, going dark, marcel lettre, privacy


Reader Comments



  • Padpaw, 15 Sep 2016 @ 12:03pm

    I always thought of making mandatory security holes akin to making body armour with intentional holes scattered across it.

    • Dheneb, 15 Sep 2016 @ 12:16pm

      Re:

      I always thought of making mandatory security holes akin to making body armour with intentional holes scattered across it.

      That's OK. All you have to do is label those holes on the outside with something like "HOLE FOR LAW ENFORCEMENT USE ONLY" so that the bad guys will know not to aim there.

  • afn29129, 15 Sep 2016 @ 12:39pm

    a visibly irritated John McCain

    "a visibly irritated John McCain" Excellent! Most excellent.

    The shakes, weak knees, stutter, and bloodshot eyes are next.

  • TheResidentSkeptic, 15 Sep 2016 @ 1:11pm

    Unfortunately

    McCain will keep holding these meetings until someone says what he wants to hear - and then he'll push that into a Bill.

    • Anonymous Coward, 15 Sep 2016 @ 1:26pm

      Re: Unfortunately

      Yes. And if he can't do it before he leaves the senate, his replacement will.

      They've got time, they just need to keep leaning and will eventually push this (or something worse).

  • That One Guy, 15 Sep 2016 @ 1:16pm

    Just a suggestion...

    We need to strengthen our partnership with industry to find ways to protect against the national security threats to the United States.

    If you want to 'strengthen [your] partnerships with industry', have you perhaps considered not treating them as idiots, adversaries, or both?

    Ignoring the tech sector when they tell you that something's not just difficult it's impossible, going around their backs to undermine their products when you're not slapping them with insane demands coupled with gag clauses, arguing that tech companies should be forced to implement government demands that stand to cost the company serious cash and public goodwill, for no real gain...

    So long as the government continues to treat the tech sector as idiotic adversaries they will respond in kind, and the idea of a 'partnership' in any sense beyond 'Do it or we'll make you do it' will remain a pipe dream.

  • DannyB, 15 Sep 2016 @ 1:28pm

    Privacy and Security

    Privacy and Security are more similar than the congress critters and national security buffoons would like to admit.

    Consider these issues:
    * I don't want you to break into my ${thing}
    * I don't want you to remove items from my ${thing}
    * I don't want you to add items to my ${thing}
    * I don't want you to see what is in my ${thing}

    Are the above items Privacy issues or are they Security issues?

    They seem to be Privacy issues when ${thing} = Computer / Phone

    They seem to be Security issues when ${thing} = Home / Car

    But why is Computer / Phone so different than Home / Car? Why does Warrant Required and Unreasonable Search And Seizure, and be Secure in Papers and Effects suddenly mean something different for Home / Car / Papers than it does for Computer / Phone?

    To make it seem like they are different, the words Security or Privacy are used to categorize them.

    It's also amusing that one applies to us while the other applies to them:
    * It's no big deal if we hack you even though it invades your Privacy but doesn't cause any actual harm
    * It's a major crime for you to hack us and violate our Security even though you didn't cause any actual harm

    When it's us, it's just our privacy. When it's them, it's their security.

    • That One Guy, 15 Sep 2016 @ 1:39pm

      Re: Privacy and Security

      But why is Computer / Phone so different than Home / Car? Why does Warrant Required and Unreasonable Search And Seizure, and be Secure in Papers and Effects suddenly mean something different for Home / Car / Papers than it does for Computer / Phone?

      Because they really, really don't like the limitations the law (theoretically) imposes on them with regards to home/car/papers, and while ideally they'd like those limitations removed entirely, they'll settle, for now, for making sure that the limitations don't exist with regards to anything else.

  • Anonymous Coward, 15 Sep 2016 @ 1:32pm

    We won't learn until it's too late....

    It's a bad idea to build technologies with capabilities you wouldn't want your worst case enemy to be able to use as well.

    Dear Congress: What happens to the US if the boogey-man du jour somehow manages to get control of this capability? Leave aside the "how" and focus on the result. Is that what you want? Are you sure?

  • Anonymous Coward, 15 Sep 2016 @ 1:36pm

    I can only hope these two do quit their day job. The pox on any person that voted them into office, and continues to do so every election cycle.

  • I.T. Guy, 15 Sep 2016 @ 1:42pm

    "a visibly irritated John McCain"

    Um... is it just me, but he ALWAYS looks irritated.

  • Anonymous Coward, 16 Sep 2016 @ 11:46am

    They want to make encryption like justice: encryption for the elite, cleartext for the people.
