from the we-like-it,-but-just-for-us dept
As Dianne Feinstein and Richard Burr mount another attempt to legislate holes in encryption, national security officials are offering testimony suggesting this is no way to solve the perceived problem. Another encryption hearing, again hosted by a visibly irritated John McCain (this time the villain is Twitter), featured testimony from NSA Director Michael Rogers [PDF] and Undersecretary of Defense for Intelligence Marcel Lettre [PDF] -- neither of whom offered support for mandated backdoors.
As nice as that sounds, the testimony wasn't so much "We support strong encryption," as it was "We support strong encryption*."
Lettre's testimony follows statements of support for encryption -- and opposition to legislated backdoors or "golden keys" -- with the veiled suggestion that the government will be leaning heavily on tech companies to solve this problem for it.
We need to strengthen our partnership with industry to find ways to protect against the national security threats to the United States. We will continue to work closely with our industry partners to find innovative ways to outmaneuver malicious actors' adoption of strong encryption, while ensuring that individual privacy interests are protected.
The problem here is that encryption isn't so much a privacy issue as it is a security issue. Approaching it from this incorrect angle suggests Lettre isn't opposed to backdooring encryption as long as access isn't abused by the government. But that limitation isn't going to stop malicious actors from abusing backdoors or other security holes built at the government's behest. It could be that Lettre misspoke, but that misreading of the real issue casts doubt on the sincerity of the rest of that paragraph.
I believe any steps we take as a government must be carefully considered to avoid introducing unintentional weaknesses in the protection of our commercial networks and national security systems. We should also be careful not to negatively affect our economic competitiveness as a world leader in technology, which could unintentionally drive technology innovation outside the United States.
This isn't quite as supportive as it might look at first glance either. Lettre wants to protect "commercial networks" and "national security systems." This wouldn't appear to cover computers, cellphones, or other personal devices that utilize encryption to protect their contents. Nor does it appear Lettre wants to extend his "hands off" approach to communications platforms that offer end-to-end encryption.
The NSA director's testimony is a bit better. There's far less hedging in Roger's statement than in Lettre's. Then again, it's far more vague in terms of the NSA's intentions. His statement poses more questions than answers (both figuratively and literally -- it ends with a "where do we go from here" question), but it does hint at being aligned with Lettre's suggestion that partnering with tech companies is a better solution than legislative mandates.
However, in the NSA's case, its "partnerships" with tech companies often don't appear to include approaching them directly. If anything, the "way forward" is the way things have been done for years by the NSA's Tailored Access Operations. Why ask for mandated backdoors when you can just intercept hardware shipments to install your own? Or reroute server traffic with man-in-middle attacks that grab content before encryption is applied?
While it is heartening to see natsec leaders refusing to back legislation pushed by Security Committee members, the fact is that there's still a powerful law enforcement lobby that can't be ignored -- one that begins with James "My god, it's full of darkness" Comey and runs all the way down to local-level district attorneys.
These entities may not offer much vocal support for mandated backdoors and do actually realize the harm they'll cause, but as long as their own stuff stays relatively protected, they're not necessarily opposed to anything that makes it easier to access communications and data.