House Committee Seeks Crypto CalmBut Legislative Group Hug Won't Change Encryption Facts
Would access to better information pertaining to encryption help Congress pass good crypto-related laws?
That's the impetus behind the U.S. House of Representatives Homeland Security Committee this week releasing a new report, Going Dark, Going Forward: A Primer on the Encryption Debate. The report is based on more than 100 meetings and briefings that the committee has had over the past year "with key stakeholders" and is meant to represent all sides of the encryption debate.
The report springs from House Homeland Security Committee Chairman Michael McCaul, R-Texas, and Sen. Mark Warner, D-Va., a member of the Senate Intelligence Committee, advocating for a National Commission on Security and Technology Challenges (see Report: Apple Building iPhone It Can't Hack). This "Digital Security Commission" would "forge a general concurrence of opinions, informed by a common understanding of the underlying facts." The top-level goal, they say, is to educate Congress on the contentious - and complex - crypto debate.
Given the anti-intellectual ethos seemingly espoused by many legislators, and crypto's hot-button "law and order" crossover, that may be an overly optimistic goal.
Paris, San Bernardino: No Crypto
Regardless, the report includes factual errors in its first paragraph that inadvertently highlight common - but erroneous - "going dark" rhetoric:
"Public engagement on encryption issues surged following the 2015 terrorist attacks in Paris and San Bernardino, particularly when it became clear that the attackers used encrypted communications to evade detection - a phenomenon known as 'going dark.' While encryption provides important benefits to society and the individual, it also makes it more difficult for law enforcement and intelligence professionals to keep us safe."
In fact, all information released to date about the attacks suggests that attackers in Paris used disposable burner phones, not encryption. Likewise, the iPhone 5c issued to San Bernardino shooter Syed Rizwan Farook by his employer - San Bernardino County - was set to require a passcode to unlock the phone. Hence both attacks are notable in part because attackers did not use encryption.
Security vs. Security
Thereafter, however, the report makes some notable points, noting, for example, that this debate isn't about "security versus privacy," but rather "security versus security," meaning that weak crypto demanded by the "good guys" can be easily abused by the bad guys, be they criminals, unfriendly nation-states or unscrupulous competitors.
The report also surveys responses to the increased use of encryption in society, including at least 63 confirmed cases involving the Justice Department attempting to use the 1789 All Writs Act in court to force Google or Apple to provide it with access to data (see Apple Accuses DOJ of Constitutional, Technical Ignorance ).
The report also touches on crypto discussions underway in some other countries:
- Britain: The draft Investigatory Powers bill currently being debated in Parliament would allow the government to compel any organization to decrypt data or build backdoors into their products. In the face of criticism, however, the House of Lords has included a provision saying such requests must be "technically feasible and not unduly expensive," although exact definitions continue to be debated.
- France: Legislators have been pursuing legislation that would punish any company that doesn't decrypt data when the government demands that it do so.
- Germany and the Netherlands: Both have promised to enshrine individuals' access to strong crypto.
Strong Crypto: Can't Stop It
When it comes to the Digital Security Commission being proposed by McCaul and Warner, they say it's got the backing of everyone from CIA Director John Brennan and Apple CEO Tim Cook to former House Speaker Newt Gingrich, R-Ga. and former House Intelligence Committee member Jane Harman, D-Calif.
Cook, for example, has said: "Our country has always been strongest when we come together. We feel the best way forward would be for the government to ... form a commission or other panel of experts on intelligence, technology and civil liberties to discuss the implications for law enforcement, national security, privacy and personal freedoms. Apple would gladly participate in such an effort."
By all means, dialog is good. But the result of any crypto fact-finding mission should already be clear: Anyone who wants to use crypto will be able to do so, and there's no law Congress can pass to magically change that reality (see Why 'Cryptophobia' Is Unjustified).
Beware Weak Crypto Prophets
Earlier this month, Brennan tried to claim otherwise to a Senate committee asking if mandatory crypto backdoors would hurt U.S. businesses by suggesting that strong crypto only exists in the United States. "U.S. companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said. "So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."
Brennan's statement was quickly dismantled by cryptography experts such as Bruce Schneier, who notes that "strong foreign cryptography hasn't been 'theoretical' for decades." Indeed, a report he co-authored, released earlier this year, counted 865 hardware or software products that use encryption, developed in 55 different countries. Two-thirds of those products hail from outside of the United States (see Crypto Review: Backdoors Won't Help).
Congress: Don't Change Now
When it comes to cybersecurity matters - such as a national data breach notification law - Congress has already carved out a niche: Do nothing (see Presidential Candidates All But Ignore Cybersecurity).
Where crypto is concerned, that's exactly what Congress should continue to do, lest legislators undermine our collective security by inflicting us with weak crypto.