A Lack of Cooperation Between Tech Giants and the U.S. on Encryption Makes Us Less Secure

Fears about allowing law enforcement to gain access to encrypted data for criminal investigations — that it would put us on a slippery slope to massive digital privacy intrusion — are well-intentioned, but misguided.

While Americans care deeply about privacy, we also expect law enforcement agencies to fully investigate and prosecute terrorist or other criminal activities. Faced with these expectations, law enforcement cannot simply give up on trying to acquire the data they need for criminal and terrorism investigations. They will need to find other means to access that data — data that a court has deemed important to an investigation.

Establish an International Precedent for Sharing Encrypted Data

People and companies don’t get to choose when to obey the law. If a company is served with a lawful order to assist with an ongoing criminal investigation and it is possible for that company to assist, it has to comply. Apple was served a warrant. If it can comply, it has to service the warrant. If it can’t comply, it can ask a judge to vacate the warrant.

Apple says it can’t open the iPhone’s encrypted passcode. If this is true, they are off the hook, but if they can build the technology to comply (or already have), they need do what the warrant asks.

Posturing and Politics for Encryption

The encryption debate has been largely unencumbered by facts. That deserves a separate discussion, but for now, let us consider Apple’s stout refusal to cooperate with the FBI in gaining access to data stored on the phone of one of the San Bernardino murderers.

Apple’s motives are clear, if not clearly expressed. The Snowden revelations damaged the brand of all American technology products. To assuage their customers, some companies offer “end-to-end” or unrecoverable encryption. It is the growth of these commercial encryption services offering unrecoverable encryption to a mass market that is of the greatest concern to law enforcement and intelligence agencies. To reassure a global market, these companies announce they will not cooperate with American authorities. This is a reasonable response to rebuild credibility, but it is not sustainable.

Moving Forward with the Obama-Xi Cybersecurity Agreement

Moving Forward with the Obama-Xi Cybersecurity Agreement

China’s leaders often talk about the need for a “new model of great power relations.” The agreement on cybersecurity between President Xi and Obama is a first step in defining it. The agreement does not mean we are done with cybersecurity. It is the start of a long journey to define both cyberspace and the larger relationship.

Serious discussions on how to respond to China’s cyber espionage began several years ago. A strategy that combined pressure and accommodation seemed the best alternative to passivity, and U.S. concerns were raised many times, including in a December 2013 non-paper given to Chinese officials that discussed sanctions, indictments and other measures if matters did not improve. At the time, there were objections that this approach wouldn't work because Chinese culture and attitudes worked against reaching any agreement and that we could not influence their decision-making. These criticisms were wrong. If there are grounds for criticism, they would be that it was wrong to let so many months pass between indictments (which, contrary to much of the public discourse, had a powerful effect) and any follow on action.

Measuring Cybersecurity Success at the Summit

Measuring Cybersecurity Success at the Summit

If press reports are accurate, it is a welcome development that the United States and China (in response to the threat of sanctions) have begun negotiations on cyber security in preparation for the upcoming summit. The Obama administration has a unique moment of leverage on cyber security with China and must be careful not to squander it. We cannot expect the summit to “fix” the problem – this will be a long process if it is serious – but we can look for certain outcomes that can demonstrate whether these presidential talks point to progress or are just another gesture.

Friends Don't Let Friends...

Friends Don't Let Friends...

Recent leaks reporting that the United States might sanction China reflects growing – but not universal - agreement in Washington that the United States needs to respond forcefully to rampant Chinese cyber espionage and that the authorities established by April’s Executive Order on cyber sanctions are the best option. There are several reasons for this. First, nothing has worked when it comes to economic espionage. According to data collected by the FBI and NSA, China is responsible for more economic espionage directed at U.S. companies than any other country – perhaps more than all other countries combined. This has been true for years.

The amount of economic espionage is troubling, but even more troubling is China’s decision to ignore hints, suggestions and direct requests from the United States. This indicates a certain disrespect and is a disturbing indicator for the bilateral relationship. Cyber espionage has been raised at senior levels repeatedly since 2009. President Obama made it agenda item number one at the Sunnylands Summit. The Chinese ignored all this. The only U.S. action that got their attention was the indictment of five PLA officers in 2014. Some Americans greeted the indictments with misgiving (and other with confusion), but the indictments remain the most effective public action the United States has taken to date. The chief criticism of the indictments is that the United States has been slow to follow up. If any sanctions are a “one-off,” not followed with concrete proposals for reducing tensions, we will not gain much at all.

Encryption: Roars from Stage Left

Let us subject today's Times Story "13 Aged Cryptographers Lament" to a little scrutiny.  It (or its subject) looks  like something sculpted up to fit an agenda, not a complete assessment of the problem.  Start with two reference points:

  • No system is unpenetrable.  We are talking about how much it costs to get in.  Raising the cost of hacking is a good goal, but this will never be a risk free environment.
  • Nobody will use encryption when they know a third party can get access to their communications.  Most people don't know what happens to their data now, and I'm not sure most of them care.
  • Much of what drives the debate is not keeping government out, it's keeping the US government out, reflecting a larger distrust (and willful ignorance of foreign activities and intentions).

An Abbreviated History of Recent Foreign Intelligence Disasters

This is not the other side collecting military, political, or economic, intelligence on us.  This is the other side collecting intelligence on how we collect intelligence.  More later.

2015 - Sequence of hacks of health care companies, background investigators, culminating (so far) in OPM.  Chinese obtain security clearance background information on millions of Feds.

2015 - State Department and unclassified White House networks penetrated again, probably by Russians.

2014 - State Department and unclassified White House networks penetrated.

OPM Hack - causes not symptoms

Listening to NPR this morning reminded me how much of the cyber security discussion is like classic crime reporting, focused very much on symptoms rather than causes.  Let's take a step back and ask what the OPM hack tells us:

1.  This kind of hack is what people do to those they regard as opponents.  The PLA, the security services and the Party leadership, regard the US as their primary opponent.   Some of this is vestigial Maoism - you can't have thirty years of bellowing about hegemony with it leaving some trace.  Some of this is an immature approach to great power politics tinged with Lenin's theory of imperialism.  If China at large is ambivalent about peaceful rise, the military and security services are not.  They believe that the US is their opponent and seeks to defeat them.  The US doesn't help with its various half-hearted efforts (like internet freedom) that the Chinese leadership sees as intended to undermine the regime.  The internet is a mortal threat to the Party's rule and they justify their actions by saying that what the US seeks is regime change.  We also spy like crazy on them, which they knew and resented even before Snowden.

Electronic Surveillance After Section 215 of the USA Patriot Act

Last night, Section 215 of the USA Patriot Act, the law authorizing the U.S. government to collect a broad variety of business records for national security investigations expired after Congress failed to pass the USA Freedom Act, a straight reauthorization of the provision, or any alternative bill that would have extended the authority. Current and former intelligence community officials and FBI Director James Comey have said that Section 215 provides an essential tool and losing the authority will “severely” impact terrorism investigations, but the truth is that the government can most likely access the same information through other surveillance statutes that did not expire.

What Happens on June 1?

...when Patriot Act provisions expire, including the infamous 215 metadata program?

If we are lucky, not a lot, at least not right away.  Big terrorist operations take a few months to plan and potential attackers probably won't believe the US will do something this dumb to itself until it actually happens.  A lone wolf may feel emboldened, but organized groups will initially be cautious. 

Identity Technologies: Trends, Drivers, and Challenges

Unclassified version of NIC report on identity released today.  Finished in August, but took months to clear. Here's the Executive Summary:

All developed nation states are proceeding with physical identity programs, particularly with research and development (R&D) in academic institutions. Besides the United States, some other major players are China, Germany, and the United Kingdom. Privacy concerns are not as prevalent in some other countries, so they have the potential of outpacing the technological developments of the United States.  

Being Candide About Cyber Security

Being Candide About Cyber Security

One of the funnier parts of the Sony hack was all sorts of people opining why it couldn’t be North Korea when their first-hand knowledge of intelligence activities could be inscribed on an index card with room to spare. I see something similar in this recent blast for a DC event:

"In 2009, 60 Minutes reported that cyber attacks had shut down the electric grid in parts of Brazil. Around the same time, the NSA’s General Keith Alexander told reporters about a destructive cyber attack at a Russian dam. And just a year ago, a flock of renegade parrots allegedly caused a power outage for thousands of Californians. One of these stories was actually true – the wild parrots in California. The other events happened, too, only faulty equipment or poor maintenance was ultimately to blame."