Between the FBI and the NSA, arguments against encryption that locks bad guys out (and, consequently, the government) have filled the air over the past several months. “Going dark” is the repeated concern, as if encryption would leave the nation’s intelligence and investigative agencies without any options to pursue terrorists/child pornographers. It’s all FUD and it’s all dangerous, because carving small holes in encryption CARVES HOLES IN ENCRYPTION. Never mind the intended uses of golden keys/backdoors. A hole is a hole. The Department of Defense seems to recognize this fact, making it one of the only government entities involved in fighting worldwide terrorism to openly do so. Bruce Schneier asked Admiral James Winnefeld Jr. (vice-chairman of the Joint Chiefs of Staff) a question about encryption during a recent cybersecurity summit (video here — relevant part at 32:52) and received something almost entirely removed from the current party line.
Bruce Schneier: I’d like to hear you talk about this need to get beyond signatures and the more robust cyber defense and ask the industry to provide these technologies to make the infrastructure more secure. My question is, the only definition of “us” that makes sense is the world, is everybody. Any technologies that we’ve developed and built will be used by everyone — nation-state and non-nation-state. So anything we do to increase our resilience, infrastructure, and security will naturally make Admiral Rogers’s both intelligence and attack jobs much harder. Are you okay with that?
Admiral James A. Winnefeld: Yes. I think Mike’s okay with that, also. That’s a really, really good question. We call that IGL. Anyone know what IGL stands for? Intel gain-loss. And there’s this constant tension between the operational community and the intelligence community when a military action could cause the loss of a critical intelligence node. We live this every day. In fact, in ancient times, when we were collecting actual signals in the air, we would be on the operational side, “I want to take down that emitter so it’ll make it safer for my airplanes to penetrate the airspace,” and they’re saying, “No, you’ve got to keep that emitter up, because I’m getting all kinds of intelligence from it.” So this is a familiar problem. But I think we all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike on the intelligence side than very vulnerable networks and an easy problem for Mike. And part of that — it’s not only the right thing to do, but part of that goes to the fact that we are more vulnerable than any other country in the world, on our dependence on cyber. I’m also very confident that Mike has some very clever people working for him. He might actually still be able to get some work done. But it’s an excellent question. It really is.
Fittingly, the Department of Defense recognizes the importance of defense. Adding backdoors to encryption weakens defenses, including those used by government agencies and operatives. You can’t simply introduce circumvention and pray that nobody other than approved parties makes use of it. The FBI/NSA’s obsession with government-ordered peepholes makes everything worse for everyone, not just their intended targets. But these agencies are wholly unconcerned about collateral damage. That much is evident from their bulk surveillance programs and use of intercepts that gather everything before searching the data haul for incriminating material or useful intel. Encryption is at odds with haystacking, which these agencies continue to prize highly (and defend heatedly) despite clear evidence that intelligence gathering like this is inefficient at best, and wholly useless at worst. Schneier goes on to point out that Admiral Mike Rogers, the head of the NSA, continues to push a narrative at odds with the DoD official’s answer. Two weeks after this conference, Rogers gave a keynote address at CyCon, repeating his unfounded belief that encryption can be “safely” bypassed without compromising it.
Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so “why can’t we create a similar kind of framework within the internet and the digital age?” He added: “I certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we shouldn’t allow any means for the government to access information. I would argue that’s not in the nation’s best long term interest, that we’ve got to create some structure that should enable us to do that mindful that it has to be done in a legal way and mindful that it shouldn’t be something arbitrary.”
So, the Dept. of Defense says one thing, Mike Rogers (who was in the audience at the first conference) nods in agreement, and then goes on to contradict the stance of those helming the department directly above his agency in the government’s organizational chart. Rogers’ nod to privacy is every bit as meaningless as his faux nod in agreement to Winnefeld’s statement. There’s very little being done by the NSA to “ensure” the “privacy” of American citizens. One only has to look at its purposeful weakening of NIST standards to see evidence of that. The FBI and NSA are more than willing to respect citizens’ rights, but only if doing so doesn’t make their intelligence gathering any more difficult. Privacy is always subservient to these agencies’ ends, no matter how many statements they offer up that begin with lip service to privacy before adding, “but…”
Originally posted at TechDirt