A think tank effort led by a former top cybersecurity official at the Department of Homeland Security will try to unlock one of cybersecurity’s most intractable policy problems: Balancing the needs of law enforcement against personal privacy when it comes to encrypted communications.
“We will suggest balanced approaches, so it’s guaranteed to be unsatisfactory to every party,” joked EastWest Institute Vice President Bruce McConnell, the one-time DHS cyber chief. The institute is led by industry, academic, and former government leaders, and deals with economic and security issues. “It’s not a solution,” McConnell said, “but we are suggesting approaches.”
The EastWest report, expected to be released at the annual Munich Security Conference in February, “will pick winners and losers,” McConnell acknowledged, “and have more of an international focus” than other works on the topic.
FBI Director Christopher Wray, much like his predecessor James Comey, has repeatedly called on the tech community to come up with a solution allowing the FBI to access smartphones and other encrypted devices with a warrant. The bureau, along with state law enforcement and some in the intelligence community, say criminals and terrorists are using encryption to plan their activities and then cover their tracks. The issue came to a head in 2016, when the FBI paid professional hackers to crack into the iPhone belonging to Syed Farook, one of the two San Bernardino attackers.
“We have to find a responsible solution fast,” Wray said at an FBI-Fordham University event in New York this month. He suggested emerging technologies such as quantum computing could provide answers.
Wray said the FBI does not want a “back door” to devices, but tech industry representatives and civil liberties groups believe that is exactly what the FBI is asking for.
These groups and their allies in Congress have said the FBI’s call for dialogue and compromise misses the point about the nature of encryption. Requiring companies to provide a way into their encrypted devices will undermine security because such access amounts to a back door that bad actors eventually will exploit, opponents say.
“The laws of mathematics have not changed, so our position on encryption remains the same,” one tech industry source said last week.
Former Estonian President Toomas Hendrik Ilves, who is a leading voice internationally on cybersecurity and now a distinguished visiting fellow at Stanford’s Hoover Institute, called a back door “the worst thing you can have” and said “whoever has the key has the key to the kingdom.”
He said it would be impossible to regulate encrypted devices, particularly across international borders, saying “people will come up with encryption, no matter what.” He also questioned how companies or government agencies would protect a key. “Insider threats make the idea of a key too dangerous,” he said, pointing to the Edward Snowden affair as just one example of the potential risk.
Against that backdrop, former DHS official McConnell agreed that “the conversation continues to be fractious” and that “balancing of equities is something every government has to wrestle with.”
The group will offer two potential paths out of the encryption policy stalemate, McConnell said, proposing “two different, contrasting national policy regimes, with both including some access to some plain text in some cases, under strict legal and policy controls.”
To date, Senate Intelligence Chairman Richard Burr, R-N.C., and other congressional supporters of requiring tech companies to ensure that law enforcement can access encrypted data have been frozen in place, fully aware that opponents of “back doors” can block any legislative movement.
Wray and others in law enforcement have stressed they want to see a compromise, preferably one generated by the techies themselves. The tech community says the issue doesn’t lend itself to splitting differences.
The upcoming EastWest Institute report could jump-start efforts to legislate on the issue by offering an out-of-box solution that compels both sides to recalibrate their positions. In any case, reactions to the report will likely signal whether a solution to this policy dilemma is even possible.
