On Monday, Paul Rosenzweig suggested a number of areas in which the recently formed Commission on Enhancing National Cybersecurity should focus in charting the US government’s path forward. While I agree the government must rethink strategic policy choices, Rosenzweig is putting the cart before the horse. Before we can construct an effective long-term policy agenda, the government must first repair a number of critical relationships.
The Commission will actually be most useful if it generates a set of concrete recommendations on how to remediate rifts with the technology community, the international community, and US citizens. Only then can we turn to the more substantive matters of US cybersecurity policy.
Surrendering the Crypto Wars
Nearly every cybersecurity policy directive of the past decade has included an emphasis on building “public-private” partnerships. And yet, the relationship between government and private industry has evolved—or devolved—in the opposite direction. Increasingly, my own customers in Silicon Valley, the New York financial sector, and overseas view the United States government as the chief adversary in information security. This sentiment must be changed if public-private partnerships are to be the cornerstone of US cybersecurity policy.
The first step in repairing the relationship with Silicon Valley? Find a way to gracefully surrender the crypto war. Surrender, in this case, is the right word. This is not an area where a lot of compromise is available, and the situation has become so hostile that an orderly “retrograde movement” is the best option.
The importance of this is illustrated by Rosenzweig’s own suggestion to designate NIST as the institution to oversee a “public/private/global inquiry for the purpose of identifying ... engineering vulnerabilities.” The irony, of course, is that NIST’s reputation in the information security community has been severely compromised by revelations of NSA’s undue and covert influence in developing cryptographic standards. Sustained public litigation over law enforcement and intelligence community access to encrypted information will only serve to further heighten tensions over the government’s role in potentially hindering strong information security standards.
It may be a bitter pill for the FBI to swallow, but there are graver security threats facing the nation. Surrendering the crypto wars will allow us to move forward to focus on solving the bigger problems ahead.
The government cannot develop meaningful strategic policy without productive engagement from the private sector on a host of issues. Only the participants in a market can fully understand the incentive structures and nuance of technical issues.
Take, for example, the issue of buffer overflows, which Rosenzweig addresses in his piece. While buffer overflows are often championed as a systemic risk that we could end with sufficient technical effort, in reality they represent a bug class resulting from common-sense design decisions. The physics of the problem is clear: to make things fast you need a language (the C programming language) which is also supremely flexible. The result is subtle flaws which have major security impact. Outside the technology community, fixing these flaws seems simple: move to a secure language like Java, or simply avoid mistakes when writing code! But in the context of complex and performance-critical applications, using a secure (“managed”) language is not a reasonable trade-off. That’s why the core of the browser you are reading this article on is written in C. Rosenzweig rightly notes that buffer overflows are a market choice and not a technical requirement. But, compared to the alternatives, they are the sane choice.
Recognizing that a decade of cyber policy recommendations have not been wrong—that private sector participation really is critical—the initial focus has to be on creating an environment where that kind of productive private sector exchange can thrive. Once those conditions are achieved, we can get to finding solutions.
Ending the crypto wars by making a clear executive policy determination to favor strong encryption over law enforcement access does not just result in the benefits championed by encryption advocates. It also creates a space to begin to heal some of the damage inflicted by the Snowden disclosures and the counterproductive rhetoric in the wake of “Apple v. FBI,” and, critically, provides a bulwark for American industry against Chinese Government requests that mirror this argument.
FBI Director Comey and others in the government tend to focus on the specific legal dimensions of government access. Applying an exclusively legal framework to these issues results in Comey’s claims that a lawsuit is just about “one iPhone,” or sillier statements by prosecutors regarding potential “cyber pathogens.” As a matter of political maneuvering before the general public, these statements might be useful. But they are deeply alienating to the information security community. This reaction is not because that community is reflexively hostile to law enforcement. In reality, engineers for Google, Facebook, Apple, Microsoft, and financial services are largely individuals who previously served in the intelligence community. These communities do not perceive the FBI’s statements as savvy political moves; they deeply understand the technical workings of government and law enforcement and consider the statements blatant and insulting lies.
Beyond alienating the very people the US government needs to partner with most, the crypto wars are creating a deeper divide between information security within the government and in the private sector. The loss of talent from our top intelligence agencies to the private sector is of grave strategic national security consequence.
Currently, Congress and the courts are in a stalemate over various encryption issues. As the Obama Administration draws to a close, there is a window to make a bold statement to resolve the matter before the next president takes office. The apparent alternative is for the White House to continue to avoid taking any clear position. But absent the unlikely passage of highly unpopular legislation (Burr-Feinstein was an obviously empty threat that served only to cause ill will), the industry will increasingly introduce end-to-end encryption. Therefore, silence equates to a tacit acceptance of end-to-end encryption as the norm. Avoiding the issue might seem like the convenient path, but in reality the current strategy fails to deliver what law enforcement is asking for while also permanently damaging relations between the technical community and the US government. It is a lose-lose.
Once the government has addressed encryption as a core rift, it can begin to take affirmative steps toward building constructive partnerships. One area ripe for reform is clearances and classification. Through its intelligence services and law enforcement resources, the US government has critical information regarding cybersecurity threats that is simply not available to the broader community. But there is increasing recognition that critical infrastructure is owned and operated by the private sector. “Public-private partnership” does not mean only sharing the costs of securing our infrastructure; it also means sharing the risks, including the risk that classified information may become compromised.
Whichever industries we designate as operating “critical infrastructure,” their security staffs, consulting teams, and executives are critical as well.
The CSO of every major US bank should have a Top Secret clearance and the government should develop mechanisms to securely share information and indicators. The recently passed Cybersecurity Information Sharing Act directs the government to establish such a process, but without setting specific standards for the kinds of information to be shared. The Commission should make recommendations aimed at highlighting the importance of achieving this goal, and encourage the government to be forward-leaning in bringing cleared industry partners into the classified space.
The problem, of course, isn’t limited to banks. Small companies are critical to much of the work being done in information security, yet they are essentially precluded—by resources and bureaucracy—from sponsoring employee clearances. The rules and regulations of the classification system were not designed to accommodate sharing information “at scale,” and the magnitude of our current cybersecurity threats demands a new approach.
Another relationship in need of reconstruction is with the international community, particularly Germany. What the US views through an information security lens, the Germans consider a privacy issue. German officials frequently reference “human rights” as code for disapproval of US SIGINT practices against Europeans.
As important as repairing relationships with allies is, the US must also set a clear tone for our adversaries. The Commission should not shy away from making recommendations on broader international cyber norms and enforcement. After all, these global norms will be foundational to the “national” cybersecurity the Commission is tasked to improve. To demonstrate we are serious about repercussions for economic espionage, we must enforce our threatened actions against China. Fuzzy agreements with President Xi that the PLA will not hack US companies for economic benefit are insufficient. Whatever we do in this area must also scale—we cannot leave it as a policy only for the largest and richest US companies.
Strengthening international norms through robust enforcement is an area in which the US can generate significant goodwill with domestic companies and international partners, especially since virtually all major US companies are “international” at some level. The US government is positioned to have a significant impact and is able to wield tools, like legal enforcement actions and sanctions, which are unavailable to private industry and less effective in the hands of non-US powers. In other words, this is an area where there is an aligned community of interest and the US government is uniquely able to represent the equities of its industry and allies. To not do so would forfeit a significant opportunity to heal rifts.
Rules of the Road for Domestic Law Enforcement
Last but certainly not least, the Commission should focus on making recommendations aimed at repairing trust between the government and US citizens in online law enforcement. Increasingly, domestic law enforcement will be using hacking tools to find suspects and evidence of criminal activity on the Internet. The Playpen case has brought into focus a number of issues regarding the authority of particular judges to issue warrants, the application of Fourth Amendment protections to online activity, and discovery obligations to provide defendants with access to the tools used against their machines. The much-maligned, but indisputably useful, “National Security Letter” may have to be a casualty of this process.
Ultimately, these complex issues will be decided by Congress and the courts. But they are playing out against the backdrop of a public which is at best confused, and at worst deceived, regarding law enforcement activity undertaken in cyberspace. A Commission on Enhancing National Cybersecurity should recognize the importance of trust to cybersecurity overall. It should develop recommendations aimed at ensuring that the public and judges have a baseline technical understanding of the issues. Its recommendations should also account for mechanisms to incorporate broader cybersecurity equities into government decision-making.
The policy community has a lot of work to do. But if we are going to implement effective policy, we must be honest about the need to settle the major rift between government and industry on cryptography, intelligence, and privacy. What is at risk is larger than “Going Dark” or any particular law enforcement or national security tool. At stake are the fundamental trade-offs—various parties engaged in give and take—that allow many of our policies and regulations to work at all.