Encryption

Why the Support for Crypto

By Susan Landau
Monday, September 21, 2015, 1:39 PM

No one could miss the Washington Post story on the options the Obama administration is considering regarding cryptography. They are, in varying degrees, in favor of keeping the status quo ante (Option 1: Disavow Legislation and Other Compulsory Actions; Option 2: Defer on Legislation and Other Compulsory Actions; and Option 3: Remain Undecided on Legislation or Other Compulsory Actions) and, if not all exactly what Apple, Google, and the other Internet behemoths have been arguing for, close enough to look like industry won over the FBI's wishes. At least that's how Ben sees it. I agree in part with Ben, and disagree in part.

Ben is absolutely correct on the political analysis that Silicon Valley won this round. I also agree with him that any attempt to legislate or regulate the use of encryption this late in the administration is unlikely to really work. But I split with Ben on the why of the decision. It's an argument that we have had before, but it is worth repeating here.

For the FBI, the arguments about the easy availability of difficult-to-break cryptography appear to be that cryptography that impedes law-enforcement investigations needs to be controlled even if those same tools help secure communications and data. Securing data is, of course, of great concern, whether we are talking about the OPM hack or the Sony attack. As my co-authors and I noted in our Keys Under Doormats report, enabling exceptional access — cryptography that secures the data but nonetheless enables access to law enforcement under legal authority — breaks forward secrecy (which would have protected all Sony communications conducted before the North Korean access happened) and authenticated encryption, both critical tools for security. The FBI seems not to understand the importance of these security concerns.

But if the FBI doesn't understand the importance of these concerns, it seems that the national security community does. Here's why my interpretation of the issues splits from Ben's. I don't think it's that Silicon Valley won this fight — though it certainly benefits. It's that our national security interests argue for broader use of encryption throughout the infrastructure.

This was true in 1996, when the National Academies issued its report on Cryptography's Role in Securing the Information Society; it was true in 2000, when the US government loosened its export-control rules on cryptography; and it was true in 2001, when just two months after the terrorist attacks, the government approved the strong Advanced Encryption Standard as a Federal Information Processing Standard (the algorithm's broad domestic and international use has strongly benefitted security).

The rationale, which I have discussed at length in an article (in the Journal of National Security and Policy), has to do with a combination of factors in US defense policy. These include our government's increased reliance on Commercial-off-the-Shelf communications and computer equipment, its increased use of ad-hoc military coalitions in war fighting (which means that NATO-style interoperable communications systems cannot be developed), and the speed of Silicon Valley innovation (with which Pentagon procurement systems can't really compete).

It's an awkward dance for the DoD to publicly state that it is splitting with the FBI on the encryption issue. But the National Security Council draft options paper never mentions national-security threats as a concern in the option of disavowing legislation controlling encryption (it does acknowledge potential problems for law enforcement). The draft says that the no-legislation approach would help foster "the greatest technical security." That broad encryption use is in our national security interest is why the administration is heading to support the technology's broad use. That's the story here — and not the one about Silicon Valley.