Cybersecurity

Lawful Hacking and the Case for a Strategic Approach to “Going Dark”

By Susan Hennessey
Thursday, October 13, 2016, 12:01 PM

As part of a series on "," I recently released a Brookings policy brief on a strategic approach to “Going Dark” for the next administration. Recognizing the current deadlock—and need for a new approach—I recommend that the executive branch adopt a policy of fully exploring alternatives to legislative mandates, with lawful hacking as the central component. Below is an excerpt of my case for a strategic approach and the components of a National Strategy on Lawful Hacking necessary to making it work. The is available here.

A STRATEGIC APPROACH TO MOVING FORWARD

Thus far, the Federal Bureau of Investigation has been the public face of the government’s engagement in the going dark debate. This has created ambiguity as to whether FBI Director Jim Comey speaks on behalf of the federal government, on behalf of law enforcement, or only for himself. The federal government is not monolithic, after all, and technological developments have uneven effects on the equities of different agencies. Therefore, it is not surprising that there is no consensus view even within government on the best way to address the problem. But the lack of any clear government position gives the impression of internecine battles and masks shared principles.

Stronger leadership is needed in order to clarify the government’s interests and goals. A coordinated interagency position does not require reaching agreement on the ultimate solution. Instead, the White House should coordinate a position that articulates the government’s view regarding the general scope and severity of the impact of going dark on law enforcement specifically.

Some forms of communication will always remain inaccessible, and the proper balance of information security and law enforcement needs will require trade-offs. But the government must be clear that the American people expect law enforcement to prevent, investigate, and prosecute crimes. It would be unacceptable and intolerable for the executive branch to simply accept that police function be significantly impaired, especially in the context of serious offenses. However, where experts agree that the most direct and comprehensive solution—a legislative decryption mandate—would have significant security downsides and potentially wide-ranging unintended consequences, prudence requires investigating potential alternatives.

The executive branch should deliberately set itself to solving as much of going dark as is possible before resorting to costly and controversial legislation, especially since it is clear that a legislative solution is unlikely to become politically feasible any time soon. Under the best outcome, a genuine investment in varied alternative strategies—possibly coupled with technological developments favoring law enforcement equities—would create a stable situation moving forward. But even if it does not, exhausting alternatives is useful in demonstrating the necessity of comprehensive mandates.

Adopting a strategic position of pursuing alternatives also has the benefit of clarifying the opposition. Many companies and advocacy organizations state that they support law enforcement action and believe crimes should be fully investigated; their objection is only to making imprudent security sacrifices to that end. This strategy would present a good-faith attempt to reconcile those views by pursuing “least bad” alternatives. But those who oppose not only performance standard legislation, but also all feasible alternatives, in effect endorse a view that it is tolerable for law enforcement to be unable to detect, prevent, investigate, or prosecute certain offenses.

A NATIONAL STRATEGY ON LAWFUL HACKING

Lawful hacking is a necessary, though possibly not sufficient, element of a workable solution without mandated exceptional access. Therefore, lawful hacking should be viewed as the central element of a comprehensive alternative strategy, which includes investments in using metadata and the emerging Internet of Things to offset the losses to communication content that make up the going dark problem.

The ultimate utility of lawful hacking will depend as much on legal developments as technological ones. This series of complex and interrelated legal questions is central to the future of law enforcement and U.S. national security. Those questions should not be answered haphazardly or based on the expedient incentives of individual criminal cases, and instead must be given adequate thought.

To achieve this, the administration should direct the Department of Justice to develop a national strategy on lawful hacking. Below are recommendations for elements of an effective national strategy.

1.       Coordinate lawful hacking investigations and prosecutions.

  • Categories of cases related to lawful hacking should be coordinated by Main Justice, including those involving the use of sensitive government tools, novel network investigative techniques, or where a single warrant is expected to result in prosecutions in numerous but unidentified jurisdictions. Coordination ensures consistent representation of the government’s position on the legal questions central to the success of this alternative strategy.

  • The Department’s litigation strategy should focus on obtaining the clearest possible answers, and not fear establishing unfavorable precedents. Here, the resolution of legal questions may be more important than the answers themselves. For example, one controversy currently being litigated is whether a defendant is entitled to review sensitive computer code related to law enforcement techniques. Hacking tools are necessarily perishable, but an obligation to disclose in court would dramatically reduce the useful lifespan. While some proponents advocate for law enforcement to temporarily exploit and then quickly disclose a vulnerability for patching, this is infeasible in practice and would significantly limit the efficacy of lawful hacking as a broader solution. The sooner the executive knows whether such code must be disclosed, the sooner it can strategically invest resources in further pursing the strategy or instead seeking legislation in Congress.

2.       Support a technologically-informed judiciary.

  • The executive branch should call on the Federal Judicial Center to develop a reference manual on computer science aimed at empowering the federal judiciary to independently evaluate the relevance and materiality of evidence involving computer code and information technology systems. The executive branch has a significant interest in ensuring correct, technologically informed judicial decisions related to lawful hacking and should provide technical support, and expertise to aid the development of such a guide.

  • The executive branch should, to the extent possible, support the designation of independent court-appointed experts. Pursuant to federal evidence rules, courts are entitled to appoint experts of its choosing. In the context of lawful hacking investigations, this would be valuable to assist judges in determining the relative credibility of defense and prosecution expert testimony. And where tools related to lawful hacking contain classified or highly-sensitive information, the government should seek to designate specially-cleared, impartial experts. This is a limited solution, but similar strategies have been successful mechanisms for independent assessment of highly-sensitive materials in the context of Foreign Intelligence Surveillance Court.

3.      Develop Ethical Use Guidelines for federal investigatory agencies

  • Policy guidelines should specify the circumstances in which the use of lawful hacking is permitted. Broadly, policies should ensure that hacking techniques are deployed only after less intrusive means have been exhausted, as is required when wiretapping.

  • Policy should also set guidelines, similar to those for undercover operations, governing lawful hacking that temporarily facilitates criminal activity. Standards should be set to balance probable harms and benefits and to ensure criminal activity is only facilitated where strictly necessary to prevent ongoing harm.

4.      Invest resources in investigating the most serious offenses.

  • Lawful hacking is resource intensive, both to develop or purchase the necessary tools and to properly coordinate investigations. Consequently, executive policy should invest these limited resources in investigations of the most serious offenses—violent crime, sexual offenses against children, large-scale narcotics trafficking, and terrorism. Limiting lawful hacking to serious cases ensures appropriate allocation of research and development resources, better protects tools, and facilitates coordinated prosecution strategies.

5.       Embrace Mass Hacking

  • Lawful hacking often, though not always, constitutes a search under the Fourth Amendment and thus requires law enforcement to obtain a search warrant. Opponents of lawful hacking warn of the government’s ability to target thousands of computers pursuant to a single warrant, calling it “mass hacking.” But the government should embrace mass hacking as an paradigm shift necessary for investigations to respond to going dark and the Justice Department should clearly articulate how warrants for such operations can satisfy all constitutional requirements. Individuals who use computers to facilitate the most serious offenses, particularly those related to child sexual exploitation, avail themselves of the most sophisticated available technologies to hide their identities and crimes. Because of better tools and stronger defaults, those offenders make fewer mistakes which limits available opportunities for law enforcement intervention. When opportunities to uncover serious crimes and rescue victims present—and warrants can be obtained—law enforcement should be encouraged to unmask as many offenders as possible.

6.       Demand security in exchange for disclosure.

  • The government should clearly articulate the vulnerabilities equities process applicable to law enforcement hacking tools that rely on undisclosed flaws in commercial software. The public should have a clear understanding as to the considerations and safeguards in developing such tools and be confident that the balance between disclosure and use maximizes overall security benefits.

  • The government should mandate that technology companies that are notified of a vulnerability pursuant to the equities process either patch the flaw within a reasonable time period or provide periodic updates detailing the reason for their failure to protect consumers. This policy maximizes security benefits. The reason to disclose a vulnerability is so that it can be patched to eliminate the threat that bad actors will discover and exploit it, but disclosure represents some degree of loss to the security interests served by government use. Typically, that loss is more than offset by the ubiquitous information security gains of patching, but we should avoid the net harm that results when a vulnerability is disclosed and no patch is deployed.

7.       Develop empirical data to inform long-term decision making.

  • The government should seek to develop data regarding the precise scope of going dark and the impact on law enforcement. This includes tracking instances in which law enforcement was unable to effectuate a court order to view communications content and the disposition of cases where such content could not be obtained.

  • The government should also support empirical research regarding the probable consequences of legislative options and lawful hacking methods. For example, while software updates might provide an existing mechanism to push, in effect, malicious updates to the target of a warrant, experts fear this could result in fewer individuals updating software and create widespread insecurity. Where probable behavioral responses are measurable propositions, the government should seek evidence to inform policy that promotes cybersecurity benefits—by avoiding more drastic and potentially harmful solutions—and minimizes harm. Similarly, research is needed into the genuine consequences of law enforcement retaining vulnerabilities, which is the most controversial element of lawful hacking.