In 1999, the US government approved a change in cryptographic export-control regulations, a change many security types imagined would herald a time of secure communications and secured data. As we all know, that did not come to pass. What did come to pass instead was a long-delayed recognition that data that was not saved was more secure than data that was, that end-to-end encryption had value even when you weren't talking to your bank, and that securing data on your phone keeps it safe.
The OPM hack, ISIS recruitment via Twitter, and securing an iPhone were not necessarily anticipated by NSA when the agency gave its concurrence, and perhaps even encouragement, to the 2000 export-control changes. But surely situations like that were. So it is not surprising that NSA has not loudly joined the chorus when FBI Director Comey presses for "exceptional access" to encrypted communications.
What the Aspen Security Summit brought this year were strong words by former Secretary of Homeland Security Michael Chertoff and former Director of the National Counterintelligence Center Michael Leiter about the "Going Dark" problem and proposed solutions.
Secretary Chertoff said,
"First of all, there is when you do require a duplicate key, or some other form of back door, there is an increased risk and increased vulnerability. You can manage that to some extent, but it doesn't prevent you from certain kinds of encryption, so you're basically making things less secure for ordinary people."
"The second thing is that the really bad people are going to find apps and tools that are going to allow them to encrypt everything without a back door. And these apps are multiplying all the time. The idea that you're going to build to stop this — particularly given a global environment — I think is a pipe dream. So what will wind up happening is people who are legitimate actors will be taking somewhat less secure communications, and the bad guys will still not be able to be decrypted."
"The third thing is what are we going to tell other countries? When other countries say great, we want to have a duplicate key too [say] in Beijing, or Moscow or someplace else. The companies are not going to have a principled basis to refuse to do that. So that's going to be a strategic problem for us."
"Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement even with court orders to get information. We often make tradeoffs ... I also think that experience shows we're not quite as dark sometimes as we fear we are. In the 90's when encryption first became a big deal, there was a debate about a Clipper Chip, that would be embedded in devices or whatever your communications equipment was to allow court ordered interception. Congress ultimately and the President did not agree to that. And it dawned on the people in the community afterwards, you know what, we collected more than ever."
Former NCIC Director Leiter observed that,
"The place where I come down really is technologically this is a problem. And it's a problem because we are clearly going to a world where end-to-end encryption with temporary keys that disappear immediately after any communication occurs, that is the future. There is no way around that; we are not going to stop that. And, because of that, for the technology issues, I don't think there is a long term way to preserve the US government's ability to intercept or get access to those. And I also do think that societally, we have to accept that the degree to which we undermine our national security by having that back door or front door, depending upon how you define it, is very real. We have seen that because of the cyberthreat. So I tend to think that both technology and the balance of these probably falls on the side of — you can try to design it now, but reality is going to overtake you and it's a funny thing that when technology and law conflict, law's not going to challenge that technology for long, it's going to overtake it. And you have to have a law which addresses reality, and not what you hope reality will be."
Providing security for ordinary people makes law enforcement's job harder, but Secretary Chertoff says that's the right trade-off. Director Leiter says that government has to face reality, and "not what you hope reality will be." But see for yourself; listen to the session. Chertoff's and Leiter's experiences in national security and law enforcement are recent — and deep. They know whereof they speak.
Acknowledgement: I am grateful to Henry Baker for bringing these comments to my attention.