
Published on July 25th, 2019


Security, Surveillance And The Truth About Going Dark



On June 26, 2019, senior administration officials met and discussed whether the executive branch should or would ask the United States Congress to ban the public availability of end-to-end encryption technology. In the end, the meeting’s goal, which was to decide whether to produce a general policy statement on encryption or to seek legislative action, wasn’t met and no decision was produced.

Such meetings aren’t new or news. American administrations have grappled with public encryption policy decisions since at least 1972, when the National Bureau of Standards (now called the National Institute of Standards and Technology or NIST) began work on what was to become the Data Encryption Standard or DES. DES was to be a public standard, meaning that it was to be freely available for use by both the government and the private sector. The National Security Agency (NSA) insisted, in the name of national security, that DES be limited to a 56-bit key. (A 56-bit key was barely adequate in 1976 when the DES standard was approved and is laughably insecure today.) The NSA’s insistence was based on the premise that it needed the capability to break DES encryption in matters of, well, national security.

And therein lies the rub. The NSA in particular, and the government in general, isn’t interested in information security. It’s interested in national security, the definition and priorities of which vary by year and administration. What’s been constant is the conflation of security and surveillance. The relationship between the two is inversely proportional. A state of information security prioritizes and preserves data sovereignty and privacy. Surveillance, conversely, is about monitoring behavior or activities for purposes of influence, coercion or protection.

Surveillance doesn’t correlate to improved security -- it actually weakens it. The Communications Assistance for Law Enforcement Act (CALEA) is a 1994 law mandating that phone companies build wiretapping mechanisms into their call switching mechanisms so that the U.S. government could more efficiently conduct domestic surveillance (e.g., “lawful intercept,” or LI). Unfortunately, CALEA caused unintentional vulnerabilities in internet switches made by Cisco. Indeed, when CALEA-compliant switches were assessed by the NSA for use in Department of Defense (DoD) networks, significant vulnerabilities were found in switches used for testing.

The vulnerabilities aren’t just theoretical. Over a 10-month period (and possibly much longer) ending in 2005, the phones of over 100 senior members of the Greek government were bugged due to an LI capability in Ericsson switches used by Vodafone Greece, the country’s largest cellular communications provider. The LI capability was co-opted and exploited by one or more malicious actors.

Despite many examples of how built-in legislatively mandated surveillance vulnerabilities will go terribly wrong, and the fact that the world has not yet imploded due to a lack of such measures, proponents of the surveillance state keep demanding more.

In 1997, FBI Director Louis Freeh characterized strong encryption as a “looming spectre” that would paralyze the nation’s ability to combat terrorism and crime. In 2011, FBI General Counsel Valerie Caproni cast government inability to break standard cryptography as an enabler for child pornography and exploitation, organized crime, the narcotics trade, terrorism and espionage. And in 2017, Deputy Attorney General Rod Rosenstein noted that encryption made evidence of criminality undetectable and upset the constitutional balance. There are many other such examples that seem to confirm that security is the bedfellow of the Four Horsemen of the Internet Apocalypse (i.e., terrorists, drug dealers, child pornographers and organized crime).

Reality just doesn’t support that perspective. We live in what Peter Swire and Kenesa Ahmad called “the golden age of surveillance.” When compared to the past, law enforcement’s surveillance capabilities have become significantly more robust. Indeed, it’s not just law enforcement that’s become more adept and capable with respect to surveillance. There’s an entire business model called surveillance capitalism that has made companies such as Google and Facebook wildly successful.

We’re willing accomplices in this capability enhancement. Most of us opt to carry sophisticated tracking devices that continuously broadcast our locations -- we call them mobile phones. We voluntarily tell the world about our contacts and confederates through our use of social networks. And we compile voluminous digital dossiers about our lives, which, again, we broadcast. Little, if any, of this information is encrypted, and it can all be made available to the government.

The encryption phenomenon, which the government refers to as “going dark,” isn’t really a phenomenon. Before the advent of mobile devices and social networks, a person’s words were ephemeral, disappearing forever as soon as they were spoken. Despite this, law enforcement had many tactics it could bring to bear to lawfully develop the information it needed.

During the Second World War, a large part of the information that won battles for the Allies came from techniques like traffic analysis, which examined time, location, sender, recipient and other “envelope” information associated with communications -- not content. Today, we call this “metadata analysis.” That’s important, because metadata can’t be hidden if the communication mechanisms are to function. According to Bruce Schneier's book Click Here to Kill Everybody, the government can always learn who the participants in a conversation are, and when and where it’s taking place, even if the contents are hidden.

The real issue is one of training and perspective. From the mid-1990s forward, data from cellular communications has been routinely captured (it was, and still is, poorly protected). With the advent of ubiquitous email and the smartphone, the river of information coming from cell phones became a deluge. At the same time, much of the institutional knowledge with respect to earlier metadata investigative techniques was lost to attrition and retirement. It’s not so much that the Four Horsemen have gone dark as that the organs of national security have willfully donned dark glasses.

Doffing those glasses in the form of institutional reform is critical if we are to adequately address the threats inherent to a hostile cyberspace without sacrificing the foundation of technological trust that underpins the global economy. The new dark age will be marked by the sacrifice of security on the altar of surveillance.





Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.