Today, I testified before the United States House of Representatives Energy and Commerce Subcommittee on Oversight and Investigations hearing entitled “Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives.” While this is a complicated, nuanced issue, there are some key points that I feel very strongly help frame the discussion. I’ve recently covered these in my keynote at RSA Conference, a panel at the South by Southwest Interactive festival in Austin last month, and again in my testimony today.
The ongoing debate over law enforcement access to encrypted communications is one of the defining issues for our security community. There’s a need to balance the equities of, on the one hand, the needs of law enforcement to prosecute crimes, sometimes heinous crimes, and, on the other hand, our security, privacy, and economic competitiveness.
Although law enforcement already has access to a wealth of insightful surveillance data, so much so, that it cannot efficiently manage nor fully leverage what it has access to already, recent events have reinvigorated policy makers to call for “exceptional access” mechanisms. Simply put, these are calls to create “back doors” into all encryption for the benefit and ease of law enforcement in prosecuting unsophisticated criminals. While this request sounds simple, it is not only impossible to achieve, but it also would have the unintended consequence of fundamentally weakening the security of the Internet infrastructure we all rely on, impacting both national security and public safety.
With any cryptosystem, the greatest challenges exist in implementation and in maintaining effective operational security. Both of these dimensions increase in complexity and substantively increase risk of failure. Flaws are constantly being detected in how algorithms are implemented, in key exchange mechanisms, in shared memory or storage, and where keys can be found. Even when good cryptography is readily available, protecting information is incredibly hard to do. There are inevitably flaws in the other moving parts, such as hardware, protocol implementations, operating systems, authentication mechanisms and other components of the computing platform that can compromise information, even if such information is properly encrypted.
Good encryption is the fundamental building block for good cyber security; without the availability of good encryption, those defending vital U.S. networks and systems would be at a massive disadvantage. Exceptional access increases complexity and introduces new vulnerabilities we may have yet to fully understand. It means purposefully undermining the integrity of internet infrastructure that we all seek to make safe, and instead introduces more risk, not less. Creating a “back door” into all encryption for law enforcement means creating opportunity for a much broader set of people with nefarious intentions to harm us.
We cannot justify a policy that undermines the challenging and frequently failing efforts of our cybersecurity practitioners and expect industries and our society to be safe. The negative impacts of such a policy would affect tech companies, and every industry, including our critical infrastructure, power and utilities, automotive, manufacturing, healthcare, legal, banking and financial industries.
I hope you join me in making your voice heard on this important topic. Weakening encryption would catastrophically weaken our nation.
If you weren’t able to watch the hearing, Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives, you can take a look here (my section is about 3 hours into the webcast):