Encryption and the path forward

While the president clearly stated his policy position on encryption last October, somehow the FBI and the Department of Justice (DOJ) missed the memo. In the wake of the San Bernadino, Calif., and Brussels terror attacks and other recent events, it is necessary for Congress to step forward with a similar directive for the FBI and law enforcement entities around the globe.

{mosads}The White House correctly chose not to support a position based on panic, politics or public opinion, but instead adopted a coherent and forward-thinking position on the subject of encryption and its place in our society. It was not a decision made lightly nor made in isolation, but rather as part of a comprehensive strategy taking into account the entirety of cybersecurity — including encryption — both domestically and internationally. Accordingly, later that same month came the announcement of an overall strategy to strengthen the cybersecurity of federal networks, systems, communication and data via the Cybersecurity Strategy and Implementation Plan. This was a necessary and worthwhile piece within the need of a consistent, global effort to make our government networks more resilient, reduce ease of intrusion and provide a base layer of cybersecurity for all state and local governments to follow.

Sometimes it can be easy to forget the many benefits each of us has enjoyed through the use of robust encryption. Over the past two decades, our culture has rapidly evolved from a paper-based, in-person series of relationships into an Internet-enabled mobile economy where relationships are not simply digital, but often faceless and remote, dependent on secure and yes, encrypted, communication.

Banking and insurance, travel and dinner reservations, even children’s afterschool activities and report cards — nearly everything can now be accessed virtually and each of these already requires some level of security. As innovations to everyday consumer goods and services continue to evolve, our society will only require greater — not fewer — levels of encryption as part of an overall strategy to ensure the cybersecurity of each individual and business. Each network must work to harden its cybersecurity, whether public or private — and as the White House expressed, the federal government will lead by example.

One of the key reasons the evolution into the digital mobile environment happened so smoothly was the constant effort in the 1990s by both finance and commerce companies to increase confidence in the secure digital consumer experience. This struggle continues today and every day. The recent settlements by large retail chains have only reaffirmed that even inside physical storefronts, our society’s networks require the same robust and secure systems — ones without any virtual doors left open by third parties.

Our world continues to shift ever further into an Internet-connected society. The “Internet of Things” has already successfully connected items as esoteric as the control of home heating systems or even a juicer. However, reports of security vulnerabilities in an Internet-connected home security system give yet another demonstrable reason why every connected device requires more cybersecurity, not less, and that means greater encryption.

During the March 1 hearing before the U.S. House Committee on the Judiciary, Chairman Bob Goodlatte (R-Va.) got FBI Director James Comey to admit that the FBI’s attempt to compel Apple to divert the security of its own product was not for simply just one phone.

Goodlatte: Now, if the FBI is successful in requiring Apple to unlock this phone, that won’t really be a one-time request, correct?

Comey: Well, the issue of locked phones, certainly not, because it’s become a —

Goodlatte: Well, it will set a precedent for other requests from the Federal Bureau of Investigation and all — and any other law enforcement agency to seek the same assistance in many, many, many other cases.

Comey: Sure, potentially.

This much is obvious from Comey’s testimony. Now that the FBI is capable of bypassing the security of a previously inaccessible set of consumer devices, they will use the technique for investigating more than just the one phone.

Unfortunately, there was no understanding that this action has cast into doubt the public’s confidence in the security of one of the most widely used tools of the economy. Perhaps FBI and DOJ personnel should revisit legislation introduced to the U.S. House the last time encryption was publicly discussed by lawmakers on Capitol Hill. The Security and Freedom through Encryption (SAFE) Act was first introduced by Goodlatte during the 104th Congress. While at one time it garnered the bipartisan support of 250 members of the House of Representatives, the relevant point is the legislation attempted to put forward solutions for the then-vexing challenge law enforcement found when faced with encryption based on the 1996 version of cutting-edge encryption.

One of the solutions proposed within the legislation was the creation of an office within the FBI tasked with addressing innovations in encryption and the challenges the government would face as encryption increased in strength and use. This office would have quietly established a public-private partnership to address challenges such as today’s crisis.

It is unfortunate that this legislation was not able to become law. It is perhaps more unfortunate that a public-private working group, led by the federal government, was not established in the mid-1990s. Fortunately, we have the opportunity to do so today. If the Obama administration would organize such a working group, stakeholders within the community would likely be happy to help keep our society safe while developing a realistic encryption policy.

Chances are that the international development of encryption will not suddenly freeze any time in the near future. To the contrary, it is necessary for governments and businesses at every level to develop good encryption standards of sensitive material in order to support a cyber-secure environment.

Horowitz is a senior fellow with the Center for Cyber and Homeland Security at George Washington University in Washington, D.C.