The Cybersecurity 202: We surveyed 100 experts. A majority rejected the FBI's push for encryption back doors.

0
8

THE KEY

The FBI has said that its inability to access encrypted cellphones during investigations leaves the country less safe. But a strong 72 percent majority of digital security experts surveyed by The Cybersecurity 202 disagree. 

The Network is a panel of more than 100 cybersecurity leaders from government, academia and the private sector who weigh in on some of the more pressing issues in the field in an ongoing, informal survey. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.) 

Our latest survey revealed broad opposition to the FBI’s demand that device and software-makers give law enforcement a built-in way to access encrypted data with a warrant. In fact, many experts said Americans would be just as secure — if not more so — without any kind of “back door.”

“Strong encryption is absolutely critical for keeping our data safe from criminals. This is especially important for mobile devices such as cellphones, which are easily lost or stolen,” said Matt Blaze, a cryptographer and computer science professor at the University of Pennsylvania. “Weakening encryption might make the FBI's job easier in some cases … but that would be a very shortsighted policy that would create far more crime than it would solve.”

The FBI has pushed for legislation to require tech companies to make all cellphones accessible to law enforcement with a warrant. The agency insists that widespread encryption — so strong that even tech companies can’t unlock the devices because they don’t have the encryption key — prevents investigators from conducting critical and often time-sensitive searches. 

But several experts said that giving law enforcement a special way to access encrypted data would actually create a whole new avenue for hackers and foreign governments to exploit Americans. 

“The idea of the ‘golden key’ — access that only the ‘good guys’ can use — is a myth,” said Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative. “Once that access has been created, it could be used by the FBI, or it could be used by foreign adversaries.”

Vikram Phatak, chief executive of the cybersecurity firm NSS Labs, said: “How long would it take for the backdoor ‘key’ to be stolen? Even if the possibility is remote (it isn’t), having the backdoor key stolen would be catastrophic.” 

As the FBI seeks to convince Congress, where legislative efforts to guarantee their access to encryption have stalled, The Washington Post's report last month that the bureau repeatedly cited inflated statistics about the extent of the problems will likely only hamper their case further. The FBI had said investigators were locked out of 7,800 devices last year, when the actual figure was between 1,000 and 2,000. 

“The number of inaccessible devices is quite low in a relative sense and the risk of missing a threat indicator is extremely low, while the digital security risks would be incredibly high if encryption were weakened,” said Chris Finan, who served as director for cybersecurity legislation and policy on the National Security Council during the Obama administration. “This is a no-brainer when you examine the actual data: Strong encryption increases our well-being.” 

Many experts also said that the FBI has tools at its disposal to address what it calls the “going dark" problem. As Blaze noted, it’s unclear how much weakening encryption would actually help law enforcement “given that forensic tools are quite powerful when used on seized handsets.” 

"Third-party tools such as Cellebrite and GrayKey, combined with other sources of data such as cloud backups, metadata, the Internet of Things, and so-called 'lawful hacking,' mean law enforcement still has a wealth of information available to it for investigations and prosecutions," said Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society. 

Just last week we saw an example of the FBI getting access to encrypted messages without breaking into a cellphone. Agents investigating Paul Manafort, President Trump's former campaign chairman, got ahold of messages sent in encrypted apps by working with potential witnesses in the case and getting a court order to search Manafort’s iCloud account, where the messages were backed up because Manafort did not enable the strongest protections, as I reported. 

“When the FBI can't get at evidence necessary to investigate crimes, THAT is a risk to our safety,” said Daniel Weitzner, who served as the White House’s deputy chief technology officer for Internet policy in the Obama administration. “But as this latest incident shows, there are generally many paths to data, and many copies of any given piece of data.” The real problem, Weitzner said, “is when law enforcement doesn't have the expertise to look for the data in all possible places.”

Dave Aitel, president and chief executive of Immunity Inc. and a former National Security Agency security scientist, said the FBI has failed to show that investigators didn’t have other tools they could turn to that avoided the technically difficult and legally complicated work of prying into an encrypted device. 

“If someone invented telepathy, does the FBI think it has a right to everyone's brain waves?” Aitel said. “The reality is that we are in the golden age of surveillance and digital evidence, and while yes, some investigations will be hindered by encrypted storage and communication, there is no sign we are in some sort of investigative crisis that would require a massive legal effort to enforce cryptographic back doors.” 

Mark Weatherford, a former deputy undersecretary for cybersecurity at the Department of Homeland Security, agreed: “It seems absurdly backwards that law enforcement is now using encryption to defend weaker security and using a ‘safety of the nation’ narrative as justification.” 

“Given that [the FBI] seemed to have been a bit too exuberant -- by a mere 500% -- in their estimation of the number of cell phones that were actually beyond their reach due to being encrypted, I don't think it hurts to be skeptical,” said Weatherford, now vice president and chief cybersecurity strategist at vArmour.  

Yet 28 percent of experts said they agreed with the FBI’s arguments about the risks posed by widespread encryption. 

“When dealing with a potential terrorist threat, speed and accuracy to circumvent those threats are critical,” said Charles Brooks, a cybersecurity strategist at General Dynamics Mission Systems and a former legislative director of the Department of Homeland Security's Science and Technology directorate. “Data on a cellphone could provide timely and lifesaving options. There is a balance between privacy and security, but protocols can be worked out by circumstances and scenarios.”

The threat posed by terrorists and other criminals who use encryption to conceal their activities outweighed many of the consumer security and privacy concerns, several experts said.

“Without lawful access to communications content — provided by a federal judge [and] supported by a probable cause warrant — investigators will have a much harder time finding those who wish to do our nation harm, from terrorists to spies,” said Jamil Jaffer, vice president for strategy and business development at IronNet Cybersecurity who formerly served as a congressional staffer and associate counsel to President George W. Bush.

Dan Geer, chief information security officer at In-Q-Tel, a nonprofit venture capital firm funded by the CIA, said the spread of encryption made Americans “considerably less safe” from sophisticated actors and “marginally less safe” from unsophisticated actors. 

“The degree to which both the hard left and the hard right unite in ‘don't trust this or any government,’ we are poorer," Geer said. "Of course, that is not the fault of the cryptographers, but when someone steps up on the soapbox to say ‘I don't want this or any government to be able to read my XYZ,’ then it would be appropriate to finish the sentence with ‘nor do I expect this or any government to protect me from digital thugs of any stripe.’ ” 

Still, some experts who agreed with the FBI’s arguments that encryption posed public safety risks still said it doesn't justify guaranteeing them access. 

The FBI would have an easier time with “unfettered access to encrypted communications,” said Melanie Teplinsky, an adjunct professor at American University’s Washington College of Law and former National Security Agency analyst. But there would be a serious cost, she said: “We can build back doors for FBI access, but back doors would weaken security at the very moment we should be fortifying it against an array of sophisticated cyberthreat actors including criminal syndicates and nation-state actors engaged in espionage, cyber sabotage, and/or influence operations.”

Yet Steve Weber, director of the Center for Long Term Cybersecurity at the University of California at Berkeley, said it's up to the opponents of back doors to offer other solutions: “The real question to ask is this: If the FBI can't access encrypted cellphones, what will it do instead?" he said. "If you want to resist the politics of encryption-breaking, then you need to offer some alternatives for law enforcement that are more than just 'good old fashioned shoe-leather investigation.' ”

THE NETWORK

— More reactions from The Network's group of cybersecurity experts on the FBI's arguments about encryption:

  • “The question is more fit for a courtroom debate, not a national security or privacy consideration. It is not a black-and-white issue. The argument has been focused on just one aspect of encryption, U.S. law enforcement being able to access data to assist in investigations. Mandating a 'back door' (which the FBI supports) into encryption opens up not just cell phones, but what about servers, laptops and other devices where encryption is crucial? Once this ‘back door’ is allowed, who has the job of making sure it's not abused by bad actors? This very quickly could significantly damage U.S. national security. Everything from intellectual property to defense to national security data could be compromised. — Geoff Hancock, principal at Advanced Cybersecurity Group
  • “While I am very sympathetic to hardworking FBI agents wanting to crack tough cybercrime, terrorism, and trafficking cases, making mobile devices more vulnerable will likely simultaneously put people like abuse victims and targets of hostile states at more risk. In my personal opinion, cellphones are such an integral part of global modern life that encryption back doors are not worth the risk.” — Lesley Carhart, principal threat hunter, Dragos Inc.
  • “The U.S. Chamber of Commerce supports robust encryption for information, including data at rest and data in motion. We believe that policies need to uphold strong encryption, which is an integral part of both individuals' and enterprises' cybersecurity. The U.S. government, along with privacy stakeholders, should resist the urges of countries — particularly authoritarian ones — to limit users' choice of encryption technology to protect their information and devices.” — Matthew Eggers, vice president for cybersecurity policy in the Cyber, Intelligence, and Security Division at the U.S. Chamber of Commerce
  • “Almost every criminal and nation/state actor utilizes wireless devices of some kind. In hundreds of documented public cases alone, cellphone forensics has been the only source of evidence that solved the crimes, and saved lives and property. And in many cases have protected the US from attacks. The inability to access encrypted phones with appropriate court orders is already resulting in an increasing file of cases where criminals and adversaries are evading detection, and committing avoidable crimes as a result.” — Respondent who answered on condition of anonymity
  • “Lack of access means the FBI often cannot tell who a suspect has been communicating with or the contents of those communications. In a terrorism investigation, finding everyone who was involved in the attack is crucial. Taking that ability off the table is likely to reduce Americans' security in the long run.” — Stewart Baker, former Department of Homeland Security assistant secretary for policy and former general counsel for the National Security Agency
  • “Effective law enforcement is critical to deterring and prosecuting criminals. We should recognize that strong encryption can pose obstacles to legitimate investigations and lawful searches when there is no alternative means of obtaining information, such as an unencrypted backup or an endpoint hack. However, we must also respect the crucial role of tools like strong encryption to secure communications and protect sensitive data — tools on which government, commerce, and individual users all rely. Users are much more safe, and crimes are prevented, when communications services, commercial products, and critical infrastructure are trustworthy and resilient.” — Harley Geiger, director of public policy at Rapid7

PINGED, PATCHED, PWNED

PINGED: A group of Chinese hackers stole more than 600 gigabytes of highly sensitive data about submarine warfare in January and February from a Navy contractor working for the Naval Undersea Warfare Center in Newport, R.I., The Washington Post's Ellen Nakashima and Paul Sonne report. “Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library,” they write. The contractor had been storing the information on an unclassified network and officials told Nakashima and Sonne that the data could be considered classified when aggregated.

Investigators say the hack was carried out by the Chinese Ministry of State Security, a civilian spy agency responsible for counterintelligence, foreign intelligence and domestic political security,” Nakashima and Sonne report. “The hackers operated out of an MSS division in the province of Guangdong, which houses a major foreign hacking department.” Defense Secretary Jim Mattis asked the Defense Department inspector general's office to review cybersecurity issues related to the Pentagon's contractors. “There are measures in place that require companies to notify the government when a 'cyber incident' has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” said Cmdr. Bill Speaks, a Navy spokesman.

PATCHED: Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.) on Friday introduced provisions from their election cybersecurity bill as an amendment to the National Defense Authorization Act. The bill, titled Secure Elections Act, aims to improve how federal and state authorities share information about cyberthreats to elections and give state election officials security clearances, according to a statement from Lankford's office. A portion of the bill that directed $380 million in federal funds to strengthen state election systems passed as part of a massive funding bill in March, but the other measures from Lankford and Klobuchar's legislation have not made it into law, according to the statement.

“The security of our election systems is a major national security issue, and it is appropriate for this legislation to be included in the National Defense Authorization Act,” Lankford said in a statement. “This legislation will help states prepare our election infrastructure for the possibility of interference from Russia, Iran, North Korea, or a domestic hacktivist group.” Klobuchar said in a statement that securing elections is a national security issue. “We must do everything in our power to protect our democracy from future attacks,” she said. “That is why Congress should pass our Secure Elections Act amendment that will improve information about cyber attacks so states can respond in real time. With only 151 days until the next election, we must act now.” The bill was introduced in December and a revised version was reintroduced in March.

PWNED: Newark wants residents to watch its video surveillance feeds. Under a program that the city started in April, the public can watch footage online from dozens of surveillance cameras and report anything suspicious to authorities, the New York Times's Rick Rojas reports. “The Citizen Virtual Patrol, as the program is called, has been hailed by officials as a move toward transparency in a city where a mistrust of the police runs deep, rooted in long-running claims of aggressive enforcement and racial animosity,” Rojas writes. “The cameras, officials said, provide a way to recruit residents as Newark tries to shake a dogged reputation for violence and crime.” The program runs 62 cameras and more are expected in coming months, and police said people will eventually be able to watch the footage on their smartphones, according to Rojas.

Yet Amol Sinha, the executive director of the American Civil Liberties Union of New Jersey, in April said Newark should drop the program. “Calling on civilians to patrol the video streams and call in any suspicions of criminal activity from their living room amounts to outsourcing policing to people who most likely haven't been trained in recognizing criminal activity or in the contours of the law,” Sinha said in a statement.

— More cybersecurity news from The Post:

PUBLIC KEY

— The House on Friday defeated an amendment by Democratic lawmakers to revive Congress's dormant Office of Technology Assessment in a 217-to-195 vote, Nextgov's Aaron Boyd reports. “The amendment called for restarting the office with a starting budget of $2.5 million,” Boyd writes. “That funding would be taken from an administrative account within the Architect of the Capitol's budget, according to the amendment.”

From Rep. Bill Foster (D-Ill.):

The push to restore the office came as lawmakers face increasingly complex issues about science and technology, The Post's Tony Romm wrote last week. “Lawmakers earned ridicule in April when they grilled Facebook chief executive Mark Zuckerberg over charges that he had failed to protect 2 billion users’ personal information,” Romm wrote. “At times, Democrats and Republicans alike seemed mystified by the inner workings of a multibillion-dollar American corporation that they’re supposed to regulate.”

— Trump adviser Peter Navarro on Sunday warned Chinese tech giant ZTE against breaking the rules again, just days after the U.S. administration announced a deal to alleviate sanctions against the firm, Reuters's Michelle Price reports. “It’s going to be three strikes you’re out on ZTE,” Navarro said on “Fox News Sunday." “If they do one more additional thing, they will be shut down.” (I wrote on Friday about efforts in Congress to block Trump's deal to salvage ZTE.)

More public sector cybersecurity news: 

PRIVATE KEY

— A group of hackers dedicate their time and energy exclusively on devising breaches against Windows — and they work for Microsoft, Wired's Brian Barrett reports. “Many companies have a red team, or several, and they generally share the same purpose — to play the role of an attacker, probing releases new and old for vulnerabilities, hoping to catch bugs before the bad guys do,” Barrett reports. “Few of them, though, focus on a target as ubiquitous as Windows, an operating system that still boasts nearly 90 percent market share for laptop and desktop computers worldwide.”

In between Tesla's boss and Facebook's chief executive, there is a debate among tech professionals and academics about the potential consequences of AI, the New York Times's Cade Metz writes. On the one hand, there's Elon Musk, who has said artificial intelligence is “potentially more dangerous than nukes.” On the other hand, there's Mark Zuckerberg, who told Congress that AI could help combat hate speech and terrorist content online. “The creation of 'superintelligence' — the name for the supersmart technological breakthrough that takes A.I. to the next level and creates machines that not only perform narrow tasks that typically require human intelligence (like self-driving cars) but can actually outthink humans — still feels like science fiction,” according to Metz. “But the fight over the future of A.I. has spread across the tech industry.”

— More cybersecurity news about the private sector:

THE NEW WILD WEST

— Australia wants to protect its elections from cyberattacks. The Australian government on Saturday announced that it has assembled an Electoral Integrity Task Force to mitigate the risks to the country's election system, Reuters's Will Ziebell reports. “This is a precautionary measure, which in the age of increasing levels of cyber-enabled interference and disruption, will need to become the norm,” a representative from Australia's Department of Home Affairs said in an email to Ziebell. “The Australian task force announcement comes only weeks before five federal by-elections, held to fill seats outside a general election, and amid concerns in Australia about Chinese interference in its political processes,” according to Ziebell.

— More cybersecurity news from around the world:

SECURITY FAILS

ZERO DAYBOOK

Today

Coming soon

EASTER EGGS

Trump advisers bash Canadian Prime Minister Justin Trudeau over G-7 row:

What does the upcoming meeting between Trump and Kim Jong Un mean to these North Korean defectors?

Post staffers attempt soccer tricks: