Compromised encryption is a threat to national security

Following recent security breaches that exposed the personnel records of as many as 14 million U.S. government employees, Federal officials launched a “30-day cybersecurity sprint” to beef up information security controls. The effort includes a mandate for the use of strong encryption on all U.S. government “public websites and web services by the end of 2016.”

So the government appears to get it. Encryption is needed to protect sensitive information on government websites. Of course, encryption is not always needed to provide good data security — it is a risk-based decision, whether to use encryption or not. But when it is needed it has to be strong and effective in order to secure data, prevent cyber-attacks and make us safer.

Unfortunately, the politics of security and surveillance is never quite that simple. In recent testimony before Congress, an Obama administration official asked tech companies to work with them to “prevent encryption above all else.” He urged companies to weaken the security of their products and services so that the government can access encrypted material without the knowledge of the user. The administration is floating a trial balloon suggesting that national security requires giving up the protection provided by strong encryption.

This approach gets the issue wrong. When the situation calls for encryption, using strong encryption strengthens our national security. Using weak encryption weakens us.

The tech industry understands this, and companies are continually working to provide products and services with the highest level of security protection, including, when needed, strong encryption. For instance, Google announced in 2014 that it would encrypt its email traffic with the same strong encryption that the administration has mandated for its websites by 2016. And Apple provides end-to-end encryption for their users’ communications and information stored on its devices. 

The industry is united in rejecting any proposal to deliberately weaken product security.  Companies are supportive of efforts in Congress to move legislation that would “ban the government from forcing tech companies to build weaknesses into their security systems.”

A coalition of industry and civil liberties groups recently endorsed the advantages of strong encryption, saying it “protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.”

Despite this, Michael Hayden, who previously led the National Security Administration (NSA), says the agency feels “legally and ethically” free to exploit security vulnerabilities when “nobody but us” knows about them. But vulnerabilities intended for the U.S. government’s use will sooner or later be used by others. Inserting vulnerabilities into a secure system makes it less secure.

As a recent United Nation’s report says, “compromised encryption cannot be kept secret from those with the skill to find and exploit the weak points… …States should avoid all measures that weaken the security that individuals may enjoy online, such as back doors, weak encryption standards and key escrows.”

The current head of the NSA argues that a “split-key” proposal to require technology companies to create a digital key with separate pieces that could be held by different agencies is a “front door, not a back door.” But, as the Center for Democracy and Technology notes, this split-key proposal is just a different way to introduce vulnerabilities into a secure system. 

Any requirement to provide the government with technical access to otherwise secure systems would harm our national interest not only by reducing security, but also by pushing international customers of U.S. businesses to look to foreign providers. The Information Technology & Innovation Foundation (ITIF) recently reported that “the economic impact of U.S. surveillance practices will likely far exceed ITIF’s initial $35 billion estimate.”  A new mandate to ensure U.S. government access to U.S. technology products and services would only accelerate the flight of international customers to alternative providers.

The proposal could also harm the nation by equalizing security down. Once the U.S. government legitimizes a mandate for weakened encryption, other countries will follow, resulting in a security nightmare in which encryption keys for all ICT products and services are held by all major countries, including the most repressive regimes.

Computer and information networks and devices cannot provide perfect security. Indeed, today’s Internet still contains security vulnerabilities from the misguided policies of the last century. But our information infrastructure is far more secure than it would be in the absence of the availability of strong encryption. 

Rather than seeking to undermine data security for everyone except itself, the administration should ask companies to follow its own example — use strong encryption when it is needed.