In January, President Obama made public comments suggesting encryption could hinder investigations by law enforcement and other entities leaving many to wonder loudly about privacy concerns. His comments were more recently echoed by the Department of Justice in their case against Microsoft, in which the government essentially argues that all emails sent on the Outlook system are business records of Microsoft in an effort to get the company to turn over email data housed offshore.
All of this comes from the same government issuing cybersecurity guidelines like the ones issued by the SEC, which argue that security and encryption are in effect the fiduciary duty of financial firms. If we build on the financial firms example – the leadership of a financial firm could face criminal charges and fines if the SEC finds that customer data or money were compromised by not staying up to date on encryption and security. These same managers could find themselves facing criminal charges and fines if another branch of the government decides it wants into customer data, hits an encrypted stack and gets no key. And that’s just one industry. Consider the competitiveness of an American company claiming to sell secure services that are known to be compromised by order of the US government in a country that actually values individual privacy. Good luck.
The value of encryption is immediately obvious – privacy, security of sensitive data, maintaining business continuity, etc. But when government takes the approach it does in the financial firms example, things get murky.
“It seems clear that what we’re seeing is the government try to play both sides of the street here,” says Kurt Rohloff, an expert on encryption technology, and professor at the New Jersey Institute of Technology’s computer science program in an interview with CivSource. “If the government wants something and they can’t go after the individual, they go after the provider.”
That kind of approach may be successful at first in terms of getting data, but as it becomes more commonplace businesses may start looking toward solutions like moving offshore, Rohloff warns.
Moves against encryption within the US government are increasingly out of step with the international community – both the UN and the World Bank have supported encryption as a method for providing security and privacy worldwide. In a recent report, the UN went so far as to say that encryption is crucial to human rights and free speech. The World Bank for its part is working with both governments and private companies through the OASIS initiative to build a framework for cybersecurity. In that work, the World Bank cites the need to protect critical infrastructure, financial data, and the public with strong security standards.
“What we are trying to do with OASIS is move the security conversation out of the hands of specific governments and toward a more global framework,” explains Eric Hibbard, Chief Technology Officer, Security and Privacy, Hitachi Data Systems (HDS). HDS is taking part in the OASIS project and Hibbard leads Hitachi’s security strategy activities as well as the storage security strategy for Hitachi Data Systems. “We’re actively looking at new protocols and working toward common standards,” he adds.
So far the OASIS consortium has more than 5,000 participants representing over 600 organizations and individual members in more than 65 countries. Participating countries vary in terms of their approach toward individual privacy, but based on presentations at the organization’s recent Borderless Cyber conference held in Washington D.C., the desire for a common framework around cybersecurity is strong.
“When it comes to encryption, the government often argues that criminals are enabled in their activities. That may be true, but criminals are already using these tools and doing it quite well. We need to put the same training in the hands of the good guys who have data to protect,” Hibbard says.
A petition filed by Access Now and the Electronic Frontier Foundation, posted on the White House’s We The People platform calling for strong encryption standards recently reached the 100,000 signature threshold required to prompt a response from the White House on this issue. While there is no timeline on when the White House will respond, there is growing pressure from privacy and free speech advocates to stop the creeping surveillance state in the US.
Efforts like OASIS have as many worrying as helpful parts – typical to any consortium between private companies and world governments, but if the focus is on sound encryption and security there could benefits.
“Encryption and security are so difficult to design and implement correctly on their own, that embedding bugs in these systems to provide access could have unintended consequences,” Rohloff adds. “It makes a system more vulnerable to the adversaries you may be trying to protect yourself from.”
Rohloff finds it unlikely we will see a strong policy stance from government in the US in the near future. If the Senate’s recent passage of the Cybersecurity Information Sharing Act (CISA) is any indication, he’s right. That bill effectively streamlines the information pipeline to organizations like the NSA and does little for free speech or personal privacy.
“We’re all going to have to wait and see where this shakes out. The liabilities in this conversation are complex for the government and for those outside of it,” he says.