nettime's_undo_undo on Thu, 30 Jul 2015 16:40:41 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Wash Post pubs/unpub/repubs ex-intel heads' pro-crypto op-ed


(1) Techdirt: Washington Post Publishes... And Then Unpublishes... Opinion Piece 
     -- Tim Cushing
(2) Wash Post: Why the fear over ubiquitous data encryption is overblown
     -- Mike McConnell, Michael Chertoff, William Lynn 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(1) Techdirt: Washington Post Publishes... And Then Unpublishes... 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

<https://www.techdirt.com/articles/20150729/09460731789/washington-post-publishes-then-unpublishes-opinion-piece-ex-intelligence-industry-brass-favor-strong-encryption.shtml>

Washington Post Publishes... And Then Unpublishes... Opinion Piece by
Ex-Intelligence Industry Brass, in Favor of Strong Encryption

from the what-happened? dept
by Tim Cushing
Mon, Jul 20th 2015 5:46am

Update: And... the article has been republished at the Washington Post's
site with a note claiming that it was accidentally published without
fully going through its editing process. Extra points if anyone can spot
anything that's changed...

Earlier this week, we noted with some surprise that both former DHS boss
Michael Chertoff and former NSA/CIA boss Michael Hayden had come out
against backdooring encryption, with both noting (rightly) that it would
lead to more harm than good, no matter what FBI boss Jim Comey had to
say. Chertoff's spoken argument was particularly good, detailing all of
the reasons why backdooring encryption is just a really bad idea. Last
night, Chertoff, along with former NSA boss Mike McConnell and former
deputy Defense Secretary William Lynn, published an opinion piece at the
Washington Post, doubling down on why more encryption is a good thing
and backdooring encryption is a bad thing.

Yes, the very same Washington Post that has flat out ignored all of the
technical expertise on the subject and called for a "golden key" that
would let the intelligence community into our communications. Not only
that, but after being mocked all around for its original editorial on
this piece, it came back and did it again.

Of course, you may note that I have not linked to this piece by
Chertoff, McConnell and Lynn at the Washington Post... and that's
because it's gone. If you go there now you get oddly forwarded to a 2013
story (as per the rerouted URL), with a 2010 dateline, claiming that
---this file was inadvertently published."

Of course, this is the internet, and the internet never forgets. A
cached version of the story can be found online. The title really says
it all: Why the fear over ubiquitous data encryption is overblown. Of
course, technical experts have been saying that for decades, but it's
nice to see the intelligence community finally coming around to this.
And here's a snippet of what was said in the article before it
disappeared.

     <...>

The op-ed also points out that "smart bad guys" will still figure out
plenty of ways to use encryption anyway and all we're really doing is
weakening security for everyone else. And, of course, it raises the fact
that if the US demands such access, so will China and other companies.

     <...>

These are the same basic arguments that experts have been making for
quite some time now. What's also interesting is that the three former
government officials also point out that the "threat" of "going dark" is
totally overblown anyway. It raises the original crypto wars and the
fight over the Clipper Chip, and notes that when that effort failed,
the sky did not fall, and we did not go dark and deaf."

    <...>

This is an important bit of input into this debate, and one hopes that
the Washington Post only "unpublished" it because it forgot to correct
some grammar or something along those lines. Hopefully it is republished
soon -- but even if it was published briefly, this kind of statement
could be a necessary turning point, so that hopefully we can avoid
having to waste any further effort on the wasteful idiocy of a second
crypto war.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(2) Wash Post: Why the fear over ubiquitous data encryption is overblown
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

<https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-encryption/2015/07/28/3d145952-324e-11e5-8353-1215475949f4_story.html>

Why the fear over ubiquitous data encryption is overblown

By Mike McConnell, Michael Chertoff and William Lynn July 28 at 8:01 PM

Mike McConnell was director of the National Security Agency under
President Clinton and director of national intelligence under President
George W. Bush. Michael Chertoff was homeland security secretary under
Bush. William Lynn was deputy defense secretary under President Obama.

More than three years ago, as former national security officials, we
penned an op-ed to raise awareness among the public, the business
community and Congress of the serious threat to the nation's well-being
posed by the massive theft of intellectual property, technology and
business information by the Chinese government through
cyberexploitation. Today, we write again to raise the level of thinking
and debate about ubiquitous encryption to protect information from
exploitation.

In the wake of global controversy over government surveillance, a number
of U.S. technology companies have developed and are offering their users
what we call ubiquitous encryption -- that is, end-to-end encryption of
data with only the sender and intended recipient possessing decryption
keys. With this technology, the plain text of messages is inaccessible
to the companies offering the products or services as well as to the
government, even with lawfully authorized access for public safety or
law enforcement purposes.

The FBI director and the Justice Department have raised serious and
legitimate concerns that ubiquitous encryption without a second
decryption key in the hands of a third party would allow criminals to
keep their communications secret, even when law enforcement officials
have court-approved authorization to access those communications. There
also are concerns about such encryption providing secure communications
to national security intelligence targets such as terrorist
organizations and nations operating counter to U.S. national security
interests.

Several other nations are pursuing access to encrypted communications.
In Britain, Parliament is considering requiring technology companies to
build decryption capabilities for authorized government access into
products and services offered in that country. The Chinese have proposed
similar approaches to ensure that the government can monitor the content
and activities of their citizens. Pakistan has recently blocked
BlackBerry services, which provide ubiquitous encryption by default.

We recognize the importance our officials attach to being able to
decrypt a coded communication under a warrant or similar legal
authority. But the issue that has not been addressed is the competing
priorities that support the companies' resistance to building in a back
door or duplicated key for decryption. We believe that the greater
public good is a secure communications infrastructure protected by
ubiquitous encryption at the device, server and enterprise level without
building in means for government monitoring.

First, such an encryption system would protect individual privacy and
business information from exploitation at a much higher level than
exists today. As a recent MIT paper explains, requiring duplicate keys
introduces vulnerabilities in encryption that raise the risk of
compromise and theft by bad actors. If third-party key holders have less
than perfect security, they may be hacked and the duplicate key exposed.
This is no theoretical possibility, as evidenced by major
cyberintrusions into supposedly secure government databases and the
successful compromise of security tokens held by the security firm RSA.
Furthermore, requiring a duplicate key rules out security techniques,
such as one-time-only private keys.

Second, a requirement that U.S. technology providers create a duplicate
key will not prevent malicious actors from finding other technology
providers who will furnish ubiquitous encryption. The smart bad guys
will find ways and technologies to avoid access, and we can be sure that
the "dark Web" marketplace will offer myriad such capabilities. This
could lead to a perverse outcome in which law-abiding organizations and
individuals lack protected communications but malicious actors have
them.

Finally, and most significantly, if the United States can demand that
companies make available a duplicate key, other nations such as China
will insist on the same. There will be no principled basis to resist
that legal demand. The result will be to expose business, political and
personal communications to a wide spectrum of governmental access
regimes with varying degrees of due process.

Strategically, the interests of U.S. businesses are essential to
protecting U.S. national security interests. After all, political power
and military power are derived from economic strength. If the United
States is to maintain its global role and influence, protecting business
interests from massive economic espionage is essential. And that
imperative may outweigh the tactical benefit of making encrypted
communications more easily accessible to Western authorities.

History teaches that the fear that ubiquitous encryption will cause our
security to go dark is overblown. There was a great debate about
encryption in the early '90s. When the mathematics of "public key"
encryption were discovered as a way to provide encryption protection
broadly and cheaply to all users, some national security officials were
convinced that if the technology were not restricted, law enforcement
and intelligence organizations would go dark or deaf.

As a result, the idea of "escrowed key," known as Clipper Chip, was
introduced. The concept was that unbreakable encryption would be
provided to individuals and businesses, but the keys could be obtained
from escrow by the government under court authorization for legitimate
law enforcement or intelligence purposes.

The administration and Congress rejected the Clipper Chip based on the
reaction from business and the public. In addition, restrictions were
relaxed on the export of encryption technology. But the sky did not
fall, and we did not go dark and deaf. Law enforcement and intelligence
officials simply had to face a new future. As witnesses to that new
future, we can attest that our security agencies were able to protect
national security interests to an even greater extent in the '90s and
into the new century.

Today, with almost everyone carrying a networked device on his or her
person, ubiquitous encryption provides essential security. If law
enforcement and intelligence organizations face a future without assured
access to encrypted communications, they will develop technologies and
techniques to meet their legitimate mission goals.


#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org