Now’s an opportune moment to talk about encryption with non-techies

Spencer Dailey
Jan 22, 2016

Tech-savvy individuals inevitably have friends and family who don’t spend a great deal of time in our world and have less-developed opinions on important matters like the role of encryption in our personal lives.

Knowing that leadership in government has been advised to make strong arguments against pervasive encryption in the immediate aftermath of acts of terrorism, now is a good time (with a brief reprieve from horrible, headline-dominating mass shootings around the world) to take a minute and have a less reactionary conversation with our non-techy friends.

I took a break from project work to reframe the narrative. Here’s the email I sent to my family:

The role of encryption in our security and privacy

I wanted to revisit the great question dad asked over Thanksgiving about whether warrants should still be required (as is at least the spirit of US wiretapping law) to see into our digital lives.

It’s an important question because there’s an inseparable technological component to it: should lawmakers mandate that US companies weaken their encryption to the point that law enforcement can see anything they want on our personal devices?

FBI Director James Comey has made the rounds after the Charlie Hebdo attacks and then after the second Paris attacks, hitting major media outlets like CBS’s 60 Minutes and speaking before Congress, making the case that encryption is an imminent national security concern because, if the terrorists can plot in privacy, we can’t foil their plots. That’s, on the surface, a reasonable claim.

Here’s what’s not a part of James Comey’s narrative:

  • Well-implemented encryption (on personal devices as well as back-end infrastructure) is vital to national security.
  • Universally disallowing rock-solid encryption is not feasible: the computer code is in the public domain, the bad guys have it, and the code will continue to work whether the US passes a law or not. “You can’t argue with math” is the inside joke among cryptographers.
  • The US has already been down this road: they developed a “Clipper Chip” under the Clinton administration which was later found to be hopelessly insecure (for cyber criminals to defeat) and, consequently, not pushed on the private sector.
  • The private sector already has its hands full updating decades-old infrastructure, revamping their own major capital investments to fend off cyber hacks (implementing encrypted protocols at many points in their tech stack, in many cases). Implementing a new encryption scheme (what’s known as a key escrow system) would introduce Byzantine complexity into systems that benefit from elegant solutions and small attack surface areas.
  • We, as citizens of this country, are under persistent attack by cyber criminals, who see the venture as a low risk/high reward opportunity to steal our identities and financial information. Encrypted, end-to-end protocols are absolutely necessary to prevent our secrets from being stolen and malware from being injected mid-stream as we conduct our daily business.
  • Cybersecurity is hard. And it has to be perfect (one flaw can lead to a totally compromising situation).
  • The government has an abysmal track record with technology, and our state of cybersecurity stands to be weakened incredibly by government intervention.

The greatest national security disaster in recent times was the Office of Personnel Management hack, where all federal employees, including those with top security clearance, had all of their personal information (background checks, biometric data (fingerprints), disciplinary action (writeups)… everything) exfiltrated by a nation-state, likely China, maybe Russia — we’re not 100% sure. The CIA had to pull agents from the field. It is a complete, unmitigated disaster and its impact will not quickly diminish over time. The (now resigned) OPM Director admitted the records had not been encrypted.

Cybersecurity is the blind spot in our country’s defense. One must have a holistic approach to cybersecurity; securing endpoint devices (including our smartphones) is vital to network security at large.

Hundreds of encryption and infosec experts and leaders from the private sector have discredited James Comey’s anti-encryption stance; notably, Apple’s CEO Tim Cook has been outspoken. Today, NSA Director Adm. Mike Rogers added his voice to the debate, joining former NSA boss Mike McConnell, saying encryption was part of the foundation we want, cautioning against a government-mandated encryption policy. President Obama has yet to make a clear public statement in support of encryption for our personal devices.

I’ve decided to send this email now because we’re not in the immediate aftermath of a terrorist act (it’s been over a month since the San Bernardino massacre), so we can assess things in a slightly less reactionary way. The White House is advised by top government lawyers to make the case against encryption immediately after a terror event, a reckless strategy that could leave us all very vulnerable one day.

Cheers, Spence
