Leaked Intelligence Document Calls For More, Not Less Encryption To Protect Companies And Citizens From Cybercriminals

from the and-yet,-everyone-seems-to-be-calling-for-less dept

Everyone from FBI Director James Comey to UK Prime Minister David Cameron is calling for an end to encryption. The FBI is afraid it won't be able to catch criminals if it can't immediately access content and communications. David Cameron is afraid it will be nothing but constant terrorist attacks from here on out if authorities don't have access to "every means of communication."

Considering many of these voices decrying encryption presumably have access to top secret briefings and documents otherwise unseen by the general public, it's rather surprising they've ignored previous advice from intelligence officials to the contrary.

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.

[...]

The document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.

This document comes from The Guardian's stash of Snowden leaks. What it says runs completely contrary to the panicked assertions of officials. It even runs contrary to the NSA's own actions, like its active attempts to weaken NIST standards. The report recommends strong encryption, coupled with multi-factor authentication, which would make data and communications wholly inaccessible to the NSA (and GCHQ, its steady surveillance partner).

But this recommendation doesn't come from an outside source. It's an intelligence council that reports directly to the head of national intelligence. And yet, the word didn't spread very far. The NSA isn't thrilled with encryption because it keeps what it wants out of reach. Law enforcement has the same "problem." Both have actively worked to undermine encryption for their own aims and both are perfectly willing to open up citizens and companies to outside attacks in order to preserve the status quo.

And it's not just American agencies that have ignored these recommendations. The GCHQ is engaged in the same cognitive dissonance.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.

The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”....

The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software is widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Again we see agencies charged with protecting nations walking away from this responsibility in order to pursue their own ends. Sure, some safety may have resulted from the collection of unencrypted communications, but both agencies are willing to compromise corporate hardware and consumer software in order to grab just a little more hay for the haystacks.

You can't make a nation safer by destroying its safety features. There's a bigger picture that these agencies refuse to see -- even when internal guidance puts it front and center. If you weaken protections, seek legislation to prevent encryption, collect and stash exploits and install backdoors in hardware and software, you make the nation's cybersecurity that much harder to maintain. The NSA and FBI both want a piece of the cyberwar action but they want to leave everyone that isn't them defenseless. Over on the other side of the pond, the GCHQ is doing the same thing and it has the support of a Prime Minister who feels no communication should be able to escape the agency's notice.

And behind it all, there are documents touting the protective powers of encryption. But that makes intelligence gathering and law enforcement too difficult, so I guess we'll all have to do without.

Filed Under: cybersecurity, encryption, fbi, gchq, nsa, privacy


Reader Comments

  • Anonymous Coward, 16 Jan 2015 @ 6:30am

    It's so strange to hear them say they want cybersecurity yet at the same time say they want weak encryption or no encryption at all, if possible.

    Security without encryption is like a hamburger without ham. And in either case, it's a sham.

    • Anonymous Coward, 16 Jan 2015 @ 6:47am

      Re:

      Not a very good metaphor given that most hamburgers contain ground beef, not ham, and the name commonly gets shortened to just "burger".

      A better one would be something more like...

      Security without encryption is like a doorway without a door. It's just a big hole in a wall that people, wild animals and the weather can just go right through. Sure you can do some things to keep the hole "secure" like not telling anyone it's there and praying no one and nothing finds it, or constantly stationing someone (more like several someones given the need for shifts and bathroom breaks) there with a gun to keep people and animals out. But none of that really beats having a stout door with a solid lock. Something that leaves anyone or anything wanting to get in two options: 1) spend an hour cutting it open with a lightsaber, 2) find the guy that has the key and start hitting him with a wrench.

      • Anonymous Anonymous Coward, 16 Jan 2015 @ 7:12am

        Re: Re:

        Or maybe having several shifts of swat teams protecting the door and shooting at anything that moves, the weather still gets in.

    • Anonymous Coward, 16 Jan 2015 @ 7:12am

      Re:

      A hamburger with ham is a sham, as the name means beef in the Hamburger (German city) style.

    • John Fenderson, 16 Jan 2015 @ 7:44am

      Re:

      I think that what they want is for people to have strong security against attackers who aren't them, while at the same time have the ability to easily decrypt everything themselves.

      It's an impossible dream, but I think that they really believe it's achievable because from a mathematical point of view, it is. From a practical or realistic point of view, it's not.

      • That One Guy, 16 Jan 2015 @ 8:20am

        Re: Re:

        I imagine the lower ranked workers in the agencies do know that 'NSA only back-doors' are nothing more than fantasy, but assuming they even care, odds are their bosses are just 'smart' enough to understand some technology (in this case backdoors into programs), yet not smart enough to grasp the entire picture (namely that backdoors work for everyone, not just a select few).

        Alternatively, and honestly at this point I would say more likely, they know full well that backdoors allow anyone access to a program/system/network, and they just don't care as long as it makes their immediate job easier.

        (Not to mention they have a vested interest in other systems and networks being hacked, as, much like the Sony hack, it allows them to push for even more power and laws in their favor, meaning they have yet another reason to not care about weakening security)

  • all your p3nis is belong to NSA, 16 Jan 2015 @ 6:35am

    from hackers with love

    please keep it weak ...no really

  • That One Guy, 16 Jan 2015 @ 6:57am

    No contradictions, just the usual double-standards

    There's actually not a contradiction here at all, the NSA and others like them are in favor of strong encryption for their systems. It's the encryption employed by everyone else that they want to undermine and destroy.

    As they have shown, they don't care what happens to the rest of us, but they treasure their security and privacy very highly indeed.

    This attitude is very widespread, from the NSA/GCHQ, all the way down to the police and local politicians, the idea of "Your privacy and rights can and will be sacrificed for 'public safety'/'National Security', but mine are untouchable because I'm one of the elite."

    • Anonymous Hero, 16 Jan 2015 @ 7:25am

      Re: No contradictions, just the usual double-standards

      The docs say that encryption is the best defense for US govt computers, as well as commercial, financial, private, etc, computers.

      The problem is that people who don't understand the technical aspects of computer security don't understand that they are asking to have their cake and eat it too. The "backdoor all the things!" policy will not happen for a few reasons:

      1. People don't like it because it's govt overreach (though govt doesn't much care about people).

      2. Companies don't like it because it hurts their sales (and thus hurts campaign donations).

      3. It's impossible to implement (people who don't understand the technical aspects also don't understand this point).

  • Anonymous Coward, 16 Jan 2015 @ 7:02am

    So, where's this document?

    "A secret US cybersecurity report"

    "The document from the US National Intelligence Council"

    "The advice, in a newly uncovered five-year forecast written in 2009"

  • Anonymous Coward, 16 Jan 2015 @ 7:07am

    Have you ever seen a gate with no fence?

    This is like the farmer who built a cow pasture and then put up a gate with no fence.

  • Anonymous Coward, 16 Jan 2015 @ 7:13am

    very sensible too, unless of course, you live in the UK where the incompetent and internet illiterate idiot who is Prime Minister, wants there to be NO encryption, so his security forces can join with the USA security forces and be able to spy on everyone, everywhere, doing everything! the fact that there would be so many breaches at just about everything doesn't matter!
    I have to ask myself how the hell does someone get a job like this? the brain power is staggeringly lacking!!

    • Call me Al, 16 Jan 2015 @ 8:12am

      Re:

      Terrorism with bombs and bullets is louder and more scary than hacking of personal information and it receives more column inches. The politicians therefore take the view that shouting about that is more likely to get them votes than to take a measured and reasonable response which includes explanation of complicated technical issues.

      They live in fear of an attack which leads to deaths and the immediate shouts from people and the media to say "You are to blame for not taking action earlier!"

      Essentially they think the electorate is dumb. Mostly it is.

    • Anonymous Coward, 16 Jan 2015 @ 8:27am

      Re:

      You are the one that doesn't understand. Without encryption and security, the hacks will take place at an alarming rate. This in turn will further justify the existence and expansion of global monitoring. Rinse, repeat.

      • Anonymous Coward, 16 Jan 2015 @ 9:13am

        Re: Re:

        Even with widespread encryption we would still be dealing with plenty of national security hacks. No matter what they'll always call for more pow- oh wait you meant the other type of hack

  • Pixelation, 16 Jan 2015 @ 8:00am

    Bears repeating

    When encryption becomes illegal, only criminals use encryption.

  • Anonymous Coward, 16 Jan 2015 @ 8:23am

    I was wondering... can Cameron go one month without bringing out the pedo card?

  • Anonymous Coward, 16 Jan 2015 @ 9:22am

    Encryption is not foolproof, but you should use it anyway

    TBH I didn't read David Cameron's speech as calling for an end to encryption. He said there "shouldn't be a message we aren't able to read", not "we should be able to read all messages from anyone, all the time". They may seem similar, but there is a distinction. Intelligence agencies are very adept at getting around encryption. One of the few places where encryption actually has a chance is for individuals who aren't known to law enforcement and don't communicate with other known individuals. For instance if you have an encrypted volume on hardware that hasn't been backdoored and a sufficiently strong passphrase committed to memory.

    Once individuals are identified, there are a number of methods that could be and are employed to circumvent the encryption (mal/spyware, MitM, black bag jobs, etc). In these cases, encryption works not as a total protection for users, but only up until they are targeted by intelligence agencies.

    I believe this is a reasonable tradeoff as long as the capabilities to compromise hardware remain limited to some degree. By no means a given in the changing world of technology, but enough to review and conduct oversight of the surveillance of a relatively small number of targets rather than trying to keep collected plaintext data private from analysts.

  • Eric Stein, 16 Jan 2015 @ 12:59pm

    If this is sanctioned by our government, our course will be clear.

  • Anonymous Coward, 16 Jan 2015 @ 3:26pm

    It appears the NSA and GCHQ are making us all less safe and secure. By undermining encryption standards and commercial software/hardware. This is a direct threat to our national security interests.

  • GEMont, 17 Jan 2015 @ 6:56pm

    Encryption would prevent spying on the Adversary!!

    Rant Warning
    ============

    "... that encryption is an essential part of protecting citizens against cyber-attacks."

    When the vast majority of "cyber" attacks on 5-Eyes citizens are coming directly from those governments' own Spy Agencies, encryption can only be perceived by those governments as an effective and therefore undesirable deterrent to their clandestine surveillance activities and the associated lucrative criminal enterprises those activities make possible.

    Since it has been shown repeatedly that almost no real effort is being spent in the actual pursuit of real criminals or real terrorists - usually to insure that crime and terror remain an effective excuse for demanding bigger and bigger budgets - and that the lion's share of all Five Eyes governments' efforts in this area are specifically spent spying on their own citizens, it should come as no surprise at all that any recommendation of implementing strong encryption nationwide in any Five Eyes nation will be perceived as counter productive by all current Five Eyes Governments and be buried as Top Secret.

    To put this in a simpler way, No Five Eyes Government has any desire whatsoever to initiate any process that might protect their citizens from Cyber Attacks, because those governments ARE the primary Cyber Attackers of their citizens.

    The simple truth, so obvious yet so hard to swallow that 99.9 % of the population simply refuse to see it, is that there is no government in any nation on earth today.

    Instead, members of organized crime and minions of multi-billionaire tycoons from Oil, Medicine, Tobacco, Booze, Insurance, Illegal Drugs and other massively wealthy industries, have usurped the halls of power for fun and profit, and have quietly rewritten the laws of the land to benefit only themselves and their friends.

    However, I have complete faith in the willing ignorance and self delusion capabilities of the general populations of earth and expect that this reality will continue to be unanimously and purposely avoided until such time as it is too late to effectively reverse the process.

    After all, human civilization has always failed in the past from this exact same state of affairs between the rich and poor. I see no reason to expect a change, just because nearly 50% of the world's population is now literate.

    On the other hand it is always fun to poke the beast with a sharp pointy stick, when you know there is no way to avoid the fact, that the beast will eventually eat you anyway.

    ---