Dept. Of Defense Defends Strong Encryption While Its Impetuous Child -- The NSA -- Continues To Lament The Coming Darkness
from the somewhat-admiral-able-(I-AM-SO-SORRY) dept
Between the FBI and the NSA, arguments against encryption that locks bad guys out (and, consequently, the government) have filled the air over the past several months. "Going dark" is the repeated concern, as if encryption would leave the nation's intelligence and investigative agencies without any options to pursue terrorists/child pornographers. It's all FUD and it's all dangerous, because carving small holes in encryption CARVES HOLES IN ENCRYPTION. Never mind the intended uses of golden keys/backdoors. A hole is a hole.
The Department of Defense seems to recognize this fact, making it one of the only government entities involved in fighting worldwide terrorism to openly do so. Bruce Schneier asked Admiral James Winnefeld Jr. (vice-chairman of the Joint Chiefs of Staff) a question about encryption during a recent cybersecurity summit (video here -- relevant part at 32:52) and received something almost entirely removed from the current party line.
Bruce Schneier: I'd like to hear you talk about this need to get beyond signatures and the more robust cyber defense and ask the industry to provide these technologies to make the infrastructure more secure. My question is, the only definition of "us" that makes sense is the world, is everybody. Any technologies that we've developed and built will be used by everyone -- nation-state and non-nation-state. So anything we do to increase our resilience, infrastructure, and security will naturally make Admiral Rogers's both intelligence and attack jobs much harder. Are you okay with that?Fittingly, the Department of Defense recognizes the importance of defense. Adding backdoors to encryption weakens defenses, including those used by government agencies and operatives. You can't simply introduce circumvention and pray that nobody other than approved parties make use of it. The FBI/NSA's obsession with government-ordered peepholes makes everything worse for everyone, not just their intended targets.
Admiral James A. Winnefeld: Yes. I think Mike's okay with that, also. That's a really, really good question. We call that IGL. Anyone know what IGL stands for? Intel gain-loss. And there's this constant tension between the operational community and the intelligence community when a military action could cause the loss of a critical intelligence node. We live this every day. In fact, in ancient times, when we were collecting actual signals in the air, we would be on the operational side, "I want to take down that emitter so it'll make it safer for my airplanes to penetrate the airspace," and they're saying, "No, you've got to keep that emitter up, because I'm getting all kinds of intelligence from it." So this is a familiar problem. But I think we all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike on the intelligence side than very vulnerable networks and an easy problem for Mike. And part of that -- it's not only the right thing do, but part of that goes to the fact that we are more vulnerable than any other country in the world, on our dependence on cyber. I'm also very confident that Mike has some very clever people working for him. He might actually still be able to get some work done. But it's an excellent question. It really is.
But these agencies are wholly unconcerned about collateral damage. It's clearly evident from their bulk surveillance programs and use of intercepts that gather everything before searching the data haul for incriminating material or useful intel. Encryption is at odds with haystacking, which these agencies continue to prize highly (and defend heatedly) despite clear evidence that intelligence gathering like this is inefficient at best, and wholly useless at worst.
Schneier goes on to point out that Admiral Mike Rogers, the head of the NSA, continues to push a narrative at odds with the DoD official's answer. Two weeks after this conference, Rogers gave a keynote address at CyCon, repeating his unfounded belief that encryption can be "safely" bypassed without compromising it.
Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so "why can't we create a similar kind of framework within the internet and the digital age?"So, the Dept. of Defense says one thing, Mike Rogers (who was in the audience at the first conference) nods in agreement, and then goes on to contradict the stance of those helming the department directly above it in the government's organizational chart.
He added: "I certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we shouldn't allow any means for the government to access information. I would argue that's not in the nation's best long term interest, that we've got to create some structure that should enable us to do that mindful that it has to be done in a legal way and mindful that it shouldn't be something arbitrary."
Rogers' nod to privacy is every bit as meaningless as his faux nod in agreement to Winnefeld's statement. There's very little being done by the NSA to "ensure" the "privacy" of American citizens. One only has to look at its purposeful weakening of NIST standards to see evidence of that. The FBI and NSA are more than willing to respect citizens' rights, but only if doing so doesn't make their intelligence gathering any more difficult. Privacy is always subservient to these agencies' ends, no matter how many statements they offer up that begin with lip service to privacy before adding, "but…"
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: admiral mike rogers, bruce schneier, defense department, encryption, going dark, igl, james winnefeld, nsa, strong encryption
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Do these guys play deliberately dumb?
He's talking about physical intercept of phonecalls - something that it seems the NSA still have on the internet more-or-less as they hoover up all passing traffic at some of the key nodes.
This has nothing to do with encryption - in his phone scenario; sure you can intercept the call, but if the guy on the other end says, "The Pork-chop Express rides when the Ptarmigan flies South" you're still not going to be any the wiser.
[ link to this | view in thread ]
[ link to this | view in thread ]
With the phone system, capturing the data is provided by CALEA et al. Converting captured data into information is easy, because almost all data sent over the phone system is voices, rarely in code, and rarely in anything other than a major human language (English, Spanish, German, Arabic, etc.). Thus, once the data is captured, playing it back as sound to someone who speaks the relevant language lets that person (or machine, in the case of machine transcription of voices) convert the data into information. It may be a bit slow if transcribed by hand, but it is not a difficult problem, and it can scale easily by assigning additional transcribers.
With the Internet, capturing data is a bit harder, but still easily done with a court order or a bit of unlawful entry. Converting the data to information may be easy or may be difficult, depending on whether it was sent "in the clear" (e.g. HTTP, POP3) or encrypted and depending on whether it is some esoteric format (Navajo) or something common (English).
Rogers confuses the idea of capturing data with the idea of converting it into information. Converting it to information has always depended on the target's (probably unintentional) compliance with the surveillance. A CALEA tap will yield data, but will not yield usable information if the target does everything in a code that the eavesdropper cannot understand. The phone system makes that too much trouble for most people to do, so CALEA taps tend to yield information easily.
Incidentally, he also makes the mistake of assuming that because something can be easy, that it therefore should be done. By that token, I could argue that it is easy for most NSA employees to quit their jobs, therefore they can and should do so.
[ link to this | view in thread ]
Hmmmmmmmmmmmm
[ link to this | view in thread ]
Re:
I'd love to see that. Considering the agency is actively ignoring the Constitution anybody that works under it that's not corrupted should go Snowden.
[ link to this | view in thread ]
I wouldn't say that. "Useless" implies that its utility value is 0, but didn't the 9/11 Commission discover that having too low of a signal/noise ratio was part of the reason that the hijackers were never apprehended before they got on those planes?
Seems to me the appropriate term for the "at worst" case is "actively harmful"...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Bad sentence
That sentence has problems. Perhaps a missing "they".
[ link to this | view in thread ]
Re:
There's a story out of the Desert Storm campaign during the 'left hook' that moved faster that their support couldn't keep up, though not fast enough for the senior command. One US tank company had a M1 mechanically fail, and since they were on an exposed flank they didn't want to leave it. But because their supporting companies were still catching up to them and they needed to press on their attack they decided to shoot the tank and destroy it. Supposedly everybody watched as a 'sabot' shot ricocheted straight up into the air; none of them had seen that before. Then everybody realized that round was going to come back down somewhere, thus everybody rushed to go somewhere else fast.
A second 'sabot' successfully destroyed the broken tank.
[ link to this | view in thread ]
I hate to admit this..........
(Hi Travis)
[ link to this | view in thread ]
Re: I hate to admit this..........
[ link to this | view in thread ]
Haystacking = bad
If you gather data in a computer, they will steal it.
And this goes double for the NSA piling a gold mine of info in one spot and then expecting china or russia won't hack it, bribe some guy at the front desk , bribe or lean on some cleaner , etc etc.
Most places are secure against ordinary hacking.
But are you secure against a nation state ready to drop a billion dollars on the project ?
I seriously doubt it.
What you gather, they will take.
[ link to this | view in thread ]
Re: Hmmmmmmmmmmmm
You Americans need to learn to extend you human rights globally. To quote Jean Luc Picard:
“When children learn to devalue others, they can devalue anyone - including their parents.”
[ link to this | view in thread ]
Well, how do I put this? It is YOU that we need protecting from above all else!
Put Clapper in prison and then come talk to us.
[ link to this | view in thread ]
Re: Haystacking = bad
[ link to this | view in thread ]
Setec Astronomy
The problem is, it's going to be prohibitively expensive for all the precincts that want to use it.
And the bad guys will figure out how to emulate one cheaply.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Haystacking = bad
They don't care.
They don't care if, after gathering all the data, they get hacked and all that data is grabbed by a random third party, so long as they still have it, and as long as the data grabbed doesn't impact them in some way.
Always remember, they don't care one bit about the lives or rights or privacy of the citizenry, so why should they care if those things are negatively impacted, whether through their actions directly, or someone else's actions thanks to them?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Everyone has a price.
The US had to secure data based on what they expected the enemy (Soviet or otherwise) would spend to acquire it. Cheap spies and traitors are easy to dissuade. When the price goes up, higher-ranking officers and hackers and thieves with skill start entering the pool.
And yeah, the NSA has created such a very big jewel, and is leaving it open to so many technician potentials.
[ link to this | view in thread ]
NSA selling our private data
It's absolutely the terrible reveal of some cyberpunk political horror thriller.
[ link to this | view in thread ]
Backdoors
[ link to this | view in thread ]
Re: Hmmmmmmmmmmmm
"... have no right to be secure in their person and papers..."
Gotta keep up with the time man - progress and all that ye know.
---
[ link to this | view in thread ]
Re: Bad sentence
Combined with the previous sentence, it's saying:
"From their bulk surveillance programs, and from their use of intercepts that gather everything before searching the data haul for incriminating material or useful intel, it's clearly evident that these agencies are wholly unconcerned about collateral damage."
[ link to this | view in thread ]
Re: Re: Bad sentence
[ link to this | view in thread ]
Re: Re: Re: Bad sentence
[ link to this | view in thread ]
Strong encryption is still a first amendment right. Most encryption over the internet isn't very strong.
[ link to this | view in thread ]