Dept. Of Defense Defends Strong Encryption While Its Impetuous Child -- The NSA -- Continues To Lament The Coming Darkness

from the somewhat-admiral-able-(I-AM-SO-SORRY) dept

Between the FBI and the NSA, arguments against encryption that locks bad guys out (and, consequently, the government) have filled the air over the past several months. "Going dark" is the repeated concern, as if encryption would leave the nation's intelligence and investigative agencies without any options to pursue terrorists/child pornographers. It's all FUD and it's all dangerous, because carving small holes in encryption CARVES HOLES IN ENCRYPTION. Never mind the intended uses of golden keys/backdoors. A hole is a hole.

The Department of Defense seems to recognize this fact, making it one of the only government entities involved in fighting worldwide terrorism to openly do so. Bruce Schneier asked Admiral James Winnefeld Jr. (vice-chairman of the Joint Chiefs of Staff) a question about encryption during a recent cybersecurity summit (video here -- relevant part at 32:52) and received something almost entirely removed from the current party line.

Bruce Schneier: I'd like to hear you talk about this need to get beyond signatures and the more robust cyber defense and ask the industry to provide these technologies to make the infrastructure more secure. My question is, the only definition of "us" that makes sense is the world, is everybody. Any technologies that we've developed and built will be used by everyone -- nation-state and non-nation-state. So anything we do to increase our resilience, infrastructure, and security will naturally make Admiral Rogers's both intelligence and attack jobs much harder. Are you okay with that?

Admiral James A. Winnefeld: Yes. I think Mike's okay with that, also. That's a really, really good question. We call that IGL. Anyone know what IGL stands for? Intel gain-loss. And there's this constant tension between the operational community and the intelligence community when a military action could cause the loss of a critical intelligence node. We live this every day. In fact, in ancient times, when we were collecting actual signals in the air, we would be on the operational side, "I want to take down that emitter so it'll make it safer for my airplanes to penetrate the airspace," and they're saying, "No, you've got to keep that emitter up, because I'm getting all kinds of intelligence from it." So this is a familiar problem. But I think we all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike on the intelligence side than very vulnerable networks and an easy problem for Mike. And part of that -- it's not only the right thing to do, but part of that goes to the fact that we are more vulnerable than any other country in the world, on our dependence on cyber. I'm also very confident that Mike has some very clever people working for him. He might actually still be able to get some work done. But it's an excellent question. It really is.

Fittingly, the Department of Defense recognizes the importance of defense. Adding backdoors to encryption weakens defenses, including those used by government agencies and operatives. You can't simply introduce circumvention and pray that nobody other than approved parties makes use of it. The FBI/NSA's obsession with government-ordered peepholes makes everything worse for everyone, not just their intended targets.

But these agencies are wholly unconcerned about collateral damage. It's clearly evident from their bulk surveillance programs and use of intercepts that gather everything before searching the data haul for incriminating material or useful intel. Encryption is at odds with haystacking, which these agencies continue to prize highly (and defend heatedly) despite clear evidence that intelligence gathering like this is inefficient at best, and wholly useless at worst.

Schneier goes on to point out that Admiral Mike Rogers, the head of the NSA, continues to push a narrative at odds with the DoD official's answer. Two weeks after this conference, Rogers gave a keynote address at CyCon, repeating his unfounded belief that encryption can be "safely" bypassed without compromising it.

Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so "why can't we create a similar kind of framework within the internet and the digital age?"

He added: "I certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we shouldn't allow any means for the government to access information. I would argue that's not in the nation's best long term interest, that we've got to create some structure that should enable us to do that mindful that it has to be done in a legal way and mindful that it shouldn't be something arbitrary."

So, the Dept. of Defense says one thing, Mike Rogers (who was in the audience at the first conference) nods in agreement, and then goes on to contradict the stance of those helming the department directly above it in the government's organizational chart.

Rogers' nod to privacy is every bit as meaningless as his faux nod in agreement to Winnefeld's statement. There's very little being done by the NSA to "ensure" the "privacy" of American citizens. One only has to look at its purposeful weakening of NIST standards to see evidence of that. The FBI and NSA are more than willing to respect citizens' rights, but only if doing so doesn't make their intelligence gathering any more difficult. Privacy is always subservient to these agencies' ends, no matter how many statements they offer up that begin with lip service to privacy before adding, "but…"

Filed Under: admiral mike rogers, bruce schneier, defense department, encryption, going dark, igl, james winnefeld, nsa, strong encryption


Reader Comments

  1. Anonymous Coward, 6 Jul 2015 @ 8:51am

    I think the war on encryption is mostly a foil to hide the fact that they're so good at compromising endpoints.

  2. Not an Electronic Rodent, 6 Jul 2015 @ 9:07am

    Do these guys play deliberately dumb?

    Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so "why can't we create a similar kind of framework within the internet and the digital age?"

    Is it artful or dumb to mistake infrastructure for data like this?
    He's talking about physical intercept of phonecalls - something that it seems the NSA still have on the internet more-or-less as they hoover up all passing traffic at some of the key nodes.

    This has nothing to do with encryption - in his phone scenario; sure you can intercept the call, but if the guy on the other end says, "The Pork-chop Express rides when the Ptarmigan flies South" you're still not going to be any the wiser.

  3. Anonymous Coward, 6 Jul 2015 @ 9:10am

    repeating his unfounded belief that encryption can be "safely" bypassed without compromising it.

    That's like saying design our tank armour so that we can defeat it if our tanks are captured, but the enemy cannot while we control them.

  4. Anonymous Coward, 6 Jul 2015 @ 9:12am

    Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so "why can't we create a similar kind of framework within the internet and the digital age?"

    Rogers confuses two problems, whether due to ignorance or malice. One problem is acquiring a copy of the transmitted data in the form it was sent. The other problem is converting captured data into usable information.

    With the phone system, capturing the data is provided by CALEA et al. Converting captured data into information is easy, because almost all data sent over the phone system is voices, rarely in code, and rarely in anything other than a major human language (English, Spanish, German, Arabic, etc.). Thus, once the data is captured, playing it back as sound to someone who speaks the relevant language lets that person (or machine, in the case of machine transcription of voices) convert the data into information. It may be a bit slow if transcribed by hand, but it is not a difficult problem, and it can scale easily by assigning additional transcribers.

    With the Internet, capturing data is a bit harder, but still easily done with a court order or a bit of unlawful entry. Converting the data to information may be easy or may be difficult, depending on whether it was sent "in the clear" (e.g. HTTP, POP3) or encrypted and depending on whether it is some esoteric format (Navajo) or something common (English).

    Rogers confuses the idea of capturing data with the idea of converting it into information. Converting it to information has always depended on the target's (probably unintentional) compliance with the surveillance. A CALEA tap will yield data, but will not yield usable information if the target does everything in a code that the eavesdropper cannot understand. The phone system makes that too much trouble for most people to do, so CALEA taps tend to yield information easily.

    Incidentally, he also makes the mistake of assuming that because something can be easy, that it therefore should be done. By that token, I could argue that it is easy for most NSA employees to quit their jobs, therefore they can and should do so.

  5. theOtherDude, 6 Jul 2015 @ 9:24am

    Hmmmmmmmmmmmm

    Doesn't it say somewhere we have a right to be secure in our person and papers, can't remember where I read that.

  6. Ninja, 6 Jul 2015 @ 10:37am

    Re:

    By that token, I could argue that it is easy for most NSA employees to quit their jobs, therefore they can and should do so.

    I'd love to see that. Considering the agency is actively ignoring the Constitution anybody that works under it that's not corrupted should go Snowden.

  7. Mason Wheeler, 6 Jul 2015 @ 11:23am

    Encryption is at odds with haystacking, which these agencies continue to prize highly (and defend heatedly) despite clear evidence that intelligence gathering like this is inefficient at best, and wholly useless at worst.

    I wouldn't say that. "Useless" implies that its utility value is 0, but didn't the 9/11 Commission discover that having too low of a signal/noise ratio was part of the reason that the hijackers were never apprehended before they got on those planes?

    Seems to me the appropriate term for the "at worst" case is "actively harmful"...

  8. John Fenderson, 6 Jul 2015 @ 11:36am

    Re:

    Also, whether or not it's useless depends on the purpose of the collection. At this point, I think it's pretty clear that detecting terrorism is not the primary purpose.

  9. nasch, 6 Jul 2015 @ 12:27pm

    Bad sentence

    It's clearly evident from their bulk surveillance programs and use of intercepts that gather everything before searching the data haul for incriminating material or useful intel.

    That sentence has problems. Perhaps a missing "they".

  10. Anonymous Coward, 6 Jul 2015 @ 1:13pm

    Re:

    ...design our tank armour so that we can defeat it...but the enemy cannot...

    There's a story out of the Desert Storm campaign during the 'left hook' that moved so fast that their support couldn't keep up, though not fast enough for the senior command. One US tank company had an M1 mechanically fail, and since they were on an exposed flank they didn't want to leave it. But because their supporting companies were still catching up to them and they needed to press on their attack they decided to shoot the tank and destroy it. Supposedly everybody watched as a 'sabot' shot ricocheted straight up into the air; none of them had seen that before. Then everybody realized that round was going to come back down somewhere, thus everybody rushed to go somewhere else fast.

    A second 'sabot' successfully destroyed the broken tank.

  11. Digitari, 6 Jul 2015 @ 1:23pm

    I hate to admit this..........

    My Nephew works at the NSA, he is quite a bright kid. We have not spoken or communicated in about a decade....I "think" he's a data analyst.






    (Hi Travis)

  12. Anonymous Coward, 6 Jul 2015 @ 2:10pm

    Re: I hate to admit this..........

    I think it is a couple years past time to reopen communications and exert a bit of family pressure for him to go get a more upstanding job, like spamming or telemarketing. If he's bright, and can find someone not too jaded, he may even be able to get honest work relevant to his expertise (e.g. private IT).

  13. Kevin, 6 Jul 2015 @ 2:59pm

    Haystacking = bad

    Again, I re-iterate.
    If you gather data in a computer, they will steal it.

    And this goes double for the NSA piling a gold mine of info in one spot and then expecting China or Russia won't hack it, bribe some guy at the front desk, bribe or lean on some cleaner, etc etc.

    Most places are secure against ordinary hacking.
    But are you secure against a nation state ready to drop a billion dollars on the project?

    I seriously doubt it.

    What you gather, they will take.

  14. ADW_d5kL, 6 Jul 2015 @ 3:07pm

    Re: Hmmmmmmmmmmmm

    Agreed, however…

    You Americans need to learn to extend your human rights globally. To quote Jean Luc Picard:

    “When children learn to devalue others, they can devalue anyone - including their parents.”

  15. wgfgGE3, 6 Jul 2015 @ 3:10pm

    "why can't we create a similar kind of framework within the internet and the digital age?"

    Well, how do I put this? It is YOU that we need protecting from above all else!

    Put Clapper in prison and then come talk to us.

  16. Anonymous Coward, 6 Jul 2015 @ 7:43pm

    Re: Haystacking = bad

    In my view, the real problem is that the collected information is ALREADY taken as or before it gets "haystacked". The real professionals have already grabbed it.

  17. Uriel-238, 6 Jul 2015 @ 7:44pm

    Setec Astronomy

    I think they want a robust unbreakable encryption, and then want a fancy magic box that is prohibitively expensive for the alleged bad guys that can decrypt it.

    The problem is, it's going to be prohibitively expensive for all the precincts that want to use it.

    And the bad guys will figure out how to emulate one cheaply.

  18. Anonymous Coward, 6 Jul 2015 @ 9:25pm

    Admiral James A. Winnefeld gave a very intelligent answer to Bruce's question. I'm glad we at least have some smart people working in government. We need more Admiral Winnefelds.

  19. That One Guy, 6 Jul 2015 @ 10:03pm

    Re: Haystacking = bad

    Ah, but you see you forgot something important:

    They don't care.

    They don't care if, after gathering all the data, they get hacked and all that data is grabbed by a random third party, so long as they still have it, and as long as the data grabbed doesn't impact them in some way.

    Always remember, they don't care one bit about the lives or rights or privacy of the citizenry, so why should they care if those things are negatively impacted, whether through their actions directly, or someone else's actions thanks to them?

  20. Pragmatic, 7 Jul 2015 @ 3:15am

    Re: Re:

    I bet they're selling our data.

  21. Uriel-238, 7 Jul 2015 @ 10:43am

    Everyone has a price.

    It was a known issue in the cold war (though I don't remember the term for it), that even your patriotic spy-plane engineer at Lockheed would sell designs and specs at a price. It was just an enormous price beyond the benefit gained.

    The US had to secure data based on what they expected the enemy (Soviet or otherwise) would spend to acquire it. Cheap spies and traitors are easy to dissuade. When the price goes up, higher-ranking officers and hackers and thieves with skill start entering the pool.

    And yeah, the NSA has created such a very big jewel, and is leaving it open to so many technician potentials.

  22. Uriel-238, 7 Jul 2015 @ 11:53am

    NSA selling our private data

    That is so scary a possibility that it begs to be true.

    It's absolutely the terrible reveal of some cyberpunk political horror thriller.

  23. WillSee, 7 Jul 2015 @ 6:53pm

    Backdoors

    A backdoor into encryption is like passing a law that all houses have to have a key hidden under the doormat, with a note "only for use of the good guys" on it -- we all know the criminals will honor that and not use it.

  24. GEMont, 7 Jul 2015 @ 8:10pm

    Re: Hmmmmmmmmmmmm

    That would be your old "con-stitution" methinks, but since 911, it's now called your new "pro-stitution" and it says pretty much the opposite of what the old document used to say, so that line would now read something like:

    "... have no right to be secure in their person and papers..."

    Gotta keep up with the time man - progress and all that ye know.

    ---

  25. The Wanderer, 25 Sep 2015 @ 9:12am

    Re: Bad sentence

    No, the sentence is valid; it's just using some slightly unintuitive grouping.

    Combined with the previous sentence, it's saying:

    "From their bulk surveillance programs, and from their use of intercepts that gather everything before searching the data haul for incriminating material or useful intel, it's clearly evident that these agencies are wholly unconcerned about collateral damage."

  26. nasch, 25 Sep 2015 @ 9:40am

    Re: Re: Bad sentence

    I see, it was an ambiguous pronoun. The sentence could have been written better to make it clear what "it" was referring to.

  27. The Wanderer, 25 Sep 2015 @ 12:00pm

    Re: Re: Re: Bad sentence

    I'll agree on that point.

  28. Anonymous Coward, 12 Dec 2019 @ 1:51am

    Strong encryption is still a first amendment right. Most encryption over the internet isn't very strong.
