CIA Director John Brennan Says Non-US Encryption Is 'Theoretical'
from the central-ignorance-agency? dept
You would think that someone in charge of the Central Intelligence Agency would have some knowledge about what he's discussing while at a Senate Hearing on intelligence. Perhaps not so much. CIA Director John Brennan completely incorrectly said last week that non-US encryption was "theoretical" despite there actually being hundreds of such products on the market.
This happened during an open Senate Intelligence Committee hearing, where Senator Ron Wyden got to ask Brennan a couple of questions. The first was about whether anyone at the CIA was being held accountable for failures during the CIA torture program, and the second was on the future of Section 702 of the FISA Amendments Act. Specifically, he asked whether or not the CIA could live without being able to do "backdoor searches" on 702 data -- basically asking what would happen if the CIA had to get a warrant to search that data. Director Brennan more or less dodged both questions, promising to get back to Wyden later and/or "in a different setting" (i.e., a classified one).
However, as part of the preamble before asking questions, Wyden briefly touched on the issue of requiring US companies to backdoor encryption -- the plan put forth by Senators Burr and Feinstein (Feinstein is sitting right next to Wyden while discussing this) -- saying that it won't work and is dangerous. He points out that putting restrictions on US companies won't much matter, because those who wish to do us harm will just use non-US encryption. Despite no question being asked on that topic, Brennan decided to weigh in anyway. You can see the exchange here:
I respectfully disagree with your opening comments. First of all, US companies dominate the international market as for... as encryption technologies that are available through these various apps. And I think we will continue to dominate them. So although you're right that there's the theoretical ability of foreign companies to be able to have those encryption capabilities that'll be available to others, I do believe that this country and this private sector is integral to addressing these issues. And I encourage this committee to continue to work on it.
Beyond being a bit jumbled, the idea that the issue is "theoretical" is flat out wrong. A recent paper by the Open Technology Institute looked at the 9 top encryption products recommended as "safe" to use by ISIS and pointed out that only one would be impacted by US regulation. And then there was the second study, done by the Berkman Center and led by Bruce Schneier, that was a worldwide study of encryption products and noted that there are 865 encryption products worldwide from 55 different countries -- and 546 of those products are non-US. It's true that the US has the most, but there's a pretty wide variety of other options. And the foreign products cover all different kinds of encryption. They found: "47 file encryption products, 68 e-mail encryption products, 104 message encryption products, 35 voice encryption products, and found 61 virtual private networking products."
To argue that this is somehow "theoretical" is beyond ridiculous. Even if it were true (and it doesn't appear to be) that those planning to do us harm currently use US products, it's pretty obvious that they would quickly move to foreign-based products if it became clear that the US products were required to provide a backdoor to law enforcement. Again, the only end result would be to make those who use the encryption for lawful purposes less safe.
Filed Under: cia, encryption, encryption backdoors, going dark, john brennan, non-us encryption, ron wyden
Reader Comments
Idiot or liar
Or put simply, he knows full well that what he's supporting would be both dangerous and useless at its stated purpose, but he's willing to lie to defend it anyway.
[ link to this | view in chronology ]
Re: Idiot or liar
* encryption
* technologies
* apps
* think
[ link to this | view in chronology ]
Re: Re: Idiot or liar
* ethical
[ link to this | view in chronology ]
If the USA starts to require backdoored encryption, the exact same thing will happen again.
[ link to this | view in chronology ]
Re:
The new game will be hunting and pecking for the next unbroken encryption that will likely become illegal in each nation, unless you are using theirs.
Yep, it will become a shit show. We are likely going to begin seeing more "Information Freedom" uprisings in the future, which is inevitable anyways. Greedy interests will always seek to artificially control markets.
[ link to this | view in chronology ]
Re:
I remember in the late 90's using OpenSSH/OpenBSD with all its crypto developed outside of the USA because of the US crypto export laws.
Had me scratching my head wondering why the land of the free was forced to import free software from other countries just to be secure.
[ link to this | view in chronology ]
Crypto "domination"
In saying this, he is either ignorant of or deliberately misrepresenting history.
Back when it was illegal for the US to export effective crypto, the effect was that outside of the government itself there was almost no serious crypto development being done in the US at all. The reason was obvious: if you developed it in the US, you couldn't sell it outside the US. If you developed it outside the US, however, the world was your oyster.
The result was that the US fell behind in crypto (Israel was the top dog in that realm instead).
The only reason that crypto development returned to the US in later years was the elimination of that law. However, excellent crypto development continues across the entire world as well.
If the US were to make effective crypto illegal by mandating back doors, there is no question what the effect would be: individuals will simply use imported crypto, and crypto development in the US will once again grind to an effective halt.
[ link to this | view in chronology ]
Re: Crypto "domination"
They really only need to tour their own racks to verify this. My guess is they will still find Checkpoint being used in a wide number of critical systems infrastructure applications, and still being patched regularly without source code audits.
[ link to this | view in chronology ]
Ransomware says he's wrong
[ link to this | view in chronology ]
What about the software that has been cracked?
If there is a 'preferred list of products' put out by the terrorists, our government would have put the effort into cracking those first.
[ link to this | view in chronology ]
Hey, he's not being that unreasonable.
Damn, I need to take a techdirt break, I didn't use to be so cynical...
[ link to this | view in chronology ]
Re: Hey, he's not being that unreasonable.
Their obvious bias makes for a good laugh
[ link to this | view in chronology ]
Then there's the venerable Blackberry
[ link to this | view in chronology ]
Re:
It's kinda hard to be more wrong! He is wrong cubed!
[ link to this | view in chronology ]
superscript
[ link to this | view in chronology ]
Re:
And the locals... if a corrupt politician gets shit for their locals they are not going anywhere.
The first sign of a corrupt politician is one that says vote for me and I will provide welfare!
[ link to this | view in chronology ]
Re: Wyden 20202
My point is that every Senator that's tried to cope with the "Intelligence Community" in the last 5-10 years has ended up going down in flames at their next re-election. Senators who cozy up to the IC have done a lot better. Is this coincidence? I think not. We'll never know, but I bet there's "Intelligence Community" interference in elections.
[ link to this | view in chronology ]
The U.S. government wised up back in the 90's when they wanted to force companies to install the Clipper Chip into everything to gain backdoor access. Of course later it was hacked. But the point was, it would have made Americans insecure and who would want to buy American Products?
While bad things happen, that's a tiny percentage of people, to the millions that would be screwed because of weak security. If you gain backdoor access, how does that STOP anything? Looking at a device after the fact stopped something. It's really simple to destroy phones before you do anything, if there was anything on the phone to begin with that would have been any help.
The police, FBI, whoever NEVER get 100% of the info they want. We have these things called Paper Shredders. Do those companies have to piece together documents for the FBI if they want something? Good luck with that one.
In the end, anyone with half a brain and wanted to do criminal things, maybe wouldn't trust an American Company and encryption anyway. You would install your own Encryption software, maybe something open sourced and vetted. Cheap Android phones you can toss, destroy at any time with your own Encryption software installed would be the smart move.
[ link to this | view in chronology ]
Re:
Which, honestly, is what everyone should have been doing already.
[ link to this | view in chronology ]
I'd be curious...
I suspect they'd have a conniption right there.
And yet they are incapable of seeing that scenario, or how this one is comparable to that one from the eyes of the rest of the world.
[ link to this | view in chronology ]
Re: I'd be curious...
Putting a backdoor into something means at some point someone will hack it. In the end the only people it hurts are Most of the Population of normal, everyday users, just trying to mind their own business. The Criminals will install any number of 3rd party Encryption software created outside of the U.S. and there's not a single thing the U.S. Government could ever do to stop it.
We are a Global Economy. These Governments trying to get their ways to spy on people and using the same weak excuse of Terrorists or Child Molesters. If that works for you, you might as well throw whatever rights you have left right out the window. It's such a TINY part of the General population and yet screws over the 99.9% of everyone else.
[ link to this | view in chronology ]
Re: Re: I'd be curious...
Those countries who have signed trade treaties with ISDS clause included.
[ link to this | view in chronology ]
Slight Mistake Here
That out of the way, there is a slight mistake in this rebuttal to Mr Brennan's comments. Mr Brennan is not arguing these foreign and open source products are not out there. He is arguing that even though all these other products exist, it's the US products like gmail and hotmail, US equipment like Cisco, and US software like MS Windows, Apple iOS, or Google Android, that everyone actually uses. These platforms "dominate the international market". Requiring these services to backdoor their encryption WOULD open up a lot of people to government and other searches. Pointing out all those other services is just knocking over your own straw man.
A much stronger argument that we should not do this comes in two parts:
1) That undermining encryption from these services may push users away from American business to foreign and open source options, ultimately hurting the American economy and driving users to even less-accessible options.
2) For the most part, terrorists can already use the foreign and more-strongly-encrypted services. Pushing mainstream users into those services increases the noise side of the signal/noise problem, making it harder to identify actionable intelligence when it's there.
[ link to this | view in chronology ]
Re: Re: Slight Mistake Here
When he says that I read him as saying not that the programs, etc., which people use for encrypted communication, are made in the US, but that the "encryption technologies" which underlie those programs are made in and/or come out of the US.
And to the extent that worldwide encryption technologies are based on accepted standards, which were standardized in the US (and, in at least some prominent cases, which were developed into standards in cooperation with and/or with input from the NSA), he may even be right.
[ link to this | view in chronology ]
If that's what he's saying it doesn't support his argument.
Suppose for a second you are a Brazilian developer working with some Italians on a Russian app that allows the user to encrypt his phone data.
Do you use the AES version 2009 which is pretty much unbreakable with current technologies?
Or do you use the AES version 2017 which the US government has backdoored?
Both are available to you. The 2009 version is free and open source.
[ link to this | view in chronology ]
Re: If that's what he's saying it doesn't support his argument.
Mind, I'm not saying that this is the case, just looking for ways to parse what he said such that it could make sense and be accurate (even if misleadingly so)...
[ link to this | view in chronology ]
Re: Re: Re: Slight Mistake Here
As to accepted standards, I'm not sure of the point. There is no need for people to adhere to the accepted standards unless they want other existing software to be able to decrypt it.
If those standards are backdoored (as some are found to be from time to time), what happens is that everyone stops using them, standard or not. Even if, for some reason, that didn't happen, that's still only a minor irritation. Everyone can still use nonstandardized crypto for their own needs -- they'd just have to supply the decryption code to anyone else who they want to be able to decrypt it.
If they don't want anyone else to be able to decrypt it, then there's not even that minor problem.
[ link to this | view in chronology ]
slightly might not mean what you think it does either.
[ link to this | view in chronology ]
It might be good for society
[ link to this | view in chronology ]
Scientific theory?
Regardless, it doesn't matter even if the US had a total monopoly on world encryption, backdooring it would still open communications up to hackers (among uncountable other unintended consequences).
[ link to this | view in chronology ]
Re: Re: Scientific theory?
I'd have hoped that would have bled out to the rest of the public. Guess not.
[ link to this | view in chronology ]
flat earth society
[ link to this | view in chronology ]
Re: flat earth society
They have a better chance than anyone who would represent their electorate, as the ability to ignore actual evidence, and what most people are saying, seems to be a prime requirement for being a politician.
[ link to this | view in chronology ]
I think everybody is taking this too seriously.
[ link to this | view in chronology ]
"Theoretical" means that other companies are LA LA LA NOT LISTENING!
Or: Americans use encryption, non-Americans use... something else. We don't know what it is, but it's bad and we should probably ban it.
[ link to this | view in chronology ]
This guy is an amateur
"Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones"
And the best Brennan could come up with is to label something "theoretical". Lazy FUD is lazy.
[ link to this | view in chronology ]
You're all arguing about whether he is right or not. It simply doesn't matter.
He doesn't care about external surveillance. He wants backdoors for internal purposes.
"Look over here, the US dominates worldwide encryption". And everyone scrambles to prove him wrong. Then what? How is proving that going to stop Congress from mandating domestic backdoors?
[ link to this | view in chronology ]
Re:
You may be correct that it doesn't matter, though that's a symptom of a much larger systematic failure... but who is arguing about Brennan being right?
As for "everyone scrambl[ing] to prove him wrong", that's not happening. Everyone is merely pointing out that Brennan has ALREADY been proven wrong. The work was done months ago, because everyone knew that this kind of lie was inevitable and wanted to have the data ready to prove it.
Do you have any suggestions for how better to fight against Congress pushing bad mandates other than pushing back on invalid assertions?
[ link to this | view in chronology ]
CIA John Brennan
[ link to this | view in chronology ]