Defense Department To Congress: 'No, Wait, Encryption Is Actually Good; Don't Break It'
from the seems-important dept
As Senate Judiciary Committee Chair Lindsey Graham continues his latest quest to undermine encryption, with a hearing whose sole purpose seemed to be to misleadingly argue that encryption represents a "risk to public safety," the Defense Department has weighed in to say that's ridiculous. As you may recall, the DOJ and the FBI have been working overtime to demonize encryption and pretend -- against nearly all evidence -- that widespread, strong encryption somehow undermines their ability to stop criminals.
However, it appears that other parts of the government are a bit more up to date on these things. Representative Ro Khanna has forwarded a letter to Senator Graham that he received earlier this year from the Defense Department's CIO Dana Deasy, explaining just how important encryption actually is. The letter highlights how DoD employees rely on the kind of strong encryption found on mobile devices and in VPN services to protect the data of their employees, both at rest (on the devices) and in transit (across the network).
All DoD issued unclassified mobile devices are required to be password protected using strong passwords. The Department also requires that data-in-transit, on DoD issued mobile devices, be encrypted (e.g. VPN) to protect DoD information and resources. The importance of strong encryption and VPNs for our mobile workforce is imperative. Last October, the Department outlined its layered cybersecurity approach to protect DoD information and resources, including service men and women, when using mobile communications capabilities.
[....]
As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources. The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.
So, there you have it. The Defense Department believes that strong, unbroken encryption is critical to national security, as opposed to the DOJ which appears to think (incorrectly) that it undermines national security. At the very least, this should mean that politicians should stop uncritically claiming that encryption is some sort of "debate" between privacy and national security. It is not. Encryption protects both of those things. Breaking encryption harms both privacy and national security... in the hopes that it might make law enforcement's job marginally easier.
Filed Under: backdoors, dana deasy, defense department, dod, encryption, lindsey graham, ro khanna
Reader Comments
A rose by any other name
At a minimum there is a conflict as to what constitutes 'national security'.
For the DoJ it's anything they feel like pursuing or that they can't readily commit to surveillance within the bounds of the Constitution, or might make them work harder, even if the information they pass around is co-opted by those they pursue. For the DoD it is all the information they pass around that might benefit enemies of the United States, probably including but not limited to security arrangements, operational plans, etc.
I have heard some things being referred to as 'national security' or related to such that I have a very hard time discerning what it is about those things that is in fact related to our 'national security'. Some of our post WWII conflicts meet this criteria, depending upon how one feels about the domino effect. Many of our state department/CIA interventions in foreign countries meet this criteria. Some law enforcement actions (the sale or gift of military equipment to local law enforcement departments) definitely meet this criteria. Calling some definitely criminal actions 'terrorism' when it is merely criminal might meet that criteria.
In the end, the term 'national security' really depends upon the intent of the speaker, no matter how much their rhetoric attempts to lead one in another direction. Too often that phrase is wielded to achieve ends that don't require the means.
[ link to this | view in chronology ]
Re: A rose by any other name
It is because of this disparity in definition that we need strong encryption with a backdoor for government use only! Our government, of course, because we all know that nothing leaks from any part of the US government.
[ link to this | view in chronology ]
There's no conflict here. Both agencies believe strong, unbroken encryption is critical to national security - when only the government has it - and undermines national security when the proles can get up to things outside of the view of their betters.
[ link to this | view in chronology ]
Re:
Except the DOD is worried about use of mobile phones and the Internet by service people keeping in touch with their families.
[ link to this | view in chronology ]
Loose lips sink ships
[ link to this | view in chronology ]
Re:
Weak encryption breaks transmission
[ link to this | view in chronology ]
Republicans no longer care about national security. Arguably never did. They want to lord over a captive population, no matter what it costs. Full stop.
[ link to this | view in chronology ]
Re:
Really? That's beyond a laughable statement.
[ link to this | view in chronology ]
Re: Re:
No, no - there are a lot of people here who seriously think this is a GOP thing alone.
[ link to this | view in chronology ]
Re: Re: Re:
I’m no cobbler bro. But if the shoe fits...
[ link to this | view in chronology ]
Re:
"Republicans no longer care about national security. Arguably never did. They want to lord over a captive population, no matter what it costs. Full stop."
...as do the democrats. You can argue that the dems are more concerned with liberal values and individual liberty than republicans and you'd be right...
...but take it from someone coming from a nation which prides itself on liberal values; it doesn't take long before you get a spokesperson for the liberals standing up and saying stuff like "for the benefit of society as a whole we can not afford luxuries like personal integrity".
Basically every politician who comes to power WILL try to jettison as many of the citizenry's freedoms as possible, the very second they turn out to be an inconvenience to the current agenda. Obama's war on whistleblowers closely mimicked GWB's - and for the exact same reason.
The only safeguard we have is that as soon as a politician tries to go down that road the voters need to ensure that politician's party will no longer be in power after the next election.
And that's hard to get the lazy voter to do because even outside of the US people tend to stick to their chosen parties come hell or high water.
[ link to this | view in chronology ]
Re: Re:
Yeah... Obama basically governed as Bush III lite. The Establishment Dems are no different from the Reagan and Bush-era Republicans. Why? They've moved hard to the right to ward off the threat of being associated with socialism, thereby making actual socialism increasingly popular. There's only so much scare-mongering you can do till it ultimately backfires.
[ link to this | view in chronology ]
Earlier this year, I moderated a panel with AccessNow's (now Silicon Flatirons') Amie Stepanovich, and EFF General Counsel Kurt Opsahl on this topic (although looking at it working from Australia (at the time of the panel submission, they were the only one, although a week or two before the panel was held, Barr came out in favor)).
You can see it here
https://www.youtube.com/watch?v=rI3uEATDxIk
And yes, Strong Encryption is good. One of the other panels is hosted by a friend of mine, Elonka Dunin, and she has cryptography as a hobby. And by Hobby I mean 'she's writing a book on it, has social engineered her way into CIA HQ to see the Kryptos statue in the past, and filmed a documentary on it earlier this year'. She has a list of other encryptions, still not broken today - Beale, Elgar, Voynich Manuscript, and of course, Kryptos. (For those that don't know, Kryptos is a sculpture in the grounds of the CIA HQ put there in 1991, and has 4 codes on it. 3 have been broken, the 4th hasn't. The CIA and NSA have been working on it (in competition) for almost 30 years now, even with those who made it dropping clues.)
Video here
https://www.youtube.com/watch?v=h1Mb74yGbX4
Encryption can be hard to break, unless you know there's a key that's always going to work, so you can attack that key. After all, why attack a key that can only unlock that one thing, when you can go for a key that unlocks that thing AND everything else.
And as soon as that key leaks, that's it, there's no security at all. Prime example are the travelsafe TSA locks. They have as much security as a velcro loop, because anyone can unlock them with an easily available key.
Excellent video by Lockpick lawyer here.
https://www.youtube.com/watch?v=GhESSMvf_to
[ link to this | view in chronology ]
Re:
Well, not everything else. Criminals will double-encrypt so it looks like they're using the "standard" escrowed crypto. (Or, like the brute-force attack on the Clipper chip's LEAF, there may be a more direct way to fake it.)
[ link to this | view in chronology ]
yep
DOD: BRO THEY FOUND THE NUDES.
[ link to this | view in chronology ]
Ask Lindsey Graham, just how well it worked with Fitbit with no encryption. Using the data from Fitbit, they were able to reconstruct the paths that military members wearing the device made.
If we can reconstruct so can anyone else, including what are deemed the enemy.
Let's not forget that without encryption, banking on line would all but cease to function. Making holes in that encryption will only open the path up for more scammers and hackers to find a way in. There is no such thing as a little bit pregnant. Nor is there any such thing as a little bit of encryption. It is either secure or it is not.
So what happened to all the cop methods and spy methods long before encryption spread to catch the bad guys? I mean encryption has been with us for a long long time. Certainly going back to the days of Roman messengers carrying encoded message canisters requiring you to know the key to make sense of the message. This is not a new thing just started happening during the internet days.
It appears to me that the LEO forces want to have everything handed to them so they don't actually have to do their jobs. No one said that putting effort into finding and capturing the bad guys was easy.
[ link to this | view in chronology ]
Re:
Not really, security is a continuum. What is secure enough for online banking may not be sufficient for, say, battlefield communications or top secret documents.
[ link to this | view in chronology ]
Re: Re:
Other way around.
Battlefield comms only have a limited window of utility, like a week, then they're no good.
They're also all collectively controlled by effectively the same entity, so changing it is feasible.
Banking has a LONG window of utility. MY bank account now is still my bank account next year. And good luck getting Granny Midnight-flasher to upgrade her browser to allow a new encryption system. She has IE4 and it's always worked in the past so why won't it work now?
[ link to this | view in chronology ]
Re: Re: Re:
No, your bank account becomes worthless if enough battlefield communications fail because failing battlefield communications can lead directly to failing central banks, and failing FDIC insurance.
[ link to this | view in chronology ]
Re: Re: Re:
I was referring to encryption in transit. If the enemy is listening to your radio traffic, that's seriously no bueno.
[ link to this | view in chronology ]
If encryption is a munition, why isn't it protected by the 2nd amendment? Also, isn't it my 1st amendment right to communicate any series of characters or codes I see fit?
[ link to this | view in chronology ]
Re:
"If encryption is a munition, why isn't it protected by the 2nd amendment?"
It is. Encryption is THE defensive weapon in the digital venue. If the NRA was indeed into citizen defense rather than just a spin department for large gun manufacturers then they'd be backing encryption the same way they did physical guns and not a single republican would ever dare raise the issue of backdoors.
But as things stand the NGOs advocating encryption tend to be less...malicious...than the NRA and tend not to engage in large mudslinging campaigns against hostile senators and congressmen so they don't have the same impact.
[ link to this | view in chronology ]
Re:
Banned in certain states, requiring governmental approval in others?
Under Junger v. Daley, maybe. (That case said ciphersystems were protected speech, without considering ciphertext.)
[ link to this | view in chronology ]
Re: Re:
Are you saying there are states where guns are banned?
[ link to this | view in chronology ]
Strong encryption is still a first amendment right. Most encryption over the internet isn't very strong.
[ link to this | view in chronology ]
Re:
The fundamental algorithms aren't the problem, the massive expansion of hacking and distributed computing resources to solve the difficult problems is the issue.
[ link to this | view in chronology ]
Re:
"Most encryption over the internet isn't very strong."
That depends on what the heck you mean by "most". HTTP? Yea, that's basically cleartext. HTTPS? Secure enough for most purposes, which is why there isn't a Russian crime consortium emptying the bank accounts of everyone trying to do online transactions.
Encryption, by default, is always strong enough.
What makes this less secure would be the disturbing amount of cracked end points. Your bank vault is secure all the way until the combination and key is compromised.
[ link to this | view in chronology ]
Encryption for the powerful, plaintext for the weak.
[ link to this | view in chronology ]
National Security vs Notional Security
[ link to this | view in chronology ]