Should we wait for an attack to define U.S. encryption policy?

on September 17 | in cyber, NSA, surveillance

Print Friendly

The Washington Post ran a fascinating article yesterday about the Obama Administration’s internal deliberations regarding the “Going Dark” problem. The story includes a draft National Security Council memo that considers various options for the Administration’s strategic approach to the growing use of encryption. I’m not going to comment here on the substance of the memo, which stands on its own and which I encourage everyone to read. I do, however, want to comment on one specific issue raised by the Post article.

Among the options listed in the NSC memo is the possibility of taking a firm public stance against any legislative proposal for compelled access to encrypted data. The article includes quotes from an email sent from ODNI General Counsel Robert Litt about this option. Here is the text from the article:

Privately, no rx law enforcement officials have acknowledged that prospects for congressional action this year are remote. Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

Assuming the article is accurate and that the quotes are not taken too far out of context, it is fair to say this email was written rather inartfully. Most of the emails I write are equally as inartful and are similarly not intended to be leaked to major news outlets. Nonetheless, it is worth commenting on the substance of Litt’s argument. It is certainly true that, in the event of some type of terrorist attack or significant criminal event, the politics of this issue would change and proposals for exceptional access would become more tenable in Congress. That is essentially the narrative we have seen play out in France with respect to similar exceptional access proposals following the Charlie Hebdo attack.

This is why I believe it is incumbent upon both opponents and supporters of the FBI to think hard about the challenges the Bureau faces and about solutions to those challenges that might ease burdens on law enforcement without introducing widespread security vulnerabilities. Dismissing the FBI’s concerns entirely invites policymaking at a moment of crisis down the road.

The problem with Litt’s argument is that this issue is not one that lends itself well to the whims of a reactionary Congress. Rather, it requires a careful, technically sophisticated analysis that weighs national security and public safety considerations against the security benefits of the widespread use of strong encryption. Further, of equal and growing probability to a terrorist attack is the possibility of a catastrophic cybersecurity event that further catalyzes support for strong encryption and causes policymakers to ignore the public safety concerns of law enforcement.

Thus, today is actually the right time for the Obama Administration to articulate a clear policy regarding encryption. Waiting for a crisis moment would be irresponsible.

Pin It

related posts

Comments are closed.

« »