CISA had just passed out of the public’s eye during the first half of November. But in light of the terrorist attacks on Paris, encryption—and how much—has taken center stage in U.S. politics.
It’s not like The Cybersecurity Information Sharing Act (CISA) was suddenly winning over its critics, but in the weeks since Paris it’s become a bit of a shorthand for government bodies who want easier access to communication. In the week following the attacks, CIA director John Brennan said he hoped the terrorist activities would serve as a “wakeup call” to anyone opposed to surveillance.
“There are a lot of technological capabilities that are available right now that make it exceptionally difficult both technically as well as legally for intelligence security services to have insight that they need to uncover it,” he said in Wired, adding that terrorists are well versed in how to evade intelligence officials.
It’s a sentiment that’s been quoted by plenty of politicians, including Senators John McCain and Dianne Feinstein. 2016 candidates are changing their stance. The move is a stark contrast to only two months ago, when President Obama seemed to see encryption backdoors as a non-starter. The intelligence community’s top lawyer Robert Litt was quoted in The Washington Post as saying that although the legislative environment was hostile at that time, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”
But while politicians seem to see Paris’ devastating attacks as an opportune moment to move the dial on encryption law, it’s important to remember that this isn’t that time.
Any evidence that the terrorists who coordinated the attacks did so behind a wall of encryption that the government couldn’t get through has been debunked: The attackers did not use Playstations to hold encrypted meetings (nor, it should be noted, are Playstations encrypted end-to-end), and there was no evidence they favored encrypted devices at all. In fact, more and more sources point to unencrypted communications between the terror suspects. As far as the evidence stands, decryption, or some sort of government-created facsimile, wouldn’t seem to be a worthwhile solution. As Techdirt writes:
Does this mean some bad people can use encryption? Yes. But it’s not as “impenetrable” as she seems to think (we’ll get to her knowledge of technology and encryption in a moment). Even if you’re using encryption, there is still plenty of metadata revealed. Furthermore, there have always been ways to communicate in less-than-understandable or less-than-trackable way — and the terrorist community has used them forever. They don’t need to rely on “Silicon Valley” giants.
But, more to the point, undermining encryption makes everyone significantly less safe. The whole idea that weakening encryption makes people more safe is profoundly ignorant.
And Techdirt has some evidence there. So far there has been no Encryption works so long as the information is encrypted. A backdoor—any backdoor—would provide an access point, and hackers love an access point.
As Byte Back’s Deborah Juhnke writes, encryption is only as strong as its weakest link:
Because encryption is a complex mathematical topic that is Greek to most laypersons, the methods by which keys are used to encrypt and decrypt data are seldom discussed outside of IT, and the absolute necessity of protecting those keys is often overlooked.
Leaving encryption keys unprotected invites theft in the same way as leaving your car key in the car. Who has access to the keys to your encrypted data? Where are the keys stored? Are there copies? How often are they changed or updated?
….Just as we try never to leave our keys in the car, we should take special care to protect our data encryption keys. That starts with knowing where they are stored, by whom, and with what controls.
The government having the keys to encryption backdoors isn’t exactly inspiring considering their track record, another factor that makes privacy advocates wary to get on board with any sort of information legislation.
What CISA could potentially do is open the dialogue around more garden-variety attacks. Stewart Baker discussed on Steptoe’s Cyberblog, noting that the disadvantage for companies is that their cyberinformation—threats and all—is shrouded in shadows. CISA could provide a way to get that dialogue out in the open and start working towards some real solutions:
Our conclusion? The main value of the bill is that it frees some companies from aging privacy rules that prevented information sharing with groups that include the government. It also enables companies to monitor their networks without fear of liability under even older privacy laws preventing interception of communications without all parties’ consent.
Dragging cybersecurity into the public discourse so that encryption itself isn’t as stark is a valiant goal. Whether or not CISA is the answer to the nation’s growing (and already dismal) cybersecurity woes is unclear. But it clearly isn’t the answer to the unrest following terrorist attacks. That solution still needs to be deciphered.