FBI, CIA, NSA want “backdoor” access to data, yet they can’t keep their own data safe.

The U.S. Can’t Keep Its Own Data Safe. How Dare It Demand a Back Door to Yours.

The U.S. Can’t Keep Its Own Data Safe. How Dare It Demand a Back Door to Yours.

Decoding the tech world.
Sept. 16 2015 4:54 PM

Why the U.S. Doesn’t Deserve a Back Door to Your Data

Because it can barely keep its own data safe.

The J. Edgar Hoover FBI Building in Washington, DC.
If sensitive information is a house, the government wants surveillance cameras yet can’t be bothered to lock the door.

Photo illustration by Juliana Jiménez. Photos by Photo by Bonnie Jo Mount/The Washington Post via Getty Images and Thinkstock.

1_123125_2267723_futuretense_logo_allabbrevoneline

The  U.S. intelligence apparatus still wants a key to your private data. Specifically, it wants “backdoor,” or “exceptional,” access to encrypted data when a court order is obtained for it. Last week, the nation’s intelligence heads—FBI Director James Comey, CIA Director John Brennan, Director of National Intelligence James Clapper, National Security Agency Director Michael Rogers, and Defense Intelligence Agency Director Vincent Stewart—went before the House Intelligence Committee to lay out the threats and make their asks. After raising the specter of crippling large-scale cyberattacks, Clapper said the more pressing concern was persistent, ongoing small attacks, or as Foreign Policy put it, “Get Ready for Everything to Be Hacked All the Time.” To fight these attacks, Clapper wants streamlined access to the private accounts of Americans—an idea that is unnecessary at best and counterproductive at worst. And the intelligence leaders’ bad ideas didn’t end there.

David Auerbach David Auerbach

David Auerbach is a writer and software engineer based in New York, and a fellow at New America.

While the increasing regularity of both computing and security breaches makes Clapper’s concerns very real, the approach the intelligence agencies want to take is sorely inadequate. While they spent a long time discussing deterrence and surveillance, Clapper et al. practically ignored the most crucial and central aspect of fighting cyberattacks: security. In light of the recent, catastrophic Office of Personnel Management data breach, which compromised the sensitive personal data of more than 20 million people, Clapper’s sense of priorities, as evidenced by his refusal to call the OPM breach an “attack,” is clearly warped. (“There was no destruction of data or manipulation of data,” he said. “It was simply stolen.”) If sensitive information is a house, then the government wants surveillance cameras everywhere and stiff sentences for thieves, yet can’t be bothered to lock the door.

Advertisement

Instead, Clapper and Comey stressed the need for greater deterrence of cyberattacks: not securing systems, but creating incentives against hacking. Regarding the OPM breach, Clapper said, “Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue.” There are two things wrong with this statement. First, it’s not easy to attribute these attacks to their perpetrators. Even if the U.S. government is convinced that the OPM attacks originated from China, it likely hasn’t figured out whether they were state-sponsored. The government’s attribution of last year’s Sony Pictures hack to North Korea remains dubious and inconclusive, as I pointed out shortly before everyone forgot about it. In the absence of reliable attribution, deterrence is impossible, because the actor will always have plausible deniability.

Second, while a crippling, major cyberattack may demand harsh sanctions or some other major response, what sort of deterrence could work for ongoing smaller attacks? The Washington Post covered several incredibly weak suggestions from the Pentagon, including “strong statements” (“We condemn this attack!”), “denial” (“Your attack didn’t hurt us a bit!”), and “resilience” (“I get hacked down, but I get up again!”). While this method is preferable to the cyber equivalent of the Cuban Missile Crisis, it doesn’t raise deterrence much beyond the level of rhetoric. The “permissive environment” Clapper cites will no doubt continue.

As a consequence, Clapper and Comey’s accompanying request for encryption back doors demands a refusal. For several years now, intelligence agencies have asked that the government be provided with a skeleton key so that under a court order, it can decrypt anything. As New America cyberfellow Peter Swire has explained in Slate, such “exceptional access” compromises security while failing to aid law enforcement. That hasn’t dissuaded the government; President Obama himself has demanded back doors. Raising the specter of terrorists “going dark” through encryption, Comey repeated his demand last week: “I’ve heard from a lot of folks that it’s too hard, and my reaction to that is: Really? Have we really tried? Have we really tried?” Apart from the technical infeasibility of doing exactly what Comey wants, the idea is a nonstarter anyway. Former NSA Director Mike McConnell, former Homeland Security Secretary Michael Chertoff, and former Deputy Defense Secretary William Lynn (hardly civil libertarians) wrote in the Washington Post that fears over encryption are overblown and that encryption back doors are pointless: If secure encryption is criminal, only criminals will use secure encryption. Either this rather obvious possibility hasn’t occurred to Comey (unlikely), or else he wants to use the back doors to spy only on dumb terrorists—not to mention ordinary citizens.

Beyond that, Comey must realize that U.S. intelligence doesn’t need back doors to do good investigative work. There are already effective, more primitive ways to get around the encryption problem. Consider the Silk Road investigation, in which FBI agents caught mastermind Ross Ulbricht by intercepting him while his laptop was open and unencrypted. And allowing American individuals and companies to retain airtight encryption will prevent more data breaches, not enable them—the number of breaches due to non-encryption far outweighs the number of law enforcement requests to defeat it. Encryption is a better form of “deterrence” than anything the Pentagon has suggested.

Meanwhile, the sheer ineptitude of OPM’s security systems still goes unaddressed, with only the weakest of plans for improvement. No one has been held to account for allowing a contractor like Edward Snowden to gain access to pretty much the entirety of the NSA’s systems. As I said before the OPM hack, attacks like this will continue happening until the United States gets serious about protecting its own data. And protecting its own data is the first step to take, not the last. The U.S. government, we have seen, is less secure than Apple or Google, even though its data—on intelligence, personnel, and systems—is far more sensitive for national security.

When asked how he would build bridges to technology companies, Comey said, “Our responsibility is to talk to folks and explain to them; we’re not maniacs, right?” I don’t think anyone thinks that the FBI or the other agencies are maniacs—merely that they overreach on matters of privacy, and are incompetent when it comes to security. I don’t use these words lightly. My criticism over the past two years has focused on a series of very significant mistakes, from allowing Snowden to steal the keys to the city to letting OPM data sit with known security vulnerabilities for years. Consequently, increased deterrence and surveillance appears pointless in the wake of our government being unable to protect the data in the first place. Now, the government asks citizens to make ourselves as insecure as they are by compromising our encryption. The citizen’s response to the government should be: Do your job better, and then we’ll talk.

This article is part of Future Tense, a collaboration among Arizona State UniversityNew America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.