Al-Nashiri #6: Encryption or an Enclave?

Benjamin Wittes
Tuesday, January 17, 2012, 4:11 PM

By Benjamin Wittes & Ritika Singh

Published by The Lawfare Institute
in Cooperation With
Brookings

The Commission then takes up defense motion AE016, which objects to government monitoring of defense computers for purposes of cybersecurity. Speaking for the defense, Michel Paradis asks for, as the defense does in its brief, an electronic “enclave” set up within DoD’s computer systems. He argues that this is a simple issue technically, and it is necessary for the defense to conduct itself ethically. Judge Pohl asks why not simply encrypt the files, but Paradis argues that this is merely the appearance of confidentiality without the reality--since the government keeps the decryption keys. Lockhart responds that the enclave idea is not really a remedy for the problem Paradis identifies and that encryption really is. The government does not keep the keys, she says, and the enclave idea does not prevent the basic filtering to which the defense objects. Paradis argues that encryption is a very weak form of protection, one the government can easily break. Judge Pohl asks him why he doesn’t have the same problem with the firewall. Paradis responds that the question is the degree of his confidence that the communications are secure and the supervision and control necessary to proceed ethically. His concern, he says, is that by using the government’s computers--which he has to do--he is destroying any expectation of confidentiality in his communications. What do the other defense counsel using government computers do, Judge Pohl asks? There are very few civilians of that type, Paradis argues, and it has been a big issue among military lawyers. He cites a case in which a military judge ordered the creation of a non-government, non-monitored computer and internet connection. But Paradis says that if he set up such a connection, he would be violating federal law. Paradis says he has asked for an enclave because it seems like the simplest way to go, and that he has been talking to government computer people for more than a year about how to do this.
Without an enclave, anyone with privileged access can lurk behind the system and watch what the defense does. Judge Pohl points out that if one uses a government computer, there’s always some chance that someone will be looking at your computer. Paradis concedes the point, but he notes that with an enclave, the number of people who can do this is dramatically smaller. The goal is not perfection, he says. Judge Pohl then asks Lockhart whether--despite her misgivings that an enclave won’t work--there’s any reason not to give the defense what it wants. She responds that it would be difficult to set up; it takes time and resources and money. And while she understands the concern Paradis raises, she argues that he misstates a lot of facts. At Judge Pohl’s urging, she then calls her witness, a computer guy named Adam William Bennett. After describing his responsibilities and background, Bennett describes basic encryption technology, the differences between encryption and password protection, and how a document that has been encrypted can be accessed by someone with the decryption password. Lockhart repeatedly asks him if the government can access an encrypted document, and he says it cannot. He describes the cybersecurity issues and cyberthreats now facing the government as one of the most critical issues facing government systems. Lockhart and Judge Pohl then ask him about the concept of an enclave, which he describes as a protected zone or network within a larger network. In response to questioning from the judge, he says it would not obviate the need for encryption and would not be as secure as encryption use. Judge Pohl asks whether the email will still be monitored if someone within the enclave emails someone outside the enclave on the DoD network. Bennett says that it will.
Under questioning from Lockhart, Bennett makes clear that material is monitored even within an enclave, that using an enclave is no substitute for using encryption, and that encryption is the one true way to protect material. She asks him whether there’s any need for an enclave if privileged files are encrypted. He says no. Paradis then asks him about privileged access to DoD systems, and Bennett explains that privileged users have access that normal users do not have. Paradis asks a series of questions designed to show how invasive privileged access can get. Judge Pohl gets impatient and says the government has proposed a remedy for the defense’s problem. The issue isn’t government opposition to unfettered monitoring. The issue is the remedy. Paradis takes the point and asks Bennett whether encryption can protect an open file on someone’s computer. Bennett says a DoD administrator could not conduct a screen capture on an open computer file. In fact, he says, DoD administrators do not even have the capacity to do screen captures at all. Not even in investigating internet porn, Paradis asks? Normal administrators can’t do that, Bennett says; only investigators can, following a process, when a specific situation arises and they have need. In response to questioning from Judge Pohl, Bennett testifies that nobody from the outside can see that document in real time. Paradis says that Bennett has testified that the encryption is essentially uncrackable. Does DoD never open encrypted files, he asks? Bennett backs off, saying he doesn’t really know whether DoD ever cracks encryption or has that capability. Judge Pohl here breaks in and says to Paradis that the government is giving him a remedy--one that the witness says is more effective than the one he wants. He and Paradis have an extended back-and-forth over which remedy is better, encryption or enclaves. Paradis asks Bennett a few more questions. Lockhart then has one more question: Does OSD copy and crack encrypted files? Bennett says no.
Is it possible? Bennett says he is unaware of anyone who can crack encryption of this strength. The witness then steps down. Judge Pohl and Paradis then have another extended back-and-forth about the strength of encryption and the relative benefits of encryption and enclaves. Lockhart then gives some closing arguments. Judge Pohl then rules: As framed, he says, the defense motion for secure communications is granted and not really disputed. The question is the remedy. The defense wants an enclave; the government wants it to use encryption. The remedy, he rules, will be that the defense should use the encryption method to protect its confidential communications. If, in the future, this proves overly burdensome, the defense can raise it again. But at this time, the defense’s concerns seem more than met by the remedy the government has proposed.

Benjamin Wittes is editor in chief of Lawfare and a Senior Fellow in Governance Studies at the Brookings Institution. He is the author of several books.