
End-to-End Encryption Is a Critical National Security Tool

Susan Landau
Thursday, November 21, 2024, 2:00 PM
Law enforcement and national security officials have fought end-to-end encryption for decades—but the technology is more needed than ever. 
An NSA police officer monitoring communications on a radio (Photo: NSA, https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2604199/, Public Domain)

Published by The Lawfare Institute
in Cooperation With
Brookings

For the past 50 years, governments have carried out a campaign against end-to-end encryption (E2EE), a technology that secures communications so that only the message endpoints (the sender and receiver of the message) can see the unencrypted communication. From the 1970s to the late 1990s, the fight against widespread use of E2EE was carried out largely by the National Security Agency (NSA), with the FBI joining the battle in the early 1990s. By the late 1990s, strong encryption was increasingly being adopted by nations around the world. At the same time, export controls were becoming increasingly bothersome to the computer industry. Members of Congress began introducing bills to liberalize the cryptographic export regime.

Two changes occurred in response. With increasing use of strong encryption by foreign governments, NSA increased efforts in computer network exploitation, extracting information from computer networks. The executive branch offered an olive branch to the computer industry by loosening export controls on encryption. Though not all controls ended, the ones that mattered most to the industry were lifted. The latter enabled U.S. products with strong encryption to be exported—and also made it much simpler for such products to be sold domestically.

But if NSA was comfortable with this change, law enforcement was definitely not. Within a decade, the FBI began speaking about “Going Dark”—being unable to access legally authorized wiretaps. FBI leadership repeatedly argued that it was increasingly unable to wiretap terrorists, organized crime, drug dealers, and child sexual abuse and exploitation cases. Law enforcement in the U.S. and abroad pressed hard to prevent widespread public access to E2EE.

Though the wiretap targets of interest changed over the years, the argument about the threat of encryption to wiretaps did not. And for decades, cryptographers, computer scientists, privacy experts, journalists, and human rights workers responded by pointing out the importance of ubiquitous E2EE for public safety, business security, and personal and national security. By the 2010s, members of the defense establishment were publicly voicing this argument as well.

Former NSA Director Mike McConnell, former Secretary of Homeland Security Michael Chertoff, and former Deputy Secretary of Defense William Lynn III wrote, “We believe the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring.” Similarly, Michael Hayden, former director of NSA and of the CIA, stated, “American security is better served with end-to-end unbreakable encryption.” And Robert Hannigan, former head of the British General Communications Headquarters, said, “I am not in favour of banning encryption. Nor am I asking for mandatory ‘back doors.’”

Increasing cybersecurity threats also led some law enforcement officials—who had in the past strongly pressed for controls on E2EE—to shift their viewpoints. Notable among them was Jim Baker, who had been FBI general counsel during the period in which the FBI and the Department of Justice were pressing hard about Going Dark. In 2019, Baker wrote:

One of the most important cybersecurity risk factors is that digital isolationism is not possible. Governments, corporations and individuals in the United States and other democratic societies communicate regularly with people all over the world. Civilian and military governmental organizations operate worldwide, as do all major transnational corporations.

As a result, many communications vital to the security and well-being of the United States are, and increasingly will be, transmitted via telecommunications equipment that is manufactured and operated by foreign companies over which the U.S. government has insufficient control in light of the risks involved.

Baker concluded:

In light of the serious nature of this profound and overarching [cybersecurity] threat, and in order to execute fully their responsibility to protect the nation from catastrophic attack and ensure the continuing operation of basic societal institutions, public safety officials should embrace encryption. They should embrace it because it is one very important and effective way—although certainly not the only way and definitely not a complete way—to enhance society’s ability to protect its most valuable digital assets in a highly degraded cybersecurity environment.

The risks that Baker was writing about have come to pass, although not exactly as Baker described. Last week, the FBI and the Cybersecurity and Infrastructure Security Agency announced that, “PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.” According to the New York Times, the targeted individuals included “President Donald J. Trump’s family, as well as Biden administration and State Department officials.”

As I described last week, this breach appears to be a result of wiretapping capabilities built into telecommunications networks as required by the Communications Assistance for Law Enforcement Act (CALEA). That the Chinese exploitation of U.S. telecommunications was through CALEA does not obviate Baker’s argument. Our computer and communications systems are under constant attack. These are complex systems, and like all complex systems, they have vulnerabilities. This bears repeating: Complexity means the systems are insecure. Baker’s point is spot on. Communications—whether between campaign managers and presidential candidates, chip engineers and software designers, or members of a research team investigating a new virus—must be protected.

For decades, technologists have been making the point that the strongest and best form of communications security is provided by end-to-end encryption; it is well past time for law enforcement to embrace its widespread public use. Anything less thwarts the nation’s basic security needs.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served on various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.
