Rethinking Encryption

Jim Baker
Tuesday, October 22, 2019, 2:06 PM

Map of real-time cyberattacks, Warfield Air National Guard Base, Middle River, Md., June 2017. (Source: U.S. Air Force photo by J.M. Eddins Jr.)

Published by The Lawfare Institute in Cooperation With Brookings

I. Embrace Reality and Deal With It

From 2012 to 2014, I worked for Bridgewater Associates, a hedge fund located in Connecticut. Bridgewater seeks to operate consistent with a set of principles articulated by its founder, Ray Dalio. Over the years, Dalio has written hundreds of principles and has now put them into a book. The first principle described in the book—one that has had a significant impact on me even after leaving Bridgewater—is “[e]mbrace reality and deal with it.”

What follows are reflections on my efforts to embrace reality with respect to some aspects of several interrelated subject areas that have comprised a substantial part of my career: national security, cybersecurity, counterintelligence, surveillance, encryption and China. Those efforts have caused me to rethink my prior beliefs about encryption and to better align those beliefs with the reality that (a) Congress has failed to act—and is not likely to act—to change relevant law notwithstanding law enforcement’s frequent complaints about encryption, and (b) the digital ecosystem’s high degree of vulnerability to a range of malicious cyber actors is an existential threat to society.

In the face of congressional inaction, and in light of the magnitude of the threat, it is time for governmental authorities—including law enforcement—to embrace encryption because it is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China. This is true even though encryption will impose costs on society, especially victims of other types of crime.

II. Going Dark and Encryption

I have worked on the encryption issue for more than 10 years, both inside and outside the government, from a variety of operational, policy and legal perspectives. Sometimes the encryption debate is equated with the “going dark” problem. But going dark is broader than encryption; it involves the decreasing ability of the government to conduct effective lawful surveillance for many technical reasons, including but not limited to the widespread adoption of encryption technology. In this piece, I’m focusing on going dark only as it pertains to encryption.

During the Federal Bureau of Investigation’s very public disagreement with Apple over encryption in 2016, I was the bureau’s general counsel and responsible for leading its legal efforts on that matter. I fought hard for the government to obtain access to the contents of an iPhone used by one of the perpetrators of the San Bernardino terrorist attack. I stand by that work. As many may remember, the legal dispute between the government and Apple ended abruptly and without a clear judicial resolution when the FBI found a different way to access the iPhone.

In that case, the FBI found a specific technical solution through a third party to access the San Bernardino iPhone, but that solution is inadequate to address the larger going dark encryption problem. Going dark involves, in part, a wide range of electronic devices and communications services that use strong encryption to protect the confidentiality and integrity of stored data as well as data in transmission. Of particular concern for the government are products and services that use encryption systems where the manufacturer or service provider does not retain the capability to decrypt the data, such as is the case with iPhones, iMessage and WhatsApp. This concern persists today: The United States, the United Kingdom and Australia recently asked Facebook directly to delay implementation of such encryption technology more broadly across its platforms.

The FBI and other federal, state and local government authorities—as well as foreign governments—have made clear to the public and to the U.S. Congress that going dark is a persistent problem for public safety officials. See here and here. Congress provided partial relief for a number of the United States’s international partners in the Clarifying Lawful Overseas Use of Data (CLOUD) Act with respect to some aspects of going dark, and the U.S. and U.K. governments are now poised to begin implementing the act. Although this process took years to complete, it does not address the encryption problem or many other aspects of going dark.

In a recent speech, Attorney General William Barr highlighted the challenges that encryption presents to law enforcement and national security officials. His speech seems to be part of a renewed effort by the Trump administration to address the encryption issue.

The attorney general discussed at length how encryption makes it harder for law enforcement to fight a range of criminal actors, including international narcotics organizations, terrorists and violent gangs. I understand Barr’s argument as essentially saying that, even though Americans are highly dependent on a vulnerable digital infrastructure that encryption helps protect (more on that later), in order to have a functioning civil society, we should not tolerate “law-free zones” where encryption facilitates and protects a wide range of threat actors and imposes huge costs on public safety officials, crime victims and society in general. He rejects the notion that a technical solution to the problem does not exist and, instead, proposes what strikes me as a risk-based model where society accepts increased cybersecurity risks resulting from enhanced government access to communications in exchange for decreased risks to society from other types of threat actors (e.g., drug cartels, terrorists and criminals who exploit children).

To emphasize the point, the Justice Department recently held a symposium on the impact of encryption on child exploitation cases. Crimes against children are horrific. Encryption clearly affects the ability of law enforcement officials to investigate and apprehend criminals who engage in heinous crimes involving children. Recent reporting, however, indicates that the substantial increase in offenses against children over the years and the inability of law enforcement to effectively address the problem represent a complex systemic failure with multiple causes and many responsible parties, not the least of which are the producers and consumers of such material. There is plenty of blame to go around for society’s colossal collective failure to protect children; encryption is only one of the challenges. Alan Rozenshtein discusses the impact of encryption on child exploitation more deeply here.

In his July speech, the attorney general also said he would like to engage with the private sector to find solutions to the problem that he lays out, but added ominously:

While we remain open to a cooperative approach, the time to achieve that may be limited. Key countries, including important allies, have been moving toward legislative and regulatory solutions. I think it is prudent to anticipate that a major incident may well occur at any time that will galvanize public opinion on these issues. Whether we end up with legislation or not, the best course for everyone involved is to work soberly and in good faith together to craft appropriate solutions, rather than have outcomes dictated during a crisis. As this debate has dragged on, and deployment of warrant-proof encryption has accelerated, our ability to protect the public from criminal threats is rapidly deteriorating. The status quo is exceptionally dangerous, unacceptable, and only getting worse. The rest of the world has woken up to this threat. It is time for the United States to stop debating whether to address it, and start talking about how to address it. [Emphasis in original].

The attorney general’s perspective on encryption is far from universal. A range of individuals and groups—including some tech companies, computer scientists, engineers, cybersecurity experts, and privacy and human rights organizations—think that encryption protects both our security and our privacy. See here and here for examples. Well-designed and well-implemented encryption makes it harder for malicious cyber actors to unlawfully hack and steal our communications, personal data and intellectual property. In their view, weakening encryption through the installation of “back doors” on smartphones or in communications systems, or providing law enforcement with “golden keys” to allow them access to encrypted data, jeopardizes all of us. Many would disagree strongly with the attorney general’s assessment that an acceptable technical solution to law enforcement’s problem—one that appropriately balances all of the equities at issue—actually exists.

Another critique of the position apparently supported by Barr is that people all over the world already know how to build encrypted systems. If the United States, for example, mandated back doors and golden keys for law enforcement, it would harm the ability of American technology companies and telecommunications providers to compete globally and it could stifle innovation at home. Many consumers want access to encrypted devices and apps, and they could simply use the products and services of foreign competitors if they cannot purchase American-made ones. That would hurt the U.S. economy. Moreover, U.S. law enforcement can obtain traffic analysis and other metadata from U.S.-based providers to help investigations; it is difficult or impossible in some instances to obtain such metadata from non-U.S. providers. The United States has an advantage in this regard: Foreign law enforcement agencies are much worse off than are their American counterparts because many of the biggest communications service providers are in the United States and subject to U.S. law, although, as noted above, the CLOUD Act is an effort to address that issue.

In addition, law enforcement’s position on encryption is commonly criticized for failing to recognize that some governments around the world pose varying degrees of threats to the freedom and privacy of individuals. Encryption, these critics say, helps people exercise their internationally recognized human rights in countries with authoritarian regimes.

Further, the situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data—especially metadata—than ever before is available for collection and analysis by law enforcement. Finally, critics charge that law enforcement agencies have not provided the public with comprehensive and reliable data to explain exactly how many encrypted devices or communications those agencies encounter as well as the number and type of investigations that encryption negatively impacts.

* * *

In my work at the FBI, I encountered directly how encryption makes it harder for law enforcement to detect, prevent and solve certain types of crime in specific instances. When law enforcement can’t find out what is on a suspect’s smartphone or lawfully intercept communications between two or more criminals, it is harder to understand what the bad guys have done or are plotting and to identify their co-conspirators and victims. Thus, I agree with the attorney general that one of the costs of encryption is that law enforcement, in some instances, is less effective and less efficient. Real people—the victims of crime—bear those costs.

Law enforcement’s core complaint about encryption is that it prevents authorities from gaining timely access to the plain text of data for which they have obtained proper legal authorization. After working on the going dark problem for years, I’m confident that this problem can be addressed from a technical perspective. In most cases, it’s just software, and software can be rewritten. But a solution that focuses solely on law enforcement’s concerns will have profound negative implications for the nation across many dimensions. I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.

The core of the encryption debate today, then, is disagreement over how best to balance the various costs and benefits associated with encryption and potential ways for law enforcement to access encrypted communications. Public safety officials simply disagree with others—companies, cybersecurity experts, academics and civil society groups—about how best to reconcile those costs and benefits.

There seems to be general agreement that public safety officials cannot force manufacturers and service providers to unlock devices and decrypt communications—that is, to rewrite software—under current U.S. law. Provisions such as the Wiretap Act (also known as Title III), the Electronic Communications Privacy Act, the Foreign Intelligence Surveillance Act, Rule 41 of the Federal Rules of Criminal Procedure and the All Writs Act do not appear to give government the authority to require companies to decrypt their customers’ data even when law enforcement officers have obtained a warrant under the Fourth Amendment or other applicable law authorizing them to search and seize such data.

Put differently, the legal problem for law enforcement is not the Fourth Amendment. Investigators and prosecutors can and do obtain warrants to authorize searches, seizures and surveillance of encrypted digital evidence. The problem is that there is no law that clearly empowers governmental actors to obtain court orders to compel third parties (such as equipment manufacturers and service providers) to configure their systems to allow the government to obtain the plain text (i.e., decrypted) contents of, for example, an Android or iPhone or messages sent via iMessage or WhatsApp. In other words, under current law, the most the government can do with respect to encrypted systems where the manufacturer or service provider does not hold the encryption keys is to demand that companies provide it with an encrypted blob that they have no mechanism to decrypt.

So, encryption has not, as the attorney general complained in his speech, really created a “law free zone.” It’s just that the law that applies in this area is not what Barr or the Justice Department want the law to be. To be sure, the attorney general was probably thinking more about a zone of criminality that is increasingly immune from government search and surveillance using traditional legal tools. But there is law that governs in this area; it just does not provide a mechanism to compel service providers to decrypt communications for law enforcement.

* * *

Congress has been on notice for many years that going dark is a major issue for law enforcement and national security agencies, both for the United States and for our foreign partners. Several congressional committees have focused specifically on going dark at times. See here and here. But in the years since the FBI-Apple dispute, Congress has done nothing to provide law enforcement with clear legal authority to address its encryption issues. There are probably many reasons for this. By failing to provide enough data or compelling examples, law enforcement has not made a persuasive case to motivate members of Congress to legislate. Tech companies are powerful because they are well resourced, well connected and highly motivated (although the tide may have begun shifting against them recently to some unknown degree). Civil liberties, privacy advocates and human rights groups are also influential on Capitol Hill. Additionally, until recently the president and his administration have not made encryption a top priority. Still, federal law enforcement and intelligence agencies seem unable to come up with persuasive proposals or arguments in support of their cause, so the executive branch’s efforts under both the Obama and Trump administrations have so far fallen short.

Perhaps most importantly, what many people on all sides of the debate will admit in private is that the United States has not experienced a terrorist or other attack of sufficient magnitude where encryption clearly played a key role in preventing law enforcement from thwarting it so as to change the contours of the public debate and motivate Congress to act. And such an attack is exactly what the critics of law enforcement’s position on encryption fear the most because that is what will prompt Congress to act (although probably hastily and not as thoughtfully as it should). The attorney general raised the specter of the political impact of such an attack in his speech. In 2016, I thought that the San Bernardino case provided Congress with ample basis to change the law to help resolve the larger problem because of the number of victims and the direct connection to terrorism. Obviously, I was wrong.

As Barr also stated, certain technical folks have put forward a few proposals in an effort to bridge the divide between law enforcement officials and their critics, to mixed results. Some of these proposals show promise and highlight that no system is completely secure even with encryption. The attorney general correctly noted that there is always cybersecurity risk; it just depends on how much risk one is willing to tolerate in a particular instance and how effectively one thinks it can be mitigated (more on this below). But none of these proposals has really caught fire as the clear solution to the dilemma. I recently participated in a working group under the auspices of the Carnegie Endowment for International Peace and Princeton University that was convened to help find a way forward on encryption and evaluate proposed solutions. The group recently released a report that focused on addressing device encryption first. But we found no clear solution to the encryption conundrum that would be acceptable to all concerned.

Notwithstanding the legislative stalemate in the United States, other countries have taken some actions. Both the United Kingdom and Australia, for example, have passed laws that, if implemented fully, could theoretically force manufacturers and providers to unlock and decrypt devices and communications. But these legal regimes are relatively new and untested, and it is unclear whether they will be effective in their own jurisdictions or potentially provide models for the United States to use in the future.

So, where does the going dark issue stand now in the United States?

Congress knows there is a problem for law enforcement, yet it has not acted. Although the executive branch recently seems to have found new energy to address encryption, it doesn’t really have any new technical solutions to put forward. The attorney general seems still to want to work with the private sector to find a sub-legislative way to resolve the issue, but in his speech he appeared to threaten to go to Congress for relief that the legislature has not seen fit to provide.

Companies that operate in the United States will follow applicable law. If Congress enacts a statute that clearly requires companies to provide a mechanism for law enforcement and national security authorities to always be able to gain access to devices and communications, I’m confident that they will comply. But if such a statute does not properly address cybersecurity risks, strong encryption might not adequately protect those devices and communications anymore. The responsibility for the negative consequences of such a reality—which I discuss below—will fall on Congress and the American people.

III. Cybersecurity Risks

I have also worked on cybersecurity for many years at the Justice Department and the FBI as well as in the private sector, academia and think tanks. My assessment is that one of the greatest threats today to free societies is the poor state of our collective cybersecurity. The cybersecurity status of the United States and its allies is woefully subpar. Malicious cyber actors—including individuals, chaos actors, organized crime syndicates, terrorist groups and nation-states (such as China, Russia, Iran and North Korea)—pose a multifaceted existential threat.

Today, digital technology is pervasive and society relies on a range of devices, networks and services to conduct its most important affairs. The political, economic and military power of the United States, as well as the health, safety and welfare of Americans, depend heavily on the secure and reliable operation of a complex digital ecosystem. We have connected our most vital international, national, regional and local systems to an inherently vulnerable network of networks. Glenn Gerstell, the general counsel of the National Security Agency, recently wrote a compelling piece about the complexities of the global digital network and the many challenges it presents to the United States.

It is, therefore, essential that we safeguard the confidentiality, integrity and availability of data on those networks. But we have not done so. The failures are systemic and involve poor design, poor implementation and poor risk management. The cybersecurity problems of the United States and its allies are profound.

In my view, if society were to experience a catastrophic failure in a substantial part of the digital ecosystem for a prolonged period, there is a significant risk that it would have great difficulty functioning effectively. Some unknown amount of chaos and disorder would ensue until drastic steps were taken to restore general order and minimal functionality to critical infrastructure and key resources. I’m not trying to be alarmist, but I do want to sound an alarm because I think it is a realistic possibility based on an objective analysis of the current state of affairs. How probable is such a catastrophe? I don’t know, but no one else really does either. One of the key problems in the cybersecurity field is that there is no universally accepted quantitative framework of metrics and measures to assess cyber risk and performance with reasonable accuracy. My colleague Paul Rosenzweig has written about that problem for Lawfare.

One of the most important cybersecurity risk factors is that digital isolationism is not possible. Governments, corporations and individuals in the United States and other democratic societies communicate regularly with people all over the world. Civilian and military governmental organizations operate worldwide, as do all major transnational corporations.

As a result, many communications vital to the security and well-being of the United States are, and increasingly will be, transmitted via telecommunications equipment that is manufactured and operated by foreign companies over which the U.S. government has insufficient control in light of the risks involved. As society moves toward widespread adoption of 5G wireless technology, for example, it is important to understand that much of the telecommunications equipment that will comprise global 5G networks is being produced by foreign companies like Nokia, Ericsson and Huawei, the latter of which is a Chinese company that is the world’s largest telecommunications manufacturer.

IV. China and the Global Zero-Trust Network

Over the years, I’ve spent a lot of time thinking about the threat that China poses to the national security of the United States. I have approached that threat mainly from an intelligence and counterintelligence perspective. Although some will disagree with me, I think that the threat from China—like the cybersecurity threat that the United States faces—is profound. China’s aim is to overtake the United States this century as the leading global power across all dimensions—political, military, economic and cultural. Although China faces many internal and external constraints on its ability to achieve its aims, it certainly has substantial financial, technological, human and data resources upon which to draw. The poor cybersecurity posture of the United States and other liberal democracies has helped China immensely in its drive to power, especially through China’s wanton looting of their intellectual property. See here, here and here for examples. As I’ve noted before, Chinese President Xi Jinping has said that “[w]ithout cybersecurity, there is no national security.” He is correct.

As I have learned more about Huawei and especially technologies such as 5G, I’ve grown even more worried about the ability of the United States to protect itself from China’s malfeasance regarding the security and reliability of critical communications. Over the course of my career, I’ve spent a lot of time thinking about electronic surveillance in lots of different ways. China is a surveillance state and it aspires to replicate its domestic information dominance on a global scale, including by leveraging the foreign commercial activities of Chinese companies such as Huawei and ZTE.

A few things have become clear to me about Huawei. First, Huawei equipment is already installed in networks around the world. Any individual, company or government that operates or communicates globally likely will have its communications processed on Huawei equipment at some point. Second, Huawei equipment is relatively high quality and is improving. To be sure, Huawei is not perfect, and it ships products with software flaws, but the equipment generally does what most of its customers want. Third, its products are cheaper than those of some of its competitors. This makes them attractive and hard for network providers to ignore. Fourth, Huawei has consistently gained market share over time. It is not clear how well and for how long its competitors can keep up. Finally, and relatedly, I just don’t know how long U.S.-based telecommunications providers can continue to keep Huawei equipment completely out of their networks. Huawei equipment is already present in parts of the U.S. telecommunications backbone and parts of foreign networks that are owned and operated by some U.S.-based providers.

Elements of the U.S. government have recognized this as well. For example, the Defense Innovation Board of the U.S. Department of Defense recently released a report that discussed the “zero-trust” 5G network problem for the department.

In general, a zero-trust network is, as the name implies, one that you do not trust. A network operator that employs the zero-trust network concept presumes that one or more adversaries have successfully penetrated the network’s perimeter defenses and are present inside the network. The operator also presumes that it will be difficult or impossible to ever be sure that the adversaries have been identified and removed. Accordingly, they treat their internal systems as zero-trust networks, which will include consistently challenging all users, applications and devices and encrypting data as much as possible.

The Defense Innovation Board discussed the fact that even if the United States and its allies keep Huawei equipment out of their domestic networks for a sustained period of time—which increasingly will be difficult to do—they will eventually encounter it somewhere in the world. Therefore, they will need to figure out how to operate in a zero-trust interconnected world, especially after the widespread deployment of 5G networks globally, much of which (at least abroad) will include Huawei equipment. They need to think about the reality of operating in a degraded communications security environment and never trust the internet, applying the zero-trust network concept on a global scale.

This strikes me as eminently sensible. The widespread deployment of Huawei and other Chinese equipment in the backbone of the internet increasingly provides China with the technical capability (whether utilized or not) to copy, corrupt or disrupt substantial portions of data traffic transmitted on Huawei equipment. In a crisis, China could direct Huawei and other companies to degrade key network elements of its adversaries and/or render them inoperable. Huawei denies that it would cooperate with the Chinese government in such activities, and some observers question the logic of Huawei ever doing so. But from a national security perspective it is prudent to focus on the capabilities of an adversary, not just stated intent. Living in a Huawei world means there are substantial risks to the confidentiality, integrity and availability of data that is essential to our effective functioning as a society.

As mentioned above, China is not the only cyber threat actor. But China and Huawei exemplify the nature and scope of the pervasive cybersecurity risks that the United States and its allies face from many adversaries.

How does the U.S. government best protect the nation in such a threatening and zero-trust environment?

V. Rethinking the Public Safety Mission

The mission of the FBI is to simultaneously protect the American people and uphold the Constitution. It seems to me that other law enforcement—federal, state, local and tribal—and national security agencies in the United States have essentially the same mission. Foreign law enforcement and security officials in liberal democratic societies have analogous obligations to their own populations.

As a result, law enforcement and national security officials have to deal effectively, efficiently and simultaneously with a wide range of threat actors. Collectively and, in some cases, individually (such as in the case of the FBI), they have to deal with everything from street crime to international terrorism, from child exploitation to international organized crime, from narcotics trafficking to espionage, from public corruption and fraud to murder-for-hire, from individual criminal actors to nation-states. They have to deal with adaptive adversaries who are often highly motivated and, in some cases, very sophisticated and well resourced. Many of those adversaries understand the applicable law well and know how to use it to their advantage. They also understand technology and look for ways to exploit known or expected weaknesses and gaps in surveillance coverage by governmental authorities.

Public safety officials—that is, the combination of law enforcement, national security and intelligence officials who safeguard society—must strive to constantly protect everyone all at once. They must deploy their resources as effectively as possible and have to continually prioritize and reprioritize their work to address the most pressing threats. But they cannot—and should not—be expected to be successful at everything at all times. They are not omniscient, omnipresent or omnipotent. Nor should they be in a free society; Americans don’t want to live in a totalitarian police state under constant government surveillance and monitoring.

At the end of the day, in democratic countries the people ultimately are responsible for their own fates. They must decide what powers they want their public safety organizations to have, what limits on those powers best protect their safety and liberty, and what costs they are willing to bear—or force others to bear—to have that safety and those liberties. As I discussed above, nothing is cost-free.

If I’m correct about the existential nature of cyber threats and about the risks that nation-states such as China, in particular, pose to the United States and its allies, then federal, state and local governments should be doing everything they can to enhance the cybersecurity status of the nation. All public safety officials should think of protecting the cybersecurity of the United States as an essential part of their core mission to protect the American people and uphold the Constitution. And they should be doing so even if there will be real and painful costs associated with such a cybersecurity-forward orientation. The stakes are too high and our current cybersecurity situation too grave to adopt a different approach.

Of course, I recognize that the nation faces many other serious national security threats—hostile foreign military forces, espionage (including economic espionage), domestic and international terrorism, weapons of mass destruction (including chemical, biological, radiological and nuclear weapons), hypersonic weapons, climate change and so on. But cybersecurity is a cross-cutting issue that is relevant to many of those other domains, in addition to being a threat area on its own. Moreover, compared to other methods of attack, malicious cyber activity is appealing to adversaries for many reasons, including the ability to conduct operations from off-shore, often in a nonattributable fashion; the lack of technical sophistication required to trigger significant consequences; and the relatively low barriers to entry—including lower costs and expertise—to become a cyber threat actor. Moreover, the cybersecurity threat pervades most elements of society and is imminent. It is a clear and present danger to society.

In light of the serious nature of this profound and overarching threat, and in order to execute fully their responsibility to protect the nation from catastrophic attack and ensure the continuing operation of basic societal institutions, public safety officials should embrace encryption. They should embrace it because it is one very important and effective way—although certainly not the only way and definitely not a complete way—to enhance society’s ability to protect its most valuable digital assets in a highly degraded cybersecurity environment.

Encryption can help the government protect the confidentiality and integrity of data within critical public- and private-sector networks as well as on the internet as it is transmitted on devices—such as Huawei equipment—that can’t be trusted. That said, encryption alone does not address the risks to the availability of data transmitted via Huawei and other untrusted devices. There are some ways to mitigate the data availability risk (such as relying on a diversity of service providers and equipment), but I have not heard of fully effective ways to deal with that problem in zero-trust public networks. More work is required to mitigate the data availability risk in a Huawei world. Thus, the use of encryption alone will not implement fully a global zero-trust network model.

The government should also recognize that it has a substantial vested interest in protecting and enhancing the security status of the digital infrastructure. Too often in the past, government has overemphasized—through the dedication of financial resources and human talent—finding and exploiting flaws in security architecture rather than helping to fix them. Although the federal government has had a vulnerabilities equities process to weigh the relative pros and cons of disclosing to manufacturers or service providers a vulnerability that the government discovers, the incentive structure is such that the government may lean toward concealing the existence of an important vulnerability that it can exploit. This is because “really good” ones that they can use to surveil an adversary are valuable and hard to find. At least that is my thinking. See here and here on the vulnerabilities equities process in general. Although some elements of the government think of themselves as custodians of the health of the digital ecosystem, not enough of them do. In that regard, the government should not, for example, use the means through which companies update software as a way to install surveillance software (something the attorney general seems to suggest in his recent speech). Updating software promptly is an important way to enhance cybersecurity, and people might not do it if they thought that the government was using that mechanism as a way to install surveillance software.

Public safety officials clearly will continue to engage in “lawful hacking,” a strange term that refers to those officials obtaining lawful process to discover and exploit vulnerabilities in networks and devices in order to access data to support their investigations and intelligence collection. But they also need to reorient themselves toward more actively seeking out ways to protect the security of the internet even as they exploit its weaknesses to effect surveillance. It is a matter of degree and orientation.

If, in fact, governments more aggressively support encryption, they will have to focus even more on collecting and analyzing noncontent metadata, increasingly aided by advanced data analytics driven by machine learning and other artificial intelligence tools. I know full well that obtaining noncontent metadata, while useful, is not the same as collecting the full content of communications and documents. It is hard to use metadata, for example, to prove criminal intent or to understand exactly what a spy or a terrorist is plotting. But we are in a world where content is increasingly unavailable and there is a wealth of metadata. So, the government should focus on collecting the right data and developing or buying top-notch analytical tools. In doing so, of course, it needs to make sure that such metadata collection and analysis is consistent with the Fourth Amendment. Admittedly, that will be more complicated in light of the U.S. Supreme Court’s decision in Carpenter v. United States. And it will be harder to do all this in the face of efforts by some companies to further anonymize public internet metadata. Nevertheless, this is where law enforcement finds itself since it has not persuaded Congress to act.

* * *

Part of the attorney general’s July speech can be read to agree with me on the importance of cybersecurity, although he ultimately arrives at a different assessment of the relative risks that society faces today. For example, he acknowledges:

As individuals and as a nation we have become dependent on a vast and expanding digital infrastructure. That, in turn, has made us vulnerable to cybercriminals and foreign adversaries that target that infrastructure. The danger cannot be overstated, and enhancing cybersecurity is a national imperative—one shared by the private sector whose networks, data systems and products are at risk, as well as the government agencies charged with securing our critical national infrastructure and guarding our citizens against criminal activity. [Emphasis added.]

Even though Barr says that “[t]he danger cannot be overstated,” in the following sentence he proceeds to understate it significantly by focusing only on the need to protect our systems against threats from “criminal activity” when, as I outlined above, the threat is much worse than just criminal activity. He adds, “While encryption protects against cyberattacks, deploying it in warrant-proof form jeopardizes public safety more generally. The net effect is to reduce the overall security of society.” In subsequent passages, the attorney general focuses on the societal harms that flow from the use of encryption technology by a range of criminal actors, and, to a limited extent, he discusses individual terrorists and international terrorist groups.

As Bruce Schneier has pointed out, perhaps “Barr’s latest speech signals that we can finally move on from the fake security vs. privacy debate and to the real security vs. security debate.” I agree that the attorney general does adopt a security-focused framework in which he endeavors to engage in a comparative analysis of the relative costs and benefits to society of widely available strong encryption. I also think Barr is miscalculating the relative costs and benefits and potentially putting the country at greater risk as a result.

VI. Conclusion

Public safety officials should continue to highlight instances where they find that encryption hinders their ability to effectively and efficiently protect society so that the public and lawmakers understand the trade-offs they are allowing. To do this, the Justice Department should, for example, file an annual public report describing, as best it can, the continuing nature and scope of the going dark problem. If necessary, it can also file a classified annual report with the appropriate congressional committees.

But, for the reasons discussed above, public safety officials should also become among the strongest supporters of widely available strong encryption.

I know full well that this approach will be a bitter pill for some in law enforcement and other public safety fields to swallow, and many people will reject it outright. It may make some of my former colleagues angry at me. I expect that some will say that I’m simply joining others who have left the government and switched sides on encryption to curry favor with the tech sector in order to get a job. That is wrong. My dim views about cybersecurity risks, China and Huawei are essentially the same as those that I held while in government. I also think that my overall approach on encryption today—as well as my frustration with Congress—is generally consistent with the approach I had while I was in government.

I have long said—as I do here—that encryption poses real challenges for public safety officials; that any proposed technical solution must properly balance all of the competing equities; and that (absent an unlikely definitive judicial ruling as a result of litigation) Congress must change the law to resolve the issue. What has changed is my acceptance of, or perhaps resignation to, the fact that Congress is unlikely to act, as well as my assessment that the relevant cybersecurity risks to society have grown disproportionately over the years when compared with other risks.

Moreover, certain presidential tweets and news stories about me prevented tech companies and law firms that represent them from hiring me after I left the FBI, so that ship has sailed. To be sure, I used to work for a big telecommunications company (Verizon). My current employer (R Street) has connections to the tech sector, and I am a contributor at CNN, which is ultimately owned by AT&T. But no one at any of those entities has ever told me what to say on this or any other topic. I also think that people who know me well would believe that I speak my mind, for better or worse.

All that said, I still found it painful to write this piece, especially since I worked for so many years in the Justice Department and the FBI on the going dark problem without ever finding a viable solution. I have no choice but to admit that I failed in that regard.

But we all need to deal with reality. And in my experience, that’s what the people who have dedicated their lives to protecting all of us—such as the employees of the FBI—usually do best. How else do you stop the bad guys but by living in reality and aggressively taking the fight to them based on an accurate assessment of the facts? I am most certainly not advocating surrender, but public safety officials need to take a different approach to encryption as a way to more effectively thwart our adversaries, protect the American people and uphold the Constitution in light of the existential cybersecurity threat that society faces. If law enforcement doesn’t want to embrace encryption as I have suggested here, then it needs to find other ways to protect the nation from existential cyber threats because, so far, it has failed to do so effectively.


Jim Baker is a contributing editor to Lawfare. He is a former Deputy General Counsel of Twitter, the former General Counsel of the FBI, and the former Counsel for Intelligence Policy at the U.S. Department of Justice. In that latter role, from 2001-2007, he was responsible for all matters presented to the U.S. Foreign Intelligence Surveillance Court. The views expressed do not necessarily reflect those of any current or former employer.
