NSA chief: anti-encryption arguments 'waste of time' as new reports note 'chill' effect
The long-running encryption dispute between law enforcement officials and the private sector took an unexpected turn Thursday when the director of the NSA changed his stance on encryption.
The long-running encryption dispute between law enforcement officials and private sector industry professionals took an unexpected turn Thursday when the National Security Agency's (NSA) director, Admiral Mike Rogers, changed his stance on encryption technologies.
“Encryption is foundational to the future,” Rogers said, speaking at the Washington D.C.-based think tank the Atlantic Council. He said he sees arguments against encryption as “a waste of time.” The comments have left industry pros wondering what prompted the abrupt change in strategy.
This shift signals that Rogers is coming to agree with former intelligence directors and security professionals who have argued that the task of securing private data on government servers is at least as important to intelligence agencies as having a strong cyber offensive strategy.
For example, Gen. Michael Hayden, a former NSA director and currently a principal at the Chertoff Group, at an event hosted by the Council on Foreign Relations in December, called building backdoors for government “a weak security position." He made similar comments in October, when he argued that the U.S. is “better served by stronger encryption, rather than baking in weaker encryption”.
And in July, former homeland security secretary Michael Chertoff, former homeland security secretary William Lynn, and former NSA Director Mike McConnell wrote an Op-Ed in the Washington Post arguing for end-to-end encryption of data. “The smart bad guys will find ways and technologies to avoid access, and we can be sure that the ‘dark Web' marketplace will offer myriad such capabilities,” the former intelligence officials wrote. “This could lead to a perverse outcome in which law-abiding organizations and individuals lack protected communications but malicious actors have them.”
Of course, government agencies also have an extensive arsenal of malware and zero-day exploits that enable intelligence agencies to bypass encrypted communications.
Recent studies have cast doubts on the approach of keeping information security weak in order to have access to more information about criminals and nation-state enemies. Arguments against encryption miss the point that Americans are less concerned with the possibility of terrorists “going dark,” as Federal Bureau of Investigation (FBI) Director James Comey stated than by a lack of information security.
In a study published Wednesday by NCC Group and IDG Research Services, 63 percent of consumers said they expect their financial information would be breached within the next year. The report also found that 60 percent of respondents were more worried than ever about protecting their personal and financial information and 87 percent said they see a need for a secure community of safe websites.
These consumers have good cause for alarm; it isn't only government agencies that have difficulty securing information. The private sector also displays a casual approach to private data. In another study published this week, Sophos found that only 57 percent of companies encrypt private employee HR data, and employee healthcare information is encrypted by just 53 percent of companies.
Mike Echols, director of the Department of Homeland Security's Cyber Joint Program Management Office, reinforced this view. “The speed at which we are rolling out our programs and aligning our value systems between small businesses, federal agencies and big businesses is moving a lot slower than the people who are trying to attack us,” he said this week, at the Association of Government Accountants' Financial Systems Summit. He said neither the government agencies nor private enterprise has done enough to prevent hackers from successfully attacking critical systems.
A survey published by Ponemon Institute and IID in November found that 47 percent of companies and government agencies have been breached in the last two years.