The House Homeland Security committee on Wednesday issued an encryption policy report that supported establishing a commission to study the implications of encryption and its effects on law enforcement and economic development.
The report, titled ‘Going Dark, Going Forward: A Primer on the Encryption Debate,’ is the result of 100 meetings with industry professionals, intelligence officials, law enforcement, privacy groups, cryptologists, regulators, and researchers. The report supported a national dialogue related to encryption policy.
The report suggested that the best approach would involve establishing “a commission of experts to thoughtfully examine not just the matter of encryption and law enforcement, but law enforcement's future in a world of rapidly evolving digital technology.”
Industry pros were cheered by the nuanced approach to encryption. The report “highlights the key pitfalls associated with trying to weaken encryption,” wrote Will Ackerly, CTO and founder of encrypted email provider Virtru, in an email to SCMagazine.com. “It is particularly encouraging to see the report acknowledge the importance of strong encryption in ensuring American values and competitiveness, and that weakening encryption with back doors is bad for security and privacy.”
Homeland Security committee chairman Rep. Michael McCaul (R-TX) co-sponsored legislation earlier this year to create the National Commission on Security and Technology Challenges. Industry pros initially opposed the legislation, but it came to be seen as the better option, after Senate Intelligence Committee co-chairs Richard Burr (R-NC) and Dianne Feinstein proposed the maligned Burr-Feinstein encryption bill.
“A national Commission would bring key players and leading minds to the table to develop recommendations for maintaining privacy and digital security, while also finding ways to keep criminals and terrorists from exploiting these technologies to escape justice,” said Rep. McCaul, in a statement. “Encryption is too central to our country's future to answer without a robust dialogue with all the key stakeholders.”
Industry sources echo these sentiments. Earlier this month, shortly after the terror attack in Orlando that killed 49, Nok Nok Labs president and CEO Phil Dunkelberger told SCMagazine.com, “When the rhetoric is calmer, we need a broader, open debate about all the manifestations and associated unintended consequences with all parties present heard and then voted.” A few days after the deadly attack, the House voted down an amendment barring warrantless surveillance. Prior to the attack, the amendment had widespread support.
However, some industry and policy professionals doubt whether legislators are capable of implementing a complex technical solution that will achieve the dual goals of strong information security while making some data available to law enforcement upon request – especially in light of federal agencies' ongoing security and cyber-hygiene challenges that led to the OPM breach last year and, most recently, an attack against House members' websites.
Kevin Bocek, VP of security strategy and threat intelligence at Venafi, said the report was “refreshingly correct” in identifying that cryptographic keys and digital certificates are essential to the global economy and critical infrastructure. However, he also found it ironic that the government is “utterly failing at enabling encryption and providing trust.”
“Congress has a ‘Do as I say, not as I do’ mentality,” Leamer told SCMagazine.com, referring to the recent attack that took 19 House members' official websites offline for nearly a week. (As of press time, the lawmakers' websites are not yet back online.)
“We don't need a committee to know that back doors for encryption are bad policy because it is not possible to limit back doors to the ‘good guys,’” wrote Tim Edgar, of Brown University's Watson Institute and Executive Master in Cybersecurity program, to SCMagazine.com. “Although strong encryption means that the government won't always get access to everything, much data is likely to remain available. This includes data that is not encrypted or improperly encrypted, metadata, and data from the ‘internet of things.’”
“The problem of enabling encryption and looking for bad guys inside of encrypted traffic is one that can be solved but only if resources and attention to the problem are directed to it,” Bocek added. “Unfortunately, this is not a problem that U.S. House Homeland Security Committee is spending its time on and an area of arguably much more immediate threat to the U.S. government and citizens.”