The section got less attention than sexier items in the report, such as plans to counter foreign influence campaigns in U.S. politics. But it signals that DOJ is gearing up for another coordinated push for an encryption-breaking mandate. “They're really looking to answer this question for once and for all,” said Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative.
That's significant, since embarrassing disclosures this year have undercut law enforcement's arguments -- including that the FBI cited grossly inflated statistics about the scope of the problem and was not using the full range of tools at its disposal to break into locked phones before trying to force companies to re-engineer their products. Legislation has stalled in Congress, and the department has since struggled to publicly make the case for such a bill.
Indeed, some of the points in DOJ's step-by-step plan seem to allude to past missteps -- and show the department is coming to terms with them. For instance, the report says DOJ will focus on "collecting accurate metrics and case examples that demonstrate the scope and impact of the problem." In May, my colleague Devlin Barrett reported that the FBI far oversold the problem when it repeatedly claimed to be locked out of 7,800 encrypted cellphones last year, when the real figure was between 1,000 and 2,000.
Another part of the plan: "Working to use technical tools more robustly in criminal investigations." An inspector general report in March revealed that the FBI hadn’t fully determined whether it could break into a terrorist’s locked iPhone before seeking a court order in 2016 to force Apple to help. Still, while the report notes that investigators had “lawfully exploited” security flaws to gain access in some cases without a back door, it cautions that it was no panacea. Finding encryption workarounds is expensive and “may not be a scalable solution” if developers are quick to fix vulnerabilities, according to the report.
Yet cryptography experts insist the report merely pays lip service to the department's recent past problems while rehashing old arguments.
“It recommends essentially the exact same strategy the FBI has been pursuing since Going Dark began,” Matt Green, a cryptography professor at Johns Hopkins University, told me. “It makes you wonder whether there’s any set of circumstances that might cause the DOJ and the FBI to reconsider their strategy.”
Green continued: "We have one reason to believe the problem is less serious than the FBI’s data indicates. We have a second reason to believe that the FBI had more technical capability than they indicated in court and to the public... And a third reason to strongly believe that they continue to have capability [to access information they need] with software exploits. And yet this new report... doesn't capture any of this."
The encryption push may be harder now that the public knows about law enforcement's errors. “DOJ has had years to 'collect accurate metrics' on encryption's impact on investigations and prosecutions, but the only number it has ever provided to the public is the one the DOJ had to admit was inaccurate,” said Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society. “If they're serious about this, they should release those metrics once they have them, plus info about how they arrived at those numbers.”
What is clear: The DOJ still believes the spread of strong encryption is “one of the most significant” and “vexing” challenges hindering criminal investigations. “In the past, only the most sophisticated criminals encrypted their communications and data storage,” the authors wrote. “Today the average consumer has access to better technology than sophisticated criminals had twenty years ago.”
Just before the report’s release, FBI Director Christopher A. Wray also suggested that officials would turn to Congress if they can't break the encryption deadlock with private companies reluctant to give agents a built-in way to access their products.
“I really believe that this is the kind of thing that if people go into the conversation with a goal of trying to solve the problem as opposed to trying to exacerbate the problem, we’ll get there,” he said in remarks at the Aspen Security Forum in Colorado. “And if we can’t get there, there may be other remedies, like legislation.”
PINGED: “President Trump moved to retaliate against some of his strongest critics Monday, threatening to revoke the security clearances of former top officials who have raised alarms about Russian interference in the 2016 election or questioned the president’s fitness for office,” The Washington Post's Shane Harris, John Wagner and Felicia Sonmez reported. “White House press secretary Sarah Huckabee Sanders said Trump is 'looking to take away' the clearances of half a dozen former senior national security and intelligence officials who served in the administrations of George W. Bush or Barack Obama. Sanders accused them of profiting off their public service and making 'baseless accusations' against the president.”
Here are the former officials that Sanders listed on Monday, my colleagues reported:
- former CIA director John O. Brennan,
- former FBI director James B. Comey,
- former CIA director Michael V. Hayden,
- former national security adviser Susan E. Rice,
- former director of national intelligence James R. Clapper Jr.,
- former FBI deputy director Andrew McCabe.
Earlier Monday, Sen. Rand Paul (R-Ky.) had tweeted that he would ask Trump to take Brennan's security clearance away. “Is John Brennan monetizing his security clearance?” Paul wrote on Twitter. When asked at a White House news briefing whether Trump would heed Paul's advice, Sanders replied that the president was “not only” thinking about removing Brennan's clearance but that of other former officials, as well.
“The president is exploring the mechanisms to remove security clearance because they've politicized and, in some cases, monetized their public service and security clearances,” Sanders said. “Making baseless accusations of improper contact with Russia or being influenced by Russia against the president is extremely inappropriate, and the fact that people with security clearances are making these baseless charges provides inappropriate legitimacy to accusations with zero evidence.”
However, Comey and McCabe do not hold security clearances at the moment, my colleagues reported. Benjamin Wittes, editor in chief of Lawfare and senior fellow at the Brookings Institution, also said on Twitter that Comey told him he does not have a clearance.
“It’s routine for the former directors of intelligence agencies and other senior officials to maintain their security clearances, so they can share their expertise with current leaders or be called in for consultations on how a prior administration handled an issue or crisis, current and former officials said,” Harris, Wagner and Sonmez reported. “Some former officials also have jobs that require a security clearance.”
PATCHED: Google says its decision to have employees use USB devices called Security Keys instead of two-factor authentication has helped curb phishing, the computer security blog KrebsOnSecurity.com reported Monday. The tech giant has not encountered any case of phishing among its employees since rolling out Security Keys in early 2017, according to Brian Krebs, the author of the blog and a former Post reporter. “We have had no reported or confirmed account takeovers since implementing security keys at Google,” a Google representative told Krebs. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
Instead of entering a unique code sent to a mobile device after a user has typed their password as is generally the case under two-factor authentication, Security Keys rely on a process that “allows the user to complete the login process simply by inserting the USB device and pressing a button on the device,” according to Krebs. “Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key),” Krebs wrote.
PWNED: The Department of Homeland Security said Monday that Russian hackers infiltrated American energy utilities last year and the number of victims is in the hundreds, rather than dozens as previously reported, The Wall Street Journal’s Rebecca Smith wrote. “The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, ‘air-gapped’ or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security,” according to the Journal.
Russian hackers first targeted smaller vendors with spearphishing and watering-hole attacks and later moved on to utility companies, Smith reported. “Then they began stealing confidential information,” she wrote. “For example, the hackers vacuumed up information showing how utility networks were configured, what equipment was in use and how it was controlled.” Jonathan Homer, chief of industrial-control-system analysis for DHS, said the hackers “got to the point where they could have thrown switches,” Smith wrote. The hacking campaign dates back to the spring of 2016 and carried on in 2017, and officials said it is probably still going, according to the Journal.
— More cybersecurity news:
— U.S. intelligence agencies have a way to find out what Trump and Russian President Vladimir Putin said to each other last week in Helsinki even though the two leaders met one-on-one, according to Politico's Josh Meyer. “Privately, sources familiar with U.S. intelligence capabilities expressed confidence that the so-called Special Collection Service scooped up not only Putin’s readout of the two-hour meeting, but what the Kremlin’s top spymasters really think about it — and how they’re spinning it to their foreign counterparts,” Meyer reported on Monday. “That means the National Security Agency and CIA are at less of a strategic disadvantage than U.S. intelligence officials have acknowledged publicly.”
— A measure by Sen. Ben Sasse (R-Neb.) that would create a Cyberspace Solarium Commission to develop a cybersecurity strategy for the United States was included in a compromise defense bill, according to a statement issued Monday by Sasse’s office. The commission, whose name would echo President Dwight D. Eisenhower’s Project Solarium, would consist of 14 members and would be tasked with submitting a report on cybersecurity strategy by Sept. 1, 2019. “Washington is late to the game – we don’t have a playbook and our enemies are already on offense,” Sasse said in a statement. “This is the new frontier of warfare and America cannot fall behind. The hardest work is still ahead.”
— Ali Charaf Damache, an Algerian man with Irish citizenship, pleaded guilty on Monday to conspiring to provide material support to terrorists after being indicted in 2011, the Justice Department announced in a statement. According to the indictment, Damache and others recruited men online to engage in jihad in South Asia and Europe, the statement said. “At a time when radical terrorist groups use the Internet to recruit new members and coordinate attacks against innocent people, the National Security Division remains committed to investigating all possible threats to our country aggressively — including those that take place online,” John C. Demers, assistant attorney general for national security, said in a statement.