The ultimatum from the Five Eyes group of intelligence agencies takes the U.S. government’s efforts to address the spread of encrypted technologies to the international stage, allowing officials to project unity in their demands to be able to break through encryption with a warrant. And it could deepen the schism between the governments and tech giants such as Apple and Facebook, which have firmly opposed calls to weaken encryption.
“I certainly see this banding together as a way for the U.S. government to try to exert more gravitas in the U.S. debate,” said Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society.
“Many of the tech companies that are in the Five Eyes' sights are U.S.-based, and it naturally exerts more pressure on those companies to have five countries (most of which presumably provide significant user bases for those companies), not just the U.S., band together to press them on encryption,” she told me in an email.
Signing onto the statement is largely a symbolic move — there’s nothing in the Five Eyes memo that requires any action of the governments involved — but it raises the stakes for the tech industry. “This statement signifies a switch to a more aggressive stance on ‘going dark’ by the Five Eyes countries, both in terms of presenting a unified front and in the not-very-veiled threats to tech companies to do what the government wants them to or else,” Pfefferkorn said.
Major tech industry players haven't commented on the move. But Facebook recently staked out its opposition to “back doors” into encryption in a blog post. “Proponents of so-called 'backdoors' imagine a hidden way of bypassing encryption, somehow accessing only the conversations of suspected criminals or terrorists while continuing to protect everyone else,” Gail Kent, Facebook's global public policy lead on security, wrote in May. “But cybersecurity experts have repeatedly proven that it’s impossible to create any back door that couldn’t be discovered — and exploited — by bad actors. It’s why weakening any part of encryption weakens the whole security ecosystem.”
Top law enforcement officials argue that the spread of encryption hinders high-stakes criminal investigations, and they say legislation requiring a workaround to encryption may be necessary if tech companies don’t voluntarily help out. Efforts to move an encryption-breaking bill have stalled in Congress, but the Department of Justice signaled last month that it may be mounting another push in the near future. The FBI is also currently locked in a court fight with Facebook over access to a gang suspect's encrypted voice conversations on the company's Messenger app, in a case that echoes the bureau's epic legal battle with Apple in 2016 to break the encryption on a terrorist's cellphone.
There's already legislation on the table in Britain and Australia, which have led the charge in crafting policies to compel companies to help law enforcement bypass encryption. A U.K. law passed in 2016 requires communications providers to create encryption workarounds when called on by the government's security services. And Australian lawmakers are debating new legislation that would force tech companies to help investigators decrypt data.
The language in the Five Eyes statement will sound familiar to anyone who has followed the encryption debate in the United States. Law enforcement’s inability to access encrypted data in investigations is a “pressing international concern that requires urgent, sustained attention,” the governments said in the memo, which was issued by the Australian government on the group’s behalf.
To help solve the problem, tech companies should “create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements,” the coalition said. It concluded with a warning: “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
“Privacy laws must prevent arbitrary or unlawful interference,” the memo read, “but privacy is not absolute.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Tech giants will face questions from lawmakers today during hearings on Capitol Hill amid concerns over online foreign influence and allegations of censorship on social media platforms. “The back-to-back House and Senate hearings scheduled for Wednesday illustrate the new political reality for Silicon Valley, as Democrats and Republicans alike increasingly seem willing to regulate how the industry moderates content online — and eager to subject its once-untouchable executives to intense public scrutiny,” The Washington Post's Tony Romm reported. “The political gantlet begins in the Senate, where the Intelligence Committee will host Sheryl Sandberg, the chief operating officer of Facebook, and Jack Dorsey, the chief executive of Twitter. They'll testify — their first time on Capitol Hill — at a hearing on foreign governments that spread misinformation on social media.”
Sandberg's prepared statement shows that she plans to tell the Senate Intelligence Committee that Facebook's efforts to fight off inauthentic actors on its platform have improved. “We’re getting better at finding and combating our adversaries, from financially motivated troll farms to sophisticated military intelligence operations,” Sandberg plans to say, as quoted by my colleague Tony. However, no representative for Google will appear before the Senate panel. “Senators formally invited Larry Page, the chief executive of Google's parent company, to their Sept. 5 hearing,” Tony wrote. “Google responded with an offer for Kent Walker, the company's senior vice president of global affairs and chief legal officer, to testify, which Senate leaders rejected. In a statement, Google said Walker would still come to Washington, D.C., share written testimony and meet with interested lawmakers this week.”
On Tuesday, Facebook chief executive Mark Zuckerberg wrote in an opinion piece for The Washington Post that private companies and public authorities ought to work together to combat interference. “The investments we continue to make in people and technology will help us improve even further,” Zuckerberg said. “But companies such as Facebook face sophisticated, well-funded adversaries who are getting smarter over time, too. It’s an arms race, and it will take the combined forces of the U.S. private and public sectors to protect America’s democracy from outside interference.”
PATCHED: The United States has not shown that it will respond to foreign adversaries seeking to sow discord in American politics -- and online propaganda campaigns may only get worse as a result, according to Facebook's former chief security officer Alex Stamos. “We have the risk of turning our elections into the World Cup of information warfare, where everybody wants to have a piece in it, because we have not demonstrated that we will punish countries that do this to us and we have not addressed the fundamental issues that caused us to get here in the first place,” Stamos told CNN's Laurie Segall.
Stamos, now an adjunct professor at Stanford University, expressed dismay that some people still question whether interference occurred in the past presidential election. “Two years after Pearl Harbor, the United States had quadrupled the size of our Navy. We were already on an unstoppable path to the Japanese home islands in the Pacific theater,” Stamos told Segall. “Two years on from the election and people are still arguing whether we were even attacked and I find that amazing.” Additionally, Stamos told CNN that partisanship is hampering efforts to counter foreign interference in U.S. elections. “The political polarization on election hacking is a horrible, horrible problem for the country,” he said. “It's the reason why we are in not much better shape in 2018 than we were in 2016.”
PWNED: Some experts worry that wireless connectivity weakens the security of election systems even if it can help administer elections faster. “Securing the vote is a tradeoff like any other, and the wireless debate exposes a perennial tension: The easier we make it to run an election, the easier we may make it to meddle in that election,” the Intercept's Sam Biddle wrote on Tuesday.
Jurisdictions where election systems include wireless connectivity may be reluctant to discard the technology. “According to one former federal election official who spoke to The Intercept on the condition of anonymity because he was not permitted to speak to the press, many states already employ wireless connections in one form or another and are loath to give them up now, even in the name of making the vote harder to hack,” Biddle wrote. The former official told the Intercept that it would be “arduous” for election officials to get rid of wireless connectivity in an election year even though they understand that it is “a security issue.”
“Tammy Patrick, a former Arizona election officer and current senior adviser at the Democracy Fund, which, like The Intercept, is funded by eBay founder Pierre Omidyar, said that although she isn’t aware of a jurisdiction that ‘connects their voting equipment using Wi-Fi,’ other wireless technologies are sometimes built in,” Biddle reported. “Additionally, computers only one degree removed from the digital ballot boxes themselves will often connect to the internet, Patrick explained.”
— More cybersecurity news:
— “The House on Tuesday passed a bill that would allow the Homeland Security secretary to block the agency from working with foreign tech companies whose products or services are believed to pose a potential threat to the U.S.,” the Hill's Jacqueline Thomsen reported. “The legislation, sponsored by Rep. Pete King (R-N.Y.), would give the Department of Homeland Security (DHS) chief the authority to review and ban agreements with foreign contractors over supply chain concerns. Lawmakers and experts fear that the technology or software included in the imported products could be manipulated by hackers for future cyberattacks.”
— The House also passed a bill by Rep. John Ratcliffe (R-Tex.) to codify the Continuous Diagnostics and Mitigation program at DHS. “I’m grateful for the strong, bipartisan support of my House colleagues in passing my CDM codification bill today, and I’m hopeful the Senate will act swiftly to advance this important measure on behalf of our national security,” Ratcliffe said in a statement on Tuesday.
— “The Commerce Department division that developed a 2014 cybersecurity framework for industry will begin work on a privacy framework to help companies protect the personal information of customers and employees,” Nextgov's Joseph Marks reported on Tuesday. “The National Institute of Standards and Technology, or NIST, will be gathering public feedback for the effort beginning with an Oct. 16 public workshop in Austin, Texas, according to a news release.”