THE KEY

Attorney General William Barr dramatically revived the long-simmering encryption debate yesterday with his charge that such communications were allowing terrorists to plan attacks with impunity and criminals to run free. 

Barr, in his first significant speech on the issue that has long divided law enforcement and technologists, also warned yesterday that drug cartels were using “warrant-proof” encryption to plan police assassinations and to transport loads of deadly opiates from Asia to Mexico and the United States. 

“If our law enforcement agencies do not recover the ability to gain lawful access to encrypted communications and platforms, the prospects of successfully prosecuting the drug war by traditional law enforcement means are dim,” Barr said during a speech at a cybersecurity conference hosted by the FBI and Fordham University.

The remarks drew rapid blowback from privacy advocates and security pros who have argued there’s no way to give law enforcement special access to encrypted communications without creating vulnerabilities that hackers and criminals could exploit. They sprang into fight mode, creating a flashpoint in tensions that have been at a low simmer since 2015. That’s when the FBI tried — but ultimately backed away from — an effort to force Apple to help it crack into an encrypted iPhone used by Syed Farook, one of two shooters in an attack at a San Bernardino, Calif., office that killed 14 people. 

Matt Blaze, a cryptography expert and Georgetown University computer science professor, slammed Barr and other law enforcement officials for proposing to weaken encryption but not making any specific proposals or addressing how they’d deal with the consequences of weakening data security for the broader public.

“The absence of a specific proposal makes this an extremely frustrating discussion to have,” Blaze told me. “I understand why law enforcement would like this. If it were possible to do, it might solve some real problems. But we don’t know how to do it. … We rely on encryption for increasingly critical functions for our society and for our economy.”

Sen. Ron Wyden (D-Ore.), a longtime advocate for online privacy, called Barr’s speech “a tired, debunked plan to blow a hole in one of the most important security features protecting [the] digital lives of the American people.”

And Thomas Rid, a Johns Hopkins University political scientist, warned it could seriously damage public trust in American tech companies' independence from the government – and might compel some of them to relocate outside the U.S. government’s reach.

Technologists also seized on Barr's apparent attempt to minimize the damage if people’s personal data and communications became more vulnerable to hackers. He noted at one point, “After all, we are not talking about protecting the nation’s nuclear launch codes.” 

Security experts countered that digital breaches — which would become more common with weaker encryption — can not only be immensely costly, but can also damage national security if hackers compromise a government agency or major company.

“That shows disregard for the data security of citizens and really misapprehends how indispensable strong encryption is to Americans and to the economy of the country,” Riana Pfefferkorn, an associate director at Stanford Law School’s Center for Internet and Society, told me.

Here’s another take from Matthew Green, a Johns Hopkins cryptographer:

The timing of Barr’s speech was also curious. It comes after encryption was discussed at a meeting of top Trump administration officials in June, according to Politico. But the tech and security community remains almost uniformly opposed to weakening encryption, and there’s little appetite in Congress to tackle the issue.

The House Judiciary and Energy and Commerce committees even warned against any legislative efforts to weaken encryption in a joint report in late 2016. And the Justice Department’s reputation on encryption was deeply damaged by a series of internal investigations in 2018 that showed the FBI overstated how many investigations were foiled by encryption and rushed into its legal battle with Apple without exploring other options.

Pfefferkorn suggested the Trump administration may be reacting to a new Australian law that loosened encryption protections, hoping to use that example to demonstrate a global push against encryption.

The administration may also be trying to keep the encryption debate alive while expecting to make an example out of some future unsolved crime or attack that might have been averted by access to encrypted communications, Pfefferkorn suggested.

Barr made a similar suggestion during his speech, noting that “a major incident may well occur at any time that will galvanize public opinion on these issues” and saying “the best course for everyone involved is to work soberly and in good faith together to craft appropriate solutions, rather than have outcomes dictated during a crisis.”

PINGED, PATCHED, PWNED

PINGED: FBI Director Christopher Wray endorsed a series of election security best practices during a Senate Judiciary Committee hearing yesterday -- including paper ballots and post-election audits -- echoing talking points from Democrats who want to mandate those reforms before the 2020 contests. 

“My limited understanding in that space is, paper ballots would be a good thing and seems redundancy would be in everybody's interest in this — such an important space for the country,” Wray told Sen. Amy Klobuchar (D-Minn.). Wray’s testimony coincided with a news conference from Democrats in the Senate and House who are trying to use today's hearings with former Special Counsel Robert S. Mueller III to pressure Republican leadership into allowing votes on election security bills.

Wray also told lawmakers that Russia remains “absolutely intent” on trying to influence U.S. elections and interfere with voting technology.

PATCHED: The National Security Agency will create a new cybersecurity directorate in an attempt to better sync up the agency’s offensive and defensive digital operations, Dustin Volz at the Wall Street Journal reports. The new directorate signals a shift in the intelligence community toward taking a more coordinated approach on cybersecurity. 

The new directorate will replace a previous system that largely separated NSA missions guarding sensitive information on national security systems and those intercepting intelligence on foreign operations. It will be led by Anne Neuberger, who was the NSA’s first chief risk officer and recently led the agency’s task force to thwart Russian influence and cyberattacks on U.S. elections.

The new directorate will build on the Russia group’s success in operationalizing intelligence to “defeat our adversaries in cyberspace,” according to a news release from the NSA. It will also help the NSA share more intelligence with other agencies, including the Department of Homeland Security, and the private sector.

PWNED: Wray also told lawmakers on the Senate Judiciary Committee that China poses “a more severe counterintelligence threat” to the United States than any other country — including Russia. 

“I would say that there is no country that poses a more severe counterintelligence threat to this country right now than China,” Wray said. “That is saying a lot, and I don’t say it lightly.”

The bureau has dealt with more than 1,000 federal investigations into attempted theft of U.S. intellectual property connected to Chinese citizens, Wray testified. Concern over economic espionage by China has fueled a number of economic penalties by the Trump administration, including a ban on selling software supplies and parts to Chinese tech giant Huawei.

“As long as they keep committing crimes and threatening our national security, they are going to keep encountering the FBI,” Wray said.

PUBLIC KEY

-- Trump administration officials are discussing sharing their classified policy for offensive hacking operations with a bipartisan group of lawmakers who've spent the past four months demanding the document — but they haven't delivered the goods yet, Rep. Jim Langevin (D-R.I.), one of the lawmakers, told me. 

Langevin and the other lawmakers have been pushing the Trump administration to share the policy — called National Security Presidential Memorandum 13 — through multiple channels, including adding an amendment to a major defense policy bill that would have required the White House to turn it over. They generally support the Trump administration getting tougher on U.S. adversaries in cyberspace but say that sort of aggressiveness requires strong congressional oversight.

“More than four months after we first sent it, the White House has finally responded to our request to see NSPM 13,” Langevin told me in a statement. “It is unfortunate it took an NDAA amendment to jump-start this conversation, but I am hopeful that an agreement can be reached soon.”

— More cybersecurity news from the public sector:

Senate Democrats labeled Senate Majority Leader Mitch McConnell (R-Ky.) as “the lead opponent” to election security efforts in a report released Tuesday. (The Hill)

The Consumer Financial Protection Bureau hasn’t comprehensively assessed risks prior to deploying new cloud systems, according to a recent report. As a result, CFPB hasn’t issued a Federal Risk and Authorization Management Program provisional authority to operate (P-ATO) for a cloud system supporting its Consumer Response Call Center. (FedScoop)

PRIVATE KEY

— Cybersecurity news from the private sector:

Apple Inc. has asked the Trump administration to exclude components that make up the forthcoming Mac Pro high-end desktop computer from import tariffs. (Bloomberg)

Researchers have found several security flaws in popular corporate VPNs, which they say can be used to silently break into company networks and steal business secrets. (TechCrunch)

Computer scientists have developed an algorithm that can pick out almost any American in databases supposedly stripped of personal information. (The New York Times)

THE NEW WILD WEST

— Cybersecurity news from abroad:

Police investigating Bulgaria's biggest-ever data breach have detained a ma... (Reuters)

The effort, called “Hack_Right,” is aimed at first-time offenders who may be skirting the law from behind their keyboard and not even realize it. (CyberScoop)

Brazilian Economy Minister Paulo Guedes is urging the justice minister to consider opening a criminal investigation into the possible hacking of his cellphone.

Roger Faligot’s history of spying in the Chinese Communist party highlights the turbocharged growth in the nation’s intelligence services. (The Financial Times)

ZERO DAYBOOK

Today:

  • The International Conference on Cyber Security will take place at Fordham University in New York City through July 25.
  • The House Appropriations Committee will host a hearing on the budget and oversight of the White House Office of Science and Technology Policy at 10:15 a.m.
  • Former special counsel Robert Mueller will go in front of the House Intelligence Committee to testify about the investigation into Russian interference in the 2016 presidential election at noon.
  • The House Appropriations Committee will host a hearing on U.S. Customs and Border Protection Border Patrol Oversight at 2 p.m.
  • The House Select Committee on the Modernization of Congress will host a hearing on lessons from states in modernizing information technologies at 2 p.m.