The Washington Post

The Cybersecurity 202: Cybersecurity pros are uniting in a battle to save encryption

Cybersecurity and privacy advocates are rallying to defend strong encryption, which is facing its harshest assault in decades from the Trump administration and Congress.

A coalition of dozens of top cybersecurity and Internet freedom groups, academics and experts sent a blistering letter this morning to the sponsors of an anti-encryption Senate bill they say would make hundreds of millions of Americans more vulnerable to hacking. 

The bill, called the Lawful Access to Encrypted Data Act, is the harshest among a number of efforts to weaken encryption across the Justice Department and Congress.

It would effectively require tech companies to weaken access to their secure systems to ensure law enforcement with a warrant can track terrorists, sexual predators and other criminals. But that would also make it far easier for cybercriminals and adversary nations to hack into troves of government, financial and health records, the letter's authors write. They include the Internet Society, the Wikimedia Foundation and the Center for Democracy and Technology as well as experts at the American Civil Liberties Union, Stanford University and the Massachusetts Institute of Technology.

The bill “states that strong encryption is dangerous and it facilitates ‘criminal activity,’ without acknowledging that end-to-end encryption protects all people and is vital to many sectors of the economy, from banking to healthcare,” the letter states. End-to-end is the strongest form of encryption, in which communications are completely garbled as they travel between the sender and recipient and can’t be deciphered even by the company that owns the platform.

The bill’s sponsors are Senate Judiciary Chairman Lindsey Graham (R-S.C.) and Sens. Marsha Blackburn (R-Tenn.) and Tom Cotton (R-Ark.).

The calls reflect a dramatic shift during the past six years as lawmakers and officials have grown increasingly skeptical that strong encryption is as important as experts say. Cybersecurity experts, meanwhile, have grown more concerned they may lose a fight they view as vital to the future of the Internet. 

The letter also points to the dramatic shift to telework during the pandemic. 

That has opened up a bevy of new opportunities for hackers and made strong encryption even more vital, they say. 

Weakening encryption “would put the safety and security of Internet users in danger at a moment when a devastating pandemic has made secure technologies more critical than ever to the everyday lives of Americans,” they write. 

Law enforcement also isn't exploring ways it can track criminals online without breaking encryption, experts argue.

Those methods include using legally authorized hacking to exploit errors in how criminals use encryption. In rare cases, investigators have also used previously unknown bugs to break into encrypted devices and services.

“Interviews with hundreds of federal, state, and local law enforcement officials have shown that the largest barrier to law enforcement when dealing with modern communications systems is not encryption,” the authors write. “Rather, it is an inability to leverage the data they currently have or could have access to.”

That argument got a major boost this week when European law enforcement revealed an investigation that led to hundreds of arrests by cracking an encrypted service called EncroChat used by drug traffickers and other criminals. By hacking into the networks, police said they were able to read millions of messages in “real time, over the shoulder of the unsuspecting senders.”

U.S. law enforcement has also successfully broken into encrypted devices in major cases. 

In two high-profile cases where Apple refused to help the FBI crack into encrypted iPhones, investigators ultimately gained access by working with secretive hacking tool brokers. 

Those phones belonged to Syed Farook, who killed 14 people and injured others during a workplace shooting in San Bernardino, Calif., in 2015, and Ahmed Mohammed al-Shamrani, who killed three people and injured eight others in a shooting at a Pensacola, Fla., military base in 2019.

In the San Bernardino case, then-FBI Director James B. Comey suggested the price tag for the access was more than $1 million. 

Facebook also paid more than $100,000 for a hacking tool that revealed the messages of notorious sexual predator Buster Hernandez as part of an effort to help the FBI build a case against him, Vice reported recently. 

Facebook has been a major target in Justice's push against encryption because of plans to expand end-to-end encryption across its messaging platforms — a move that Attorney General William P. Barr says will lead to a major expansion in sharing child pornography. 

The letter comes just days after encryption advocates notched a partial victory against another encryption-threatening Senate bill.

That bill, called the EARN IT Act, threatens to remove tech companies’ liability protections for what users share on their platform unless they get far better at stemming the spread of child pornography. 

The companies feared that would force them to stop using end-to-end encryption, but a last-minute amendment from Sen. Patrick Leahy (D-Vt.) went a long way toward assuaging those concerns. It basically bars civil and criminal cases against companies for violating the bill’s rules merely because they use encryption. 

Encryption advocates still have heartburn about the bill, though. 

They worry it will open the door for lengthy litigation in which firms must prove that it’s just encryption that’s preventing them from combating the spread of child sexual abuse material and not something else, the Center for Democracy and Technology’s Greg Nojeim notes.

The amendment also fails to exempt other cybersecurity protections beyond encryption that make data more secure but might also inhibit law enforcement investigations, Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society, writes.

The keys

Delaware’s primary today marks a mini-test for Internet-based voting. 

Delaware initially offered residents the option of casting their primary ballots using a mobile app but quietly reversed itself last month after ballots started arriving. The decision was largely driven by a Massachusetts Institute of Technology and University of Michigan study that found significant cybersecurity weaknesses in the app, called OmniBallot, Delaware Public Media reports.

State Election Commissioner Anthony Albence defended offering the app and then removing it, saying the state “had no problems with the system” but “want[s] everyone to be fully confident in anything that we do.”

Delaware was one of three states that launched pilots of OmniBallot this year, but it was the only state offering it broadly to voters quarantining because of the coronavirus. West Virginia and New Jersey offered the app only to voters with disabilities that made it unfeasible to vote by mail. Several states already used the app for military and overseas voters. 

New Jersey piloted the app during primary elections for local offices in a handful of counties. It agreed not to pilot it in its presidential primary, which is also being held today, as part of a broader lawsuit.

Delaware and New Jersey both also substantially expanded mail voting for today’s primaries. 

Some cybersecurity companies drew Paycheck Protection Program money to weather the pandemic.

Most prominent among those companies was IronNet Cybersecurity, founded by former National Security Agency chief Gen. Keith Alexander. IronNet received between $5 million and $10 million worth of loans, according to records released by the Small Business Administration yesterday.

That went toward “protecting over 250 employee jobs in Maryland, Virginia, and North Carolina during the initial phase…of the pandemic,” Chief Marketing Officer Russ Cobb told my colleague Cat Zakrzewski. The company plans to pay back the loan rather than try to convert it into a grant, Cobb said. 

Other PPP recipients include Fidelis Cybersecurity, which provides services to numerous government and military clients, and the cybersecurity news service CyberWire, according to SBA data.

The U.K. appears poised to block Huawei from its 5G networks in a major blow for the Chinese telecom. 

Prime Minister Boris Johnson has yet to make a formal decision but has increasingly signaled he’s likely to bar the firm, William Booth reports. The likely move comes after a series of increasingly severe U.S. restrictions on Huawei, including barring foreign computer chip suppliers that sell to U.S. companies from working with the telecom.

“I’m very determined to get broadband into every part of this country,” Johnson said. “I’m also determined that the U.K. should not be in any way vulnerable to a high-risk state vendor, so we have to think carefully about how we handle that.” U.S. officials have said Huawei can’t be trusted not to spy for the Chinese government, a charge Huawei denies. 

The French government, meanwhile, appears poised to recommend against telecoms using Huawei in their 5G networks but will stop short of an outright ban, the French newspaper Les Echos reported as translated by Reuters.

Government scan

The United States is looking at banning China-based TikTok over security concerns. 

The possible move, floated by Secretary of State Mike Pompeo, comes after India banned TikTok and numerous other Chinese apps. 

“We’re certainly looking at it,” Pompeo said, adding that the administration was taking the issue “very seriously,” Timothy Bella reported.

Pompeo said Americans should download TikTok “only if you want your private information in the hands of the Chinese Communist Party,” Reuters reports. TikTok has denied sharing any information with the Chinese government. 

More cybersecurity news from the public sector:

Woman pleads guilty in scheme to offer information to Russia (John Raby | AP)

Senate Democrats urge Pompeo to ensure Americans living overseas can vote in November (The Hill)

Global cyberspace

An explosion and fire at an Iranian nuclear plant was likely sabotage, intelligence officials say.

But signs are pointing away from a cyberattack, Joby Warrick, Souad Mekhennet and Steve Hendrix report. “A Middle Eastern security official said in an interview that the damage was caused by a ‘huge explosive device’ planted by Israeli operatives to ‘send a signal’ to Tehran,” they report. 

The move could nevertheless prompt retaliatory cyberattacks from Iran. 

More international cybersecurity news:

WSJ News Exclusive | Google, Facebook and Twitter Suspend Review of Hong Kong Requests for User Data (Wall Street Journal)

UN chief warns COVID-19 provides opportunity for terrorists (Edith M. Lederer | AP)

Looks Like Russian Hackers Are on an Email Scam Spree (Wired)

Chat room

Here's a stunning visual from MIT and Prof. Charles Stewart III of the increase in voting by mail between the 2016 and 2020 primaries:


  • A House Appropriations Committee panel will debate funding for the Homeland Security Department at 9 a.m. today.
  • The House Energy and Commerce Committee will host a hearing on consumer risks during the covid-19 pandemic at noon Thursday.

Secure log off

In memoriam: