After Paris Attacks: What Is the Future of Encryption?

The recent round of global terrorist attacks has reignited the homeland security versus personal privacy debate. Law enforcement officials point to the apparent use of encryption by ISIS terrorists as proof that encrypted communications need “back doors” to protect the public. But many security experts disagree. So what is the future for encrypted communication as we head into 2016?

November 21, 2015

Where next for encryption?

That is just one of the many security and privacy questions asked this week by a long list of business and technology professionals and media outlets. And the diverse viewpoints and differences of opinion run very deep.

For example, Bloomberg highlighted renewed calls for government access to certain encrypted communications:

The bloodshed in Paris led U.S. officials Monday to renew calls for limits on technology that prevents governments from spying on phone conversations, text messages and e-mails.

Senator Dianne Feinstein, a California Democrat, said she asked Silicon Valley companies to help law enforcement and intelligence agencies access communications that have been encrypted — or scrambled to evade surveillance — if terrorists are using the tools to plan attacks.

“I have asked for help. And I haven’t gotten any help,” Feinstein said Monday in an interview with MSNBC.

As the French parliament gave broad new emergency authority, including online surveillance permissions, to police to track down and capture terrorists, Fortune magazine pointed to the immense cybersecurity implications of recent events:

Paris thrusts this issue onto the front pages because one of the big questions that quickly emerged was how a group could execute such a complex attack while evading detection from intelligence services. Encryption is one potential answer. Indeed, experts hypothesize three different possibilities: (1) the attackers used powerful over-the-counter encryption; (2) they collaborated on the dark web; (3) they stopped using technology for coordination once they reached a certain level of operational readiness.

And Wired magazine presented the response from intelligence community leaders like CIA director John Brennan, who hoped that Paris would serve as a global “wake-up call” to people who oppose government surveillance in the name of personal privacy. Brennan said, “There are a lot of technological capabilities that are available right now that make it exceptionally difficult both technically as well as legally for intelligence security services to have insight that they need to uncover it.”

Technology and Security Experts Speak Out

Nevertheless, the majority of technology and security professionals as well as media organizations disagree. Here are three examples:

InfoWorld: “In place of reasoned proposals that might actually improve security, knee-jerk reactions have centered on two areas: increasing government surveillance powers and banning encryption because terrorists use it to communicate.”

TechCrunch: “Terrorists can use encryption tools that are freely distributed from countries where your anti-encryption laws have no jurisdiction. Terrorists can (and do) build their own securely encrypted communication tools. Terrorists can switch to newer (or older) technologies to circumvent enforcement laws or enforced perforations. They can use plain old obfuscation to code their communications within noisy digital platforms like the Playstation 4 network, folding their chatter into general background digital noise (of which there is no shortage). …”

National Public Radio: “After months of debate, in October, the Obama administration appeared to back down from the push for encryption back doors.

Some of the considerations were these: If America asked for back doors, what would stop China, Russia or any other country from demanding the same kind of access? Or, in light of massive hacks of government data, what would convince the companies that the federal agencies could properly protect the keys they'd be given?

"The reality is that if you have an open door in your software for the good guys, the bad guys get in there, too," Apple CEO Tim Cook told NPR's Robert Siegel in October. "I don't support a back door for any government, ever."

 

Clear Support by Security Practitioner Experts for “No Tampering” With Encryption

While this security versus privacy debate has been going on for a while, and the Snowden situation has been debated for several years, I was surprised this week by the force with which security experts openly urged no government back doors for encryption. When I posted the first Bloomberg article on this topic on LinkedIn on Tuesday, the comments rolled in from all over the world.

Here are a few of those comments that I received permission to reference. (Note that the name and title of the person are in bold above the comment.)

Todd Bell Global CISO | Executive Board Advisor | Speaker | Writer

I'm concerned a forthcoming law is coming to mandate a back door for every encryption product that is used in the USA and abroad. If this does occur, old forms of encryption messaging will become the new norm such as amateur radio to stenography. 

Jay Harmon Information Protection, HIPAA & Supply Chain Security Management Consultant

The potential for this type of legislation is definitely there though it would have a negative impact on other regulations such as the use of encryption as a safeguarding component of ePHI/PII protection. Risk of target and attack vectors, physical, electronic, radio, etc., would hopefully be considered before any impromptu rules were rushed through legislation. 

Michael Oberlaender CSO / CISO MS CGEIT CISM CISSP CRISC CISA GSNA ACSE / Global security executive

The future of encryption is not in doubt. If at all, the legal use of it in those countries that tend to overreact — but we would be foolish if we would allow that to happen. No one has asked yet to ban weapons (try the NRA ;-)) although those were the tools that were used to kill in the Paris ISIS massacre. 

Dan Lohrmann  Chief Strategist & Chief Security Officer at Security Mentor, Inc. Author, Blogger, Keynote Speaker

Todd, Jay and David — Do you think there is any middle ground here? For example: Could certain encrypted platforms (such as games) have back doors for law enforcement with a warrant? Or, is that problematic as well, in your view?

David O'Berry  CCSP,CRISC,CSSLP,CISSP-ISSAP/MP - Worldwide Technical Strategist oCTO Intel Security Group

"Here there be Dragons." Gggrrreeatttt big'uns. Like Solomon moment size...

Bill Corbitt  Director of Cyber Security Incident Response (CIS) at Nike

Those who trade Liberty for Security deserve neither.

Simon Hunt  Chief Technology Officer  Secure Home Gateways at Intel Security

Since backdoor-free crypto exists, how does regulation on technology help? Are they suggesting making the use of backdoor-free crypto a crime?

Matt Dunn  System Administrator at Akron Brass Company

The problem with laws is that criminals, especially terrorists, don't follow them. Strong and free crypto is already widely available, so if commercial products are forced to implement backdoors, terrorists will just switch to something else. Everyday law-abiding people and unsophisticated criminals will be the only ones impacted by this type of law. How would you even enforce a ban/backdoor requirement on encryption? Sure it would be easy to do with Apple or Snapchat, but you can't stop people from knowing math really well and creating something new, or using an existing algorithm to implement their own encrypted messaging system. Steve Gibson mentioned that point on a recent podcast.  

When something bad happens humans want a quick and simple solution to make us feel safe, but there isn't a quick and easy solution to terrorism. Anybody that intentionally goes after innocent civilians and does the type of things ISIS does needs to be dealt with. I appreciate what the militaries and police of the world do to that end and want them to keep doing it. But all of these measures, even bulk surveillance, are only going after the problem after it exists. What can we do as societies to decrease the level of terrorism?

Sid Vanderloot  Cyber Security Specialist, United Arab Emirates

Dan, very interesting debate indeed, but it seems the point is missed here. Reporters should have specialists reviewing such posts before publishing. The problem is not the back door nor the encryption, it is the diversification of the medium used: 20 billion connected devices is a number that is not necessarily difficult to control, but gives more overhead when encrypted; bypassing encryption will just speed the analysis process of the data, but cannot necessarily eavesdrop on a realtime conversation.

Curt Aubley  VP/CTO Data Center Group & GM Innovation, Pathfinding, & Architecture Group at Intel Corporation

If our privacy is given up, do we actually win or lose against evil or do they win?

David O'Berry  CCSP,CRISC,CSSLP,CISSP-ISSAP/MP Worldwide Technical Strategist oCTO Intel Security Group

Absolutely valid Curt. They win. Also great points by everyone ... Simon makes another valid point ... are we now going to outlaw crypto unless it's backdoor enabled? Get ready to build about 50 GitMos if so ... Nasty rock and hard place here but in the end intelligence and detective work ... correlation and anomaly detection has to win out over shortcuts that are fraught with extreme peril not just to life but to liberty as well. 

Simon Hunt  Chief Technology Officer  Secure Home Gateways at Intel Security

Haven't we been down this road before? https://en.wikipedia.org/wiki/Clipper_chip

Sid's point is prescient as well ... the very radical connectivity we so crave creates a situation whereby just the security by obscurity of fragm…

Michael Lester, MSEE, MBA, CIPP/US, CISM  Chief Information Security Officer / Vice President

Matt is right. We've had the same argument with guns, alcohol, drugs, etc. Criminals don't follow laws.

Jay Harmon - Information Protection, HIPAA & Supply Chain Security Management Consultant

For that matter, it has long been the law that certain encryption technologies cannot be exported. Yet, they are regularly exported to less-than-friendly countries. Dan, there is always a middle ground for the law-abiding community. That middle ground tacitly serves as a boundary marker for those less and less inclined to abide by the law simply because it exists in statute. 

Backdoor encryption is essentially a description of no encryption as the avenue through the back door will become public knowledge to the attacker community. The fact that this kind of encryption exists will become a search parameter as a viable cache of secrets fooling those that believe in it to feel safe while all along they are being plundered without their awareness. And, encryption technology is widely available. Other than for show, you cannot put that genie back in the bottle. 

Dan Srebnick  Executive IT and Infosec Strategist

Phil Zimmermann was persecuted for three years by the US government for simply releasing a personal encryption capability to the public back in 1991. Each new incident reignites the call from the law enforcement and intelligence communities to scare folks into giving up the fundamental capability of the right to communicate in private without government interference.

Michael Oberlaender  CSO / CISO MS CGEIT CISM CISSP CRISC CISA GSNA ACSE / Global security executive

Dan Srebnick — I couldn't agree more with you — see my prior posting above. Time to focus on the real issues, why the intel community is not better at revealing threats before they take action. 

Dan Lohrmann  Chief Strategist & Chief Security Officer at Security Mentor, Inc.  Author, Blogger, Keynote Speaker

More from Bloomberg this morning on this issue. This article discusses new (and potential) UK surveillance laws.

Jhon Jairo Murillo Giraldo SAM Consultant Colombia, Echez Group

I don't know what is more insane. Being against math or encouraging the creation of vulnerable systems. This kind of wording is making the war against terrorism something similar to the period of witch hunts. Are we losing our minds?

Final Thoughts

As I watched several different talk shows on Friday morning, this encryption topic came up again and again. The feeling was that we are now in a tug-of-war which is a part of the wider debates on surveillance and online monitoring by law enforcement.

After reading through dozens of articles and opinion pieces on this topic this week, it seems that, just as public opinion changed regarding emergency powers for the French government following the Paris terrorist attacks, societal views on this encryption topic will likely evolve based on global terrorist events. New legislation will almost certainly be introduced in this area if terrorist attacks strike soon in the U.S.

Nevertheless, after hearing from dozens of industry experts, it is also clear to me that most security professionals believe governments should leave encryption alone.