Published on December 17, 2015
The encryption debate keeps raging on
And while its entertainment value cannot match Republican presidential debate, both sides mean well and bring up compelling (for each side) arguments. Technical aspect of this debate is interesting, and political one is unavoidable, but as FBI director James Comey said at a Senate hearing last week, “It is a business model question.” Would weaker encryption or backdoors help detect and prevent terrorist attacks?
Proposed measures will not solve the monitoring problem, as there will always be someone (in fact, many someones) not playing by the rules and capable of creating hardware or software solution with strong encryption and no backdoors for a very lucrative market of people concerned about their privacy - and not necessarily terrorists. On the other hand, bad guys would be happy to exploit weaker encryption and backdoors to turn the tables on the spying, and if the past results are any indication of the future, they are more likely to succeed than not.
And is the prize even worth the race? Breaking the encryption – assuming that the intercepted communication is the right one in the first place - is only part of the problem. We cannot just demand that terrorists communicate in plain English. Understanding the content - considering the many ways terrorists could obfuscate the true meaning - is a lot more difficult. Doing it at scale and being able to separate in an automated fashion true threats from the significant volume of hate messages filling the cyberspace is nearly impossible.
The world doesn’t stay still either. If any of the communication channels is suspect of being compromised, nothing prevents bad guys from splitting the message into multiple channels to secure communication. It can be done manually - like sending part of the message via SMS, posting another part in a chat room, and calling in with the key phrase for deciphering the whole message - or it can be all automated using an approach similar to “Secret Double Octopus”.
On top of all these issues, having been able to get at the content of the message only helps if the suspect is already known. To identify the suspect, surveillance metadata, communication patterns and web of relationships are a lot more useful. In the same testimony, Mr. Comey brings up a great example: one of the terrorists in Garland, Texas “exchanged 109 messages with an overseas terrorist” on the morning of the attack. That’s a clear threat indicator that should have been correlated with other behavioral anomalies – since the subject was already under surveillance – and acted upon. While the U.S. government can put enough pressure on Silicon Valley to make our communications less secure, it’s naïve to expect such demands being honored outside of U.S., where the top 5 encryption apps recommended by the Islamic State tutorial are made.
Cybersecurity industry should definitely cooperate with the intelligence community in the fight against terrorism, but not by simply giving in to unreasonable and shortsighted demands. We should work together to develop better algorithms and technologies to detect malicious intent, analyze behavior anomalies, and pinpoint stress indicators.