Regulating Encryption: Can it be done? Yes.

by Stephen Bryen

NIST Scanner

The Director of the FBI in a warning to Congress points out that ISIS is now using encryption to mask messages it is sending to thousands of Americans favorable to the ISIS cause, exhorting them to kill military and police and other hated targets. He, along with others in the Obama administration are urging “Silicon Valley” to consider building backdoors into encryption products they sell so that law enforcement can tap encrypted phones or computers and properly “do its job.”

But the question is, is there a practical solution?

I have been in the encryption business, or more clearly I have built commercial products that use encryption. In the early 1990’s I founded a company called SECOM (for Secure Communications). We developed a computer chat program that provided a secure, encrypted chat. In those days the Internet was only just getting underway and everyone was using modems (there was no WIFI or data connections except for big business and banks). Nor were there smartphones. The PC, however, was very popular and we built our product to run on PC’s running MSDOS or Windows. And because computers were slow, we built a little plug in computer card which did the actual encryption and decryption work.

Then the fun began. NSA did not like our solution because it was too hard to crack, so they “recommended” reducing the key size. It got to the point where the key size was too small to assure security, and after thinking it over (and investing a lot of development money), we decided we could not sell a product that failed in its critical mission: to protect the users from intercepts. We closed the company.

It was a bad outcome for us. And, as we pointed out at the time, because we used hardware and software we could have controlled who the end users were and assured that only bona fide users, not criminals or terrorists, would have access to the product.

What we went through was nothing new. A few years before IBM had proposed building encryption into all PCs so that all the data stored by them would be secure. NSA again objected, and despite IBM bringing rather heavy guns to bear on the problem, in the person of a direct appeal from the chairman of IBM to the head of the NSA, IBM had to stand down. No encryption chips would live on the IBM circuit board.

NSA and its counterpart the National Institute of Science and Technology (NIST) wear two different hats: on the one hand NSA is charged with carrying out spying in support of its US government “customers”; on the other NSA and NIST produce guidelines for security and even sponsor encryption solutions such as the Advanced Encryption Standard (AES) which has replaced the old Data Encryption Standard (or DES). These sponsored products can be used without any licenses and can be exported abroad.

It may seem odd, therefore, that the government is worried about encryption if it is also facilitating its development and export.

We can add to that known efforts by NIST to actually publish a random number generator for so-called elliptical curve encryption was found to be buggered. The buggered product found its way into corporate security systems in the US and around the world.

The latest alarm in our government is more a consequence of the embarrassing and dangerous leaks by Edward Snowden then anything directly to do with ISIS. Terrorists have been using encryption for a number of years, and they easily get it on the open market. The Russians, Chinese, Europeans, Israelis as well as many companies in the United States develop and sell a wide range of security products that use encryption. And the “Dark Web” on the Internet is also a source of supply for covert type programs and applications.

My own thought is that the government is trying very hard to cut a deal with Snowden so that he will serve a little jail time and then shut up. It seems he still has a large bagful of information that exposes US spying activities. In fact that is the only logical way to interpret statements by our former attorney general Eric Holder who says a deal is possible with Snowden. He should know.

Whatever the case, the availability of encryption on a global scale seems to suggest that trying to control it is a furtive exercise. But that is what the government is saying. So the question is what can the government actually do to mitigate the situation?

Many in Silicon Valley (and here we are talking about most of the really big high tech computer and mobile players in the United States) worry that the government will insist on putting a back door into their encryption schemes, or some other way where the government can get into encrypted communications and data transfers. Clearly this is a scheme the government has pursued for a long time, but it brings with it two risks: either the “security” is so weak as to be meaningless, pushing users to outside solutions or the backdoor or hole in the system is uncovered, as Snowden has already proven. But there is even a third risk: that the backdoor or hole is uncovered by a professional adversary such as China or Russia, meaning that everything you thought was safe is out the window. Given the plethora of escalating exponential cyber attacks on our government and on corporate America, this “solution” is far more dangerous than abandoning encryption altogether, largely because it creates a false expectation of security.

An alternative solution the government could pursue is simply to make the use of encryption in the United States illegal. Such a thing would be very hard to enforce, but in the mobile world it can be done basically by shutting down any encrypted communication that is unauthorized. The technology for this certainly exists today in the form of network sniffers and scanners.

A modified form of the no encryption approach is to allow encryption only on authorized devices that US industry and licensed political and social organizations can use. To me this makes a lot of sense, and in fact I proposed an alternative idea back in the 1980’s when I dealt with export controls.

The idea propounded then was a sort of Gold Card for industry allowing them to get around the red tape and delays that hurt their business performance.

The idea has merit. We are using it today at American airports, either to have more rapid treatment in security processing (the so called “PRE” benefit) or as part of the Global Access Program to allow Americans who travel a lot to get past long lines at border crossings, especially airports.

Such a scheme would make sense in protecting America and allowing us to secure our communications and data. Naturally it would not stop terrorists from using encryption, but they would not be able to use it with their clients and wannabes in the United States. Such communications would be taken down by scanners.

I think this is an excellent solution for law enforcement because it forces the bad guys out into the open. Then it is law enforcement’s job to put them out of business here. And it is the job of the DOD and CIA to shut them down beyond our borders.

Above all else it is vastly important to make America safe, and it is vital that our communications can be secure and our data repositories free from exploitation. This the government itself should understand from its gross mishandling of sensitive but unclassified information, like the millions of non-encrypted records recently stolen by the Chinese.

Let’s hope we can arrive at a sensible solution to security for America.

Advertisements
Tagged , , ,

One thought on “Regulating Encryption: Can it be done? Yes.

  1. oogenhand says:

    Reblogged this on oogenhand and commented:
    The best encryption is using obscure languages, like Albanian, Gaelic or Tibetan.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: