Breaking encryption technology used by terrorists and criminals poses a frustrating dilemma for intelligence agencies and, most recently, congressional lawmakers.
Bipartisan legislation to create a commission to study U.S. encryption policies and practices is still weeks away from being introduced as discussions continue, congressional aides familiar with the plan told Computerworld.
The commission approach, backed by Sen. Mark Warner (D-Va.) and House Homeland Security Committee Chairman Michael McCaul (R-Texas), is intended to bring experts together to dive into the differing points of view: tech companies want to protect privacy with encryption, while the FBI and other law enforcement agencies want to prevent acts of terrorism and crime by monitoring encrypted communications.
Meanwhile, Senate Intelligence Committee Chairman Richard Burr (R-N.C.) and Sen. Dianne Feinstein (D-Calif.) are working on a separate bill that would guarantee law enforcement access to encrypted data, aides said Thursday. The terror attacks in Paris and San Bernardino, Calif., have ignited the debate in Congress over encryption.
The Burr-Feinstein approach is seen as taking a harder line on breaking encryption tech, although policymakers appear to have moved away from language calling for mandating a "back door" to break encrypted apps and communications.
The McCaul-Warner commission approach, meanwhile, is not intended to delay, deflect or bury the planned Burr-Feinstein bill, as some critics have claimed, aides working on the commission legislation contended. Whatever work the commission eventually recommends is expected to have an impact for decades to come, so a deliberate approach is needed, they added.
Both McCaul and Warner and their aides have repeatedly said there's "no silver bullet" legislative approach for solving the encryption dilemma. The lawmakers have pointed out that any U.S. law would only apply to U.S. companies, while many encryption apps and technologies are designed by companies outside the U.S. For example, some terrorists in the Paris attacks used Telegram, a messaging app with end-to-end encryption that was built by a Belgian-based company.
In addition, tech companies have argued that third-party access to decryption keys or other means of breaking encryption could only create a hole for criminals and terrorists to sneak through.
Recent reaction by other policymakers
The debate over encryption policy in Washington was addressed by two other top officials speaking before think tanks in recent days.
On Thursday, Senate Homeland Security Chairman Ron Johnson (R-Wis.) said that legislating encryption standards might "do more harm than good" in the fight against terrorism, according to The Hill website.
"Is it really going to solve any problems if we force our companies to do something here in the U.S.?" he asked at a presentation at the American Enterprise Institute, a conservative think tank. "It's just going to move offshore."
Johnson also said that encryption helps protect personal information, a position strongly backed by Apple CEO Tim Cook and other tech companies. Apple has been among the most vocal in defending its privacy policies with end-to-end encryption.
On Jan. 21, National Security Agency Director Adm. Michael Rogers told an audience that "encryption is foundational to the future." In remarks at the Atlantic Council, an international affairs think tank, Rogers said that spending time arguing that encryption is bad and should be done away with is a "waste of time." Rogers' comments are recorded in video at The Intercept.
Crypto experts weigh in
Professor Darren Hayes, director of cybersecurity at Pace University, said he supports the idea of a congressional commission to review encryption laws and policies.
"The whole idea of government access to communications is nothing new," Hayes said in an interview. "Every telecom company has to set up their infrastructure so that law enforcement can set up a wiretap" subject to a court order.
He also said that some type of legal step may be needed to gain greater access. "The vast majority of companies will never hand over data without any kind of warrant or subpoena. The idea that companies will help out law enforcement is not true at all."
Hayes has served as a forensics encryption specialist in more than two dozen criminal cases in the New York area since 2008, helping prosecutors bring cases against people accused of being pedophiles and of other crimes who have resorted to hiding criminal activity with encrypted data.
Hayes is well aware that any U.S. law on encryption wouldn't apply to other countries, but said a broad-based discussion "is a good discussion to have … The list is growing of potential prosecutions held up by [not having] a full disclosure of encrypted data." In any event, he added, "I'm a big proponent that you have to have a warrant to gain access."
Two representatives for tech companies based in Silicon Valley said recently in interviews that they were open to the idea of creating a congressional commission, but would want to review the final legislation before signing on.
Conversely, Kevin Bocek, vice president of cybersecurity for Venafi, called the idea of creating an encryption commission "very concerning." Venafi works with 250 large banks and retailers in setting up encryption and authorization software to protect their data.
In an interview, Bocek said he is worried that the commission could turn into an entity that is powerful and ominous. "I don't understand how an encryption commission is going to deal with encryption already being widely used," he said. "It's counterproductive and more productive to talk about how to live in a world with encryption and how to safeguard national security."
Bocek said there was a broad national discussion about cryptography policy that was fought in the 1990s. "The crypto wars of the 1990s won freedom and there's no sense in moving backwards," he said. "Encryption controls were very painful years ago and here we are again, facing the same problem which can harm American business. Encryption, keys and certificates must be free … Blanket legislation will do nothing but cause more problems."
In 1996, the National Academy of Sciences published a 688-page document entitled Cryptography's Role in Securing the Information Society. In the executive summary, the authors wrote a preamble that seems to summarize the ongoing encryption debate in 2016: "U.S. policy should be changed to promote and encourage the widespread use of cryptography for the protection of the information interests of individuals, businesses, government agencies and the nation as a whole, while respecting legitimate national needs of law enforcement and intelligence for national security and foreign policy purposes to the extent consistent with good information protection."