Sanchez on Encryption

Sanchez-KOCE0214

The first time I met Congresswoman Loretta Sanchez, I was working with an Irvine-based cybersecurity company and she was a ranking Democrat on the House Homeland Security subcommittee.  I remember the detail of her questions and her obvious knowledge of the issues.  And she reminds me again of her in-depth knowledge on the issues concerning complex technology with this post on Medium.com.

Here it is:

In this era of ubiquitous reliance on technology and cloud systems in all aspects of our government, businesses, and personal lives, frequent and dangerous cyberattacks have become a profound national security threat. Cybersecurity is one of the most pressing issues facing our country, and encryption technology is our most effective and reliable defensive tool against cyberattacks.

The current dispute between the Federal Bureau of Investigation (FBI) and Apple raises critical cybersecurity issues that go far beyond the case at hand. The FBI is seeking a court order that will force Apple to create new technology that will bypass iPhone encryption in order to access encrypted data on an iPhone for the FBI investigation into the San Bernardino terrorist attack. While the importance of that investigation can’t be disputed, we must also pause to consider the broader national security implications of dismantling the integrity of encryption technology.

Civil rights organizations like the American Civil Liberties Union (ACLU) argue that this case could set dangerous legal precedent for the government to expand and abuse surveillance and damage privacy rights. FBI Director James Comey has admitted that federal, state, and local law enforcement will want to use this technology on a regular basis. There’s also speculation that Immigration and Customs Enforcement (ICE) could use these expanded powers to target immigrants.

The FBI wants to frame this as a choice between privacy and security. This is a false choice. Viewed in the broader context, privacy and security interests are aligned in this matter. Creating backdoor access in pursuit of short-term investigative goals poses serious risks to cybersecurity while undermining the right to privacy. Instead, this dispute is a fork in the road between more security and less security.

The FBI is demanding ‘exceptional access’ — a backdoor tool to access data regardless of the level of encryption or security mechanisms. But ‘exceptional access’ systems have inherent risks and create broad and far-reaching implications that frighten some of the most knowledgeable experts and industry leaders in cybersecurity and computer science.

Anticipating the current controversy, a coalition of technology industry leaders sent a letter to President Obama in June 2015 expressing deep concerns and strong opposition to any government actions that would undermine encryption security. And in July 2015, a team of experts from the Massachusetts Institute of Technology detailed the potential catastrophic repercussions of ‘exceptional access’ in a paper, “Keys Under Doormats: Mandating Insecurity by Requiring Government Access To All Data and Communications.”

These experts insist that forcing the creation of encryption ‘work-arounds’ or the weakening of encryption makes technologies much more vulnerable to cyberattacks. The unfortunate but fundamental truth of this technology is that any backdoor or master key compromises the integrity and effectiveness of encryption which could create a domino effect that broadly weakens cybersecurity infrastructure in all sectors.

As a senior member of the Homeland Security Committee, I know the complex and evolving cybersecurity threats that face our government. In the last two years, foreign hackers were able to break into our government’s cybersecurity infrastructure and steal 21.5 million personal files. If the FBI successfully mandates ‘exceptional access’ systems going forward, the U.S. Government may be responsible for unraveling the cybersecurity of their own data and communications systems.

The FBI’s proposal to create master keys for backdoor access to encryption creates vulnerabilities that could be exploited by hackers, hostile governments, or even ISIS. If the U.S. government can order Apple to create a backdoor it could invite China, Russia and other foreign governments to demand that Apple provide the same access for potentially nefarious purposes. Countries with histories of human rights violations could exploit this technology to target political dissidents and spy on their citizens.

The scope and complexity of the problems raised by the FBI vs. Apple dispute go far beyond the immediate issue before the courts. Courts lack the investigative resources and institutional mandate required to appropriately and comprehensively consider the long-reaching implications of this issue. Instead, this case raises broader policy issues that should be addressed by Congress. The path forward will require thoughtful deliberation and consensus from experts and stakeholders in the cybersecurity and computer science fields.