LAW ENFORCEMENT OFFICIALS, tech executives, and privacy advocates have been calling for Congress to set the rules of the road for the increasingly widespread use of unbreakable encryption. But as Sens. Richard Burr, R-N.C., and Dianne Feinstein, D-Calif., illustrated just last week by releasing a draft bill to basically ban the technology, that might not be the best idea.
Attempts to regulate math are nonsensical. Encryption is here to stay. Arguing about it is a waste of time.
At a House Energy and Commerce subcommittee hearing on Tuesday, a few members of Congress pivoted away from that tired and ultimately fruitless policy argument to discuss instead what could be considered the next phase of the Crypto Wars.
In that phase, the questions are about how law enforcement can get around encryption rather than break through it.
The answers involve “lawful” hacking — exploiting devices through known and unknown security flaws — rather than trying to create new ones, or “backdoors.”
But what rules should apply to government hackers? Should they disclose the flaws they find to companies so they can be patched, to the benefit of all users? Or should they keep them secret to maybe catch the next criminal with the same trick? Should the government build its own hacking resources, or outsource the job?
Rep. Diana DeGette, D-Colo., asked Amy Hess, the FBI’s head of science and technology, if hiring a team of highly skilled hackers might be helpful.
“Like in the San Bernardino case, the FBI hired a third party to help them break the code. … Why can’t we bring more capabilities in house in the government to be able to do that?” DeGette asked.
Hess described the FBI’s hacking attempts as time consuming, successful on a case-by-case basis, and fragile — solutions that “may not be scalable” if more and more devices have stronger and stronger security.
And to bring those skills completely under the government’s roof? Hess totally ruled it out. “No ma’am, I don’t see that as possible. We need the cooperation of industry, we need the cooperation of academia, and we need the cooperation of the private sector in order to come up with solutions.”
Hess manages the FBI’s controversial high-tech tools, including its hacking capabilities. The FBI has been relatively tight-lipped about its ability to exploit vulnerabilities in digital devices and platforms, but it’s been doing it for nearly two decades, and in some cases, with tools that were developed in-house. Most recently, the bureau has been in the limelight for hacking over a thousand computers to ensnare consumers of child pornography.
Rep. John Yarmuth, D-Ky., told the panel of law enforcement experts that he was having trouble coming up with new questions about encryption that might elicit any new information. So instead, he chose to ask what the FBI planned to spend the $38 million it’s asking for this year to fight the “going dark” problem the agency says encryption is posing.
Hess told him that the FBI would try to use that money to “get around the problem.” Some things on her list included training employees to become better “password guessers,” purchasing tools to “exploit some technical ability,” and finding a way to “make better use of metadata.” She didn’t explain any further.
A panel of technology experts included Matt Blaze, associate professor of computer science at the University of Pennsylvania, Apple general counsel Bruce Sewell, Daniel Weitzner, a research scientist at MIT, and Amit Yoran, the president of RSA Security.
They generally agreed that the government could and should beef up in-house hacking — as long as the government is willing to engage in conversations about when it should disclose the tools it uses so companies can repair them. Sewell said the topic “has not been well explored,” and that Apple didn’t have a position on it.
With lawful hacking now on the table, privacy and security advocates called for a public discussion on the rules of the game, before the government starts building — or buying — an exploit army in Washington.
Why doesn't Apple have a position on "lawful hacking"? Because there's not enough transparency to have an informed stance. — Andrew Crocker (@agcrocker) April 19, 2016
Since we're still having serious/difficult debates over whether/when LE hacking *is* lawful, calling it "lawful hacking" seems premature. — Megan Graham (@meganmcgraham) April 19, 2016