Unbreakable Encryption and Potential Impact on US Intelligence Community

Introduction

Advances in information technology, in particular the use of encryption to protect the confidentiality of information, have greatly improved security for both businesses and consumers[1]. However, as products and services have become more secure, national security agencies and law enforcement have found it increasingly difficult to access information that could help them investigate and prevent terrorism and crime. This has become one of the most challenging dilemmas of the modern digital era: encryption improves security for businesses and consumers, yet at the same time makes it harder for government security agencies to protect them from dangers and threats.

According to Daniel and McQuinn, there is “no way to square this circle, so any choice will come with tradeoffs”[2]. Yet the ITIF suggests that the U.S. government, in particular, ought not to weaken or restrict encryption, because any effort along these lines can reduce the general security of businesses and law-abiding citizens, make it more difficult for U.S. firms to compete in global markets, and limit advances in information security. Furthermore, any effort to weaken or restrict encryption may fail to keep this advanced technology out of the hands of terrorists and criminals.

Cyber security is typically depicted as a never-ending race that pits those who wish to secure their networks and computers against attackers intent on breaking into them. However, although the two sides engage in a constant back and forth, in particular around new technologies, it cannot be said that cyber security has arrived at a stalemate. Researchers have continuously improved their expertise in securing electronic data. Over the past couple of decades there have been impressive improvements in encryption, and many firms have integrated these security innovations into their products and services to improve security for both businesses and consumers. Encryption has thus become an essential component in improving cyber security, civil society, and law enforcement, to the point that security experts and the president of the United States agree on its benefits[3].

However, as the encryption methods that businesses and citizens use to secure their digital information have advanced and evolved, the foremost question facing the intelligence community, including the security agencies responsible for protecting the citizenry against criminal and terrorist threats, is how this affects them. This question can be answered by examining how the intelligence and security community has responded to these advances in encryption. This paper therefore discusses how the intelligence and security agencies have reacted to unbreakable encryption in recent years. The response of this sector to unbreakable encryption directly suggests how the technology affects them[4].

Recent Events and Updates on Debate in the Intelligence Community

Lately, some law enforcement agencies have revived the arguments about security, privacy and the rule of law in the digital information age. This happened after several cloud-based service and mobile providers decided to upgrade their security controls so that customers retain the key used to encrypt their data, preventing other parties, including the companies themselves and law enforcement, from accessing that data. Consequently, there is now a renewed urgency on the part of law enforcement and the intelligence community to limit the spread of encryption. In past years, encryption was not as prevalent as it is today, partly because the computing power needed to securely encrypt and decrypt data was expensive. However, with clandestine techniques less tolerated today and brute-force techniques for decrypting data prevalent, a number of law enforcement bodies such as the Federal Bureau of Investigation (FBI) are calling on firms and companies to keep control of a set of encryption keys, separate from the keys used by customers, so that the firms can access customer data under a court order.

Additionally, the FBI has also asked these companies to help law enforcement gain the ability to hack into these devices. The most notable example was when the FBI asked Apple to modify the security features of the software installed on the iPhone of a recently killed suspected terrorist so that investigators could break into the device. This proposal has been met with strong opposition from security experts, civil liberties organizations, the technology industry, and a number of intelligence community and law enforcement agencies.

Regrettably, some supporters on both sides of the debate have become entrenched, seizing on vague arguments to justify their respective viewpoints. Opponents on one side conflate most of law enforcement’s proposals and needs into a single knee-jerk assertion that anything these agencies do will eventually limit encryption and thus destroy privacy and cyber security, while those on the other side claim that weakening or limiting encryption does not really impose any cost on businesses and consumers.

Given that unbreakable encryption cannot be avoided due to progress in information technology, the U.S. government ought not to limit or weaken the commercialization of innovations in cybersecurity (such as unbreakable encryption). If the government follows a policy of limiting or weakening encryption, there is no assurance that this will have a significant effect on the ability of sophisticated criminals and terrorists to engage in encrypted communications; rather, the policy will only make the average business and consumer less secure, harm the competitiveness of U.S. firms, and preclude advances in system architecture and information security, something that can cost jobs. According to Perlroth et al.[5], policy makers ought to encourage digital security both at home and abroad by following these suggestions:

  • Congress should limit or bar the NSA from intentionally limiting or weakening encryption standards, and strengthen transparency instead.
  • Congress should pass a law banning all government attempts to install encryption backdoors or to require firms to change the design of the systems they sell in order to give government agencies access to customers’ data, thus preempting state action on these issues.
  • Congress should pass a law requiring all federal agencies and departments that discover security flaws to disclose them in a responsible and timely manner, and to work alongside private industry to fix them.
  • Congress should also examine whether the justice system, in particular the courts, can better balance the interests of the individual and the state when permitting law enforcement to hold suspects in contempt for failing to disclose the encryption keys to their own unbreakably encrypted data.
  • Congress ought also to give additional resources to state, federal and local law enforcement for cyberforensics.
  • Congress should create clear rules and regulations on how and when law enforcement can break into private systems, as well as how and when law enforcement can compel companies to assist in investigations.
  • U.S. trade negotiators ought also to fight foreign governments’ attempts to introduce backdoors in their software or to weaken encryption. This includes regulations that require companies to sell products with limited encryption.
  • The U.S. government should encourage cybersecurity throughout the world by supporting strong encryption in worldwide internet and technology policy forums.

How Unbreakable Encryption Interrupts Investigations

According to the National Security Agency[6], U.S. intelligence agencies and law enforcement departments exert a great deal of effort to protect the safety of U.S. residents and citizens. The latest developments in encryption, in particular those that are unbreakable, along with increased adoption by businesses and consumers, have affected how government agencies fight crime and protect national security by limiting their access to digital information and data. Law enforcement and security agencies, however, perform different forms of investigation: national security agencies mostly conduct surveillance of large amounts of information, whereas law enforcement investigations generally target specific data. Figure 1 illustrates how law enforcement and the intelligence community are affected by unbreakable encryption in their access to data at rest and data in motion.

Figure 1. How Government Law Enforcement and Intelligence Communities Are Affected by Unbreakable Encryption

For purposes of investigation, information and data can be grouped as “data at rest” or “data in motion”. Data at rest pertains to any type of electronic storage, whether in the cloud or on a device. To access this form of data, law enforcement must obtain a court order, a procedure that requires them to identify the data’s owner and to offer a rationale so that a judge permits them to access the data. Yet even if they obtain access to the data, law enforcement officials will still be unable to break into the device or make sense of the encrypted data if the data has been unbreakably encrypted or if they do not have the key. Likewise, if Internet companies do not have their clients’ encrypted data in their possession, they too would be unable to comply with requests from the intelligence agencies to search through this digital data and information.

Data in motion, on the other hand, pertains to data moving between two or more endpoints. Law enforcement may attempt to access data in motion by obtaining court-ordered wiretaps to monitor particular communications. For example, law enforcement can gain access to messages passed through a messaging provider only if the provider can decrypt the exchange. Yet if the communications are unbreakably encrypted end to end so that only the endpoints possess the key, law enforcement agencies will have no chance of deciphering these messages.

At present, this is still not a prevalent problem. According to Robert Ellis Smith, Federal wiretap data indicates that out of over “32,000 wiretaps conducted to intercept wire, oral, or electric communications from 2001 to 2014, law enforcement only encountered encrypted communications 132 times”[7]. Yet this number is expected to grow as unbreakable encryption becomes more prevalent. Additionally, when national security agencies seize large amounts of online information and data in transit to search for trigger terms, they will still fail to gain access to the information if the data is unbreakably encrypted. In that case the intelligence agencies can view only the metadata, which is information that describes a communication, such as the source and destination of packets and how much data was transmitted and when.

Widespread acceptance of unbreakable encryption makes it difficult, if not impossible, for law enforcement and intelligence agencies to do their job as they do today, yet the overall impact it will have on them in the future is unknown. Future techniques and tools may also affect their capability to conduct investigations, and this impact is likewise unknown and can change over time[8].

Methods for Breaking Unbreakable Encryption

Given that the intelligence community and law enforcement face challenges from unbreakable encryption in performing their job, the following are suggested methods for meeting this challenge. Table 1 illustrates these methods, which are discussed in turn.

Weakening Encryption Standards

The intelligence agencies have the ability to secretly manipulate and weaken national encryption standards, with the objective of limiting the encryption services and products that employ those standards. Although these procedures are public, the intelligence community can clandestinely manipulate them. This typically requires cross-government involvement. In some instances, the intelligence community can limit the encryption strength of a national standard, as with the NSA’s revisions to the U.S. National Bureau of Standards’ final DES algorithm[9]. In other cases, the intelligence community can manipulate national standards to leave security flaws in the final algorithm. A good example is the Snowden leak, which exposed that the NSA clandestinely circumvented the encryption used to secure digital communications by manipulating a cryptography standard that the National Institute of Standards and Technology (NIST) issued in 2006[10]. This allowed the NSA to access information and data on any service or product using this standard, yet also exposed those services and products to abuse by unscrupulous attackers. Consequently, NIST published guidelines discouraging firms and companies from using these standards and promised to give the public an opportunity to provide input on the revision of new standards[11].

Banning Strong and Unbreakable Encryption

A government can obtain access to unbreakably encrypted data by simply banning encryption above a particular strength or by permitting only weakened forms of encryption that it has the resources to break. This means that all services, products, and devices sold in or imported into the United States would give the intelligence community a means of accessing stored data through brute-force attacks. Because law enforcement frequently does not have the resources to perform this sort of time-consuming technique for breaking encryption, the method is typically reserved for the intelligence community. A good example is the United Kingdom passing a law that prohibits unbreakable encryption stronger than 64-bit keys, considering that its intelligence community possesses the resources to crack any form of legal encryption in the country.

The security ramifications of this can be dire. It can weaken the security of all services and products manufactured in or imported into the country, in particular against malicious attacks from sophisticated nation states or hackers. To date, countries have applied this form of ban narrowly, directing it at devices or services that employ encryption their own intelligence agencies cannot bypass. A good example is the United Arab Emirates and Saudi Arabia, which banned the secure messaging function of the BlackBerry mobile device in 2010. Similarly, in 2011 Pakistan prohibited all encryption software and compelled Pakistani service providers to tell the government if they caught customers using virtual private networks, networks that use unbreakable encryption to allow users to browse the Internet privately.

Creating Hardware and Software Backdoors

In response to the reality of unbreakable encryption, the intelligence community can request the creation of backdoors, gateways that give a third party special access to secure products, in both software (such as code in a computer program) and hardware (such as a physical access port). Governments can seek the creation of backdoors to permit direct access to unbreakably encrypted communications or storage without tipping off the targets of their surveillance. Once installed, these backdoors can be very effective for the work of the intelligence community, which can readily obtain secret access to devices and systems. Yet a backdoor has to be kept secret. This means that backdoors would generally be available to the intelligence community but not to general law enforcement agencies.

Moreover, the intelligence community can also create a backdoor in products that use encryption, either by compelling firms to build backdoors into their products for direct access or by clandestinely installing one in these devices. A good example is the Snowden leak, which revealed that the NSA was intercepting servers, routers, and networking equipment manufactured by Cisco while the devices were moving from point to point in order to secretly install backdoor surveillance tools without the firm’s knowledge[12].

Government Hacking

In this response to unbreakable encryption, government agencies can carry out attacks to break the encryption, with or without help from firms. Although this is generally done by the intelligence community, it can also be used for law enforcement activities. When the government, through its intelligence agencies, tries to break into a device or product, there is no guarantee of success. The various types of attack differ in effectiveness depending on the type of encryption the target employs.

Law enforcement agencies and the intelligence community have used different forms of hacking to find criminals, in particular where unscrupulous people used software to encrypt or obscure their online activities. In fact, the FBI owns proprietary surveillance software in addition to the popular hacker tools it usually employs in its work[13], [14]. One example of this activity is phishing, in which the law enforcement agency poses as a trustworthy source in an electronic communication that encourages a user to download surveillance software. This occurred in 2007, when FBI agents sent a fake news article to an unknown email address connected with repeated bomb threats; once the article was downloaded and installed, the FBI could find the identity of the suspect[15].

Mandatory Key Escrow

The government, through its intelligence community, can require key-recovery mechanisms, generally referred to as “key escrow”. In this scheme, besides the original key used to encrypt and decrypt information, there exists another key in the possession of a third party. With key escrow there is no portal for direct access like a secret backdoor. Rather, the software is designed to create an extra key for the third party, such as the product provider or the government. When the intelligence community needs to intercept unbreakably encrypted data, it can gain access through this escrowed key.

If this technique were generally adopted, it would prove an effective tool for the intelligence community in gaining access to otherwise unbreakable information and data. By acquiring a court order or warrant, law enforcement can compel a company to decrypt communications without the knowledge of the suspected people.

Prohibiting Client-side Encryption

In reaction to unbreakable encryption of data, the government, through its intelligence community, can also prohibit firms from adopting client-side encryption, in which consumers control their own encryption keys. If consumers are not permitted to unbreakably encrypt their data with their own keys, third-party service providers are able to access consumer data in order to fulfill court orders and warrants. This form of limitation on encryption can effectively compel companies to implement their own key escrow processes. Thus, disallowing client-side unbreakable encryption benefits the intelligence community yet puts consumers at risk, since it amounts to mandating a key escrow system.
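The difference between client-side encryption and key escrow, as described in the two sections above, can be shown with envelope encryption: each record gets a random data key, and that data key is wrapped once for every party allowed to read it. This is an added example, not code from any product discussed here; the function names are hypothetical, the cipher is a standard-library stand-in for an AEAD such as AES-GCM, and the escrow key is symmetric only to keep the sketch self-contained (a real escrow design would wrap to the escrow agent's public key).

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    # SHA-256 in counter mode; a stdlib stand-in, not a production cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    # Separate keys for encryption and authentication.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key, plaintext):
    """Encrypt-then-MAC. Output layout: nonce (16) | ciphertext | tag (32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_record(plaintext, key_holders):
    """Envelope encryption: one random data key, wrapped once per key holder."""
    data_key = secrets.token_bytes(32)
    return {
        "body": seal(data_key, plaintext),
        "wrapped": {name: seal(key, data_key) for name, key in key_holders.items()},
    }


def decrypt_record(record, holder, key):
    wrapped = record["wrapped"].get(holder)
    if wrapped is None:
        raise PermissionError(f"no data key was wrapped for {holder}")
    return unseal(unseal(key, wrapped), record["body"])


def exposure(escrow_enabled):
    """Count how many of three constructed customer records each key can open."""
    escrow_key = secrets.token_bytes(32)
    customers = {name: secrets.token_bytes(32) for name in ("alice", "bob", "carol")}
    records = []
    for name, key in customers.items():
        holders = {name: key}                 # client-side: only the customer
        if escrow_enabled:
            holders["escrow"] = escrow_key    # escrow: the same extra key on every record
        records.append(encrypt_record(f"{name}'s private notes".encode(), holders))

    def count(holder, key):
        opened = 0
        for record in records:
            try:
                decrypt_record(record, holder, key)
                opened += 1
            except (PermissionError, ValueError):
                pass
        return opened

    return {"alice": count("alice", customers["alice"]),
            "escrow": count("escrow", escrow_key)}


if __name__ == "__main__":
    print("client-side only:", exposure(False))
    print("with key escrow: ", exposure(True))
```

A customer's key opens only that customer's record in both designs, while the single escrow key opens every record, which is why theft or misuse of that one key is the security cost Table 1 attributes to key escrow.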

Table 1. Usefulness of Various Methods the Government Can Utilize in Increasing Access to Encrypted Information

| Method | Usefulness to Intelligence Community | Impact on Security |
| --- | --- | --- |
| Banning Strong Encryption | Banning strong encryption in services and products sold in the country permits the intelligence community to employ brute-force attacks to obtain access to encrypted data | Banning unbreakable encryption weakens the security of all services and products, especially against nation-state threats |
| Weakening Encryption Standards | Clandestine weakening of encryption standards permits the intelligence community to employ secret attacks in order to access encrypted data | Weakening national encryption standards in the U.S. will weaken the products that employ those standards, permitting bad or unscrupulous actors to exploit the vulnerabilities |
| Creating Hardware and Software Backdoors | Surreptitiously installing backdoors can permit the intelligence community to circumvent encryption, frequently without notifying the user | If these backdoors are discovered by unscrupulous actors, they can take advantage of these vulnerabilities |
| Government Hacking | Government agencies can have the ability to hack into services and products, yet there is no guarantee of success | Government hacking can lead to the creation of vulnerabilities that attackers can take advantage of |
| Mandatory Key Escrow | Key escrow permits the government to use court orders to unlock encrypted information by compelling firms, a neutral third party, or even the government itself to store an extra key to all unbreakably encrypted information | Requirements for key escrow expose consumers and businesses to further risks from security breaches and preclude particular security features like perfect forward secrecy |
| Prohibiting Client-Side Encryption | By not permitting users to encrypt data with their own keys, the government can gain access to data through third-party service providers | Consumers’ and businesses’ data can be exposed if leaked or stolen by a third party. Ultimately, the security of consumers’ data relies on the actions of the service provider |
| Traditional Methods in Getting Information | Conventional and traditional methods such as witnesses, surveillance, confessions, and physical searches to learn encryption keys may differ in effectiveness. | This has little or minimal effect on security |

Proposals and Justifications for Access on Unbreakable Encrypted Data

A number of law enforcement agencies oppose companies offering any products or services that allow users to maintain full control over their encryption keys. Instead, these agencies want firms to operate key escrow systems that would let them give the government access to any customer data. Such requests would be granted only if authorized by a court. In this regard, some law enforcement agencies have suggested that firms build these systems of their own accord, while others have suggested legislation.

National security and law enforcement agencies have put forward five main arguments to justify their opposition to letting users maintain full control over their encryption keys and thereby secure their data with unbreakable encryption:

    • Because law enforcement agencies have always had the capability to obtain or access information without warrants, firms ought not to allow technology that circumvents this process.
    • With the ability to access unbreakably encrypted data, the government will have less capability to stop or solve terrorism and crimes.
    • Firms and companies decided to stop retaining a duplicate of their customers’ encryption keys for business reasons alone, not to improve security.
    • Technology can provide a way for the security agencies and intelligence communities to access encrypted data without compromising security if they try harder to solve the problem.
    • At the least, companies ought to permit law enforcement officials to hack into specific unbreakably encrypted systems.

Conclusion

This paper discussed advances in today’s data encryption. With unbreakable encryption becoming a standard option available to businesses and consumers, there are consequences for how the U.S. intelligence community can effectively do its job. The paper discussed these implications by examining the different types of data the intelligence community has to monitor or even break into in order to safeguard the residents of the United States. In this regard, there are many forms of response available to the government, through the intelligence community and law enforcement, to counteract the reality of unbreakable encryption.

Bibliography

Castro, D. and McQuinn, A. (2015). “Beyond the USA Freedom Act: How U.S. Surveillance Still Subverts U.S. Competitiveness,” Information Technology and Innovation Foundation. Retrieved from https://itif.org/publications/2015/06/09/beyond-usa-freedom-act-how-us-surveillance-still-subverts-us-competitiveness.

Chaffetz, J. (2015). Encryption technology and potential U.S. policy responses. Homeland Security Digital Library.

Gallagher, S. (2014). Photos of an NSA ‘upgrade’ factory show Cisco router getting implant. Ars Technica, May 14. Retrieved from http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

Hsu, D. F. and Marinucci, D. (2013). Advances in cyber security: technology, operation and experiences. New York: Fordham University Press.

Knibbs, K. (2015). “The FBI has Its Own Secret Brand of Malware,” Gizmodo, April 02. Retrieved from http://gizmodo.com/the-fbi-has-its-own-secret-brand-of-malware-1694821520

Poulsen, K. (2014). The FBI Used the Web’s Favorite Hacking Tool to Unmask Tor Users. Wired, December 16. Retrieved from http://www.wired.com/2014/12/fbi-metasploit-tor/.

Matt Olsen et al. (2016). Don’t Panic. Making Progress on the ‘Going Dark’ Debate, Berkman Center for Internet & Society, Harvard University. Retrieved from https://cyber.law.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf.

National Security Agency (2015). Discovering IT problems, Developing Solutions, Sharing Expertise. Retrieved from https://www.nsa.gov/public_info/news_information/2015/ncsam/discovering_solving_sharing_it_solutions.shtml.

Perlroth, N., Larson, J. and Shane, S. (2013). “N.S.A. Able to Foil Basic Safeguards of Privacy on Web,” New York Times, September 5. Retrieved from http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0.

Smith, R. E. (2000). Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet. Maryland: Sheridan Group.

Stowsky, J. (n.d.). “Secrets or Shields to Share? New Dilemmas for Dual Use Technology Development and the Quest for Military and Commercial Advantage in the Digital Age.”

Trevor, T. (2015). “The FBI used to recommend encryption. Now they want to ban it,” The Guardian. Liz Gannes, “Obama: ‘There’s No Scenario in Which We Don’t Want Really Strong Encryption.’” Retrieved from http://recode.net/2015/02/13/obama-theres-no-scenario-in-which-we-dont-want-really-strong-encryption/

National Institute of Standards and Technology  (2014). NIST Initiating Review of Cryptographic Standards Development Process. Retrieved from http://csrc.nist.gov/groups/ST/crypto-review/index.html.

National Institute of Standards and Technology (2016). “NIST Solicits Comments On Its Revised Cryptographic Standards and Guidelines Development Process.” Retrieved from http://csrc.nist.gov/groups/ST/crypto-review/process.html

[1] Hsu, D. F. and Marinucci, D. (2013). Advances in cyber security: technology, operation and experiences. New York: Fordham University Press.

[2] Castro, D. and McQuinn, A. (2015). “Beyond the USA Freedom Act: How U.S. Surveillance Still Subverts U.S. Competitiveness,” Information Technology and Innovation Foundation, June 9, 2015, https://itif.org/publications/2015/06/09/beyond-usa-freedom-act-how-us-surveillance-still-subverts-us-competitiveness.

[3] Trevor, T. (2015). “The FBI used to recommend encryption. Now they want to ban it,” The Guardian, March 28, 2015; Liz Gannes, “Obama: ‘There’s No Scenario in Which We Don’t Want Really Strong Encryption.’” Retrieved from http://recode.net/2015/02/13/obama-theres-no-scenario-in-which-we-dont-want-really-strong-encryption/

[4] Chaffetz, J. (2015). Encryption technology and potential U.S. policy responses. Homeland Security Digital Library.

[5] Perlroth, N., Larson, J. and Shane, S. (2013). “N.S.A. Able to Foil Basic Safeguards of Privacy on Web,” New York Times, September 5. Retrieved from http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0.

[6] National Security Agency (2015). Discovering IT problems, Developing Solutions, Sharing Expertise. Retrieved from https://www.nsa.gov/public_info/news_information/2015/ncsam/discovering_solving_sharing_it_solutions.shtml

[7] Smith, R. E. (2000). Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet. Maryland: Sheridan Group.

[8] Matt Olsen et al. (2016). Don’t Panic. Making Progress on the ‘Going Dark’ Debate, Berkman Center for Internet & Society, Harvard University. Retrieved from https://cyber.law.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf.

[9] Stowsky, J. (n.d.). “Secrets or Shields to Share? New Dilemmas for Dual Use Technology Development and the Quest for Military and Commercial Advantage in the Digital Age.”

[10] Ibid

[11] National Institute of Standards and Technology  (2014). NIST Initiating Review of Cryptographic Standards Development Process. Retrieved from http://csrc.nist.gov/groups/ST/crypto-review/index.html

[12] Gallagher, S. (2014). Photos of an NSA ‘upgrade’ factory show Cisco router getting implant. Ars Technica, May 14. Retrieved from http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

[13] Knibbs, K. (2015). “The FBI has Its Own Secret Brand of Malware,” Gizmodo, April 02. Retrieved from http://gizmodo.com/the-fbi-has-its-own-secret-brand-of-malware-1694821520

[14] Poulsen, K. (2014). The FBI Used the Web’s Favorite Hacking Tool to Unmask Tor Users. Wired, December 16. Retrieved from http://www.wired.com/2014/12/fbi-metasploit-tor/.

[15] Ibid
