After Paris Attacks, Here’s What the CIA Director Gets Wrong About Encryption
It’s not surprising that in the wake of the Paris terrorist attacks last Friday, US government officials would renew their assault on encryption and revive their efforts to force companies to install backdoors in secure products and encryption software.
Just last month, the government seemed to concede that forced decryption wasn’t the way to go for now, primarily because the public wasn’t convinced yet that encryption is a problem. But US officials had also noted that something could happen to suddenly sway the public in their favor.
Robert S. Litt, general counsel in the Office of the Director of National Intelligence, predicted as much in an email sent to colleagues three months ago. In that missive obtained by the Washington Post, Litt argued that although “the legislative environment is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”
In the story about that email, another US official explained to the Post that the government had not yet succeeded in persuading the public that encryption is a problem because “[w]e do not have the perfect example where you have the dead child or a terrorist act to point to, and that’s what people seem to claim you have to have.”
With more than 120 people killed last week in Paris and dozens more seriously wounded, government officials are already touting the City of Light as that case. Former CIA deputy director Michael Morell said as much on CBS This Morning, suggesting that recalcitrant US companies and NSA whistleblower Edward Snowden are to blame for the attacks.
“We don’t know yet, but I think what we’re going to learn is that [the attackers] used these encrypted apps, right?” he said on the show Monday morning. “Commercial encryption, which is very difficult, if not impossible, for governments to break. The producers of this encryption do not produce the key, right, for either them to open this stuff up or for them to give to governments to open this stuff up. This is the result of Edward Snowden and the public debate. I now think we’re going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of what’s happened in Paris.”
CIA Director John Brennan said something similar at a security forum this morning.
“There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it,” he said. “And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve…. And I do hope that this is going to be a wake-up call.”
No solid information has come out publicly yet about what communication methods the attackers used to plot their assault.
On Sunday, the New York Times published a story stating that the Paris attackers “are believed to have communicated [with ISIS] using encryption technology.” The paper’s sources were unnamed European officials briefed on the investigation. It was not clear, however, “whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate,” the paper noted.
A Yahoo news story on Saturday added to the theme, declaring that the Paris attacks show that US surveillance of ISIS is going dark. “Over the past year, current and former intelligence officials tell Yahoo News, IS terror suspects have moved to increasingly sophisticated methods of encrypted communications, using new software such as Tor, that intelligence agencies are having difficulty penetrating—a switch that some officials say was accelerated by the disclosures of former NSA contractor Edward Snowden.”
Numerous other news stories have suggested that attackers like the ones who struck Paris may be using something other than WhatsApp. According to the Daily Mail and others, authorities in Belgium, where some of the attackers were based, have found evidence that jihadis there have been using the PlayStation 4 network to recruit and plan attacks. A source told the paper that they are using it because “PlayStation 4 is even more difficult to monitor than WhatsApp.” The sources didn’t indicate if they were speaking specifically about the Paris attackers or about other jihadis in that country. But the fallacy of these statements has already been pointed out in other stories noting that communication passing through the PlayStation network is not encrypted end-to-end, and Sony can certainly monitor communications passing through its network, making it even less secure than WhatsApp.
US law enforcement and intelligence agencies have been warning for years that their inability to decrypt communication passing between phones and computers—even when they have a warrant or other legal authority to access the communication—has left them in the dark about what terrorists are planning.
But there are several holes in the argument that forcing backdoors on companies will make us all more secure. While doing this would no doubt make things easier for the intelligence and law enforcement communities, it would come at a grave societal cost—and a different security cost—and still fail to solve some of the problems intelligence agencies say they face with surveillance.
1. Backdoors Won’t Combat Home-Brewed Encryption.
Forcing US companies and makers of encryption software to install backdoors and hand over encryption keys to the government would not solve the problem of terrorist suspects using products that are made in countries not controlled by US laws.
“There’s no way of preventing a terrorist from installing a Russian [encryption] app or a Brazilian app,” notes Nate Cardozo, staff attorney for the Electronic Frontier Foundation. “The US or UK government could mandate [backdoors], but Open Whisper Systems is not going to put in a backdoor in their product, period, and neither is PGP. So as soon as a terrorist is sophisticated enough to know how to install that, any backdoor is going to be defeated.”
Such backdoors also will be useless if terrorist suspects create their own encryption apps. According to the security firm Recorded Future, after the Snowden leaks, its analysts “observed an increased pace of innovation, specifically new competing jihadist platforms and three major new encryption tools from three different organizations—GIMF, Al-Fajr Technical Committee, and ISIS.” Encryption backdoors and keys also don’t help when terrorists stop using digital communications entirely. A 2011 AP story indicated that al-Qaida had long ago ditched cell phones and internet-connected computers in favor of walkie-talkies and couriers.
News reports about the Paris attacks have indicated that some of the perpetrators lived in the same town in Belgium—which would have made it very easy to coordinate their attack in person, without the need for digital communication.
2. Other Ways to Get Information.
The arguments for backdoors and forced decryption often fail to note the many other methods law enforcement and intelligence agencies can use to get the information they need. To bypass and undermine encryption, intelligence agencies can hack the computers and mobile phones of known targets to either obtain their private encryption keys or obtain email and text communications before they’re encrypted and after they’re decrypted on the target’s computer.
In the case of seized devices that are locked with a password or encryption key, these devices have a number of security holes that give authorities different options for gaining access, as WIRED previously reported. A story this week pointed to vulnerabilities in BitLocker that would make it fairly easy to bypass the Windows encryption tool. And the leaks of Edward Snowden showed that the NSA and British intelligence agencies have a constantly evolving set of tools and methods for obtaining information from hard-to-reach systems.
“We’re still living in an absolute Golden Age of surveillance,” says Cardozo. “And there is always a way of getting the data that is needed for intelligence purposes.”
3. Encryption Doesn’t Obscure Metadata.
Encryption doesn’t prevent surveillance agencies from intercepting metadata and knowing who is communicating with whom. Metadata can reveal phone numbers and IP addresses that are communicating with one another, the date and time of communication, and even in some cases the location of the people communicating. Such data can be scooped up in mass quantities through signals intelligence or by tapping undersea cables. Metadata can be extremely powerful in establishing connections and identities and in locating people.
“[CIA] Director Brennan gleefully told us earlier this year that they kill people based on metadata,” Cardozo says. “Metadata is enough for them to target drone strikes. And that’s pretty much the most serious thing we could possibly do with surveillance.”
Some metadata is encrypted—for example, the IP addresses of people who use Tor. But recent stories have shown that this protection is not foolproof. Authorities have exploited vulnerabilities in Tor to identify and locate suspects.
“Tor can make the ‘where’ a little more difficult, but doesn’t make it impossible [to locate someone],” Cardozo says. “And Tor is a lot harder [for suspects] to use than your average encrypted messaging tool.”
4. Backdoors Make Everyone Vulnerable.
As security experts have long pointed out, backdoors and encryption keys held by a service provider or law enforcement agencies don’t just make terrorists and criminals open to surveillance from Western authorities with authorization—they make everyone vulnerable to the same type of surveillance from unauthorized entities, such as everyday hackers and spy agencies from Russia, China, and other countries. This means federal lawmakers on Capitol Hill and other government workers who use commercial encryption would be vulnerable as well.
The National Security Council, in a draft paper about encryption backdoors obtained by the Post earlier this year, noted the societal tradeoffs in forcing companies to install backdoors in their products. “Overall, the benefits to privacy, civil liberties and cybersecurity gained from encryption outweigh the broader risks that would have been created by weakening encryption,” the paper stated.
If all of these aren’t reason enough to question the attacks on encryption, there is another reason. Over and over again, analysis of terrorist attacks after the fact has shown that the problem in tracking the perpetrators in advance was usually not that authorities didn’t have the technical means to identify suspects and monitor their communications. Often the problem was that they had failed to focus on the right individuals or share information in a timely manner with the proper intelligence partners. Turkish authorities have already revealed that they had contacted French authorities twice to warn them about one of the attackers, but that French authorities never got back to them until after the massacre in Paris on Friday.
Officials in France indicated that they had thwarted at least six other attack plots in recent months, but that the sheer number of suspects makes it difficult to track everyone. French intelligence maintains a database of suspected individuals that currently has more than 11,000 names on it, but tracking individuals and analyzing data in a timely manner to uncover who poses the greatest threat is more than the security services can manage, experts there have said. It’s a familiar refrain that seems to come up after every terrorist attack.
“If Snowden has taught us anything, it’s that the intel agencies are drowning in data,” Cardozo says. “They have this ‘collect it all mentality’ and that has led to a ridiculous amount of data in their possession. It’s not about having enough data; it’s a matter of not knowing what to do with the data they already have. That’s been true since before 9/11, and it’s even more true now.”