Former FBI cyber official cautions against weakening encryption laws
- By Derek B. Johnson
- Nov 28, 2018
A former top cyber official at the FBI involved in the 2015 San Bernadino shooter investigation said he does not believe the Department of Justice needs weaker laws around encryption to do its job and that doing so would result in unacceptable collateral damage to industry and data security.
Robert Anderson, former executive assistant director for the criminal, cyber, response and services branch, said that when he was initially working on the San Bernardino shooting case, he could not understand why Apple was refusing to grant access to the shooter's iPhone. The FBI and intelligence community were worried that more attacks could be on the immediate horizon and faced intense pressure to gain access to the shooter's phone to mine it for leads on future threats.
In hindsight, Anderson, currently a principal at the Chertoff Group, called that viewpoint "myopic." After running global information security operations for a number of private-sector companies and dealing with the fallout from countless data breaches, he said he is now convinced that the economic and societal collateral damage from weakening encryption laws would far outweigh any benefits.
"The one thing that struck me immediately was the fiduciary responsibility for those companies that are being entrusted by the clients who have given them information," Anderson said at a Nov. 27 event hosted by think tank New America. "They were entrusted by those clients, whether it was a cell phone, whether it was a computer, whether it was an encrypted app … into a contract that says, 'I'm going to keep your data safe.'"
Further, he questioned whether the bureau even needed access to the shooter's phone in the first place, saying law enforcement has a number of other tools, such as subpoena power, to achieve the same goals without weakening the overall cybersecurity of devices and apps.
"When I step back and look at it three years later, I'm not sure that we couldn't have gotten that information from some other venue," Anderson said.
That argument is largely bolstered by a March 2018 report from the Department of Justice inspector general, which found that the FBI was in communication with vendors about a technical workaround to access the shooter's phone at the same time then-director Jim Comey was telling Congress that compelling Apple to provide access was the only viable option. The report also quotes Executive Assistant Director Amy Hess expressing concern that the head of the unit responsible for gaining access to the shooter's phone "did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple."
Meanwhile, high-level officials for the FBI and DOJ continue to insist that a compromise solution, wherein law enforcement can gain access to a suspect's data when needed without building backdoors into devices and software, is possible.
"We will continue to work closely with technology companies to establish responsible practices that consider both privacy concerns and public safety imperatives," said Deputy Attorney General Rod Rosenstein in a Nov. 18 speech to the Interpol general assembly.
In January, FBI Director Christopher Wray said he doesn't "buy the claim that it's impossible" to achieve a compromise. However, cryptographers and sympathetic members of Congress have repeatedly questioned those claims. In a February hearing, Sen. Ron Wyden (D-Ore.) asked Wray for a list of cryptography experts the bureau consulted when arriving at its position. Wray declined to answer, both then and following the hearing, according to Wyden's office.
Critics of the government's push for a legislative mandate around encryption cite the need for greater education in Congress around the technical obstacles presented by DOJ's proposals. Some have called for reviving the Office of Technology Assessment, shuttered since 1995, to provide lawmakers with the kind of independent, authoritative analysis needed to cut through what has become a highly contentious debate.
A staffer for a Democratic member of the House speaking on background specifically cited the encryption debate as an area where OTA could help, telling FCW that FBI and DOJ officials tend to avoid diving into the technical details when talking to Congress or the public about the issue, leaving less technically inclined lawmakers and staffers with the impression that a compromise between government and industry is simply a matter of all sides working harder, rather than a mathematical impossibility.
"That's playing the politics, that's fine, it's a political town, that's what they're supposed to do," said the staffer. "But members don't have a way to evaluate the veracity" of competing claims from law enforcement and cryptographers, a role OTA was specifically created to fulfill.
Others caution about blowback, arguing that whatever rules a large nation like the United States establishes around encryption will have global consequences, potentially opening the door for other, more repressive governments around the world to insist on similar solutions.
"If you undermine encryption in Apple phones or in WhatsApp, every single other government is going to want to demand the same," said Cynthia Wong, senior researcher at Human Rights Watch. "And if companies have acquiesced to that [and] they've already re-engineered their systems, there's not that much they can do to really push back against those other requests."
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.