Dec 11, 2019

Analysis | The Cybersecurity 202: Lawmakers give Big Tech an ultimatum on encryption

By Joseph Marks

Senate Judiciary Committee Chairman Lindsey Graham (R-S.C.). (AP Photo/J. Scott Applewhite)
Lawmakers are giving big tech firms an ultimatum: Give police access to encrypted communications or we'll force you. 
That warning, delivered by senator after senator during a Senate Judiciary Committee hearing yesterday, reflects the fierce anti-encryption mood now reigning on Capitol Hill -- and how the Justice Department's warnings that the digital protection allows child sex traffickers and other criminals to act with impunity seem to be moving the needle.
“It ain’t complicated for me. You’re going to find a way to do this or we’re going to do it for you,” committee chairman Lindsey Graham (R-S.C.) told representatives from Facebook and Apple. “We’re not going to live in a world where a bunch of child abusers can have a safe haven to practice their craft. Period. End of discussion.”
Graham added, “You’re either the solution or you’re the problem.”
Similar warnings came from the committee’s top Democrat, Dianne Feinstein (Calif.), and Republican Sens. Joni Ernst (Iowa), John Cornyn (Texas) and Marsha Blackburn (Tenn.), who charged the companies are “creating a sanctuary” for criminals. “You all have got to get your act together or we will gladly get your act together for you,” Blackburn said.
The lawmakers’ with-us-or-against-us approach marks a huge about-face from a few years ago, when Congress seemed more split on whether advanced encryption provided a dangerous haven for criminals or a vital protection for all Americans.
Back in 2016, even Graham warned the Obama Justice Department against trying to legally force Apple to help break into an encrypted iPhone used by San Bernardino shooter Syed Farook, saying the precedent could backfire and damage national security.
“I’m a person who’s been moved by the arguments [about] the damage we may be doing to our national security,” Graham told then-Attorney General Loretta Lynch. Graham’s office didn’t respond to a query asking for details about his shifting position.
The hearing's comments make it more likely the Justice Department will double down on its pivot to focus on the dangers of child sexual exploitation and trafficking, rather than how terrorists could use encrypted communications to plan operations. 
Tech companies, meanwhile, are calling lawmakers’ bluff and arguing there’s no technical way to give police access to encryption without letting criminals in, too -- and making their users significantly more vulnerable.
As the hearing began, Facebook released a letter refusing a request from Attorney General William P. Barr to delay expanding encryption across its messaging services, as my colleague Tony Romm reported.
“People’s private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security,” the company wrote.
Barr charged in an open letter to Facebook in October that the company’s adoption of broader encryption could cut the 16.8 million reports of child sexual exploitation and abuse content it delivered to the National Center for Missing and Exploited Children in 2018 to just 5 million or less.
Jay Sullivan, a Facebook privacy executive, countered during the hearing that the company can detect some child exploitation even when account contents are blocked by encryption by monitoring the size and nature of files. Facebook-owned WhatsApp removes about 250,000 encrypted accounts each month for child abuse, he said.
Lawmakers are also riding a wave of public anger at Facebook and other tech companies, following myriad privacy debacles that have compromised the personal information of millions of Americans.
Encryption advocates are fighting back, though, arguing that focusing on criminals fails to acknowledge the danger that billions of non-criminals who use encrypted systems from Facebook, Apple, Google and other companies would face without strong encryption.
Here’s Amie Stepanovich, executive director of Silicon Flatirons, an innovation center at the University of Colorado, Boulder:
Whitehouse asks if Apple is willing to accept liability if someone dies because of encryption.
Who accepts liability if (when) someone dies because of inadequate/lack of encryption?
— Amie Stepanovich (@astepanovich) December 10, 2019
Police also aren’t using all the tools they have to gather evidence against criminals without compromising encryption, such as getting warrants to hack into accounts, Stepanovich argued:
For example, I have asked for a focus on making actual adequate legal standards for government hacking. That would be good for CSAM and other investigations and good for people. But even if we had that, we would still fight encryption. LE wants both/all.
— Amie Stepanovich (@astepanovich) December 10, 2019
In other cases, police and prosecutors have contracted with companies to help them break into encrypted devices by exploiting secret flaws in the encryption itself. Or they’ve used unencrypted information, such as the timing of communications and who’s contacting who, to build a case.
Here’s Johns Hopkins Professor of Strategic Studies Thomas Rid, who argued in advance of the hearings that protecting encryption is more important than the impeachment debate:
Unpopular, hard truth: the future of end-to-end encryption is more important than the future of this administration, and these hearings—yes, there's a low but nonzero probability of meaningful legislation—are probably more significant than this entire impeachment procedure.
— Thomas Rid (@RidT) December 6, 2019


PINGED: Secretary of State Mike Pompeo scrapped with Russian Foreign Minister Sergei Lavrov during a public appearance yesterday after Lavrov denied Russian interference in the 2016 election. Pompeo declared the United States had "shared plenty of facts to show what happened" and that the interference was "unacceptable," my colleagues John Hudson and Anne Gearan report.
“Lavrov said Russia has demanded that the United States provide evidence of election interference, but when asked by a reporter why he doesn’t simply ‘read the Mueller report,’ Lavrov dismissed the suggestion,” my colleagues reported.
President Trump, who has wavered on whether he believes Russia was involved, also warned Lavrov against interference, he said on Twitter. But Lavrov denied that the two discussed election interference during their meeting, The Hill reports.
Just had a very good meeting with Foreign Minister Sergey Lavrov and representatives of Russia. Discussed many items including Trade, Iran, North Korea, INF Treaty, Nuclear Arms Control, and Election Meddling. Look forward to continuing our dialogue in the near future!
— Donald J. Trump (@realDonaldTrump) December 10, 2019

Senator Elizabeth Warren REUTERS/Scott Morgan/File Photo
PATCHED: Private equity companies that own parts of the three largest voting machine companies may be squeezing their budgets in a way that produces less secure products, lawmakers allege in a letter released yesterday. The lawmakers’ warnings come amid widespread concern Russia or another U.S. adversary could exploit weaknesses in voting machines to undermine the 2020 election.
"These problems threaten the integrity of our elections and demonstrate the importance of election systems that are strong, durable and not vulnerable to attack," the group wrote.
The letters were sent by Sens. Elizabeth Warren (D-Mass.), Ron Wyden (D-Ore.), Amy Klobuchar (D-Minn.), and Rep. Mark Pocan (D-Wis.) to private equity owners of Election Systems & Software, Dominion Voting Systems, and Hart InterCivic, which control about 90 percent of the voting machine market. Warren, a 2020 presidential candidate, and Pocan are sponsors of Senate and House bills that would impose new transparency requirements on private equity firms.
The lawmakers want to know how much the firms invest in research, development and maintenance that could improve election security.

FILE PHOTO: Former U.S. counterterrorism coordinator Richard Clarke  REUTERS/Kevin Lamarque
PWNED: The George W. Bush administration’s top counterterrorism official Richard Clarke and several other ex-White House officials were instrumental in launching a United Arab Emirates spying program that ultimately spied on the United Nations office in New York, the FIFA soccer association, and a Saudi women's rights activist, Joel Schectman and Christopher Bing at Reuters report.
Reuters previously reported that former U.S. intelligence agents were involved in the project.
The idea for the agency, which would eventually operate under the codename "Project Raven," was to track terrorists, Clarke told Reuters. The participation of Clarke and other former U.S. officials was approved by the State Department and the National Security Agency, he said. Clarke's company Good Harbor Consulting gave up control of the project in 2010, but it continued to employ numerous former U.S. officials after that.
One of Clarke's former partners expressed disgust at how the program evolved.
“I have felt revulsion reading what ultimately happened,” Paul Kurtz, Clarke's former partner and former senior director for national security at the White House, told Reuters. He called for greater oversight of the use of U.S. cyber talent abroad, something that members of Congress have also pressed for.


— Cybersecurity news from the public sector:

Lawmakers are dismissing China's threat to retaliate against U.S. technology companies and vowing not to back down on limiting the use of Chinese telecom products from Huawei and ZTE, which they see as a threat to national security.

In interviews Tuesday, William P. Barr said there had been “gross abuses” at the FBI.
Matt Zapotosky and Devlin Barrett

Sen. Mike Crapo (R-Idaho) on Tuesday blocked an attempt by Democrats to pass legislation meant to prevent Russia and other countries from interfering in elections.
The Hill

A civil rights group says a database that checks whether voters are registered in multiple states has been suspended until security safeguards are put in place as part of a settlement of a federal lawsuit.

Dronesense, which sells a platform for controlling drones to police, left customer data including flight plans exposed.


— Cybersecurity news from the private sector:

Researchers found telcos are implementing the successor to SMS in ways that make text messages more vulnerable.

A new attack called Plundervolt gives attackers access to the sensitive data stored in a processor's secure enclave.
Wired

Amazon.com Inc (AMZN.O) said on Tuesday it had issued a fix to rectify security flaws in certain of its Blink home camera systems after a cyber security firm found vulnerabilities that could let hackers hijack the device.


— Cybersecurity news from abroad:

Iran has foiled a major cyber attack on its infrastructure that was launched by ...

Whoever leaked UK-U.S. trade papers online ahead of Britain's general elect...

A new law would give the country’s 1.3 billion people more power over data collected by companies but allow the government to exempt itself from the rules.
The New York Times
