With the Cybersecurity Information Sharing Act snuck into the omnibus budget bill in December, and the horrific terrorist attacks in Paris and San Bernardino, encryption has returned front and center as the next cybersecurity policy battleground. Unfortunately, like so many reactive policy issues, the encryption debate remains muddled in myopic discussions that ignore the complex realities of both technology and the modern international system. Since the technological challenges have been widely covered, below are just three of the key structural social challenges that further indicate that it’s time to move on to a more productive discussion regarding the national security implications of the cyber domain.
- Collective Action Problem – Similar to the Wassenaar Arrangement, any policy that depends on global adherence will fail unless it is in everyone’s interest to abide by it. Digital safe havens will continue to exist with and without legislation requiring backdoor access to data. Nefarious actors will take advantage of and circumvent any legal mandates if deemed in their best interest to do so. This is why norms are so challenging in this domain: whether illegal or not, encryption without backdoor access will be used by criminals, spies and terrorists if it helps them achieve their objectives. Moreover, adhering to the law would then become a self-imposed competitive disadvantage for corporations as it could weaken the security and protection of their PII and IP. Weakening encryption assists those trying to exploit the system or limit civil liberties, while hindering those trying to protect them. Given the very widespread data breaches of the last few years, if anything, we need stronger security practices around our personal and intellectual data, not weaker.
- Dictatorships – While the notion we’re entering an era of authoritarian resurgence remains highly debated, it is clear that major powers such as China and Russia as well as smaller states like Uzbekistan continue to leverage the Internet as a key source of international statecraft and domestic control. Many state and non-state actors better achieve their objectives if the Internet is not free and open. In this case, encryption becomes part of their strategy of domestic control, either by implementing encryption to protect their own communications, or by cracking into it as part of a larger surveillance strategy. Dictatorships further achieve these objectives by working with companies whose main purpose is to crack the encryption systems of companies such as Facebook and Google. As long as there are leaders who pursue domestic policies of censorship and Internet control, they will find ways to impose or crack encryption systems to their benefit. Encryption becomes part of their larger strategy, implementing impenetrable systems to safeguard their own data, thus giving them an advantage, as they are not required to provide backdoor access to their data. Dictatorships also constantly pursue vulnerabilities and weaknesses to exploit – especially among pro-democracy groups and social media companies – and therefore will devote significant resources toward gaining access to data via any backdoor channels.
- Head in the sand – Finally, as policy slowly muddles along to grasp technological realities, encryption systems are increasingly ubiquitous. The recent presidential debates demonstrated the void in comprehension of the problem and certainly did not provide viable solutions. On the one hand, the most recent Democratic debate avoided providing any coherent platform other than the need to balance security and privacy. The Republican debate similarly failed to offer viable solutions, with bewildering comments ranging from cutting off parts of the Internet to confusing statements about smartphone encryption. Unfortunately, it’s possible that reactive policy responses may win out over more thoughtful recommendations that clearly address the core problems. The recent terrorist acts put renewed pressure on Congress to respond quickly to a dominant national security concern, elevating the risk that misguided policy will be passed.
For instance, there has been talk of a bipartisan commission that would bring both DC and Silicon Valley leadership together to explore the problem, similar to the 9/11 commission. Worried that it will take too long, the Senate may instead push forth with encryption legislation that may not be an adequate solution to the actual national security challenges. A bipartisan commission – a rare display of unity in Congress – could help Congressional leaders better grasp the technical implications of their policies, while also helping the tech community better comprehend the complexity of modern national security challenges. Until then, based on the recent level of discourse, the more likely reality unfortunately is ill-conceived, reactionary legislation.
The encryption debate – centered at its core on whether there is a security and privacy trade-off – only continues to further the wedge between DC and Silicon Valley. It would be more productive for both the tech and policy communities to look beyond encryption. Although cybersecurity was not addressed in last month’s State of the Union address, hopefully meetings such as that between national security leaders and Silicon Valley CEOs last month are a sign that these two sides can work toward more innovative solutions that meet both the technological and geopolitical realities of the current era. Of course, this will require both sides to compromise. Silicon Valley needs to accept that safeguards are necessary given the national security landscape, while Congress needs to lean on Silicon Valley to optimize the way advanced technologies can simultaneously protect both privacy and national security. Until then, we’re likely to see misguided policy proposals that are ill-fitted to achieve the desired national security objectives.