There are no good options for government in the debate over encrypted communication systems, a top Washington think tank declared Thursday.
But the worst option by far would be for government to merely fret about the issue while tech companies, authoritarian nations, terrorists and cyber criminals take the lead, according to the report from the Center for Strategic and International Studies.
While the report authors stop short of endorsing a particular fix for the challenge encryption poses to law enforcement, they do conclude the risk posed by encryption “has not reached the level that justifies restrictions or design mandates” and that “the encryption issue law enforcement faces, while frustrating, is currently manageable.”
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
That conclusion, which will please technologists and civil liberties advocates, puts the report authors in line with an earlier report by the House Judiciary and Energy and Commerce committees. House Judiciary Chairman Bob Goodlatte also described not undermining encryption as his committee’s starting point this Congress.
Other possible responses posed by the report carry their own challenges, however.
If the U.S. government does nothing to respond to the encryption challenge or allows the issue to fall victim to the “usual Washington theatrics of commissions, enquiries, special committees and other mechanisms to give the appearance of movement,” it risks ceding ground to terrorists and cybercriminals, the report states.
A “laissez-faire” approach would also squander the U.S.’ opportunity to lead a global response to the global encryption challenge when there are no strong contenders to take over that leadership role, according to the report.
The long-simmering debate over end-to-end encryption systems, which shield the contents of encrypted communications even from the companies that host those communication tools, burst into the public briefly last year when Apple fought back against an FBI demand that the company help crack into an encrypted iPhone used by San Bernardino shooter Syed Farook.
The FBI ultimately withdrew its demand before the issue was settled in a courtroom when an unnamed company sold the bureau a tool to hack into the phone without Apple’s help. FBI Director James Comey, who supports a “legislative fix” to unbreakable encryption systems, has warned additional encryption showdowns are sure to arise and urged Congress to tackle the issue soberly before it must do so in crisis mode.
The CSIS report outlines numerous methods the government could use to help law enforcement crack though encryption used by terrorists and criminals without undermining that same encryption when used by average citizens. But each of those options comes with advantages and drawbacks of its own.
The easiest method would be for the FBI and law enforcement to invest in their own hacking prowess to exploit vulnerabilities in encryption systems or in the way criminals and terrorists use them. That approach, however, risks “creat[ing] an arms race dynamic between law enforcement and companies that could quickly escalate costs for both sides,” the report notes.
Police could also ramp up their reliance on metadata: information such as the date, time, sender and recipient of a message that typically cannot be encrypted and that forms the basis for much intelligence work. Metadata will remain less useful than content however, especially as evidence presented in a court of law, the report concludes.
The government could create a new organization focused solely on aiding police decryption efforts, but it’s unlikely such an agency’s decryption efforts could keep pace with companies’ encryption capabilities, the report states.
Finally, Congress could expand the legal authority for the National Security Agency, with its superior hacking skills, to help law enforcement conduct investigations. It would be very difficult, however, to admit into evidence anything NSA collected using classified tools and the nation’s premier digital spy agency would likely be unwilling to risk exposing its sources and methods—and undermining its spying capabilities—for the sake of a single conviction.