In a David Grogan interview last Oct 4th, White House Cybersecurity Coordinator Rob Joyce made remarks on law enforcement (LEOs) access to private communications and information. He encouraged Internet service firms to be ready with cooperation for law enforcement requests for access to private information. In an Aug. 22, 2017 interview, Joyce also said that the US needs an additional 300,000 cybersecurity experts, and that government and consumers should avoid use of Kaspersky Labs software due to possible ties with Russian “intelligence.”
Nowhere in the two interviews cited above did he mention that a renewal of Section 702 Foreign Intelligence Security Act (FISA) is making its way through Congress. But Section 702 FISA was the elephant in both rooms. In a separate Oct 4th longer interview, John Carlin of Forrester questioned Mr. Joyce on Section 702 FISA and other topics.
Mr. Joyce worked at NSA and he clearly knows his stuff. He offered routine cybersecurity advice — “it really comes down to doing the basics… it’s patching, having a good architecture, understanding in advance where the threats are, having logs, monitoring, watching, and dealing with it.” He also offered observations on topics such as manufacturers’ self-serving obligation to do a better job with Internet-of-Things security.
His main, cheerful ideas on encryption and on LEO access to individual’s private information are just not in line with consumers’ perspectives. Consumers are generally not persuaded that it is in their interest to have LEOs invade their privacy, even when LEOs need a court order to acquire that information.
Mr. Joyce also exhorted Internet firms to work cooperatively with LEOs, and to design their systems and networks in ways that accommodate easy access to consumers’ private information. Consumers are not ready for that.
Mr. Joyce also extols end-to-end encryption. End-to-end encryption can be very difficult to break in order to reveal the plain language it masks. That’s good for consumers and bad for the LEOs hunting for evidence. Unfortunately, Internet and communications firms are likely to incur long delays and substantial costs when complying with a court order to crack an encrypted communication. The passage of time and the substantial cost could undermine LEO’s interest in the suspect’s plain text. Furthermore, the availability of encryption “keys” at some LEO-accessible facility is the equivalent of a backdoor for LEO access.
Although Mr. Joyce explicitly says he does not want cyber backdoors fitted into private sector systems, he negates that by suggesting the design of IT devices, transmissions, and software should anticipate and accommodate industry’s compliance with court orders on handing over private information. Such a portal is an easy-open back door. Foes of the US could use the same portal as firms use when fetching items sought by the LEO.
There is a difference between Section 702 FISA court orders to collect information on foreign persons and requests for LEO domestic collection of US persons information. The FISA court must authorize the former, and a US court can authorize the latter. Some US residents object to collection of information from foreign persons (especially foreign politicians when a local reporter is nearby), but many more US consumers object to collection from US persons unless the targeted individual is a public danger or guilty of a serious crime. To change public opinion will require some thoughtful work by Congress. A sharp uptick in indictments and incarcerations of criminal hackers would help.
Both public safety and the rights of personal privacy are important, but only Congress can decide when one supersedes the other. Until that is settled by Congress and tested in enough non-partisan, publicly accessible courts, we will have to endure many more years of costly litigation and uncertain outcomes. There may never be full harmony over the issue of government access to our private information, but government needs to get a lot closer to our acquiescence than it has bothered to do before.
One issue that complicates Mr. Joyce’s suggestions for LEO access to consumers’ private data is the EU-US Privacy Shield, an agreement to safeguard each other’s citizen privacy from intrusions. The European Court appears convinced that US firms, and perhaps LEOs, have abused EU citizens’ privacy. The near-term consequence of that finding could be a blockage of data transfers between the EU and US. Any protracted blockage could become a trade calamity for the US, and it could tempt the White House to lean too far in the direction of starving LEOs of the evidence they need.
Offering sage advice to the White House on cybersecurity is a tough and tangled assignment. We wish Mr. Joyce and ourselves the best of luck, especially if most of the 300,000 newly minted cybersecurity experts work in the private sector.