Daniel Rosenthal: Why Encryption Debilitates Our National Security, at Versus 16

Fresh on the heels of yesterday’s Versus interview, I’d like to introduce you to Daniel (“DJ”) Rosenthal, Associate Managing Director at Kroll, who will be joining Cindy Cohn on stage in our encryption debate.  DJ is a former Director of Counterterrorism at the White House and will be sharing his perspective about the challenges that encryption can pose to the government’s national security efforts.  DJ is an influential counterterrorism expert, having also served as a senior national security official at the Department of Justice and the U.S. Intelligence Community.  DJ teaches an award-winning course on national security dilemmas at the University of Maryland’s Honors Program.

I sat down with DJ and asked him the same questions I asked Cindy to get a sneak preview of the debate.

Roughly 20 years ago, encryption was a listed “weapon” in the U.S. Munitions list, just like a bomb or a flamethrower. What’s the biggest change you’ve witnessed in encryption over the last two decades?

Over the past few decades, advances in technology have lowered the barrier to entry, enabling greater availability of encryption technologies to the average consumer. Encryption provides tremendous benefits but there are downsides, too, including making it far more difficult for our government to gain access to critical information that it needs to fulfill vital national security missions. The challenge we face is in finding a workable and sustainable balance that adequately accounts for each of these very vital public interests.

What is the right balance between privacy and security?

Here’s what I believe: in general terms, our system prevents the government from gaining access to private information, and we as a nation place a strong premium on individual privacy and freedom from government intrusion. But our system has also long recognized that some privacy interests must yield in cases in which the greater public good requires it – such as when necessary to enforce our criminal laws or to provide for the common defense.

The way in which we have traditionally struck that balance is through legal process; to only permit the government to gain access to an individual’s constitutionally-protected information when the government can demonstrate a high legal standard for doing so – when it is doing so pursuant to court order, supported by a showing of probable cause.  Wide scale adoption of encryption risks hindering the government’s ability to gain access to certain communications even when it meets the required legal standard – that is, even when we as a society through our laws and legal process have agreed that when those requirements are met, the public interest favors government access.  That is what concerns me; the situation where this established public interest balance is denied because of “warrant-proof encryption.”

The widespread availability of encryption comes at a time of enhanced threats from terrorist actors, who perpetrate deadly attacks, it seems increasingly, with impunity and on a far too regular basis – as recent events in Paris, San Bernardino, Nice, Orlando and New York vividly demonstrate.  Adoption of encryption protocols by terrorists makes it that much more difficult for intelligence services to gain insight into attacks before they are carried out, increasing the likelihood that more attacks will proceed uninterrupted.

National security policy is often reactive, meaning it is forged in the aftermath of a security catastrophe.  And in such times of heightened political focus and high public anxiety, my concern is that we are more prone to getting the balance wrong. In the aftermath of another significant mass casualty event, the pendulum could swing severely toward national security, and those of us who seek a compromise position that preserves government’s ability to do its job protecting the public while promoting technologies that protect the privacy of individuals and the security of the internet, will be cut out of the dialogue.  The government will be given carte blanche to do whatever it needs to do to regain access to private communications of potential or suspected bad actors in the name of protecting national security. For this reason, the best time to identify a solution that strikes the right balance is now, in the “relative calm.”  

Over the past two years, we’ve also seen an unprecedented increase in end-to-end encryption in mobile and consumer apps (e.g., Facebook’s WhatsApp, Google, and Apple’s mobile operating systems). Why is encryption on the rise?

Encryption has become commercialized, but the largest users leveraging encryption are still sophisticated, tech-savvy commercial enterprises securing customer data, not individuals. The average 20-something year old isn’t as concerned about securing his/her conversations on Gmail in comparison to a regulated company looking to protect its sensitive corporate data.   

Interestingly, as the availability of encryption has increased, private companies’ willingness to work with the government has decreased.  This creates a dangerous situation in which the private sector, particularly the technology sector, which was willingly provided following the attacks on September 11, 2001, is decreasing at the very time that its assistance is needed the most to keep up with advances in encryption technology.

The FBI has warned that terrorist groups like ISIS will leverage encryption to obscure and hide attacks, making it difficult to protect national security. Do you agree? Is encryption also a tool of terror?

Yes, I do agree it can make it more difficult to protect national security. It used to be the case that threats to our national security were identifiable because we could track the mass movement of armies and warships.  But the terrorists that we face today are born in chatrooms and on social media. And the plots that extremists conspire to commit – often with individuals on the other side of the world – take place on the internet, and in secret.

Their use of encryption makes it far more difficult for law enforcement and the intelligence community to gain critical insights into their deadly plotting.  That’s very dangerous when you’re dealing with an amorphous player like ISIS that seeks to radicalize new adherents and plans attacks in cyberspace, and that has demonstrated the continued motivation to kill civilians in malls, airports, nightclubs, and on civilian-lined streets.

In short, deadly attacks in the real world are increasingly being inspired and plotted in the virtual one.  And if our government loses its insight into the activities of terrorists in the virtual world, it will lose its ability to prevent attacks plotted there from being successfully carried out in the physical world.  That scenario concerns everyone.

What excites you most about Versus and your head-to-head debate with Cindy Cohn?

I was involved in the encryption debate long before the very public dispute between Apple and the FBI regarding the contents on the iPhone of one of the perpetrators of the San Bernardino terrorist attack.  In the heat of the argument, as we saw last spring, there isn’t much room for rational debate.  But we must find a balance between data security and national security.  The challenges posed by encryption to law enforcement and national security are very real, and we continue to face the possibility of a catastrophic attack. I think it’s valuable and timely for a rational conversation to hopefully pave the way for a workable and sustainable solution.

DJ and Cindy Cohn will discuss encryption on November 17, 2016 at the Terra Gallery. Check out the rest at Versus16.com, and register today. Get important updates and announcements by following Vera on Twitter @VeraSecurity using the hashtag #Versus16.

Written on October 6, 2016
by Veliz Perez
Tags:
  • Industry, 
  • Security