Former FBI general counsel Jim Baker, who fought Apple on the San Bernardino iPhone case, says that he has now rethought some of his views on strong encryption.

Baker left the FBI last year to join a DC-based think tank, where his role is to write for the justice-focused blog, Lawfare…

He writes in the piece, entitled Rethinking Encryption, that he now has a more balanced view of the issue. In particular, he thinks governments need to ‘embrace reality’ where encryption is concerned, recognizing that it is needed to protect the US from cyber threats.

He says, however, that he stands by the position he took while FBI general counsel in the iPhone case.

In the face of congressional inaction, and in light of the magnitude of the threat, it is time for governmental authorities—including law enforcement—to embrace encryption because it is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China. This is true even though encryption will impose costs on society, especially victims of other types of crime.

Baker says that strong encryption still poses a substantial problem for law enforcement, but he now recognizes that there is no way to square the circle of protecting both personal and government data on the one hand, and allowing law enforcement to access data on the other.

He says that forcing US companies to create compromised systems would simply shift demand to foreign-made products that remain secure. Additionally, a lot can be done with metadata – that is, records of who contacted whom, rather than what was said.

He says that where US infrastructure is concerned, strong encryption is the best way to tackle concerns about spyware in Chinese-made equipment. A zero-trust approach is needed.

The former FBI general counsel says law enforcement should continue to explain the challenges posed by strong encryption, but it should also advocate for the government's own use of strong encryption.

In general, a zero-trust network is, as the name implies, one that you do not trust. A network operator that employs the zero-trust network concept presumes that one or more adversaries have successfully penetrated the network’s perimeter defenses and are present inside the network. The operator also presumes that it will be difficult or impossible to ever be sure that the adversaries have been identified and removed. Accordingly, they treat their internal systems as zero-trust networks, which will include consistently challenging all users, applications and devices and encrypting data as much as possible.

The whole piece is well worth reading.

“I know full well that this approach will be a bitter pill for some in law enforcement and other public safety fields to swallow, and many people will reject it outright. It may make some of my former colleagues angry at me […]

“If law enforcement doesn’t want to embrace encryption as I have suggested here, then it needs to find other ways to protect the nation from existential cyber threats because, so far, it has failed to do so effectively.”
