Encryption Affirmative - MichiganClassic 2015
1ACS
1ac cybersec
Contention 1 is CYBER SECURITY:
Attacks exploiting surveillance backdoors on critical infrastructure are imminent and inevitable;
the plan is key to any effective defense
Blaze, Comp Sci Prof @ Penn, 15 (Matthew Blaze, Ph. D in computer science and associate professor at UPenn,
ENCRYPTION TECHNOLOGY POLICY ISSUES, 4/29/15,
HTTP://congressional.proquest.com.proxy.lib.umich.edu/congressional/docview/t39.d40.04292903.d94?accountid=14667)//EM
I. ROBUST DIGITAL SECURITY TECHNOLOGIES ARE VITAL TO PROTECTING OUR NATIONAL AND CRITICAL INFRASTRUCTURE It is difficult to overstate
the importance of robust and reliable computing and communications to our personal, commercial, and national security today.
Virtually every aspect of our lives, from our health records to the critical infrastructure that keeps our society and economy
running, is reflected in or supported in some way by increasingly connected digital technology. The influx of new communications and
computing devices and software over the last few decades has yielded enormous benefit to our economy as well as to our ability to connect with one
another. This trend toward digital systems, and the benefits we reap from them, will only accelerate as technology continues to improve.
Preventing attacks against our digital infrastructure by criminals and other malicious actors is thus now an essential part of
protecting our society itself. Unfortunately, modern computing and communications technologies, for all their benefits, are also
notoriously vulnerable to attack by criminals and hostile state actors. And just as the benefits of increased connectivity and more
pervasive computing will continue to increase as technology advances, so too will the costs and risks we bear when this technology is maliciously
compromised. It is a regrettable (and yet time-tested) paradox that our digital systems have largely become more vulnerable over time, even
as almost every other aspect of the technology has (often wildly) improved. New and more efficient communication technologies often
have less intrinsic security than the systems they replaced, just as the latest computers and other devices regularly suffer from unexpected
vulnerabilities that are exploited remotely by malicious attackers. Large-scale data breaches and similar security failures have so become
commonplace that they now only make the news when their consequences are particularly dramatic. Serious security failures are
literally a daily occurrence, and it is not an exaggeration to characterize this situation as an emerging national crisis. Modern
digital systems are so vulnerable for a simple reason: computer science does not yet know how to build complex, large-scale software that
has reliably correct behavior. This problem has been known, and has been a central focus of computing research, since the dawn of programmable
computing. As new technology allows us to build larger and more complex systems (and to connect them together over the Internet), the
problem of software correctness becomes exponentially more difficult. As this insecure technology becomes more integrated into the systems
and relationships upon which society depends, the consequences become increasingly dire. While a general solution to the problem of software reliability and
correctness has eluded us (and will continue to do so absent some remarkable, unexpected breakthrough), there are two tried-and-true techniques
that can, to some extent, ameliorate the inherent vulnerability of software-based systems. One is the use of encryption to protect
data stored on or transmitted over insecure media. The other is to design systems to be as simple as possible, with only those
features needed to support the application. The aim is to minimize the "attack surface" that any software vulnerabilities would expose. Neither the use of
encryption nor designing systems to be small and simple are perfect solutions to the software security problem. Even carefully designed, single-purpose software
that encrypts data whenever possible can still harbor hidden, exploitable vulnerabilities, especially when it is connected to the Internet. For this reason,
software systems must be exposed to continual (and resource intensive) scrutiny throughout their lifecycle to discover and fix flaws
before attackers find and exploit them. But these approaches, imperfect and fragile as they might be, represent essentially the only
proven defenses that we have. II. LAW ENFORCEMENT ACCESS REQUIREMENTS CARRY GREAT RISKS U.S. law enforcement agencies
have for at least two decades been warning that wiretaps and other forms of electronic evidence gathering are on the cusp of
"going dark". These fears have been focused chiefly on the potential for criminal use of encryption (which, properly used, can prevent
eavesdroppers from recovering communications content), as well as emerging decentralized communications paradigms, such as peer-to-peer communication,
that are not easily intercepted with the same techniques that were used to wiretap traditional telephone calls. They call for developers to
incorporate "lawful access" features into products and services that facilitate wiretapping. At first blush, a "lawful access only"
mechanism that could be incorporated into the communications systems used by criminal suspects might seem like an ideal technical solution to a difficult policy
problem. Unfortunately, harsh technical realities make such an ideal solution effectively impossible, and attempts to mandate one
would do enormous harm to the security and reliability of our nation's infrastructure, the future of our innovation economy, and
our national security. A. Access Requirements Make Encryption Vulnerable and Expensive Let us consider first the relatively narrow problem of
ensuring law enforcement access to encrypted communication. This is perhaps the simplest part of the law enforcement access problem, but it is
dauntingly - and fundamentally - difficult to solve in practice without creating significant risk. Encryption systems encode messages in a
way that prevents their decryption without knowledge of a secret, called a key. Ordinarily, only the parties to the communication
know the key, which can be destroyed and forgotten as soon as the communication has ended and need never be sent to
anyone else. In most well designed encrypted communications systems, third parties - including the developer of the software used to
perform the encryption and the service providers who operate the infrastructure through which it traverses - do not know or have copies of these keys;
the encryption is said to be end-to-end, meaning it is conducted entirely between the communicating parties. End-to-end
encryption is an important simplifying principle that allows for secure communication even over insecure media. It means that
only the endpoints (the computers or devices being directly used by the parties) need to have access to and protect the keys, and the
compromise of any other part of the system has no effect on the security of the messages. Securing the endpoints can sometimes be
perilously difficult in practice, but it is a much simpler problem than securing the entire path over which messages are transmitted. Any law enforcement
access scheme of the kind apparently envisioned by the FBI would, necessarily, involve a mechanism for the transmission and storage of
sensitive secret keys to a third party (whether the government or some other entity that holds it). This approach is sometimes called key
escrow, key recovery or trusted-third party encryption; the secret is held "in escrow" by a third party. Key escrow was the widely criticized
approach incorporated into the Clipper Chip in the early 1990's. It destroys the end-to-end design of robust encryption systems without any
benefit to the application. There are several fundamental problems with such schemes. The most basic problem with law enforcement access
cryptography is simply that we do not fully understand how to design them, even at an abstract, theoretical level. Any key escrow or
lawful access cryptography system, by its very nature, increases its number of points of failure. Unfortunately, we do not understand
the problem well enough to even quantify how this reduces security, let alone identify a safe level for this reduction. The design and
implementation of even the simplest encryption systems is an extraordinarily difficult and fragile process. Very small changes
frequently introduce fatal security flaws. Ordinary (end-to-end, nonescrowed) encryption systems have conceptually rather simple
requirements and yet, because there is no general theory for designing them, we still often discover exploitable flaws in fielded systems.
Adding key escrow renders even the specification of the protocol itself far more complex, making it virtually impossible to
assure that any systems using it will actually have the security properties that these systems are intended to have. It is possible,
even likely, that lurking in any key escrow system will be one or more design weaknesses that allow recovery of data by
unauthorized parties. The commercial and academic world simply does not have the tools to analyze or design the complex systems that arise from key
recovery. This is not simply an abstract concern. Virtually all law enforcement key recovery or key escrow proposals made to date, including
those designed by the National Security Agency (the Clipper Chip), have had unanticipated design weaknesses discovered after the fact.
Frequently, subtle but devastating weaknesses in cryptographic systems and protocols are only discovered long after they are
deployed in products and services, which means that sensitive data was at risk from their very first day of use. Law enforcement
access requirements make such hidden flaws far more likely to exist. Aside from cryptographic weaknesses, there are significant
operational security issues. Third-party access, by its nature, makes encrypted data less secure because the third party itself
creates a new target for attack. The FBI has not stated whether the cryptographic access mechanisms they desire would be operated centrally or by the
vendors of individual products. Either approach creates its own inherent risks and costs. A centralized system becomes a large and highly
attractive target, while leaving the task to individual product vendors introduces the likelihood that some vendors will lack the
resources to securely manage the keys for their customers or will be specially targeted for attack by national adversaries. Importantly from a
business perspective, the infrastructure to properly support any scheme of this kind would be very expensive to operate. Further
risks arise from the operational complexity of managing access to the secret keys. Key access centers must presumably be
prepared to respond to law enforcement requests for key data 24 hours a day, completing transactions within a short time of
receiving each request and in complete secrecy from the target of the investigation. There are thousands of law enforcement
agencies in the United States authorized to perform electronic surveillance; the escrow centers must be prepared to identify,
authenticate and respond to any of them within a short time frame. Even if we imagine relaxing these requirements considerably (e.g., one day
or even one week response time), there are few existing secure systems that operate effectively and economically on such a scale and
under such tightly constrained conditions. It is simply inevitable that lawful access systems that meet the government's
requirements will make mistakes in giving out the wrong keys from time to time or will be vulnerable to unauthorized key
requests. Nation-state adversaries could be expected to be particularly interested in, and adept at, fraudulent access to our law enforcement access services.
B. Access Requirements Make Critical Software Vulnerable to Attack The vulnerabilities introduced by the cryptographic and operational complexity of
introducing law enforcement access are significant; by itself, this should be sufficient reason to render any policy that requires access unacceptably risky. But
these are not the only problems. Even more serious, subtle, and difficult to prevent risks arise from the process of integrating the
mechanism into the end-user software itself. As noted above, computer science does not, in general, have the tools to build reliably
correct software, and any added requirements or features always increase the likelihood that the system as a whole will suffer
from unintended, and exploitable, vulnerabilities. Law enforcement access requirements are especially problematic in this regard
because of their inherent interaction with the most security-sensitive aspects of the systems that would use them. There has not
yet been a specific proposal that specifies exactly which digital products and services for which the FBI seeks surreptitious data
access mandates. But even under a very conservatively applied mandate, ensuring law enforcement access in this way would
necessarily add complex requirements to an exceptionally broad range of consumer, business, and infrastructure-support
software. We enjoy today a flourishing, heterogeneous software and service marketplace. Everything from small mobile apps that provide instant messaging
services to large-scale communication and data storage platforms routinely process communication and stored data that might potentially serve as evidence.
The approach advocated by the FBI would affect software across the full range of modern computing, from small systems built
by startups and entrepreneurs to large platforms managed by multinational corporations, be engineered to incorporate the law
enforcement access features, from decentralized and standalone application to centralized, cloud-based services. In small systems,
the law enforcement access mechanism could be expected to represent almost as much design and development effort as the
underlying function of the software itself. In larger systems, depending on the specifics of the software architecture, the law enforcement access
function would have to be designed around and interact with a large number of data management, security, and communications
functions. Compounding the difficulty is the range of different application and service architectures whose designs would have to accommodate integration
with the law enforcement access features. Each application would require significant engineering effort, much of which would be highly
specific to the particular piece of software. That is, much of the engineering effort required to put applications in compliance would
not be able to be re-applied to other systems, because each system has its own particular architectural and design constraints.
And because the access features are so security sensitive, this engineering work will require the highest quality assurance, testing, and validation, making it a
difficult, slow and very expensive process. Doing this properly (to the extent it can be done safely at all) will make the access feature a significant
bottleneck to many projects. Given the time and budget pressures under which many software projects operate, and because the
access feature is not directly useful to users, we can expect some developers to cut corners on the security engineering aspects of
this process, devoting only the minimum resources possible to meet the requirements. The result will be that while the features
might work in the sense that they allow law enforcement access, they can also be expected to account for a large proportion of
the potentially exploitable defects in the system as a whole. Incorporating law enforcement access features across even a subset of the most
widely used software systems is an extraordinary engineering task, the correctness of which is crucial for the security and integrity of any data that the software
might handle and of the environment in which it will run. In other words, the risks here come not just from the potential for direct misuse or
abuse of the law enforcement access mechanism itself, but from the inevitable introduction of unintentional software bugs that
can be exploited by bad actors to bypass the "front door" of the access mechanism to gain access to sensitive user data. An
alternative approach to requiring each software developer to design its own access mechanism is also possible, but would have even more negative effects on
the software ecosystem. This would involve the government developing approved software libraries that implement the access mechanism and requiring software
developers to incorporate them in their systems. Unfortunately, this scheme would have the effect of essentially outlawing software whose design and
architecture is incompatible with the standard official libraries. It would hugely attenuate the innovation that has driven the software economy,
and it would still carry most of the risks discussed above. C. These Risks Would Cut Across Our Nation's Infrastructure An important task for policymakers in
evaluating the FBI's proposal is to weigh the risks of making software less able to resist attack against the benefits of more expedient surveillance. It
effectively reduces our ability to prevent crime (by reducing computer security) in exchange for the hope of more efficient crime
investigation (by making electronic surveillance easier). Unfortunately, the costs of the FBI's approach will be very high. It will place our
national infrastructure at risk. This is not simply a matter of weighing our desires for personal privacy and to safeguard against
government abuse against the need for improved law enforcement. That by itself might be a difficult balance for policymakers to
strike, and reasonable people might disagree on where that balance should lie. But the risks here go far beyond that, because of the realities of how
modern software applications are integrated into complete systems. Vulnerabilities in software of the kind likely to arise from law
enforcement access requirements can often be exploited in ways that go beyond the specific data they process. In particular,
vulnerabilities often allow an attacker to effectively take control over the system, injecting its own software and taking control over
other parts of the affected system. The vulnerabilities introduced by access mandates discussed in the previous section are likely to include many in this
category. They are difficult to defend against or contain, and they currently represent perhaps the most serious practical threat
to networked computer security. For better or worse, ordinary citizens, large and small business, and the government itself depend
on the same software platforms that are used by the targets of criminal investigations. It is not just the Mafia and local drug dealers whose
software is being weakened, but everyone's. The stakes are not merely unauthorized exposure of relatively inconsequential personal
chitchat, but also leaks of personal financial and health information, disclosure of proprietary corporate data, and compromises of
the platforms that manage and control our critical infrastructure. In summary, the technical vulnerabilities that would inevitably
be introduced by requirements for law enforcement access will provide rich, attractive targets not only for relatively petty
criminals such as identity thieves, but also for organized crime, terrorists, and hostile intelligence services. It is not an
exaggeration to understand these risks as a significant threat to our economy and to national security.
Skeptics are wrong: grid attacks in particular are empirical and increasing; success is inevitable
Gilmour, researcher @ CSM, and Moniz, US Energy Secretary, 15 (Jared Gilmour, energy and politics
researcher and staff writer, Christian Science Monitor, citing Ernest Moniz, U.S. Energy Secretary, Climate change, cyberattacks
are growing threats to grid, says US energy chief, 4/27/15, http://www.csmonitor.com/Environment/Energy/2015/0427/Climatechange-cyberattacks-are-growing-threats-to-grid-says-US-energy-chief)RL
US energy infrastructure is vast, aging, and in need of an overhaul, Energy Secretary Ernest Moniz says, and the biggest challenges are
the most unpredictable: climate change and cyberattacks. Staggering in size, the US energy system includes 2.6 million miles of pipeline and 6.3 million
miles of electrical distribution lines. There are 414 natural gas storage facilities and 330 ports handling crude and petroleum products, plus 140,000 miles of
railway carrying crude and more from well to refinery - and that's only a small sample of the transmission, distribution, and storage systems that power the US.
But all of that infrastructure is vulnerable to growing threats, Sec. Moniz said Monday at a Monitor-hosted breakfast for reporters in Washington.
"I'm not going to single out one [threat] because we've got to address them all," Moniz said. But looking ahead, he added, "I think the two that almost
certainly will increase in risk level are cyber and extreme weather" made worse by climate change. Last week, Moniz rolled out his department's
Quadrennial Energy Review (QER), identifying weaknesses in US energy infrastructure - from inadequate natural gas distribution pipelines
to an outdated electric systems. The electric grid, the report found, is especially vulnerable. "Threats to the grid - ranging from geomagnetic
storms that can knock out crucial transformers; to terrorist attacks on transmission lines and substations; to more flooding, faster sea-level rise, and
increasingly powerful storms from global climate change - have been growing even as society's dependence on the grid has increased,"
according to the report. Among its recommendations for modernizing US energy infrastructure - most of which would require appropriations from the GOP-controlled
Congress - the QER requested $3.5 billion to update the electric grid, $2.5 billion to improve distribution of natural gas, and at least $1.5 billion to
shore up the Strategic Petroleum Reserve, an emergency stockpile of oil. The question is whether the Obama administration and Republicans in Congress can
agree on which energy projects to pursue and how to fund them. Some observers are hopeful that compromise is possible, particularly in light of bipartisan deals
in recent weeks that brought a Medicare "doc fix," the confirmation of Attorney General Loretta Lynch, and an anti-human-trafficking bill across the finish line.
"There is momentum and serious commitment to get some energy legislation out of Congress, and you're hearing it from all the leadership," says Margot
Anderson, executive director of the energy project at the Bipartisan Policy Center, a Washington think tank, in an interview Friday. "I think the QER can provide
some new ideas, and can be incorporated into what leadership is already talking about." The GOP response to the Obama administration's QER last week
suggested compromise between Republicans on Capitol Hill and the Democratic administration was possible - at least on some issues. "While we share our
differences with this administration regarding energy policy, when it comes to the transmission, storage, and distribution of our resources, we can all agree that
targeted changes to our laws and policies are necessary," Rep. Fred Upton (R) of Michigan and Rep. Ed Whitfield (R) of Kentucky, two top energy lawmakers,
said last week in a joint statement. What's unclear is how the Republican caucus will react to energy spending related to climate change. Many Republicans in
Congress have rejected the idea that humans are causing climate change, or that the government should take regulatory action to reduce emissions. Moniz
urged immediate action on climate change at Monday's breakfast, and noted that the QER is a part of President Obama's Climate Action Plan. "It's time to stop
debating what's not debatable," he said of global warming, referencing the broad scientific consensus that climate change is happening and is human-generated.
Climate change is a threat to energy infrastructure because planetary warming exacerbates high-intensity storms, makes water scarce, and alters weather
patterns - all of which can put unexpected strain on the US grid and can stress other critical infrastructure. Moniz said he was hopeful that efforts to curb climate
change would stall warming, diminishing the threat extreme weather poses in the future. At the same time, though, the grid is under attack from cyber
threats both domestically and around the world. Moniz emphasized that the energy sector needs to adapt to ever-changing cyber
threats, so that the industry can "stay ahead of the bad guys." As the Monitor reported in December, critical infrastructure in the US is
already under attack from hackers, and the grid would be a prime target in cyberwar. "The electric industry, in reality, has
done an inadequate job of securing the electric system," Joe Weiss, a leading expert on electric grid security, told the Monitor.
"Is cyber a household word in the electric sector? Yes. Are they trying to address cyber vulnerabilities in ways that will make sure all
systems are secure? No." "So far we have not had any major actual disruption of our energy infrastructure, but it ain't for lack of
people trying," Moniz said.
with a full scale US military response. That could include the use of nuclear weapons, if authorized by the President.
Even absent retaliation, grid failure triggers nuclear meltdowns and extinction
Huff, staff writer @ Natural News, 14 (Ethan A. Huff, staff writer and news analyst for Naturalnews.com and writer for
AlignLife.com, Natural News is a credible news source reporting on natural events, Nuclear power + grid down event = global
1ac econ
Contention 2 is ECONOMIC GROWTH:
Encryption backdoors directly risk financial attacks AND collapse the U.S. technology industry;
plan is key to overall growth
Clark, economic scholar, 14 (Thomas G. Clark, economics scholar, blogger on economics, politics, and philosophy,
university level English tutor, former administrator in public and private industries, How NSA overreach has done more damage
to the US economy than Osama Bin Laden could ever have dreamed of, Thomas G. Clark, Another Angry Voice Blog,
http://anotherangryvoice.blogspot.com/2014/01/nsa-overreach-worse-than-terrorism.html)//chiragjain
Ever since the Edward Snowden leaks started it has become more and more obvious that the NSA and their Five Eyes partners (the spooks in the UK,
Canada, Australia and New Zealand) have been making a concerted effort to monitor and control the entire Internet. They've engaged in vast data stealing
exercises designed to sweep up and store the private communications data of virtually everyone; the NSA have employed a team of some 850,000 NSA staff and
paragraph, I've obviously left out a lot of the nefarious activities orchestrated by the NSA and carried out by their mercenary army of hundreds of thousands of
private sector spooks and their Five Eyes collaborators. But even so, the above paragraph is more than enough to demonstrate that the security services in
the US, and the other Five Eyes collaborator states, are running dangerously out of control. The fact that the NSA and their Five Eyes collaborators
feel entitled to trawl the Internet for whatever they can find, which is then stored in vast data centres and subjected to algorithmic analysis without the need for
any kind of judicial warrant, demonstrates that something fundamental has changed in the relationship between the state and the citizen. Due process has been
abandoned, and as far as the security services are concerned, we are all assumed to be guilty. They don't have to be able to show probable cause, they don't
have to apply for a warrant from a judge, they just steal our data and use it as they see fit, with no democratic oversight at all over many of their
data stealing operations. The fact that the US state employs a staggering 850,000 NSA staff and private sector contractors to trawl this ocean of stolen
data should be alarming to anyone with the brains to think through the logical implications of such a vast mercenary army. You would have to be a hopeless
idealist to imagine that there are no "bad apples" at all amongst all these hundreds of thousands. If we assume that just 4% of them (one in every 25) are the
kind of people that would use their access to enormous surveillance powers to do things like steal commercially confidential information to order, blackmail
people, cyber stalk people, wage petty vendettas against old adversaries ... that would mean a rogue army of some 34,000 thieves, stalkers and blackmailers
with access to the NSA's vast caches of stolen data and their extraordinary surveillance capabilities. The fact that the NSA have been using their powers to
engage in industrial espionage against various countries such as Germany, Russia, China and Brazil illustrates that "the few bad apples" narrative, although
useful from an illustrative point of view, isn't actually the main concern. The main concern is that the NSA itself is corrupt to the core. Instead of using their powers
to maintain the rule of law and to "fight terrorism" they're actually intent on using their unprecedented espionage capabilities in order to undermine global
competition for the benefit of US based corporations. One of the most worrying revelations is that the spy agencies have deliberately compromised
the encryption technology used to keep our financial transactions safe, and that they have awarded themselves the power to
hack into bank accounts anywhere in the world and simply erase money out of existence, or invent fictional transactions. They
have undermined the integrity of the financial system in order to build themselves snooping capabilities that would have blown the minds of
the East German Stasi or the Soviet KGB. Perhaps the most damning element of all (from an American perspective) is the extraordinary amount
of damage the NSA have done to the reputation of US technology companies, by compelling them to breach the privacy of
their own customers and infecting their products with spyware. This trashing of the reputation of countless US based technology
companies comes with an enormous price tag. It has been estimated that the reputational damage inflicted on US technology
companies by their own government could amount to $180 billion, as millions of customers are turned off the idea of investing
in buggy, insecure and spyware laden products from US companies. If you add the estimated $180 billion in reputational damage to American
companies to the staggering cost of running the NSA and employing an army of 850,000 spooks, the cost of this folly is absolutely enormous. One of the
worst things about having trashed the reputation of their own technology sector, is the fact that the technology sector is one of
the few parts of the US economy that is healthy and productive. The US financial sector is a gigantic, virtually
unregulated and desperately unstable hotbed of corruption and reckless gambling and US manufacturing power has been in
decline since the neoliberals came to power in the 1980s and allowed short-term profiteers to asset strip US productivity. The US
economy is in decline, but that decline has been offset by a remarkable period of exponential growth in the US
technology sector. Any American with a reasonably comprehensive view of how their economy is structured must be absolutely aghast at the damage
inflicted on the technology sector by the power crazed spooks that considered their mission to infect everything they could with spyware as far more important
than the long term success of the US technology sector. Not only does it look like the NSA's overreach is going to cost the US economy
vastly more than any terrorist attack ever has, it also looks set to crush US ambition of controlling the Internet, as ever more
people realise that the Americans can no longer be trusted to control the fundamental infrastructure of the Internet. Any
non-US corporation with the slightest regard for data security is going to move away from reliance upon the US technology
sector as soon as possible, and any nation that values its own industries is surely going to approve of efforts to wrest
control of the Internet away from the US. The sheer scale of NSA data theft is driving the development of new highly
encrypted technology. It is only a matter of time before spook proof browsers and encrypted communications become
commonplace, because there is an undeniable market demand for such things. The most terrible thing from a US perspective
is that US technology companies will be completely cut off from entry into this new market because everyone is now
aware of how the US intelligence agencies have forced US technology companies to infect their own products with spyware and
invade the privacy of their own customers. Nobody is ever going to believe US technology companies when they give
assurances about privacy, meaning that the next wave of secure communications technology is going to arise outside the US.
The NSA have been using their surveillance powers to engage in industrial espionage in order to benefit US corporations. This is a clear demonstration that they
see it as their mission to help US corporations by fair means or foul. Given that this is one of their core objectives, the fact that they have inflicted such an
extraordinary amount of damage on the most vibrant sector of the US economy must go down as one of the most spectacular own goals in
history. They built a vast data stealing operation in order to help US corporations, but in doing so inflicted more damage on the US economy than Osama Bin
Laden could ever have dreamed of. The NSA have used their scaremongering narratives about the threat of terrorism to justify the slaughter of their own golden
goose, yet they would have us believe that they are not responsible. They would have everyone believe that Edward Snowden is the guilty party; that he alone is
responsible for the damage to the US technology sector. But their case is a ludicrous one. There is clearly something dreadfully wrong with the way things are set
up if just one man (out of some 850,000 spooks) can single handedly wipe an estimated $180 billion off the value of the US technology sector simply by telling
the truth.
Growth is vital to prevent multiple scenarios for conflict escalation and extinction
Haass, President of CFR and former Director of Policy Planning @ State, 13 (Richard N. Haass, President
of the Council on Foreign Relations, former director of policy planning for the Department of State and a principal adviser to
Secretary of State Colin Powell, former US Ambassador and coordinator for policy toward Afghanistan, former vice president and
director of foreign policy studies at the Brookings Institution, former lecturer in public policy at Harvard University's John F.
Kennedy School of Government, and a research associate at the International Institute for Strategic Studies. A Rhodes scholar,
Dr. Haass holds a BA from Oberlin College and Master and Doctor of Philosophy degrees from Oxford University.
The World Without America, 4-30-2013, http://www.project-syndicate.org/commentary/repairing-the-roots-of-american-powerby-richard-n--haass)KMM
Let me posit a radical idea: The most critical threat facing the United States now and for the foreseeable future is not a rising China, a reckless
North Korea, a nuclear Iran, modern terrorism, or climate change. Although all of these constitute potential or actual threats, the biggest
challenges facing the US are its burgeoning debt, crumbling infrastructure, second-rate primary and secondary schools, outdated immigration
system, and slow economic growth: in short, the domestic foundations of American power. Readers in other countries may be tempted to
react to this judgment with a dose of schadenfreude, finding more than a little satisfaction in America's difficulties. Such a response should not be surprising. The
US and those representing it have been guilty of hubris (the US may often be the indispensable nation, but it would be better if others pointed this out), and
examples of inconsistency between America's practices and its principles understandably provoke charges of hypocrisy. When America does not adhere to the
principles that it preaches to others, it breeds resentment. But, like most temptations, the urge to gloat at America's imperfections and struggles ought to be
resisted. People around the globe should be careful what they wish for. America's failure to deal with its internal challenges would come at a
steep price. Indeed, the rest of the world's stake in American success is nearly as large as that of the US itself. Part of the reason is economic. The US
economy still accounts for about one-quarter of global output. If US growth accelerates, America's capacity to consume other countries'
goods and services will increase, thereby boosting growth around the world. At a time when Europe is drifting and Asia is
slowing, only the US (or, more broadly, North America) has the potential to drive global economic recovery. The US remains a unique
source of innovation. Most of the world's citizens communicate with mobile devices based on technology developed in Silicon Valley; likewise, the Internet
was made in America. More recently, new technologies developed in the US greatly increase the ability to extract oil and natural gas from underground
formations. This technology is now making its way around the globe, allowing other societies to increase their energy production and decrease both their reliance
on costly imports and their carbon emissions. The US is also an invaluable source of ideas. Its world-class universities educate a significant percentage of future
world leaders. More fundamentally, the US has long been a leading example of what market economies and democratic politics can accomplish. People and
governments around the world are far more likely to become more open if the American model is perceived to be succeeding. Finally, the world faces many
serious challenges, ranging from the need to halt the spread of weapons of mass destruction, fight climate change, and
maintain a functioning world economic order that promotes trade and investment to regulating practices in cyberspace,
improving global health, and preventing armed conflicts. These problems will not simply go away or sort themselves out. While
Adam Smith's invisible hand may ensure the success of free markets, it is powerless in the world of geopolitics. Order requires the visible hand of
leadership to formulate and realize global responses to global challenges. Don't get me wrong: None of this is meant to suggest that the US
can deal effectively with the world's problems on its own. Unilateralism rarely works. It is not just that the US lacks the means; the very nature of contemporary
global problems suggests that only collective responses stand a good chance of succeeding. But multilateralism is much easier to advocate than to
design and implement. Right now there is only one candidate for this role: the US. No other country has the necessary combination
of capability and outlook. This brings me back to the argument that the US must put its house in order economically, physically, socially, and
politically if it is to have the resources needed to promote order in the world. Everyone should hope that it does: The alternative to a
world led by the US is not a world led by China, Europe, Russia, Japan, India, or any other country, but rather a world that is not
led at all. Such a world would almost certainly be characterized by chronic crisis and conflict. That would be bad not just for Americans, but for
the vast majority of the planet's inhabitants.
1ac humint
Contention 3 is HUMAN INTELLIGENCE:
Capability and effectiveness are collapsing now due to overreliance on encryption backdoors
only the plan solves
Eddington, Security Prof @ Georgetown, 15 (Patrick G. Eddington, assistant professor in the Security Studies
Program at Georgetown University, policy analyst in Homeland Security and Civil Liberties at the Cato Institute, former military
imagery analyst at the CIA's National Photographic Interpretation Center, former communications director and senior policy
advisor to Rep. Rush Holt (D-NJ), spent 11 years in the U.S. Army Reserve and the National Guard in both enlisted and
commissioned service, M.A. National Security Studies, Georgetown University, B.A. International Affairs, Missouri State
University, US wants to hack your phone because it doesn't have real spies it needs. Reuters. 2/23/15.
http://blogs.reuters.com/great-debate/2015/02/23/the-fbi-was-for-encryption-before-it-was-against-it/)//ET
Last fall, when Apple and Google announced they were cleaning up their operating systems to ensure that their users' information was encrypted to prevent
hacking and potential data loss, FBI Director James Comey attacked both companies. He claimed the encryption would cause the users to place themselves
above the law. The tech community fired back. The only actions that have undermined the rule of law, Ken Gude wrote in Wired, are the
government's deceptive and secret mass-surveillance programs. The battle resumed in February 2015. Michael Steinbach, FBI assistant
director for counterterrorism, said it is irresponsible for companies like Google and Apple to use software that denies the FBI lawful means to intercept data. Yet
the FBI does have a lawful means to intercept it: the Foreign Intelligence Surveillance Act. Its scope was vastly expanded by Congress in the wake of the 9/11
attacks. It's worth noting that the FBI never asked Congress to force tech companies to build back doors into their products immediately after the 9/11 attacks.
Only after Google and Apple took steps to patch existing security vulnerabilities did the bureau suddenly express concern that terrorists might be exploiting this
encryption. In fact, the bureau has a host of legal authorities and technological capabilities at its disposal to intercept and read communications, or even to
and neutralize home-grown violent extremists, including promulgating new rules on profiling that allow for the potential mapping of Arab- or Muslim-American
communities. The Justice Department's refusal to investigate the New York Police Department's mass surveillance and questionable informant-recruitment
tactics among immigrants in the Arab- and Muslim-American communities has only made matters worse. Overseas, the Cold War style of spying, relying on
U.S. embassies as bases from which CIA and other U.S. government intelligence personnel operate, is increasingly difficult in the areas of the
Middle East and southwest Asia undergoing often violent political change. Steinbach testified about this before the House Homeland Security
Committee earlier this month. The concern is in Syria, he explained, the lack of our footprint on the ground in Syria that the databases
won't have the information we need. Notice his reference to technology databases rather than the importance of the human element.
The U.S. intelligence community's emphasis should be on the spy on the ground who actually gathers critical information and
makes any penetration of a terrorist organization possible. This problem is true for Yemen as well, as a recent Washington Post story highlighted:
The spy agency has pulled dozens of operatives, analysts and other staffers from Yemen as part of a broader extraction of roughly 200 Americans who had been
based at the embassy in Sana, officials said. Among those removed were senior officers who worked closely with Yemen's intelligence and security services to
target al-Qaeda operatives and disrupt terrorism plots often aimed at the United States. The CIA's failure to field agents under
nonofficial cover, or to recruit enough reliable local informants on the ground who could communicate securely with CIA handlers outside Yemen,
is symptomatic of the agency's failure to break with its reliance on embassy-based operations throughout that part of the world.
Compromising encryption technology will do nothing to solve the intelligence community's human-intelligence deficit.
This is a problem the agency must address if it is ever going to be successful in finding and neutralizing terrorist cells overseas. It
boils down to the fact that the FBI and the U.S. intelligence community have failed to adapt their intelligence-collection practices
and operations to meet the challenges of the new world disorder in which we live. As former CIA officer Philip Giraldi has noted: [I]ntelligence
agencies that were created to oppose and penetrate other nation-state adversaries are not necessarily well equipped to go after
terrorists, particularly when those groups are ethnically cohesive or recruited through family and tribal vetting, and able to operate in a low-tech
fashion to negate the advantages that advanced technologies provide. The CIA has repeatedly attempted, occasionally at high cost, to penetrate
militant organizations like al Qaeda and Islamic State. Nonetheless, Washington's overall counterterrorism bias in funding and
manpower has been toward using the most sophisticated technology available as the key means of battling a relatively low-tech enemy. The
FBI's new anti-encryption campaign is just the latest phase in the government's attempt to deny Islamic State and related groups the
ability to shield their communications. If these militant groups were traditional nation-states with their own dedicated communications channels, we'd all
be cheering on the FBI's efforts. But the Internet has become the primary means for global, real-time communications for individuals, nonprofits,
businesses and governments. So it should not be treated as just another intelligence target, which is certainly the FBI's and National Security
Agency's current mindset. Using the legislative process to force companies to make defective electronic devices with exploitable
communications channels in the hope that they will catch a tiny number of potential or actual terrorists is a self-defeating strategy. If
implemented, the FBI's proposal would only make all Americans more vulnerable to malicious actors online and do nothing to stop the
next terrorist attack. When the FBI sabotages the efforts of consumers and businesses to secure their data through encryption, the agency is
essentially attacking the security foundations of the online world created over the past 20 years. Last year, total global online business-to-consumer sales were nearly $1.5 trillion. That figure is expected to pass $2 trillion in just a few years' time. Encryption of those transactions is
vital to the long-term success of the global online marketplace. The FBI's attack on the encryption revolution is an assault on the efforts by
citizens to maintain their Fourth Amendment rights against unlawful search and seizure. Instead of fighting the modern encryption revolution, the
government should be embracing it.
HUMINT filters the probability and magnitude of all existential threats prefer consensus of experts
and empirics
Johnson, Poli Sci Prof @ Georgia, 9 (Loch Johnson, Regents Professor of Political Science, University of Georgia,
former special assistant to the chair of the Senate Select Committee House Subcommittee on Intelligence Oversight, former staff
director of the House Subcommittee on Intelligence Oversight, former visiting scholar at Yale University, won the Josiah Meigs
Prize, the highest teaching honor at the University of Georgia in addition to the Owens Award, its highest honor for research,
editor of Intelligence and National Security, Ph.D. political science, University of California at Riverside, "Evaluating "Humint":
The Role of Foreign Agents in U.S. Security", Peer reviewed conference paper. 2/15/9.
http://citation.allacademic.com//meta/p_mla_apa_research_citation/3/1/0/6/6/pages310665/p310665-14.php)//ET
Abstract Intelligence is considered the first line of defense in U.S. security against foreign and domestic threats. A key
intelligence mission is the collection of information that can be handed on to analysts, who in turn assess its value in determining global threats and
opportunities. Among the most important methods of information collection is human intelligence, known by the abbreviation "humint."
Surveys inside the American intelligence community, as well as interviews with leading intelligence professionals and the
top consumers of humint, indicate that this approach to intelligence gathering contributes significantly to the government's
understanding of world affairs. Introduction The world is a dangerous place, plagued by the presence of terrorist cells; failed or failing
states; competition for scarce resources, such as oil, water, uranium, and food; chemical, biological, and nuclear weapons, not
to mention bristling arsenals of conventional armaments; and deep-seated animosities between rival nations and factions. For self-protection, if
for no other reason, government officials leaders seek information about the capabilities and (an especially elusive topic) the intentions of those
overseas (or subversives at home) who can inflict harm upon the nation. That is the core purpose of espionage: to gather information about threats,
whether external or internal, and to warn leaders about perils facing the homeland. Further, the secret services hope to provide leaders with data that can help
advance the national interest: the opportunity side of the security equation. Through the practice of espionage (spying or clandestine human intelligence:
whichever is one's favorite term) the central task, stated baldly, is to steal secrets from adversaries as a means for achieving a more
thorough understanding of threats and opportunities in the world. National governments study information that is available in the public domain
(Chinese newspapers, for example), but knowledge gaps are bound to arise. A favorite metaphor for intelligence is the jigsaw puzzle. Many of the pieces to the
puzzle are available in the stacks of the Library of Congress or on the Internet; nevertheless, there will continue to be several missing pieces, perhaps the most
important ones. They may be hidden away in Kremlin vaults or in caves where members of Al Qaeda hunker down in Pakistan's western frontier. The public
pieces of the puzzle can be acquired through careful research; but often discovery of the missing secret pieces has to rely on spying, if they can
be found at all. Some things (mysteries in the argot of intelligence professionals) are unknowable in any definitive way, such as who is likely to replace the
current leader of North Korea. Secrets, in contrast, may be uncovered with a combination of luck and skill: say, the number of Chinese nuclear-armed
submarines, which are vulnerable to satellite and sonar tracking. Espionage can be pursued by way of human agents or with machines,
respectively known inside America's secret agencies as human intelligence (humint, in the acronym) and technical intelligence (techint). Humint
consists of spy rings that rely on foreign agents or assets in the field, recruited by intelligence professionals (known as case officers during the Cold War or, in
more current jargon, operations officers). i Techint includes mechanical devices large and small, including satellites the size of Greyhound buses, equipped with
fancy cameras and listening devices that can see and hear acutely from orbits deep in space; reconnaissance aircraft, most famously the U-2; unmanned aerial
vehicles (UAVs) or drones, such as the Predator (often armed with Hellfire missiles, allowing the option to kill what its handlers have just spotted through the
lens of an onboard camera); enormous ground-based listening antennae, aimed at enemy territory; listening devices clamped surreptitiously on fiber-optic
communications cables that carry telephone conversations; and miniature listening bugs concealed within sparkling cut-glass chandeliers in foreign embassies
or palaces. Techint attracts the most funding in Washington, D.C. (machines are costly, especially heavy satellites that must be launched into
space), by a ratio of some nine-to-one over humint in America's widely estimated $50 billion annual intelligence budget. Human
spies, though, continue to be recruited by the United States in most every region of the globe. Some critics contend that these spies contribute little
on intelligence, survey data, and the author's interviews with individuals in the espionage trade. The essay is organized in the following
manner: it opens with a primer on the purpose, structure, and methods of humint; then examines some empirical data on its value; surveys more
broadly the pros and cons of this approach to spying; and concludes with an overall judgment about the value of agents for a nation's security.
1ac plan
Plan:
The United States federal government should pass the Secure Data Act.
1ac solvency
Contention 4 is SOLVENCY:
Only the plan solves vital to security and economy
McQuinn 14 (Alan McQuinn, Research Assistant, Information Technology and Innovation Foundation,
Former telecommunications fellow for Congresswoman Anna Eshoo, former Archer Fellow, University of Texas at Austin, interned
for the Office of Legislative Affairs, Federal Communications Commission, B.S. Public Relations and Political Communications,
University of Texas at Austin, The Secure Data Act could help law enforcement protect against cybercrime, The Hill, 12-19-2014, http://thehill.com/blogs/congress-blog/technology/227594-the-secure-data-act-could-help-law-enforcement-protectagainst)ML
Last Sunday, Sen. Ron Wyden (D-Ore.) wrote an op-ed describing the role that U.S. law enforcement should play in fostering stronger data
encryption to make information technology (IT) systems more secure. This op-ed explains Wyden's introduction of the Secure Data Act, which would
prohibit the government from mandating that U.S. companies build backdoors in their products for the purpose of
surveillance. This legislation responds directly to recent comments by U.S. officials, most notably the Federal Bureau of Investigation (FBI) Director James Comey, chastising
Apple and Google for creating encrypted devices to which law enforcement cannot gain access. Comey and others have argued that U.S. tech companies should design a way for law
AND, it's net better for law enforcement consensus of experts and empirics
Bankston 15 (Kevin S. Bankston, Policy Director of the Open Technology Institute and Co-Director of Cybersecurity Initiative,
New America, Security Fellow with the Truman National Security Project, serves on the board of the First Amendment Coalition,
former Senior Counsel and the Director of the Free Expression Project at the Center for Democracy & Technology, former
nonresidential fellow with the Stanford Law School's Center for Internet & Society, former Senior Staff Attorney and Equal Justice
Works/Bruce J. Ennis First Amendment Fellow at Electronic Frontier Foundation, former Justice William Brennan First
Amendment Fellow, litigated Internet-related free speech cases at the American Civil Liberties Union, J.D. University of Southern
California Law School, B.A. University of Texas at Austin, statement before the U.S. House of Representatives, Subcommittee on
Information Technology of the Committee on Oversight and Government Reform, Hearing on Encryption Technology and
a variety of high-level law enforcement and intelligence officials instead quickly raised concerns that such unbreakable
encryption, whether in the context of smartphones or in the context of end-to-end encrypted Internet communications, may
pose a challenge to law enforcement and intelligence investigations.2 Several officials have even gone so far as to urge Congress to pass legislation to address the issue,3 presumably by
requiring companies to build their systems such that even when their users' data is encrypted, the government can still obtain the plain text of that data when necessary to a lawful investigation. Put more colloquially, they seem to be
suggesting that companies build backdoors into their encrypted products and services in order to allow surreptitious access by
the government. With all due respect for the many legitimate needs of our law enforcement and intelligence agencies, I am here today to give you ten reasons why Congress should reject any such
proposal. First and most obviously 1. It was already rejected as a policy approach two decades ago, including by Congress. American policymakers
were faced with just this issue in the 90s as part of a policy debate often referred to as the Crypto Wars, where the Clinton Administration battled against privacy advocates and the technology industry on a variety of
breaches,
fronts to limit the spread of strong encryption in order to address law enforcement and intelligence concerns.4 One conflict was over the U.S. government's attempts to promote so-called key escrow technologies, such as the much-maligned Clipper
Chip,5 whereby the government or a trusted third party would hold master keys that could decode any encrypted communications. The other conflict was over the U.S. government's attempts to restrict the proliferation of strong encryption products
and use strong encryption, bar the government from mandating the use of key escrow technologies, and allow for the export of strong encryption.7 By 1999, that bill was cosponsored by a majority of House members, 258 of them, including current members
circumvent such a ban; legally, constitutional issues, especially those related to free speech, would be almost certain to arise, issues that are not trivial to resolve.9 As Professor Peter Swire, the White House's privacy czar at the time that it announced its
newly liberalized encryption export policies, recently summed up the conclusion of the Crypto Wars: If
there is modest harm and enormous gain to be derived from using certain technology,
societies should logically adopt that technology. In 1999, the U.S. government concluded that
strong encryption was precisely that type of valuable technology; it was worth going at least slightly dark
in order to reap the many benefits of effective encryption.10 One of the most obvious benefits of encryption, then as now, is that it ensures the security of the private communications and data of
Americans and American companies against all attackers. And if the government were to mandate backdoors into encrypted products and services 2. It would
seriously undermine our nation's cybersecurity, at a time when that security is already in crisis as demonstrated by the
endless string of high profile data breaches in the past year.11 Every technical expert that has spoken publicly on this controversy since it began last September,
both experts from the generation that fought in the original Crypto Wars,12 as well as experts from the next generation,13 has
concluded that it is impossible to devise a system that provides government access to data on encrypted devices, or to end-to-end encrypted communications, while also ensuring that it remains secure against other attackers, be they computer criminals,
industrial spies, Chinese intelligence, or anyone else.14 Whether you want to call it a front door or a back door, mandating
guaranteed government access to encrypted data would open us up to a variety of new cyber-threats. In fact, it would be an
open invitation for attackers to focus on hacking into U.S. products and services because they would be easier targets than
products and services that are not subject to such mandated vulnerabilities. As the Chief Information Security Officer of Yahoo put it when debating the issue with the Director of the
NSA at New America's cybersecurity conference in February, all of the best public cryptographers in the world would agree that you can't really build [secure]
backdoors in crypto That it's like drilling a hole in the windshield.15 Indeed, when the White House cybersecurity coordinator was asked last week if he
could name a single respected technical expert who believed it was possible, he had no answer.16 Even one of the government's
own top experts, the chief cybersecurity adviser to the Commerce Department's National Institute of Standards and Technologies, has publicly
concluded that when it comes to designing a secure key escrow system where the government has access to a master decryption key that can't be subverted by other attackers, [t]here's no way to do this where
you don't have unintentional vulnerabilities.17 Put another way, there is no way to build a secure golden key that can only be used by the
government, like that which was suggested in a recent Washington Post editorial that was immediately and roundly criticized by the Internet community.18 This fact was conclusively demonstrated in the 90s,19 and it is
equally true today.20 However, even assuming such a golden key system were feasible 3. It would cost the American economy untold billions of dollars. Experts estimated during the original Crypto Wars that building and operating the
kind of key escrow infrastructure desired by the government would have cost the government and industry many billions of dollars.21 Since then, the number of computer and Internet users, and computer and Internet devices, has grown exponentially; so too
has the complexity and cost of such a scheme to give the government the universal decryption capability it apparently desires.22 That's not even counting the many more billions of dollars that would be lost as consumers worldwide lost confidence in the
security of American computing products and online services. American technology companies, which currently dominate the global market, have already been wrestling with diminished consumer trust in the wake of revelations about the scope of the
National Security Agency's programs, a loss of trust already predicted to cost our economy billions of dollars.23 Any new requirement that those companies guarantee that the U.S. government have the technical capability to decrypt their users' data would
give foreign users, including major institutional clients such as foreign corporations and governments that especially rely on the security of those products and services, even more incentive to avoid American products and turn to foreign competitors. It
would also likely diminish trust in the security of digital technology and the Internet overall, which would slow future growth of the Internet and Internet-enabled commerce and threaten the primary economic engine of the 21st century. To put it bluntly,
foreign customers will not want to buy or use online services, hardware products, software products or any other information
systems that have been explicitly designed to facilitate backdoor access for the FBI or the NSA.24 Nor will many American users, for
that matter. Instead, they will turn to more secure products that are available for purchase or for free download from sources outside of
the United States, which is a major reason why 4. It would not succeed at keeping bad actors from using unbreakable encryption. Encryption technology and the
ability to create it was already becoming widespread during the original Crypto Wars,25 and at this point is nearly ubiquitous. And, as was true then,
much of that technology is free and open source. For example, there are the open source versions of PGP encryption software that are still the most popular end-to-end email encryption solution, the OpenSSL software library that has
long been used to encrypt vast amounts of every-day web traffic, open source disk encryption programs like TrueCrypt, the open source Off-The-Record instant messaging encryption protocol used by a wide variety of IM clients, and the TOR onion routing
software originally developed by the Naval Research Laboratory that is now widely used to circumvent oppressive governments' censorship regimes and allow for anonymous online browsing.26
A government mandate prohibiting U.S. companies from offering products or services with unbreakable encryption is of little use when foreign companies
can and will offer more secure products and services, and when an independent coder anywhere on the planet has the
resources to create and distribute free tools for encrypting your communications or the data stored on your mobile devices. As former
Homeland Security Secretary Michael Chertoff recently put it, "[T]hat genie is not going back in the bottle."27 The result is that a U.S. government-mandated backdoor into
the encrypted products and services of U.S. companies, while undermining the information security of millions of ordinary Americans and the
economic security of the American tech industry, would do little to prevent bad actors from taking advantage of strong encryption.
Or, as PGP's inventor Phil Zimmermann famously said in the 90s: "If privacy is outlawed, only outlaws will have privacy."28 Not only is such a mandate likely to be ineffective, but also 5. It's unnecessary
in order to keep us safe from criminals - but strong encryption is. So far, the opponents of strong device encryption have failed to offer
any compelling examples where such encryption seriously hindered a criminal investigation or prosecution. FBI Director Comey did offer, in his October
speech on the subject, four examples of cases where cellphone-derived evidence was supposedly critical to solving a crime, but those examples were quickly debunked by the press.29 During the same
event, Director Comey came up empty when asked for a real-world example where encryption actually stymied an investigation.30 And in March he admitted to the House Appropriations Committee that he wasn't in a position to offer a percentage
devices makes them especially attractive targets for criminals aiming to commit identity theft or other crimes of fraud, or even to commit violent crimes or further acts of theft against the phone's owner. Yet over a third of consumers fail to activate even the
simplest security mechanisms on their mobile devices.42 That is why
the FBI itself used to advise consumers with smartphones to turn their encryption on until
abruptly changing course and deleting that advice from its website last month.43 By taking this step for their customers and turning on encryption by default, mobile operating
system vendors have completely eliminated the risk of those crimes occurring, significantly discouraged thieves from bothering to steal smartphones in the first place, and ensured that those phones' contents will remain secure even if they are stolen. A
necessary consequence, of course, is that the contents will also remain secure if the phone is seized by law enforcement. 6. It would undermine and turn on its head the Fourth Amendment right to be secure in our papers and effects. The Fourth Amendment
gives individuals the right to be secure in their papers and effects, prohibiting unreasonable searches and seizures and requiring that any warrant authorizing such a government invasion be issued by a court based on a showing of probable cause.44 As
indicated by recent Supreme Court cases, the need for vigorous enforcement of that right has become even more acute in the context of powerful digital technologies. Most recently, a unanimous Supreme Court in the case of Riley v. California decided to
require warrants for the search of a cellphone in the possession of an arrestee, based on the unprecedented amount of private data that may be stored on such devices even though such searches incident to arrest have traditionally been allowed without a
warrant.45 As the Court explained, many cell phones are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries,
diaries, albums, televisions, maps, or newspapers.46 These devices, with immense storage capacity, can hold every picture [their users] have taken, or every book or article they have read, and even the most basic phones that sell for less than $20 might
hold photographs, picture messages, text messages, Internet browsing history, a calendar, a thousand-entry phone book, and so on.47 Ultimately, as the Supreme Court explicitly held, the search of a modern electronic device such as a smartphone or a
computer is more privacy invasive than even the most exhaustive search of a house. 48 As the Court concluded in Riley, We cannot deny that our decision today will have an impact on the ability of law enforcement to combat crime. Cell phones have
become important tools in facilitating coordination and communication among members of criminal enterprises, and can provide valuable incriminating information about dangerous criminals. Privacy comes at a cost.49 The court did not pretend that requiring
warrants for searches of cellphones seized incident to arrest did not risk diminishing law enforcement's effectiveness - it simply recognized that allowing such warrantless searches posed an even greater risk to our Fourth Amendment rights considering the
scope of data available on those phones. The court made a similar calculus in the 2012 case of U.S. v. Jones when it decided that the comprehensive long-term tracking of a car's movements on public roads using GPS technology constituted a search under
the Fourth Amendment, even though tracking that only reveals information that would have been visible from public space would not traditionally be considered to violate a suspect's Fourth Amendment-based reasonable expectation of privacy.50 Both the
Jones and Riley cases can be viewed as the Court's attempt to compensate for the sharp increase in the government's surveillance capabilities thanks to digital technology by ratcheting up legal protections against government searches.51
The use of encryption on cellphones can be seen as a similar means of compensating for the government's newfound technical powers
during this golden age of surveillance, using technology instead of the law to help restore the balance between government
power and individual power to something closer to what the Founding Fathers intended. Encryption opponents would push in the other direction and flip our Fourth Amendment rights on their head by instead casting the Fourth
Amendment as a right of the government - a right to dictate that the contours of the physical and digital worlds be redesigned to facilitate even easier surveillance.52 But there is no precedent for such a reading of the Fourth Amendment. As former computer
crime prosecutor Marc Zwillinger recently put it, "I don't believe that law enforcement has an absolute right to gain access to every way in which two people may choose to communicate And I don't think our Founding Fathers would think so, either. The fact
that the Constitution offers a process for obtaining a search warrant where there is probable cause is not support for the notion that it should be illegal to make an unbreakable lock. These are two distinct concepts."53 Zwillinger's comments echoed those
made by Senator John Ashcroft during the original Crypto Wars: There is a concern that the Internet could be used to commit crimes and that advanced encryption could disguise such activity. However, we do not provide the government with phone jacks
outside our homes for unlimited wiretaps. Why, then, should we grant government the Orwellian capability to listen at will and in real time to our communications across the Web?54 Or, as a more recent commentator put it: This argument [that encryption foils
the police's right to obtain evidence with a search warrant] misunderstands the role of the search warrant. A search warrant allows police, with a judge's approval, to do something they're not normally allowed to do. It's an instrument of permission, not
compulsion. If the cops get a warrant to search your house, you're obliged to do nothing except stay out of their way. You're not compelled to dump your underwear drawers onto your dining room table and slash open your mattress for them. And you're not
placing yourself above the law if you have a steel-reinforced door that doesn't yield to a battering ram.55 The law has never prohibited the creation of unbreakable locks, nor required us to hand our keys over to the government just in case it might need them
for an investigation, whether those keys are physical or digital. Indeed, the Founders themselves used ciphers to communicate with each other,56 and presumably would have viewed a demand that they hand over the key to their encryption scheme as
abhorrent to their rights - not only their Fourth Amendment right against government intrusion but also their First Amendment right to speak and associate both freely and anonymously. 7. It would threaten First Amendment rights here and free expression
around the world. Repeated court challenges to export controls on encryption during the Crypto Wars illustrate how any attempt by the government to limit the distribution of encryption software code, which is itself speech, would raise serious First
Amendment concerns. As one federal district court held when considering a First Amendment challenge to 90s-era encryption export controls, "This court can find no meaningful difference between computer language and German or French. All participate in
a complex system of understood meanings within specific communities {in this case, that of programmers and mathematicians}.... Contrary to defendants' suggestion, the functionality of language does not make it any less like speech.... Instructions, do-it-yourself manuals, recipes, even technical information about hydrogen bomb construction, are often purely functional; they are also speech."57 The Ninth Circuit Court of Appeals agreed, holding that the challenged encryption export regulations constituted a
"prior restraint on speech that offends the First Amendment."58 Therefore, not only would attempting to police the distribution of strong encryption code inside the United States require an endless and ineffective game of Internet whack-a-mole as old and new
encryption code proliferated across cyberspace, but the extensive censorship that would be necessary to fight that losing battle would also likely violate the freedom of speech. Similarly, a legal regime that forced individuals to cede their private encryption
keys to the government or to their communications providers for law enforcement purposes would also raise novel issues of compelled speech under the First Amendment. However, the free speech impact of a mandate against unbreakable encryption and in
favor of backdoors for government would reach far beyond just the communication of encryption code, and chill a wide variety of online expression. When individuals believe that they may be under surveillance, there is a chilling effect that can curb free
speech and the free flow of information online.59 If individuals must assume that their online communications are not secure but may instead be acquired by the U.S. government or by anyone else who might exploit an encryption backdoor, they will be much
less willing to communicate freely. By contrast, encouraging the availability of strong encryption free of surveillance backdoors can enable free expression both in the United States and around the world, 60 including by stymieing the censorship and
surveillance efforts of governments with less respect for human rights than our own. 8. It would encourage countries with poor human rights records to demand backdoor access of their own. The governments of countries like China, 61 India, 62 and the
United Arab Emirates63 have proposed a variety of measures that would require companies to implement key escrow systems or other forms of backdoors or stop doing business in those countries, proposals that the United States government has
criticized.64 Yet how can the United States credibly criticize, for example, the Chinese government for proposing an anti-terrorism bill that would require U.S. companies to hand over their encryption keys, if we impose a similar requirement here at home? And
how are U.S. companies to argue that they cannot implement such requirements and hand over the keys to foreign governments - even those with a history of human rights abuses - if they have already had to do so for the U.S. government? As Marc
Zwillinger has pointed out, if the U.S. mandates backdoor access to encrypted data, multinational companies will not be able to refuse foreign governments that demand [the same] access. Governments could threaten financial sanctions, asset seizures,
imprisonment of employees and prohibition against a company's services in their countries. Consider China, where U.S. companies must comply with government demands in order to do business. 65 Such a result would be particularly ironic considering the
U.S.'s foreign policy goal of promoting Internet Freedom worldwide and in China especially, including the promotion of encryption-based tools to protect privacy and evade censorship.66 Internet Freedom begins at home, and a failure by the United States to
protect Americans' ability to encrypt their data will undermine the right to encrypt and therefore human rights around the world. 67 The U.S. government supports the use of strong encryption abroad as part of our foreign policy objectives, and it should support
the same for Americans here in the United States. This is especially true considering that 9. An overwhelming majority of the House of Representatives and the President's own hand-picked advisors have already rejected the idea. Echoing the House's
overwhelming support for the SAFE Act during the Crypto Wars of the 90s, an overwhelming and bipartisan majority of the House of Representatives already rejected the idea of encryption backdoors just last year. 68 That's when, by a vote of 293 to 123,69
the House approved the Sensenbrenner-Massie-Lofgren amendment to the Defense Appropriations Act, H.R. 4870. That amendment, responding to reports that the NSA had worked to insert surveillance backdoors into a variety of hardware and software
products, would have prohibited the NSA or the CIA from using any funds to mandate or request that a person alter its product or service to permit the electronic surveillance of any user of said product or service for said agencies.70 Although the
amendment, which was supported by a quickly organized activist campaign71 and a broad coalition of Internet companies and civil society organizations like Google and the American Civil Liberties Union,72 did not make it into the final CRomnibus
spending bill,73 it was still a potent indicator that Congress is skeptical of U.S. government efforts that would weaken the security of American hardware and software products. Equally skeptical of encryption backdoors were the five experts hand-picked by
Internet industry and the Internet activists agree, which is why 10. It would be vigorously opposed by a unified Internet community. Decades before the massive online advocacy campaign that stopped the SOPA and PIPA copyright bills in 2012,75 The
Crypto Wars - and, in particular, the battle against the Clipper Chip - represented the Internet community's first major political engagement. And it was a rousing success. An unprecedented alliance of Internet users, technologists, academics, the technology
industry, and newly-emerging Internet rights advocacy organizations like the Electronic Frontier Foundation, the Center for Democracy and Technology, and the Electronic Privacy Information Center, flexed its muscles for the first time and made a huge
difference in the political process. They organized experts to speak on panels, testified before Congress, and circulated electronic petitions, including one that got over 50,000 signatures - an extraordinary number in the early days of Internet activism.76 That
Internet community, which won the first Crypto Wars two decades ago and more recently blocked SOPA and PIPA, has only grown larger and more vocal in the intervening years, and will certainly make its voice heard if another round of Crypto Wars were to
INHERENCY
legal avenue
through which the government can force service providers to insert backdoors into their own products. The 2008 FISA
Amendments Act194 amended the Foreign Intelligence Surveillance Act195 to state that: (1) . . . [T]he Attorney General and the
Director of National Intelligence may direct, in writing, an electronic communication service provider to (A) immediately provide the
Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the
secrecy of the acquisition and produce a minimum of interference with the services that such electronic communication service
provider is providing to the target of the acquisition . . . . (2) . . . The Government shall compensate, at the prevailing rate, an electronic
communication service provider for providing information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).196 Details on
the government's interpretation and use of this law are understandably impossible to find. However, some commentators have argued that the law gives the
government wide powers to order communication service providers such as cell phone companies and ISPs to make their
networks available to government eavesdroppers.197
Backdoors now
Soghoian et al 15 (Christopher Soghoian, researcher at Harvard and Yale, Kevin Bankston, Policy Director of New America's Open Technology
Institute, Fred Cate, C. Ben Dutton Professor of Law at Indiana University Maurer School of Law, Chris Hoofnagle, Co-Director, Berkeley Center for Law &
Technology, Marcia Hofmann, senior staff attorney at the Electronic Frontier Foundation, Rob Faris, Research Director of the Berkman Center for Internet and
Society at Harvard University, Albert Gidari, partner of Perkins Coie in Privacy & Security, Jennifer Granick, Director of Civil Liberties for the Center for Internet
and Society at Stanford Law School, Orin Kerr, professor of law at the George Washington University , Susan Landau, Professor of Social Science and Policy
Studies at Worcester Polytechnic Institute, Paul Ohm, Professor of Law at the Georgetown University Law Center, Nicole Azer, Technology & Civil Liberties Policy
Director in ACLU California, John Palfrey, previous executive director of Harvard's Berkman Center for Internet & Society, Marc Rotenberg, President and
Executive Director of the Electronic Privacy Information Center, Adam Schostack, expert in security, Ryan Singel, journalist of technology at WIRED, Adam
Thierer, senior research fellow with the Technology Policy Program at the Mercatus Center at George Mason University, Jonathan Zittrain, professor of Internet
law and the George Bemis Professor of International Law at Harvard Law School, Privacy And Law Enforcement: Caught In The Cloud: Privacy, Encryption, And
Government Back Doors In The Web 2.0 Era, 12/16/13,
http://www.researchgate.net/publication/228365094_Privacy_And_Law_Enforcement_Caught_In_The_Cloud_Privacy_Encryption_And_Government_Back_Doors_In_The_Web_2.0_Era, page 416-417)//EM
ENCRYPTION CAN BE CIRCUMVENTED Let us now go back to our earlier hypothetical scenario in which all cloud services have switched to data encryption
with a key private to the user. In this situation, the government will not be able to use a subpoena to force the revelation of a user's private files, since the service
provider will only possess encrypted data. However, it may be possible for the government to force that company to place a backdoor in its
web-based product in order to steal the user's encryption key. As an example, when the user enters her password in to the
encryption enhanced Google Docs web application, instead of keeping the password in local memory on her computer, a copy of it will be
silently recorded and later transmitted to a FBI server. While market forces might be able to neutralize the privacy problems associated with the
third party doctrine by encouraging the use of encryption, there are no readily available market forces or technology that can protect a
company from a lawful order compelling that firm to insert a backdoor into its own products. To make matters worse, the move to cloud
computing increases the amount of private information available at risk of covert government capture, and, as this next section will
explain, also makes it significantly easier for companies to deploy these compelled backdoors.
The biggest battle has always been about encryption. From the 1980s, public-key cryptography gave the technically savvy the
ability to protect the privacy of their messages using military-grade encryption, which meant the state could no longer monitor all
online communications. The first response was to outlaw dissemination of the technology. When that failed, in 1993 the Clinton
administration tried a new tack - the Clipper chip proposal. This involved two things: the installation of a doctored chip in
mobile phones; and (later) mandating that all encryption systems should lodge a copy of decryption keys with a trusted third
party who would turn them over to the cops on production of a warrant (key escrow). The chip idea collapsed under the weight
of its own absurdity, and in 1997 the key escrow idea was examined and demolished by a group of leading computer security experts and
eventually Clinton quietly buried the idea. Result: Technology 1, Establishment 0. But now it's back, with a vengeance. Stung by
the fact that, post-Snowden, Apple, Google and Facebook are implementing strong encryption, governments are starting to
panic. Over in Washington, FBI director, James Comey, is infuriated that applications such as Facebook's WhatsApp and Apple's
iMessage are now providing end-to-end encryption, a technology that Comey claims is being exploited by - guess who? - Isis.
Comey wants companies to be forced to insert a backdoor for law enforcement into encryption software. Over here, David
Cameron has been drinking the same Kool Aid. "In our country," he asked in January, "do we want to allow a means of
communication between people which we cannot read? My answer to that question is: no we must not." Which means
either that he wants to ban services such as WhatsApp or iMessage or that he will demand a backdoor into them.
Since banning them is a non-starter, we've arrived at Clipper chip v2.0. And, as luck would have it, the same group of experts
who demolished the original proposal have now had a look at the prospects for v2.0. Their report, Keys Under Doormats:
Mandating insecurity by requiring government access to all data and communications, is worth reading in full. It concludes that
proposals for backdoors are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on
security at a time when internet vulnerabilities are causing extreme economic harm. In case you're wondering what could be
wrong with entrusting secret keys to the government for use in exceptional circumstances, just ponder this: a few months ago,
hackers (suspected to be Chinese) stole the personnel records of 21.5 million US federal employees, including the records of
every person given a government background check for the last 15 years.
agencies or hackers, pirates and terrorists won't discover and exploit them? The
government can get a warrant and break into the communications or data of any individual or
company suspected of breaking the law. But crippling everyone's ability to use encryption is going too
far, just as the N.S.A. has exceeded its boundaries in collecting everyone's phone records
rather than limiting its focus to actual suspects. Representative Rush Holt, Democrat of New
Jersey, has introduced a bill that would, among other provisions, bar the government from requiring
software makers to insert built-in ways to bypass encryption. It deserves full Congressional support. In
the meantime, several Internet companies, including Google and Facebook, are building encryption
systems that will be much more difficult for the N.S.A. to penetrate, forced to assure their customers
that they are not a secret partner with the dark side of their own government.
Intelligence agencies have bypassed encryption using a variety of methods, including backdoors
Zetter 13 (Kim, award-winning, senior staff reporter at Wired covering cybercrime, privacy, and security, NSA's Decade-Long
Plan to Undermine Encryption Includes Backdoors, Stolen Keys, Manipulating Standards, 9/5/13,
http://www.wired.com/2013/09/nsa-backdoored-and-stole-keys/) WZ
Without the ability to actually crack the strongest algorithms that protect data, the intelligence agencies have systematically worked to thwart or bypass
encryption using a variety of underhanded methods, according to revelations published by the New York Times and Guardian newspapers and the journalism
non-profit ProPublica, based on documents leaked by NSA whistleblower Edward Snowden. These methods, part of a highly secret program codenamed Bullrun,
have included pressuring vendors to install backdoors in their products to allow intelligence agencies to access data , and obtaining encryption keys
by pressuring vendors to hand them over or hacking into systems and stealing them. Most surprising, however, is the revelation that the agency has worked to
covertly undermine the encryption standards developers rely upon to build secure products. Undermining standards and installing backdoors don't just allow the
government to spy on data but create fundamental insecurities in systems that would allow others to spy on the data as well. "The encryption technologies that
the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records,
financial transactions, and commercial secrets," Christopher Soghoian, principal technologist of the ACLU's Speech, Privacy and Technology Project, said in a
statement about the revelations. "Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the internet less secure
and exposing us to criminal hacking, foreign espionage, and unlawful surveillance. The NSA's efforts to secretly defeat encryption are recklessly shortsighted and
will further erode not only the United States' reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest
companies." The revelations are the latest in a trove of documents obtained by Snowden earlier this year that detail extensive spying operations on the part of
the NSA and foreign partners like the Government Communications Headquarters in the UK. Past revelations have disclosed the extensive amount
of data encrypted and unencrypted that the agencies siphon from land and undersea cables. Previous documents have discussed how the NSA
retains encrypted traffic with an eye toward researching methods to crack it. According to today's media reports, the NSA maintains an internal
database, called a Key Provisioning Service, of encryption keys for specific commercial products to automatically decode communications. If the
necessary key is missing from the collection, a request goes out to the so-called Key Recovery Service to obtain it. How keys are acquired is shrouded in
secrecy, but independent cryptographers say many are probably collected by hacking into companies' computer servers, where they are stored, the Times
writes. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal
means. Approval to release to non-Sigint agencies, a GCHQ document says, will depend on there being a proven non-Sigint method of acquiring keys. It
should be noted that these methods don't involve cracking the algorithms and the math underlying the encryption, but rather rely upon circumventing and
otherwise undermining encryption. Properly implemented strong crypto systems are one of the few things that you can rely on, Snowden said in an interview
with the Guardian earlier this year. He warned, however, that the NSA often bypassed encryption altogether by targeting the endpoint computers in order to grab
communications before and after they were encrypted. The most shocking revelation involves the NSA's efforts to deliberately weaken international encryption
standards developers use to make their encryption secure, thereby undermining systems that human rights organizers, Third World activists and others depend
upon to protect their communications from corrupt and oppressive regimes and U.S. companies rely upon to keep their trade secrets secret. One of the agency's
stated goals in its 2013 budget was to influence policies, standards and specifications for commercial public key technologies. According to a classified NSA
memo obtained by the Times, a fatal weakness in a 2006 standard, discovered by two Microsoft cryptographers in 2007, appeared to have been engineered by
the NSA. The agency wrote the standard and aggressively pushed it on the international group, the paper writes, privately calling the effort a challenge in
finesse. The NSA managed to become the sole editor on the standard, ensuring that its underhanded efforts paid off. The ten-year Bullrun program began
after the U.S. government failed in its plan to place a backdoor, the so-called Clipper chip, into encryption that would have allowed it to eavesdrop on
communications at will. Without the Clipper chip, the government launched a systematic plan using trickery and other methods to circumvent encryption and
achieved an unspecified breakthrough in 2010. In the wake of this, according to one document, vast amounts of encrypted Internet data which have up till now
been discarded are now exploitable. Some of the methods involved the deployment of custom-built, supercomputers to break codes in addition to collaborating
with technology companies at home and abroad to include backdoors in their products. The Snowden documents don't identify the companies that participated.
The program, according to the documents, actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their
commercial products' designs to make them exploitable. By this year, the Times reports, the program had found ways inside some of the
encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors or by surreptitiously
exploiting existing security flaws. The agency also expected to gain full unencrypted access to an unnamed major Internet phone call
and text service; to a Middle Eastern Internet service; and to the communications of three foreign governments, the paper notes. In one case, after the
government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a backdoor into the
product before it was shipped, a source told the Times. "Basically, the NSA asks companies to subtly change their products in undetectable
ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on,"
cryptographer Bruce Schneier notes in a story by the Guardian. "If the backdoor is discovered, it's explained away as a mistake. And as we now
know, the NSA has enjoyed enormous success from this program."
hatted" as the commander of US Cyber Command, which oversees computer warfare operations. Those operations, by the way,
rely on breaking encryption. In some respects, the NSA is torn between two competing missions. It breaks codes. But it also makes them, mostly for the
purpose of protecting the government's information. In a recent interview with the national security blog Lawfare, Anne Neuberger, the senior official who
manages the NSA's relationships with technology companies, was asked about news reports that the agency had secretly included a vulnerability
into an encryption standard that was developed by the National Institute of Standards and Technology and then adopted by more than
160 countries. Neuberger called NIST an "incredibly respected close partner on many things", including setting encryption standards, some of which the
agency itself uses. But, she added, NIST "is not a member of the intelligence community". "All work that they do is... pure white hat," Neuberger said, meaning
not malicious and oriented solely on defending encryption. "Their only responsibility is to set standards" and "to make them as strong as they possibly can be".
That left out the work that NSA does to defeat those standards, which has included buying privileged access into encryption products sold commercially. Last
week, Reuters reported that the agency paid RSA, a major computer security vendor, $10 million to promulgate an encryption weakness the NSA had developed.
- Foreign Policy
The NSA has mandated high-tech vendors to build backdoors into their hardware
Adhikari 15 (Richard, The Fallout From the NSA's Backdoors Mandate, 1/13/15,
http://www.ecommercetimes.com/story/81530.html) WZ
The United States National Security Agency (NSA) is widely believed to have mandated high-tech vendors build backdoors into their hardware and software.
Reactions from foreign governments to the news are harming American businesses and, some contend, may result in the breakup of the Internet. For example,
Russia is moving to paper and typewriters in some cases to move certain types of information, Private.me COO Robert Neivert told the E-Commerce Times. Governments are pushing to enact
laws to force the localization of data -- generally meaning they won't allow data to be stored outside their borders to protect citizens against NSA-type surveillance -- a move that's of particular
concern to American businesses, according to a Lawfare Research paper. That's because they deem U.S. firms untrustworthy for having provided the NSA with access to the data of their users. Revisiting the Tower
of Babel? "There's an increased use of networks on behalf of Europe and other allies that do not pass through U.S. companies or U.S.-controlled networks," Neivert said. Some countries are even proposing to break
up the Internet. However, "people who say these things threaten the Internet itself are misunderstanding things," Jonathan Sander, strategy & research officer of Stealthbits Technologies, told the E-Commerce Times.
"The Internet produces too much wealth for too many people and organizations for anyone, including the U.S., to threaten it." The U.S. economy "is one of the best weapons we have in the technology war," Sander
continued. The U.S. market "is too big for foreign governments to ignore," which is why foreign companies continue doing business with the U.S. Concern has been expressed about invasions of privacy through
surveillance, but this issue is "a matter of policy" and there are differences in how citizens of different countries approach it, Sander pointed out. "In the EU and, to a lesser extent [Australia and New Zealand], privacy
is an issue at the ballot box so there are laws reflecting that." In the U.S., however, privacy "has yet to seriously break through as an issue, so there has been less motion," Sander remarked. Massive Cost to U.S.
Businesses In August of last year, the German government reportedly warned that Windows 8 could act as a Trojan when combined with version 2.0 of the Trusted Platform Module (TPM), a specification for a secure
cryptoprocessor. The TPM is included in many laptops and tablets, and the concern is that TPM 2.0 makes trusted computing functions mandatory rather than opt-in as before, meaning it can't be disabled. Further, it
policy counsel at New America's Open Technology Institute, told the E-Commerce Times. It's difficult to establish an exact dollar amount, but "experts have estimated that losses to the U.S. cloud industry alone could
reach (US)$180 billion over the next three years," Greene said. "Additionally, major U.S. tech companies like Cisco and IBM have lost nearly one-fifth of their business in emerging markets because of a loss of trust."
Foreign companies are using their non-U.S. status to advertise themselves as more secure or protective of privacy, Greene remarked. The Other Side of the Story On the other hand, Cisco's share of the service
provider router and carrier Ethernet market bounced back strongly after an unusually weak Q2, primarily because of a strong performance in the Asia-Pacific and the EMEA regions, SRG Research reported. "Cisco is
in a league of its own, with a global presence, credibility and product range that cannot be matched by its competitors," John Dinsdale, managing director and chief analyst at SRG, told the E-Commerce Times.
"When demand increases, there is only a rather short list of vendors who can satisfy it, and Cisco clearly has the strongest story to tell." In addition, the allegations that U.S. high-tech firms built backdoors into their
its backdoors, the NSA "broke the foundational element of trust, and that's something very difficult to recover from. [It has] in effect destroyed the trusted and secure reputation of U.S. companies," said Neivert. "More
and more we will see U.S. tech companies focusing on distinguishing their products and services with heightened security offerings and working to achieve legislative reforms that would rein in [surveillance
practices]. That's the case with the Reform Government Surveillance Coalition and tech industry trade associations that represent thousands of companies," New America's Open Technology Institute's Greene
added.
Companies are being pressured into building backdoors into their products
Guiliani 15 (Neema Singh, legislative counsel with the American Civil Liberties Union Washington Legislative Office, focusing
on surveillance, privacy, and national security issues, Chief of Staff's Office at DHS, concentrating on national security and civil
rights issues, adjudicator in the Office of the Assistant Secretary for Civil Rights in the Department of Agriculture, graduate of
Brown University where she earned a BA in International Relations with a focus on global security and received her JD from
Harvard Law School in 2008, 7/9/15, https://www.aclu.org/blog/washington-markup/should-companies-be-forced-enablesurveillance-and-compromise-security) WZ
At a congressional hearing yesterday, the Department of Justice urged Congress to pressure companies to weaken encryption by creating a so-called backdoor into products. That's in response to the increasing use of strong encryption in commercial technology that makes your information
inaccessible even to the companies whose tools you use. While the DOJ said they are not pursuing a mandatory backdoor for now, they left the door open to this type of proposal in
the future.
security experts accused them of attacking the internet itself and the privacy of all users. "Cryptography forms the basis for trust online," said Bruce Schneier, an
encryption specialist and fellow at Harvard's Berkman Center for Internet and Society. "By deliberately undermining online security in a short-sighted effort to
eavesdrop, the NSA is undermining the very fabric of the internet." Classified briefings between the agencies celebrate their success at "defeating network
security and privacy". "For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption
technologies," stated a 2010 GCHQ document. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable." An internal
agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!" The breakthrough,
which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's
fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government. The key
component of the NSA's battle against encryption, its collaboration with technology companies, is detailed in the US intelligence community's top-secret 2013
budget request under the heading "Sigint [signals intelligence] enabling". Funding for the program, $254.9m for this year, dwarfs that of the Prism program,
which operates at a cost of $20m a year, according to previous NSA documents. Since 2011, the total spending on Sigint enabling has topped $800m. The
program "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs", the document states.
None of the companies involved in such partnerships are named; these details are guarded by still higher levels of classification. Among other things, the
program is designed to "insert vulnerabilities into commercial encryption systems". These would be known to the NSA, but to no one else,
including ordinary customers, who are tellingly referred to in the document as "adversaries".
obligation of electronic communications service providers to provide the Government with all information, facilities, or assistance
necessary to accomplish the acquisition under section 702 of the FISA Amendments Act. Is the government using that rather generic
provision of law to force creation or maintenance of technological vulnerabilities in communications networks? If so, Congress ought to know, and so should the
public which relies on these facilities for secure communications. The Lavabit case gives the public some idea of how the government has relied on
similar assistance provisions in the criminal pen register statute to force disclosure of master encryption keys, despite the absence
of any explicit obligation to do so. There, the FBI wanted secure email provider Lavabit to install a pen register to identify Internet traffic
addresses for one of the company's users. The system was engineered so that that information was encrypted and could not be obtained via pen
register. The government then asked Lavabit for its SSL key. However, disclosing the key would give the government access to
communications of all other Lavabit customers, as well as the targeted user. Lavabit's owner, Ladar Levison, offered to collect the data for
the government, a compromise that would get the FBI the information it wanted without impacting the security of its other customers. Unappeased, the
government obtained a court order commanding Levison to travel from Texas to personally appear in a district court in Virginia to explain
his refusal to produce the key. It further secured a grand jury subpoena, which explicitly commanded Levison to appear before the
grand jury and bring with him Lavabit's private keys. While Levison was traveling to appear pro se in district court, the government obtained a third
order, this time a search warrant, which again commanded Lavabit to hand over its private keys and also gagged Levison and the company
from telling anyone that the government had done so. The District Court ruled against Levison and gave him 24 hours to comply. At that point,
Levison closed down Lavabit's services. Lavabit has now retained appellate attorneys and challenged the Court orders in the Fourth Circuit. Thanks to Levison's
decision to shut his doors rather than comply, we may one day get a public hearing on the legitimacy of this underground government practice. It appears there
was no secret review in the FISC or in Congress.
The NSA paid the RSA $10 million for backdoor access
Glaser 14 (April, writer and activist who works on a wide range of digital rights issues, After NSA Backdoors, Security Experts
Leave RSA for a Conference They Can Trust, 1/30/14, https://www.eff.org/deeplinks/2014/01/after-nsa-backdoors-securityexperts-leave-rsa-conference-they-can-trust) WZ
We thought we won the Crypto Wars, the fight to make strong encryption accessible to all, in the 1990s. We were wrong. Last month, Reuters broke news about
a deal struck between the popular computer security firm RSA and the National Security Agency. RSA reportedly accepted $10 million from
NSA to make Dual_EC_DRBG, an intentionally weakened random number generator, the default in its widely used BSAFE
encryption toolkit. RSA encryption tools are an industry standard used by large tech companies and individuals alike, to protect hundreds
of millions of people by encrypting our daily online interactions. We trust RSA's encryption every time we rely on the security of our
communications, including our email, financial and e-commerce transactions, medical and legal records, web searches, airplane traffic communications, text
messages, and phone calls. Without trustworthy encryption, safe business transactions are impossible and speech is chilled. The
allegation of the $10 million RSA/NSA deal, compounded with leaks earlier in the year about NSA's efforts to sabotage global cryptography, has led some
speakers to withdraw from the 2014 RSA Conference in San Francisco, which attracts some 25,000 attendees each year. Nine speakers have canceled their
coveted slots and many have chosen to speak instead at TrustyCon, an alternative conference started this year to provide a platform for speakers who protest
RSA and NSA's long-standing collaboration. At the same time and around the corner from the RSA Conference in San Francisco, TrustyCon is a Trustworthy
Technology Conference organized by DEF CON, EFF, and iSEC Partners. All proceeds from TrustyCon will be donated to the Electronic Frontier Foundation to
support our work against illegal and unethical government surveillance all over the world.
Data encryption can be bypassed through backdoors - Government coerces companies for key
Christopher Soghoian Ph.D 06 (Principal Technologist with the Speech, Privacy, and Technology Project at the American
Civil Liberties Union. He is also a Visiting Fellow at Yale Law School's Information Society Project. Caught in the Cloud: Privacy,
Encryption, and Government Back Doors in the Web 2.0 Era Privacy and Law Enforcement pg. 417
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1421553)CK
Let us now go back to our earlier hypothetical scenario in which all cloud services have switched to data encryption with a key
private to the user. In this situation, the government will not be able to use a subpoena to force the revelation of a user's private
files, since the service provider will only possess encrypted data. However, it may be possible for the government to force that
company to place a backdoor in its web-based product in order to steal the user's encryption key. As an example, when the user
enters her password in to the encryption enhanced Google Docs web application, instead of keeping the password in local
memory on her computer, a copy of it will be silently recorded and later transmitted to an FBI server. While market forces might be
able to neutralize the privacy problems associated with the third party doctrine by encouraging the use of encryption, there are
no readily available market forces or technology that can protect a company from a lawful order compelling that firm to insert a
backdoor into its own products. To make matters worse, the move to cloud computing increases the amount of private
information available at risk of covert government capture, and, as this next section will explain, also makes it significantly easier
for companies to deploy these compelled backdoors.
Cloud computing allows encryption to be bypassed - new software updates enable backdoor installation
Christopher Soghoian Ph.D 06 (Principal Technologist with the Speech, Privacy, and Technology Project at the American
Civil Liberties Union. He is also a Visiting Fellow at Yale Law School's Information Society Project. Caught in the Cloud: Privacy,
Encryption, and Government Back Doors in the Web 2.0 Era Privacy and Law Enforcement pg. 420
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1421553)CK
Finally, most cloud providers know a significant amount more about their customers than traditional software companies. Unless
a customer has given a false name, email providers and social networking companies know who their customers are as well as
the names and contact information for their friends. As a result, if law enforcement agencies serve a subpoena in order to obtain
the files for a specific customer, most cloud computing providers know exactly which account to target. This shift in the
effectiveness of software updates and the ease of customer identification significantly weakens the ability of cloud providers to
protect their customers' privacy with encryption. While Google could add encryption to its Docs application, the company could
just as easily be forced to add a back door in to the browser code which would steal the user's key. As I have just explained, this
would be automatically downloaded and executed the next time that the user logged in, with no way for her to avoid the update,
or even know that it was applied. Furthermore, because of the fact that Google typically knows which particular user account an
individual is using, it can issue the backdoor-laced update to only that user. Essentially, cloud computing makes it far easier for
companies to force out covert backdoors with surgical precision to only those persons who the government has targeted.
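An added example, not part of the Soghoian article or of this file: the targeted update described in the card above means one account is served script bytes that other accounts are not, so one defensive check is to compare digests of the same script as delivered to several accounts. The account names, script paths and script bodies below are constructed, and the check assumes the script is meant to be byte-identical for every user.

```python
import base64
import hashlib
from collections import Counter


def sri_digest(body: bytes) -> str:
    """Subresource Integrity style digest: 'sha256-' + base64(SHA-256(body))."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def find_targeted_variants(observations):
    """Flag scripts whose served bytes differ between accounts.

    observations: iterable of (account, script_path, body_bytes), one entry per
    script fetched while logged in as that account.
    Returns {script_path: {account: digest}} naming the accounts whose copy
    differs from the majority copy. If there is no clear majority, every
    account is listed, because no baseline can be inferred.
    """
    per_script = {}
    for account, path, body in observations:
        per_script.setdefault(path, {})[account] = sri_digest(body)

    flagged = {}
    for path, digests in per_script.items():
        counts = Counter(digests.values()).most_common()
        if len(counts) == 1:
            continue  # every account received identical bytes
        top_digest, top_n = counts[0]
        if counts[1][1] == top_n:
            # Tie between variants: report all accounts for manual review.
            flagged[path] = dict(digests)
        else:
            flagged[path] = {a: d for a, d in digests.items() if d != top_digest}
    return flagged


# Constructed sample data: three accounts fetch the same two scripts, and one
# account is served a modified editor script.
BASELINE_EDITOR = b"function encryptDoc(key, doc) { return seal(key, doc); }\n"
VARIANT_EDITOR = BASELINE_EDITOR + b"/* extra code served to one account only */\n"
STYLE_HELPER = b"function theme() { return 'light'; }\n"

SAMPLE_OBSERVATIONS = [
    ("alice", "/docs/editor.js", BASELINE_EDITOR),
    ("bob", "/docs/editor.js", BASELINE_EDITOR),
    ("carol", "/docs/editor.js", VARIANT_EDITOR),
    ("alice", "/docs/theme.js", STYLE_HELPER),
    ("bob", "/docs/theme.js", STYLE_HELPER),
    ("carol", "/docs/theme.js", STYLE_HELPER),
]

if __name__ == "__main__":
    for path, accounts in find_targeted_variants(SAMPLE_OBSERVATIONS).items():
        for account, digest in sorted(accounts.items()):
            print(f"{path}: {account} received a divergent copy ({digest})")
```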
new proposal reportedly allows the FBI to listen in on any conversation online, regardless of the technology used, by mandating
engineers build "backdoors" into communications software. We urge EFF supporters to tell the administration now to stop this
proposal, provisionally called CALEA II. The rumored proposal is a tremendous blow to security and privacy and is based on
the FBI's complaint that it is "Going Dark," or unable to listen in on Internet users' communications. But
the FBI has offered few concrete examples and no significant numbers of situations where it has been stymied by communications technology
like encryption. To the contrary, with the growth of digital communications, the FBI has an unprecedented
level of access to our communications and personal data; access which it regularly uses. In an age
where the government claims to want to beef up Internet security, any backdoors into our
communications makes our infrastructure weaker.
security and protect the public from criminals and terrorists, followed by members in over 130 nations, Will Apple iOS 8
Encryption Spur Demand for Lawful Intercept? 10/17/14, http://insidersurveillance.com/will-apple-ios8-encryption-spur-demandlawful-intercept/) WZ
When FBI Director James Comey took the podium in a recent public forum on going dark, all in attendance agreed that Apple iOS 8 encryption and other
measures designed to render mobile devices impenetrable will make it far more difficult for law enforcement to gather evidence essential to prosecuting
criminals. But the one point no one, including Comey, thought to address: how the near impossibility of cracking mobile devices may drive police to rely more
heavily on the tried and true alternative: more frequent recourse to court orders for lawful intercept under the Communications Assistance for Law Enforcement
Act (CALEA). Comey's appearance in a special event held Oct. 16, 2014 at the Brookings Institution in Washington, D.C. was triggered by the recent moves of
Apple and Google to add stronger encryption to operating systems for iOS and Android mobile devices. The companies' decision, widely interpreted in many
quarters as the latest tech sector reaction against surveillance in the post-Snowden era, has for weeks fueled protests from the FBI and other law enforcement
agencies. Comey led the chorus Thursday, citing examples of how the ability to comb data from phones seized during arrests has led to the successful
prosecution of murderers, drug lords, pedophiles, kidnappers and other bad actors. Apple's and Google's new strong encryption padlocks on iPhones and
Androids, he added, will essentially eliminate the possibility of conducting forensics on mobile devices, taking LEAs from dark to black in the struggle to keep
pace with criminals that leverage technology to stay one step ahead of the police. However, as a solution, Comey called for a change in CALEA that will most
assuredly be a non-starter with the tech industry, consumers and lawmakers alike: a new statute requiring equipment manufacturers to provide
front doors in mobile devices, allowing law enforcement agents to unlock encrypted iPhones, iPads and Android devices, when needed, to find evidence.
Comey further suggested that the encryption keys for each device sold be stored by mobile operators. There are inherent back doors, tech jargon for a built-in weakness, in both arguments. Confusion over Smart Device Encryption During his presentation, Comey repeatedly made reference to the front door concept
before conceding that he didn't care whether they're called front doors or back doors; he simply wanted lawful intercept capability built-in to all
mobile devices. That cleared the air a bit, but also exposed the basic flaw in his line of reasoning. To wit, there is no distinction between a front
and back door. They are one and the same: the ability to install a deliberate weakness in a system that can be readily hacked or accessed.
But no experts were invited to testify, a fact that several intelligence committee members brought up, demanding a second hearing to hear from them.
Comey got little pushback from the panel, despite his lack of any formal plan and his denial of science. Sen. Martin Heinrich, D-N.M., thanked him for his display
of humility in not presenting a solution, while Committee Chairman Richard Burr, R-N.C., said "I think you deserve a lot of credit for your restraint." Comey at
one point briefly considered the possibility of a world not like the one he imagined, then concluded: "If that's the case, then I think we're stuck."
communications products have "end-to-end" encryption, meaning even the company that produces the software can't break the encryption on messages sent
between its customers. Apple's iMessage network and Facebook's WhatsApp both use end-to-end encryption, for instance, while Google's competing Hangouts
product does not. Steinbach's comments echo those of his boss, FBI director James Comey, who in March asked Congress to pass a law that would force tech
firms to create a backdoor in any tool that uses encryption. "Tech execs say privacy should be the paramount virtue," Comey said then, "When I hear that I close
my eyes and say try to image what the world looks like where paedophiles can't be seen, kidnapper can't be seen, drug dealers can't be seen." "To have a zone
of privacy that's outside the reach of law is very concerning," Comey added. In May, Apple, Google and other tech firms wrote an open letter to the Obama
administration urging it to preserve strong encryption against pressure from agencies like the FBI. The letter argued that "strong encryption is the
cornerstone of the modern information economy's security," and that the government should "fully support and not undermine efforts to create
encryption standards [nor] in any way subvert, undermine, weaken or make vulnerable" commercial software.
SDA solves
The Secure Data Act is key to both cybersecurity and tech industry growth
McQuinn 14 (Alan, Research Assistant with the Information Technology and Innovation Foundation. His research areas
include a variety of issues related to information technology and Internet policy, such as cybersecurity, privacy, virtual currencies,
e-government, Internet governance, and commercial drones. The Secure Data Act could help law enforcement protect against
cybercrime, 12/19/2014, http://thehill.com/blogs/congress-blog/technology/227594-the-secure-data-act-could-help-lawenforcement-protect-against)ML
Last Sunday, Sen. Ron Wyden (D-Ore.) wrote an op-ed describing the role that U.S. law enforcement should play in fostering stronger data encryption to make
information technology (IT) systems more secure. This op-ed explains Wyden's introduction of the Secure Data Act, which would prohibit the
government from mandating that U.S. companies build backdoors in their products for the purpose of surveillance. This legislation
responds directly to recent comments by U.S. officials, most notably the Federal Bureau of Investigation (FBI) Director James Comey, chastising Apple and
Google for creating encrypted devices to which law enforcement cannot gain access. Comey and others have argued that U.S. tech companies should design a
way for law enforcement officials to access consumer data stored on those devices. In this environment, the Secure Data Act is a homerun for
security and privacy and is a good step towards reasserting U.S. competitiveness in building secure systems for a global market.
By adopting its position on the issue the FBI is working against its own goal of preventing cybercrime as well as broader government efforts to improve
cybersecurity. Just a few years ago, the Bureau was counseling people to better encrypt their data to safeguard it from hackers. Creating backdoor access
for law enforcement fundamentally weakens IT systems because it creates a new pathway for malicious hackers, foreign
governments, and other unauthorized parties to gain illicit access. Requiring backdoors is a step backwards for companies
actively working to eliminate security vulnerabilities in their products. In this way, security is a lot like a ship at sea, the more holes
you put in the system, government mandated or not, the faster it will sink. The better solution is to patch up all the holes in the system
and work to prevent any new ones. Rather than decreasing security to suit its appetite for surveillance, the FBI should recognize
that better security is needed to bolster U.S. defenses against online threats. The Secure Data Act is an important step in that
direction because it will stop U.S. law enforcement agencies from requiring companies to introduce vulnerabilities in their products. If this bill is enacted, law
enforcement will be forced to use other means to solve crimes, such as by using metadata from cellular providers, call records, text messages, and even old-fashioned detective work. This will also allow U.S. tech companies, with the help of law enforcement, to continue to strengthen their systems,
better detect intrusions, and identify emerging threats. Law enforcement, such as the recently announced U.S. Department of Justice
Cybersecurity Unit, a unit designed solely to deter, investigate, and prosecute cyber criminals, should work in cooperation with the private
sector to create a safer environment online. A change of course is also necessary to restore the ability of U.S. tech companies to
compete globally, where mistrust has run rampant following the revelations of mass government surveillance. With the 113th
Congress at an end, Wyden has promised to reintroduce the Data Secure Act again in the next Congress. Congress should move expediently to
advance Senator Wyden's bill to promote security and privacy in U.S. devices and software. Furthermore, as Congress marks up the
legislation and considers amendments, it should restrict not just government access to devices, but also government control of those
devices. These efforts will move the efforts of our law enforcement agencies away from creating cyber vulnerabilities and allow electronics manufacturers to
produce the most secure devices imaginable.
data security technologies if they are required to compromise them from the outset. Mandating weak security would further erode
trust in American products and services. Information technology companies are working to regain the trust of consumers upset by
revelations of government intrusions into their personal communications. A mandate requiring companies to facilitate additional
government surveillance would undermine those efforts. Senator Wyden's legislation builds on a bipartisan effort in the U.S. House of
Representatives, which approved an amendment by Reps. Thomas Massie, R-Ky., and Zoe Lofgren, D-Calif., to prohibit electronic vulnerability mandates on a
293-123 vote in June 2014.
major security flaws have been found in these "backdoors" that put the data security of every person and business using the
internet at risk. For example, a software testing firm found serious backdoor vulnerabilities in wiretapping software for law enforcement made by Israeli
software firm NICE Systems in 2013 that allowed hackers to completely compromise their system and listen to intercepted phone calls. If a backdoor is
created for law enforcement and intelligence surveillance, past experience has shown it's only a matter of time before hackers
exploit it too. These "backdoors" can also be detrimental to American jobs. Other countries buy less American hardware and
software and favor their domestic suppliers in order to avoid compromised American products. The Secure Data Act fixes this by
prohibiting any agency from requesting or compelling backdoors in services and products to assist with electronic surveillance.
the hands of the intelligence community. But unwarranted, backdoor surveillance is indefensible. The Secure Data Act is an
important step in rebuilding public trust in our intelligence agencies and striking the appropriate balance between national
security and civil liberty. They also point out that such backdoors could hurt the economy, saying that other countries would buy
less hardware and software to avoid the back door-compromised products.
using the Internet at risk." If a backdoor is created for law enforcement and intelligence surveillance purposes, "past experience has shown it's only a matter of time before hackers exploit it too," they said. They also
said the backdoors can be detrimental to American jobs, by prompting other countries to buy less American hardware and software in order to "avoid compromised American products."
The Secure Data Act is an important step to rebuilding trust - prevents backdoor mandates
Whippy 15 (Peter, Communications Director for the House of Representatives, Sensenbrenner, Massie & Lofgren Introduce
Secure Data Act, 2/4/15, https://lofgren.house.gov/news/documentsingle.aspx?DocumentID=397873) WZ
Bipartisan lawmakers today reintroduced the Secure Data Act to protect Americans' privacy
and data security by prohibiting surveillance agencies from requiring or compelling
surveillance backdoors in products and services. A similar amendment to the Department
of Defense Appropriations Act last year passed the House of Representatives by an
overwhelming 293-123 vote. This amendment was not included in the CRomnibus. U.S.
Reps. Jim Sensenbrenner (R- Wis.), Thomas Massie (R- Ky.), and Zoe Lofgren (D-Calif.),
sponsors of the Secure Data Act of 2015, issued the following statement: Congress has
allowed the Administration's surveillance authorities to go unchecked by failing to enact
adequate reform. Last Congress, the Massie-Sensenbrenner-Lofgren amendment garnered
support from an overwhelming bi-partisan majority in the House as a provision to the
Defense Appropriations bill, but unfortunately, was not included in the CRomnibus. With
threats to our homeland ever prevalent, we should not tie the hands of the intelligence
community. But unwarranted, backdoor surveillance is indefensible. The Secure Data Act is an
important step in rebuilding public trust in our intelligence agencies and striking the appropriate balance
between national security and civil liberty. It has been widely reported that US intelligence
and law enforcement agencies have requested or required individuals and organizations
build a backdoor into their product or service to assist in unwarranted electronic
surveillance. However, on more than one occurrence, major security flaws have been found
in these backdoors that put the data security of every person and business using the
internet at risk. For example, a software testing firm found serious backdoor vulnerabilities
in wiretapping software for law enforcement made by Israeli software firm NICE Systems in
2013 that allowed hackers to completely compromise their system and listen to intercepted
phone calls. If a backdoor is created for law enforcement and intelligence surveillance, past
experience has shown it's only a matter of time before hackers exploit it too. These
"backdoors" can also be detrimental to American jobs. Other countries buy less American
hardware and software and favor their domestic suppliers in order to avoid compromised
American products. The Secure Data Act fixes this by prohibiting any agency from requesting or compelling
backdoors in services and products to assist with electronic surveillance.
used-to-spy-on-americans.html)CK
Last fall, I served on a five-member Review Group that was charged by the president with making recommendations about reforming
the nation's foreign intelligence programs. [Our report is here: (PDF)] After reviewing this issue, we recommended that the law should
be changed as follows: "The government may not search the contents of communications acquired under section 702... in an
effort to identify communications of particular United States persons, except... when the government obtains a warrant based on
probable cause to believe that the United States person is planning or is engaged in acts of international terrorism." In effect, the
Review Group recommended that backdoor searches for communications involving American citizens should be prohibited
unless the government has probable cause and a warrant. This is essentially what the recently enacted House amendment
endorsed. The Review Group concluded that the situation under section 702 is distinguishable from the situation when the government lawfully intercepts a
communication when it has probable cause and a warrant. This is so because, in the section 702 situation, the government is not required to have either
probable cause or a warrant to intercept the communication. Because section 702 was not intended to enable the government to intercept the communications of
American citizens, because our recommended reform would leave the government free to use section 702 to obtain the types of information it was designed and
intended to acquire--the communications of non-U.S. citizens, and because the recommended reform would substantially reduce the temptation the government
might otherwise have to use section 702 impermissibly in an effort intentionally to intercept the communications of American citizens, we concluded that this
reform was both wise and essential. Now that the House of Representatives has agreed, it is time for the Senate and the president to
move forward to make this recommendation a reality. This change would be an important step forward in our nation's effort to
strike the right balance between liberty and security in a changing world.
days before easy wiretaps at the phone company, law enforcement agencies had to send an agent out to tap the line at the
suspect's home, or perhaps scale a nearby telephone pole. The widespread use of encryption brings us back to a form of
surveillance dependent upon manual labor. The Scarfo case provides a fantastic example of this, in which a suspect's use of disk encryption was
defeated by the FBI. A team of agents snuck into Scarfo's home, planted microphones and other recording devices in his computer, which then captured a copy
of his password as he typed it on the keyboard.116 No matter how strong the encryption, the human is always the weakest link, and the black bag job exploits
this. What this article proposes is not the end to the lawful acquisition of investigative data, merely that law enforcement no longer be able to deputize
service providers into quietly disclosing their customers' data. If a suspect is important enough, let the police dedicate the
significant manpower to break into her home in order to install bugs. Given the finite limit to the financial and human resources
available to law enforcement agencies, such a change in the balance of power, by raising the effective cost of such surveillance,
would force investigators to prioritize their targets, and shy away from fishing expeditions.117 Furthermore, such a dependence
on black bag jobs would also bring a further (and significant) benefit long sought by privacy activists: The return of the Fourth
Amendment. If police need to break into a suspect's home in order to try and install a password-stealing bug, they must first
obtain a search warrant, and thus find themselves firmly back in the familiar domain of the Fourth Amendment. This would lead
to at least some judicial oversight of investigations, something that is almost entirely absent under the current subpoena
standard.
must comply with FISA if the information is sent by or intended to be received by a particular, known U.S. person who is
intentionally targeted. This is why the WaPo's source's second comment is important. Overseas collection may result in massive amounts of surveillance on
Americans, but the NSA could believe that these common and voluminous mistakes are neither known nor intentional and therefore not
seek to comply with FISA. Another NSA argument might be that the contact lists are collected via vacuum cleaner surveillance, and no person is
targeted. Since no one is targeted, even if Americans' information is routinely sucked in, the collection falls outside the scope of electronic surveillance as FISA
defines it. Again, if all you care about is U.S. persons' privacy, then Congress' decision to limit regulation of electronic surveillance to situations Americans are
targeted might make sense if NSA collection consisted solely of traditional particularized surveillance. But once you shift to wholesale acquisition, nothing is
targeted, and that limitation stops protecting Americans and instead serves no purpose. I don't mean to suggest that, in 1978, Congress intended to leave foreign
collection unregulated. FISA's legislative history suggests Congress believed such surveillance affects the privacy interests of Americans and deserved to be
limited, but that Congress did not want to hold up the passage of FISA to resolve those more difficult issues. For a variety of reasons, Congress never really got
back to the problem. Initially, the price to be paid in American privacy may not have been high, but that has changed, and the bill for neglecting foreign
intelligence collection is now coming due. Our current information regarding other NSA bulk collection practices suggests that broad collection techniques will
inevitably incidentally acquire Americans' information, that the information will not be limited to information in address books and buddy lists, and that at least
some of this data, everyone will agree is content. The NSA's view appears to be that even pervasive unintentional collection that would otherwise be regulated or
prohibited does not affect the legality of its programs. For example, under Section 702, NSA official guidelines say that if the agency collects an American's
records while targeting a foreigner, even if the accidental collection is pervasive, it does not constitute a ... violation and does not have to be reported to the
NSA inspector general for inclusion in quarterly reports to Congress. NSA conducts this contact list surveillance outside of the FISA regime and without FISC
oversight. The American people deserve to know more about this collection program, how many Americans are affected, and why the NSA believes it is legal.
Congressional oversight of these kinds of programs is even more anemic than usual, and may be non-existent. The President amends E.O. 12333 without input
from Congress. The NSA was not reporting to the Intelligence Committees abuses that take place under E.O. 12333 authorized programs. For example, in the
October 2, 2013 FISA oversight hearing chaired by Sen. Patrick Leahy (D-VT), Director of National Intelligence James Clapper told Senator Amy Klobuchar that
the Administration's false assurances there had been no abuses of the Section 215 phone records collection were not false because the abuses identified in an
internal audit had occurred under E.O. 12333 and need not be reported. (after 1:25, hat tip to Marcy Wheeler). In late September, Intel Committee Chair
Feinstein acknowledged that, E.O. 12333 programs receive far less congressional oversight, and less protections for U.S. person privacy. The Senator ordered
that the NSA report further on its intelligence collection outside of FISA. Specifically regarding the contact list collection, the Washington Post quotes a senior
Intelligence Committee staffer: In general, the committee is far less aware of operations conducted under 12333, said a senior committee staff member,
referring to Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies. I believe the NSA would answer questions if
we asked them, and if we knew to ask them, but it would not routinely report these things, and in general they would not fall within the focus of the committee.
One major revelation of the Washington Post piece is that there isn't even Intel Committee oversight of 12333 overseas activities, even though Americans' data is
collected via that authority, and our privacy substantially affected. We have also learned that the NSA subverts encryption standards, collaborates
with technology companies in the United States and abroad to build backdoors into their products, and coerces businesses into handing
over their master encryption keys. These practices impact the privacy of average people by making the systems we rely on for the transmission and
storage of sensitive data less secure. Both the NSA and thieves can defeat weak encryption standards and find hidden backdoors. Turning over encryption keys
government to demand it. In 1994, Congress adopted the Communications Assistance for Law Enforcement Act (CALEA). CALEA was intended to preserve but
not expand law enforcement wiretapping capabilities by requiring telephone companies to design their networks to ensure a certain basic level of government
access. The Federal Bureau of Investigation pushed its powers under CALEA, however, and the law was expanded in 2005 by the Federal Communications
Commission to include broadband Internet access and interconnected VoIP services which route calls over the traditional telephone network. Pure Internet
services, however, are not subject to CALEA. The FBI will seek to change that, but for now, nothing in CALEA prohibits these companies from building robustly
secure products that will protect their customers' data from attacks. Yet, the Guardian reported that some companies have built or maintained backdoors allowing
government access to their services, and specifically identified Microsoft and its VoIP service, Skype. To the extent Skype's VoIP service operates peer-to-peer
independent of the traditional phone network, it is not subject to CALEA obligations. Yet, Microsoft said, in response to the Guardian report, when we
upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information
in response to a law enforcement or national security request. It's unclear what those legal obligations might be, though some have
pointed to the general obligation of electronic communications service providers to provide the Government with all information,
facilities, or assistance necessary to accomplish the acquisition under section 702 of the FISA Amendments Act. Is the government
using that rather generic provision of law to force creation or maintenance of technological vulnerabilities in communications networks? If so, Congress ought to
know, and so should the public which relies on these facilities for secure communications. The Lavabit case gives the public some idea of how the government
has relied on similar assistance provisions in the criminal pen register statute to force disclosure of master encryption keys, despite the absence of any explicit
obligation to do so. There, the FBI wanted secure email provider Lavabit to install a pen register to identify Internet traffic addresses for one of the company's
users. The system was engineered so that that information was encrypted and could not be obtained via pen register. The government then asked Lavabit for its
SSL key. However, disclosing the key would give the government access to communications of all other Lavabit customers, as well as the targeted user. Lavabit's
owner, Ladar Levison, offered to collect the data for the government, a compromise that would get the FBI the information it wanted without impacting the security
of its other customers. Unappeased, the government obtained a court order commanding Levison to travel from Texas to personally appear in a district court in
Virginia to explain his refusal to produce the key. It further secured a grand jury subpoena, which explicitly commanded Levison to appear before the grand jury
and bring with him Lavabit's private keys. While Levison was traveling to appear pro se in district court, the government obtained a third order, this time a search
warrant, which again commanded Lavabit to hand over its private keys and also gagged Levison and the company from telling anyone that the government had
done so. The District Court ruled against Levison and gave him 24 hours to comply. At that point, Levison closed down Lavabit's services. Lavabit has now
retained appellate attorneys and challenged the Court orders in the Fourth Circuit. Thanks to Levison's decision to shut his doors rather than comply, we may one
day get a public hearing on the legitimacy of this underground government practice. It appears there was no secret review in the FISC or in Congress. NSA
activities, either those overseas which target foreigners or those which tamper with encryption or commercial security, arguably fall outside of
FISC review because of FISA's parsed definitions of electronic surveillance and may elude Congressional oversight because they are
mistakenly considered to impact only foreigners. Now we know this is a mistake. The NSA is acquiring information about Americans from
overseas collection. Additionally, American disregard for the privacy of innocent foreigners has a direct impact on American companies, which depend upon
global trust to operate. Senator Feinstein is right; it's time for Congress to find out exactly what the NSA is doing under which legal authorities, and why. Given
what we now know, it's time to rein the NSA's practices in by expanding the categories of collection, surveillance, and other activities for which the NSA needs to
seek judicial and Congressional approval, since E.O. 12333 activities are causing collateral damage to American interests, civil liberties, and human rights.
Addressing the problem of NSA surveillance occurring outside of FISA and Congressional oversight will be complicated by arguments that the president would
have independent authority under Article II, even if FISA specifies that it is the exclusive means for conducting surveillance. It's time to have those arguments.
their web pages or products, all unbeknownst to the companies. These stories suggest that the government is creating and sneaking through a
back door to take the data. As one tech employee said to me, the back door makes a mockery of the front door. As a result of these allegations,
companies are moving to encrypt their data against their own government; they are limiting their cooperation with NSA; and they are pushing for
reform. Negative international reactions to media reports of certain kinds of intelligence collection abroad have resulted in a backlash
against American technology companies, spurring data localization requirements, rejection or cancellation of American contracts, and
raising the specter of major losses in the cloud computing industry. These allegations could dim one of the few bright spots in the
American economic recovery: tech. Without commenting on the accuracy of these media reports, the perception is still a problem even if the
media reports of these government collection programs are not true---or are only partly true. The tech industry believes them to be true, and more
importantly, their customers at home and abroad believe them to be true, and that means they have huge impact on American business and huge impact as well
on the relationship between these businesses and an intelligence community that depends on their cooperation. So, how should we think about reforms in
response to this series of allegations the Executive Branch can't, or won't, address? How about making the FAA the exclusive means for conducting
electronic surveillance when the information being collected is in the custody of an American company? This could clarify that the
executive branch could not play authority shell-games and claim that Executive Order 12333 allows it to obtain information on overseas non-US
person targets that is in the custody of American companies, unbeknownst to those companies. As a policy matter, it seems to me that if the
information to be acquired is in the custody of an American company, the intelligence community should ask for it, rather than take it
without asking. American companies should be entitled to a higher degree of forthrightness from their government than foreign companies, even when they are
acting overseas. Under the FAA, we have a statutory regime that creates judicial oversight and accountability to conduct electronic
surveillance outside the US for specific purposes: foreign intelligence (or traditional espionage), counter-terrorism, and prevention of WMD proliferation. It
addresses protections for both non-US and US persons. It creates a front-door, though compelled, relationship under which the intelligence
community can receive communications contents without individual warrants but with programmatic judicial oversight. FAA exclusivity would say to the
rest of the world that when the US conducts bulk electronic surveillance overseas, we are doing so for a particular, national security
purpose. The FAA structure with FISC review provides an independent check that the statutory purposes are met. Through
transparency agreements with the government, the American companies are able to provide their customers with some sense of how many
requests are made. This would not change the 12333 authorities with respect to non-US companies. It would also not change 12333 authorities when the
Executive Branch seeks to obtain the information in some other way than through the US company (i.e. breaking into the target's laptop, parking a surveillance
van outside their house, sending a spy, etc.). Some have asked me what would happen if foreign companies tried to set up shop here in the US to seek these
protections. I need to refine this part further, but would look to other statutory regimes that need to define the nationality of companies, like the Foreign Corrupt
Practices Act, or the CFIUS process. Executive Order 12333 itself offers a partial answer, defining a US person to include a corporation incorporated in the
United States, except for a corporation directed and controlled by a foreign government or governments. Others may argue that FAA provides inadequate civil
liberties protections. This proposal says nothing about the adequacy of that statute. What it says is that for data held by an American company about a target that
is not a US person, the checks within FAA are stronger than those under 12333 acting alone. I'm also not suggesting that this reform will shut down all
surveillance activities---something I'd personally oppose---nor will it address the full range of civil liberties concerns. It's not intended to. It simply aims to
restore the belief that when American companies are acting overseas, they bring with them American values, including those of privacy
protections.
ADV CYBERSECURITY
or digital world. Any lawful intercept or access solution should not lower the overall security. (emphasis supplied)19 The heart of the
problem is this: the Review Group and the vast majority of technical experts do not think the FBI's hopes are possible to
achieve, for the sorts of access suggested in CALEA II proposals. Even if they assist law enforcement in some respects, the proposed
lawful intercept and access solutions lower overall security. Repeated blue-ribbon panels of technical experts have come to the same
conclusion. In the 1990s, Representative Bob Goodlatte summed up the lessons that Congress was learning: Strong encryption prevents crime. Just
as dead-bolt locks and alarm systems help people protect their homes against intruders, thereby assisting law enforcement in
preventing crime, strong encryption allows people to protect their digital communications and computer systems against criminal
hackers and computer thieves. The blue-ribbon National Research Council said it best, concluding that strong encryption supports both law
enforcement efforts and our national security, while protecting the proprietary information of U.S. businesses. 20 An influential group
of encryption experts issued a 1997 report on The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption.21 Among the key findings of this
technical group: The deployment of key-recovery-based encryption infrastructures to meet stated specifications will result in substantial sacrifices in security and
greatly increased costs to end users. The report made numerous, telling criticisms of key recovery approaches. From my participation in the policy debates of
the era, there was no effective technical response by supporters of government key recovery approaches. In May, 2013, just prior to the first Snowden
revelations, the Center for Democracy and Technology gathered a different group of technical experts to write CALEA II: Risks of Wiretap Modifications to
Endpoints.22 The conclusions about the harms of mandated vulnerabilities were clear: The U.S. government is proposing to
expand wiretap design laws broadly to Internet services, including voice over Internet protocol (VoIP) services and other peer-to-peer tools that
allow communications in real-time directly between individuals. This report explains how mandating wiretap capabilities in endpoints poses serious
security risks. Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious
consequences for the economic well-being and national security of the United States. An impressive new technical study by a group of
experts was released on July 7, just before this hearing, entitled Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and
Communications.23 It states: We have found that the damage that could be caused by law enforcement exceptional requirements would be even greater today
than it would have been twenty years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today's
Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access
would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are
breached. The complexity of today's Internet environment, with millions of apps and globally-connected services, means that new law enforcement requirements
are likely to introduce unanticipated, hard to detect security flaws. The new study highlights three general problems. First,
practices now incorporate forward secrecy, where decryption keys are deleted immediately after use, so that stealing the encryption key used by a
communications server would not compromise earlier or later communications. If law enforcement requires
of Internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious
making security testing difficult and less effective. Third, exceptional access would create concentrated targets for bad
actors to target: Security credentials that unlock the data would have to be retained by the platform provider, law enforcement agencies, or some other
trusted third party. If law enforcement's keys have guaranteed access to everything, an attacker who gained access to these keys
would enjoy the same privilege. Moreover, law enforcement's stated need for rapid access to data would make it impractical to store keys offline or split
keys among multiple keyholders, as security engineers would normally do with extremely high-value credentials. Recent attacks on the United States
Government Office of Personnel Management show how much harm can arise when many organizations rely on a single
institution that itself has security vulnerabilities. In the case of OPM, numerous federal agencies lost sensitive data because OPM had insecure
infrastructure. If service providers implement exceptional access requirements incorrectly, the security of all of their users will be at risk. At a practical level, there
are thousands of police departments spread across the United States. Providing online access to these police departments, while having iron-clad assurances
that no hackers can get in, ignores the lessons of the recent OPM breach and the numerous other data breaches in the public and private sectors. Let me add
my personal observations on these studies about the technical obstacles to safe key recovery by law enforcement. I have engaged with a wide range of technical
encryption experts for two decades, both inside and outside of government, often as the only person with legal training at a conference. I have an appointment in
the College of Computing at Georgia Tech, and teach cybersecurity there, with a majority of the class in graduate studies in information security. Based on this
engagement with technical experts, they say the same things in private as are written in the blue-ribbon reports. The passion that the most eminent technical
experts show here is due to their conviction based on hard-fought experience, and not as a lobbying ploy. Quite simply, the technical experts I trust believe that
the FBI is asking for the impossible. CALEA II-style proposals hurt security.
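The forward-secrecy and retained-credential points in the testimony above, as an added Python sketch (not from the testimony or the report it cites): each session derives its key from ephemeral Diffie-Hellman secrets that are then discarded, and the exceptional-access variant also wraps every session key under one retained key. The toy group, the SHA-256 stream cipher, the single symmetric escrow key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy Diffie-Hellman group, chosen for this illustration only (assumption).
P = 2**255 - 19
G = 2

# Constructed sample traffic.
MESSAGES = [b"session 1: payroll file", b"session 2: medical record",
            b"session 3: login token"]


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one key."""
    return hashlib.sha256(label + key).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || offset) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(d ^ p for d, p in zip(data[off:off + 32], pad))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt then MAC; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key: bytes, record: tuple) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not match the record."""
    nonce, ct, tag = record
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


def run_session(plaintext: bytes, escrow_key: Optional[bytes] = None) -> dict:
    """Run one session and return only what crosses the wire and can be recorded."""
    a = secrets.randbelow(P - 2) + 1          # client ephemeral secret
    b = secrets.randbelow(P - 2) + 1          # server ephemeral secret
    A, B = pow(G, a, P), pow(G, b, P)         # public values, visible on the wire
    shared = pow(B, a, P)                     # equals pow(A, b, P)
    session_key = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    recorded = {"A": A, "B": B, "msg": seal(session_key, plaintext)}
    if escrow_key is not None:
        # Exceptional access: the session key is also wrapped under a retained key.
        recorded["escrow"] = seal(escrow_key, session_key)
    # Forward secrecy: nothing that can rebuild session_key outlives the session.
    del a, b, shared, session_key
    return recorded


def recoverable_after_compromise(records: list, retained_keys: list) -> list:
    """Plaintexts that retained key material can still open in recorded traffic."""
    recovered = []
    for rec in records:
        for k in retained_keys:
            pt = unseal(k, rec["msg"])        # was k itself the traffic key?
            if pt is None and "escrow" in rec:
                sk = unseal(k, rec["escrow"])  # does k unwrap an escrowed key?
                pt = unseal(sk, rec["msg"]) if sk is not None else None
            if pt is not None:
                recovered.append(pt)
                break
    return recovered


def demo() -> tuple:
    identity_key = secrets.token_bytes(32)    # long-term key used for authentication only (modelled)
    escrow_key = secrets.token_bytes(32)      # the retained exceptional-access credential
    fs_records = [run_session(m) for m in MESSAGES]
    ea_records = [run_session(m, escrow_key) for m in MESSAGES]
    return (recoverable_after_compromise(fs_records, [identity_key]),
            recoverable_after_compromise(ea_records, [identity_key, escrow_key]))


if __name__ == "__main__":
    forward_secret, exceptional = demo()
    print("forward secrecy, recovered:", forward_secret)
    print("exceptional access, recovered:", exceptional)
```

With forward secrecy, the key material that still exists after the sessions opens none of the recorded traffic; with the escrow wrapper, the one retained key opens all of it.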
1.
It would seriously undermine our nation's cybersecurity, at a time when that security is already in crisis as
demonstrated by the endless string of high profile data breaches in the past year.11 Every technical expert that
has spoken publicly on this controversy since it began last September--both experts from the generation that fought in the original
Crypto Wars,12 as well as experts from the next generation13--has concluded that it
privacy. It's about security. Encryption is something we should be encouraging all citizens, companies and our own government
to be using to mitigate against everything from criminals stealing your iPhone to the many massive data breaches
conducted by faceless foreign criminal operations that have made national headlines in the past year. The
government knows this even if not admitting it; a classified document in the Snowden archive details how encryption is
vital to security. Yet the agency is in the midst of a push to force tech companies to install backdoors in encryption, the fastest
way to weaken America's cybersecurity. FBI director Jim Comey first started making the push last year, and it has been
widely ridiculed by technical experts, but the chorus inside government seems to have only gotten louder even as
officials claim cyberattacks are the number one threat the nation faces. The idea that terrorists will stop using end-to-end
encryption - where a message is unintelligible from when it leaves the sender until it reaches its recipient - if the US
bans companies from using it is preposterous. As Johns Hopkins cryptography professor Matthew Green tweeted,
"You could strangle the whole U.S. tech industry, and ISIS would *still* be able to communicate with their followers using
encryption." There are plenty of open-source encryption programs that have been around for 20 years and are too
prevalent to rein in, plus the code itself is protected by the First Amendment. Forcing big companies to backdoor their
products will just hurt the millions of ordinary people worldwide who depend on encryption for protection from snoopers, criminals
and foreign governments. That includes tech companies' Chinese users, who can use encryption to protect themselves
from their own authoritarian government. Just weeks after the FBI unveiled its anti-encryption plans last year, China
announced it too wants to pass a "counter-terrorism" law that would force companies like Apple and Google to hand over
encryption keys. Without a hint of irony, the Obama administration condemned the move. Here's how Reuters
reported it in March: In an interview with Reuters, Obama said he was concerned about Beijing's plans for a far-reaching counter-terrorism law that would require technology firms to hand over encryption keys, the passcodes that
help protect data, and install security "backdoors" in their systems to give Chinese authorities surveillance access.
"This is something that I've raised directly with President Xi," Obama said. "We have made it very clear to them that
this is something they are going to have to change if they are to do business with the United States." Read that
opening paragraph again and try to explain how it's any different than what the US is proposing. Yes, China will
almost certainly use its "counter-terrorism" powers for all sorts of things beyond terrorism. But we'd be kidding ourselves if we
didn't think the US will use its own "backdoor" powers to do the exact same thing, as they've done over and over again with the
Patriot Act in the last decade. The FBI is going to have to decide which is more important: strong cybersecurity, or the ability
to read every message that's sent all of the time. Because attempting to force backdoors into encryption compromises the
safety of its own citizens and gives authoritarian powers like China and Russia an excuse to force Apple and Google and
whomever to hand them the keys to the encrypted communications too. Apple CEO Tim Cook has commendably been
speaking out in public on this issue, forcefully defending the use of encryption on iPhones as essential in the 21st
Century. It's time for the other tech company CEOs to step up and ask the FBI why it's saying cyberattacks are the greatest
threat we face on one hand, and then saying they want to make us all even more vulnerable to attacks on the other.
Encryption is crucial to prevent identity theft and protect against cyber attacks
Swire 7/8 <Peter, Huang Professor of Law and Ethics at Georgia Tech Scheller College of Business, 7/9/15, Going Dark:
Encryption, Technology, and the Balance Between Public Safety and Privacy, Senate Judiciary Committee Hearing,
http://www.judiciary.senate.gov/imo/media/doc/07-08-15%20Swire%20Testimony.pdf>//wx
Although encryption issues have become the subject of greater public debate since the beginning of the Snowden revelations, there has been an ongoing
trend to deploy effective encryption for consumer and business applications. The central importance of encryption to cybersecurity was a
major theme in the Review Group report, as discussed above. Strong encryption is essentially the broadest-spectrum antibiotic against cyberinfections. In our era of pervasive cyber-attacks, encryption is crucial to preventing identity theft, reducing the harmful
effects of data breaches, and providing myriad other protections against attacks. The necessary and pervasive spread of encryption
was the topic of my 2012 article why encryption drives the government to seek access to the cloud, cited above. That article gave a 2012 list of examples of
widespread encryption: Corporate and government users have widely adopted Virtual Private Networks (VPNs) for remote users. VPNs are strongly encrypted,
thus protecting the organization's emails and other communications. Electronic commerce, including credit card numbers, is overwhelmingly conducted today
using SSL (Secure Sockets Layer). Facebook now supports SSL. If it enables SSL by default [which is true in 2015], then its social networking communications
would not be readable at the ISP level. Research in Motion's Blackberry products use strong encryption, and RIM itself does not have the keys for corporations
who manage keys themselves. Major web locker services, such as Dropbox, use SSL by default. Skype, the leading VoIP provider, encrypts end-to-end. Many
international calls are made using Skype. VoIP enables voice communications to be encrypted at scale. Many Internet games and other services use encryption,
often with accompanying voice and chat channels.17 This trend has continued since 2012, including for the device encryption of smartphones that the FBI has
criticized.18 Although it might seem that the widespread use of encryption is a reason to mandate vulnerabilities in software to enable law enforcement access,
my view is different. The growing and pervasive use of encryption is recognition of its centrality to defending against cyberattacks. The ongoing debates about cybersecurity legislation in Congress show a consensus that customers need this
protection, and companies need to supply it. In addition, CALEA II-style mandates run up against the pervasive use of encryption. Such mandates
would be a regulatory nightmare, affecting so many applications and implementations as to be unmanageable and enormously costly.
law enforcement and intelligence agency leaders argue that such efforts thwart their ability to monitor kidnappers, terrorists and
other adversaries. In Britain, Prime Minister David Cameron threatened to ban encrypted messages altogether. In the United States, Michael S. Rogers,
the director of the N.S.A., proposed that technology companies be required to create a digital key to unlock encrypted data, but
to divide the key into pieces and secure it so that no one person or government agency could use it alone. The encryption debate has
left both sides bitterly divided and in fighting mode. The group of cryptographers deliberately issued its report a day before James B. Comey Jr., the director of
the Federal Bureau of Investigation, and Sally Quillian Yates, the deputy attorney general at the Justice Department, are scheduled to testify before the Senate
Judiciary Committee on the concerns that they and other government agencies have that encryption technologies will prevent them from effectively doing their
jobs. The new paper is the first in-depth technical analysis of government proposals by leading cryptographers and security thinkers, including Whitfield Diffie, a
pioneer of public key cryptography, and Ronald L. Rivest, the "R" in the widely used RSA public cryptography algorithm. In the report, the group said any
effort to give the government exceptional access to encrypted communications was technically unfeasible and would leave
confidential data and critical infrastructure like banks and the power grid at risk. Handing governments a key to encrypted
communications would also require an extraordinary degree of trust. With government agency breaches now the norm -- most recently at the United
States Office of Personnel Management, the State Department and the White House -- the security specialists said authorities could not be
trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to
communications, China and other governments in foreign markets would be spurred to do the same. "Such access will open doors through
which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend," the report said. "The costs
would be substantial, the damage to innovation severe and the consequences to economic growth hard to predict. The costs to the
developed countries' soft power and to our moral authority would also be considerable." A spokesman for the F.B.I. declined to comment
ahead of Mr. Comey's appearance before the Senate Judiciary Committee hearings on Wednesday. Mr. Comey recently told CNN, "Our job is to find needles in a
nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption." A Justice Department official, who spoke on the condition of
anonymity before the hearing, said that the agency supported strong encryption, but that certain uses of the technology -- notably end-to-end encryption that
forces law enforcement to go directly to the target rather than to technology companies for passwords and communications -- interfered with the government's
wiretap authority and created public safety risks. Paul Kocher, the president of the Rambus Cryptography Research Division, who did not write the paper, said it
shifted the debate over encryption from how much power intelligence agencies should have to the technological underpinnings of gaining special access to
encrypted communications. "The paper details multiple technological reasons why mandatory government back doors are technically unworkable, and how
encryption regulations would be disastrous for computer security," Mr. Kocher said. "This report ought to put to rest any technical questions about 'Would this
work?'" The group behind the report has previously fought proposals for encryption access. In 1997, it analyzed the technical risks and shortcomings of a
proposal in the Clinton administration called the Clipper chip. Clipper would have poked a hole in cryptographic systems by requiring technology manufacturers
to include a small hardware chip in their products that would have ensured that the government would always be able to unlock scrambled communications. The
government abandoned the effort after an analysis by the group showed it would have been technically unworkable. The final blow was the discovery by Matt
Blaze, then a 32-year-old computer scientist at AT&T Bell Laboratories and one of the authors of the new paper, of a flaw in the system that would have allowed
anyone with technical expertise to encode Clipper-encrypted communications so that even the government could not crack it. Now the group has convened again
for the first time since 1997. "The decisions for policy makers are going to shape the future of the global Internet and we want to make sure
they get the technology analysis right," said Daniel J. Weitzner, head of the MIT Cybersecurity and Internet Policy Research Initiative and a former deputy chief
technology officer at the White House, who coordinated the latest report. In the paper, the authors emphasized that the stakes involved in encryption are
much higher now than in their 1997 analysis. In the 1990s, the Internet era was just beginning -- the 1997 report is littered with references to electronic
mail and facsimile communications, which are now quaint communications methods. Today, the government's plans could affect the technology
used to lock data from financial and medical institutions, and poke a hole in mobile devices and countless other critical systems
that are moving rapidly online, including pipelines, nuclear facilities and the power grid. "The problems now are much worse than they were
in 1997," said Peter G. Neumann, a co-author of both the 1997 report and the new paper, who is a computer security pioneer at SRI International, the Silicon
Valley research laboratory. "There are more vulnerabilities than ever, more ways to exploit them than ever, and now the government wants to dumb everything
down further." Other authors of the new paper include Steven M. Bellovin, a computer science professor at Columbia University; Harold Abelson, a computer
science professor at MIT; Josh Benaloh, a leading cryptographer at Microsoft; Susan Landau, a professor of cybersecurity at Worcester Polytechnic Institute and
formerly a senior privacy analyst at Google; and Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School and a widely
read security author. "The government's proposals for exceptional access are wrong in principle and unworkable in practice," said Ross Anderson, a professor of
security engineering at the University of Cambridge and the paper's sole author in Britain. "That is the message we are going to be hammering home again and
again over the next few months as we oppose these proposals in your country and in ours." Correction: July 14, 2015 An article on Wednesday about a warning
from leading security technologists that granting American and British governments special access to encrypted communications would put the world's most
confidential data and critical infrastructure in danger described incorrectly a technical flaw in an effort by the Clinton administration to read encrypted
communications. The flaw would have allowed anyone with technical expertise to encode the encrypted communications so that even the government could not
read it, not allow anyone with technical expertise access to the encrypted communications.
complex systems (and to connect them together over the Internet), the problem of software correctness becomes exponentially more
difficult. As this insecure technology becomes more integrated into the systems and relationships upon which society depends, the consequences become
increasingly dire. While a general solution to the problem of software reliability and correctness has eluded us (and will continue to do so absent some
remarkable, unexpected breakthrough), there are two tried-and-true techniques that can, to some extent, ameliorate the inherent vulnerability of software-based
systems. One is the use of encryption to protect data stored on or transmitted over insecure media. The other is to design systems to be
as simple as possible, with only those features needed to support the application. The aim is to minimize the "attack surface" that any software vulnerabilities
would expose. Neither the use of encryption nor designing systems to be small and simple are perfect solutions to the software security problem. Even carefully
designed, single-purpose software that encrypts data whenever possible can still harbor hidden, exploitable vulnerabilities, especially when it is connected to the
Internet. For this reason, software systems must be exposed to continual (and resource intensive) scrutiny throughout their lifecycle to discover and fix flaws
before attackers find and exploit them. But these approaches, imperfect and fragile as they might be, represent essentially the only proven defenses that we
have.
Computer and Information Science at the University of Pennsylvania Whitfield Diffie, American cryptographer; one of the founders of the Electronic Frontier Foundation, the
Cypherpunks mailing list, and Cygnus Solutions; Assistant Research Professor of Computer Science at Johns Hopkins University; a computer-science researcher who has
worked on the Multics operating system in the 1960s. He edits the RISKS Digest columns for ACM Software Engineering Notes and Communications of the ACM; American
mathematician and engineer, and Professor of Social Science and Policy Studies at Worcester Polytechnic Institute; Vannevar Bush Professor at MIT's Department of Electrical
Engineering and Computer Science and a member of MIT's Computer Science and Artificial Intelligence Laboratory; Enterprise Architect at Massachusetts Institute of
Technology (MIT); American cryptographer, computer security and privacy specialist, and writer; Michael Specter, staff writer at the New Yorker; Director of the MIT
meet law enforcement's call for exceptional access without causing large-scale security vulnerabilities. We take no issue here with law enforcement's
desire to execute lawful surveillance orders when they meet the requirements of human rights and the rule of law. Our strong recommendation is that
anyone proposing regulations should first present concrete technical requirements, which industry, academics, and the public can analyze for technical
weaknesses and for hidden costs. Many of us worked together in 1997 in response to a similar but narrower and better defined proposal called the
Clipper Chip [1]. The Clipper proposal sought to have all strong encryption systems retain a copy of keys necessary to decrypt information with a
trusted third party who would turn over keys to law enforcement upon proper legal authorization. We found at that time that it was beyond the
technical state of the art to build key escrow systems at scale. Governments kept pressing for key escrow, but Internet firms successfully resisted on the
grounds of the enormous expense, the governance issues, and the risk. The Clipper Chip was eventually abandoned. A much more narrow set of law
enforcement access requirements have been imposed, but only on regulated telecommunications systems. Still, in a small but troubling number of
cases, weakness related to these requirements have emerged and been exploited by state actors and others. Those problems would have been worse had
key escrow been widely deployed. And if all information applications had had to be designed and certified for exceptional access, it is doubtful that
companies like Facebook and Twitter would even exist. Another important lesson from the 1990s is that the decline in surveillance capacity predicted
by law enforcement 20 years ago did not happen. Indeed, in 1992, the FBI's Advanced Telephony Unit warned that within three years Title III wiretaps
would be useless: no more than 40% would be intelligible and that in the worst case all might be rendered useless [2]. The world did not go dark. On
the contrary, law enforcement has much better and more effective surveillance capabilities now than it did then. The goal of this report is to similarly
analyze the newly proposed requirement of exceptional access to communications in today's more complex, global information infrastructure. We find
that it would pose far more grave security risks, imperil innovation, and raise thorny issues for human
rights and international relations. There are three general problems. First, providing exceptional access to
communications would force a U-turn from the best practices now being deployed to make the Internet
more secure. These practices include forward secrecy -- where decryption keys are deleted immediately after use, so that
stealing the encryption key used by a communications server would not compromise earlier or later
communications. A related technique, authenticated encryption, uses the same temporary key to guarantee confidentiality and to verify that the
message has not been forged or tampered with. Second, building in exceptional access would substantially increase
system complexity. Security researchers inside and outside government agree that complexity is the enemy of
security -- every new feature can interact with others to create vulnerabilities. To achieve widespread exceptional access, new
technology features would have to be deployed and tested with literally hundreds of thousands of developers
all around the world. This is a far more complex environment than the electronic surveillance now deployed in telecommunications and Internet
access services, which tend to use similar technologies and are more likely to have the resources to manage vulnerabilities that may arise from new
features. Features to permit law enforcement exceptional access across a wide range of Internet and mobile computing applications could be
particularly problematic because their typical use would be surreptitious making security testing difficult and less effective. Third,
exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock the data
would have to be retained by the platform provider, law enforcement agencies, or some other trusted third party. If law enforcement's keys
guaranteed access to everything, an attacker who gained access to these keys would enjoy the same
privilege. Moreover, law enforcement's stated need for rapid access to data would make it impractical to store keys offline or split keys among
multiple keyholders, as security engineers would normally do with extremely high-value credentials. Recent attacks on the United States Government
Office of Personnel Management (OPM) show how much harm can arise when many organizations rely on a single institution that itself has security
vulnerabilities. In the case of OPM, numerous federal agencies lost sensitive data because OPM had insecure infrastructure. If service providers
implement exceptional access requirements incorrectly, the security of all of their users will be at risk.
Opinion of top experts and empirics flow aff encryption backdoors deck cybersecurity
Yegulalp 7/7/15 <Serdar Yegulalp, senior editor at InfoWorld, cites study written by top encryption experts, Encryption
backdoors: A bad idea then, a bad idea now, InfoWorld, http://www.infoworld.com/article/2945033/encryption/encryptionbackdoors-bad-idea-then-bad-idea-now-say-scientists.html>//wx
Should governments be allowed to keep the keys to encryption backdoors? The short answer, according to a group of computer
scientists who helped create modern encryption, is not only no, but resoundingly no, no, a thousand times no. Providing
encryption backdoors in any form weakens encryption across the board for everyone -- including the good guys, argue the authors of a new
research paper released today. Keys under doormats In "Keys Under Doormats: Mandating insecurity by requiring government access to all data and
communications," 14 computer scientists and encryption experts fiercely rebut the latest attempts to make encrypted information more
accessible to law enforcement. Among the paper's authors are pivotal names in their respective fields: MIT computer science professor
Harold Abelson; security researcher Bruce Schneier; computer scientist Peter G. Neumann; Ronald Rivest, co-creator of the RSA encryption algorithm; and
Whitfield Diffie, one of the co-creators of public-key cryptography. So-called key escrow schemes "force a U-turn from the best practices now
being deployed to make the Internet more secure;" make encryption systems more difficult to build and debug; and would create known weaknesses
in encryption that would simply attract concentrated efforts to break them, according to the paper. "If law enforcement's keys guaranteed access to
everything, an attacker who gained access to these keys would enjoy the same privilege," the paper argues. Blasts from the past
Government's previous efforts to weaken encryption -- both above- and below-board -- ended badly. The Clipper chip, a key escrow system for voice
communications created in the 1990s, met with strong resistance from both privacy advocates and cryptographers, with the latter
demonstrating that the chip was demonstrably insecure on its own terms. In 2013, word surfaced that the NSA had subtly weakened NIST-supported encryption
standards to make them more amenable to automated attack -- a strategy that would only serve the NSA as long as no one else knew of the weakness. Today's
renewed calls for law-enforcement access to encryption keys proffer the same arguments as earlier efforts -- mainly, that encryption enables criminals to evade
law enforcement. However, the crucial question to ask about key escrow schemes, the authors argue, is whether granting such access
creates problems at least as large as the ones they claim to solve. The stakes involved in weakening encryption today are far
higher than they were in the 1990s, the paper insists. Far more real-world infrastructure depends on encryption than ever before, and switching
those systems over to key-escrow encryption makes them more vulnerable to attackers. "Lawmakers should not risk the real economic,
geopolitical, and strategic benefits of an open and secure Internet for law enforcement gains that are at best minor and tactical,"
the paper's authors write.
encrypted data. "These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo
progress on security at a time when Internet vulnerabilities are causing extreme economic harm," the experts said in the paper. "We find that it would
pose far more grave security risks, imperil innovation, and raise thorny issues for human rights and international relations." The
cybersecurity experts argue that creating these backdoor keys would require tech companies to avoid using the best security practices, making the sensitive data
they store for their users vulnerable to hackers. Additionally, creating these kinds of systems would require complex configurations, which typically create more
loopholes that can be exploited by hackers. What's more, if agencies like the FBI or NSA were breached, those backdoor keys could be used by
hackers to access the consumer data stored by tech companies. Those are now plausible scenarios following recent breaches
into the systems of the U.S. Office of Personnel Management and the Interior Department. Finally, giving backdoor access to agencies in the U.S. or
the United Kingdom could set a bad precedent and lead countries like China and Russia to demand similar access from American companies that offer services
within their borders, the security experts said. "Such access will open doors through which criminals and malicious nation-states can
attack the very individuals law enforcement seeks to defend. The costs would be substantial, the damage to innovation severe, and the
consequences to economic growth difficult to predict," the paper reads.
Eliminating NSA backdoors key to cybersecurity and national security firewall protections
Center for Democracy and Technology 11/10/14 CDT is a non-profit organization that works to find solutions to pressing
internet policy challenges. (CDT, Issue brief: A backdoor to encryption for government surveillance, Center for Democracy and
Technology. https://d1ovv0c9tw0h0c.cloudfront.net/files/2014/11/issuebrief-backdoorencryption.pdf)//ET
Encrypting smartphones and other tech products will help protect against malicious hacking, identity theft, phone theft, and other crimes.
However, a government mandate requiring companies to build a backdoor through encryption to facilitate surveillance would put
consumers at grave risk and impose heavy costs on US businesses. The government can obtain information for investigations from other sources and may
be able to compel an individual to decrypt information with a search warrant. What companies have done recently: Apple and Google recently announced
that their newer smartphones will be encrypted by default. This means that all the data stored on the phone itself will be unreadable to anyone who
accesses the phone without knowing the owner's password or key to unlock the encryption. Weak encryption (or obvious passwords) can be broken by widely
available cracking programs, but Apple and Google announced they will apply strong encryption to their devices. Prior to this announcement, many other
companies and nonprofits have long offered products and services, including phones, secured by strong encryption to the public. The primary impact: The
primary impact of this change will be to increase security from cybercriminals for regular smartphone users. Encryption by default ensures
that if criminals steal or attempt to hack into a phone, they will be unable to access the owner's sensitive data stored on the device, such as
credit card information, photos, emails, medical records, social media accounts, and more. Millions of American smartphone users are targets of
identity theft, phone theft, and cybercrime, and the principal objective of securing smartphones with strong encryption is to protect against these problems. What
the FBI wants: The FBI wants a backdoor into encrypted products -- not just phones, but other communications services as well. In a recent speech, FBI
Director Comey called for companies to build security flaws into their encrypted products so that the government can break through and wiretap consumers or
seize data stored on their devices. Director Comey suggested that Congress should enact legislation to impose this requirement on all communications service
providers. A backdoor for government surveillance: During his speech, Director Comey stated the FBI was not actually seeking a backdoor because he is
proposing that companies intentionally build a means of breaking encryption for the purpose of government access into their products and services. However,
this conflates a legal backdoor with a technical one: as a technical matter, creating a path through encryption to provide access that the user does not authorize
is, by definition, a backdoor security vulnerability into the device. It is impossible to build encryption that can be circumvented without creating a technical
backdoor. Backdoors create major problems: Backdoors severely weaken cybersecurity, leaving users exposed to malicious hacking and crime.
A government-mandated security vulnerability in tech products would also be a huge burden on businesses and an obstacle to innovation. User security
undermined: A fundamental problem with a backdoor is that there is no way to control who goes through it. If the US government can exploit
a backdoor security vulnerability to access a consumer's device, so will malicious hackers, identity thieves, and foreign governments. This
will devastate the security of not just individual consumers around the world, but also the many businesses that use American commercial tech
products day-to-day. Ultimately, this mandate would have the effect of actually enabling cybercrime and undermining national
security. US businesses harmed: Consumers outside of the US may be much less inclined to purchase American tech products that facilitate government
surveillance. Consider, for example, the difficulty US companies would have selling smartphones or network servers in the EU that are built to enable easy
access for the NSA. As a technical matter, it is difficult and expensive to both build a backdoor security vulnerability and then defend that vulnerability against
unauthorized use. This burden would be heaviest on small businesses and innovators of new communications services, which may create a disincentive to
encrypt their products and reduce the overall security of users.
could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20
years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today's internet environment,
any proposals that alter the security dynamics online should be approached with caution." The coauthors do not mince words, ending the
paper's executive summary with, "Many of us worked together in 1997 in response to a similar but narrower and better defined proposal called the Clipper Chip."
What are exceptional access mechanisms? The term backdoor is normally used, but as academics will do, they chose a new one:
exceptional access mechanisms. Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute and one of the paper's authors, in
this Lawfare Institute blog defines exceptional access mechanisms as, "Some form of technology that will enable government access to content even if the
content is encrypted." Three problems with the government's request The scientists state they analyzed the government's request for
exceptional access to communications, and they feel there are three challenges. The first issue is providing exceptional access to
communications would negate many best practices now being deployed to make the internet more secure, including forward secrecy,
where decryption keys are deleted right after being used. The second issue is adding exceptional access would increase the complexity of
already complex security systems, which in turn increases the likelihood of vulnerabilities. The authors make the point, "Features to
permit law enforcement exceptional access across a wide range of internet and mobile computing applications could be
particularly problematic because their typical use would be surreptitious making security testing difficult and less effective." The
third issue is, just as databases of credit-card information interest digital criminals more so than the information from one individual's credit card, exceptional
access will allow bad actors to focus on fewer targets to get the same results. The third problem is especially troubling. "Recent attacks
on the United States Government Office of Personnel Management (OPM) show how much harm can arise when many
organizations rely on a single institution that itself has security vulnerabilities," write the coauthors. "In the case of OPM, numerous federal
agencies lost sensitive data because OPM had insecure infrastructure. If service providers implement exceptional access requirements
incorrectly, the security of all of their users will be at risk." Cory Doctorow speaks to this in his book Information Doesn't Want to Be Free (page 126): "If you
weaken the world's computer security -- the security of our planes and nuclear reactors, our artificial hearts and our thermostats, and, yes,
our phones and our laptops, devices that are privy to our every secret -- then no amount of gains in the War on Terror will balance out the costs
we'll all pay in vulnerability to crooks, creeps, spooks, thugs, perverts, voyeurs, and anyone else who independently discovers
these deliberate flaws and turns them against targets of opportunity."
Backdoor encryption is bad hurts economic growth, innovation, cybersecurity, and political
authority
Page 15 editor for the inquirer (Carly, Crypto experts slam government encryption backdoor demands, 7/8/15,
http://www.theinquirer.net/inquirer/news/2416875/crypto-experts-slam-government-encryption-backdoor-demands)
A GROUP OF CRYPTOGRAPHERS AND COMPUTER SCIENTISTS has blasted demands from US and British governments for
backdoors to encryption systems, saying that it would cause a "major security risk". The report from the Massachusetts Institute
of Technology (MIT) Computer Science and Artificial Intelligence Lab criticises plans to allow law enforcement agencies
unfettered access to encrypted data, following in the footsteps of Apple and Google. UK prime minister David Cameron, for
example, said recently that services such as iMessage and WhatsApp should be banned if British intelligence services cannot
access them, while the FBI has argued that access to encrypted communications is crucial in the fight against terrorism. MIT said
in a 34-page paper, compiled by the likes of security expert Bruce Schneier and professor Ross Anderson from Cambridge
University, that this is a bad idea and will create a major security risk. "Such access will open doors through which criminals and
malicious nation states can attack the very individuals law enforcement seeks to defend," the paper said. "The costs would be
substantial, the damage to innovation severe and the consequences to economic growth hard to predict. The costs to the
developed countries' soft power and to our moral authority would also be considerable." The paper noted that granting
governments backdoors to encryption systems will also make them a more appealing target to hackers and increase the risk of
data breaches. "Security credentials that unlock the data would have to be retained by the platform provider, law enforcement
agencies, or some other trusted third party," it said. "If law enforcement's keys guaranteed access to everything, an attacker who
gained access to these keys would enjoy the same privilege. "Recent attacks on the US Government Office of Personnel
Management show how much harm can arise when many organisations rely on a single institution that itself has security
vulnerabilities."
Back door encryption creates vulnerabilities - leaves room for bad actors
Kassner 15 Freelance writer and editing professional with 15 years of experience covering technology, science,
and business. (Michael, Why government-mandated encryption backdoors are bad for US businesses, 7/14/15,
http://www.techrepublic.com/article/why-government-mandated-encryption-backdoors-are-bad-for-us-businesses/)
The scientists state they analyzed the government's request for exceptional access to communications, and they feel there are
three challenges. The first issue is providing exceptional access to communications would negate many best practices now being
deployed to make the internet more secure, including forward secrecy, where decryption keys are deleted right after being used.
The second issue is adding exceptional access would increase the complexity of already complex security systems, which in turn
increases the likelihood of vulnerabilities. The authors make the point, "Features to permit law enforcement exceptional access
across a wide range of internet and mobile computing applications could be particularly problematic because their typical use
would be surreptitious - making security testing difficult and less effective." The third issue is, just as databases of credit-card
information interest digital criminals more so than the information from one individual's credit card, exceptional access will allow
bad actors to focus on fewer targets to get the same results. The third problem is especially troubling. "Recent attacks on the
United States Government Office of Personnel Management (OPM) show how much harm can arise when many organizations
rely on a single institution that itself has security vulnerabilities," write the coauthors. "In the case of OPM, numerous federal
agencies lost sensitive data because OPM had insecure infrastructure. If service providers implement exceptional access
requirements incorrectly, the security of all of their users will be at risk."
communications was technically unfeasible and would leave confidential data and critical infrastructure like banks and the power
grid at risk. Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With
government agency breaches now the norm - most recently at the United States Office of Personnel Management, the
State Department and the White House - the security specialists said that the authorities could not be trusted to keep such
keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to
communications, China and other governments in foreign markets would be spurred to do the same. ''Such access will open
doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend,'' the
report said. ''The costs would be substantial, the damage to innovation severe and the consequences to economic
growth hard to predict. The costs to the developed countries' soft power and to our moral authority would also be
considerable.'' A spokesman for the F.B.I. declined to comment ahead of Mr. Comey's appearance before the Senate
Judiciary Committee hearings on Wednesday. Mr. Comey recently told CNN, ''Our job is to find needles in a
nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption.'' A Justice
Department official, who spoke on the condition of anonymity before the hearing, said that the agency supported
strong encryption, but that certain uses of the technology - notably end-to-end encryption that forces law
enforcement to go directly to the target rather than to technology companies for passwords and communications - interfered with the government's wiretap authority and created public safety risks. Paul Kocher, the president of the
Rambus Cryptography Research Division, who did not write the paper, said that it shifted the debate over
encryption from how much power intelligence agencies should have to the technological underpinnings of gaining
special access to encrypted communications. The paper ''details multiple technological reasons why mandatory
government back doors are technically unworkable, and how encryption regulations would be disastrous for computer security,''
Mr. Kocher said. ''This report ought to put to rest any technical questions about 'Would this work?''' The group behind the
report has previously fought proposals for encryption access. In 1997, it analyzed the technical risks and
shortcomings of a proposal in the Clinton administration called the Clipper chip. Clipper would have poked a hole in
cryptographic systems by requiring technology manufacturers to include a small hardware chip in their products
that would have ensured that the government would always be able to unlock scrambled communications. The
government abandoned the effort after an analysis by the group showed it would have been technically
unworkable. The final blow was the discovery by Matt Blaze, then a 32-year-old computer scientist at AT&T Bell
Laboratories and one of the authors of the new paper, of a flaw in the system that would have allowed anyone with
technical expertise to gain access to the key to Clipper-encrypted communications. Now the group has convened for
the first time since 1997. ''The decisions for policy makers are going to shape the future of the global Internet and
we want to make sure they get the technology analysis right,'' said Daniel J. Weitzner, head of the Cybersecurity
and Internet Policy Research Initiative at the Massachusetts Institute of Technology and a former deputy chief
technology officer at the White House, who coordinated the latest report. In the paper, the authors emphasized that
the stakes involved in encryption are much higher now. In the 1990s, the Internet era was just beginning. Today,
the government's plans could affect the technology used to lock data from financial and medical institutions, and poke a hole in
mobile devices and countless other critical systems that are moving rapidly online, including pipelines, nuclear facilities and the
power grid. ''The problems now are much worse than they were in 1997,'' said Peter G. Neumann, a co-author of both
the 1997 report and the new paper, who is a computer security pioneer at SRI International, the Silicon Valley
research laboratory. ''There are more vulnerabilities than ever, more ways to exploit them than ever, and now the government
wants to dumb everything down further.'' ''The government's proposals for exceptional access are wrong in principle and
unworkable in practice,'' said Ross Anderson, a professor of security engineering at the University of Cambridge and
the paper's sole author in Britain. ''That is the message we are going to be hammering home again and again over
the next few months as we oppose these proposals in your country and in ours.''
has not yet provided any specifics, arguing that private vendors should do it. At the same time, the vendors won't do it, because
its customers aren't demanding such features. Indeed, many customers would see such features as a reason to avoid a given
vendor. Without specifics, there will be no progress. I believe the government is afraid that any specific proposal will be subject to enormous criticism - and
that's true - but the government is the party that wants NOBUS access, and rather than running away from such criticism, it should embrace any resulting
criticism as an opportunity to improve upon its initial designs. Exactly the same issues came up in the 1990s, only then the government did propose a specific
mechanism. When the National Academies studied the problem then, it made a recommendation that still makes sense today - a prerequisite for going down
this path is for the government to gain experience about how to properly operate a government-only system allowing NOBUS access. Without such experience,
large scale deployment of any access mechanism across the entire nation is asking for trouble. A final point is asking the major
vendors to provide NOBUS access is only the first step, as Director Comey implied in his comments regarding end-to-end encryption to CNN on
June 18. The next step is to impose access requirements on small app and open source developers, because they can build apps that
bypass NOBUS mechanisms built into the platforms. And then you have to prevent people from bringing into the U.S. apps from abroad
that don't have NOBUS access, which means an Internet firewall around the United States that blocks such apps and border inspections
and import controls. Second, a partial alternative to NOBUS access is for law enforcement authorities to obtain legal authorization to take advantage of
the vulnerabilities that already exist in all software. With proper legal authorization, law enforcement could hack the devices of bad guys to obtain unencrypted
information when the bad guys themselves accessed it, and they do this to some extent today. Third, criminals are just like the rest of us in that they also
forget passwords, and if they have not saved them somewhere, certain crimes will not happen because the would-be perpetrators will not be able to get the
information needed to commit them. Remember also that data is often backed up to the cloud by default. So criminals will want mechanisms that enable them to
retrieve inaccessible data, and if they do, that's a way that law enforcement can gain access. I hope that these comments are helpful and I'm ready to answer
questions. I ask that a number of relevant documents that support my testimony be entered into the record. These documents have already been provided to
Committee staff.
companies to develop more secure products at the time people need them most; if you're building a wall with a hole in it, how much are you going
to invest in locks and barbed wire? What these officials are proposing would be bad for personal data security and bad for business and
must be opposed by Congress. In Silicon Valley several weeks ago I convened a roundtable of executives from America's most innovative tech companies. They
made it clear that widespread availability of data encryption technology is what consumers are demanding. It is also good public policy.
For years, officials of intelligence agencies like the NSA, as well as the Department of Justice, made misleading and outright inaccurate
statements to Congress about data surveillance programs - not once, but repeatedly for over a decade. These agencies spied
on huge numbers of law-abiding Americans, and their dragnet surveillance of Americans' data did not make our country safer.
Most Americans accept that there are times their government needs to rely on clandestine methods of intelligence gathering to protect national security and
ensure public safety. But they also expect government agencies and officials to operate within the boundaries of the law, and they now know how
egregiously intelligence agencies abused their trust. This breach of trust is also hurting U.S. technology companies' bottom line,
particularly when trying to sell services and devices in foreign markets. The president's own surveillance review group noted that concern about
U.S. surveillance policies can directly reduce the market share of U.S. companies. One industry estimate suggests that lost market share will cost just the U.S.
cloud computing sector $21 billion to $35 billion over the next three years. Tech firms are now investing heavily in new systems, including
encryption, to protect consumers from cyber attacks and rebuild the trust of their customers. As one participant at my roundtable put it, I'd
be shocked if anyone in the industry takes the foot off the pedal in terms of building security and encryption into their products.
of Standards and Technologies chief cyber-security adviser agreed, saying, There's no way to do this
where you don't have unintentional vulnerability. I worry about those unintentional vulnerabilities. We
have a wide variety of experts on the panel today to help us examine some of the potential economic, privacy, security, and
geopolitical consequences of introducing a vulnerability into the system.
Second, we already live in what some experts have referred to as the golden age of surveillance for law
enforcement. Federal, state, and local law enforcement have never had more tools at their disposal to help
detect, prevent, and prosecute crime. It seems we hear every day there is a new and often startling story about the U.S.
government's ability to track its own citizens. I recognize technology can be a double-edged sword and may pose
challenges for law enforcement as well, but we are certainly not going dark, and in many ways have never been brighter.
Third, strong encryption prevents crime and is a part of the economy. People keep their lives on their mobile phones.
A typical mobile phone might hold a person's pictures, contacts, communications, finances, schedule, and much more personal
information in addition to my Words with Friends which is critical to my daily sanity. If your phone is lost or stolen you
want to know your information is protected. Encryption does that. There is a reason the world's largest
technology companies are increasingly developing stronger and more user-friendly encryption techniques. It's
not because they are anti-law enforcement. On the contrary, it's because sophisticated cyber hacks are
near daily events. No one is immune from digital snooping - from the White House to corporate America to private citizens.
The opportunities brought to us by modern technology are nearly limitless but not if the system is compromised. Strong
encryption helps ensure data is secure and allows companies and individuals to operate with confidence
and trust. I look forward to hearing from our witnesses today. We have choices to make. Do we allow the 99 percent of Americans
who are good, honest, decent, hardworking and patriotic people to have encrypted phones? Or do we need to leave a backdoor open
and create vulnerability for all of them? Because vulnerability is all or nothing folks. It's not just a little bit. It's not
just for the good guys. And that's why we are having this hearing today.
Backdoors cause security concerns and attacks- anyone can get access
Gold 9/15/2014, Staff Writer for Engineering and Technology Magazine (Steve Gold, Engineering and Technology Magazine,
Volume 9 Edition 9 Communications device cyber-security: 'backdoors' http://eandt.theiet.org/magazine/2014/09/backdoors-tothe-future.cfm)NF
On the mobile front, phone operator Three launched the UK's first 3G network with an array of battery-hungry handsets mainly
from Chinese manufacturer Huawei in 2003, but it took until the late 2000s before the first dedicated 3G modems and USB sticks
(aka '3G dongles') appeared to kick-start in earnest the world of mobile data communications for mass consumption. Security
had always been an issue. Rumours of 'backdoors' in 3G modems had been bouncing around in
information security circles for years before a revealing presentation at Black Hat Europe 2013 raised more general
awareness of the possibility and, for many, confirmed the topic as a legitimate cause for concern . Nikita
Tarakanov, an independent IT researcher from Russia, presented a paper entitled 'From China with Love' co-written with fellow
industry colleague Oleg Kupreev which detailed some startling 'features' of a wide range of Huawei cellular broadband dongles.
Tarakanov explained that, in the preceding 12 months or so, he and Kupreev had been researching so-called 'backdoors' into the company's 3G dongles and even though Huawei is a major supplier of mobile broadband dongles,
and there are dozens of models available in different markets around the world they are mostly based around a single
chassis. This chassis, the researcher said, has a number of 'vulnerabilities' (or 'features', depending on who you
talk to and what they're willing to divulge) that allow all manner of remote feeds and access to the device.
Because of this, Tarakanov reckons that a typical Huawei USB modem can be used for a number of
security attack vectors. These include: a flash memory attack on the host computer, DNS (Domain Name
System) poisoning, auto-update poisoning, rogue XML re-configuration and Wi-Fi auto-connect-based
attacks using a pre-set approach to compromising the modem itself.
Backdoors are open for anyone to attack- no magic key for government
Wyden, Senator of the United States 12/14/2014 (Ron Wyden, senior United States Senator for Oregon since 1996,
Previous member of the United States House of Representatives from 1981 to 1996, Juris Doctor degree from the University of
Oregon School of Law. Los Angeles Times Newspaper, With hackers running rampant, why would we poke holes in data
security? http://www.latimes.com/opinion/op-ed/la-oe-1215-wyden-backdoor-for-cell-phones-20141215-story.html)NF
The leaders of U.S. intelligence agencies hold a different view. Most prominently, James Comey, the FBI director, is lobbying
Congress to require that electronics manufacturers create intentional security holes - so-called back doors -
that would enable the government to access data on every American's cellphone and computer, even if it is
protected by encryption. Unfortunately, there are no
magic keys that can be used only by good guys for legitimate reasons. There is only strong security or
weak security. Americans are demanding strong security for their personal data. Comey and others are suggesting that
security features shouldn't be too strong, because this could interfere with surveillance conducted for law
enforcement or intelligence purposes. The problem with this logic is that building a back door into every
cellphone, tablet, or laptop means deliberately creating weaknesses that hackers and foreign governments
can exploit. Mandating back doors also removes the incentive for companies to develop more secure products at the time people
need them most; if you're building a wall with a hole in it, how much are you going to invest in locks and barbed wire? What these
officials are proposing would be bad for personal data security and bad for business and must be opposed by Congress.
In Silicon Valley several weeks ago I convened a roundtable of executives from America's most innovative tech companies. They
made it clear that widespread availability of data encryption technology is what consumers are demanding.
It is also good public policy. For years, officials of intelligence agencies like the NSA, as well as
the Department of Justice, made misleading and outright inaccurate statements to Congress about data surveillance programs - not
once, but repeatedly for over a decade. These agencies spied on huge numbers of law-abiding Americans, and their dragnet
surveillance of Americans' data did not make our country safer. Most Americans accept that there are times their government needs
to rely on clandestine methods of intelligence gathering to protect national security and ensure public safety. But they also expect
government agencies and officials to operate within the boundaries of the law, and they now know how egregiously intelligence
agencies abused their trust. This breach of trust is also hurting U.S. technology companies' bottom line, particularly when trying to
sell services and devices in foreign markets. The president's own surveillance review group noted that concern about U.S.
surveillance policies can directly reduce the market share of U.S. companies. One industry estimate suggests that lost market share
will cost just the U.S. cloud computing sector $21 billion to $35 billion over the next three years. Tech firms are now
investing heavily in new systems, including encryption, to protect consumers from cyber attacks and rebuild
the trust of their customers. As one participant at my roundtable put it, I'd be shocked if anyone in the industry
takes the foot off the pedal in terms of building security and encryption into their products.
Built-in back doors have been tried elsewhere with
disastrous results. In 2005, for example, Greece discovered that dozens of its senior government officials' phones had been
under surveillance for nearly a year. The eavesdropper was never identified, but the vulnerability was clear: built-in wiretapping
features intended to be accessible only to government agencies following a legal process. Chinese hackers have proved how
aggressively they will exploit any security vulnerability. A report last year by a leading cyber security
company identified more than 100 intrusions in U.S. networks from a single cyber espionage unit in
Shanghai. As another tech company leader told me, Why would we leave a back door lying around?
Backdoors don't know the difference between FBI and hackers- extremely vulnerable to attacks
Geller 7/10/2015, (Eric Geller, Editor overseeing Daily Dot's morning shift and staff writer, awarded the P.F. Kluge Collegian
Prize, Socrates Award for Academic Inquiry, English Achievement Award, Journalism Achievement Award, Highly educated in the
American political system and Public Policy process, the Daily Dot The Rise of the new Crypto War
http://www.dailydot.com/politics/encryption-crypto-war-james-comey-fbi-privacy/)NF
The starting point for any analysis of backdoor security is the indisputable fact that a backdoor is a new entry point into a secured
system. Adding a backdoor, Heninger said, increases the attack surface of the system. Foreign governments
and cybercriminals are constantly studying the encrypted systems of banks and email providers, looking
for any weak point. By virtue of its very existence, a backdoor increases their options. What worries researchers and
tech companies the most about a backdoor is the fact that it adds a vulnerability to a system that the system's
operator cannot fully manage. When companies implement their own encryption, they scrutinize every aspect of it to ensure
that it functions properly. They monitor attempted breaches and respond accordingly. They can fully evaluate their encryption
because it is theirs and theirs alone. A backdoor robs companies of that total control and awareness. It is not just that
a backdoor is another way into a system; it is that a backdoor is a way into a system that cannot be guarded by the
system's operators. You have this backdoor out there that's run by other people who aren't telling you what kind of security
measures they're taking, what kinds of protections they have, said Schoen. If you think that there's some precaution that they
ought to be using, you have no ability to get them to take that precaution. Imagine that you own a home with locks on all your doors
made by a trusted, respected company. Then the police ask you to add a new door to your house, protected by a lock whose key you
don't have. The police say they are the only ones with the key, but they won't tell you how they're guarding that key, and they have a
history of being hacked and losing sensitive data. They won't even promise to tell you if someone steals their key. Would you agree to
add that door? You have this whole set of security risks about the people who administer the backdoor, and
their security and their security measures and their defenses against attacks, Schoen said. Backdoor opponents
love pointing out that, in the words of Sen. Ron Wyden (D-Ore.), There's no such thing as a magic door that can only
be used by the good people for worthwhile reasons. Nearly every security expert interviewed for this story
stressed the fact that backdoors have no way of distinguishing between lawful and unlawful uses of their
secret access. A vulnerability is a vulnerability, Tien said. It doesn't know whether you're the FBI or
China. China, a major state sponsor of cyberattacks, allegedly used a government backdoor in Gmail to hack the
email provider in January 2010. Confirmed backdoor exploits extend beyond state actors. In 2007, a government backdoor in
the Greek wireless carrier Vodafone-Panafon allowed hackers to steal the data of Athens' mayor and more than 100 Greek and
international officials. And in 2006, the Italian government began investigating a spy ring hidden inside Telecom Italia that taped
the phone conversations of politicians, industrialists, and even footballers. Hall described the Greek and Italian incidents as cases
where dormant wiretapping functionality that was essentially a backdoor was activated. Security researchers repeatedly pointed to
the technical lessons learned from the most famous hardware backdoor ever proposed: the so-called Clipper chip. The NSA
developed the chip, which used an encryption scheme called Skipjack, to be a one-size-fits-all backdoor module that could be
inserted into computers, phones, and other devices. Each Clipper-chipped device would carry a unique encryption key that the
government could access with a warrant. But in 1994, a year after the NSA proposed the chip, a cryptography expert named Matt
Blaze published a paper laying bare the Skipjack algorithm's many security flaws. The government abandoned the chip two years
later, and its cryptographic design now serves as a textbook example of the dangers posed by poorly configured backdoors. Jake
Laperruque, a fellow on privacy, surveillance, and security at CDT, said that a government-only backdoor was simply not
technologically feasible. He offered a timely pop-culture analogy: The Avengers: Age of Ultron. The FBI, what they're
basically asking for is a Thor's hammer that only a good guy can pick up. By setting up a system in which
it can access a backdoor, the government turns itself into a huge target for foreign governments and other
malicious actors. Backdoors would be concerning enough from a civil-liberties perspective if they truly were limited to
lawful use by the government. But the government's own security vulnerabilities, laid bare by years of
cyberattacks and leaks, show that even a well-intentioned FBI couldn't prevent a backdoor from being
exploited. All an attacker has to do is to obtain the master key and they can now compromise everything,
Nicolas Christin, assistant research professor in electrical and computer engineering at Carnegie Mellon University, told the Daily
Dot via email. It doesn't matter if you split the master key in half - determined attackers will look for both halves. Because key-escrow systems are triggered by the authorities inserting their piece of a key into a backdoor, exploitation would be as simple as
acquiring that key. As Heninger put it, referring to the Snowden leaks, We have some examples of how the government hasn't been
doing such a good job of keeping that information secret. A single master key that can decrypt every single message
sent by anybody in America to anybody else in America becomes an incredible target, both for theft and
also for abuse, said Matthew Green, assistant research professor at the Johns Hopkins Information Security Institute. On
March 17, 2011, RSA Data Security, one of the oldest and most trusted security companies, announced that it had been the
victim of an extremely sophisticated cyberattack. Hackers had stolen the master keys to the company's
SecurID authentication devices, which the world's largest companies used to add a second layer of security to employee
logins. A few months later, Lockheed Martin, a major U.S. defense contractor, announced that hackers had stolen military secrets
from it by exploiting the SecurID system. Even sophisticated security companies who have been building systems
to protect military secrets have not managed to keep their keys from getting hacked, Green said of the
RSA hack. And [a backdoor master] key would be a million times more sensitive than that.
issue: The National Security Agency has been for two decades a powerful behind-
the-scenes lobby for weak internet encryption and privacy protocols. I don't know enough of the details of how
Sony was hacked to be able to prove that specific weaknesses derived from the NSA anti-privacy lobbying and bribing. But it is
certainly the case that the US government is implicated in exposing millions of consumers to such
invasions of privacy. Just this year, I wrote of a Reuters story: Reuters gets the scoop: the National Security
Agency gave internet security firm RSA some $10 million to use an NSA encryption formula in its
BSafe software. RSA is now a subsidiary of the EMC corporation, and they have urged customers not to use
BSafe since the revelations by Edward Snowden made clear that the NSA's formula in fact allowed the agency
access to all the information supposedly encrypted with it. This story should be a huge scandal, but I fear it won't
be. This is like the FDA paying a pharmaceutical company to carry a drug that does not
work and could therefore leave patients open to dying from an untreated illness after
taking medication they are assured will cure it. If the NSA could exploit weaknesses in
the encryption formula, so could hackers. The NSA subverted the will of millions of customers around
the world who used RSA software precisely in a quest to be safe from the prying eyes of government officials and
other peeping Toms. Moreover, the $10 million has to be seen as a bribe (it was a third of that RSA's income
that year). Isn't it illegal for government officials to bribe private companies? Isn't it moreover
illegal for intelligence officials to give out money like candy to a private company in order to spy on Americans on
American soil? I'd like to know what NSA official or officials were involved in this sting operation on the American
people. I'd like to know if Barack Obama knew about it. I'd like to know if the corporate officials who accepted the
contract with these strings attached knew they were screwing us all over. This Reuters story makes sense of the
allegation emerging from the Snowden leaks three months ago that the NSA had spent $250 million on keeping
access to encrypted data by working with firms that provided encryption services. Presumably they have just
been ensuring that no one's encryption formula actually shields things from them.
Increasingly, firms and governments abroad would be crazy to buy encryption products
from American companies. Likewise, getting cloud services from US corporations is a way to ensure that the
US government can steal your trade secrets. And here is Pratap Chatterjee: There are three broad ways that these
software companies collaborate with the state: a National Security Agency program called Bullrun through which
that agency is alleged to pay off developers like RSA, a software security firm, to build backdoors into our
computers; the use of bounty hunters like Endgame and Vupen that find exploitable flaws in existing software like
Microsoft Office and our smartphones; and finally the use of data brokers like Millennial Media to harvest personal
data on everybody on the Internet, especially when they go shopping or play games like Angry Birds, Farmville, or
Call of Duty. ProPublica has also been reporting
--a2 unlikely
Encryption backdoors undermine cybersecurity
Sasso 4/29/14: Technology Correspondent for The National Journal, Covered tech for The Hill, researcher and writer for
Almanac of American Politics 2012, Graduated from Claremont McKenna College BA in government. (The NSA Isn't Just Spying
on Us, It's Also Undermining Internet Security, Brendan Sasso, The National Journal, April 29, 2014,
http://www.nationaljournal.com/daily/the-nsa-isn-t-just-spying-on-us-it-s-also-undermining-internet-security20140429)//chiragjain
Bolstering the nation's defenses against hackers has been one of the Obama administration's top goals.
Officials have warned for years that a sophisticated cyberattack could cripple critical infrastructure or
allow thieves to make off with the financial information of millions of Americans. President Obama pushed
Congress to enact cybersecurity legislation, and when it didn't, he issued his own executive order in 2013. "The
cyber threat to our nation is one of the most serious economic and national security challenges we
face," Obama wrote in a 2012 op-ed in The Wall Street Journal. But critics argue that the National Security Agency has
actually undermined cybersecurity and made the United States more vulnerable to hackers. "Surveillance
at the scale they want requires insecurity." At its core, the problem is the NSA's dual mission. On one hand, the agency is
tasked with securing U.S. networks and information. On the other hand, the agency must gather intelligence on foreign threats to
national security. Collecting intelligence often means hacking encrypted communications. That's nothing new for
the NSA; the agency traces its roots back to code-breakers deciphering Nazi messages during World War II. So in many ways, strong
Internet security actually makes the NSA's job harder. "This is an administration that is a vigorous defender of surveillance," said
Christopher Soghoian, the head technologist for the American Civil Liberties Union. "Surveillance at the scale they want
requires insecurity." The leaks from Edward Snowden have revealed a variety of efforts by the NSA to
weaken cybersecurity and hack into networks. Critics say those programs, while helping NSA spying, have made
U.S. networks less secure. According to the leaked documents, the NSA inserted a so-called back door into at least
one encryption standard that was developed by the National Institute of Standards and Technology. The NSA
could use that back door to spy on suspected terrorists, but the vulnerability was also available to any other
hacker who discovered it.
rejected the idea that humans are causing climate change, or that the government should take regulatory action to reduce emissions. Moniz urged immediate
action on climate change at Monday's breakfast, and noted that the QER is a part of President Obama's Climate Action Plan. "It's time to stop debating what's not
debatable," he said of global warming, referencing the broad scientific consensus that climate change is happening and is human-generated. Climate change is a
threat to energy infrastructure because planetary warming exacerbates high-intensity storms, makes water scarce, and alters weather patterns - all of which can
put unexpected strain on the US grid and can stress other critical infrastructure. Moniz said he was hopeful that efforts to curb climate change would stall
warming, diminishing the threat extreme weather poses in the future. At the same time, though, the grid is under attack from cyber threats both
domestically and around the world. Moniz emphasized that the energy sector needs to adapt to ever-changing cyber threats, so that
the industry can "stay ahead of the bad guys." As the Monitor reported in December, critical infrastructure in the US is already under
attack from hackers, and the grid would be a prime target in cyberwar. "The electric industry, in reality, has done an inadequate
job of securing the electric system," Joe Weiss, a leading expert on electric grid security, told the Monitor. "Is cyber a household word in
the electric sector? Yes. Are they trying to address cyber vulnerabilities in ways that will make sure all systems are secure? No." "So far
we have not had any major actual disruption of our energy infrastructure, but it ain't for lack of people trying," Moniz said.
More susceptible to attacks now more than ever- OPM breach proves
Johnson 15 (Steve Johnson, graduate from Auburn, reporter for WHNT news, WHNT news O.P.M. data breach affects
thousands of workers in north Alabama 7/22/15 http://whnt.com/2015/07/22/o-p-m-data-breach-affects-thousands-of-workers-innorth-alabama/)
REDSTONE ARSENAL, Ala. On any given weekday, some 40,000 people go to work at Redstone Arsenal. It's a safe bet that most of
them have had their personal information stolen. The same goes for contractors, and even families. "It's scary," says Luereen Phillips.
Luereen is an Internet Technology Specialist at Redstone's Aviation and Missile Command. It's her job to answer the questions from
fellow workers, and to even reassure them. But Luereen has her own questions, too. "What happened? What's the breakdown? There
are rules, there are policies all the way up to Congress level that mandate certain things have to happen, and they didn't happen," said
Luereen. The right things didn't happen at the Office of Personnel Management. OPM's website is covered with information
about the data breach, calling it two separate but related incidents. However it's described, it involves the
personal information from more than 21 million Americans. The most serious data stolen was that contained
on security clearance forms that are required for many types of government work. Everything from Social
Security numbers, to information on family and friends is included on the forms. People like retired Army test pilot
Pablo Herrera say they're angry. "I am, because I was under the impression I was under the belief that we were better than that, that
our security was better than that," said Pablo, who hasn't been notified yet that his information was part of the breach. Retired Lt.
General Jim Link, a former Commander for AMCOM at Redstone, is also waiting on his notification. General Link's information was
compromised because of a security clearance form filled out as a defense contractor in 2005. "When we federal employees give
all the information they ask for, with that comes trust. Trust that it's going to be protected, and when it's not
protected, we do feel violated," says General Link. The General believes what many other people believe. The OPM
database was hacked by China's government. "You know, I don't think in this particular instance it's trying to steal identity
for financial gain. I think it's more espionage," said General Link. The Office of Personnel Management makes no claim on who
might be to blame for the hack, but there is a recommendation for those affected to sign up for credit monitoring. That's the sort of data
theft people understand. "I am concerned that I'm going to look at my bank account one day, and there won't be
any money there, or somebody is going to try and steal my identity do some things that are going to affect me for a
long time," said AMCOM worker Lucinda Edwards. OPM recommends a service that covers everything from credit monitoring, to a
Social Security number trace. "Unfortunately, you have to also do your own monitoring. You've got to look at your bank accounts, even
your medical records because somebody could be using your information to go to the doctor, or in case of a crime, give them your
information instead of theirs," says Luereen Phillips. Millions of Americans now have this worry, which is likely to last
for years. They know about the hack, and they know their identity has been stolen. They just don't know who did it or why. There is a
thought they do share, though. "Somebody needs to be accountable," said Lucinda Edwards. Katherine Archuleta resigned under
pressure from her job as head of the Office of Personnel Management. Unfortunately, that doesn't change the breach, or the fact that
the affected workers will have this as part of their lives for years to come. For more information about the data hack, and
recommendations on action you can take, visit opm.gov/cybersecurity.
PLCs cause the grid to be easily vulnerable to cyber attacks and airgaps fail Stuxnet proves
McElfresh, a Ph.D. in Physics, M.A. in chemistry and a B.S. in Biochemistry, 6/18/15
(Michael McElfresh is an Adjunct Professor of Electrical Engineering at Santa Clara University where he teaches the
foundation course in the Sustainable Energy program and courses in wind power and energy storage. He is also the
Interim Lead for Power Grid R&D at Argonne National Laboratory. For the past several years he has led the Power
Grid Simulator effort and advised the Energy and Global Security directorate on power grid and other energy related
issues., published in the Conversation reprinted at scientific American,
http://www.scientificamerican.com/article/power-grid-cyber-attacks-keep-the-pentagon-up-at-night/) // RL
Why the grid so vulnerable to cyberattack Grid operation depends on control systems, called Supervisory Control
And Data Acquisition (SCADA), that monitor and control the physical infrastructure.
systems are specialized computers known as programmable logic controllers (PLCs). Initially developed by the automobile
industry, PLCs are now ubiquitous in manufacturing, the power grid and other areas of critical infrastructure, as well as
various areas of technology, especially where systems are automated and remotely controlled. One of the
most well-known industrial cyberattacks involved these PLCs: the attack, discovered in 2010, on the centrifuges the Iranians were
using to enrich uranium. The Stuxnet computer worm, a type of malware categorized as an Advanced Persistent Threat
reprogramming them in order to speed up the centrifuges, leading to the destruction of many, and yet displaying a
normal operating speed in order to trick the centrifuge operators. So these new forms of malware can not only shut things
down but can alter their function and permanently damage industrial equipment. This was also demonstrated at the now
famous Aurora experiment at Idaho National Lab in 2007. Securely upgrading PLC software and securely reprogramming
PLCs has long been of concern to PLC manufacturers, which have to contend with malware and other efforts to
defeat encrypted networks.
The oft-cited solution of an air-gap between critical systems, or physically isolating a secure
network from the internet, was precisely what the Stuxnet worm was designed to defeat.
to hunt for predetermined network pathways, such as someone using a thumb drive, that would allow the malware to move
from an internet-connected system to the critical system on the other side of the air-gap.
The IoT and Smart Grid allows tons of grid access points easier cyberattacks
McElfresh, a Ph.D. in Physics, M.A. in chemistry and a B.S. in Biochemistry, 6/18/15
(Michael McElfresh is an Adjunct Professor of Electrical Engineering at Santa Clara University where he teaches the
foundation course in the Sustainable Energy program and courses in wind power and energy storage. He is also the
Interim Lead for Power Grid R&D at Argonne National Laboratory. For the past several years he has led the Power
Grid Simulator effort and advised the Energy and Global Security directorate on power grid and other energy related
issues., published in the Conversation reprinted at scientific American,
http://www.scientificamerican.com/article/power-grid-cyber-attacks-keep-the-pentagon-up-at-night/) // RL
The growth of smart grid, the idea of overlaying computing and communications to the power grid,
has created many more access points for penetrating into the grid computer systems. Currently knowing the provenance of
data from smart grid devices is limiting what is known about who is really sending the data and whether that data is legitimate
or an attempted attack. This concern is growing even faster with the Internet of Things (IoT), because there are many different
types of sensors proliferating in unimaginable numbers. How do you know when the message from a sensor is legitimate
or part of a coordinated attack?
customers lowering their thermostat settings in a short period on a peak hot day. Defending the power grid as a whole is
challenging from an organizational point of view. There are about 3,200 utilities, all of which operate a portion of the
electricity grid, but most of these individual networks are interconnected. The US Government has set up numerous
efforts to help protect the US from cyberattacks. With regard to the grid specifically, there is the Department of
Energy's Cybersecurity Risk Information Sharing Program (CRISP) and the Department of Homeland Security's
National Cybersecurity and Communications Integration Center (NCCIC) programs in which utilities voluntarily share
information that allows patterns and methods of potential attackers to be identified and securely shared. On the
technology side, the National Institutes for Standards and Technology (NIST) and IEEE are working on smart grid and
other new technology standards that have a strong focus on security. Various government agencies also sponsor
research into understanding the attack modes of malware and better ways to protect systems. But the gravity of
the situation really comes to the forefront when you realize that the Department of Defense has stood up a new
command to address cyberthreats, the United States Cyber Command (USCYBERCOM). Now in addition to land, sea,
air, and space, there is a fifth command: cyber. The latest version of The Department of Defense's Cyber Strategy
has as its third strategic goal, "Be prepared to defend the US homeland and US vital interests from disruptive or
destructive cyberattacks of significant consequence." There is already a well-established theater of operations
where significant, destructive cyberattacks against SCADA systems have taken place. In a 2012 report, the National
Academy of Sciences called for more research to make the grid more resilient to attack and for utilities to
modernize their systems to make them safer. Indeed, as society becomes increasingly reliant on the power grid and
an array of devices are connected to the internet, security and protection must be a high priority.
South and East China seas, its expanding military assets and its use of economic clout for political ends is part of a deeply
troubling pattern. Unfortunately, President Obama's response is also apparently part of a pattern of sustained inaction. The Pentagon may be working
hard to develop offensive and defensive countermeasures, but the administration has done precious little to articulate what
America's strategy should be in response to these challenges. The president's policy silence is chilling and inexcusable. To be sure,
silence before or after a particular clandestine operation is often necessary to protect operational methods and information sources. For example, Washington
did not take direct credit, indeed did not confirm or deny its probable role, in temporarily taking down Pyongyang's Internet after
North Korea hacked into Sony Pictures six months ago. But protecting clandestine methods and sources is one thing; Obama's
policy silence is another. Americans understand how important information technology is, and society's increasingly computerized
complexity and interdependence. But they require leadership to understand how seriously we could be hurt if our IT infrastructure is
compromised. In China's case, based on a long history amply documented by the Pentagon, the People's Liberation Army is almost certainly the perpetrator of
the federal hacking, which means, to state the obvious, that Beijing sees penetrating U.S. government computers as a military capability.
Right now, our enemies are faced mostly with rhetoric, mere hand-wringing, not clear deterrence. This vacuum must be replaced by a
stated strategy, and quickly. Fortunately, once Washington concludes to its satisfaction that Beijing conducted the recent attack, the
response can include building blocks for a more comprehensive cyberwarfare strategy. First, America must create structures of
deterrence. Starting now, America's cyber response should be disproportionate. The justification for such a response is all too clear: Without it we
are facing repeated cycles of cyber incursions. To persuade Beijing and others to desist, they must believe their conduct will result in costs
that are unacceptable and unsustainable. Mere tit-for-tat responses indicate an inability or unwillingness to react more strongly and may simply tempt
aggressors into more ambitious operations. The White House considered the sanctions it ordered in response to North Korea "proportional," but compared with
the decades-old U.S. sanctions regime against the Pyongyang government, the incremental new sanctions were trivial. Nor does Obama's April 1 executive order
authorizing sanctions against other cyberattackers augur anything beyond the North Korean example. Second, U.S. retaliation must include political
and economic measures beyond the cyber realm. The latest hack was motivated by something more than theoretical curiosity about how to
penetrate foreign computer networks. China might intend to use the government personnel files for blackmail, or to understand our security clearance methods
so as to better conceal its own covert agents. Accordingly, Washington's response must go well beyond simply inflicting pain on China's computer networks.
Beijing's ambassador, and other Chinese diplomats in America (especially anyone connected with Chinese intelligence), should be declared persona non grata
and sent home. Travel restrictions should be imposed on those remaining, and on personnel at Beijing's United Nations mission. All
military-to-military programs should be terminated or suspended indefinitely. Economically, the U.S. must retaliate strongly
against entities that support or are controlled by the PLA, especially those related to computers and communications. The latest
attack exposes a related U.S. vulnerability: the extent to which our cyber infrastructure derives from components manufactured in
China. That supply chain must now come under scrutiny, with greater reliance, for example, on companies that keep their production facilities elsewhere. There
is obviously risk in any strong response to a cyberattack. But if America is unwilling to defend itself when the costs and risks are relatively low, there is no reason
for Beijing and others to think it will do so when the potential consequences are far greater. North Korea's attack on Sony Pictures was a wake-up call. China's
apparent capture of U.S. government personnel records is like being upended out of bed to the floor. What else is it going to take?
national security challenges we face. So far, no one has managed to seriously damage or disrupt our critical infrastructure
networks. But foreign governments, criminal syndicates and lone individuals are probing our financial,
energy and public safety systems every day. Last year, a water plant in Texas disconnected its control system from the
Internet after a hacker posted pictures of the facility's internal controls. More recently, hackers penetrated the networks of
companies that operate our natural-gas pipelines. Computer
The Islamic State in Syria and Iraq (ISIS) could make the leap to serious cyberattacks in the coming months, said
a retired top lawmaker and former high-ranking intelligence official. "I've been surprised it hasn't happened yet," said
Michael Hayden, a previous director of both the CIA and National Security Agency. "They're really good on the net.
They're on the cutting edge of using social media," said former House Intelligence Committee Chairman Mike Rogers
(R-Mich.), who just retired from Congress. The two men were speaking at a Bipartisan Policy Center event. A pro-ISIS hacking
group has been linked to Monday's takeover of the U.S. Central Command (Centcom) Twitter and
YouTube accounts. For 30 minutes, digital vandalizers tweeted out stolen military documents and posted
ISIS propaganda videos. The incident highlighted the extremist group's developing cyber abilities. ISIS's
digital savvy separates it from al Qaeda, which was mostly aspirational when it came to the cyber arena, Rogers said. "We saw that
al Qaeda groups were advertising for people with the capability to conduct cyberattacks," he said. "Which told us they had the
aspiration to do it." "You see something different in ISIS," he added. Rogers said the group has already successfully pulled off a
number of pretty simple distributed denial of service (DDoS) attacks, in which hackers overwhelm a website with traffic to shut it
down. The next step would be a destructive cyberattack, in which data or physical equipment is destroyed.
The recent Sony Pictures hack, which destroyed the company's internal data, dramatically revealed the
widespread ramifications of a destructive cyber hit. The FBI blamed North Korea for the Sony incident. "Can ISIS get
from that aspirational stage to that operational stage?" Rogers asked. "I don't think they're there yet." However, they could do it, he
added. "You can make this leap pretty easily." Hayden wondered why ISIS hasn't already taken the leap. He speculated, "it may not
be the kind of heroic destruction that fits the model." Hayden pointed to ISIS criticism of the U.S. for using remotely operated drones,
which ISIS sees as an unheroic and unmanly way of fighting one's enemies. "A cyberattack would be the ultimate in
remote creation of destruction," Hayden added. "Maybe it just doesn't fit the style." But both former government
leaders agreed the group will eventually make the transition to destructive digital assaults. "I worry about
that," Rogers said. "I would begin to worry about it in the weeks and months ahead."
Major cyber-attack on health agencies this year results in more than 84.5 million people affected
Terhune, healthcare researcher and writer, 7/27/15
(Chad Terhune, LATimes, http://www.latimes.com/business/la-fi-ucla-medical-data-20150717-story.html)RL
Marking another high-profile data breach, hackers broke into UCLA Health System's computer network and may have accessed sensitive
information on as many as 4.5 million patients, hospital officials said. This cyberattack at UCLA comes on the heels of a major breach of
federal employee records and a massive hack at health insurance giant Anthem Inc. affecting 80 million Americans this year. The
intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical
records and other sensitive data they are stockpiling. The revelation that UCLA hadn't taken the basic step of encrypting this patient data
drew swift criticism from security experts and patient advocates, particularly at a time when cybercriminals are targeting so many big players in
healthcare, retail and government. "These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak
links," said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas. UCLA said Friday that it's working with the FBI and had hired computer forensic
experts to further secure its network. The university said there was no evidence yet that patient data were taken, but it can't rule out that possibility while the
investigation continues. "We take this attack on our systems extremely seriously," said Dr. James Atkinson, interim president of the UCLA Hospital System. "For
patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened." Atkinson said the hospital detected unusual
activity on one of its computer servers in October and began investigating with help from the FBI. It wasn't until May 5, according to UCLA, that investigators
determined that the hackers had gained access to parts of UCLA Health's computer network where some patient information was
stored. Those parts of the network contained names, dates of birth, Social Security numbers, Medicare and health plan identification
numbers as well as some medical information such as patient diagnoses and procedures. The unauthorized access could have begun in September
2014, UCLA said, and some of the patient information dates to 1990. Atkinson said it doesn't appear that credit card and other financial information was involved.
"They are a highly sophisticated group [of hackers] likely to be offshore," he said. "We really don't know. It's an ongoing investigation." An FBI
spokeswoman said the agency "is looking into the nature and scope of the matter, as well as the person or group responsible" for the UCLA breach. UCLA said
that prior to the attack on its system it had been taking steps and spending tens of millions of dollars to strengthen its computer security. It added that it has
successfully thwarted hacker attacks in the past. But some security experts were unimpressed. They questioned the lack of encryption at UCLA in
light of other breaches across the country. Anthem faced similar criticism over its failure to encrypt the information that was exposed to hackers during
its cyberattack. "Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted," said Igor Baikalov, chief
scientist at Securonix, a data security firm in Los Angeles. "If our premium universities don't learn from experience, what can we expect from other, less-learned
organizations?" Mark Savage, a health information technology expert at the National Partnership for Women & Families, a nonprofit advocacy group in
Washington, said it's too early to assess UCLA's digital defenses until more details are known about what the hackers did and what protections were in place.
The UC system vowed Friday to learn from the UCLA incident and fortify its defenses across all of its universities and hospitals. In a statement, the university
system said President Janet Napolitano has established an external cybersecurity group that will examine the "security posture across the UC system" and
"assess emerging threats and potential vulnerabilities." Atkinson said the UCLA breach illustrates one potential drawback to the nation's push to ditch paper
records and digitize patient information in giant databases. "We live in a digital age which brings tremendous benefits," he said. "But electronic health records
come with the risk of this." UCLA said it's sending letters to affected patients, which include many of its own staff and faculty. The university is offering a year of
identity-theft protection as well as a year of credit monitoring to people who had their Social Security or Medicare ID numbers stored on the compromised
network. For more information, people can contact UCLA at (877) 534-5972 or check the website www.myidcare.com/uclaprotection. Federal health officials
investigate breaches of patient privacy and can levy significant fines for violations under the Health Insurance Portability and Accountability Act, also known as
HIPAA. The UCLA Health System found itself at the center of a scandal in 2008 involving workers who snooped into the medical records of Britney Spears,
Farrah Fawcett and Maria Shriver, among others. One former employee was convicted of selling celebrity medical information to the National Enquirer. UCLA
agreed to pay $865,500 as part of a settlement with federal regulators.
--a2 sq solves
The US is not prepared for cyberattacks, ex-NSA chief warns
Bennett, a cyber and technology researcher, quoting the ex-NSA chief, 11/14/14
(Cory Bennett, The Hill, http://thehill.com/policy/cybersecurity/224181-ex-nsa-chief-warns-us-not-prepared-for-cyber-attacks)
Destructive cyberattacks targeting the United States are a looming threat for which the country is not adequately prepared, a key
lawmaker and a former director National Security Agency (NSA) said Friday. A recent cyberattack that wiped out data on three-fourths of
the oil company Saudi Aramco's computers should stand as a wake-up call for the United States, said former NSA Director Keith
Alexander. "This is a whole new ballgame," Alexander said at a Bloomberg event Friday. "One that, quite frankly, as a country, I don't think we're
prepared for." In August, Iranian hackers unleashed what is thought to be the most destructive cyberattack to date. On a day when most
Saudi Aramco employees stayed home to prepare for a religious holiday, a hacker planted a virus into the company's networks, wiping out
documents, spreadsheets and emails. In their place, the virus left an image of a burning American flag. "These are the kinds of
concerns that our country as a whole needs to look at," Alexander said. House Homeland Security Committee Chairman Michael McCaul (R-Texas) said these
are the type of attacks that keep him up at night. "It's the ability to shut things down, power grid, water supply, critical infrastructure," he told
a crowd at the Council on Foreign Relations on Thursday night. "It's that ability that Iran's trying to develop that concerns me." And it's not just Iran.
McCaul described a recent classified briefing on cyber threats from Russia. "We're seeing an evolving trend that's coming out of
countries like Russia," he said. "It's not only theft or espionage, but rather a destructive threat." Any attack resembling the Saudi
Aramco sabotage would have huge consequences on any portion of our government, Alexander said. Both McCaul and Alexander have been
strong proponents of enhancing cyber threat information sharing between the government and private sector. The Senate is currently considering the
Cybersecurity Information Sharing Act (CISA), its version of a bill the House Intelligence Committee passed last year. The bill would enable critical infrastructure
companies to exchange cyber information with the NSA and other intelligence agencies. Privacy advocates have urged the White House to veto the bill,
concerned it would allow the government to collect personal information on Americans. McCaul has been pushing his own House-passed cyber information
sharing bill, developed in his Homeland Security Committee. His bill would direct the private sector to swap cyber threat information with the Department of
Homeland Security. "These are very serious issues and I don't think many members of Congress understand the gravity," McCaul said. "If a greater attack
occurs, it's going to be on the head of Congress for not acting."
What is critical infrastructure? The National Strategy for Homeland Security deems 13 infrastructure sectors critical to the United States; see Table
1 (DHS [18]). These include sectors such as Government and Public Health, but a number, such as Transportation and Information and
Telecommunications, comprise physical systems that connect components of our economy: In essence, they enable the transfer and
distribution of our economy's life forces. We focus on defending this type of infrastructure from attacks by terrorists, but we believe
almost any type of critical infrastructure deserves analysis with the techniques we describe. Any critical infrastructure system represents a huge investment of our
nation's wealth, and minor disruptions to such a system's components (these disruptions can be random or deliberate) can severely degrade
its performance as well as the performance of dependent systems. For instance, a massive power outage can result from the failure of just a few
key lines and protective circuit breakers (U.S.-Canada Power System Outage Task Force [39]). The direct effect is to interrupt the energy supply to residential
and industrial customers, but all other infrastructure systems listed in Table 1 will be affected if the power outage lasts long enough. So, how do we carry out a
vulnerability analysis when terrorist attacks are the key concern? That is, how do we analyze the vulnerability of a critical infrastructure system to a
terrorist attack, or set of coordinated attacks, and make informed proposals for reducing that vulnerability? Most infrastructure systems are engineered to handle
disruptions that result from accidents, or from random acts of nature, with little or no degradation in performance. Real-time reliability assessment of an electric
power grid pronounces the system robust if no crippling single point of failure exists (e.g., Wood and Wollenberg [44]). Analysts of transportation systems,
power plants, and other infrastructure often use fault trees to assess vulnerability (Roberts et al. [34]). Such an assessment helps identify minimal sets of events,
or cutsets, that are most likely to disrupt the system, and pronounce the system robust if their combined probability is sufficiently low. This assessment can
suggest changes to the system to improve robustness, and the overall methodology can be used to evaluate alternative system configurations proposed by the
analyst. However, infrastructure that resists single points of random failure, or whose cutsets have low occurrence probabilities, may not survive a malicious,
intelligent attack. For example, a lone attacker with a high-powered rifle could gravely damage an entire electric power grid by targeting
highly reliable components at just a few key substations. (We reach this conclusion from our own analyses of electric power grids and from reports
of gunfire disabling a substation; see Wallace [41].) Also, cutsets that are likely to occur due to random causes may not share any similarities to the cutsets that
an attacker will likely find. An analyst might attempt a fault-tree assessment of a system subject to attack by guessing at the probability that each individual
component might be attacked. In fact, such analysis is practiced (Garcia [22]), but the results must be classified as guesses. We require a new paradigm for
vulnerability analysis. The new paradigm must account for an adversary's ability to collect information about an infrastructure system and use that information to
identify weak spots in the system's architecture. A captured Al Qaeda training manual (Department of Justice [19]) advises: "Using public
sources openly and without resorting to illegal means, it is possible to gather at least 80% of information about the enemy." We
interpret that statement to mean: It is possible to gather, from public sources, at least 80% of the information needed to plan a
highly disruptive attack on an infrastructure system. Our experience indicates that one can often find all the information necessary to plan such an
attack. Our backgrounds compel us to ask how a military analyst, faced with an intelligent enemy, would approach vulnerability analysis for military infrastructure.
First, the analyst would assume that our infrastructure will be attacked and that we must take steps to protect it, i.e., harden the infrastructure or improve its
active defenses. The budget for hardening or actively defending infrastructure will always be limited. So, typically, the analyst would be instructed to create a
prioritized list of defended assets most in need of protection, along with a list of potential defensive measures, and deliver those lists to higher-level decision
makers. The latter parties would make the final decisions after balancing costs, effectiveness, and intangibles, and after determining the true budget (which may
be monetary or may be the number of aerial sorties, cruise missiles, tanks, etc., that can be spared for defensive purposes). Table 2 shows the doctrinal
components that the U.S. Army uses to guide the prioritization of its defended assets (as well as its enemies). Any person who has had a course in discrete
optimization understands the fundamental flaw in the concept and use of a prioritized list. In addition to that shortcoming of the nominal military approach, we see
that the civilian problem itself differs from the military one: almost every civilian U.S. asset is susceptible to surveillance or attack, and is
thus vulnerable; no matter how hard it is to recover from
inflicted damage, we will, eventually, reconstitute and recover; and military planners have vast experience in determining the likelihood of alternative attacks;
homeland-security planners do not. Thus, we must plan for what is possible, rather than what subjective assessments indicate is likely. In fact, normally, we do
not try to measure the importance, or value, of an asset directly. Rather, we model a complete infrastructure system, its value to society, and how losses of the
system's components reduce that value, or how improvements in the system mitigate against lost value. The exact meaning of value will depend on the system
under investigation: It may mean economic output, time to detection of a toxic substance, etc., and sometimes cost, the converse of value, will be a more
convenient yardstick
(Brown et al.: Analyzing the Vulnerability of Critical Infrastructure to Attack and Planning Defenses, p. 104, Tutorials in Operations Research, © 2005 INFORMS)
Table 2. Criteria for prioritizing defended assets (Department of the Army [20, 21]).
Criticality: How essential is the asset?
Vulnerability: How susceptible is the asset to surveillance or attack?
Reconstitutability: How hard will it be to recover from inflicted damage, considering time, special repair equipment, and manpower required to restore normal operation?
Threat: How probable is an attack on this asset?
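The gap this card describes between fault-tree cutset ranking and planning for "what is possible" can be worked through on a small grid. The Python below is an added example, not code from Brown et al.; the eight-line, two-substation topology, the component names and the failure probabilities are all constructed for illustration.

```python
"""Fault-tree cutset ranking vs. worst-case cutset on a toy grid.

Constructed example: topology, component names and probabilities are
assumptions made for illustration, not data from any real system.
"""
from itertools import combinations
from math import prod

# Random-failure probability per component (constructed values).
# Lines fail comparatively often; the two substations are highly reliable.
FAIL_PROB = {
    "L1": 0.02, "L2": 0.02, "L3": 0.02, "L4": 0.02,
    "L5": 0.02, "L6": 0.02, "L7": 0.02, "L8": 0.02,
    "X": 1e-4, "Y": 1e-4,
}

# Every route from generation to load, listed as the components it needs.
PATHS = [
    ("L1", "X", "L3"),
    ("L2", "X", "L4"),
    ("L5", "Y", "L6"),
    ("L7", "Y", "L8"),
]


def is_cut(removed):
    """True if losing every component in `removed` breaks all supply paths."""
    return all(any(c in removed for c in path) for path in PATHS)


def minimal_cutsets():
    """Enumerate minimal cutsets by brute force, smallest sets first."""
    components = sorted(FAIL_PROB)
    found = []
    for size in range(1, len(components) + 1):
        for combo in combinations(components, size):
            candidate = frozenset(combo)
            # Skip supersets of a cutset already found: they are not minimal.
            if is_cut(candidate) and not any(m <= candidate for m in found):
                found.append(candidate)
    return found


def random_failure_prob(cutset):
    """Probability that all components of a cutset fail independently."""
    return prod(FAIL_PROB[c] for c in cutset)


def fault_tree_ranking(cutsets):
    """Cutsets ordered most-likely-first under random failure."""
    return sorted(cutsets, key=random_failure_prob, reverse=True)


def system_failure_estimate(cutsets):
    """Rare-event approximation: sum of the cutset probabilities."""
    return sum(random_failure_prob(c) for c in cutsets)


def single_points_of_failure(cutsets):
    """Cutsets of size one, the only thing an N-1 reliability check looks for."""
    return [c for c in cutsets if len(c) == 1]


def worst_case_cutset(cutsets):
    """Cutset needing the fewest simultaneous losses, ignoring likelihood."""
    return min(cutsets, key=len)


if __name__ == "__main__":
    cutsets = minimal_cutsets()
    ranking = fault_tree_ranking(cutsets)
    print("minimal cutsets:", len(cutsets))
    print("single points of failure:", single_points_of_failure(cutsets))
    print("estimated random system failure: %.3g" % system_failure_estimate(cutsets))
    print("most likely random cutset:", sorted(ranking[0]))
    print("least likely random cutset:", sorted(ranking[-1]))
    print("worst-case cutset to harden first:", sorted(worst_case_cutset(cutsets)))
```

The reliability view passes this grid (no single point of failure, tiny combined cutset probability), yet the cutset it ranks last is the one that needs the fewest simultaneous losses, so that pair of substations is where a defender's hardening budget belongs.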
action is not
enough to protect the public. We also need effective defensive measures for our critical
infrastructure, starting with the grid upon which modern life depends. Unfortunately, electric
grid security is weak, and the regulatory process is failing. The vulnerability of America's
electric grid is well-known. In March 2014, a leaked staff analysis from the Federal Energy Regulatory
Commission (FERC) revealed that an attack on only nine critical transformer substations could
bring down our continental grid for 18 months. According to this federal grid regulator, an attack on
just four substations could black out the grid from the Rocky Mountains to the East Coast. An attack on just
three could black out California and 10 other western states. Replacing the custom-made transformers to
restore power would take months, using equipment primarily from foreign suppliers.
Mello 5/17/13: Freelance technology and security writer and editor. Government Security News Magazine, PCWorld,
TechNewsWorld Part of ECT News Network, largest e-publisher for the US, myTech blog SmallBizResource operated by CMP
Publications, Digital Shot Blog for photographic enthusiasts hosted by Creative Weblogging, white papers and special projects for
Triangle Publishing, conference calls for CBN. Managing editor for JupiterMedia --- cited for exceptional quality by CEO, Freelance
for Boston Globe, CFO Magazine, CMP, Boston Herald. Managing editor for Boston Phoenix, Boston Business Journal. Editor for
Camden Communications, Wayne Greene, Wayne Green Publications, Reporter for State House News Service. Studies at
Northeastern University. (Nation's critical infrastructure cyber defenses weak, DHS tells hearing, John P. Mello Jr., May 17, 2013
8:00 AM PT, CSO Online, http://www.csoonline.com/article/2133462/data-protection/nation-s-critical-infrastructure-cyberdefenses-weak--dhs-tells-hearing.html)//chiragjain
The nation's
general for the U.S. Department of Homeland Security, told a Congressional committee
at a public hearing on Thursday. Since 1990, Industrial Control Systems (ICS), which are used to
manage components of the country's critical infrastructure, have been connecting to the
Internet
to improve their operations, Edwards explained in written testimony submitted to the House Subcommittee on
If hackers shut down much of the electrical grid and the rest of the critical infrastructure goes
with it ... If we are plunged into chaos and suffer more physical destruction than 50 monster
hurricanes and economic damage that dwarfs the Great Depression ... Then we will wonder why we failed to
guard against what outgoing Defense Secretary Leon Panetta has termed a "cyber-Pearl Harbor." "An aggressor nation or extremist group
could use these kinds of cybertools to gain control of critical switches," Panetta said in a speech in October. "They could derail passenger trains
or, even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water
supply in major cities or shut down the power grid across large parts of the country." And Panetta was hardly being an
alarmist. He could have added that cybersecurity experts such as Joe Weiss of Applied Control Solutions suggest a full-on cyberattack would
seek not simply to shut down systems, but wreck them [systems], using software to destroy hardware. Some believe we could
then be sent into chaos not just for days or even weeks, but for months. The mother of all nightmare scenarios would see
electric, oil, gas, water, chemical, and transit, our entire essential infrastructure, knocked
out as we sought to replace equipment that can take more than a year to manufacture and is in many cases no longer made in the U.S. Lights would
stay out. Gas stations would be unable to pump and would have nothing to pump anyway. There would be no heat, no fuel, in many places
no running water, no sewage treatment, no garbage, no traffic lights, no air-traffic control, minimal
communication, and of course, no Wi-Fi. Neighborhoods around chemical plants could become Bhopals. But Panetta was scary enough as he
issued his warning at a gathering of Business Executives for National Security, appropriately held at the Intrepid Sea, Air, and Space Museum in New
York, on a decommissioned aircraft carrier built in the immediate aftermath of the Japanese attack on Pearl Harbor. The ship was hurried into action
and survived multiple kamikaze attacks as well as being torpedoed. Panetta now spoke aboard it of a new kind of threat not on land or sea or in the air,
but in cyberspace. "A destructive cyberattack could paralyze the nation," Panetta said. As it happens, the Intrepid is docked
directly across 12th Avenue from the consulate general of the People's Republic of China. The public was still five months away from learning via The
New York Times of another Chinese government building, this the Shanghai headquarters of the People's Liberation Army Unit 61398, which
apparently has been busy hacking extensively into American infrastructure. Panetta no doubt was well aware of 61938 and similar units at other
nations, as well as hackers in extremist groups. "We
seeking to create advanced tools to attack these systems and cause panic, destruction, and even the loss of life." He could have spoken of
a 2007 experiment at Idaho National Laboratory, where researchers staged an experimental cyberattack that
succeeded in commanding a power-station generator to destroy itself. He instead chose a more recent and
dramatic example--an actual attack using a virus called Shamoon to wreck 30,000 computers at the Saudi oil company Aramco.
It's very hard to overstate how important the US power grid is to American society and its economy. Every critical infrastructure,
from communications to water, is built on it and every important business function from banking to milking cows is completely
dependent on it. And the dependence on the grid continues to grow as more machines, including equipment on the power
grid, get connected to the Internet. A report last year prepared for
the grid to a long-term power outage, saying For those who would seek to do our Nation significant physical, economic,
and psychological harm, the electrical grid is an obvious target. The damage to modern society from an extended power outage
can be dramatic, as millions of people found in the wake of Hurricane Sandy in 2012. The Department of Energy earlier this
year said
cybersecurity was one of the top challenges facing the power grid, which is exacerbated by the interdependence
between the grid and water, telecommunications, transportation, and emergency response systems. So what are modern grid-dependent societies up against? Can power grids survive a major attack? What are the biggest threats today? The
grid's vulnerability to nature and physical damage by man, including a sniper attack in a California substation in 2013, has
been repeatedly demonstrated. But it's
the threat of cyberattack that keeps many of the most serious people up at night,
Cyber-attack would destroy the economy, government, and all U.S. critical
infrastructure
Palmer 8/31/13: B.A., May 2000, University of Minnesota, Duluth J.D., December 2005, Marquette Law School, Peer
Reviewed by Faculty of The George Washington University Law School in partial satisfaction of the requirements for the degree of
Master of Laws, Thesis directed by Gregory E. Maggs Professor of Law, Co-director, National Security and U.S. Foreign Relations
Law Program. Palmer serves in the U.S. Air Force Judge Advocate General's Corps. This paper was submitted in partial satisfaction
of the requirements for the degree of Master of Laws in National Security and Foreign Relations at The George Washington
University Law School. (Critical Infrastructure: Legislative Factors for Preventing a Cyber-Pearl Harbor, Robert K. Palmer,
August 31, 2013, pp 4.)//chiragjain
Warnings about the possibility of a cyber-Pearl Harbor attack on our nation's vulnerable critical
infrastructure have been promulgated with increased frequency over the past several years. In fact, the systems
vital to the everyday operation of our government, economy and well-being are already under attack, and
trends indicate that these attacks will continue to increase in number. The current state of cyber
vulnerability in critical infrastructure makes it not a matter of if a component of critical infrastructure
will be taken out, but rather a matter of when, and the possibility exists that several such attacks
could be chained together in such a way to cause destruction and death on a scale that could paralyze
the nation.
Attacks on critical infrastructure devastate the economy and national security - consensus of
defense experts
Rollins and Henning 9 <John Rollins, Specialist in Terrorism and National Security, and Anna C. Henning, Legislative
Attorney, 3/10/2009, Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations, p. 2-4,
Congressional Research Service, http://www.law.umaryland.edu/marshall/crsreports/crsdocuments/R40427_03102009.pdf>//wx
Threats to the U.S. cyber and telecommunications infrastructure are constantly increasing and evolving as are the entities that show
interest in using a cyber-based capability to harm the nation's security interests. Concerns have been raised since the 1990s regarding the use of the internet
and telecommunications components to cause harm to the nation's security interests. Activities producing undesirable results include unauthorized
intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications
devices to corrupt data or cause infrastructure components to operate in an irregular manner. Of paramount concern to the national and homeland
security communities is the threat of a cyber related attack against the nation's critical government infrastructures -- systems and
assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national public health and safety, or any combination of those
matters. Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment
as examples of telecommunications based threats to physical infrastructures. In response, the Department of Energy conducted an experiment in
2007 in which the control system of an unconnected generator, containing similar components as that of larger generators connected
to many power grids in the nation supplying electricity, was damaged and became inoperable. While data from federal agencies demonstrate
that the majority of attempted and successful cyber attacks to date have targeted virtual information resources rather than physical infrastructures, many
security experts are concerned that the natural progression of those wishing to harm U.S. security interests will transition from
stealing or manipulating data to undertaking action that temporarily or permanently disables or destroys the telecommunication network or
affects infrastructure components. Many security observers agree that the United States currently faces a multi-faceted, technologically
based vulnerability in that our information systems are being exploited on an unprecedented scale by state and non-state actors [resulting
in] a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities, and weak situational awareness. This, coupled with
security observers' contention that the United States lacks the capability to definitively ascertain perpetrators who might unlawfully
access a database or cause harm to a network, leaves the nation increasingly at risk. It also causes acts or discussions related to deterring
cyberattacks to be ignored or negated by entities exploiting known or newly found vulnerabilities. Prominent national security experts have emphasized the
vulnerability of U.S. infrastructures. As recently as January 2009, former Director of National Intelligence (DNI) Mike McConnell equated cyber
weapons with weapons of mass destruction when he expressed concern about terrorists' use of technology to degrade the nation's
infrastructure. In distinguishing between individuals gaining access to U.S. national security systems or corporate data for purposes of exploitation for
purposes of competitive advantage, former Director McConnell noted that terrorists aim to damage infrastructure and that the time is not too far
off when the level of sophistication reaches a point that there could be strategic damage to the United States. Similarly, in elaborating on
the potential consequences of a cyber attack, newly confirmed DNI Dennis Blair offered the following statement during the Annual Threat Assessment of the
Intelligence Community for the Senate Select Committee on Intelligence: Growing connectivity between information systems, the Internet, and
other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, energy pipelines,
refineries, financial networks, and other critical infrastructures. Over the past several years we have seen cyber attacks against
critical infrastructure abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts. A successful
attack against a major financial service provider could severely impact the national economy, while cyber attacks against physical
infrastructure computer systems such as those that control power grids or oil refineries have the potential to disrupt services for hours to
weeks.
facilities more efficient and more productive. But the same connectivity that managers use to collect data
and control devices allows cyber attackers to get into control system networks to steal sensitive
information, disrupt processes, and cause damage to equipment. Hackers, including those in China, Russia and
the Middle East, have taken notice. While early control system breaches were random, accidental infections, industrial
control systems today have become the object of targeted attacks by skilled and persistent adversaries.
Industrial control systems are being targeted The recently discovered Industrial Control System modules of the
HAVEX trojan are one example. The malware infiltrated an indeterminate number of critical facilities by attaching itself to software
updates distributed by control system manufacturers. When facilities downloaded the updates to their network, HAVEX used open
communication standards to collect information from control devices and send that information to the attackers for analysis. This
type of attack represents a significant threat to confidential production data and corporate intellectual
property and may also be an early indicator of an advanced targeted attack on an organization's
production control systems. Other hacks represent a direct threat to the safety of U.S. citizens. Earlier this
year, the FBI released information on Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United
States. While the FBI suspects this was a scouting mission, Ugly Gorilla gained the cyber keys necessary for access to systems that
regulate the flow of natural gas. Considering that cyber attackers are numerous and persistent -- for every one you see
there are a hundred you don't -- those developments should sound alarms among executives at companies using industrial controls
and with the people responsible for protecting American citizens from attacks. To their credit, both businesses and the
U.S. government have begun to take action; however, neither is adequately addressing the core of the
issue.
vulnerable to the exact same meltdown situation, except at 124 separate nuclear reactors throughout
the country. If anything should happen to our nation's poorly protected electric power grid, these
reactors have a high likelihood of failure, say experts, a catastrophic scenario that would most likely lead
to the destruction of all life on our planet, including humans. Though they obviously generate power
themselves, nuclear power plants also rely on an extensive system of power backups that ensure the constant flow of
cooling water to reactor cores. In the event of an electromagnetic pulse (EMP), for instance, diesel-powered backup
generators are designed to immediately engage, ensuring that fuel rods and reactor cores don't overheat and melt,
causing unmitigated destruction. But most of these generators were only designed to operate for a maximum
period of about 24 hours or less, meaning they are exceptionally temporary in nature. In a real emergency situation, such as
one that might be caused by a systematic attack on the power grid, it could take days or even weeks to bring
control systems back online. At this point, all those backup generators would have already run out of fuel, leaving
nuclear reactors everywhere prone to meltdowns.
destructive as a physical attack. The constant innovations of technology is pushing the limits of progress, thus allowing computer
technology to be utilized as a destructive weapon. To provide an analogy from the realm of physical warfare, tanks and aircraft carry weapons;
likewise, malware or software can be crafted to carry weapons in the cyber (or cyber-physical) landscape (Giesen, 2013). There must also be consideration that
a cyberwar is unlike a conventional war and can be an asymmetric war. An asymmetric war can be referred to as an Irregular Warfare or Unconventional
Warfare [which] is war between a dominant force and a smaller force where the smaller force uses indirect or guerrilla tactics rather than to engage in force-on-force battles (Andress & Winterfeld, 2011, p. 10). This can occur if a surprise attack is successful and the defending party is never able to go on the offensive,
allowing the initial attacker to gain battle superiority. This dynamic is prominent in cyberspace where there exists a high probability of asymmetric war. This
occurs when two cyber armies are engaged in warfare, whether it is major super powers such as the United States, China, and Russia or non-affiliated
organizations including terrorist and hacktivist groups (Giesen, 2013). In war there exists a term called the sub rosa conflict which can be defined as a hidden
war, where the aggressor and the defender are trying to stay out of the public eye (Giesen, 2013). In the past, the Cold War and parts of America's entry into
World War II were part of the sub rosa conflict. During World War II, U-boat attacks by Germany on the U.S. were part of this conflict known as the Battle of the
Atlantic that resulted in the destruction of an estimated 3,000 ships (Battle of the, n.d.). The U-boat attacks against the U.S. were concealed with little information
available to the media. The U.S. government attempted to devalue operations against the U.S. with the propaganda slogan Loose Lips Sink Ships (Loose Lips
Sink, 1997). There are various effects of a sub rosa conflict. First, there is the spillover effect that will occur if information of the conflict goes
public. The result of a cyber-conflict going public could lead to repercussions, possibly with a cyberwar escalating into a physical
war. Another effect is how far the conflict affects the legal limits each party is willing to stretch. This entails the degradation of legal means to end a conflict.
offensive cyber operations. The argument here is not to suggest a similarity between the weapons themselves, but to identify
correctly the very close relationship between cyber operations and nuclear weapons planning. Thus the lack of restraint in cyber
weapons might arguably affect (destabilize) pre-existing agreements that constrain nuclear weapons deployment and possible
use. The cyber superiority of the United States, while legal and understandable, is now a cause of strategic instability between nuclear armed powers. This is
similar to the situation that persisted with nuclear weapons themselves until 1969 when the USSR first proposed an end of the race for the technological frontier
of potential planetary devastation. After achieving initial capability, the U.S. nuclear missile build up was not a rational military response to each step increase in
Soviet military capability. It was a race for the technological frontier by both sides with insufficient recognition of the consequences. This conclusion was
borne out by a remarkable Top Secret study commissioned in 1974 by the U.S. Secretary of Defense, Dr James Schlesinger. By the time it was completed and
submitted in 1981, it assessed that the nuclear arms build-up by both sides was driven not by a supposed tit for tat escalation in capability of deployed military
systems but rather by an unconstrained race for the technological limits of each side's military potential and by its own military doctrinal preferences. The
decisions of each side were not for the most part, according to this now declassified study, a direct response to particular systems that the other side was
building. In 1969, the USSR acted first to propose an end to the race for the technological frontier of nuclear weapons because it knew it was losing the contest
and because it knew there was political sentiment in the United States and in its Allied countries that supported limitations on the unbridled nuclear fetish. As we
ponder the American cyber industrial complex of today, we see a similar constellation of opposition to its power emerging. This constellation includes not just the
political rivals who see they are losing in cyber space (China and Russia), but nervous allies who see themselves as the likely biggest victims of the American
race for cyber superiority, and loyal American military commanders who can see the risks and dangers of that quest. It is time for the United States to take stock
of the collateral damage that its quest for cyber military power, including its understandable quest for intelligence superiority over the terrorist enemy, has caused
amongst its allies. The loss has not yet been seen at the high political level among allies, in spite of several pro forma requests for information from countries
such as Germany. The loss of U.S. credibility has happened more at the popular level. Around the world, once loyal supporters of the United States in its war on
terrorism had a reasonable expectation to be treated as faithful allies. They had the expectation, perhaps naive, that privacy was a value the Americans shared
with them. They did not expect to be subject to such a crude distinction (you are all non-Americans now). They did not want to know that their entire personal
lives in cyber space are now recoverable should someone so decide by the running of a bit of software in the NSA. After the Prism revelations, so many of
these foreign citizens with an internationalist persuasion and solidarity for the United States now feel a little betrayed. Yet, in the long run, the most influential
voice to end the American quest for cyber military superiority may come from its own armed forces. There are military figures in the United States who have had
responsibility for nuclear weapons command and control systems and who, in private, counsel caution. They advocate the need to abandon the quest
for cyber dominance and pursue a strategy of mutual security in cyber space though that has yet to be defined. They cite military
exercises where the Blue team gets little or no warning of Red team disruptive cyber attack on systems that might affect critical
nuclear command and control or wider war mobilization functions. Strategic nuclear stability may be at risk because of
uncertainty about innovations in cyber attack capability. This question is worth much more attention. U.S. national security strategy in
cyber space needs to be brought under stronger civilian oversight and subject to more rigorous public scrutiny. The focus on Chinese
cyber espionage has totally preempted proper debate about American cyber military power. Most in the United States Congress have lined up to condemn
Snowden. That is understandable. But where are the critical voices looking at the bigger picture of strategic instability in cyberspace that existed before Snowden
and has now been aggravated because of him? The Russian and Chinese rejections of reasonable U.S. demands for Snowden's extradition may be every bit as
reasonable given their anxiety about unconstrained American cyber superiority.
military's ability to retaliate with cyber weapons, a capability he hopes will help deter attacks. The strategy
presents a potentially far more muscular role for the U.S. military's cyber warriors than the Pentagon was willing to acknowledge in
its last strategy rollout in 2011 and singles out threats from Russia, China, Iran and North Korea. "The United States must be
able to declare or display effective response capabilities to deter an adversary from initiating an
attack," according to a copy of the document, obtained by Reuters ahead of its release. The Defense Department, it said,
must develop "viable cyber options" as part of the full range of tools available to the United States during heightened
tensions or outright hostilities. It should be able to use cyber tools to disrupt an enemy's command of networks,
military-related critical infrastructure and weapons capabilities.
(NATO agrees cyber attack could trigger military response, Adrian Croft, September 5, 2014: 8:02 am EDT, Reuters,
http://www.reuters.com/article/2014/09/05/us-nato-cybersecurity-idUSKBN0H013P20140905)//chiragjain
NATO leaders agreed on Friday that a large-scale cyber attack on a member country could be considered an
attack on the entire U.S.-led alliance, potentially triggering a military response. The decision
marks an expansion of the organisation's remit, reflecting new threats that can disable critical
infrastructure, financial systems and government without firing a shot. "Today we declare that cyber defence is
part of NATO's core task of collective defence," NATO Secretary-General Anders Fogh Rasmussen told a news
conference. In 2007, a series of crippling cyber attacks paralysed much of NATO member Estonia in an apparent
response to a dispute over the movement of a Soviet-era war memorial. Most Western experts suspected the Kremlin was
responsible but Russia denied it.
central part of virtually all crisis and conflicts, NATO has made clear that cyber attacks can potentially
trigger an Article 5 response," according to a report in Defense News. Article 5 of the Washington Treaty, NATO's
organizing document, holds that an attack against one member nation
is an attack against all, triggering a collective response. In a recent appearance in Brussels, Konstantin Kosachev,
chairman of Russia's Federation Council Committee on International Affairs, challenged Stoltenberg on whether NATO might
bomb countries that are involved in cyber attacks -- or are suspected of being. "We will do what's
necessary to do to protect all allies," Stoltenberg replied. "But I'm not going to tell you exactly how I'm going to do that ...
that's the main message."
US is ramping up its counter cyber attack capabilities - not afraid to retaliate against attacks
Stuart 2015 (Phil Stuart, Bachelor of Science in international relations from Georgetown University's School of Forensic
Science, Reporter and Staff Writer for Reuters News, Reuters News, "Pentagon's new cyber strategy cites U.S. ability to retaliate,"
4/23/2015 http://www.reuters.com/article/2015/04/23/us-usa-pentagon-cyber-idUSKBN0NE0AS20150423)NF
U.S. Defense Secretary Ash Carter is due to unveil an updated cyber strategy on Thursday that will stress the military's
ability to retaliate with cyber weapons, a capability he hopes will help deter attacks. The strategy presents a
potentially far more muscular role for the U.S. military's cyber warriors than the Pentagon was willing to acknowledge in its last
strategy rollout in 2011 and singles out threats from Russia, China, Iran and North Korea. "The United States must be able to
declare or display effective response capabilities to deter an adversary from initiating an attack," according to a copy of the
document, obtained by Reuters ahead of its release. The Defense Department, it said, must develop "viable
cyber options" as part of the full range of tools available to the United States during heightened tensions
or outright hostilities. It should be able to use cyber tools to disrupt an enemy's command of networks,
military-related critical infrastructure and weapons capabilities. The full-throated acknowledgement of such
possibilities in the unclassified document is a major shift from 2011 and reflects the U.S. hope that it will help dissuade potential
enemies. Officials note that other tools to respond include publicly identifying nations responsible and imposing sanctions. Carter,
speaking to reporters flying with him to California, where he is due to meet Silicon Valley executives and speak at Stanford
University, said the primary focus of the cyber strategy was defense. But he acknowledged that the new strategy was "more
clear and more specific about everything, including offense." "It will be useful to us for the world to know
that, first of all, we're going to protect ourselves," Carter said, noting that deterrence included "a threat to
retaliate against those who do us harm." "We obviously have a capability to do that, not just in cyber but
in other ways." Carter's visit comes two months after President Barack Obama visited Silicon Valley, asking U.S. executives
for closer cooperation in defending against hackers after high-profile attacks on companies like Sony Pictures Entertainment. "The
North Korean attack on Sony was one of the most destructive cyber attacks on a U.S. entity to date," the document said. The
document said Russia's cyber actors were stealthy but had unclear intentions and lambasted China's theft of intellectual property.
Iran and North Korea had "less developed cyber capabilities" but overt hostile intent toward U.S. interests.
changed over the years in the technical feasibility of launching counterforce attacks. Nuclear weapons systems are much more
effective than they once were. So are conventional weapons.
White House stated plainly in a report last month that Washington would respond to hostile acts in
cyberspace "as we would to any other threat to our country" -- a position articulated in the past by U.S. officials. The
Pentagon, which is finalizing its own report, due out in June, on the Obama administration's emerging strategy to deal with the cyber
threat, acknowledged that possibility on Tuesday. "A response to a cyber incident or attack on the U.S. would not
necessarily be a cyber response ... all appropriate options would be on the table," Colonel Dave Lapan, a
Pentagon spokesman, said. The sophistication of hackers and frequency of the attacks came back into focus after a May 21 attack
on Lockheed Martin, the Pentagon's top arms supplier. Lockheed said the "tenacious" cyber attack on its network was part of a
pattern of attacks on it from around the world. The U.S. Defense Department estimates that over 100 foreign intelligence
organizations have attempted to break into U.S. networks. Every year, hackers steal enough data from U.S. government agencies,
businesses and universities to fill the U.S. Library of Congress many times over, officials say. BEHIND THE CURVE Several current
and former national security officials said U.S. intelligence agencies did not appear particularly concerned about the Lockheed
attack. One official said that similar cyber attacks directed at defense contractors and government agencies occurred all the time.
Some critics say the Obama administration is not moving fast enough to keep up with the cyber threat or to develop a strategy that
fully addresses concerns about privacy and oversight in the cyber domain. "The United States, in general, is well behind the curve,"
said Sami Saydjari, president of the privately held Cyber Defense Agency, pointing to "significant strategic advances" out of
countries like China and Russia. China has generally emerged as a prime suspect when it comes to keyboard-launched espionage
against U.S. interests, but proving Beijing is behind any future plot would be difficult because of hackers' ability to misdirect, analysts
say. China has denied any connection to cyber attacks. The Pentagon's upcoming report is not expected to address
different doomsday scenarios, or offer what Washington's response would be if, say, hackers wiped out Wall
Street financial data, plunged the U.S. Northeast into darkness or hacked U.S. warships' computers. "We're not going to necessarily
lay out -- 'if this happens, we will do this.' Because again the point is if we are attacked, we reserve the right to do any
number of things in response," Lapan said.
State of the Union address to a pledge of greater transparency with the Congress and the American public, but Mr. Clapper, a 71-year-old retired Air Force
general, made it clear that he saw few benefits of more public disclosure. An open hearing on intelligence matters is something of a contradiction in terms, he
said.
Obama already started programs to punish other groups/countries for cyber attacks
Crabtree, white house correspondent, 4/1/15
(Susan Crabtree, Washington Examiner, http://www.washingtonexaminer.com/obama-issues-cybersecurity-executiveorder/article/2562372)RL
President Obama on Wednesday issued an executive order allowing the government to impose penalties on foreign individuals or
entities that engage in cyberattacks that threaten U.S. national security or the economy. The executive action deems the recent
onslaught of cyberattacks a "national emergency" and authorizes the U.S. Treasury, in consultation with the attorney general and
secretary of state, to impose sanctions on individuals that engage in "significant malicious cyberenabled activities" against the
U.S. government or American businesses. Penalties for the illicit cyberactivity could include freezing their assets or barring commercial transactions between the
U.S. government and American businesses and the individuals or entities. "Cyberthreats pose one of the most serious economic and national
security challenges to the United States, and my administration is pursuing a comprehensive strategy to confront them," Obama
said in a statement. "As we've seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies,
and our citizens," he continued. "This executive order offers a targeted tool for countering the most significant cyberthreats that we face." The move gives the
administration more legal leverage to punish and try to prevent the avalanche of credit card data theft, corporate espionage and cyberattacks on critical
government computer systems. "This executive order supports the administration's broader strategy by adding a new authority to combat the
most serious malicious cyberthreats that we face," Obama said. The U.S. already had the power to sanction governments they deem responsible for
engaging in cyberattacks or crime. After U.S. intelligence officials blamed North Korea for the attack on Sony, the U.S. government placed sanctions on
Pyongyang and 10 individuals they believe were involved in the hack. It was the first time the U.S. has moved to punish any country for cyberattacks on a U.S.
company. After that attack, in January Obama called on Congress to pass new cybersecurity legislation that would require companies to inform clients when they
have suffered a data breach and also share information with the government about hacking threats -- an issue that security officials believe is essential but has
stirred fears over online privacy.
Organizations worldwide are not "sufficiently protected" against cyberattacks, says McKinsey in its "Risk and
responsibility in a hyperconnected world" report. As a result, the price tag -- the material effect of slowing the pace of
technology and innovation due to a lack of cyberresiliency -- could be as high as $3 trillion by 2020. That's the number
three, by the way, followed by 12 zeros. And it's a scenario, asserts McKinsey, that senior leadership in the public and private
spheres had best pay attention to. The report states that if
Emphasizing the transnational nature of cyber security issues, the last few years have seen the emergence of highly
sophisticated criminal gangs capable of exploiting vulnerabilities in business networks. Their aim is not terror, but fraud or the
collection of economically valuable information. Theft of proprietary information remains the source of the most serious losses, according to surveys
of large corporations and computer crime.17 These crimes must be differentiated from the denial of service attacks and the launching of viruses. Denial of
services or viruses, while potentially damaging to business operations, do not pose the same level of risk. Cyber crime is a serious and growing
threat, but the risk to a nation-state in deploying cyber-weapons against a potential opponent's economy are probably too great
for any country to contemplate these measures. For example, writers in some of China's military journals speculated that cyber attacks could
disable American financial markets. The dilemma for this kind of attack is that China is as dependent on the same financial markets as the United
States, and could suffer even more from disruption. With other critical infrastructures, the amount of damage that can be done is, from a strategic viewpoint,
trivial, while the costs of discovery for a nation state could be very great. These constraints, however, do not apply to non-state actors like Al Qaeda. Cyber
attacks could potentially be a useful tool (albeit not a fatal or determinative tool) for nonstate actors who reject the global market
economy.
Society, Multiple projects at places like Slate, THE FUTURIST, American Legion Magazine, and BBC. Education: MA in Writing at
Johns Hopkins University, Liberal Arts at Sarah Lawrence University, Santa Fe Prep School, Multiple programming and technology
skills, speaking, writing, and communication skills. (Major Cyber Attack Will Cause Significant Loss of Life By 2025,
Experts Predict, Patrick Tucker, DefenseOne, October 29, 2014, http://www.defenseone.com/threats/2014/10/cyber-attack-willcause-significant-loss-life-2025-experts-predict/97688/)//chiragjain
A major cyber attack will happen between now and 2025 and it will be large enough to cause
significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars,
according to more than 60 percent of technology experts interviewed by the Pew Internet and American
Life Project. But other experts interviewed for the project Digital Life in 2015, released Wednesday, said the current
preoccupation with cyber conflict is product of software merchants looking to hype public anxiety against an eternally
unconquerable threat. It's the old phantom of the cyber Pearl Harbor, a concept commonly credited to
former Defense Secretary Leon Panetta but that is actually as old as the world wide web. It dates back to
security expert Winn Schwartau's testimony to Congress in 1991, when he warned of an electronic Pearl
Harbor and said it was waiting to occur. More than two decades later, we're still waiting. The Pew report offers, if
nothing else, an opportunity to look at how the cyber landscape has changed and how it will continue to
evolve between now and 2025.
cyber attack which shuts down parts of the United States' power grid
could cost as much as $1 trillion to the U.S. economy, according to a report published on Wednesday.
Company executives are worried about security breaches, but recent surveys suggest they
are not convinced about the value or effectiveness of cyber insurance. The report from the
University of Cambridge Centre for Risk Studies and the Lloyd's of London insurance market outlines a scenario of an
electricity blackout that leaves 93 million people in New York City and Washington DC
without power. The scenario, developed by Cambridge, is technologically possible and is assessed to
be within the once-in-200-year probability for which insurers should be prepared, the
report said. The hypothetical attack causes a rise in mortality rates as health and safety systems fail, a drop in trade as
ports shut down and disruption to transport and infrastructure. "The total impact to the
U.S. economy is estimated at $243 billion, rising to more than $1 trillion in the most
extreme version of the scenario," the report said. The losses come from damage to
infrastructure and business supply chains, and are estimated over a five-year time period. The extreme scenario
is built on the greatest loss of power, with 100 generators taken offline, and would lead to insurance industry losses of more than
$70 billion, the report added. There have been 15 suspected cyber attacks on the U.S. electricity grid since 2000, the report said,
citing U.S. energy department data. The U.S. Industrial Control System Cyber Emergency Response Team said that 32 percent of its
responses last year to cyber
sector. "The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than
defenders could remedy them," Tom Bolt, director of performance management at Lloyd's, said in the report. Lloyd's syndicates
offer cyber insurance but only 160 million pounds ($246.82 million) in cyber insurance premiums are written through London,
which amounts to more than 10 percent of the global market.
Weather Satellites are vital for the armed forces to pull off successful defense and attack operations
on all fronts and military readiness
Spaceflight Now Space, quoting a collection of Armed Forces directors, 4/4/15
(Spaceflight now space, quoting many directors of the armed forces and others, including: Sue Stretch - DMSP program director,
Col. Scott Larrimore Air Force weather program director, Mark Valerio vp of Lockheed Martin's military space division, Gen.
William Shelton commander of Space Command published at space.com with cooperation from spaceflightnow.com,
http://www.space.com/25368-military-weather-satellite-rocket-launch.html) // RL
A new global weather observatory for the U.S. armed forces was lofted into orbit aboard its
Atlas 5 booster rocket from California on Thursday
Powering away from Vandenberg Air Force Base at 7:46 a.m. local (10:46 a.m. EDT; 1446 GMT), the liftoff was timed
to deliver the Defense Meteorological Satellite Program Flight 19 spacecraft into its precise orbit 530 miles high.
"Weather
guides some of the most important decisions in the armed forces, from flight
patterns to troop movements. Through DMSP, we're helping to provide safer, successful
missions," said Sue Stretch, DMSP program director at Lockheed Martin. "This new asset
will carry on the mission for military users and civilians who depend on it." About
18 minutes into flight, the 2,700-pound satellite separated from the Centaur upper stage, marking the 115th
successful Atlas launch in a row over the past two decades. "DMSP
locate and determine the intensity severe weather such as thunderstorms, hurricanes and
typhoons, and is used to form three-dimensional cloud analyses, which form the basis for
computer forecast models needed to meet unique DOD requirements," said Col. Scott Larrimore,
Air Force weather program director. "DMSP
providing meteorological data to the armed forces worldwide." The $518 million observatory will be
checked out and ready for service in about two months, and joins a half-dozen older DMSPs in orbit divided into two
orbital groupings. "F19 is placed into an orbit compromised between the two planes we currently have. We are
changing our operational concept from this two-plane constellation to this single-plane constellation. We can do that
because
we can get data to the Air Force Weather Agency faster than before," Larrimore said. The
craft carries a sophisticated suite of weather instruments to observe virtually the entire
planet twice daily. Data from DMSP satellites is used to create global weather forecasts that
military commanders and strategic planners rely upon. The satellites can track weather systems by
visible and infrared cloud-cover imagery, day and night, plus monitor ice and snow coverage, pollution and fires.
The primary sensor, one of seven aboard, is the Operational Linescan Sensor, which collects visible and infrared
cloud pictures in 1,800-mile swaths covering the globe. The microwave sounder provides storm intensity
measurements. "Weather
service. High winds limit aircraft, storms threaten ships and low visibility can alter troop
movements. The data that DMSP provides is essential to mission success," said Stretch. What comes
later is not quite clear. DMSP F20 remains on the ground, but officials may elect to keep it there in favor of moving
on to the next-generation of a smaller spacecraft. "We certainly hope they launch it. It's built, paid for, it's a capable
satellite, and we know it works, so we think that's the smart decision
president of Lockheed Martin's military space division. "You have to find a balance because if you launch too early
you might waste the on-orbit life, and if you wait too long then you run into the cost of storing it on the ground."
"What happens after that is under review, but we're confident we're in a good place," said Gen. William Shelton,
commander of Space Command. "Following the analysis of alternatives, we have gone on with a weather system
follow-on program, which will end up being a small satellite which has unique DoD requirements satisfied. We will
count on NOAA, international
partners, and commercial [providers] to provide the rest of the data that's needed to
round out the picture." Next for the Atlas program, attention returns to the East Coast and another try at launching
the NROL-67 mission as early as April 10. That flight and a SpaceX resupply mission to the International Space
Station planned for late March both were delayed due to a Range radar outage. The next space launch from
Vandenberg will be the return of the Delta 2 rocket on July 1 with NASA's Orbiting Carbon Observatory 2. Another
Atlas 5 will carry the commercial Earth-imaging spacecraft into orbit in August.
Jay Johnson, and Air Force Chief of Staff General Michael Ryan have all expressed
serious concerns about their respective services' ability to carry out a two major
theater war strategy. 5 Recently retired Generals Anthony Zinni of the U.S. Marine
Corps and George Joulwan of the U.S. Army have even questioned America's ability
to conduct one major theater war the size of the 1991 Gulf War. 6 Military readiness
is vital because declines in America's military readiness signal to the rest of the
world that the United States is not prepared to defend its interests. Therefore,
potentially hostile nations will be more likely to lash out against American allies and
interests, inevitably leading to U.S. involvement in combat. A high state of military
readiness is more likely to deter potentially hostile nations from acting aggressively
in regions of vital national interest, thereby preserving peace.
apparent that there are critical weaknesses not simply in the identification of deficiencies in particular space systems,
but also in the way that the conjunction of space and cyber-security is being organized. There are mature and internationally
respected models for the management of cyber-security, which, when applied to the ground-based parts of the space data eco-system, serve well.
What is needed, however, is an end-to-end approach based on risk management and resilience. Each and every stakeholder, from satellite
assembly through to data exploitation, via the space-based segment, needs to know his or her respective cyber-security responsibilities in
delivering assured space-based services. This applies particularly to the commercial cadre whose management instinct may be to duck the cybersecurity issue (or try and get away with the minimum effort required to check the ISO 27001 boxes) on cost grounds. There will not be a single
process applied within this complex and interlinked domain; the level of resource required for individual missions, for example, will depend on a
variety of factors, including criticality of the capability being deployed, the endurance of the craft itself, the likelihood of attack and the fall-back
options if an attack is successful. The software of spacecraft needs to be designed from the outset for the appropriate level
of security, and some systems may need to be checked for resilience before launch (and not once ensconced in orbits from
which there are now no plausible recovery options). Cyber-security in space is both a critical area and also one that is most
vulnerable to exploitation when set in the context of very complex supply chains and space-related operational
infrastructures. Satellite services are key targets for a number of cyber-security threats, as they support a critical
level of national infrastructure functionality and this is growing year by year. A single successful attack on a critical
node, if unmitigated, can have the potential to affect a significant number of important national and international
capabilities. Awareness of the potential attack on the NOAA systems was made clear in July when a report by the Office of Audit and
Evaluation in the U.S. Department of Commerce's Office of Inspector General raised the alarm on the significant security deficiencies
in NOAA's information systems. NOAA is not alone in being vulnerable to cyber-security attacks. Now that the news is
out in the public domain, we can only hope that it serves as a significant wake up call.
technology helps predict and prevent future pandemic outbreaks 11/6/07 http://www.eurekalert.org/pub_releases/2007-11/asotnth110607.php)
With the help of 14 satellites
currently in orbit and the National Aeronautics and Space Administration's (NASA) Applied
Sciences Program, scientists have been able to observe the Earth's environment to help predict and
prevent infectious disease outbreaks around the world. The use of remote sensing technology aids
specialists in predicting the outbreak of some of the most common and deadly infectious diseases
today such as Ebola, West Nile virus and Rift Valley Fever. The ability of infectious diseases to thrive depends on
changes in the Earth's environment such as the climate, precipitation and vegetation of an area. Through orbiting satellites, data is
collected daily to monitor environmental changes. That
sensing technology not only helps monitor infectious disease outbreaks in highly affected
areas, but also provides information about possible plague-carrying vectors -- such as insects or rodents -- globally and within the U.S. The Four Corners region, which includes Colorado, New Mexico, Arizona, and Utah, is a highly
susceptible area for plague and Hanta virus outbreaks, and by understanding the mixture of vegetation, rainfall and slope of the
area, scientists
can predict the food supply of disease transmitting vectors within the region and the
threat they cause to humans. Because plague is also considered a bioterrorism agent, NASA surveillance systems enable
scientists to decipher if an outbreak was caused by natural circumstances or was an act of bioterrorism. A particular infectious
disease being targeted by NASA is malaria, which affects 300-500 million persons worldwide, leaving 40 percent of the world at risk
of infection. The Malaria Modeling and Surveillance Project utilizing NASA satellite technology is currently in use by the Armed
Forces Research Institute of Medical Sciences in Thailand and the U.S. Naval Medical Research Unit located in Indonesia. Data
collected at these locations is combined and used to monitor environmental characteristics that effect malaria transmission in
Southeast Asia and other tropical and subtropical regions. Malaria surveillance provides public health organizations with increased
warning time to respond to outbreaks and assistance in the preparation and utilization of pesticides, which leads to a reduction in
drug resistant strains of malaria and damage to the environment. "NASA
pathogens. For those types of host-microbe interactions it is possible for the pathogen to kill off every last member of a species without harm to
itself, since it would return to its natural habitat upon killing its last host. Hence, from the viewpoint of existential threats environmental microbes
could potentially pose a much greater threat to humanity than the known pathogenic microbes, which number somewhere near 1500 species (Cleaveland et al.,
2001; Taylor et al., 2001), especially if some of these species acquired the capacity for pathogenicity as a consequence of natural evolution or bioengineering.
security technologies
ineffective and put organizations at risk of having the cybercrooks using those backdoors, and will make it significantly harder for
organizations to effectively protect data and systems." It's not just a philosophical bent that could determine whether one considers anyone a leader. It
could be missed opportunities to evangelize the cause.
CNCI can't solve - too secretive and neglects private sector security
Rollins and Henning 9 <John Rollins, Specialist in Terrorism and National Security, and Anna C. Henning, Legislative
Attorney, 3/10/2009, Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations, p. 2-4,
Congressional Research Service, http://www.law.umaryland.edu/marshall/crsreports/crsdocuments/R40427_03102009.pdf>//wx
As of the date of this report, unclassified versions of the January 2008 directives establishing the CNCI have yet to be released. While the Initiative has yet to be
legislatively recognized, presidential directives, sometimes considered types of executive orders and vice versa, have the force of law if they are supported by
constitutional or statutory authority.26 Although much remains unknown about the CNCI due to the classified nature of the presidential
directives and supporting implementation documents, federal government agency press releases and statements by government officials provide a bit of
insight regarding the program. Some security observers are concerned that because the CNCI is focused on developing and adhering to strategies and
policies to secure the federal systems, many of which rely on private sector telecommunications networks for service and
support, and identifying current and emerging threats and vulnerabilities, it is incumbent on the federal government to improve its
coordination activities with non-federal entities and undertake enhanced sharing of timely and relevant cybersecurity related plans and risk data. Few
details have been publicly released regarding the implementation activities or status of CNCI efforts since the establishment of the
initiative. According to one media account, Steven Chabinsky, Deputy Director of the Joint Interagency Cyber Task Force for the Office of the DNI, stated at an
information technology security conference that there are 12 objectives supporting the Initiative's goal of comprehensively addressing the nation's cyber security
concerns. They are: 1. Move towards managing a single federal enterprise network; 2. Deploy intrinsic detection systems; 3. Develop and deploy intrusion
prevention tools; 4. Review and potentially redirect research and funding; 5. Connect current government cyber operations centers; 6. Develop a governmentwide cyber intelligence plan; 7. Increase the security of classified networks; 8. Expand cyber education; 9. Define enduring leap-ahead technologies; 10. Define
enduring deterrent technologies and programs; 11. Develop multi-pronged approaches to supply chain risk management; and 12. Define the role of cyber
security in private sector domains.27 One question often raised is whether the CNCI objectives are being pursued concurrently. Some security observers are
concerned that the government's focus to date has been on securing federal security systems at the expense of other networks that
have similar vulnerabilities. The disruption, or perceived accessing or manipulating of data in non-federal networks that contain
personal financial information or manage the control systems of the nation's critical infrastructure could have significant economic, safety,
and confidence-in-government implications. It is often noted that in the homeland security and law enforcement communities, where a great deal of post-9/11
emphasis is placed on continuous information exchange and collaboration, efforts to secure the federal technology systems, while relegating
state, local, and private sector organizations to lower standards of security, will simply redirect or delay risk
increased collaboration. This concern is often expressed by non-federal governmental entities which rely on and routinely coordinate efforts with the U.S.
government but have not been apprised of the plans or resources accompanying the CNCI. Given the secretive nature of the CNCI, one of the
common concerns voiced by many security experts is the extent to which non-federal entities should have a role in understanding the
threat to the nation's telecommunications and cyber infrastructure and assist with providing advice, assistance, and coordination in preparation
and response for ongoing and future intrusions and attacks.28 As telecommunications providers and internet service providers are corporate entities
residing in the private sector, and are relied upon heavily to support federal government activities and services, many cyber-security
observers suggest that a comprehensive approach to an effective monitoring, defending, and responding regime is not possible without the
collaboration and expertise of the nation's cyber sector owners and operators. As evidenced in the twelve objectives of CNCI, it appears the
federal government focus is on the prevention aspects of addressing potential threats to the nation's cyber and telecommunications infrastructure. In contrast, the
primary response and recovery activities associated with previous network breaches have been addressed by the private sector entity that has been the victim of
the attack. In an apparent admission of the need for further transparency and enhanced public-private partnership to better fulfill the goals of the CNCI, former
President Bush's Assistant Secretary of Cybersecurity and Telecommunications at the Department of Homeland Security (DHS), Greg Garcia, recently stated that
there was too much classified (about the CNCI) which was not helpful politically and not helpful in getting the word out. Acknowledging the balance between
incorporating the view of non-federal entities and the concern of allowing those that wish to use cyber activities to cause harm, Assistant Secretary Garcia went
on to further state that the Department had to walk the line between raised awareness of what was being accomplished and not letting out too much information
that could cause us to be targeted. Still, too much was kept secret.29 Based on the number of unknowns concerning the CNCI and the apparent
lack of inclusiveness with the private sector telecommunication and internet providers, some analysts are concerned that future
opportunities for successfully ascertaining known and future threats and developing a comprehensive set of legal and policy responses
may not be achievable. An apparent Obama Administration goal for the current 60-day cyber security review is a more transparent and coordinated
approach to the nation's cyber security risks with the perceived end result being that all affected parties are consulted and given the opportunity to provide advice
and assistance in proposing changes to existing legislation, policy, and processes.30
the Comprehensive National Cybersecurity Initiative (CNCI) of 2007, which is neither comprehensive, nor national and focuses
on securing government networks (Clarke 2010, 115). It is also classified, except for a one-page outline released in 2010. The most
recent development to cybersecurity policy is the Cyberspace Policy Review (CPR) of 2009 which does not offer much in the way of new policy, but rather
reaffirms existing efforts, and places slightly greater emphasis on public awareness-raising. Like the NSSC, it focuses on security holistically, including
government, industry, and civilian networks. However both documents are conspicuously silent on the role of the military, despite being focused on national
security and defence. They were written in very different political climates, and under different presidents who had very different expectations. The CPR gives
little attention to a description of the vulnerabilities of cyberspace and the threat this poses to the nation, while the NSSC dedicates an entire section to the case
for action. This different framing has two likely reasons; firstly, in the time that elapsed between the writing of the NSSC and the CPR, cybersecurity became an
accepted priority issue that did not require justification. Secondly, former President Bush had a fairly low approval rating prior to the 9/11 attacks, and the onus
was therefore on the administration to justify its every move. Conversely, Obama entered the presidency accompanied by an expectation of hope and change,
and so the CPR was framed as an attempt to improve existing policy, not justify its existence in the first place. The NSSC was one of the first documents of this
nature, suggesting new cooperation between industry, government, and the public to increase control over and therefore security of the national computer
networks on which the country depends. By comparison, the CPR was dealing with currently existing partnerships, policies, and protocol, giving this document
more of a bureaucratic management emphasis.
addition to increasing funding to protect our nation against cyberattacks," Obama wrote in the 2016 budget, "I continue to urge
the Congress to finally pass the legislation we need to meet this evolving threat."
lawmakers
remain leery about the department's ability to organize a cohesive plan to counter the weapons of mass destruction threat through several
different offices. That plan seems unlikely to come to fruition quickly or efficiently, given the department's track record, said Rep. John Ratcliffe, Texas Republican
and chairman of the Cybersecurity subcommittee. In September of 2013, DHS was directed by Congress to undertake an in-depth review of
its WMD programs, he said. The review also required recommendations to improve its organizational structure to be more effective. Unfortunately, the
Committee only received this report less than a month prior to this hearing, meaning that it's nearly two years late. Congressional documents show that
Homeland Security Department discovered that its directorates would take leadership during a biochemical attack. A restructure
plan should have taken form that year, but department shelved the idea due to lack of leadership interest. Criticism of the
department was high that year due to chemical and nuclear threats against the U.S. and its interests by terror groups, like al Qaeda. Those threats
have evolved in recent years to include the ambitions of the Islamic State, which has called on its supporters living in America to attack U.S. citizens
wherever they are and however they can. A laptop retrieved from a Syria-based Islamic State hideout in 2014 was reportedly found to contain plans for
weaponizing the bubonic plague and a document that discussed the advantages of using biological weapons, signs that the terror group's ambitions are
growing, said Rep. Martha McSally, Arizona Republican and chairwoman of the Emergency Preparedness subcommittee. Experts suggest that terrorist interest
in utilizing chemical agents has increased, she said. In fact, reports indicate that ISIS may currently be conducting attacks using chemical agents in Syria and
Iraq. Lawmaker concern over the department's lackluster interest in streamlining its weapons of mass destruction defense plan has
continued to spike in recent years. After the 2010 internal review, both the House's Homeland Security and Appropriations committees launched their own
reviews of that plan. Congressional documents show that two years later, in 2012, department officials still did not have a clear entry point
for weapons of mass destruction coordination with other agencies, nor consistent representation at the table in the interagency community. Now, in
2015, that problem remains the same, said Rick Nelson, senior associate of the Center for Strategic and International Studies' Homeland Security and
Counterterrorism Program. The Homeland Security Department has remained unable to keep up with the security efforts of its fellow
government agencies, Mr. Nelson told lawmakers during the hearing. Not only does DHS continue to be the outlier with its fractured
approach to [chemical, biological, radiological, and nuclear] but it also, for unknown reasons, has resisted or just simply failed to prioritize efforts to
correct the issue, he said.
source versions of PGP encryption software that are still the most popular end-to-end email encryption solution, the OpenSSL
software library that has long been used to encrypt vast amounts of every-day web traffic, open source disk encryption programs like
TrueCrypt, the open source Off-The-Record instant messaging encryption protocol used by a wide variety of IM clients, and the TOR
onion routing software originally developed by the Naval Research Laboratory that is now widely used to circumvent oppressive
governments' censorship regimes and allow for anonymous online browsing.26 A
government mandate
prohibiting U.S. companies from offering products or services with unbreakable
encryption is of little use when foreign companies can and will offer more secure
products and services, and when an independent coder anywhere on the planet has the resources to create and distribute
free tools for encrypting your communications or the data stored on your mobile devices. As former Homeland Security Secretary
Michael Chertoff recently put it, "[T]hat genie is not going back in the bottle."27 The
attention by the victim." If the solution to significantly reduce security breaches is information
sharing, said Jeff Moss, president of DEF CON Communications, "then the market would have
addressed it years ago with a crowded field of info exchange tools, but [it] hasn't. Information
sharing allows better and faster bandaids but doesn't address the core problem." The Obama
administration's plan, designed to pool threat information and improve response times to cyberattacks, would put the
Department of Homeland Security as the central repository of the information coming from the private sector. It came on
the heels of major security breaches at companies such as Sony Pictures and Target. The plan would have helped in just a
"small subset of cases to provide information sharing and smarter defenses, but that alone won't significantly stop
attacks," said one Influencer, who chose to remain anonymous. "If private sector companies set up the infrastructure,
training, and process to defend their networks using this and lots of other intelligence then it will indeed start to
provide significantly greater protection. All that being said, the smartest and most sophisticated adversaries will
continue to penetrate what are in many cases inherently vulnerable systems." The Passcode Influencers
Poll brings together a diverse group of more than 70 security and privacy experts from across government, the private
sector, academia, and the privacy community. To preserve the candor of their responses, Influencers have the choice to keep
their comments anonymous, or voice their opinions on the record. Relying on information-sharing to prevent
attacks "presumes that hackers will evidence the same signature over a long period of time," wrote
Martin Libicki, senior management scientist at RAND. "If it functions at all (as a signature-passing device), its primary
effect will be to force hackers to modify their signatures. After the hackers do so, this expensively-wrought measure will be
fairly useless." There is momentum on Capitol Hill to pass a version of Obama's information-sharing plan, which did have
some defenders within Passcode's pool of experts. Thirteen percent of Influencers said the plan would significantly reduce
security breaches, even as some acknowledged it's not a panacea. "While important, information sharing won't solve
everything," said Congressional Cybersecurity Caucus co-chair Rep. Jim Langevin (D) of Rhode Island. "What it will do,
though, is enable companies to discover and respond to threats of which they may not have been aware - and provide badly
needed situational awareness to the government. It's a first step, but an important one, and will allow us to broaden the
conversation to other important cybersecurity policy matters."
Over the past 20 years, the Internet has transformed the lives of Vermonters and the
American people. We use the Internet to communicate, make financial transactions, access medical records, file taxes, and
store personal information and photographs. Critical to this digital revolution has been the
development and use of strong encryption. Encryption ensures that the digital
information we send or store electronically is protected against hackers, criminals, and spies. But
as we will hear this morning, the increased use of encryption also presents challenges for law
enforcement. Two decades ago, during the so-called Crypto Wars, the FBI and others argued that strong
encryption prevented investigators from obtaining access to information even when they
had a court order. They are voicing similar concerns today. As a former prosecutor, I am sympathetic to these public safety
concerns. Encryption can impede investigations by federal, state and local law enforcement
officials. So this is an important discussion for us to have. But as we learned in the 1990s, this is a complicated problem with no
easy solutions. Some have suggested that technology companies should build special law enforcement access into their systems. But
we also have to consider the risks of this approach. Strong encryption has revolutionized
the online marketplace and protects American businesses and consumers from
cybercrime, espionage, identity theft, stalking, and other threats on the Internet.
Undermining strong encryption could make our data more vulnerable. In the 1990s, I
opposed efforts to regulate the development of encryption technology. I sponsored and otherwise
supported legislation that authorized the use of any type of encryption technology in the United States; prohibited the government
from requiring key recovery features; and eased export restrictions limiting the sale of encryption technology abroad. I also opposed
efforts to promote the Clipper Chip, a cryptographic device for voice communications that facilitated government access to those
communications. I was concerned that regulating
ADV ECON
include an oil price shock has stalled one of America's best-performing sectors while forcing tens of thousands of layoffs and an
appreciated dollar that makes U.S. exports pricier overseas, pinching profits of major domestic companies. Remove the trade deficit,
and the U.S. GDP grew 1.2 percent in the first quarter. Not since 1985 has trade so heavily dragged down growth. In the first quarters,
businesses also pulled back on inventories, further cutting into growth. Still, perhaps the biggest surprise of the past six months has been the muted pickup in
consumer spending, which accounts for about two-thirds of the economy. Personal consumption grew 1.8 percent in the first quarter, but that's well off the pace
from the second half of 2014. Consumers, instead, have taken the money saved at the gasoline pump and used it to pay back debt or rebuild savings, according
to government and credit card data.
its third reading of the data Wednesday. That was a sharp downward revision from the previous estimate that output fell at an
annual rate of 1%. It also represented the fastest rate of decline since the recession, and was the largest drop recorded since the
end of World War II that wasn't part of a recession. To be sure, many signs since March, including reports of growth in consumer spending, business
investment and hiring, indicate the first quarter doesn't mark the start of a new recession. And revisions in future years could alter the first-quarter figure. J.P.
Morgan Chase economist Michael Feroli described the decline as "mostly a confluence of several negative, but mostly one-off, factors." But the severity of the
drop, he said, "calls into question how much vigor there is in the pace of activity" going forward. One factor in the government's revision of first-
quarter output was difficulty in estimating the impact of the Affordable Care Act on health-care expenditures. Actual health
spending came in substantially lower than expected based on ACA enrollments and Medicaid data, declining at a 1.4%
annualized pace in the period compared with an earlier estimate of a 9.1% increase. Beyond that, consumer spending on goods,
business outlays on equipment and housing investment were all soft, a weakness that economists have attributed, at least in part, to unusually
harsh winter weather. Overall consumer spending on goods and services, which accounts for more than two thirds of economic output, increased at an annual
rate of 1%, off from the earlier estimate of 3.1% growth. The Commerce report showed businesses sharply drawing down inventories in the first quarter after
building them up to levels deemed unsustainable by economists late last year. The move subtracted 1.7 percentage points from growth. Exports in the
period fell by nearly 10%, a new sign of a challenging global economic environment. The European recovery remains anemic, while growth
in fast-expanding emerging markets such as China and Brazil has downshifted. The severity of the first-quarter downturn is at odds with other data showing
greater strength in the economy, especially a recent pickup in job creation. Since World War II, there have been 15 other quarters during which GDP contracted
by this amount or more. In 14 of those 15 quarters, hiring contracted along with output. Meanwhile, early data from the second quarter indicate the economy has
improved this spring, as warmer weather has helped release pent-up demand. Sales of new homes surged to a six-year high last month, while existing-home
sales rose to their highest level since October, data released earlier this week showed. "Things are looking very strong here in Naples," said Anthony Solomon,
owner of The Ronto Group, a land developer in Naples, Fla. "In all our communities, we're seeing great appetite from home builders and from end buyers." Still,
the depth of the first-quarter decline in output means growth during the first half of the year likely will fall below the economy's
average rate of just over 2% since it emerged from recession in June 2009. That is below the longer-term growth rate, during recent decades,
of slightly more than 3%. "It does not sound like the economy has reached escape velocity no matter how you try to spin it," said Chris
Rupkey, an economist at Bank of Tokyo-Mitsubishi. For economic output to ratchet up to a healthier long-term trend, economists say
consumer spending must rise to its prerecession pace of about 3% growth. But five years into the recovery, high unemployment
and stagnant incomes continue to restrain the American consumer. "We just don't see consumer spending coming back to the levels that they
were before," Virginia McDowell, chief executive of Isle of Capri Casinos, Inc., recently told investors at a presentation of the company's fourth-quarter earnings.
"We continue to get pressured on the top line because our consumer spending habits have changed," Ms. McDowell said.
It would cost the American economy untold billions of dollars. Experts estimated during the original Crypto Wars that building and operating
the kind of key escrow infrastructure desired by the government would have cost the government and industry many billions of
dollars.21 Since then, the number of computer and Internet users, and computer and Internet devices, has grown
exponentially; so too has the complexity and cost of such a scheme to give the government the universal decryption capability it apparently
desires.22 That's not even counting the many more billions of dollars that would be lost as consumers worldwide lost confidence in
the security of American computing products and online services. American technology companies, which currently dominate the global
market, have already been wrestling with diminished consumer trust in the wake of revelations about the scope of the National
Security Agency's programs, a loss of trust already predicted to cost our economy billions of dollars.23 Any new
requirement that those companies guarantee that the U.S. government have the technical capability to decrypt their users' data would give
foreign users, including major institutional clients such as foreign corporations and governments that especially rely on the security of those products and
services, even more incentive to avoid American products and turn to foreign competitors. It would also likely diminish trust in the
security of digital technology and the Internet overall, which would slow future growth of the Internet and Internet-enabled
commerce and threaten the primary economic engine of the 21st century. To put it bluntly, foreign customers will not want to buy
or use online services, hardware products, software products or any other information systems that have been explicitly designed
to facilitate backdoor access for the FBI or the NSA.24 Nor will many American users, for that matter. Instead, they will turn to more
secure products that are available for purchase or for free download from sources outside of the United States, which is a major reason why
use strong encryption every single day. We use it on our banking sites, shopping sites, and social media sites. We protect our
credit card information with encryption. We encrypt our databases containing sensitive information (or at least we should). Our
economy relies on strong encryption to move money around in industries large and small. Many high-visibility sites, such as Twitter,
Google, Reddit, and YouTube, default to SSL/TLS encryption now. When there were bugs in the libraries that support this type of encryption, the IT world moved
heaven and earth to patch them and eliminate the vulnerability. Security pros were sweating bullets for the hours, days, and in some cases weeks between the
hour Heartbleed was revealed and the hour they could finally get their systems patched -- and now politicians with no grasp of the ramifications want to introduce
a fixed vulnerability into these frameworks. They are threatening the very foundations of not only Internet commerce, but the
health and security of the global economy. Put simply, if backdoors are required in encryption methods, the Internet would
essentially be destroyed, . Those of us who know how the security sausage is made are appalled that this is a point of discussion at any level, much less
nationally on two continents. It's abhorrent to consider. The general idea coming from these camps is that terrorists use encryption to communicate. Thus, if there
are backdoors, then law enforcement can eavesdrop on those communications. Leaving aside the massive vulnerabilities that would be introduced on everyone
else, it's clear that the terrorists could very easily modify their communications to evade those types of encryption or set up alternative communication methods.
We would be creating holes in the protection used for trillions of transactions, all for naught. Citizens of a city do not give the police the keys to their houses. We
do not register our bank account passwords with the FBI. We do not knowingly or specifically allow law enforcement to listen and record our phone calls and
Internet communications (though that hasn't seemed to matter). We should definitely not crack the foundation of secure Internet communications with a backdoor
that will only be exploited by criminals or the very terrorists that we're supposedly trying to thwart. Remember, if the government can lose an enormous cache of
extraordinarily sensitive, deeply personal information on millions of its own employees, one can only wonder what horrors would be visited upon us if it
somehow succeeded in destroying encryption as well.
Backdoors bad: privacy issues and loss of competitiveness for US companies in EU markets
Balaganski 15 - Alexei Balaganski is an analyst at Kuppinger Cole with specific focus on cybersecurity. After graduating with
an MSc degree in Mathematics and Computer science he has worked in the IT industry for over 15 years. (Will there be a winner in
the encryption wars?; 7/22/2015; http://www.itproportal.com/2015/07/22/will-there-be-a-winner-in-the-encryption-wars/)//pk
If there is one thing that can be said about most politicians, it's that they do not understand technology. This is especially true
when the technology in question is related to cybersecurity and strong encryption in particular. Governments have always considered the
ability to intercept and decrypt communications of foreign nations a matter of national security, but no other country has been as persistent in their fight against
encryption as the United States. In the previous round of the Crypto Wars in the 90s, the US government had come up with the idea of an encryption device with
a built-in backdoor to be installed into every communication device, which would allow government agencies to obtain the encryption key and intercept all data
transmitted by that device. The proposal was met with unanimous opposition, and security experts have demonstrated multiple weaknesses in both the concept
of key escrow and the actual implementation of the chip. The idea has been abandoned in the end, but export controls that restricted which encryption methods
could be exported from the USA were introduced. Although eventually those regulations were lifted, many current software products still have to support those
weakened ciphers for compatibility reasons. Just recently, nearly a third of all websites were found to be vulnerable to the FREAK attack,
which allowed downgrading the security of an encrypted session and then successfully breaking the encryption. Fast-forward twenty
years, and the US and UK governments are now discussing very similar plans. Again, claims are brought forward that without having exceptional
access to all digital communications intelligence agencies will go dark and won't be able to fight terrorism. The same idea of a
centralised body holding all encryption keys in escrow for the government agencies is being discussed again. The UK government has gone so far as to suggest
banning certain types of encryption completely. It is all as if nothing has changed since the 90s. Alas, the world we are living in is now completely different. Before
discussing technical implications of these new proposals, it's worth noting that the very premise of the current debate is demonstrably wrong.
Thanks to the documents leaked by Edward Snowden, we now know that NSA has not gone dark since the 90s. In fact, their
technical, legal and clandestine arsenal of surveillance tools has expanded immensely in the last decade. Essentially, they are capable
of intercepting a vast majority of communications around the world. Unfortunately, they are yet to show any evidence that this has actually helped prevent a
single act of terrorism. In fact, if these new regulations on encryption are going to be adopted after all, criminals and terrorists won't
have any real difficulties going back to low tech communication methods. Legitimate enterprises, however, will face much bigger problems. With all
the recent trends of digitalisation of businesses, the companies are becoming increasingly interconnected. Secure communications channels are now an
essential component of every company's infrastructure. This is especially true for cloud service providers, financial, health organisations, and other companies
dealing with large amount of other people's sensitive data. A government-mandated backdoor to their infrastructures obviously introduces a
vulnerability ready to be exploited by a malicious agent, but that's not the biggest problem. A centralised government-controlled
body holding credentials for multiple such infrastructures is an even more lucrative target for attackers, and government agencies
aren't exactly known for their high cybersecurity standards. Another problem is jurisdiction: if a US company operates in another
country, should it provide exceptional access to that country's intelligence agencies as well? What if the country in question is a
geopolitical enemy of the free world? Does it mean that we'll need to maintain another export-grade backdoor, too? Just imagine how complex and
expensive addressing these technical and legal problems would be. All these efforts, however, are most likely to be in vain, since
anyone wishing to evade the mandatory surveillance can simply switch to a solution from a non-US company, and that won't be
just the criminals, but every business or individual concerned about security and privacy of their communications. This effectively
means that US and UK companies are going to lose their competitive advantage in the world markets, especially in the
European Union countries like Germany, where privacy is considered an almost sacred right. Their reputation has already been
damaged by Snowden's revelations, and with new regulations in place, their entire business models will be severely crippled. In fact, with all things
considered, it's difficult to imagine a single party that would gain any advantage, political, financial or otherwise, from
these proposed regulations. To me, it seems that in the Crypto Wars, like in a nuclear war, everybody loses.
Designing exceptional access into today's information services and applications will give rise to a range of critical security risks.
First, major efforts that the industry is making to improve security will be undermined and reversed. Providing access over any period of
time to thousands of law enforcement agencies will necessarily increase the risk that intruders will hijack the exceptional access mechanisms. If law
enforcement needs to look backwards at encrypted data for one year, then one year's worth of data will be put at risk. If law
enforcement wants to assure itself real time access to communications streams, then intruders will have an easier time getting access in real time, too. This is a
trade-off space in which law enforcement cannot be guaranteed access without creating serious risk that criminal intruders will gain the same access. Second,
the challenge of guaranteeing access to multiple law enforcement agencies in multiple countries is enormously complex. It is
likely to be prohibitively expensive and also an intractable foreign affairs problem. Simple requirements can yield simple solutions (e.g. a
door lock). But the requirements of law enforcement access to encrypted data are inherently complex and, as we have already
shown, nearly contradictory. [Footnote 7: We note that some pieces of malware, such as Stuxnet and Duqu 2, have relied on code-signing keys issued to legitimate
companies. When a key is compromised, it must be replaced.] Complex or nearly contradictory requirements yield brittle, often-insecure solutions. As NSA's former head of research testified in
2013: When it comes to security, complexity is not your friend. Indeed it has been said that complexity is the enemy of security. This is a point
that has been made often about cybersecurity in a variety of contexts including, technology, coding and policy. The basic idea is
simple: as software systems grow more complex, they will contain more flaws and these flaws will be exploited by cyber
adversaries. We have a very real illustration of the problem of complexity in a recent analysis of one of the most important security systems on the Internet:
SSL/TLS. Transport Layer Security (TLS) and its predecessor Secure Socket Layer (SSL) are the mechanisms by which the majority of the web encrypts its
traffic; every time a user logs into a bank account, makes an electronic purchase, or communicates over a social network, that user is trusting SSL/TLS to
function properly. All a user needs to know of all of this complexity is that the lock or key icon shows up in the browser window. This indicates that the
communication between the user and the remote website is secure from interception. Unfortunately, writing code that correctly implements such cryptographic
protocols has proven difficult; weakened protections makes it harder still. For instance, OpenSSL, the software used by about two-thirds of websites to do TLS
encryption, has been plagued with systems-level bugs resulting in catastrophic vulnerabilities. The now-infamous Heartbleed bug was caused by a missing
bounds check, an elementary programming error that lurked in the code for two years, leaving 17% of all websites vulnerable to data theft. More recent
vulnerabilities, however, were caused by legacy restrictions on the exportation of cryptographic algorithms, dating back to the
Crypto Wars. The fact that there are so many different implementations of TLS, all of which have to interoperate to make the
Web secure, has proven to be a real source of security risk [37]. Website operators are reluctant to switch to more secure
protocols if this will lose them even a few percent of prospective customers who are still using old software, so vulnerabilities
introduced deliberately during the Crypto Wars have persisted to this day. Introducing complex new exceptional access
requirements will similarly add more security bugs that will lurk in our software infrastructure for decades to come. Third, there are
broader risks for poorly deployed surveillance technology. Exceptional access mechanisms designed for law enforcement use
have been exploited by hostile actors in the past. Between 1996 and 2006, it appears that insiders at Telecom Italia enabled the wiretapping of 6,000
people, including business, financial, and political leaders, judges, and journalists [38]. In a country of 60 million, this means that no major business or political
deal was truly private. The motivation here appeared to be money, including the possibility of blackmail. As we mentioned earlier, from 2004 to 2005, the cell
phones of 100 senior members of the Greek government, including the Prime Minister, the head of the Ministry of National Defense, the head of the Ministry of
Justice, and others. Vodafone Greece had purchased a telephone switch from Ericsson. The Greek phone company had not purchased wiretapping capabilities,
but these were added during a switch upgrade in 2003. Because Vodafone Greece had not arranged for interception capabilities, the company did not have the
ability to access related features, such as auditing. Nevertheless, someone acting without legal authorization was able to activate the intercept features and keep
them running for ten months without being detected. The surveillance was uncovered only when some text messages went awry. Although the techniques of how
it was done are understood, who was behind the surveillance remains unknown [19]. Next, there are the broader costs to the economy. Economic
growth comes largely from innovation in science, technology, and business processes. At present, technological progress is
largely about embedding intelligence software and communications everywhere. Products and services that used to be standalone
now come with a mobile phone app, an online web service, and business models that involve either ads or a subscription. Increasingly these are also social, so
you can chat to your friends and draw them into the vendor's marketing web. Countries that require these new apps and web services to have
their user-to-user communications functions authorized by the government will be at a significant disadvantage. At present, the
world largely uses US apps and services, rather than the government-approved ones from Russia and China. This provides
enormous leverage to US businesses. Finally, this market advantage gives real benefits not just economically but in terms of soft
power and moral leadership. The open Internet has long been a foreign policy goal of the US and its allies for a lot of good
reasons. The West's credibility on this issue was damaged by the Snowden revelations, but can and must recover. Lawmakers
should not risk the real economic, geopolitical, and strategic benefits of an open and secure Internet for law enforcement gains
that are at best minor and tactical.
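The missing bounds check that the evidence above names as the cause of Heartbleed, reduced to a minimal model beside its one-comparison fix. This is an added example, not part of the quoted evidence and not OpenSSL's code; the record layout, the function names and the 64-byte arena standing in for process memory are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat request, constructed for this example:
 *   byte 0     type (1 = request)
 *   bytes 1-2  payload length claimed by the sender, big-endian
 *   bytes 3..  payload
 * The real TLS heartbeat also carries padding; this model omits it. */
#define HB_REQUEST 1
#define HB_HEADER  3
#define ARENA_SIZE 64
#define SECRET_OFF 16   /* unrelated data stored after the record slot */

static const char SECRET[] = "CONSTRUCTED-SECRET";  /* sample value */

typedef size_t (*hb_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Vulnerable form: the copy length is taken from the peer-supplied field
 * and never compared with the number of bytes actually received. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap)                  /* output side is bounded */
        return 0;
    memcpy(out, rec + HB_HEADER, claimed);  /* input side is not */
    return claimed;
}

/* Hardened form: a request whose claimed length exceeds the bytes that
 * arrived is discarded without a reply. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HB_HEADER)      /* the missing bounds check */
        return 0;
    if (claimed > out_cap)
        return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Returns 1 if the n-byte needle occurs anywhere in hay. */
static int contains(const uint8_t *hay, size_t hay_len,
                    const char *needle, size_t n)
{
    for (size_t i = 0; n > 0 && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Builds the arena (7-byte record at offset 0, secret at offset 16), runs
 * one handler, returns the reply length and reports whether the reply
 * contains the secret. claimed_len must stay <= ARENA_SIZE - HB_HEADER so
 * the demonstration over-read remains inside the arena (well-defined C). */
size_t run_case(hb_fn reply, uint16_t claimed_len, int *leaked)
{
    uint8_t arena[ARENA_SIZE] = {0};
    uint8_t out[ARENA_SIZE];
    const uint8_t payload[4] = {'p', 'i', 'n', 'g'};

    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, sizeof payload);
    memcpy(arena + SECRET_OFF, SECRET, sizeof SECRET - 1);

    size_t n = reply(arena, HB_HEADER + sizeof payload, out, sizeof out);
    *leaked = contains(out, n, SECRET, sizeof SECRET - 1);
    return n;
}

int main(void)
{
    int leaked;
    size_t n = run_case(hb_reply_unchecked, 40, &leaked);
    printf("unchecked: %zu bytes returned, secret leaked: %d\n", n, leaked);
    n = run_case(hb_reply_checked, 40, &leaked);
    printf("checked:   %zu bytes returned, secret leaked: %d\n", n, leaked);
    return 0;
}
```

An honest request (claimed length 4) behaves identically in both handlers, which is why a bug of this kind can sit unnoticed until someone tests a length field that disagrees with the record size.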
exceed" $35bn. "In the short term, US companies lose out on contracts, and over the long term, other countries create protectionist
policies that lock US businesses out of foreign markets. This not only hurts US technology companies, but costs American jobs and
weakens the US trade balance," the study found. Since the publication of the documents leaked by former defence contractor Edward Snowden in 2013,
the Obama administration has been struggling to justify its bulk collection programs to an increasingly sceptical public. In May, a crucial senate vote to extend the
program - which was authorised under Section 215 of the Patriot Act - failed, followed by the passing last week of the USA Freedom Act, effectively ending bulk
data collection, at least for the time being. "We appreciate that, where appropriate, law enforcement has the legitimate need for certain information to combat
crime and threats," reads the ITIC letter. "However, mandating the weakening of encryption or encryption 'work-arounds' is not the way to address this need." The
letter was copied to US secretary of state John Kerry, attorney general Loretta Lynch and homeland security secretary Jeh Johnson, as well as the secretary of
commerce, the director of the FBI, and the director of the National Economic Council. In a press briefing on 4 June, White House press secretary Josh Earnest
addressed the problem obliquely when asked a question about the now-defunct Section 215 of the Patriot Act, which allowed the federal government's bulk
collection of data. Describing what he saw as the "tough challenge of balancing the privacy and civil liberties of law-abiding American citizens with the need for us
to try to detect and apprehend terrorists before they commit an act of violence", Earnest said the president saw an opportunity to work with the tech sector. "As
much as they value and champion the privacy and civil liberties rights of American citizens, we also know that those individuals do not want to be in a situation
where their technology is responsible for allowing somebody who is seeking to carry out an act of violence to evade detection from the federal government," he
added.
have suffered billions of dollars of losses overseas because of consumer distrust over their relationships with the NSA would lose all credibility with users around the world if the FBI and NSA succeed with their plan. The White House is supposedly coming out with an
official policy on encryption sometime this month, according to the New York Times, but the President can save himself a lot of time and just apply his
comments about China to the US government. If he knows backdoors in encryption are bad for cybersecurity, privacy, and the economy, why is there even a
debate?
Top experts and empirics agree backdoors kill US credibility and econ
Adhikari 15 <Richard, writer for TechNewsWorld, ECT news, cites experts from New America's Open Technology Institute,
1/13/15, The Fallout From the NSA's Backdoors Mandate, Ecommerce Times,
http://www.ecommercetimes.com/story/81530.html>//wx
Massive Cost to U.S. Businesses In August of last year, the German government reportedly warned that Windows 8 could act as a Trojan when combined
with version 2.0 of the Trusted Platform Module (TPM), a specification for a secure cryptoprocessor. The TPM is included in many laptops and tablets, and the
concern is that TPM 2.0 makes trusted computing functions mandatory rather than opt-in as before, meaning it can't be disabled. Further, it can let Microsoft
establish a backdoor into the device it's in. Microsoft's response was that OEMs can turn off the TPM in x86 computers. The German government will end
its contract with Verizon; Brazil has decided to replace its fighter jets with ones made by Sweden's Saab instead of Boeing; and Web
hosting firm Servint Corp. reported a 30 percent decline in overseas business since the NSA leaks first made news in June 2013.
"There is both diplomatic and economic backlash against these tactics," Robyn Greene, policy counsel at New America's Open Technology Institute,
told the E-Commerce Times. It's difficult to establish an exact dollar amount, but "experts have estimated that losses to the U.S. cloud industry
alone could reach (US)$180 billion over the next three years," Greene said. "Additionally, major U.S. tech companies like Cisco and IBM have
lost nearly one-fifth of their business in emerging markets because of a loss of trust." Foreign companies are using their non-U.S. status
to advertise themselves as more secure or protective of privacy, Greene remarked. The Other Side of the Story On the other hand, Cisco's share of the service
provider router and carrier Ethernet market bounced back strongly after an unusually weak Q2, primarily because of a strong performance in the Asia-Pacific and
the EMEA regions, SRG Research reported. "Cisco is in a league of its own, with a global presence, credibility and product range that cannot be matched by its
competitors," John Dinsdale, managing director and chief analyst at SRG, told the E-Commerce Times. "When demand increases, there is only a rather short list
of vendors who can satisfy it, and Cisco clearly has the strongest story to tell." In addition, the allegations that U.S. high-tech firms built backdoors into their
products are not true, contended Philip Lieberman, president of Lieberman Software. "I have never seen any cooperation between U.S.-owned software or
hardware manufacturers to insert backdoors into their products for the use of the NSA," Lieberman told the E-Commerce Times. "The damage
that such an inclusion would cause to the company that did so would be catastrophic and probably unrecoverable." Rebuilding
Faith and Trust With its backdoors, the NSA "broke the foundational element of trust, and that's something very difficult to recover from. [It has] in effect
destroyed the trusted and secure reputation of U.S. companies," said Neivert. "More and more we will see U.S. tech companies focusing on distinguishing their
products and services with heightened security offerings and working to achieve legislative reforms that would rein in [surveillance practices]. That's the case with
the Reform Government Surveillance Coalition and tech industry trade associations that represent thousands of companies," New America's Open Technology
Institute's Greene added.
considering is not even possible. According to the CSAI Lab experts, we do not currently have a technical capability to create a
door for law enforcement that could not be exploited by others. Many of the issues at play hark back to a Clinton-era discourse over what was
known as the Clipper chip. With the rise of the Internet, the National Security Agency was searching for a way to protect its electronic surveillance abilities. The
Clipper Chip was a microcircuit that would encrypt data but also give the government access to the keys needed to unlock the data. The chip faced backlash
from the public and was never adopted, setting an important precedent for encrypted communications. The CSAI Lab experts report requiring such an
access point almost 20 years later poses even more of a threat today due to the comparatively larger role computers play in our
economy and daily lives. With more hackers with more advanced capabilities than ever before, it's not the time to limit our devices' security mechanisms.
The group's conclusions mirror what private sector companies, who have been ramping up encryption efforts in the wake of the Edward Snowden revelations,
have said for months.
Pate 13, (Steve, CTO and co-founder of HighCloud Security, Special to Network world, Encryption
as an enabler: top 10 benefits, http://www.networkworld.com/article/2165740/techprimers/encryption-as-an-enabler--the-top-10-benefits.html, AL)
Encryption gives services providers a competitive edge. As a cloud service provider, you are a guardian of your customers' applications and data. Thieves are
getting smarter and regulations are getting more stringent. The good news is that security technology is also getting better. Encryption and key management software,
designed specifically for virtualized environments, can help you significantly improve your security posture, attract new customers,
and expand your business with existing clients. This allows you to: Gain competitive advantage and differentiation, Expand revenue
potential to customers with sensitive or regulated data, Protect customer data against access by unauthorized users, Satisfy data
residency and privacy requirements, Reduce hardware costs through cryptographic multi-tenancy, Assure customers that they
can de-provision securely without leaving data behind. Newer encryption technologies are easy to deploy and offer robust APIs that allow for transparent
integration into the CSP environment.
Yes, the USA economy affects many countries even without being trade partners
Dees and Saint-Guilhem 9 (Stephane and Arthur, Professional Economic Adviser and Economist at European Central
Bank, THE ROLE OF THE UNITED STATES IN THE GLOBAL ECONOMY AND ITS EVOLUTION OVER TIME pg. 5-6)RR
The U.S. economy is very often seen as "the engine" of the world economy. As a result, any sign of slowdown in the United
States raises concerns about harmful spillovers to the other economies. The current economic recession in the United States
has questioned the ability of the global economy to "decouple" from U.S. cyclical developments. While there were some signs of
decoupling in the first quarters following the U.S. downturn, they disappeared rapidly towards the end of 2008, when the crisis
became more global and the economic cycles turned out to be more synchronous across the world. While the increasing
economic integration at the world level and the resulting emergence of large economic players, like China, is likely to have
weakened the role of the U.S. economy as a driver of global growth, the influence of the United States on other economies
remains however larger than direct trade ties would suggest. Third-market effects together with increased financial integration
tends to foster the international transmission of cyclical developments. Based on a Global VAR modelling approach, this paper
attempts to provide some answers by analysing how a change in U.S. GDP is transmitted to the rest of the world and to what
extent such a transmission has changed during the period 1979-2006. An important caveat of this approach concerns the
identification of a U.S. shock. It is clearly difficult to identify a purely U.S.-specific shock, whose nature is entirely idiosyncratic.
Moreover, the nature of the shock might also alter the way the shock is transmitted to the rest of the world. While these limits
would call for a more complex modeling of the international linkages, our approach has remained on purpose very agnostic,
while keeping as comprehensive as possible the representation of international linkages. By including a large number of
countries in the modeling of the world economy, the GVAR approach allows us to account for the complexity of global
interdependencies in a transparent and coherent framework and to give some idea about the dynamics of the propagation of
shocks. A more detailed modeling in terms of the nature of the shocks and their transmission channels would definitely be at the
expense of both the rich geographical coverage and the time-varying dimension. The empirical analysis shows various results.
First, the economies differ as regards their sensitivity to U.S. developments. The U.S. economy is for most economies their first
trading partner and has remained so during the last 25 years. Even for countries that do not trade so much with the U.S., they
are influenced by its dominance through other partners' trade. Of course, the economies that trade a lot with the U.S. are most
likely affected by U.S. economic shocks. At the regional level, however, such effects tend to be diluted and the transmission of
U.S. cyclical developments seem to be somewhat dampened by regional integration. Moreover, while no clear trend seems to
emerge, it seems that the role of the U.S. in the global economy has changed over time. Although, we are not able to identify any
structural break in the sample, we can see that a time-varying estimation shows some noticeable differences in the transmission
of U.S. shocks over time. Overall, it seems that for most countries, a change in U.S. GDP has weaker impacts during most
recent periods than for earlier periods. However, the persistence of such shocks seem to have increased in the most recent
periods. The increase in persistence of the U.S. shocks together with the increase in the impact elasticities of non-U.S. foreign
activity for some regions (emerging in particular) emphasises the role of second-round and third partners effects, making U.S.
cyclical developments more global.
ways in which the potential for greater conflict could grow would seem to be even more apt in
a constantly volatile economic environment as they would be if change would be steadier. In surveying
those risks, the report stressed the likelihood that terrorism and nonproliferation will remain priorities even as
resource issues move up on the international agenda. Terrorism's appeal will decline if economic growth continues
in the Middle East and youth unemployment is reduced. For those terrorist groups that remain active in 2025,
however, the diffusion of technologies and scientific knowledge will place some of the world's most dangerous
capabilities within their reach. Terrorist groups in 2025 will likely be a combination of descendants of long
established groups inheriting organizational structures, command and control processes, and training procedures
necessary to conduct sophisticated attacks and newly emergent collections of the angry and disenfranchised that
become self-radicalized, particularly in the absence of economic outlets that would become narrower in an
economic downturn. The most dangerous casualty of any economically-induced drawdown of U.S.
military presence would almost certainly be the Middle East. Although Iran's acquisition of nuclear weapons
is not inevitable, worries about a nuclear-armed Iran could lead states in the region to develop
new security arrangements with external powers, acquire additional weapons, and consider
pursuing their own nuclear ambitions. It is not clear that the type of stable deterrent relationship
that existed between the great powers for most of the Cold War would emerge naturally in the Middle East
with a nuclear Iran. Episodes of low intensity conflict and terrorism taking place under a nuclear umbrella could lead
to an unintended escalation and broader conflict if clear red lines between those states involved are not well
established. The close proximity of potential nuclear rivals combined with underdeveloped surveillance
capabilities and mobile dual-capable Iranian missile systems also will produce inherent difficulties in
achieving reliable indications and warning of an impending nuclear attack. The lack of strategic depth in
neighboring states like Israel, short warning and missile flight times, and uncertainty of Iranian
intentions may place more focus on preemption rather than defense, potentially leading to
escalating crises. Types of conflict that the world continues to experience, such as
over resources, could reemerge, particularly if protectionism grows and there is a resort
to neo-mercantilist practices. Perceptions of renewed energy scarcity will drive countries to
take actions to assure their future access to energy supplies. In the worst case, this could result
in interstate conflicts if government leaders deem assured access to energy resources, for example, to be
essential for maintaining domestic stability and the survival of their regime. Even actions short of war, however, will
have important geopolitical implications. Maritime security concerns are providing a rationale for naval
buildups and modernization efforts, such as China's and India's development of blue water naval capabilities.
If the fiscal stimulus focus for these countries indeed turns inward, one of the most obvious funding targets may be
military. Buildup of regional naval capabilities could lead to increased tensions, rivalries, and
counterbalancing moves, but it also will create opportunities for multinational cooperation in protecting critical sea
lanes. With water also becoming scarcer in Asia and the Middle East, cooperation to manage changing water
resources is likely to be increasingly difficult both within and between states in a more dog-eat-dog world.
starting about 30 years ago, slacked on the technical requirements. USA grade schools and high schools didn't emphasize
technology, so when those students got to college, they were already behind - they couldn't compete in the technical courses, so they chose a different
profession, instead of engineering. Today the USA has a ton of MBAs. This is good, if partnered with a technical degree. But just a bunch of MBAs with no
technical backgrounds? It takes business know-how to run a successful global company now, but you have to start with technical
expertise, or you have nothing to build and sell eventually. And no engineers to create your product. What are American students doing
now? Flipping hamburgers? Dropping out of school? Taking Psychology courses? This generation is not helping the US economy. Hank Pellissier: Do the Indian
and Chinese technical workers you hire, specialize or dominate in specific fields? Are Americans the leaders in anything?
is focused on what this means for the good old US of A, but it's also worth looking beyond that and seeing the decline's effect
internationally. The Cringe somewhat recently predicted massive IBM layoffs, and, well, he wasn't wrong. That had him thinking about the
impact that offshoring and foreign workers using H-1B visas have on American workers and their companies. If you have US blinders on, you'd agree
it's not good. If you have a world view, you may have a totally different perspective. The entire world has a right to participate in
and influence high tech. Seeds sown The seeds for the decline of the American computer industry were actually sown at its
inception. The truth is that much (but not all) of the American technology industry is being led by what my late mother would have called
assholes. And these are needlessly destroying the very industry that made them rich. It started in the 1970s when a couple of obscure
academics created a creaky logical structure for turning corporate executives from managers to rock stars, all in the name of maximizing shareholder value,
Cringely wrote.
Corporate restructuring at big tech firms like Hewlett-Packard and Microsoft pushed the number of jobs eliminated in tech fields
to 100,757, a rise of 77 percent over 2013. It was the first time that number rose above 100,000 since 2009, the first full year of
the recent recession. The biggest portion of those cuts occurred in the computer industry where 59,523 jobs were eliminated.
Another 19,408 jobs were cut in the electronics industry, more than double the amount from the prior year. Cuts in the telecom
industry rose 68 percent to 21,821. Lost tech jobs accounted for 21 percent of the total number of jobs (483,171) eliminated
during 2014. Microsoft was responsible for 18,000 cut, and HP dropped 16,000 positions during the year, according to the firm.
Cisco Systems, Intel and Symantec were among the other firms who announced large-scale layoffs during the year.
meant that it faced the risk of relying on second-rate encryption for its own systems, while other countries could be developing
state-of-the-art encryption that would benefit other militaries but not the United States. Mandated vulnerabilities within the United
States, to assist law enforcement, thus repeat the 1990s syndrome of harm to U.S. industry as well as futility. Much of the growth in encryption-related
software and products could come from non-U.S. companies that serve the global market for secure communications and storage. Other growth would come
from the already-flourishing free and open source sector. As Bankston wrote: A government mandate prohibiting U.S. companies from offering
products or services with unbreakable encryption is of little use when foreign companies can and will offer more secure products
and services, and when an independent coder anywhere on the planet has the resources to create and distribute free tools for
encrypting your communications or the data stored on your mobile devices. As former Homeland Security Secretary Michael Chertoff recently
put it, [T]hat genie is not going back in the bottle.29 Stanford cybersecurity researcher Jonathan Mayer sums up the futility of technology controls justified by
going dark concerns: Cryptographic backdoors are, however, not a solution. Beyond the myriad other objections, they pose too much of a cost-benefit
asymmetry. In order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would
have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would
inevitably lose. 30
N.S.A. chief, the video appearance of Mr. Snowden at a technology conference in Texas and the drip of new details about government spying have kept attention
focused on an issue that many tech executives hoped would go away. Despite the tech companies' assertions that they provide information on
their customers only when required under law, and not knowingly through a back door, the perception that they enabled the
spying program has lingered. It's clear to every single tech company that this is affecting their bottom line, said Daniel Castro, a
senior analyst at the Information Technology and Innovation Foundation, who predicted that the United States cloud computing industry could lose $35 billion by
2016. Forrester Research, a technology research firm, said the losses could be as high as
that previously would have included them, said James Staten, a cloud computing
analyst at Forrester who has read clients' requests for proposals. There are German companies, Mr. Staten said, explicitly not inviting certain American
companies to join. He added, It's like, Well, the very best vendor to do this is IBM, and you didn't invite them. The result has been a boon for foreign
companies.
subset where the content is encrypted, law enforcement can gain access to the meta-data, linking suspects and witnesses to
their entire social graphs. For text messages, it might be tempting to say that law enforcement could call the glass half-empty (some texts are encrypted) or
half-full (some texts are in the clear). With over six trillion messages filling the cup, though, it takes chutzpah to say the glass is empty. Text messages are a
prime example of a golden age of surveillance, and not of going dark. Third, government-mandated vulnerabilities would threaten severe harm
to cybersecurity, privacy, human rights, and U.S. technological leadership, while not preventing effective encryption by
adversaries. As occurred in the 1990s, a diverse coalition of cybersecurity experts, technology companies, privacy experts, human rights activists, and others
has expressed vociferous and united opposition to government-mandated encryption vulnerabilities.2 My testimony highlights some of these concerns:
Technology companies, even before Snowden, had multiple reasons to deploy strong encryption to enhance cybersecurity and customer trust. The ongoing
development of encryption should thus not be seen primarily as a short-term response to Snowden's revelations. Overwhelming technical problems
and costs result from mandates to create vulnerabilities in encryption. A new report issued on July 7 is just the most recent, credible explanation
of these technical issues. U.S. Government support for encryption vulnerabilities increases cybersecurity problems in the least
trusted countries and globally, and undermines U.S. human rights policies. The United States should be a strong example for cybersecurity
and human rights, rather than an excuse used by repressive regimes to surveil U.S.-based businesses and individuals and clamp down on political dissent.
Mandated vulnerabilities are bad industrial policy; they threaten U.S. technological leadership without preventing bad actors
from using strong encryption. In conclusion, providing access exceptions for U.S. law enforcement and intelligence agencies will be
harmful, rather than helpful, to national security. Despite concerns of going dark, the steady increase of electronic communications
worldwide provides these agencies with an ever-growing amount of valuable data and meta-data to use in identifying and pursuing
targets of investigations. The inability to directly access the content of a small fraction of these communications does not warrant the
subsequent damage that would result to privacy and to U.S. economic, diplomatic, and security interests.
Encryption backdoors cause lack of trust in encryption companies and the government
Anthony 13 (Sebastian, ExtremeTech Senior Editor, 9/6/13, Anthony, ExtremeTech,
http://www.extremetech.com/computing/165849-nsa-and-gchq-have-broken-internet-encryption-created-backdoors-that-anyonecould-use)-SK
This is the big one: New documents released by Edward Snowden show that the NSA and its British equivalent, GCHQ
(pictured above), have cracked VPNs, SSL, and TLS, the encryption technologies that keep your data secure on the internet.
The NSA program, dubbed Bullrun, took 10 years to crack the web's encryption technologies, before finally reaching a
breakthrough in 2010 that made vast amounts of previously unreadable data accessible. Perhaps more worryingly, the NSA
has an ongoing program to place backdoors in commercial products (websites, routers, encryption programs, etc.) to enable
easy snooping on encrypted communications. The documents, which contain some choice phrases such as, "work has
predominantly been focused this quarter on Google due to new access opportunities being developed," almost completely
undermines the very basis of the internet, obliterating the concept of trust online. The documents outline a three-pronged plan to
ensure the NSA can access the bulk of the internet's encrypted traffic: Influencing the development of new encryption standards
to introduce weaknesses, using supercomputers to break encryption, and collaborating with ISPs and tech companies to gain
backdoor access. Unfortunately, the documents don't outline exactly how the NSA and GCHQ broke the security of VPNs, SSL,
and TLS, only that they have successfully done it. There are numerous possibilities, with the two simplest being that the
intelligence agencies have either obtained the root certificates used to sign private keys, or they've found a flaw in the standards
that can be easily exploited, perhaps using a flaw that they themselves introduced into the standard. [Image caption: A slide detailing the
successes of the NSA and GCHQ programs to break internet encryption] The final point, that the NSA has been lobbying ISPs
and tech companies to include backdoors in their products, is the most chilling. These backdoors might consist of hardware-level
access (say, in your home router or a big router at your ISP) that allows the NSA to log in and spy on any data that passes
through. These backdoors might be the NSA working with major tech companies, such as Microsoft or Facebook, to
deliberately introduce flaws into the encryption tech so that the NSA can easily crack it. (A previous leak pegged Microsoft as
helping the NSA circumvent encryption used by Outlook.com and IM services.) The main thing, though, is that these commercial
entities are working with, not against, the NSA to introduce these backdoors. At first blush, in the words of the NSA itself, these
decryption programs are "the price of admission for the US to maintain unrestricted access to and use of cyberspace." The
problem is, by deliberately introducing security flaws, the NSA and GCHQ have obliterated the concept of trust online. The whole
point of VPNs and TLS is that they are impossible to crack, at least within a reasonable time frame. We now know that our
secure communications can be easily snooped on by the government, but more importantly, due to this plethora of backdoors,
we can't be sure that only the government is listening in. That's the problem with a backdoor: It's great while you're the only one
who knows about it, but it's game-breakingly awful if someone else (an enemy government, for example) stumbles across it.
(See: XKeyscore: The NSA program that collects nearly everything that you do on the internet.) [Image caption: This diagram shows how GCHQ
proposed to identify, intercept, and decrypt encrypted traffic in near-real time.] For years the security industry has speculated that
the internet was riddled with NSA backdoors, and now it seems we have confirmation. It would be foolish to assume that these
backdoors haven't been exploited by other, non-authorized entities. If you require private and secure communications, now
would be the time to consider your alternatives. (Have you ever thought about physically exchanging thumb drives?) Ideally, if the
cryptographic systems behind VPN, SSL, and TLS have been broken (3DES, AES, etc.) then work needs to begin on new
industry-standard ciphers. This would likely take years. For a lot more information on the NSA and GCHQ's sigint (signals
intelligence) operations, hit up the Guardian. I can't say that I'm really surprised, but it's still a bit depressing to see the terrifying
extent of their sigint operations laid bare, and moreover, I guarantee that, due to the higher levels of classification that
Snowden couldn't access, this is still just the tip of the iceberg.
NSA BULLRUN program kills Tech industry credibility. Other countries don't want to interact with
US tech companies
Timm 13 [Trevor, Journalist for the Guardian, Director/Co-founder of Freedom of the Press Foundation, How NSA Mass
Surveillance is Hurting the US Economy, Electronic Frontier Foundation, November 25, 2013,
https://www.eff.org/deeplinks/2013/11/how-nsa-mass-surveillance-hurting-us-economy, July 18, 2015] KL
Privacy may not be the only casualty of the National Security Agency's massive surveillance
program. Major sectors of the US economy are reporting financial damage as the recent
revelations shake consumer confidence and US trade partners distance themselves from
companies that may have been compromised by the NSA or, worse, are secretly
collaborating with the spy agency. Members of Congress, especially those who champion America's
competitiveness in the global marketplace, should take note and rein in the NSA now if they want to stem the
damage. The Wall Street Journal recently reported that AT&T's desired acquisition of the European company
Vodafone is in danger due to the company's well-documented involvement in the NSA's data-collection programs.
European officials said the telecommunications giant would face intense scrutiny in its bid to purchase a major
cell phone carrier. The Journal went on to say: "Resistance to such a deal, voiced by officials in
interviews across Europe, suggests the impact of the NSA affair could extend beyond the
diplomatic sphere and damage US economic interests in key markets." In September,
analysts at Cisco Systems reported that the fallout reached another level, when the
National Institute of Standards and Technology (NIST) told companies not to use
cryptographic standards that may have been undermined by the NSA's BULLRUN program.
The Cisco analysts said that if cryptography was compromised it would be a critical blow to trust
required across the Internet and the security community. This forecast was proven true in mid-November,
when Cisco reported a 12 percent slump in its sales in the developing world due to the NSA revelations.
As the Financial Times reported, new orders fell by 25 percent in Brazil and 30 percent in Russia and Cisco predicts
its overall sales could drop by as much as 10 percent this quarter. Cisco executives were quoted saying the
NSA's activities have created "a level of uncertainty or concern" that will have a deleterious
impact on a wide-range of tech companies. It is hard for civil libertarians to shed tears over AT&T
losing business because of NSA spying, considering the company allowed the NSA to directly tap into its
fiber optic cables to copy vast amounts of innocent Americans' Internet traffic. AT&T was also recently
revealed as having partnered with both the DEA and the CIA on separate mass surveillance
programs. It is also hard to feel sorry for Cisco, which stands accused of helping China spy on dissidents and
religious minorities. But the fact that the spying is hurting these major companies is indicative of
the size of the problem. This summer, European Parliament's civil liberties committee was presented with a
proposal to require every American website to place surveillance notices to EU citizens in order to force the US
government to reverse course: "The users should be made aware that the data may be subject
to surveillance (under FISA 702) by the US government for any purpose which furthers US
foreign policy. A consent requirement will raise EU citizen awareness and favour growth of services solely within
EU jurisdiction. This will thus have economic impact on US business and increase pressure on
the US government to reach a settlement." [emphasis ours] Meanwhile, Telenor, Norway's largest
telecom provider has reportedly halted its plans to move its customers to a US-based cloud provider. Brazil seems
to be moving ahead to create its own email service and require US companies locate an office there if they wish to
do business with Brazilian customers. Laws like this mean that companies like Google could be barred from doing
business in one of the world's most significant markets, according to Google's director for law enforcement and
information security at Google, Richard Salgado. Google has been warning of this as far back as July, when in FISA
court documents it argued that the continued secrecy surrounding government surveillance demands would harm
its business. Many commentators have been warning about the economic ramifications for
months. Princeton technologist Ed Felten, who was previously at the Federal Trade Commission, best explained why
the NSA revelations could end up hurting US businesses: "This is going to put US companies at a
competitive disadvantage, because people will believe that U.S. companies lack the ability
to protect their customers, and people will suspect that U.S. companies may feel compelled to lie to their
customers about security." The fallout may worsen. One study released shortly after the first Edward Snowden leaks
said the economy would lose $22 to $35 billion in the next three years. Another study by Forrester said the $35
billion estimate was too low and pegged the real loss figure around $180 billion for the US tech industry by 2016.
Much of the economic problem stems from the US government's view that it's open season when it comes to spying
on non-U.S. persons. As Mark Zuckerberg said in September, the government's position is "don't worry, we're not
spying on any Americans. Wonderful, that's really helpful for companies trying to work with people around the
world." Google's Chief Legal Officer David Drummond echoed this sentiment last week, saying: "The justification
has been couched as 'Don't worry. We're only snooping on foreigners.' For a company like ours, where most of our
business and most of our users are non-American, that's not very helpful." Members of Congress who care
about the US economy should take note: the companies losing their competitive edge due to
NSA surveillance are mainstream economic drivers. Just as their constituents are paying attention, so
are the customers who vote with their dollars. As Sen. Ron Wyden remarked last month, "If a foreign enemy was
doing this much damage to the economy, people would be in the streets with pitchforks."
NSA has done more damage to reputation of U.S. tech companies than any other program
Messmer, technology and security researcher and writer, 9/10/13
(Ellen Messmer, Network World, http://www.networkworld.com/article/2169810/data-center/reported-nsa-actions-raise-seriousquestions-about-tech-industry-partnerships.html)RL
Revelations that the National Security Agency may be pressuring vendors to put hidden backdoors in their software and hardware for
espionage purposes casts a huge shadow over many programs run by the NSA to interact with the high-tech industry for
purposes of evaluating, testing and accrediting products. The NSA's actions, revealed in documents leaked by former contractor Edward Snowden and
made public by The Guardian and The New York Times, raise questions about NSA-run programs such as the Commercial Solutions for Classified
Components (CSfC), National Information Assurance Partnership, and DoD Information Assurance, Certification and Accreditation Process, as well as protocols
promulgated by the NSA, such as Suite B cryptography. Virtually every U.S.-based network and security product provider of any
significance participates in some way in these product evaluation programs because through them, they can sell to federal
agency customers and the military. To date, news sources such as The Guardian, which has worked closely with Snowden, haven't put forward
any names of companies that may have agreed to compromise their products for the NSA's behalf nor have they mentioned
these NSA-run product-evaluation programs. But last Friday, the Obama
Administration appeared to verify assertions made in the media the day before that the NSA works through partnership programs
with industry to undermine network and security products for espionage purposes. The Office of the Director of National
Intelligence (ODNI) didn't refute the notion that the NSA spends millions of dollars each year to subvert software and hardware by
pressuring the high-tech industry to put in backdoors for the NSA's benefit. In its official statement, ODNI said the stories published "reveal
specific and classified details about how we conduct this critical intelligence activity." Leaked documents posted by the Times and Guardian included NSA
statements such as the NSA SIGINT division "actively engages the U.S. and foreign IT industries to covertly influence and overtly leverage their commercial
products' designs. These design changes make the systems exploitable through SIGINT collection (e.g., Endpoint, Midpoint, etc.) with foreknowledge of the
modification. To the consumer and other adversaries, however, the systems' security remains intact." One goal is said to be to "insert vulnerabilities into
commercial encryption systems, IT systems, networks and endpoint communication devices used by targets." That the NSA manages to somehow
make these modifications is considered "top secret," according to Snowden documents posted online. In its numerous product evaluation programs
with industry, the NSA would have ample opportunity to pursue these goals. Bruce Schneier, crypto expert and author of several books, including the recent
"Liars and Outliers," maintains that the revelations about the NSA constitute a fundamental betrayal of the Internet and the people that
use it. He advocates that anyone, especially engineers, with knowledge of how the NSA is subverting software and hardware should go
public with what they know. He adds that's as long as they're not bound by specific legal or confidentiality restrictions, such as a National Security Letter.
"If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story," said Schneier in a recent
Guardian article. "Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose
what you know. We need whistleblowers." When yesterday asked whether China and Russia might also be working with any of their
homegrown industries to also subvert products for espionage purpose, Schneier said he had no direct knowledge about this. But
having read a slew of documents that Snowden has released, Schneier said he's convinced that the NSA is doing "everything
possible" to ensure complete access to everything it can. The influence of the U.S. and the United Kingdom on software, hardware and
the Internet gives them "a very privileged position on the Internet," he said. The NSA readily acknowledges it is always seeking to "break"
security of adversaries and encryption -- that after all, is part of its mission as America's cyber-espionage agency, which also maintains a
Cyber Command to attack adversaries via cyberspace. But the revelation that the NSA is spending millions each year to try and
get software and hardware vendors to modify their products to include backdoors for intelligence-collection purposes and
weakening of cryptographic and security systems raises the prospect of what legal ramification this will all have when more
becomes known. It's possible lawsuits from both businesses and consumers may arise if it becomes known specific products and
services were designed with backdoors for the NSA without disclosure of that to the buyer in what would be seen as a deceptive
practice. Some revelations in June from Snowden about the NSA's so-called PRISM program for intelligence collection are
starting to have legal impacts. Under PRISM, the NSA can collect e-mail, chat, videos, stored data, VoIP, file transfer and other material
from Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL and Yahoo. Microsoft and Google say they provide this data to
the NSA under the Foreign Intelligence Surveillance Act order and want to disclose how many of those are received each year,
but say so far the U.S. Department of Justice is not agreeing to that. At the end of August, Microsoft General Counsel and Executive Vice
President Brad Smith said his company and Google would "move forward with litigation in the hopes the courts will uphold our right to speak more freely." They
did that yesterday in legal filings at the Foreign Intelligence Surveillance Court, joined by Yahoo. Public prosecutors in France are said to be starting
to build a case against the NSA and the FBI for PRISM-related spying on French citizens. Overall, there's a kind of gloom in the
high-tech industry and wariness among business customers about the implications of what the NSA is said to be doing in its zeal
to be able to conduct intelligence gathering for purposes of national defense. Richard Stiennon, chief research analyst at consultancy
IT-Harvest, says given how badly the NSA's purported actions have hurt U.S. industry, lawsuits should fly. He adds, "Like many well-intentioned government efforts, the NSA has singlehandedly done more damage to the reputation of U.S. technology companies than
any other event in the brief, meteoric rise of U.S. dominance. The implication that the most powerful and well-funded intelligence
service can leverage its relationship with U.S. companies such as Microsoft, Google, Yahoo, and even Apple, to get foreknowledge of
vulnerabilities or backdoors into their information systems, is going to kick off a new era of tech mercantilism. All U.S. tech
companies are going to be asked tough questions by their global clients. I am already hearing from tech giants that they are
being asked to attest to the absence of an NSA presence in their data centers. Competing cloud services and security products from
European and Nordic states are going to see rapid growth." Ellen Messmer is senior editor at Network World, an IDG publication and website, where she
covers news and technology trends related to information security. Twitter: MessmerE.
The Information Technology (IT) industry is a huge economic driver for the world economy. Purchasing products and solutions are based
not only on superior technology, but also whether you have trust and confidence in a vendor. There's no doubt that the ongoing whispering
campaign of possible trust concerns around US-based companies and the National Security Agency (NSA) is taking its toll. For
months there have been claims of unauthorized access to cloud-based data, purposefully weakened (and possibly compromised) encryption keys, and even
backdoors in hardware and software of US-based companies. The impact of this is that Forrester has claimed that the loss for US-based IT
Service Providers in overall revenue due to the highly publicized Prism Scandal could be US$180 Billion or 25 percent by
2016. While US-based companies and the NSA have dominated the news cycle around these concerns, Vodafone's report of government surveillance,
including some governments having direct access to telecommunications traffic makes clear this is really a global issue. It raises questions for companies around
be silent, and don't try to hold back information. In October 2013, after the Prism Scandal, the EFF and Bits of Freedom asked the IT security vendors to reply to
simple questions regarding requests from governments; only a handful of companies responded. Trend Micro did. You can read our reply where Raimund
Genes, Chief Technology Officer, states unequivocally that we have not and would not comply with such a request. Trend Micro is truly a global company. Our
sole focus is to protect all of our customers around the world from all threats, whatever they may be and wherever they may be coming from. Yes we work with
governments and law enforcement, but always in service of protecting you, our customer. This is an issue where there should be no competition. All
companies should share this same, clear focus of putting the customer first. One way to do that is through transparency and honesty. It's late, but not too late for
those who have not addressed this head-on: respond to the EFF and Bits of Freedom request. If you have been asked by any government to insert backdoors,
talk with them and remove them. Through your words and actions stand with your peers around the world and take a clear stand putting customers first above
all else.
NSA backdoors caused the fallout of billions of dollars in contracts; loss of trust
Swartz 2/28/14 Jon Swartz is a Silicon Valley based tech reporter at USA Today (NSA surveillance hurting tech firms' business; Feb
14; http://www.usatoday.com/story/tech/2014/02/27/nsa-resistant-products-obama-tech-companies-encryption-overseas/5290553/)//pk
SAN FRANCISCO - It used to be that tech titans such as Cisco Systems and IBM could bank on fertile markets in Asia and Europe
in their quest for worldwide financial domination. Not so much anymore. The National Security Agency, and revelations about its
extensive surveillance operations, sometimes with the cooperation of tech firms, have undermined the ability of many U.S. companies
to sell products in key foreign countries, creating a fissure with the U.S. government and prompting some to scramble to create "NSA-resistant"
products. The fallout could cost the tech industry billions of dollars in potential contracts, which has executives seething at the
White House. "Suspicion of U.S. vendors is running at an all-time high," says Andrew Jaquith, chief technology officer at cloud-security firm
SilverSky. Cisco, IBM, Microsoft and Hewlett-Packard have reported declines in business in China since the NSA surveillance program was exposed. The
Information Technology & Innovation Foundation estimates the NSA imbroglio will cost U.S. businesses $22 billion through 2016.
Forrester Research pegs potential losses at $180 billion, which includes tech firms and managed service providers. The conflagration
took on political tones this month when German Chancellor Angela Merkel, whose mobile phone was tapped by U.S. spy agencies, said she would press
France President Francois Hollande to back a push for EU-based alternatives to the current U.S.-dominated Internet infrastructure. "We'll talk with France about
how we can maintain a high level of data protection," Merkel said in her weekly podcast in mid-February. "Above all, we'll talk with European providers that offer
security for our citizens, so that one shouldn't have to send e-mails and other information across the Atlantic." The situation is more combustible at home.
Disclosures that the NSA routinely cracked encryption, or data-scrambling, technology has heightened the anxiety of industry leaders. But in their pursuit of NSA-proof products, they've alarmed some intelligence officials, who argue that without the ability to break encryption and create "back doors" to enter computer
systems abroad, the USA would be disarming at a moment of heightened cyberconflict. During a speech on NSA reforms on Jan. 17, President Obama angered
tech leaders when he did not embrace two recommendations by a panel he appointed to review the surveillance that are of pressing concern to Silicon Valley
and the business community. It had recommended the NSA "not in any way subvert, undermine, weaken or make vulnerable" commercial software, and that it
move away from exploiting flaws in software to conduct cyberattacks or surveillance. NSA-resistant products Many tech companies feel they have no
choice but to try to develop NSA-resistant products because customers from China to Germany threaten to boycott American
hardware and cloud services they view as compromised. It's already happening, with large corporate deals either lost or in danger of falling by the
wayside. The United Arab Emirates is threatening to scrap a $926 million intelligent-satellite deal with two French firms unless they
remove U.S.-built components. The UAE fears the equipment would contain digital backdoors that compromise the security of data. About 25% of
300 British and Canadian businesses surveyed by Canadian cloud firm Peer 1 Hosting said they intend to move their computer-hosting operations out of the U.S. While Internet service providers question the practicalities of how e-mail between the U.S. and other countries would
work in such an undefined new service suggested by Merkel, American tech companies caution secure regional networks would fragment the Internet. With the
exception of Microsoft, which says it will let overseas customers have personal data stored on servers outside the U.S., tech companies such as
Facebook and Google have opposed such private European clouds. Their fear: Regional data systems could Balkanize the Internet and
undercut its efficiency.
collection and protection policies and rolling out new technologies to protect data passing through their networks. The biggest of
these is the ongoing move to encrypt online services, which will help to stop spooks and cyber criminals getting hold of the data.
Snowden himself has listed encryption as one of, if not the, best way for people and businesses to protect their data, and for me
the rising use of anonymising services and a focus on data protection is a huge positive that governments should be promoting.
Sadly, though, many have gone the other way, arguing that mass data collection and the ability to access businesses' customer data is a necessary evil in the
fight against criminal and terrorist groups. It's a belief that has been accepted enthusiastically by the Tory government. In turn, the US and UK governments have
debated new legislation that would grant intelligence agencies yet more surveillance powers and ways to get round the encryption roadblock. These attacks on
encryption are ridiculous and foolhardy for two reasons. First, attacking or blocking encryption won't stop the bad people that the government
alleges it's fighting by weakening web users' cyber security. It'll just make general web users more vulnerable. Second, it will
destroy customer trust in online businesses that handle data and have a negative impact on the global economy. Fortunately I
am far from alone in this belief. This week over 140 businesses, researchers, government advisors and white hats sent a letter to
US president Barack Obama urging him to block proposed legislation that would let agencies legally collect and decrypt data
from "communications devices". The letter, which has been signed by tech firms including Apple, Google, Microsoft, Twitter,
Yahoo, Symantec and HP, expresses my concerns nicely. "Introducing mandatory vulnerabilities into American products would
further push many customers - be they domestic or international, individual or institutional - to turn away from those
compromised products and services," it said. "[Customers] and many of the bad actors whose behaviour the government is hoping to
impact will simply rely on encrypted offerings from foreign providers, or avail themselves of the wide range of free and open
source encryption products that are easily available online." This isn't rocket science. If you reduce overall cyber security levels and make
commonly used encryption protocols and defence tools vulnerable you won't catch the serious cyber criminals because they don't use them. The bad people
running cyber black markets dealing in arms, exploit kits, drugs, or even child pornography are smarter than that. They know how to hide their operations and will
simply move deeper underground, using even more advanced detection dodging technologies, and evolving their strategies to exploit businesses' government-made weaknesses. It won't make any difference to me as I am not part of the one percent that our new government cares about, but I wanted to use this column
to add my voice to the 140 companies on the letter and urge the US and UK governments to reconsider their war on encryption.
encryption product from a US company or would that customer instead purchase a security product from a company residing in a
country where robust encryption is allowed?" Dean then adds, "Demand for information security will remain with or without the policy.
It's just that US companies will be unable to service this demand, which translates into lost revenue for US tech businesses." Next
I asked Dean if exceptional access might have an effect similar to the Snowden releases. "The NSA's activities, disclosed by Snowden, involved
undermining key information security standards and technologies," states Dean. "The severe erosion of user trust in technologies
sold by US companies has translated into revenue losses for US technology companies. Depending on what you measure and how you
measure it, loss estimates vary from $21.5-35 billion (from ITIF) through to $180 billion (from Forrester)." Dean continues, "FBI Director
Comey is proposing encryption, an important measure for information security, should be weakened. This would trigger a further erosion of trust in technologies
developed and sold by US companies. Estimating the exact losses is difficult. However, it is safe to say that this proposal would not benefit US technology
companies." As for all other businesses, exceptional access would complicate how they meet international regulations and liability
clauses. For example, assuming the paper's authors are right, if a criminal element figures out exceptional access for an encryption
product, who is liable for the damages accrued by companies using the compromised product? To put it simply Bruce Schneier, well-known security expert and one of the paper's authors, always has interesting comments on his blog. And his post on this topic is no exception. David C
comments, "I doubt the bad guys, the FBI want, are going to use broken encryption. They'll go find good encryption and use it." An obvious point, and one, I
hope, not overlooked.
China is no longer using high-profile US technology brands for state purchases, amid ongoing revelations about mass
surveillance and hacking by the US government. A new report confirmed key brands, including Cisco, Apple, Intel, and McAfee -- among others -- have been dropped from the Chinese government's list of authorized brands, a Reuters report said Wednesday. The number of approved foreign
technology brands fell by a third, based on an analysis of the procurement list. Less than half of those companies with security products remain on the
list. Although a number of reasons were cited, domestic companies were said to offer "more product guarantees" than overseas rivals in
the wake of the Edward Snowden leaks. Some reports have attempted to pin a multi-billion dollar figure on the impact of the
leaks. In reality, the figure could be incalculable. The report confirms what many US technology companies have been saying for the past year: the activities by
the NSA are harming their businesses in crucial growth markets, including China. The Chinese government's procurement list changes
coincided with a series of high profile leaks that showed the US government have been on an international mass surveillance spree, as well as hacking
expeditions into technology companies, governments, and the personal cellphones of world leaders. Concerned about backdoors implanted by the
NSA, those revelations sparked a change in Chinese policy by forcing Western technology companies to hand over their source
code for inspection. That led to an outcry in the capital by politicians who in the not-so-distant past accused Chinese companies of doing exactly the same
thing. From encrypted instant messengers to secure browsers and operating systems, these privacy-enhancing apps, extensions, and services can protect you
both online and offline. The fear is that as the China-US cybersecurity standoff continues, it's come too late for Silicon Valley
companies, which are already suffering financially thanks to the NSA's activities. Microsoft said in January at its fiscal fourth-quarter earnings
that China "fell short" of its expectations, which chief executive Satya Nadella described as a "set of geopolitical issues" that the company was working through.
He did not elaborate. Most recently, HP said on Tuesday at its fiscal first-quarter earnings call that it had "execution issues" in China thanks to the "tough market"
with increasing competition from the local vendors approved by the Chinese government. But one company stands out: Cisco probably suffered the worst of all.
Earlier this month at its fiscal second-quarter earnings, the networking giant said it took a 19 percent revenue ding in China, amid
claims the NSA was installing backdoors and implants on its routers in transit. China remains a vital core geography for most US technology
giants with a global reach. But until some middle-ground can be reached between the two governments, expect Silicon Valley's struggles in the country to only
get worse
threats evolve, so do the tech sector's efforts to secure their own data and intellectual property, and to enhance the security tools
and services they offer to customers. Many companies expect to spend between 1 and 5 percent on information security over the
next year. Recognizing not only the importance of information security to ensuring their operations and maintaining customer trust as well as the evolving
nature of security threats, three-fourths of technology executives expect their companies to spend 1 to 5 percent of their revenue on IT security over the next 12
months. At the same time, 23 percent of those surveyed say their company has suffered a security breach in the past 12 months. The
survey findings on security are an important marker since tech companies are the pace setters in IT security. How much and
where tech companies spend on IT security, and how successful they are can serve as guides for all other industries. In today's
digitally driven world, information security is a foundation for business growth and sustainability.
communications technology (ICT) is not only one of the fastest growing industries directly creating millions of jobs but it is also
an important enabler of innovation and development. The number of mobile subscriptions (6.8 billion) is approaching global population figures, with 40% of
people in the world already online. In this new environment, the competitiveness of economies depends on their ability to leverage new technologies. Here are
the five common economic effects of ICT.
1. Direct job creation The ICT sector is, and is expected to remain, one of the largest employers. In
the US alone, computer and information technology jobs are expected to grow by 22% up to 2020, creating 758,800 new jobs. In
Australia, building and running the new super-fast National Broadband Network will support 25,000 jobs annually. Naturally, the growth in different segments is
uneven. In the US, for each job in the high-tech industry, five additional jobs, on average, are created in other sectors. In 2013, the global tech market will grow
by 8%, creating jobs, salaries and a widening range of services and products.
2. Workforce transformation New microwork platforms, developed by companies like oDesk, Amazon and Samasource, help to
divide tasks into small components that can then be outsourced to contract workers. The contractors are often based in emerging
economies. Microwork platforms allow entrepreneurs to significantly cut costs and get access to qualified workers. In 2012, oDesk alone had over 3 million
registered contractors who performed 1.5 million tasks. This trend had spillover effects on other industries, such as online payment systems. ICT has also
contributed to the rise of entrepreneurship, making it much easier for self-starters to access best practices, legal and regulatory information, marketing and
investment resources.
5. Business innovation In OECD countries, more than 95% of businesses have an online presence. The
Internet provides them with new ways of reaching out to customers and competing for market share. Over the past few years, social
media has established itself as a powerful marketing tool. ICT tools employed within companies help to streamline business processes and improve efficiency.
The unprecedented explosion of connected devices throughout the world has created new ways for businesses to serve their customers.
year's edition shows that tech industry jobs account for 5.7 percent of the entire private sector workforce. Tech industry
employment grew at the same rate as the overall private sector, 2 percent, between 2013-2014. Growth was led by the IT
services sector which added 63,300 jobs between 2013 and 2014 and the R&D, testing, and engineering services sector that
added 50,700 jobs. "The U.S. tech industry continues to make significant contributions to our economy," said Todd Thibodeaux,
president and CEO, CompTIA. "The tech industry accounts for 7.1 percent of the overall U.S. GDP and 11.4 percent of the total
U.S. private sector payroll. With annual average wages that are more than double that of the private sector, we should be doing
all we can to encourage the growth and vitality of our nation's tech industry." An examination of tech job postings for the nation shows a
year-over-year jump of more than 11 percent for technology occupations, with over 650,000 job openings in fourth quarter of 2014. At
the state level, Cyberstates shows that 38 states had an overall net increase of tech industry employment in 2014. The largest gains were in
California (+32,900), Texas (+20,100), Florida (+12,500), Massachusetts (+8,700), and Michigan (+8,100). The states with the highest concentration of workers
were Massachusetts (9.8% of private sector employment), Virginia (9.4%), Colorado (9.2%), Maryland (8.6%), and Washington (8.4%). The largest states by tech
industry employment continue to be California, Texas, and New York. "While California was a leading state for 12 of the 16 technology industry clusters,
Cyberstates also shows clusters throughout the United States," said Skip Newberry, president, Technology Association of Oregon and vice chairman, Technology
Councils of North America (TECNA). The state of Washington leads the nation in software publishers employment and Texas leads in tech wholesalers and repair
services. Oregon and Arizona have strong clusters in semiconductors. Virginia has one in computer systems design, a major component of IT services.
Massachusetts is a serious powerhouse in R&D and testing labs. The U.S. tech industry spans the country from coast to coast. "The strength of the
technology industry is built on the hard work, intellectual capital, high-value skills, and innovation of our nation's technology
workers," said Newberry. "Tech workers are the life blood of our industry and as such we need to continue to do all that we can to
ensure access to the best and the brightest workers in the world. This means focusing on STEM education, training and improving access to
high-skilled immigrants. They are going to be the future drivers of our industry." Cyberstates 2015, in its 16th edition, relies primarily on data from the U.S. Bureau
of Labor Statistics. The report provides 2014 national and state-by-state data on tech employment, wages, establishments, payroll, wage differential, employment
concentration, economic output, and job openings. All data are the most recent available at the time of production. 2014 data are preliminary and subject to
revisions.
guide. They have no way of accounting for the value or costs of their decisions. And when the government fails, taxpayers lose.
Subsidies are justified as being necessary to encourage the development of alternative energies because the private sector is unwilling to undertake the risk
necessary for their development. The truth is that private investors should avoid throwing scarce dollars at endeavors that do not make
economic sense. Instances where the private sector will not invest signal that it would also be a bad idea for taxpayers to invest. Policymakers who
believe that entrepreneurs and venture capitalists are investing insufficiently in new technologies should focus their efforts on
reducing the federal tax burden on businesses and investment rather than attempting to subsidize specific firms, industries, or
technologies. Lowering the tax burden is more likely to result in higher economic growth, innovation, and job creation - the same canned justification
that policymakers often fall back on to justify subsidy programs. It is amazing that many of the policymakers who believe that the private sector
needs the government to fill this mythical investment gap are the same ones who want to further tax the rewards of investment, and support sending the money
to agencies like EERE that fund the research and development of commercial products. Advanced research and development subsidies are a form of corporate
welfare because the rewards end up going to private interests while the costs are borne by taxpayers. This cycle of tax and subsidize is just another example of
the government robbing Peter to pay Paul. Policymakers like to tout Paul's success stories when defending energy subsidies, but somehow Peter escapes
acknowledgement.
government subsidy, and 2) policymakers, instead of the market, pick winners and losers. Unseen Losses of Unsubsidized Competitors
By aiding particular businesses and industries, subsidies put other businesses and industries at a disadvantage. This market
distortion generates losses to the economy that are not easily seen and thus generally aren't considered by
policymakers. For example, energy companies that don't receive a government subsidy are disadvantaged when they compete against companies that do
receive government backing. A company or entrepreneur with a superior product or technology might never reach the market because they didn't have access to
government handouts. The result is a diversion of resources from businesses preferred by the market to those preferred by policymakers, which leads to losses
for the overall economy. The Cost of Policymakers Picking Winners and Losers When the government starts choosing industries and
technologies to subsidize, it often makes bad decisions at taxpayer expense, because policymakers possess no special knowledge
that allows them to allocate capital more efficiently than markets. Businesses and venture capital firms make many mistakes as well, but they
bear the consequences of those mistakes. When the government picks losers, the costs are involuntarily borne by taxpayers. Even the supposed success
stories that government officials and the direct beneficiaries of subsidies like to tout at congressional hearings do not come without cost. In addition to the
taxpayer money that's spent when policymakers try to steer the market in certain directions, government intervention can also delay the development of superior
alternatives by companies and entrepreneurs who didn't receive government backing. Worse, young companies and entrepreneurs can have a harder time
acquiring capital because private investors usually prefer to provide capital to projects that are subsidized over ones that are not.
of the companies surveyed indicated that security and data privacy were their top concerns, with 81 percent stating that they
want to know exactly where their data is being hosted. Seventy percent were even willing to sacrifice performance in order to ensure that their
data was protected.37 It appears that little consideration was given over the past decade to the potential economic repercussions if the NSA's secret programs
were revealed.38 This failure was acutely demonstrated by the Obama Administration's initial focus on reassuring the public that its
programs primarily affect non-Americans, even though non-Americans are also heavy users of American companies' products.
Facebook CEO Mark Zuckerberg put a fine point on the issue, saying that the government "blew it" in its response to the scandal. He
noted sarcastically: "The government response was, 'Oh don't worry, we're not spying on any Americans.' Oh, wonderful: that's really helpful to companies [like
Facebook] trying to serve people around the world, and that's really going to inspire confidence in American internet companies."39 As Zuckerberg's comments
reflect, certain parts of the American technology industry are particularly vulnerable to international backlash since growth is heavily dependent on foreign
markets. For example, the U.S. cloud computing industry has grown from an estimated $46 billion in 2008 to $150 billion in 2014, with
nearly 50 percent of worldwide cloud-computing revenues coming from the U.S.40 R Street Institute's January 2014 policy study
concluded that in the next few years, new products and services that rely on cloud computing will become increasingly pervasive. "Cloud computing is
also the root of development for the emerging generation of Web-based applications - home security, outpatient care, mobile payment, distance learning, efficient
energy use and driverless cars," writes R Street's Steven Titch in the study. "And it is a research area where the United States is an undisputed leader."41 This
trajectory may be dramatically altered, however, as a consequence of the NSA's surveillance programs. Economic forecasts after the Snowden leaks
have predicted significant, ongoing losses for the cloud-computing industry in the next few years. An August 2013 study by the
Information Technology and Innovation Foundation (ITIF) estimated that revelations about the NSA's PRISM program could cost the American
cloud computing industry $22 to $35 billion over the next three years.42 On the low end, the ITIF projection suggests that U.S. cloud computing
providers would lose 10 percent of the foreign market share to European or Asian competitors, totaling in about $21.5 billion in losses; on the high-end, the $35
billion figure represents about 20 percent of the companies' foreign market share. Because the cloud computing industry is undergoing rapid growth right now - a
2012 Gartner study predicted global spending on cloud computing would increase by 100 percent from 2012 to 2016, compared
to a 3 percent overall growth rate in the tech industry as a whole43 - vendors in this sector are particularly vulnerable to shifts in the market.
Failing to recruit new customers or losing a competitive advantage due to exploitation by rival companies in other
countries can quickly lead to a dwindling market share. The ITIF study further notes that the percentage lost to foreign competitors could go
higher if foreign governments enact protectionist trade barriers that effectively cut out U.S. providers, citing early calls from German data protection authorities to
suspend the U.S.-EU Safe Harbor program (which will be discussed at length in the next section).44 As the R Street Policy Study highlights,
Ironically, the NSA turned the competitive edge U.S. companies have in cloud computing into a liability, especially in Europe. 4
Research analyst James Staten argued that the think tank's estimates were low, suggesting that the actual figure could be as high as $180 billion over three
years.46 Staten highlighted two additional impacts not considered in the ITIF study. The first is that U.S. customers - not just foreign companies - would also
avoid US cloud providers, especially for international and overseas business. The ITIF study predicted that American companies would retain their domestic
market share, but Staten argued that the economic blowback from the revelations would be felt at home, too. "You don't have to be a French company, for
example, to be worried about the US government snooping in the data about your French clients," he wrote.47 Moreover, the analysis highlighted a second and
far more costly impact: that foreign cloud providers, too, would lose as much as 20 percent of overseas and domestic business because of similar spying
programs conducted by other governments. Indeed, the NSA disclosures have prompted a fundamental re-examination of the role of intelligence services in
conducting coordinated cross-border surveillance, according to a November 2013 report by Privacy International on the Five Eyes intelligence partnership
between the United States, the United Kingdom, Canada, Australia, and New Zealand.48 Staten predicts that as the surveillance landscape
around the world becomes more clear, it could have a serious negative impact on all hosting and outsourcing services, resulting
in a 25 percent decline in the overall IT services market, or about $180 billion in losses.49 Recent reports suggest that things are, in fact,
moving in the direction that analysts like Castro and Staten suggested.50 A survey of 1,000 [Information and Communications Technology (ICT)] decision-makers from France, Germany, Hong Kong, the UK, and the USA in February and March 2014 found that the disclosures have had a direct impact on how
companies around the world think about ICT and cloud computing in particular.51 According to the data from NTT Communications, 88 percent of decision-makers are changing their purchasing behavior when it comes to the cloud, with the vast majority indicating that the location of the data is very important. The
results do not bode well for recruitment of new customers, either - 62 percent of those currently not storing data in the cloud indicated that the revelations have
since prevented them from moving their ICT systems there. And finally, 82 percent suggested that they agree with proposals made by German Chancellor Angela
Merkel in February 2014 to have separate data networks for Europe, which will be discussed in further detail in Part III of this report. Providing direct
evidence of this trend, Servint, a Virginia-based webhosting company, reported in June 2014 that international clients have
declined by as much as half, dropping from approximately 60 percent of its business to 30 percent since the leaks began.52 With
faith in U.S. companies on the decline, foreign companies are stepping in to take advantage of shifting public perceptions. As Georg Mascolo and Ben Scott
predicted in a joint paper published by the Wilson Center and the New America Foundation in October 2013, Major commercial actors on both continents are
preparing offensive and defensive strategies to battle in the market for a competitive advantage drawn from Snowden's revelations.53 For example, Runbox, a
small Norwegian company that offers secure email service, reported a 34 percent jump in customers since June 2013.54 Runbox markets itself as a safer email
and webhosting provider for both individual and commercial customers, promising that it will never disclose any user data unauthorized, track your usage, or
display any advertisements.55 Since the NSA revelations, the company has touted its privacy-centric design and the fact that its servers are located in Norway
as a competitive advantage. Being firmly located in Norway, the Runbox email service is governed by strict privacy regulations and is a safe alternative to
American email services as well as cloud-based services that move data across borders and jurisdictions, company representatives wrote on its blog in early
2014.56 F-Secure, a Finnish cloud storage company, similarly emphasizes the fact that its roots [are] in Finland, where privacy is a fiercely guarded value.57
Presenting products and services as NSA-proof or safer alternatives to American-made goods is an increasingly viable strategy
for foreign companies hoping to chip away at U.S. tech competitiveness.58
the market leader, and nearly all other leading cloud providers offer products that are by default vulnerable to snooping,
account hijacking, and data theft by third parties.52 Every time a user logs into their Microsoft Hotmail, Google Docs, Flickr,
Facebook or MySpace account from a coffee shop or other public wireless network, they risk having their private data stolen by
hackers. This problem is not due to the web-based nature of these services. Consumers are able to safely check their online bank accounts, order books from
Amazon, or trade stocks with an online broker while using open wireless networks without any risk of account hijacking or data theft. Yet this private and valuable
information flows over the same Internet connection that Google, Microsoft, Facebook and MySpace have somehow been unable (or unwilling) to secure.
ADV HUMINT
the 376 needs, or 55 percent), with sigint next (35 percent), followed by osint (25 percent), imint (11 percent), and masint (2 percent). [Insert Figure 1 Here]
More detailed data on humint and osint sources from the 1994 survey are provided in Figure 2, which illustrates the strong attraction of both collection methods
to policymakers when it comes to selected topics and areas of the world. The consumers indicated a strong preference for humint when it came
to counterterrorism (critical for 74 percent), counternarcotics (64 percent), Europe (54 percent), and Near East/South Asia (51 percent). Osint, though,
was considered vastly superior to humint with respect to some regions of the world, most notably Russia/Eurasia (82 percent) and Latin America (77 percent).
The value of the ints varied according to the target, with humint performing most effectively on selected international (transnational) issues,
such as counterterrorism and counternarcotics. With respect to drugs, humint was graded critical more often than all the other
ints together, and provided the main contribution when it came to the vital area of weapons proliferation. Some intelligence experts view
the contribution of osint as widely underappreciated by policymakers, but the findings in Figures 1 and 2 suggest otherwise. Where humint was weakest, osint
proved strongest (Russia/Eurasia and Latin America); conversely, where osint was weakest, humint proved strongest (counterterrorism and counternarcotics).
Beyond excelling on key transnational targets, humint made significant contributions to a number of country targets even if it appeared to be
of little use with respect to Russia, Eurasia, and Latin America. The humint-rich targets were Europe, Near East, and South Asia. Humint added value on Africa
as well, registering a critical evaluation in almost 40 percent of the cases. During the year of the survey (1994), the CIA had its largest number of humint assets
in the two regions that received strong evaluations (Europe and Africa), suggesting that the greater the number of human assets targeted on a
topic or country, the more effective the results. This hypothesis warrants much more testing, however, since in 1994 some locations with a relatively high
density of humint assets recorded only modest results (notably, Central Eurasia/Russia, where osint suddenly experienced a bonanza of open sources when the
iron curtain collapsed three years earlier). [Insert Figure 2 Here] Another survey initiated by intelligence managers soon after the end of the Cold War focused on
intelligence sources for items published in the National Intelligence Daily (NID), one of America's key intelligence products circulated widely among security
officials in Washington and the worldwide U.S. military chain of command. This survey, conducted during January of 1993, found that osint and overt State
Department humint reporting accounted for the most heavily used sources of information: 525 out of 846 items in the NIDs or 62 percent (see Figure 3). xxi
Clandestinely derived humint from the CIA accounted for 133 items or about 16 percent, with the Defense Attaché system far back at 32 items or about 4
percent. Techint played its role, weighing in above CIA humint - but below osint and State humint - by contributing to 156 items or 18 percent of the total.
According to this survey, CIA humint reporting was particularly helpful in NID coverage of (in order of value): Africa (19 items), Latin America and the Middle East
(tied at 15), weapons proliferation (14), and East Asia (11). Significant humint contributions also appeared in reporting on Europe and Somalia (both 10) and the
Balkans (9), and was least helpful on transnational issues dealing with counternarcotics (4), terrorism (0), human rights (0), and the environment (0). Defense
attaché reporting contributed only modestly across the board, with (in its best performance) seven items on Europe. The most conspicuous contributions in the
survey were chalked up by osint with respect to Eurasia/Russia (65 items), Europe (53), and East Asia (34); by State Department humint with Europe (40) and
Eurasia/Russia (34); and by techint with the Middle East (48). These results are in part a commentary on what topics intelligence consumers and managers may
have wanted to hear about; a political crisis in Portugal would have stimulated more items about that country. Still, the survey results do provide a sense of which
ints contributed to high-priority intelligence targeting in early 1993. [Insert Figure 3 Here] Overlaying the 1993 and the 1994 surveys, the most striking general
conclusion to emerge is that opinions of intelligence consumers on the value of the ints can vary significantly. The 1994 survey found humint particularly
helpful when it came to the broad transnational targets of counterterrorism - even before the Age of Al Qaeda arrived in 1998 with the attacks
on U.S. embassies in Africa - and counternarcotics. Important, as well, in this survey were the humint contributions made toward understanding a traditional
regional target, Europe; but also toward the Near East and South Asia, regions given less attention by the United States during the Cold War. These opinions,
recall, reflected how consumers perceived the value of the various ints. In contrast, the 1993 survey looked at actual items appearing in the NID and traced them
back to their int sources. In this case, humint contributions to counterterrorism and counternarcotics fared less well. Here humint shined against specific
regions of the world - Africa, Latin America, the Middle East - and against weapons proliferation. As a broad generalization, the combined survey
data suggest that clandestinely derived human intelligence has the potential to acquire useful information with respect to the targets listed in Figure 4, which
includes much of the world. Notably missing are Russia/Eurasia and East Asia, as well as humanitarian, environmental, and scientific topics. Humint's
contribution to economic intelligence, though relatively small, was - at one-third in the 1994 survey - not insignificant. These survey results support
the view reached about the same time by John I. Millis, an experienced CIA officer, that humint was unsurpassed as a source of critical
intelligence to the national policymaker.
The most incredible and false claim in the Senate intelligence committee's report on the CIA
interrogation program is that the program was neither necessary nor effective in the
agency's post-9/11 pursuit of al-Qaeda. The report, written by the committee's Democratic
majority and disputed by the Republican minority and the CIA, uses information selectively and distorts
facts to prove its point. I won't try to convince you that the program was the right thing to do -
reasonable people will differ. Nor will I discuss the management of the program, other than to say that
the record clearly shows the agency went to extraordinary lengths to assure it was both legal and
approved and the CIA halted the program when uncertain. What I want to address instead is the
committee's assertion that the intelligence produced by the interrogation program was not
required to stop al-Qaeda terrorists. The Democratic staffers who drafted the report assert the
program contributed nothing important, apparently to bolster a bogus claim that the CIA lied. But let's
look at a few cases: Finding Osama bin Laden. The committee says the most critical
information was acquired outside the interrogation program. Not true. The man who led the
United States to bin Laden, a courier known as Abu Ahmed al-Kuwaiti, was mentioned by
earlier sources but only as one of many associates bin Laden had years before. Detainees in the
CIA interrogation program pushed Kuwaiti to the top of the list and caused the agency to
focus tightly on him. The most specific information about the courier came from a detainee,
Hassan Ghul, who, after interrogation, strengthened the case by telling of a
specific message the courier had delivered for bin Laden to operations chief Abu Faraj
al-Libi. Finally, interrogated senior operatives such as Khalid Sheik Mohammed, who by that
time was enormously cooperative, lied when confronted with what we had learned about the
courier. That was a dramatic tip-off that he was trying to protect bin Laden. The
staffers who prepared the Senate draft do not appear to understand the role in analysis of
accumulating detail, corroboration and levels of confidence in making momentous decisions like the
May 2011 Abbottabad operation that killed bin Laden. Familiarity with this truth is presumably why
former CIA director Leon Panetta, even though he does not support the program, said, "At bottom, we
know we got important, even critical, intelligence from individuals in it." Capturing 9/11
mastermind Khalid Sheik Mohammed. This led to disrupting numerous plots. But
the committee says interrogation of detainees did not play a role in getting him because a
CIA asset (not a terrorist detainee) helped us. This is astounding to those of us involved in
capture operations. In fact, interrogated detainees were essential to connecting the source to
Mohammed. The CIA will not permit me to reveal the operational details - a classic problem for
intelligence officers seeking to defend against outlandish charges. Capturing Southeast
Asian terrorist leader Riduan Isamuddin (Hambali). The committee says
interrogation played no role in bringing down this architect of the 2002 Bali bombings. This
is nonsense. After interrogation, Khalid Sheik Mohammed told us he transferred money to
Hambali via a certain individual to finance attacks in Asia. This triggered a string of captures across
two continents that led us to Hambali in Southeast Asia. Disrupting a second wave plot
on the U.S. West Coast. The committee says a source run by another country mentioned
a plot to use airplanes to strike West Coast targets. But that's all we knew - none of the
details needed to stop it. That information came from detainees, starting with Khalid Sheik
Mohammed, who told us after interrogation that Hambali would replace him in this plot. This
drove our effort to find Hambali. After that capture, Mohammed said Hambali's brother would
take over. We located him and found he had recruited 17 Southeast Asians and was
apparently trying to arrange flight training for them to attack the West Coast. Disrupting
plots to bomb Karachi hotels. The committee says interrogation played no role in heading off
attacks on the Pakistani hotels, where U.S. and other Western visitors stayed. But it leaves out the fact
that detainee Zayn al-Abidin Muhammed Hussein, better known as Abu Zubaida, provided
officers expressing concern via e-mail that they will be ostracized for saying that certain detainees
did not tell us everything. But the staff leaves out the critical context: The CIA officers were actually
discussing their dismay over the agency's decision to cease the interrogation program, causing the
loss of important intelligence information. Many administration and congressional officials ritualistically
say we will never know whether we could have gotten important information another way. This is a
dodge wrapped in political correctness. We could say that about all intelligence successes. We'll
never know, for example, what intelligence is missed when capture is declared too
difficult and terrorists are killed from the air. The point is we did succeed in getting vital
information during a national emergency when time was limited by the great urgency of a clock
ticking on the next plot. Terrorists had just killed thousands of Americans, and we felt a deep
"If you look at all the recent terrorist incidents, the bombs were detected because
of human intelligence not because of screening ... If even a fraction of what is spent on
screening was invested in the intelligence services we would take a real step toward making
air travel safer and more pleasant." Ms Ornstein noted that EU and national-level regulators have entered into an
"arms race" with terrorists in which they are always one step behind. "With every incident that happens, the
regulators ask for more measures, more measures, more measures," she said. "As soon as they heard about this
[the recent plot to load PETN explosives into printer ink cartridges] we got letters from the US and the UK telling us
to take out all the ink cartridges coming through, which means we are fighting yesterday's war because there is no
terrorist in the world who is now going to put PETN into an ink cartridge anyway." The security manager explained
that Schiphol airport is reaching the limits of how much extra security equipment and staff it can put in place due to
physical space and labour market constraints. Security costs have climbed 175 percent in the past five years and
the airport currently employs 4,000 security guards, equivalent to about 1 in 10 of all security guards working in
Amsterdam. Ms Ornstein's concerns were echoed by Kevin Riordan, the UK technical director of private security
company Smiths Detection. "We need to move to dynamic screening - we need to know where you've bought your
ticket, where you've been before, not just what you keep in your bag. We need to move away from devices and
materials to passenger intent. There's all sorts of information available out there and we're not using it," he said.
Speaking on behalf of Contest, the UK home office's security and counter-terrorism bureau, Adam Ogilvie-Smith
noted that the UK is already profiling people who espouse radical ideas as part of its so-called Instinct programme,
but that there are limits to what is acceptable. "It's not about controlling radical opinion. We're not in the game of
controlling people's thoughts - that's not what we're about. You cross the line when you want to become violent," he
said. Schiphol airport's Ms Ornstein also criticised the EU's unilateral decision to begin lifting restrictions on liquids
from April 2011. Under current rules, passengers are not allowed to bring large volumes of liquids on board the
plane even if they have bought them in a duty-free zone in a non-EU airport or on a non-EU airline and carry them
in a sealed transparent bag. From April next year, they will be able to bring them on board in a sealed bag which
will have to be specially scanned in a time-consuming process. "I strongly believe they do not understand the
impact of their decisions at an operational level," Ms Ornstein said. "Under severe pressure from the European
Parliament, they now plan to repeal that regulation. But they do not see whether or not the threat still exists and
they do not realise the extra delays and the confusion that they will cause ... As a normal passenger you will not be
able to understand this. You will not know where and when the material is allowed to be in your luggage." The GSC
event in London is the culmination of a year-long talent-scouting competition for new ideas in the security industry
funded by the US Department of Defence. Two of the winners for 2010 announced on Thursday were Ghanaian firm
mPedigree, which has designed an SMS-based method for detecting counterfeit medicines, and Australian company
iWebGate, which works in the Internet security arena.
HUMINT succeeds
Henley-Putnam 11 (Henley-Putnam University, only accredited online university
solely focused on Strategic Security online degree programs, SIGINT AND HUMINT
ESSENTIAL COMPONENTS OF INTELLIGENCE COLLECTION http://www.henleyputnam.edu/articles/sigint-and-humint.aspx. 2011.)\\mwang
Human intelligence is what is commonly thought of when people think
of the intelligence community. The stereotypical spy's main focus is gathering information
from human sources. They use tactics such as espionage and interrogation. HUMINT is an extremely
important function that is instrumental to infiltrating terrorist organizations and
collecting information on terrorist attacks. The Central Intelligence Agency is responsible for
overseeing the majority of HUMINT operations, although the military is often involved in HUMINT as well. Both
parties make use of two main tactics, gathering intelligence through interrogations and through conversations with
key persons who have access to valuable information. HUMINT sources of information include
diplomats, military attaches, prisoners of war, and espionage. SIGINT and HUMINT Training: Both
signals intelligence and human intelligence require training in specialized skills that are unique to each discipline.
SIGINT involves technical skills including computer science and mathematics, whereas HUMINT involves a lot of
psychological training.
--a2 sq solves
Reason why Humint lower because of other intelligence gathering- Humint Key
Margolis 13
Gabriel Margolis (Conflict Management and Resolution Graduate Program University of North Carolina Wilmington Wilmington,
http://globalsecuritystudies.com/Margolis%20Intelligence%20(ag%20edits).pdf)
The United States has accumulated an unequivocal ability to collect intelligence as a result of the technological advances of the
20th century. Numerous methods of collection have been employed in clandestine operations around the world including those
that focus on human, signals, geospatial, and measurements and signals intelligence. An infatuation with technological methods
of intelligence gathering has developed within many intelligence organizations, often leaving the age old practice of espionage
as an afterthought. As a result of the focus on technical methods, some of the worst intelligence failures of the 20th century can
be attributed to an absence of human intelligence. The 21st century has ushered in advances in technology that have allowed UAVs
to become the ultimate technical intelligence gathering platform; however human intelligence is still being neglected. The
increasing reliance on UAVs will make the United States susceptible to intelligence failures unless human intelligence can be
properly integrated. In the near future UAVs may be able to gather human level intelligence, but it will be a long time before
classical espionage is a thing of the past.
Yemen and Pakistan does not work in Iraq or future hot spots. Without granular intelligence,
drones have no way of distinguishing between combatants and noncombatants. And drone
attacks are only as effective as the intelligence behind them. President Obama has called
radical jihadist groups like ISIS a cancer. But done improperly, chemotherapy can kill the patient faster than
cancer itself. An effective counterterrorism strategy involves a range of financial, law
enforcement, and military tools, but that is not enough. Groups regenerate. Terrorists recruit
new terrorists. Names change, or were never true to begin with. You cannot kill your way to
victory; you must interrogate your way to mission success. Drug Enforcement Agency and
FBI personnel, working alongside Joint Special Operations Command and the CIA should capture and interrogate as
many militants as possible, in a lawful manner. This would allow interrogators to discern the size, nature and
intentions of militant groups with an eye towards destroying them from within.
HUMINT needed now more than ever: enemies are hidden among people
Cosh 08 (Colby Cosh, former politics research writer for Alberta in the 20th Century, Alberta Report, and writer for The National
Post. The Necessity of HUMINT May 30, 2008.)\\mwang
That scary acronym HUMINT is, in truth,
nothing more than mil-speak for any relevant knowledge gathered by an army directly from
human sources. Other types include signals intelligence (SIGINT), obtained by intercepting and decrypting the
enemy's (or someone else's) information transmissions, and imagery intelligence (IMINT), which comes from the
study of photographs taken from the air or space. It is not news that the CF has been trying to
strengthen its HUMINT-gathering capacity for years; indeed, it has been openly recruiting bright,
curious soldiers for the purpose. Most of us now know how important SIGINT was in determining Allied success in
the Second World War; victory in Europe would have been delayed considerably if high-level German cryptographic
traffic hadn't been cracked by the British, who essentially invented the digital computer for the purpose. Yet the
importance of human intelligence can scarcely be overstated, though it is sometimes neglected by
the historians. The invasion of Normandy could not have succeeded without an enormous layer
of resistance-provided HUMINT, covering everything from the quality of glider-landing sites to the
dispositions of Axis forces guarding bridgeheads. (By contrast, better Allied HUMINT might have saved
the failed Market Garden offensive of 1944 by tipping commanders to the presence of two freshly arrived
course, probably isn't the reason the CF intends to burn through $27-million. Much of what Canada's HUMINT
company is probably getting up to has very little to do with "spies" as such. The religious, all-male, communal
nature of the Taliban makes it virtually impossible to infiltrate by means of cash (consider how little publicly known
progress has been yielded by means of the bounties on Osama bin Laden's head) or other inducements. Anyway,
even under ideal conditions, much of the work of a HUMINT agency is sophisticated bookkeeping. Some of the
expense will no doubt go toward providing a credible security cover for installations in the region: The Taliban
cannot be allowed to blind our intelligence apparatus at the cost of one suicide bomber. But a lot of it will be going
toward computers and software. Tips and reports from Afghan civilians opposed to the Taliban must be stored in a
way that makes them available for retrieval, rated for reliability and plausibility and turned into memoranda for the
timely use of soldiers and staff. The toughest task of all is linking multiple fragments of intelligence together so that
they combine into a trustworthy picture of, say, the location of a bomb factory or the date of an attack. Military
software developers have been putting a great deal of effort into applying artificial intelligence to HUMINT
gathering: arming computers with natural-language recognition abilities would help them navigate databases and
put up flags when pieces of evidence point in a common direction. It is absurd to demand a "debate" on
whether a fighting force abroad should have a HUMINT apparatus; it would be exactly like
debating whether it should carry ammunition. And the existence of such an apparatus can only raise
"red flags" in the eyes of a person who has never devoted a moment's thought or study to how armies fight.
HUMINT and CI do not fit one within the other. HUMINT is an intelligence discipline used to collect, process, analyze,
and act on intelligence information, while CI is an intelligence function that may employ any number
of intelligence disciplines, including HUMINT. The relationship is recognized in DoD strategy and doctrine,
protection, center of gravity identification, and timing for offensive or defensive operations, among others),
especially when integrated with intelligence obtained through other disciplines. CI uses various
disciplines for the specific purpose of protecting friendly forces from the intelligence activities of an adversary.
Renowned intelligence expert Mark Lowenthal states on one hand that CI does not fit neatly with HUMINT, but he
goes on to explain the importance of CI techniques such as feeding foreign agents false
information or turning them into double agents to provide information on their employer; these are HUMINT
endeavors.18 Retired CIA Associate Deputy Director for Operations, John McGaffin, notes
that CI in its most aggressive performance includes deep human source penetration of enemy
intelligence services as well as the use of double agents and deception to misinform an
adversary's intelligence services and policy makers; these too are HUMINT actions.19 A
National Counterintelligence Institute report on desired core competencies for CI professionals lists such things as
interviewing and interrogation skills, elicitation, assessing people for targeting, manipulating/influencing/exploiting
people, and managing human sources as key knowledge, skills and abilities; these are also core competencies for
HUMINT professionals.20 HUMINT and CI are not contained one within the other, but they have areas of significant
overlap, including the expertise and training required of the professionals who perform them. HUMINT and CI
have many common characteristics and operate in overlapping spheres, but should not be
mistakenly categorized as the same thing. Although they share several tactical attributes, the ultimate focus of
The CI deliverable is to act on what is known about the adversary's intelligence activities
and manipulate the adversary's understanding of friendly forces. 21 Air Force intelligence doctrine
recognizes the compatibility between HUMINT and CI but does not sufficiently explain the relationship or provide a
construct to ensure the proper synergy and collaboration between them.
agencies used a local contact to replace Hamas bomb-maker Yahya Ayyash's phone with an explosive device which
killed him in 1996. One of the problems with using human intelligence sources is the difficulty in infiltrating a
terrorist organization due to obvious fears of detection and murder of the asset. In one instance, Egyptian security
forces blackmailed their assets in an attempt to assassinate Aymaan al-Zawahiri, the leader of the Egyptian Islamic
Jihad. The plan backfired with Zawahiri surviving and executing his betrayers. Gaining assets in jihadist groups is
particularly difficult owing to their allegiance to a larger community based on faith rather than a solitary-cause
movement. For example, the member of a pan-Islamic jihadist group owes allegiance to the Ummah (Islamic
community) beyond the group. Under these circumstances getting him/her to betray the cause becomes even more
difficult. The fear of being double-crossed by an asset also plays on the minds of his/her handler. A member of a
terrorist group used as an asset by intelligence agencies can cause significant damage because of his/her ability to
play both sides. This was most effectively demonstrated in the case of Humam Khalil Abu Mulal al-Balawi, a
Jordanian doctor, who was recruited by the CIA to infiltrate al Qaeda in Pakistan. Balawi scheduled a meeting with
his CIA handlers in an American base in Afghanistan, and when he arrived he blew himself up, killing seven
Americans. Significantly, the attack killed senior veterans of the CIA, and has been described as a serious blow to
the agency's efforts in the region. The setbacks faced in using human intelligence tools should not come in the way
of expediting their recruitment for intelligence gathering. Human intelligence should not be limited to intelligence
and counter-terrorism agencies, but adopted at the grassroots levels of policing. Cooperative community policing
being adopted worldwide is indicative of this trend. A key element to bolstering the intelligence apparatus should
be developing cooperation between the different security wings. Human intelligence should be shared
quickly and followed up with equal speed, as this could be the game changer in a ticking time bomb
situation. The example of the Nigerian bomber's father, who tried to warn the authorities
about his son before he attempted to bomb a plane bound for the United States, is a case in
point. The need to further develop India's human intelligence capabilities is acutely felt with increasing concerns
of religious extremism gaining momentum in the country. With technical and signals intelligence being boosted in
recent years, the focus of attention should be on human intelligence for the security of the country.
clandestine operations around the world including those that focus on human, signals,
geospatial, and measurements and signals intelligence. An infatuation with technological
methods of intelligence gathering has developed within many intelligence organizations, often
leaving the age old practice of espionage as an afterthought. As a result of the focus on technical
methods, some of the worst intelligence failures of the 20th century can be attributed to an
absence of human intelligence. The 21st century has ushered in advances in technology that have
allowed UAVs to become the ultimate technical intelligence gathering platform; however
human intelligence is still being neglected. The increasing reliance on UAVs will make
the United States susceptible to intelligence failures unless human intelligence
can be properly integrated. In the near future UAVs may be able to gather human level intelligence, but
it will be a long time before classical espionage is a thing of the past.
White House, U.S. drones have killed an estimated 3,300 al Qaeda, Taliban, and other
jihadist operatives in Pakistan and Yemen. That number includes over 50 senior leaders of al
Qaeda and the Taliban - top figures who are not easily replaced. In 2010, Osama bin Laden[s] warned his
chief aide, Atiyah Abd al-Rahman, who was later killed by a drone strike in the Waziristan region of
Pakistan in 2011, that when experienced leaders are eliminated, the result is the rise
of lower leaders who are not as experienced as the former leaders and who are prone to errors
and miscalculations. And drones also hurt terrorist organizations when they eliminate
operatives who are lower down on the food chain but who boast special skills: passport forgers, bomb
makers, recruiters, and fundraisers. Drones have also undercut terrorists' ability to
communicate and to train new recruits. In order to avoid attracting drones, al Qaeda and
Taliban operatives try to avoid using electronic devices or gathering in large numbers. A tip sheet found
among jihadists in Mali advised militants to maintain complete silence of all wireless
contacts and avoid gathering in open areas. Leaders, however, cannot give orders when they are
incommunicado, and training on a large scale is nearly impossible when a drone strike could
wipe out an entire group of new recruits. Drones have turned al Qaeda's command and training structures
into a liability, p to choose between having no leaders and risking dead leaders. Critics of drone strikes often
fail to take into account the fact that the alternatives are either too risky or unrealistic. To be
sure, in an ideal world, militants would be captured alive, allowing authorities to question them and
search their compounds for useful information. Raids, arrests, and interrogations can produce vital
intelligence and can be less controversial than lethal operations. That is why they should be, and
indeed already are, used in stable countries where the United States enjoys the support of the host
government. But in war zones or unstable countries, such as Pakistan, Yemen, and Somalia, arresting militants is
highly dangerous and, even if successful, often inefficient. In those three countries, the government exerts little or
no control over remote areas, which means that it is highly dangerous to go after militants hiding out there. Worse
yet, in Pakistan and Yemen, the governments have at times cooperated with militants. If the United States regularly
sent in special operations forces to hunt down terrorists there, sympathetic officials could easily tip off the jihadists,
likely leading to firefights, U.S. casualties, and possibly the deaths of the suspects and innocent civilians.
Many observers believe that intelligence required for the campaign against terrorism will
require significant changes in the human intelligence (humint) collection effort. The CIA's
Operations Directorate is responsible for the bulk of humint collection although the Defense Humint Service (DHS)
within DOD is a smaller entity more directly focused on military-related issues. Overall budget requirements
for humint are dwarfed by the major investment required for satellites and signals
intelligence collection. Humint, however, undoubtedly can be dangerous for those involved and it is, of
course, for many in the media and the general public the core intelligence discipline.11 Both the
emphasis on humint and on the exchange of data between intelligence and law enforcement
agencies will influence the evolution of the U.S. Intelligence Community in the
coming decade. These two efforts will not in themselves have major budgetary implications - humint is
both difficult and dangerous, but not necessarily expensive - and information exchanges between
agencies ordinarily involve only information technology costs. Placing priorities on these two aspects of the
intelligence effort will almost inevitably detract from other missions and disciplines. In the view of many observers
there may be a tendency to give less emphasis to traditional intelligence collection and analysis regarding foreign
political, economic, and military developments. Whereas to some extent intelligence analysts experienced in
looking at foreign policy, economic, and defense issues can shift from one country to another, it may be more
difficult for an analyst to turn from issues of diplomacy, economics, and warfare to the study of obscure terrorist
groups that may be involved in religious indoctrination or various criminal fund-raising activities.
(DHMO) to support HUMINT operators in the field. Much of this support includes tapping conventional and
nontraditional sources for technologies that aid HUMINT collection, processing and dissemination. Drew Bewick is
the chief of technology tradecraft at the DHMO. Bewick's office represents the HUMINT elements in the military
services, the combatant commands and the Defense Intelligence Agency (DIA). He is tasked with finding new
HUMINT technologies and capabilities and speeding them to the field in the war on terrorism. "To win this war
on terrorism and to find people, HUMINT is first among equals," Bewick declares. The DHMO has
four organizational pillars: plans and policies; operations and assessments; training, including training standards
and career paths; and technology tradecraft. For its activities, the office has two focus areas. One is to develop key
technologies that enable the department to penetrate difficult targets. The other is to integrate HUMINT data
into the joint and coalition intelligence, surveillance and reconnaissance (ISR) picture. This
requires correlating HUMINT data with that of signals intelligence (SIGINT),
intelligence specialists can analyse it, fuse it with other information from other data sources and produce the intelligence which is
then used to inform military and civilian decision-makers, particularly for the planning and conduct of operations. While all countries
have their own sources and methods for the production of intelligence, it is not always easy for them to share their intelligence with Allies. Sometimes this is due
to security concerns, sometimes to internal procedural requirements, and sometimes to technological constraints. The objective of NATO Joint ISR is to
champion the concept of need to share over the concept of need to know. This does not mean that all Allies will automatically share everything, but rather that
NATO can facilitate the procedures and technology to promote sharing while simultaneously providing information assurance (i.e., the protection of data and
networks). This way, Allies can have a holistic picture of whatever crisis is occurring and NATO decision-makers can make well-informed, timely and accurate
decisions.
What could the public have learned about the alleged missile sale from open sources on the newsstands? First, the reader could have acquired basic information
about the M-11's specifications. Thirty-one feet in length, the missile had the capacity to carry a payload of 1,750 pounds over a range of 175-185 miles. It was
considered more accurate and easier to launch rapidly, as well as faster and more elusive in flight, than the Soviet-designed Scud missiles used by Iraq during
the first Persian Gulf War. Further, the reader could have found in the newspapers a fairly detailed time line for this issue, from 1983 when the Chinese gave
Pakistan the design of a tested nuclear weapon and enough weapons-grade uranium to build two nuclear bombs to 1995 when the CIA concluded that
China had delivered M-11 missile parts to Pakistan - an allegation denied by the governments in Beijing and Islamabad. The public sources of
information on the missile controversy also provided in-depth analysis about U.S.-Chinese and U.S.-Pakistani relations, and why Washington was reluctant to
charge openly either government of duplicity and violations of international agreements prohibiting the proliferation of weapons of mass destruction (WMDs). The
United States sought good relations with both nations, especially the powerful China - the fastest growing market for American goods. Moreover, noted some
public commentators, the Chinese may have failed to understand that the M-11 missile did in fact violate accords that banned the sale of medium-range
missiles; the United States defined this category of weapons to include those with a 160-mile range, while the Chinese definition was 625 miles. Other
commentators, though, were more skeptical, accusing the Chinese of violating accords with impunity only to feign great offense whenever anyone complained. In
a word, the public record on this topic was rich during the years from 1989-1995. Readers could take away an extensive understanding of the dispute, although
the record remained cloudy on the central point of contention: had the Chinese actually sold M-11 missiles to Pakistan? To what extent did intelligence reports
chase away these clouds? This was Aspin's research question for me. The declassified analyses provided to the Aspin-Brown Commission by the CIA provided
some valuable additional information, including these key points: the CIA time line was much more detailed in its coverage of key Chinese-Pakistani
interactions related to weapons sales; while less than definitive, imint, sigint, and masint provided significant clues about the likelihood that the sale had been
consummated: records on Pakistani payments for missile components delivered by Chinese freighters; suspicious cargo being unloaded in large boxes from
Chinese vessels in the Pakistani port of Karachi; missile launchers spotted on Chinese trains headed for export ports; photographs of the Sargodha Missile
Complex in Pakistan revealed cylindrical objects on the ground - again, not conclusively identified as M-11 missiles, but strongly suspected as such. Thus, the
circumstantial evidence gathered by U.S. intelligence agencies summed to an even more compelling case than the already persuasive evidence in the
newspapers that the missile deal had gone forward. Much of this covert evidence came from techint, but some humint observations were part of the
data mix - most notably related to port activity in China and Pakistan. While no actual, intact M-11 missiles in Pakistan were ever
observed by a human asset or a spy machine, a combination of the two ints gave Washington officials a much stronger empirical basis to confront officials in
Beijing and Islamabad on the issue through diplomatic channels than would have newspaper reports alone. Both the public and the intelligence record suffered
from many ambiguities; but at least the clandestine sources - especially spy machines in this instance - carried the behind-the-scenes debate beyond the
boundaries of speculation and more into the realm of credible, if still circumstantial, evidence. This gave Washington added leverage in ongoing trade and arms-control negotiations with both powers. Other Qualitative Indicators. While humint played only a secondary role in understanding Aum Shinrikyo
and the Chinese sale of M-11 missiles, in a number of other instances since the end of the Cold War its influence has been strongly felt in
high office, according to my interviews with intelligence and policy officials in Washington from 1992-1998. In 1994, for example, the U.S. Treasury
Department relied heavily on CIA humint reporting in its successful resolution of the Mexican peso crisis in 1994. Almost 600 humint
reports out of Mexico City tracked the deteriorating financial situation and the declining state-led petroleum industry. CIA assets
accurately communicated the likely decreases in Mexico's foreign exchange reserves, its continuing capital flight, a bulge in the short-term debt coming due, and
the probability that Mexico would soon become a net petroleum importer. Humint reports also provided a useful check on the accuracy of
information being released by the Mexican Finance Ministry, which was inclined to manipulate public fiscal data - especially on the amount of oil revenues
available to the government of Mexico to collateralize U.S. loans. Moreover, negotiations with Tokyo over automobile trade imbalances that favored
the Japanese from 1980-1998 depended on a steady flow of humint (and sigint) reporting. So did questions of tactical military risks and
opportunities in the Balkans, along with bomb-damage assessments from that battlefield during the 1990s. Humint assets secured photography of sites
where human rights atrocities had been committed, including the location of mass graves (further verified by satellite imint) - humint in the service of
human rights. Chemical-biological (C-B) weapons production in Russia has also depended on human assets, along with some use of
masint, to report on whether a factory was manufacturing microchips, pharmaceuticals, or C-B weaponry. A Soviet defector offered up startling insights
into Russian production of smallpox, plague, and anthrax in a form for delivery by ICBMs. In each of these instances, humint assets have on
occasion given the United States information to assist its security objectives that was unavailable through other sources.
--add-on china
Human counterintelligence key to prevent China region conflict
Assam Tribune, 12 (Assam Tribune, Guwahati. Local, regional, national, and
international news, in India. English daily newspaper published from Guwahati and
Dibrugarh, Assam. It is the highest circulated English daily in North-East India.
Clandestine defence assets. June 11, 2012.)\\mwang
Guwahati, June 11 -- Offensive techniques in current counter-intelligence doctrine are
principally directed against human sources. It follows that counter-espionage will entail
offensive counter-intelligence, for instance when FBI personnel are embedded with troops
located in war zone. The FBI looks after internal intelligence even as the CIA is concerned
with external intelligence. Rather than battlefield intelligence and tactical support for the
warfighter that have been the brief for intelligence agencies, the Pentagon has constituted a
new intelligence organisation called 'Defence Clandestine Service' (DCS). The focus of DCS
will be on significant facets of 'national intelligence' even as the Pentagon has not been too
specific on the kind of intelligence that may not necessarily be confined to the battlefield.
Intelligence priorities of the United States in recent years have included counter-terrorism on
a global scale with special reference to the Middle East, Asia and Africa. Non-proliferation
issues linked mainly, but not exclusively, to North Korea and Iran, along with the rise in
power and influence of China on a global scale. The US Secretary of State Hillary Clinton has
been critical of the growing military power of China and its increasing assertiveness over
the North China Sea. Under-Secretary of Defence for Intelligence Michael Vickers is better
known as one among others who orchestrated CIA's programme to arm Islamist militants so
as to trigger the ouster of the Soviets from Afghanistan in the 1980s. A former member of US
Special Operations Forces, Vickers has been centred on transforming human intelligence
(HUMINT) into an asset for the world's only superpower. If the US could have had a spy in
the inner circle of former Iraqi President Saddam Hussein, global history would have perhaps
been different. The US Army Command and General Staff are now saddled with the task of
manipulating human sources intelligence into an agency that's proactive, and not entrusted
with the logistics of the war zone or a special force operation that calls for transfer of
personnel from one end of the world to other in a matter of hours, win the war in about a
fortnight and be ready to deploy more than half the world away in 20-30 days to win another
war. The basic objective of the Defence Clandestine Service is meant to complement efforts
of the 19 other intelligence agencies. The objective is to translate the US' clandestine
agency into a springboard for reinforcement of US foreign policy. Military organisations can
do HUMINT that is directly related to their mission, such as local informants in a
peacekeeping or occupation assignment. If a military unit obtains a HUMINT asset of
national interest, the National Clandestine Service (NCS) should oversee it. There may be
special cases where they may run assets directly related to operations. The only rider is that
the CIA would have to be kept in the picture. The recent Pentagon China-phobia policy, its
containment of China, the emergence of new military intelligence agency and the US
hegemonic design in South- and South-East Asia have become a hot debate in electronic
and print media in Europe. The increasing Chinese influence in Pakistan, Afghanistan and Central Asia and
its capture of European and African market together with the aggrandisement of Russian
economy and military industry have caused an unending torment for the United States.
Pentagon authorities didn't sleep a wink since the commencement of recent joint Russia-China naval exercise in the Yellow Sea between the east coast of mainland China and the
Korean Peninsula and their stance on the Arab Spring. Offensive techniques in current
counter-intelligence doctrine are principally directed against human sources. It follows
that counter-espionage will entail offensive counter-intelligence, for instance when
FBI personnel are embedded with troops located in war zone. FBI looks after internal
intelligence even as the CIA is concerned with external intelligence. The core of exploitation
operations is to degrade the muscle power of an enemy nation or terrorists, militants,
insurgents and guerrilla organisations. There has to be knowledge about the target nation's
intelligence service or a terrorist organisation's. Offensive counter-espionage and counterterrorism is done either by manipulating the adversary in some manner or by disrupting the
adversary's normal operations. Counter-HUMINT deals with both the detection of hostile
HUMINT sources within an organisation, or the detection of individuals likely to become
hostile HUMINT sources in terms of a double agent or spy. There is an additional category
relevant to the broad spectrum of counter-intelligence, and that's when one becomes a
terrorist from being a freedom fighter. 'It's essentially designed to integrate defence
intelligence capabilities with the broader intelligence community by leveraging unique
military capabilities,' said Deputy Assistant Secretary of Defence for Media Operations Navy
Capt John Kirby. He said the new service will inherit 'existing capabilities and personnel to
better concentrate on this kind of intelligence'. About 15 per cent of the DIA's case officers
will be part of the Defence Clandestine Service, The Washington Post wrote. New, more
clearly delineated career paths will give DIA case officers better leverage to continue their
espionage in foreign nations.
to
uproar across the Atlantic, current and former U.S. intelligence officials and government
leaders have argued that, when it comes to spying on allies, the U.S. isn't alone.
"It's well known that our allies do spy on
us," said Juan Zarate, a former deputy national security adviser for combating terrorism under President George
W. Bush and a senior national security analyst for CBS News. "Our allies are out to understand what we
know and use it to their advantage." European leaders, he said, may be throwing stones
from their proverbial glass houses. "They should check in with their own intelligence
services before beginning to critique anything the U.S. does," Zarate said.
According to CBS News senior correspondent John Miller, who formerly
worked at Office of the Director of National Intelligence, the practice is widespread. "Pragmatically, even the
countries that are reared up in righteous indignation know, on one level or another, they do
the same thing," Miller said. "Without getting into which countries do what to which other countries, most
people would be surprised if they saw the list of countries. Close military, economic and
political allies of the United States conduct regular intelligence collection operations against
the U.S. overseas and in some cases even on U.S. soil." Other former and current officials have made similar
points after Germany's Der Spiegel's magazine and Britain's The Guardian newspaper published reports Sunday
based on documents leaked by former National Security Agency contractor Edward Snowden detailing the NSA's
surveillance of U.S. allies and their diplomatic missions.
Retired Gen. Michael Hayden, a former NSA director, said on CBS' "Face the Nation" Sunday that
angry Europeans should look at what their own governments are doing. U.S. Secretary of State John Kerry said
"every country in world" spies. And on Monday, President Obama echoed the every-one-does-it
argument. But the outrage in Europe is justified, said James Bamford, who's written multiple books on the NSA,
because of the disproportionate scale of American surveillance activities compared to those of U.S. allies. Countries
spy, yes. But not like the U.S. "It's not the fact that allies spy on each other. It's the extent of the spying," said
Bamford. "The United States spies with the equivalent of a nuclear weapon. And they spy with something more like
a rifle." Many of the major offices for telephone and Internet companies are based in the United States, and,
Bamford argued, the U.S. government can therefore apply pressure to those companies in a way European
countries can't. "Belgium can't go to Yahoo and say, 'Give us all this information,'" he said.
In his defense of U.S. surveillance
activities Monday, Mr. Obama quipped, "I guarantee you that in European capitals there are
people who are interested in, if not what I had for breakfast, at least what my talking points
might be should I end up meeting with their leaders." Responding to that quote, Bamford said
Europeans would rightfully find the comment insulting, given, he said, that the NSA spied not just on foreign
government officials but on foreign citizens as well. "What the president of the United States has for breakfast
might be of interest to the intelligence service of some foreign government," Bamford said. "But what an average
European citizen has for breakfast shouldn't be of interest to the American government." But foreign citizens
shouldn't expect the same privacy protection from the U.S. government as American citizens, Hayden said on "Face
the Nation." "Our Fourth Amendment, which protects Americans' privacy, is not an international treaty," Hayden
said. Zarate warned that there are questions about Snowden's credibility and "no hard conclusions" from what he
revealed. "People," he said, "need to take a deep breath here."
Alt causes: U.S. will always spy on its allies for competition
Fisher 13 (Max Fisher, writer at the Washington Post, former writer for
the Atlantic. Why America spies on its allies (and probably should).
<https://www.washingtonpost.com/blogs/worldviews/wp/2013/10/29/whyamerica-spies-on-its-allies-and-probably-should> October 29 2013)
\\mwang
A week now after the initial revelation that the United States may have monitored the cellphone of German
Chancellor Angela Merkel, there's little doubt that the story has been damaging for this country and for the National
Security Agency, which earned the wrath of even longtime defender Sen. Dianne Feinstein, who oversees it as the
Senate Intelligence Committee chair. At the same time, though, the initial anger appears to be giving way to
debate: Is it, in fact, a bad idea for the United States to spy on friendly foreign leaders such as
Merkel? That question might sound counterintuitive, even cynical, a sign of the depth of Americans' hubris that
we would even consider it. After all, friends don't spy on each other, right? But I'm going to let you in on a little
secret: The international system is, and always has been, inherently adversarial,
even among allies. To paraphrase the 19th-century British statesman Lord Palmerston, countries don't
have friends, they have interests. Spying on friendly foreign nations does not actually violate
the standard practices of international relations and in many ways is consistent with those
norms. The close U.S. allies France and Israel are particularly known for it. Still, something as
explicit as tapping Merkel's cellphone is a big and legitimately surprising step, one that may well go too far. Here is
an evaluation of the pros and cons involved that may help clarify why the United States would decide to take such a
step. The simplest case for spying might be that the United States and Germany, despite being
allies, still compete with one another, sometimes on quite substantive issues. If spying can
give them a leg up on those issues, then aren't their leaders obligated to sanction it?
President Obama's job, after all, is to further American interests, Merkel's to further German interests.
Those conflict more than you might think; when they do, both leaders are potentially better served if they spy on
the other. In 2011, for example, Obama wanted to intervene in Libya, but Merkel did not and could have used her
substantial influence in Europe to reduce NATO's participation. Ultimately, Germany was alone among Western
nations in opposing the U.N. resolution on Libya and nearly alone in not providing military resources for the
intervention. Merkel ended up coming under political pressure at home for the move. Washington and Berlin have
also clashed over how to manage the euro-zone crisis, the resolution and progress of which have far-reaching
implications for the German and U.S. economies. If dropping in on Merkel's phone calls can help the United States
safeguard its economic and national security interests, that would seem to be a strong argument for doing so. The
case may be even starker with France, another major target of recently revealed NSA spying whose
leaders have expressed official outrage at the surveillance. It's easy to forget today that in the 1960s,
France made several provocative breaks with the American ally that had liberated its capital
just two decades earlier. President Charles de Gaulle refused to cooperate on nuclear
weapons with the United States, announcing a nuclear strategy of "defense in all directions" that was
apparently intended to imply his willingness to use them against the Americans. He vetoed Britain's entry into the
European economic partnership that later developed into the European Union, which the United States had
supported. According to historian John Lewis Gaddis, de Gaulle even tried to persuade the leader of West Germany
to loosen his ties with NATO, which would have seriously undermined the U.S.-led coalition and could have changed
the course of the Cold War. Surely those were phone calls the United States would have been well-served by
monitoring.
ADV IHRL
1ac ihrl
Encryption is a human right under international law; reforming surveillance in this context is key
Nyst 15, (Carly, Legal Director at Privacy International, TWO YEARS AFTER SNOWDEN, GOVERNMENTS RESIST CALLS
TO END MASS SURVEILLANCE, https://www.privacyinternational.org/?q=node/592, AL)
Governments must accept they have lost the debate over the legitimacy of mass surveillance and reform their oversight of
intelligence gathering, Privacy International and Amnesty International said today in a briefing published two years after Edward Snowden blew the lid on
US and UK intelligence agencies' international spying network. "The balance of power is beginning to shift," said Edward Snowden in an article published today
in newspapers around the world. "With each court victory, with every change in law, we demonstrate facts are more convincing than fear." The briefing, Two years
after Snowden: Protecting human rights in an age of mass surveillance, warns that governments are looking to maintain and expand mass surveillance, despite
the practice being condemned as a human rights violation by courts, parliaments and human rights bodies. It comes on the heels of the adoption of the USA
Freedom Act by the US Congress this week, a solitary and limited example of legislative rollback of surveillance powers since Snowden's revelations began.
"Thanks to Edward Snowden, millions of ordinary people are now aware that not even their most intimate secrets are safe from government snooping. National
and international expert bodies could not have spoken more clearly: the indiscriminate mass surveillance of communications is a violation of human rights. The
game is up and the time has come for governments to reform their indiscriminate mass surveillance programmes," said Carly Nyst, Legal Director at Privacy
International. "It is disappointing that governments have not accepted that mass surveillance violates human rights. While the passage in
Congress of the USA Freedom Act shows that it is possible to roll back surveillance, the prospect of more intrusive spying powers in France and the UK shows
that governments' appetite for ever more information on our private lives is unsated," said Sherif Elsayed-Ali, Deputy Director of Global Issues at Amnesty
International. Governments defy public opinion by expanding surveillance During the past two years, mass surveillance has been condemned as
excessive and a violation of human rights by courts, parliamentary enquiries and legal and technology experts appointed by
governments and international institutions such as the Council of Europe and the United Nations. The briefing warns that, in defiance of
global condemnation, UK and US spying programmes remain shrouded in secrecy, while several other governments are seeking new surveillance powers of their
own. Denmark, Finland, France, the Netherlands, Pakistan and Switzerland are discussing or set to present new intelligence bills that will increase their ability to
spy on communications in these countries and beyond. Just this week, the French Senate voted on a new bill that would grant the authorities vastly increased
surveillance powers. The briefing also warns that technological advances will make surveillance technology cheaper, more powerful and more widespread. Much
of the capability currently available only to US and UK intelligence agencies will likely be available to many more countries in future. Seven-point plan for
protecting human rights in the digital age Amnesty International and Privacy International today presented a seven-point plan calling on governments to introduce
checks and balances on the use of surveillance, including proper judicial control and parliamentary oversight. The rights groups want communications
surveillance to be reeled in within the bounds of international human rights law, which means it only happens when it is: Targeted,
based on sufficient evidence of wrongdoing, and is authorized by a strictly independent authority, such as a judge, Overseen by
transparent and independent parliamentary and judicial processes, Governed by publicly available and sufficiently detailed rules
and policies. The rights groups are also calling on powerful internet and telecoms companies to do more to protect the internet and phone communications of
billions of people from invasive surveillance and criminal attacks. Companies should invest in new and better encryption and other privacy
technologies for securing and anonymizing data, and inform users when the law may oblige them to hand their data over to governments. "Tech
companies must do much more to protect their users' privacy and freedom of expression online. While some big firms like Apple and Google have started
adopting stronger encryption standards, others are lagging behind. Tech companies need to introduce end-to-end encryption in their
services by default, whenever possible," said Sherif Elsayed-Ali. "The legitimacy of collecting communications in bulk is no longer up for
debate - it is a violation of human rights and international law. Mass surveillance must be dismantled and replaced by
targeted, accountable measures that respect human rights," said Carly Nyst. ANNEX Amnesty International and Privacy International's seven-point
plan for protecting human rights in the digital age Legal and policy reform: 1. National laws should be reformed to ensure that they comply with
international human rights law and standards, including by not allowing for indiscriminate mass surveillance. Key principles that must
be upheld include: a. Ensuring that surveillance of communications only happens when it is targeted, based on sufficient evidence of wrongdoing, and authorised
by a strictly independent authority, such as a judge; b. Ensuring there is transparent and independent parliamentary and judicial oversight of surveillance powers;
c. Making rules and policies about surveillance publicly available, including how governments are sharing information with other states; d. Ensuring equal privacy
protections apply for nationals and non-nationals, those within the territory of the state, and those outside it. e. Intelligence sharing should be strictly regulated
and conducted in a manner compliant with states' human rights obligations; 2. Governments should not make encryption and anonymization technologies, or their
use, illegal; 3. Whistleblowers, including those working on national security issues, should be afforded strong legal protection from any form of retaliation,
including by way of prosecution, for having disclosed public interest information such as on human rights violations. Corporate due diligence In line with
companies' responsibility to respect human rights: 4. Companies that own and/or operate telecommunications or internet infrastructure, including undersea
telecommunications cables, and internet companies, must ensure that access to data is permitted only when it conforms to international law and standards on
human rights, including by taking legal action to challenge government requests that seek bulk/wholesale access to communications traffic; 5. Major internet
and telecommunications companies should lead the way in using strong encryption and other privacy technologies, including
through implementing end-to-end encryption by default, where possible; 6. Internet service providers, telecommunications companies and internet companies
should clearly inform users about legal requirements that they have to comply with, particularly in relation to handing over user information or content.
International standards 7. Further explore and develop means and measures needed to ensure better implementation of the
international human rights standards applicable to communications surveillance, building on efforts towards identifying relevant elements that
have started in the past two years, including reports by the UN Special Rapporteur on Freedom of Expression, the UN High Commissioner of Human Rights, the
Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, as well as civil society initiatives such
as the Necessary and Proportionate Principles.
Legal restrictions and informal obstacles impede the use of encryption and limit anonymous speech online across the four countries examined
in a variety of ways. Legal restrictions on encryption include general bans on the personal use of encryption, as well as more targeted measures, such as the
ability of state authorities to require individuals to decrypt information. The widespread perception that encrypting communications is technically
difficult or an unnecessary burden is among the informal obstacles to personal use of encryption. Meanwhile, online anonymity is hindered by
real name registration laws, which require people to use their real names to register for certain websites, and bans on anonymity tools. Informal obstacles
include websites requiring identity verification as a matter of corporate policy; additionally, lack of trust in the internet as a safe space to
communicate and fear of surveillance can diminish confidence that online anonymity is possible. There are opportunities for governments,
the corporate sector, and civil society to eliminate or minimise obstacles to personal use of encryption and online anonymity. Governments should
implement or reform laws and practices to promote rather than restrict encryption and guarantee anonymous speech online. While the right
to privacy and the right to freedom of expression are not absolute, restrictions must conform with the requirements of international
human rights law. The corporate sector is also in a position to respect rights by promoting practices and developing products that preserve users' rights
online. Finally, civil society groups should start using and actively promoting encryption and anonymity tools, as well as drawing attention to their relationship
with human rights. Foreword Why We Encrypt Encryption protects our data. It protects our data when it's sitting on our computers and in data centres, and it
protects it when it's being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our
anonymity. And sometimes, it protects our lives. This protection is important for everyone. It's easy to see how encryption protects journalists,
human rights defenders, and political activists in authoritarian countries. But encryption protects the rest of us as well. It protects our data from
criminals. It protects it from competitors, neighbours, and family members. It protects it from malicious attackers, and it protects it from accidents. Encryption
works best if it's ubiquitous and automatic. The two forms of encryption you use most often - https URLs on your browser, and the handset-to-tower link for your
cell phone calls - work so well because you don't even know they're there. Encryption should be enabled for everything by default, not a feature you turn on only
if you're doing something you consider worth protecting. This is important. If we only use encryption when we're working with important data, then encryption
signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses
it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the
dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive. It's important to remember
that encryption doesn't magically convey security. There are many ways to get encryption wrong, and we regularly see them in the headlines. Encryption doesn't
protect your computer or phone from being hacked, and it can't protect metadata, such as e-mail addresses that needs to be unencrypted so your mail can be
delivered. But encryption is the most important privacy-preserving technology we have, and one that is uniquely suited to protect against bulk
surveillance - the kind done by governments looking to control their populations and criminals looking for vulnerable victims. By forcing both to target their
attacks against individuals, we protect society. Today, we are seeing government pushback against encryption.
Many countries, from States like China and Russia to more democratic governments like the United States and the United Kingdom, are either
talking about or implementing policies that limit strong encryption. This is dangerous, because it's technically impossible, and the attempt will
cause incredible damage to the security of the Internet. There are two morals to all of this. One, we should push companies to offer
encryption to everyone, by default. And two, we should resist demands from governments to weaken encryption. Any weakening, even in
the name of legitimate law enforcement, puts us all at risk. Even though criminals benefit from strong encryption, we're all much more secure when we all have
strong encryption.
Melish 9, (Tara J., Visiting Professor at Notre Dame School of Law, From Paradox to subsidiary: United States and Human
Rights Treaty Bodies, http://www.yale.edu/yjil/files_PDFs/vol34/Melish.pdf, AL)
Institutionalists, on the other hand, see greater instrumental utility in engaging actively with both international institutions and global
norms - including human rights norms. While they, too, believe that states act exclusively in accordance with their instrumental interests, they see
these interests as being increasingly interwoven with participation in international cooperative, peacebuilding, and dispute-resolution institutions. U.S.
engagement with international institutions thus constitutes for institutionalists an important and instrumental foreign policy tool for
promoting and defending U.S. interests abroad, while conferring key reputational benefits, ever more salient in global politics,
particularly in the international human rights field. While realists dominated U.S. human rights policy during the Cold War, and remain highly
influential in the foreign policy establishment today, institutionalists have gained increasing prominence over the last two decades with the dramatic proliferation
of international institutions and rapid expansion of the international human rights architecture. Within this context, the push-pull dynamic over U.S. human rights
policy as a foreign policy objective has shifted determinatively toward institutionalists. For this group, human rights treaty body engagement serves
two primary strategic foreign policy goals today: first, renewal of U.S. moral leadership in multilateral settings and, second,
promotion of human rights and democratic reforms in other countries. Both are directed to furthering national security and global
public order objectives, independent of any domestic policy implication. First, institutionalists appreciate that the international
standing of U.S. diplomats and their ability to lead in international processes of global dispute resolution are compromised by the
nation's failure to ratify core human rights treaties and engage in their supervisory procedures. This failure, which has left the
nation increasingly in the company of rogue or failed states, renders it out of step with its democratic partners and subjects it
to charges of hypocrisy by less democratic nations where the United States seeks human rights improvements or security
safeguards. On a practical level, this impairs the United States's ability to accomplish its national security and other global
security priorities within multilateral settings, at times making disagreement with the United States a principled human rights
stand in itself.
Brimmer 14, (Esther, Assistant secretary for the bureau of International Organization affairs at the United States Department
of State, Smart Power and Multilateral Diplomacy, June,
http://transatlantic.sais-jhu.edu/publications/books/Smarter%20Power/Chapter%204%20brimmer.pdf, AL)
Over the subsequent decade, the variable definitions of Smart Power have evolved to reflect a rapidly changing foreign affairs
landscape - a landscape shaped increasingly by transnational issues and what can only be described as truly global challenges. Nations of the world must now calibrate their
foreign policy investments to try to leverage new opportunities while protecting their interests from emerging
vulnerabilities. Smart Power is no longer an alternative path; it is a four-lane imperative. From terrorism to nuclear proliferation, climate
change to pandemic disease, transnational crime to cyber attacks, violations of fundamental human rights to natural
disasters, today's most urgent security challenges pay no heed to state borders. Ultimately, the other component necessary in today's
Smart Power alchemy is robust, focused, and sustained international cooperation. In effect, in an increasing number of instances, Smart Power must now feature
shared power, and in that context foreign policy choices must follow two related but distinct axes. First, those policy choices must strengthen a state's overall
stature and influence (rather than diminish it), leaving the state undertaking the action in a position of equal or greater global standing. This is easier said than
done. The proliferation in challenges facing all states has created a need for multiple, simultaneous diplomatic transactions among a broadening cast of actors.
Given the nature of today's threats facing states both large and small, those transactions have never been more frequent and at times overlapping - a reality that
requires new agility and synchronization within foreign policy hierarchies. States that are less capable of responding to this new reality may experience
diminished political capital and international standing by acting on contemporary threats in isolation or without a full appreciation of the reigning international
sentiment. Many observers have highlighted U.S. decision-making in advance of the 2003 Iraq invasion as indicative of just this phenomenon. So, just as
global power is more diffuse, so too are the opposing threats and challenges, and it is in this new reality that the United States must define and employ
its Smart Power resources. It has
become increasingly clear that effective multilateral diplomacy can create the conditions for an international response to a global
challenge or threat that is greater than the sum of its national parts, and that contributes to the effective resolution of both the
instant challenge and future ones.
companies, cryptologists, and rights groups said mandatory backdoors, which many authorities in the US government and
abroad have been calling for, would weaken cybersecurity as well as "undermine human rights." More than undermining every
American's cybersecurity and the nation's economic security, introducing new vulnerabilities to weaken encrypted products in the
US would also undermine human rights and information security around the globe. If American companies maintain the ability to unlock
their customers' data and devices on request, governments other than the United States will demand the same access, and will also be emboldened to demand
the same capability from their native companies. The US government, having made the same demands, will have little room to object. The result will be an
information environment riddled with vulnerabilities that could be exploited by even the most repressive or dangerous regimes.
That's not a future that the American people or the people of the world deserve.
"States should avoid all measures that weaken the security that individuals may enjoy
online, such as backdoors, weak encryption standards and key escrows," it adds. A key escrow is
when a third party holds onto an encryption key, the information needed to decrypt data. The report even called on Congress to
consider the Secure Data Act, a bill that would ban the government from forcing companies to build backdoors into their encryption.
The FBI and National Security Agency (NSA) have been battling technologists, Silicon Valley, and a vocal contingent of lawmakers
over encryption standards. Federal officials argue companies should have a method to decrypt data if it's needed for a criminal or
national security investigation. Companies counter that such a decryption method would create inherently vulnerable encryption. "I
certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we
shouldn't allow any means for the government to access information," NSA Director Adm. Michael Rogers said during a speech in
Estonia on Wednesday, according to reports. "I would argue that's not in the nation's best long term interest, that we've got to create
some structure that should enable us to do that, mindful that it has to be done in a legal way and mindful that it shouldn't be
something arbitrary," he continued. The U.N. report, while decrying backdoors, does give some credence to the concept of court-ordered decryption. Court-ordered
use for criminal purposes in times of terrorism, rather than their role in promoting secure, private and free communications,
facilitating the realisation of rights to expression, opinion and privacy. Mr Kaye observes that encryption and anonymity, separately or
together, assist in shielding opinions from outside scrutiny (particularly important in hostile environments), empower individuals to
circumvent censorship and other unlawful barriers to the free flow of information, and shield journalists, researchers, lawyers and
civil society from unlawful surveillance and harassment. In this regard, encryption and anonymity provide individuals and groups with a zone of
privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks, Mr Kaye concludes. Affirming an
important application of the right to freedom of expression and opinion to modern-day realities, the report notes that the right to form and hold opinions, unlike the
rights to privacy and freedom of expression, is an absolute right that cannot be limited in any circumstances. Whereas the right to an opinion may traditionally
have been construed as an abstract right that occurs only within one's mind, the report observes, the mechanics of holding opinions have evolved in the digital
age, with individuals both holding opinions digitally - saving their views and their search and browse histories, for instance, on hard drives, in the cloud, and in email archives - and forming opinions online, through search and browsing activities. The report recommends, inter alia, that States should
not restrict encryption and anonymity, and blanket prohibitions fail to be necessary and proportionate and thus cannot comply with
human rights law; States should avoid all measures that weaken the security that individuals' privacy may enjoy online, such as
backdoors, weak encryption standards and key escrows;
ADV MOVEMENTS
border communications that comply with that country's laws will have that vulnerability. If one party to a communication uses
compromised encryption as required in that country, then those globally who communicate with that country will have their
communications compromised as well. Key escrow provides a vivid example of the least trusted country problem. Consider whatever country in the
world you trust the least. For India, that could be Pakistan, for Taiwan it could be China, for Israel it could be Iran. (I prefer not to pick one such country for the
United States.) How secure would any of these countries be if their least trusted country had key escrow for their communications? We wrote: Ultimately,
laws that limit effective encryption create security holes. Communications that originate, end, travel through, or comply with the policies of those
nations are systematically weakened - they are as secure as they would be in the hands of our least trusted country, whatever country that may be. Think
about important communications in the hands of the country you trust least in the world. That is the Internet that would result from limits on strong encryption. In
the United States has a crucial leadership role to play concerning possible compromises in global
communications security . I saw this personally when I met in India with senior officials in 2011, when India was considering a sweeping key escrow
proposal. In these discussions, we explained the history of the crypto wars in the 1990s, and gave the technical and political reasons why the U.S. government
had correctly decided to abandon a key escrow approach. After these discussions, and those with other American and global experts, the Indian government
substantially cut back its legal proposal, and also has had far less than full implementation of the residual provisions. In short, the American example was
useful in reducing the bad effects on global security, notably including for U.S. individuals and companies communicating abroad.
If American policy becomes to mandate encryption vulnerabilities, either in law and practice, then our moral and policy authority to argue for strong cybersecurity
is eroded. The human rights implications of mandating vulnerabilities are also substantial and important. The Review Group Report discussed the importance of
the U.S. Internet Freedom agenda, to bolster protections for journalists, religious minorities, and political dissenters around the world, especially in repressive
regimes. In February, the U.S. government wrote a detailed statement about the importance of encryption to global free expression
and human rights to David Kaye, Special Rapporteur on the Promotion of the Right to Freedom of Opinion and Expression for the United Nations High
Commissioner for Human Rights. Key statements included: As President Obama recently made clear, the United States firmly supports the development of
robust adoption of strong encryption, which is a key tool to secure commerce and trade, safeguard private information, promote freedoms of expression and
association, and strengthen cybersecurity. Encryption, as well as tools that assist with anonymity, are especially important in sensitive
contexts where attribution could have negative political, social or personal consequences or when the privacy interests in the
information are strong. Consistent with this legal framework, as a matter of policy, the United States has long supported the development and use of
strong encryption and anonymity-enabling tools online. The importance of these anonymity-enabling tools has been underscored by
financial support, especially from the U.S. State Department, for development of software and platforms to enable human rights
activists and others abroad to communicate effectively notwithstanding local political regimes' efforts to undermine such
communications. The U.S. government support for its Internet Freedom agenda is broadly consistent with the June 17, 2015 Joint Civil Society Statement by
25 leading non-government organizations entitled Promote Strong Encryption and Anonymity in the Digital Age. In conclusion on the least trusted country
discussion, it is abundantly clear in our globalized world that decisions about U.S. law enforcement access to communications have important effects on how
other countries decide to respond to similar issues in their own countries. The Information Technology Industry Council and Software & Information Industry
Association made this point in a recent letter: In addition to these security and trust concerns, the U.S. policy position on encryption will send a
signal to the rest of the world. Should the U.S. government require companies to weaken encryption technology, such
requirements will legitimize similar efforts by foreign governments. This would threaten the global marketplace as well as deprive
individuals of certain liberties. The United States should be a strong example for cybersecurity and human rights, rather than an excuse used by
repressive regimes to surveil U.S.-based businesses and individuals and clamp down on political dissent.
them, encryption is a critical security tool to avoid being identified, arrested, harassed, or
worse - merely for criticizing government policy. The US government supports Internet freedom abroad as a pillar of its human
rights foreign policy. In recognition of the link between encryption and human rights, Congress has appropriated over $125
million to the State Department and US AID since 2008 to promote Internet freedom, including through programs that develop
encryption tools and train activists on how to use them. But the FBI has embarked on an aggressive campaign to convince the
public that encryption built into our digital tools should be weakened in the name of countering terrorism. Yet it has failed to
recognize the broad, though unintended, harm such an approach would bring to human rights activists worldwide. On June 3,
Michael Steinbach, assistant director of the FBI's counterterrorism division, testified before the House Committee on Homeland Security that technology
companies like Apple and Google should prevent encryption above all else because terrorists are increasingly using the companies' secured tools to shield
communications and access to their activity is going dark. Privacy, above all other things, including safety and freedom from terrorism, is not where we want to
go, Steinbach said. FBI Director James Comey is likely to make the same argument before two hearings at the Senate Judiciary and Intelligence Committees on
Wednesday. Governments have a human rights obligation to investigate and prosecute crime and thwart terrorist attacks. But while
strong encryption may limit some existing surveillance capabilities, these limitations are greatly offset by the explosion of new
kinds of investigatory material enabled by the digital world, including location information and vast stores of metadata. It is also
unlikely that limiting strong encryption in US products would prevent bad actors from using it. Terrorists could merely shift to foreign alternatives. Most jarring
for human rights groups, however, is that the FBI's going dark narrative simply ignores the cost of undermining encryption to
human rights activists around the world. For activists, this debate is just as much about their safety and freedom as about privacy. All
Internet users, including those most vulnerable, rely on the security practices of US tech companies to protect them from abusive surveillance and
cybercriminals. In December 2010, in the midst of the Tunisian uprisings, Facebook, a crucial platform for the activists, began receiving reports that Tunisian
Facebook accounts had been compromised or deleted. Facebook soon discovered that the government had launched a large-scale attack to steal social media
passwords of activists and journalists and access their private communications and contacts. So Facebook turned to encryption, enabling HTTPS, a secure
communication protocol, automatically to thwart the attack in Tunisia. Facebook now deploys HTTPS automatically for its 1.4 billion users. In 2014, Apple and
Google announced they would go further and begin encrypting data stored on mobile devices used by activists worldwide, with even the companies unable to
decrypt locally stored data. WhatsApp, a group chat application, is also rolling out end-to-end encryption for its 800 million users. These measures can help
protect the safety of protest organizers in places like Hong Kong, Thailand, and the Middle East, along with millions of others, even if they may not realize it. The
FBI insists that they don't want a back door into secured services, but rather a requirement that companies design their services so they can still decrypt data
with a lawful court order. But whatever label you use, the nearly universal view within the digital security community is that there is no technical solution that
would allow the FBI to decrypt all communications, but wouldn't leave internet users exposed to actors (government and non-government) that would try to
uncover that vulnerability for malicious purposes. Repressive regimes will exploit back doors to identify troublemakers and throw them in jail. And if the FBI
forces tech companies to weaken their security, then why wouldn't every other government demand the same, including those that equate dissent with terrorism.
How comfortable would we be if Russia, China, and Saudi Arabia had back door access to Apple and Google devices? Indeed, China has already started down
this road in a counter-terrorism bill introduced earlier this year that would require firms to install back doors and disclose encryption keys. The US government
would lack credibility to criticize these demands on behalf of US industry or on human rights grounds. Strong encryption is a cornerstone of security
in the digital age. It helps protect vulnerable human rights activists everywhere. Internet back doors make us all less safe. The FBI and
Congress should not ignore these inconvenient facts, even in the name of fighting terror.
Yen 15, (Andy, Graduate from Harvard Physics and Economics, Scientist at European organization
for Nuclear research, Co-founder of Protonmail a email encryption startup, Idea for Ted Talks,
Why we should all care about encryption. Really, http://ideas.ted.com/why-we-should-all-careabout-encryption-really/, AL)
Back in summer 2013, the Edward Snowden revelations got me thinking. How much of our lives are compromised when security agencies or
hackers, or anyone else can read our emails? Emails paint an intimate narrative of ourselves - the people we talk to, the
books we read, the politics we practice. This information is powerful. When we lose control over it, it can do great harm to
ourselves and our loved ones. I realized that I wasn't comfortable with the power contained within this information, nor with my lack of control over it.
BANNING ENCRYPTION WON'T STOP TERROR ATTACKS OR END RELIGIOUS EXTREMISM. BUT SUCH A BAN WOULD
STIFLE DEMOCRATIC MOVEMENTS, SCUTTLE ONLINE SECURITY, AND UNDERMINE OUR OPEN SOCIETY. In fact, no one
I talk to is comfortable with this information or with its power. But too often, they seem to prefer not to think about these things. Perhaps they imagine their
intimate data tucked away on an anonymous server somewhere, forgotten, and that its potential to impact their lives will remain untapped. I'm not so sure. That's
why I partnered with colleagues from MIT and CERN to build a free, encrypted email service that offers users absolute control over their data. So why does
encryption matter, anyway? Well, some would have you believe that encryption is a tool for the bad guys, enabling terrorists to have
an easy way of plotting their next crimes. In reality, banning encryption won't stop terror attacks or end religious extremism. But
such a ban could stifle democratic movements, scuttle online security, and undermine our open society. Here are three more reasons we should pay attention to
encryption.
Chilling Effect
Cunningham March 2007, Professor of sociology specializing in Social movements, Historical Sociology, Political Sociology,
Quantitative and qualitative inquiry. (David C, Contemporary sociology, March 2007 http://www.jstor.org/stable/20443704?
seq=1#page_scan_tab_contents) //C.A.
But how do we know whether such findings are systematically valid, or whether similar dynamics hold in other cases? Such model-building is not Varon's goal; he is squarely focused on the specific contexts
surrounding the WU and RAF, and in the book's introduction he clarifies that, while engaging with some of the social movement literature, he does not speak its distinctly sociological causal language (p. 18). Indeed,
his use of oral historical accounts is intended to provide representations of the past generated through the subjective work of memory ... and not the objective reconstruction of the past (p. 16). When confronted
with the thorny issue of specifying the impact of the antiwar movement on U.S. policy, he doubts whether a method could even be devised for rendering such a judgment (p. 147) and instead employs the
biographical account of a single activist to represent his sense of the role played by militants in such outcomes. Fair enough, as his methodology yields a nicely textured portrait of the WU and RAF. His detailed
account of activist experiences also provides a window into the multivalent interactive nature of political contention. But it is difficult to have it both ways, to focus on close readings of subjective experiences while also
attempts to integrate and extend existing insights within book-length analyses (though exceptions include Cunningham, 2004; della Porta and Reiter, 1998; Stanley, 1996). Further, findings have lacked consistency,
with surprisingly little cross-disciplinary conversation. Repression and Mobilization, a recent volume edited by Christian Davenport, Hank Johnston, and Carol Mueller, is a welcome corrective to this trend. The volume
is a product of a 2001 conference at the University of Maryland that brought together many influential thinkers in several social science disciplines, and its contents represent the most significant advance in collective
knowledge on the topic in some time. In his introduction, Davenport astutely assesses the field and suggests possibilities for its advancement. Most importantly for our purposes, his essay identifies a key dynamic
that has steered past research away from detailed analysis of surveillance: the move toward aggregated, multi-form indicators of repression as the object of analysis. To the extent that this approach has
predominated over close study of specific repressive forms (including surveillance) as bounded phenomena, its implicit foundation has been what contributor Charles Tilly labels the classic cost-benefit conception of
the impact of repression on mobilization and vice versa (p. 224). Within such a framework, repression is viewed as a cost imposed by authorities
on dissidents, leading to invariant conceptions that the allocation of repression decreases mobilization and, conversely, that mobilization predictably
generates a repressive response from authorities. [Contemporary Sociology 36, 2. Downloaded from csx.sagepub.com at UNIV OF MICHIGAN on July 20, 2015. 122 Symposium] Davenport shows that exploration of the second relationship (i.e., mobilization causes repression) has yielded the expected finding, while studies of the impact of
repression on subsequent mobilization have produced less consistent results. In his view, these empirical regularities/irregularities are problematic, as both have been produced in the presence of significant analytic
blind spots: an overly-narrow conception of repressive and dissident forms, reliance on a small number of fixed cases and data sets, and a simplistic view of the role played by media coverage. What to do? If the
argues that analysts should view the repression-mobilization nexus interactively, employing explanatory concepts derived from the social movement literature's political process tradition - i.e., political opportunities
and threats, mobilizing structures, and cultural frames (see McAdam, 1982; McAdam, McCarthy, and Zald, 1996; Tarrow, 1998). The remainder of the volume is effectively an argument for complicating this baseline
model. Insights explicitly or implicitly tied to surveillance dynamics abound. Clark McPhail and John McCarthy highlight the fact that surveillance operations and other repressive tactics are not static or uniform - they
in fact vary by, and diffuse across, local policing jurisdictions in predictable ways. Gilda Zwerman and Patricia Steinhoff recognize that multiple, often divergent, outcomes result from the imposition of surveillance and
senior theorists given the final word in the volume - Charles Tilly and Mark Lichbach - barely mention the contributions of the preceding chapters. Instead, they concern themselves with broader issues of analysts'
general orientation to the study of political conflict. Tilly suggests that students of repression and mobilization shift their angles of vision (Tilly, 2005: 225) to align with the mechanism-based approach he has
advanced, with Doug McAdam and Sidney Tarrow, in the 2001 book Dynamics of Contention. The DOC approach recognizes that repression and mobilization are relational phenomena, both involving exchanges
between dissidents and authorities. As such, it sees meaning as rooted in interactions within and between social sites, and centers analyses on episodes, or continuous streams of contention including collective
claim making that bears on other parties' interests (McAdam et al., 2001: 234). Its empirical program calls for decomposing those episodes into combinations of recognizable, recurrent processes, then identifying
the invariant causal mechanisms that enter those processes (Tilly, 2005: 211-12). The goal is not to identify regularities across classes of episodes, but instead to find robust constituent mechanisms and processes
that combine in varying ways to yield distinct outcomes. In short, the program aims at explaining change and variation, not in discovering uniformity among whole classes of episodes (Tilly, 2005: 212). To illustrate
what a DOC-style analysis might look like, Tilly concludes with a discussion of the mechanisms that constitute two varieties of collective violence, which he refers to as scattered attacks and broken negotiations.
Using these examples, he demonstrates that a single type of state action - e.g., the imposition of surveillance against challengers - can yield divergent effects across contentious forms. The general point is that it is
likely misplaced to suggest that a single law govern[s] the relationship of mobilization to repression when both sides of the nexus are really shorthand for diverse sets of relational configurations (Tilly, 2005: 222).
We would be better served, Tilly instructs, to break specific configurations (i.e., episodes of contention) into their constituent
processes and mechanisms, which become the sites through which particular types of outcomes emerge. Jules Boykoff's The Suppression of Dissent represents a book-length
treatment of a DOC-style mechanism-based approach. Drawing on a range of cases familiar to students of social movements in the U.S. (and relying, unfortunately, almost exclusively on existing secondary sources
as evidence), Boykoff explains how it is that state efforts to suppress political challenges result in the demobilization of social movements in the U.S. Like Tilly, he argues that such an explanation requires the
identification of distinct mechanisms through which actions contribute to the process of demobilization. The bulk of the book is taken up by descriptive case studies involving Martin Luther King, Jr., the Black Panther
Party, the Hollywood Ten, the American Indian Movement, and other activists from his self-described deep, broad survey of suppression in twentieth and twenty-first century U.S. history (p. 303). From these
accounts he inductively identifies a set of twelve actions, or Modes of Suppression. These Modes, in turn, lead to the demobilization of social movements through the work of five causal mechanisms: resource
depletion, stigmatization, divisive disruption, intimidation, and emulation. Curiously, Boykoff's product doesn't look much like Tilly's. While Boykoff does inductively identify his population of Modes by examining
specific cases that can plausibly be conceived as episodes, he does not extend his discussion of mechanisms to explain the trajectory of particular cases of state-dissident interaction. This makes it difficult to
understand how constellations of mechanisms might combine to yield change and variation in outcomes, or how the context-laden character of both sides of the struggle might interact to shape the arc of contention.
While Tilly examines how particular combinations of mechanisms can explain variation, rather than uniformity, in outcomes, Boykoff asks why do seemingly different acts produce a common effect: the suppression of
dissent? (p. 264). So where does this leave us? Given the varied and inconsistent strains reviewed here, in what direction might future studies of surveillance in contentious politics productively move? First, if a
common theme exists in these works, it is that we need to disaggregate concepts such as mobilization and repression, and to pay closer attention to the particular ways in which surveillance as a repressive form
impacts contentious episodes. Taking this recommendation seriously requires that we make explicit the features that distinguish surveillance from other modes of repression. Two recent efforts may be instructive. Earl
(2003) has constructed a typology of repression, within which we can understand surveillance as fitting within classes of action that are: 1) coercive, 2) unobserved by targets and the general public, and 3)
perpetrated either by private or state-based agents. Davenport (2005), in a recent journal article, has alternately focused on a single analytic dimension: the distinction between overt and covert repressive action.
While surveillance of dissident targets is sometimes employed overtly, to chill or otherwise alter the behavior of challengers (Marx, 1979), monitoring more often functions covertly as a means to collect information
that can later be used in a variety of ways against targets. This emphasis on covert state action harks back to Gary Marx's (1974, 1988) seminal research on informants, agents provocateurs, and undercover policing,
and links to an emerging concern with the patterning of surveillance-based acts, in particular the ways in which authorities allocate resources to monitor targets. Recent work has highlighted how state agencies
identify targets by constructing them as such, and has shown that such constructions are shaped not only by ethnic, class, religious, etc. characteristics of potential candidates, but also by the organizational structure
of policing agencies (Cunningham, 2004) and the characteristics of neighborhoods where potential targets reside (Davenport, 2005). A related concern is the impact of state surveillance - how such action affects
activists and sympathetic publics. Boykoff argues that the presence of surveillance - whether perceived or real - can contribute to a process of demobilization through the intimidation of targets, often characterized by
a feeling of paranoia. Such efforts, he asserts, also yield a body of information that can be used by state agencies to disrupt the functioning of targeted groups (pp. 281-4). While such unique effects speak to the
inappropriateness of lumping together heterogeneous categories of action as
repression, it is important to recognize that state agencies often simultaneously employ a combination of tactics to minimize dissent - e.g. aggressively policing public space, gathering extensive intelligence through
covert surveillance efforts, empowering community leaders to exert social control on local residents, and so on (Caldwell, 2006). Research that brackets surveillance as its object of study would almost certainly miss
indirect or emergent effects visible only through the contextualization of individual tactics within broader suppressive programs. In certain cases, such as with the FBI's counterintelligence programs (COINTELPROs)
in operation between 1956 and 1971, state agencies have formalized the use of a diverse repertoire of tactics, self-consciously employed in concert (Cunningham, 2003, 2004). Therefore, alongside efforts to
disaggregate analytic categories, we need to find ways to comprehend how tactical combinations interact to yield predictable outcomes. Is a mechanism-based approach the best way to do so? The question is at the
core of current debate in the field of contentious politics as a whole, reflected by the seeming gulf between Tilly's approach and the contextualized political process agenda advanced by the other contributors to the
Davenport et al. volume. In that book's concluding chapter, Mark Lichbach promotes a strategy to bridge these perspectives. Lichbach is not troubled by the use of mechanisms to generate dynamic causal accounts
that demonstrate how relationships between inputs and outcomes operate. He is, however, wary of research programs organized around the identification of salient mechanisms, as the exhaustive listing of these
mechanisms can easily expand indefinitely, creating an interminable makework project (Lichbach, 2005: 233). To prevent such chaotic proliferation, Lichbach suggests that researchers should embed their
mechanisms within larger organized systems of knowledge (i.e., logically-consistent combinations of mechanisms) and employ stylized facts and historical narratives to evaluate them empirically. Such an agenda
may be one way to take the DOC challenge seriously - i.e., to give attention to the largely unexamined relational transactions lodged within the causal arrows of social science models - without discarding the
underlying political process approach that has guided the field for the past two decades. Such an effort can have broader-reaching effects as well, moving theoretically-inclined social scientists toward the center of
policy-based dialogue surrounding the varied impacts of surveillance initiatives. These debates are of course pivotal to understanding
citizens. Equally important, sophisticated analyses can also demonstrate how surveillance efforts can chill citizens' ability to
lawfully express dissent, posing a threat to acts vital to the practice of democracy.
wiretaps, agent observation of public events, illegal break-ins, and infiltration by informants and provocateurs - constituted the
meat of the state's repressive efforts, at least in the U.S. Varon notes that, even before the Weatherman organization went underground,
the FBI had identified at least 270 of its members, nearly a third of whom were marked on the Bureau's Security Index for
detainment in the case of national emergency. Agents and informants also diligently recorded the identities of the 300 or so
people in attendance at a Weatherman-sponsored conference in 1969 (p. 158). Despite considerable safeguards in place to prevent infiltration, in at least
three cases informants successfully gained access to radical collectives. In such instances, informants typically operated as provocateurs, encouraging violent
activities for which participants were then arrested. After their move underground in 1970, FBI Director J. Edgar Hoover designated the Weather leadership
subjects of intensive investigation, and three Bureau officials were later indicted for their resulting authorization of a series of break-ins
(known as black-bag jobs) designed to gather information about suspects' whereabouts. Varon reaches a number of conclusions
about how such state action impacted the trajectories of each group. State repression, he suggests, caused those skeptical about
violence to seriously contemplate it and those
persuaded of the need for violence to take the radical leap into action (p. 3).
[Surveillance and Social Movements: Lenses on the Repression-Mobilization Nexus. DAVID CUNNINGHAM, Brandeis University. The
Suppression of Dissent: How the State and Mass Media Squelch US American Social Movements, by Jules Boykoff. New York, NY: Routledge, 2006. 288 pp.
$80.00 cloth. ISBN: 0415978106. Repression and Mobilization, edited by Christian Davenport, Hank Johnston, and Carol Mueller. Minneapolis, MN: University of
Minnesota Press, 2005. 328 pp. $75.00. cloth. ISBN: 081664425X. Bringing the War Home: The Weather Underground, the Red Army Faction, and
Revolutionary Violence in the Sixties and Seventies, by Jeremy Varon. Berkeley, CA: University of California Press, 2004. 407 pp. $21.95 paper. ISBN:
0520241190.]
In Germany, [h]ad the state's reaction been less severe, the RAF's armed struggle
might neither have endured so long nor become so brutal (p. 254). In the U.S., the traumatic effect of state violence provided a motive for Weather adherents'
increased militancy during the late 1960s (p. 162). The move by the Weather Underground toward symbolic damage and away from violence against human
targets prevented the sort of massive program of state repression witnessed in Germany (p. 174). We can also infer dynamics more closely tied to
surveillance: that Weathermans move underground was in part to escape monitoring by police and FBI, and that this move did in
fact significantly reduce the latters ability to surveil the group. Paradoxically, however, this shift expanded the overall scope of the states
surveillance activities as agents increasingly relied on less fine-tuned metrics to locate Weather adherents, focusing on broad networks of above-ground family
and friends as well as a wide range of locales (communes, countercultural centers, etc.) deemed likely to shelter underground suspects. All are provocative
conclusions, and not inconsistent with the specific evidence presented in Bringing the War Home.
--a2 sq solves
Foreign governments are modeling encryption backdoors now
Schneier 15
Bruce Schneier (Chief Technology Officer of Resilient Systems, a fellow at Harvard's Berkman Center, and a board
member of EFF, https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html)
Encryption protects our data. It protects our data when it's sitting on our computers and in
data centers, and it protects it when it's being transmitted around the Internet. It protects our
conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And
sometimes, it protects our lives. This protection is important for everyone. It's easy to see how
encryption protects journalists, human rights defenders, and political activists in authoritarian
countries. But encryption protects the rest of us as well. It protects our data from criminals. It protects
it from competitors, neighbors, and family members. It protects it from malicious attackers, and it
protects it from accidents. Encryption works best if it's ubiquitous and automatic. The two forms of
encryption you use most often -- https URLs on your browser, and the handset-to-tower link for your
cell phone calls -- work so well because you don't even know they're there. Encryption should be
enabled for everything by default, not a feature you turn on only if you're doing something you
consider worth protecting. This is important. If we only use encryption when we're working with
important data, then encryption signals that data's importance. If only dissidents use encryption in a
country, that country's authorities have an easy way of identifying them. But if everyone uses it all of
the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private
conversation. The government can't tell the dissidents from the rest of the population. Every time you
use encryption, you're protecting someone who needs to use it to stay alive. It's important to
remember that encryption doesn't magically convey security. There are many ways to get encryption
wrong, and we regularly see them in the headlines. Encryption doesn't protect your computer or phone
from being hacked, and it can't protect metadata, such as e-mail addresses that need to be
unencrypted so your mail can be delivered. But encryption is the most important privacy-preserving
technology we have, and one that is uniquely suited to protect against bulk surveillance -- the kind
done by governments looking to control their populations and criminals looking for vulnerable victims.
By forcing both to target their attacks against individuals, we protect society. Today, we are seeing
government pushback against encryption. Many countries, from States like China and Russia to more
democratic governments like the United States and the United Kingdom, are either talking about or
implementing policies that limit strong encryption. This is dangerous, because it's technically
impossible, and the attempt will cause incredible damage to the security of the Internet. There are two
morals to all of this. One, we should push companies to offer encryption to everyone, by default. And
two, we should resist demands from governments to weaken encryption. Any weakening, even in the
name of legitimate law enforcement, puts us all at risk. Even though criminals benefit from strong
encryption, we're all much more secure when we all have strong encryption. This originally appeared in
Securing Safe Spaces Online. EDITED TO ADD: Last month, I blogged about a UN report on the value of
encryption technologies to human freedom worldwide. This essay is the foreword to a companion
document: To support the findings contained in the Special Rapporteur's report, Privacy International,
the Harvard Law School's International Human Rights Law Clinic and ARTICLE 19 have published an
accompanying booklet, Securing Safe Spaces Online: Encryption, online anonymity and human rights
which explores the impact of measures to restrict online encryption and anonymity in four particular
countries -- the United Kingdom, Morocco, Pakistan and South Korea.
Yen 15, (Andy, Graduate from Harvard Physics and Economics, Scientist at European organization
for Nuclear research, Co-founder of Protonmail, an email encryption startup, Idea for Ted Talks,
Why we should all care about encryption. Really, http://ideas.ted.com/why-we-should-all-care-about-encryption-really/, AL)
"In extremis, it has been possible to read someone's letter, to listen to someone's call, to listen in on mobile communications," said British Prime Minister David
Cameron following the attacks on the offices of Charlie Hebdo magazine in Paris in January 2015. "The question remains: are we going to allow a means of
communications where it simply is not possible to do that? My answer to that question is: no, we must not." Meanwhile, over in the United States, President
Obama said, "If we find evidence of a terrorist plot and despite having a phone number, despite having a social media address or email address, we can't
penetrate that, that's a problem." POLITICIANS ARE NOTORIOUSLY TERRIBLE ARBITERS OF TECHNOLOGY. These reactions are typical. And perhaps it's
true if 100% transparency were to somehow magically appear, we might live in a world free of terror and cyberattacks. But are we really comfortable living in a
world where all of our private details are available for all to see? The reality is we need some privacy in our lives, and encryption lies at the
foundation of privacy. In every aspect of online security -- email, banking, medical records -- we need encryption to keep our
data from falling into the wrong hands. Access to encryption keys -- whether through back doors or by storing keys in places where they can be stolen --
would make the keys themselves useless. It's not just that someone could peer into our lives by viewing our emails. Do politicians really want us all to send
our banking passwords and medical records in plain text so that anyone could read them? Politicians are notoriously terrible arbiters of technology. If security
experts from around the world are unanimously calling for stronger instead of weaker encryption, perhaps the politicians should listen. 3. Maybe we don't have
anything to hide now but maybe we will later. Arguments in favor of surveillance rest on assurances that governments are always
benign. But there are many examples of data snooping being used to crush dissent -- one of the most tragic being China's
imprisonment of dissidents, including Wang Xiaoming, using data supplied by Yahoo. Although governments certainly benefit from
corporate complicity, they don't like to solely rely on the cooperation of entities like Yahoo. Consider the persistent efforts of the NSA and other
government security organizations to require software back doors in operating systems to grant them at-will access to data on private servers and computers.
Governments don't want to wait for legislation to grant them this access. Recent revelations by the Russian security software maker Kaspersky
Lab show that a shadowy, U.S.-linked intelligence agency installed software deep into the firmware of millions of hard drives at the manufacturer level, rendering
it invisible and undetectable. With this software, a remotely based intelligence agency can not only slip past firewalls and antivirus programs to view what's on the
drives, but could also turn their host computers into tools for future attacks. THERE IS NO SUCH THING AS A BACK DOOR THAT ONLY LETS THE GOOD
GUYS IN. Why should we care about these back doors if we have nothing to hide? Privacy empowers and protects the minority. The ability to
communicate, organize, and discuss without government interference is what gives dissidents a voice. Without privacy rights, a
democratic government accountable to all of its people -- not just the majority -- simply cannot exist. Someday you may find
yourself in the minority. Why encryption is worth fighting for Taking away encryption is not going to suddenly make the world a safer place but it
will make dissidents and activists suffer. Just as importantly, taking away encryption allows invisible observers to place every action of ordinary citizens
under a microscope and file it away for future reference. If we squander privacy by allowing back doors or building illicit vulnerabilities into encryption tools, there
is nothing to protect us from prying corporations, spying governments or even criminals bent on abusing our data. Unfortunately, there is no such thing as a back
door that only lets the good guys in. Data must always be encrypted, end-to-end, period -- before it leaves your computer. Privacy is a fundamental right. Let's
not squander it in the name of security.
Encryption key to privacy provides means for individuals to share information without
government interference
Kaye 15, (David, Special Rapporteur on freedom of expression, report to the Human Rights Council, Report of the Special
Rapporteur on the promotion and protection of the right to freedom of opinion and expression
http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx, AL)
Contemporary digital technologies offer Governments, corporations, criminals and pranksters unprecedented capacity to
interfere with the rights to freedom of opinion and expression. Online censorship, mass and targeted surveillance and data
collection, digital attacks on civil society and repression resulting from online expression force individuals around the world to
seek security to hold opinions without interference and seek, receive and impart information and ideas of all kinds. Many seek to protect their security
through encryption, the scrambling of data so only intended recipients may access it, which may be applied to data in transit (e.g., e-mail,
messaging, Internet telephony) and at rest (e.g., hard drives, cloud services). Others seek additional protection in anonymity, using
sophisticated technologies to disguise their identity and digital footprint. Encryption and anonymity, today's leading vehicles for online security,
provide individuals with a means to protect their privacy, empowering them to browse, read, develop and share opinions and
information without interference and enabling journalists, civil society organizations, members of ethnic or religious groups, those
persecuted because of their sexual orientation or gender identity, activists, scholars, artists and others to exercise the rights to
freedom of opinion and expression.
ADV CHINA
no further than
President Obama's stark criticism of China's plan to do exactly that on Tuesday. If only
he would tell the FBI and NSA the same thing. In a stunningly short-sighted move, the FBI - and more
recently the NSA - have been pushing for a new US law that would force tech companies
like Apple and Google to hand over the encryption keys or build backdoors into their products
and tools so the government would always have access to our communications. It was only a matter of time before other
governments jumped on the bandwagon, and China wasted no time in demanding the same from tech companies a few weeks ago.
As President Obama himself described to Reuters, China
Sim cards used by many of the world's most popular cell phone providers. It's happened many times before too. Security expert
Bruce Schneier has documented with numerous examples, "Back-door access built for the good guys is
routinely used by the bad guys." Stamos repeatedly (and commendably) pushed the NSA director for an answer on
what happens when China or Russia also demand backdoors from tech companies, but Rogers didn't have an answer prepared at all.
He just kept repeating "I think we can work through this." As Stamos insinuated, maybe Rogers should ask his own staff why we
actually can't work through this, because virtually every technologist agrees backdoors
and U.S. tech giants have come to blows over government backdoors in
encryption products lately, with the government arguing that backdoors are vital to national
security, and the likes of Yahoo claiming it will make encryption pointless. Well, it looks the party line on backdoors changes
pretty sharpish when China is involved. As Reuters reports, China is considering a counterterrorism law that
would require technology firms to surrender encryption keys and install backdoors for
security services -- something that's not exactly dissimilar to the NSA activities revealed by Edward Snowden. But in an
impressive piece of hypocrisy, the US is throwing up a fit over the proposed Chinese law. Michael
Froman, the US trade representative, claims that "the rules aren't about security -- they are about protectionism and favoring
Chinese companies...the administration is aggressively working to have China walk back from these troubling regulations." But it's
difficult to ignore the fact that the U.S.
Chinese government encryption keys would be handed over as a matter of form, rather
than on request -- but the end result is basically identical. Something about chickens coming home to roost would be appropriate
about now. [Reuters]
Beijing has rejected President Obama's criticism of its plan to make tech companies put
backdoors in their software and share their encryption keys if they want to operate in China. On
Monday, Mr Obama told the Reuters news agency he had "made it very clear" China had to change its policy if it
wanted to do business with the US. But Beijing said it needed the powers to combat terrorism
and tackle leaks. It also suggested the West was guilty of having double standards. "The legislation is China's domestic affair, and we
hope the US side can take a right, sober and objective view towards it," said Chinese foreign ministry spokeswoman Hua Chunying.
"On the information-security issue, there
embedded spying software in the computer system of another country's Sim card maker, for surveillance activities. This
is only one out of the recently disclosed cases. "All countries are paying close attention to this and taking measures to safeguard their
own information security, an act that is beyond any reproach." The case she was referring to involved allegations that US cyber-spies
had hacked a Dutch Sim card manufacturer in order to help decrypt their targets' communications. At another press conference,
parliamentary spokeswoman Fu Ying drew attention to the fact that the US government had imposed restrictions on Chinese
companies including Huawei and ZTE. And she suggested that Beijing's
transparent
procedures, China's anti-terrorism campaign will be different from what the United States
has done: letting the surveillance authorities run amok and turn counter-terrorism into
paranoid espionage and peeping on its civilians and allies," Xinhua wrote. "Contrary to the accusations of the United States,
China's anti-terror law will put no unfair regulatory pressures on foreign companies,
because the provisions will apply to both domestic and foreign firms." Insecure systems The
Conservative party has indicated it wants to expand the UK's cyber-spies' surveillance powers if it wins the May election. "Our manifesto will make
clear that we will... use all the legal powers available to us to make sure that, where appropriate, the intelligence and security
agencies have the maximum capability to intercept the communications of suspects while making sure that such intrusive
techniques are properly overseen," Home Secretary Theresa May told Parliament in January. One expert said it should be no
surprise that the West was finding it difficult to prevent China seeking greater cyber-surveillance powers of its own, but added there
were good reasons to fear its proposals. "Either behind the scenes or increasingly openly, the US and UK are justifying similar
behaviour for their own purposes, but are extremely concerned when China asks for its own capabilities," said Dr Joss Wright, from
the Oxford Internet Institute. "But what we don't want to see is a world in which internet-based products and services are riddled
with backdoors by every state that says it needs to act against terrorism. "Backdoors
Leyden 15 Online Media The Register, Public Relations and Journalism. (Obama criticises China's mandatory backdoor
tech import rules, John Leyden, The Register UK, March 5, 2015,
http://www.theregister.co.uk/2015/03/05/obama_criticises_china_tech_rules_backdoor_terrorism/)//chiragjain
As previously reported, proposed
government before technology sales within China would be authorised. China is also asking that tech companies adopt Chinese
encryption algorithms and disclose elements of their intellectual property. The new requirements, laid out in a 22-page
document approved late last year, are supposedly geared towards strengthening the cyber security
of critical Chinese industries and guarding against terrorism. In an interview with Reuters, Obama said Beijing's
far-reaching counter-terrorism law would require technology firms to hand over
encryption keys as well as installing "backdoors" into systems, thus granting Chinese authorities access in the
process. "We have made it very clear that this is something they are going to have to change if they are to do business with the
United States," Obama said. "This is something that I've raised directly with President Xi." The proposed
laws "would essentially force all foreign companies, including US companies, to turn over to the Chinese
government mechanisms where they can snoop and keep track of all the users of those services," Obama added. "As you might
imagine, tech companies are not going to be willing to do that," he said. Aside from user privacy concerns,
Western business groups such as the US Chamber of Commerce have criticised China's policies as
protectionist. The proposed rules extend the scope of recently adopted financial industry regulations that effectively
encouraged Chinese banks to buy from domestic technology vendors. The Chinese government is pushing these anti-terrorism rules
as vital in protecting state and business secrets. The disagreement marks another cyber security and technology policy difference
between US and China, with relations not yet healed from ongoing complaints about Chinese cyber espionage and the Snowden
revelations. The Snowden revelations have effectively prevented the US from taking the moral high ground on internet security and
technology policy issues. For example, Chinese Foreign Ministry Spokesperson Hua Chunying referred to the Gemalto hack in a
press conference where she was asked about Obama's criticism of China proposed laws. The legislation is China's
domestic affair, and we hope the US side can take a right, sober and objective view towards it. On the information security
issue, there are media revelations that a certain country embedded spying software in the
computer system of other country's SIM card maker for surveillance activities. This is only one out of the recently disclosed cases. All
countries are paying close attention to this and taking measures to safeguard their own information security The Chinese
Western Tech Companies, Paul Mozur, New York Times, January 28, 2015, http://www.nytimes.com/2015/01/29/technology/inchina-new-cybersecurity-rules-perturb-western-tech-companies.html?_r=0)//chiragjain
HONG KONG The Chinese
worldwide tech sector growth. Analysts said new Chinese policies like the bank rules and an antiterrorism law that is still in draft
form would make doing business increasingly difficult in China for foreign hardware and software companies. "I think they're
obviously targeting foreign vendors that are operating in China," said Matthew Cheung, a researcher at the analytics firm Gartner.
"They are promoting the local technologies so that local providers who have the capabilities to provide systems to these enterprises
can get more market share." For instance, the bank rules say 75 percent of technology products used by Chinese institutions must be
classified as "secure and controllable" by 2019. Though analysts say "secure and controllable" -- a phrase that peppers several new
Chinese technology policies -- may be open to interpretation, a chart attached to the banking regulations shows the troubles foreign
companies could have in winning that classification for their products. For most computing and networking equipment, the chart
says, source code must be turned over to Chinese officials. But many
proposed antiterrorism law, it would be required to provide a key so that the Chinese government could decrypt data stored on
iPhones. A growing number of American technology executives have complained about new barriers to access to the Chinese market.
John T. Chambers, the chief executive of the network equipment maker Cisco Systems, has raised the issue, as have executives at the
chip maker Qualcomm. This week, Microsoft's chief executive, Satya Nadella, said his company was working through geopolitical
issues regarding China. In the letter, the Western companies voiced concerns about a broader cybersecurity review regime under
which the Chinese government would assess the security and controllability of hardware, software and technology services sold in
China, through audits and other checks. More details about the checks will be sent in February to the Central Leading Group for
Cyberspace Affairs, the committee led by the Chinese president, according to a recent report by Xinhua, the state-run news agency.
The committee, which was created after the disclosures by Mr. Snowden, is leading the charge in consolidating and streamlining
online security efforts in China. Analysts said it had most likely presided over or given tacit support to the new policies. The
leadership committee is said to be also trying to wean the country from its reliance on foreign technology, a longstanding goal that
has gained urgency after Mr. Snowden's revelations. Zuo Xiaodong, vice president of the China Information Security Research
Institute, said the new policies and the broader push for indigenous innovation were not intended to eliminate foreign companies
from the market. "We're under the yoke of others. If the others stop services, what do we do?" he said, noting that many Chinese
companies and local governments had to scramble when Microsoft discontinued its support of Windows XP. "From a security
perspective, that simply wasn't acceptable. We're breaking away from these types of circumstances." Even if Beijing wants it to, the
banking industry cannot immediately do away with all foreign hardware makers, Mr.
Yao of IDC said. Banks purchase billions of dollars' worth of hardware and software to
manage transactions, and Chinese companies cannot yet produce some of the higher-end servers and mainframes they rely on. Mr.
Yao said 90
represented 21.3 percent revenue share in 2010 in P.R.C. market and we expect in 2014 that number will reach 43.1 percent, he
said, using the abbreviation for the People's Republic of China. That's a huge jump.
ADV CONSTITUTION
Bankston 4/29/15 - Kevin S. Bankston: Policy Director of New America's Open Technology Institute & Co-Director of New America's Cybersecurity Initiative. Kevin was a Senior Counsel and the Director of the Free Expression Project at
the Center for Democracy & Technology. He is the Director of New America's Open Technology Institute. Masters from the
University of Southern California Law School (Before the U.S. House of Representatives Subcommittee on Information Technology
of the Committee on Oversight and Government Reform: Hearing on Encryption Technology and Possible U.S. Policy Responses.,
Kevin S. Bankston, April 29, 2015, https://static.newamerica.org/attachments/2982-at-crypto-hearing-best-arguments-against-backdoor-mandates-come-from-members-of-congress-themselves/Bankston_Oral_Testimony.ffdedda50c6149309d6d6da935795ed7.pdf)//chiragjain
3.
That bill was also in line with the recommendations of the National Academies, which after extensive study issued a 700-plus page
report on the policy challenges posed by encryption. Its primary recommendation was: Recommendation 1 No law should bar
the manufacture, sale, or use of any form of encryption within the United States. Specifically, a legislative
ban on the use of unescrowed encryption would raise both technical and legal or constitutional
issues. Technically, many methods are available to circumvent such a ban; legally, constitutional issues,
especially those related to free speech, would be almost certain to arise, issues that are not trivial to
resolve.
4.
California Law School (Before the U.S. House of Representatives Subcommittee on Information Technology of the Committee on
Oversight and Government Reform: Hearing on Encryption Technology and Possible U.S. Policy Responses., Kevin S. Bankston,
April 29, 2015, https://static.newamerica.org/attachments/2982-at-crypto-hearing-best-arguments-against-backdoor-mandates-come-from-members-of-congress-themselves/Bankston_Oral_Testimony.ffdedda50c6149309d6d6da935795ed7.pdf)//chiragjain
The Fourth Amendment gives individuals the right to be secure in their papers and effects, prohibiting
unreasonable searches and seizures and requiring that any warrant authorizing such a government
invasion be issued by a court based on a showing of probable cause.44 As indicated by recent Supreme
Court cases, the need for vigorous enforcement of that right has become even more acute in the context
of powerful digital technologies. Most recently, a unanimous Supreme Court in the case of Riley v.
California decided to require warrants for the search of a cellphone in the possession of an arrestee, based
on the unprecedented amount of private data that may be stored on such devices even though such
searches incident to arrest have traditionally been allowed without a warrant.45 As the Court explained,
many cell phones are in fact minicomputers that also happen to have the capacity to be used as a
telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders,
libraries, diaries, albums, televisions, maps, or newspapers.46 These devices, with immense storage
capacity, can hold every picture [their users] have taken, or every book or article they have read, and
even the most basic phones that sell for less than $20 might hold photographs, picture messages, text
messages, Internet browsing history, a calendar, a thousand-entry phone book, and so on.47 Ultimately,
as the Supreme Court explicitly held, the search of a modern electronic device such as a smartphone or a
computer is more privacy invasive than even the most exhaustive search of a house.
ADV PRIVACY
meaningless junk, and it also creates trust by allowing us to prove who we are online -- another essential element of doing
business over the internet. "A lot of cryptography isn't just about keeping things secret, a lot of it is about proving identity," says Bill Buchanan, professor of
computing at Edinburgh Napier University. "There's a lot of naïveté about cryptography as to thinking it's just about keeping something safe on your disk." But the
rise of the internet suddenly meant that access to cryptography became an issue of privacy and economics as well as one of national security, immediately
sparking the clash that came to be known as 'the crypto wars'. Governments fought to control the use of encryption, while privacy advocates
insisted its use was essential not just for individual freedom, but also to protect the commercial development of the nascent
internet. What followed was a series of skirmishes, as the US government and others made increasingly desperate and unsuccessful efforts to reassert
control over encryption technologies. One example in the mid-90s involved the NSA designing the Clipper chip, which was a way to give the agency access to
the communications on any devices on which the chip was installed. Another attempt at government control during this period came with the introduction of key
escrow. Under the scheme, the US government would agree to license encryption providers, if they gave the state access to the keys used to decode
communications. On top of this were rules which only allowed products that used weak and easily-cracked encryption to be exported from the US. Remarkably
there was an unwelcome reminder of those days of watered-down encryption with the appearance of the recent FREAK flaw in
the SSL security standard. The vulnerability could be used to force web browsers to default to the weaker "export-strength"
encryption, which can be easily broken. Few experts even knew that the option to use the weaker encryption still existed in the browsers commonly
used today -- a good example of the dangerous and unexpected consequences of attempts to control privacy technologies, long after the political decisions
affecting it had been reversed and forgotten. But by the early 2000s, it appeared that the privacy advocates had effectively won the crypto wars. The Clipper chip
was abandoned, strong encryption software exports were allowed, key escrow failed, and governments realised it was all but impossible for them to control the
use of encryption. It was understood that if they tried, the damage they would do to the internet economy would be too great. Individual freedoms, and
simple economics, had overwhelmed national security. In 2005, one campaigning group even cheerfully announced "The crypto wars are finally
over and we won!" They were wrong. We now know that the crypto wars were never over. While privacy campaigners celebrated their victory,
intelligence agencies were already at work breaking and undermining encryption. The second stage of the crypto wars -- the spies' secret
war -- had begun.
"master key" to all data encryption, that assumes there's a sound mechanism for ensuring that those keys don't fall into the
hands of the bad guys, and that the good guys never use them for the wrong reasons. Those assumptions are laughable. Bruce
Schneier is an authority on why security back doors are a terrible idea: The bad guys inevitably find them and use them. Believe him. Also know that
law enforcement officers are a population like all populations, with good and bad eggs. If you think that no officer, anywhere, will use a back door to find out
things that he or she shouldn't find out, think again. Officers and other employees charged with keeping us safe can misbehave like any other company
employee. I assure you that small indiscretions happen every day that the general public never knows about. Only when things blow
up do we see the headlines, like the ones made by former FBI agent and turncoat Robert Hanssen, who was at one time an
internal affairs investigator and who became known as a "computer expert" in the bureau. Putting data encryption solely into the
hands of government employees won't prevent bad things from happening. Competitive disadvantage Arbitrary spying creates a
competitive disadvantage for our country. The NSA's spying on US citizens and businesses without due process created an
atmosphere in which some foreign businesses are now reluctant to locate in this country. Indeed, analysts predict that US tech
companies could lose $180 billion by 2016 due to international concerns about intelligence agencies' spying. For the US to
restore confidence, legislation must protect -- not remove -- the ability of citizens and businesses to secure their data in such a way
that meets the approval of credible global security experts. That means no back doors. Slippery slope As more and more of our life goes
digital, those of us who are skilled at translating manual processes into automated ones understand what back-door, automated access to our digital lives would
look like. Your photos will be instantly accessible. Jennifer Lawrence recently had firsthand experience with the risks that all Americans will have:
Hackers were able to access (and then distribute) her private photos, created for her boyfriend and placed on Apple's iCloud, because of
poor security. Your love notes, similarly so. Your "private" journal, where you write ugly thoughts that nobody else should ever read -- also
accessible. Where does it end? The answer is that it doesn't. And just as law enforcement doesn't have back-door, automated access to your
personal life today, it shouldn't have back-door, automated access to your business life, either. Criminals favored Thankfully, open-source encryption
software without back doors has existed for a long time. If we outlaw data encryption and replace it with something that has a
back door, we basically declare that law-abiding citizens won't have privacy, but criminals and other malcontents will. The FBI's
Comey says unchecked encryption could lead us to a place in which murderers, child abusers, and other criminals roam free. So are we to believe that
murderers and child abusers won't use freely available open-source encryption software to cover their tracks if it's against the law to use strong encryption?
Please. The only thing that outlawing data encryption will do is take it out of the hands of law-abiding citizens. I'm sympathetic to the
notion that law enforcement officials need a range of tools to catch the bad guys. And they continue to add new tools: DNA analysis, better systems to search
fingerprints and perform forensics, predictive intelligence software, geographic information systems, log correlation, metadata -- the list goes on. Adding
access to all US-based encrypted data is tantamount to enabling physical searches without warrants. Proponents will say that law
enforcement will use due process, but that's not a given. People notice when a police officer walks into their house and reads their journal. It's a lot harder to
notice an officer using a back door for nefarious purposes. There's no reason to assume that law enforcement officials will be less effective
simply because they must stick to tools legally at their disposal. And following Comey's call to outlaw encryption will lead to a police
state that most law enforcement officials won't be comfortable with, once they realize the true impact on society.
A2 DA CIRCUMVENTION
in their mobile operating systems. If a device is running the latest version of iOS or Android, neither company will be able to
bypass a user's PIN or password and unlock a phone, even if the government gets a court order asking it to do so. The
announcements by Apple and Google have in turn led to calls for golden keys -- hypothetical backdoors in devices intended to allow only law enforcement to
access them. As we've explained, we think these proposals to create backdoors totally misunderstand the technology and make for terrible policy. Amid this
prospect of a second Cryptowar is the lurking fear that the government might force unwilling companies to include backdoors in their products, even if they're
not required by Congress to do so. We sometimes hear from jaded developers and others who think that all it would take to force a backdoor is
one National Security Letter. While NSLs are unconstitutional, even the government admits that they* [NSLs] can only be used to
obtain limited information, which does not include forcing anyone to backdoor a product. Nevertheless, this fear is feeding some
of the interest generated by the press reports about the government's invocation of All Writs Act in the unlocking cases. *Edited for easier flow
their orders were narrow. The New York federal court allowed the company an opportunity to object if the order was unduly
burdensome, while the federal court in Oakland explicitly stated that Apple is not required to attempt to decrypt, or otherwise
enable law enforcement's attempt to access any encrypted data. [1] It bears remembering that in both cases, the government had
already obtained search warrants for the phones. Thus, the government was invoking the All Writs Act in these cases to effectuate
the warrants, which don't themselves command the companies to do anything. The Act is the mechanism for getting the
companies' assistance. Presumably, these orders concerned phones that the companies were capable of unlocking, though we don't know for sure. If,
on the other hand, the companies simply could not unlock the phones (as would probably be the case for the most recent versions of iOS and Android), the
companies would bring that to the court's attention and that would likely be the end of the matter. A similar dynamic might play out if law enforcement obtained a
warrant for an encrypted phone and sought to use the Act to compel a third party to decrypt it, though the third party might raise different arguments on the
Williams 14 (Lauren C. Williams, tech reporter for ThinkProgress with an affinity for consumer privacy, cybersecurity, tech
culture, and the intersection of civil liberties and tech policy, previous writer for B2B publications, Master's degree from the
University of Michigan and a bachelor's degree from the University of Delaware, ThinkProgress, New Snowden Documents
Reveal that the NSA Can't Hack Everyone, 12/29/14 http://thinkprogress.org/world/2014/12/29/3607160/new-snowdendocuments-show-nsa-proof-encryption-exists/)
A new wave of U.S. National Security Agency (NSA) document leaks show the agency wasn't able to spy on everyone thanks to some
encryption tools several programs use that successfully thwart digital espionage. German magazine Der Spiegel reported the NSA couldn't decipher
communications such as emails and online chat messages from a handful of services that use encryption beyond the NSA's code-cracking abilities, based on documents obtained from former NSA contractor and whistleblower Edward Snowden in 2013. Der Spiegel recently analyzed
NSA documents Snowden previously released to news outlets in 2013. [U]biquitous encryption on the Internet is a major threat to NSA's ability
to prosecute digital-network intelligence (DNI) traffic or defeat adversary malware, an NSA employee said in an internal
training document from 2012. Programs that used OTR or off-the-record or end-to-end encryption such as the anonymous network Tor and professional
software company Zoho's email and chat services proved to be major challenges for the NSA. The agency also reported that it couldn't break into
files using TrueCrypt, a recently decommissioned open-source, whole disk-encryption service, along with other encryption tools that kept some messages
unreadable. The NSA was stumped further if users incorporated a variety of security measures, such as using Tor to connect to the internet, CSpace to send
online messages and ZRTP to make phone calls. That combination made individuals nearly invisible to the NSA, Der Spiegel reported. But the leaked documents
also revealed which services provide little privacy protections. The NSA labeled the services and files such as trivial, moderate or catastrophic based on how
easy they were to decrypt. Hacking into Facebook chats were considered minor, Der Spiegel reported, while getting emails through mail.ru, a Moscow internet
service provider was a moderate task. Moreover, using a virtual private network or VPN provides minimal security. VPNs, which can be used to circumvent
online government censorship and surveillance, is exploited by the NSA thanks to a team dedicated to hacking VPN connections such as the ones used by
Greek government agencies. Public concerns over government surveillance have swelled and fueled a global push for better privacy
practices, including standardized encryption across the internet since last year's Snowden revelations. The NSA released a slew of
redacted documents Christmas Eve detailing how the agency and others in the intelligence community knowingly or unwittingly violated privacy laws to
collect data. The document release confirms earlier reports and suspicions that the agency's spy programs mainly collected private online
communications from ordinary citizens rather than suspected terrorists. Earlier this year, Snowden encouraged tech companies at
the SXSW conference to take the lead by encrypting all of their services to combat government surveillance. Everyday citizens have
heeded Snowden's advice, increasing encryption use more than 60 percent since news of the NSA's spy program hit in
2013. Tech companies such as WordPress, Tumblr and Google have also boosted their web security with tougher encryption measures.
International governments have also taken more precautions to prevent U.S. intelligence agencies from eavesdropping on official
communications. Germany and Russia vowed earlier this year to switch to paper communications including handwritten
notes and typewriters to avoid detection. Other countries have responded by beefing up their own spy programs or doubling down on American
tech companies operating overseas. Companies such as Google and Facebook have had to combat international threats to ban their services if the companies
fail to adhere to strict privacy guidelines. European regulators have chastised the companies for disregarding consumer privacy, and have moved to rein in
indiscriminate voracious data collection practices. Italy recently gave the company 18 months to adopt newly imposed privacy policies that would
require the company to routinely purge user data and get expressed permission before tracking consumers' internet activity for advertisements. Facebook is
awaiting a controversial European Union high court ruling that could determine whether the social network illegally let the NSA spy on European users. If the
company loses, other tech companies could face tougher privacy laws, like getting expressed permission to collect and store consumer data, if they want to
do business in Europe.
agency, causing entire messages to disappear from the system, leaving only the message: "No decrypt available for
this PGP encrypted message."
Bankston 4/29/15 - Kevin S. Bankston: Policy Director of New America's Open Technology Institute & Co-Director of New America's Cybersecurity Initiative. Kevin was a Senior Counsel and the Director of the Free Expression Project
at the Center for Democracy & Technology. He is the Director of New America's Open Technology Institute. Master's from the
University of Southern California Law School (Before the U.S. House of Representatives Subcommittee on Information
Technology of the Committee on Oversight and Government Reform: Hearing on Encryption Technology and Possible U.S.
Policy Responses., Kevin S. Bankston, April 29, 2015, https://static.newamerica.org/attachments/2982-at-crypto-hearing-bestarguments-against-backdoor-mandates-come-from-members-of-congressthemselves/Bankston_Oral_Testimony.ffdedda50c6149309d6d6da935795ed7.pdf)//chiragjain
In September, Apple and Google enhanced the security of all smartphone users by modifying the
operating system software of iPhones and Android smartphones, respectively, to ensure that the contents
of those phones are encrypted by default such that only the user can decrypt them. 1 However, instead of
praising those companies for taking a step that would help prevent countless crimes and data breaches, a variety of high-level
law enforcement and intelligence officials instead quickly raised concerns that such unbreakable
encryption -- whether in the context of smartphones or in the context of end-to-end encrypted Internet communications -- may
pose a challenge to law enforcement and intelligence investigations.2 Several officials have even gone so
far as to urge Congress to pass legislation to address the issue,3 presumably by requiring companies to build their
systems such that even when their users' data is encrypted, the government can still obtain the plain text of that data when necessary
to a lawful investigation. Put more colloquially, they seem to be suggesting that companies build backdoors
into their encrypted products and services in order to allow surreptitious access by the government.
end encryption means that the service provider cannot look at your communications even if they wanted to.
A2 DA BACKDOORS GOOD
The going dark argument should not be used as a reason to support back doors or other special access
by law enforcement to encrypted communications. Last Wednesday I had the privilege of testifying before the Senate Judiciary Committee on the balance
between public safety and encryption. I have been researching and writing on encryption for two decades, including serving on President Obama's Review Group
on Intelligence and Communications Technology. My testimony stressed three arguments: First, I agree that there are indeed specific ways that law
enforcement and national security agencies lose specific previous capabilities due to changing encryption technology. These specific
losses, however, are more than offset by massive gains, including: (1) location information; (2) information about contacts and
confederates; and (3) an array of new databases that create digital dossiers about individuals' lives. The adoption in the past 20 years of text
messaging, an area highlighted by law enforcement as an example of going dark, specifically shows enormous gains to law enforcement.
Although relatively few text messages were sent 20 years ago, by 2010 the number exceeded 6 trillion texts per year. For the predominant share of those
messages, the content is available from the provider. Even for the subset where the content is encrypted, law enforcement can gain access
to the metadata. Being able to access texts and other metadata is enormously helpful in mapping the social graphs of suspects. Before
we all communicated online, most of our social interactions (except our phone calls) left no records, and the content of communications left no trace unless law
enforcement happened to have an active wiretap on a phone call. Today, however, metadata leaves traces of every electronic communication a suspect has,
showing whom they speak to, how often, how long, and from where. Identifying these other confederates gives law enforcement the opportunity to use a number
of other tools to access encrypted content, ranging from confidential informants, to surveillance on the co-conspirators, to offering immunity to one participant to
gain access to the content of communications with the others. Law enforcement has expressed particular concern about encrypted text messaging services,
such as WhatsApp. For text messages, it might be tempting to say that law enforcement could call the glass half empty (some texts are encrypted) or half full
(some texts are in the clear). With more than 6 trillion messages filling the cup, though, it takes chutzpah to say the glass is empty. Text messages are a
Yen 15, (Andy, Graduate from Harvard Physics and Economics, Scientist at European organization
for Nuclear research, Co-founder of Protonmail an email encryption startup, Idea for Ted Talks,
Why we should all care about encryption. Really, http://ideas.ted.com/why-we-should-all-careabout-encryption-really/, AL)
Back in summer 2013, the Edward Snowden revelations got me thinking. How much of our lives are compromised when security agencies or
hackers, or anyone else can read our emails? Emails paint an intimate narrative of ourselves -- the people we talk to, the
books we read, the politics we practice. This information is powerful. When we lose control over it, it can do great harm to
ourselves and our loved ones. I realized that I wasn't comfortable with the power contained within this information, nor with my lack of control over it.
BANNING ENCRYPTION WON'T STOP TERROR ATTACKS OR END RELIGIOUS EXTREMISM. BUT SUCH A BAN WOULD
STIFLE DEMOCRATIC MOVEMENTS, SCUTTLE ONLINE SECURITY, AND UNDERMINE OUR OPEN SOCIETY. In fact, no one
I talk to is comfortable with this information or with its power. But too often, they seem to prefer not to think about these things. Perhaps they imagine their
intimate data tucked away on an anonymous server somewhere, forgotten, and that its potential to impact their lives will remain untapped. I'm not so sure. That's
why I partnered with colleagues from MIT and CERN to build a free, encrypted email service that offers users absolute control over their data. So why does
encryption matter, anyway? Well, some would have you believe that encryption is a tool for the bad guys, enabling terrorists to have
an easy way of plotting their next crimes. In reality, banning encryption won't stop terror attacks or end religious extremism. But
such a ban could stifle democratic movements, scuttle online security, and undermine our open society. Here are three more reasons we should pay attention to
encryption.
waste of time and effort. Terrorists are, they say, far more likely to use steganography, which involves obscuring messages
from detection in the first place, as well as straightforward codeword-based messages. If I was a terrorist, the last thing I would do is use
encryption, says Brian Gladman, a UK computer scientist. We need to find out whether encryption was used in these events at all.
technology as gunpowder or firearms, policymakers need to appreciate the irreversibility of this paradigm
shift and adapt. Quite simply, governments no longer enjoy a monopoly on technologies like cryptographic
protocols or offensive cyberwarfare exploits. There are no tech magic bullets to address these policy challenges." The
Passcode Influencers Poll brings together a diverse group of more than 80 security and privacy experts from across
government, the private sector, academia, and the privacy community. To preserve the candor of their responses,
Influencers have the choice to keep their comments anonymous, or voice their opinions on the record.
Non-unique: unbreakable encryption inevitable- bad actors will develop strong encryption
Bankston 15 <Kevin Bankston, Policy Director of New America's Open Technology Institute & Co-Director of New America's
Cybersecurity Initiative, 4/29/2015, Hearing on Encryption Technology and Possible U.S. Policy Responses,
https://static.newamerica.org/attachments/2982-at-crypto-hearing-best-arguments-against-backdoor-mandates-come-frommembers-of-congress-themselves/Bankston_Written_Testimony.5876d326c5fc4e0cbd17b59e8d53384f.pdf p.7>//wx
4. It would not succeed at keeping bad actors from using unbreakable encryption. Encryption technology and the ability to create it was already
becoming widespread during the original Crypto Wars,25 and at this point is nearly ubiquitous. And, as was true then, much of that
technology is free and open source. For example, there are the open source versions of PGP encryption software that are still the most popular end-to-end email encryption solution, the OpenSSL software library that has long been used to encrypt vast amounts of every-day web traffic, open source disk
encryption programs like TrueCrypt, the open source Off-The-Record instant messaging encryption protocol used by a wide variety of IM clients, and the TOR
onion routing software originally developed by the Naval Research Laboratory that is now widely used to circumvent oppressive governments' censorship
regimes and allow for anonymous online browsing.26 A government mandate prohibiting U.S. companies from offering products or services
with unbreakable encryption is of little use when foreign companies can and will offer more secure products and services, and
when an independent coder anywhere on the planet has the resources to create and distribute free tools for encrypting your
communications or the data stored on your mobile devices. As former Homeland Security Secretary Michael Chertoff recently put it, [T]hat genie is not going
back in the bottle.27 The result is that a U.S. government-mandated backdoor into the encrypted products and services of U.S. companies, while
undermining the information security of millions of ordinary Americans and the economic security of the American tech industry, would do little to
prevent bad actors from taking advantage of strong encryption. Or, as PGP's inventor Phil Zimmerman famously said in the 90s: If privacy is
outlawed, only outlaws will have privacy.28 Not only is such a mandate likely to be ineffective, but also...
Encryption will inevitably be used - availability too widespread, US govt can't check
Bryen 7/11/15 <Stephen, a Washington DC-based leader in both the public and private sectors. He served in a senior position on the US
Senate Foreign Relations Committee, as Deputy Under Secretary of Defense, as the founder and first Director of the Defense Technology
Security Administration, and as the President of Finmeccanica North America, Italy's largest defense and high technology company, 7/11/15,
Regulating Encryption: Can it be Done? Yes., Business to Community, http://www.business2community.com/tech-gadgets/regulatingencryption-can-it-be-done-yes-01271230>//wx
enforcement can tap encrypted phones or computers and properly do its job. But the question is, is there a practical solution? I have been in the encryption
business, or more clearly I have built commercial products that use encryption. In the early 1990s I founded a company called SECOM (for Secure
Communications). We developed a computer chat program that provided a secure, encrypted chat. In those days the Internet was only just getting underway and
everyone was using modems (there was no WIFI or data connections except for big business and banks). Nor were there smartphones. The PC, however, was
very popular and we built our product to run on PCs running MSDOS or Windows. And because computers were slow, we built a little plug in computer card
which did the actual encryption and decryption work. Then the fun began. NSA did not like our solution because it was too hard to crack, so they recommended
reducing the key size. It got to the point where the key size was too small to assure security, and after thinking it over (and investing a lot of development money),
we decided we could not sell a product that failed in its critical mission: to protect the users from intercepts. We closed the company.
It was a bad outcome for us. And, as we pointed out at the time, because we used hardware
and software we could have controlled who the end users were and assured that only bona fide users, not criminals or terrorists, would have access to the
product. What we went through was nothing new. A few years before IBM had proposed building encryption into all PCs so that all the data stored by them would
be secure. NSA again objected, and despite IBM bringing rather heavy guns to bear on the problem, in the person of a direct appeal from the chairman of IBM to
the head of the NSA, IBM had to stand down. No encryption chips would live on the IBM circuit board. NSA and its counterpart the National Institute of Science
and Technology (NIST) wear two different hats: on the one hand NSA is charged with carrying out spying in support of its US government customers; on the
other NSA and NIST produce guidelines for security and even sponsor encryption solutions such as the Advanced Encryption Standard (AES) which has
replaced the old Data Encryption Standard (or DES). These sponsored products can be used without any licenses and can be exported abroad. It may seem
odd, therefore, that the government is worried about encryption if it is also facilitating its development and export. We can add to that
known efforts by NIST to actually publish a random number generator for so-called elliptical curve encryption was found to be buggered. The buggered product
found its way into corporate security systems in the US and around the world. The latest alarm in our government is more a consequence of the embarrassing
and dangerous leaks by Edward Snowden than anything directly to do with ISIS. Terrorists have been using encryption for a number of years,
and they easily get it on the open market. The Russians, Chinese, Europeans, Israelis as well as many companies in the United
States develop and sell a wide range of security products that use encryption. And the Dark Web on the Internet is also a source of
supply for covert type programs and applications. My own thought is that the government is trying very hard to cut a deal with Snowden so that he
will serve a little jail time and then shut up. It seems he still has a large bagful of information that exposes US spying activities. In fact that is the only logical way
to interpret statements by our former attorney general Eric Holder who says a deal is possible with Snowden. He should know. Whatever the case, the
availability of encryption on a global scale seems to suggest that trying to control it is a furtive exercise. But that is what the government
is saying. So the question is what can the government actually do to mitigate the situation? Many in Silicon Valley (and here we are talking about most of the
really big high tech computer and mobile players in the United States) worry that the government will insist on putting a back door into their encryption schemes,
or some other way where the government can get into encrypted communications and data transfers. Clearly this is a scheme the government has pursued for a
long time, but it brings with it two risks: either the security is so weak as to be meaningless, pushing users to outside solutions or the backdoor or hole in the
system is uncovered, as Snowden has already proven. But there is even a third risk: that the backdoor or hole is uncovered by a professional adversary such as
China or Russia, meaning that everything you thought was safe is out the window. Given the plethora of escalating exponential cyber attacks on our government
and on corporate America, this solution is far more dangerous than abandoning encryption altogether, largely because it creates a false expectation of security.
An alternative solution the government could pursue is simply to make the use of encryption in the United States illegal. Such a thing would be very hard to
enforce, but in the mobile world it can be done basically by shutting down any encrypted communication that is unauthorized. The technology for this certainly
exists today in the form of network sniffers and scanners. A modified form of the no encryption approach is to allow encryption only on authorized devices that US
industry and licensed political and social organizations can use. To me this makes a lot of sense, and in fact I proposed an alternative idea back in the 1980s
when I dealt with export controls. The idea propounded then was a sort of Gold Card for industry allowing them to get around the red tape and delays that hurt
their business performance. The idea has merit. We are using it today at American airports, either to have more rapid treatment in security processing (the so
called PRE benefit) or as part of the Global Access Program to allow Americans who travel a lot to get past long lines at border crossings, especially airports.
Such a scheme would make sense in protecting America and allowing us to secure our communications and data. Naturally it would not stop terrorists from using
encryption, but they would not be able to use it with their clients and wannabes in the United States. Such communications would be taken down by scanners. I
think this is an excellent solution for law enforcement because it forces the bad guys out into the open. Then it is law enforcement's job to put them out of
business here. And it is the job of the DOD and CIA to shut them down beyond our borders. Above all else it is vastly important to make America safe, and it is
vital that our communications can be secure and our data repositories free from exploitation. This the government itself should understand from its gross
mishandling of sensitive but unclassified information, like the millions of non-encrypted records recently stolen by the Chinese. Let's hope we can arrive at a
sensible solution to security for America.
--xt no compliance
Companies won't comply regardless, empirics prove
Golumbic 7 (Charles Martin, University of Haifa, Professor of Computer Science, and Director of the
Caesarea Rothschild Institute for Interdisciplinary Applications of Computer Science, Fighting Terror
Online: the Convergence of Security, Technology, and the Law)//MP
Those involved in the private sector have a clear interest in developing their products in line with the
demands of the market, without any restrictions. Consequently, policy makers must consider the potential consequences
of encryption policy on research and development by the private sector: What economic influence would regulation have on
incentives for private companies? Would such consequences be desirable for private companies and for the market as a whole?
Governmental non-intervention is the desired approach from the point of view of industry concerning
regulating encryption and export of the means of encryption. During the period when restrictions were
more stringent, computer companies protested against them and called for reform. Their call was
supported by the fact that these restrictions had a serious economic effect on American companies. The
CSPP (Computer Systems Policy Project) called for a change in policy and an opening of borders, because
export restrictions were affecting the ability of American companies to compete effectively in world
markets
Bicchierai 5/19/15 <Lorenzo Franceschi, writer at Motherboard, a magazine covering technology and science,
Everyone in Tech Hates the Idea of Ruining Encryption, Motherboard,
http://motherboard.vice.com/read/everyone-in-tech-hates-the-idea-of-ruining-encryption>//wx
For months, government officials have railed against encryption technology that protects user data from being stolen by hackers but also makes it
difficult for cops to access or intercept. On Tuesday, the tech industry is saying enough. A letter signed by pretty much everyone in
Silicon Valley, including Google, Apple, Yahoo, Twitter, and Facebook, as well as dozens of security and privacy experts and many
civil liberties organizations, urges President Barack Obama to say no to any proposal that would force companies to weaken the security of
their products so that law enforcement authorities can access customer data. The plea comes after months of public debate over encryption,
which was sparked when Apple announced that data on the new iPhone would be encrypted by default and that even the company wouldn't be able to access
it. After that announcement, FBI Director James Comey has been urging companies to backtrack and give law enforcement a way in, because otherwise
widespread encryption will lead us all to a very dark place where authorities can't get key evidence when they need it. Despite these complaints, the FBI and
other government agencies have failed to put forward a concrete proposal that would give consumers strong encryption while also providing cops and feds a way
in. Experts have accused the officials of asking for backdoors, which are intentional vulnerabilities designed to give access to otherwise secure systems, while
officials have defended their requests saying they simply want legal frontdoors. "Whether you call them frontdoors or backdoors,
introducing intentional vulnerabilities into secure products for the government's use will make those products less secure against
other attackers," the letter reads. The letter goes on to argue that not only backdoors aren't technically feasible, but they're a bad idea because if the US
gets them, then other governments will feel legitimized to demand them too, which will undermine human rights and information security around the globe. "The
result will be an information environment riddled with vulnerabilities that could be exploited by even the most repressive or dangerous regimes," the letter reads.
"That's not a future that the American people or the people of the world deserve." Another issue, the letter continues, is that it will hurt American companies operating abroad, as
consumers and businesses will turn to other companies offering products that have stronger protections. A White House spokesperson declined to comment.
The letter was sent by New America's Open Technology Institute and was signed by leading civil liberties organizations such as the American Civil
Liberties Union, the Electronic Frontier Foundation, and independent security and cryptography experts such as Bruce Schneier, Matthew Green, Matt Blaze and
Steven Bellovin. Other companies that put their name on the letter include Microsoft, Adobe, Cisco, and Dropbox. "We decided it was
time for the Internet community - industry, advocates, and experts - to draw a line in the sand," New America said in a press release.
basic necessity, not a luxury. And now Apple, that quintessential mass-market supplier of technology, seems to have gotten the
message. With an eye to market demand, the company has taken a bold step to the side of privacy, making strong crypto the
default for the wealth of personal information stored on the iPhone. And the backlash has been as swift and fevered as it is wrongheaded. At
issue is the improved iPhone encryption built into iOS 8. For the first time, all the important data on your phone - photos, messages, contacts, reminders, call
history - are encrypted by default. Nobody but you can access the iPhone's contents, unless your passcode is compromised, something you can make nearly
impossible by changing your settings to replace your four-digit PIN with an alphanumeric password. Rather than welcome this sea change, which makes
consumers more secure, top law enforcement officials, including US Attorney General Eric Holder and FBI director James Comey, are leading a
charge to maintain the insecure status quo. They warn that without the ability to crack the security on seized smartphones, police
will be hamstrung in critical investigations. John Escalante, chief of detectives for Chicago's police department, predicts the iPhone will become the phone of
choice for the pedophile. The issue for law enforcement is that, as with all strong crypto, the encryption on the iPhone is secure even from the maker of the device.
Apple itself can't access your files, which means, unlike in the past, the company can't help law enforcement officials access your files, even if presented with a
valid search warrant. That has led to a revival of a debate many of us thought resolved long ago, in the crypto wars of the 1990s. Back then, the Clinton
administration fought hard to include trapdoor keys in consumer encryption products, so law enforcement and intelligence officials -
NSA being a chief proponent - could access your data with proper legal authority. Critics argued such backdoors are inherently insecure. Trapdoor
keys would be an irresistible target for corrupt insiders or third-party hackers, and would thus make Americans more vulnerable to criminals, foreign intelligence
services, corrupt government officials, and other threats. Additionally, foreign technology companies would gain a competitive advantage over the US, since
they'd have no obligation to weaken their crypto. The feds lost the crypto wars, but without serious consumer demand, strong encryption has crept onto our
gadgets only for narrow purposes, like protecting Internet transactions. The iPhone encrypted email and calendar entries, but little else. Now that
Snowden's revelations have reinforced just how vulnerable our data is, companies like Apple and Google, who were painted as NSA collaborators in the
earliest Snowden leaks, are newly motivated to demonstrate their independence and to
However it got there, Apple has come to the right place. It's a basic axiom of information security that data at rest should be encrypted. Apple should be
lauded for reaching that state with the iPhone. Google should be praised for announcing it will follow suit in a future Android release. And
yet, the argument for encryption backdoors has risen like the undead. In a much-discussed editorial that ran Friday, The Washington Post sided with law
enforcement. Bizarrely, the Post acknowledges backdoors are a bad idea - a back door can and will be exploited by bad guys, too - and then proposes one in
the very next sentence: Apple and Google, the paper says, should invent a secure golden key that would let police decrypt a smartphone with a warrant. The
paper doesn't explain why this golden key would be less vulnerable to abuse than any other backdoor. Maybe it's the name, which seems a product of the
same branding workshop that led the Chinese government to name its Internet censorship system the golden shield. What's not to like? Everyone loves gold!
Implicit in the Post's argument is the notion that the existence of the search warrant as a legal instrument obliges Americans to make their data accessible: that
weakening your crypto is a civic responsibility akin to jury duty or paying taxes. Smartphone users must accept that they cannot be above the law if there is a
valid search warrant, writes the Post. This talking point, adapted from Comey's press conference, is an insult to anyone savvy enough to use encryption. Both
Windows and OS X already support strong full-disk crypto, and using it is a de facto regulatory requirement for anyone handling sensitive consumer or medical
data. For the rest of us, it's common sense, not an unpatriotic slap to the face of law and order. This argument also misunderstands the role of the search
warrant. A search warrant allows police, with a judge's approval, to do something they're not normally allowed to do. It's an instrument of permission, not
compulsion. If the cops get a warrant to search your house, you're obliged to do nothing except stay out of their way. You're not compelled to dump your
underwear drawers onto your dining room table and slash open your mattress for them. And you're not placing yourself above the law if you have a steel-reinforced door that doesn't yield to a battering ram. You have to feel for Apple. The company's slovenly security on iCloud made it the butt of jokes for weeks
after the leak of celebrity nude photos. Before that, the Goto Fail bug drew guffaws from computer security experts and inspired mocking tee shirt designs. With
the release of iOS 8, Apple made a privacy improvement so dramatic that it should rightly wipe out the taint of these security failures.
Instead, the company is bashed by the nation's top law enforcement official and the editorial board of one of the country's most prestigious
newspapers. Yes, some investigations will be frustrated by strong crypto on the iPhone and Android. Some criminals who otherwise would be convicted will get
away. But cops will still seize plenty of phones in an unlocked state. Of the others, many crooks will choose insecure passcodes, or write their code on a Post-It.
Still more will hand over their passcodes or unlock their phones voluntarily in the hope of buying leniency; experienced cops are adept at convincing suspects to
cooperate against their best interests. There's even a growing body of case law saying suspects can be compelled by the court to surrender their crypto keys
under certain circumstances, despite the protections of the Fifth Amendment. That has its own issues, but at least the suspect gets a chance to be heard in court
before a search is conducted, instead of after, as with the current search warrant regime. On balance, smartphones have been a gold mine to police, and the
mild correction imposed by serious crypto will still leave the cops leaps and bounds ahead of where they were seven years ago, while making everyone more
secure from the overreach of the authorities and the depredations of criminal hackers. The law enforcement officials criticizing Apple should put
aside the sense of entitlement they've developed in those seven years and spend some time thanking Apple and Google for making things so
easy for them for so long.
whether or not we can live within the Constitution or whether or not we have to go around the Constitution.Footnote 73 Encryption
Debate Meanwhile, intelligence
FBI Director James Comey said. Current laws that require telecommunication companies to enable law enforcement (with a court
order) to wiretap landline telephones are outmoded, Comey said, and don't cover new means of communication such as
cellphones.Footnote 74 But technology
Google said it
would follow suit with its Android operating system. This means the companies
themselves won't be able to unlock phones, laptops, and tablets, Comey said. [Encryption]
will have very serious consequences for law enforcement and national security agencies
at all levels. Sophisticated criminals will come to count on these means of evading detection.Footnote 76 But Laura Murphy,
director of the ACLU's Washington legislative office, said, We applaud tech leaders like Apple and Google
that are unwilling to weaken security [in order] to allow the government yet another tool
in its already vast surveillance arsenal. We hope that others in the tech industry follow their lead.Footnote 77
Beginning in 2000, according to documents leaked by then-NSA contractor Snowden, the NSA began to work with
technology companies to build backdoors - entry points that bypass security
measures in otherwise encrypted computer systems, including cellphones - into their
products to allow the agency to intercept suspect communications.Footnote 78 Mark Jaycox,
servers.Footnote 75 Comey criticized Apple's decision, noting that, shortly after Apple's announcement,
legislative analyst for the Electronic Frontier Foundation, a San Francisco-based organization that supports digital privacy, says the
NSA's insistence on backdoors helped create the privacy problem. If
Exceptional access does not even help law enforcement - border issue, noncompliant actors.
Schneier et al 15 Bruce Schneier is an American cryptographer, computer security and privacy specialist, and writer. He is
the author of several books on general security topics, computer security and cryptography. Other authors are all security experts
from all places. Most are from MIT (Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications; 2015-07-06; http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8; Page 15-17)//pk
Since there is no specific statement of law enforcement requirements for exceptional access, we consider what we understand to be a very general set of
electronic surveillance needs applicable in multiple jurisdictions around the world. Our goal here is to understand the general nature of security
risks associated with the application of exceptional access requirements in the context of traditional categories of electronic
surveillance. Law enforcement agencies in different countries have presented different requirements at different times, which we will treat under four headings:
access to communications content, access to communications data, access to content at rest, and covert endpoint access. All types of access must be controlled
and capable of being audited according to local legal requirements; for example, under the requirements of US law, one must respect the security and privacy of
non-targeted communications.8 3.1 Access to communications content Most police forces are permitted to access suspect data. In countries with
respect for the rule of law, such access is carefully regulated by statute and supervised by an independent judiciary, though most of
the world's population do not enjoy such legal protections. Law enforcement access might be to a central database of unencrypted messages
where this exists at a central provider. Where there is no central database, such as for a telephone or video call, the police must tap the
communication as it happens. How might an exceptional access requirement be implemented to enable for access to
communications content? If the data is encrypted, the most obvious mechanism to allow for police access would require that traffic between Alice in
country X and Bob in country Y would have its session key also encrypted under the public keys of the police forces in both X and Y, or of third parties trusted by
them. This, however, raises serious issues. First, any escrow requirement will restrict other important security functionality such as
forward secrecy, the use of transient identities, and strong location privacy. As illustrated in the scenario analysis above, an
exceptional access requirement overlaid on the traditional content surveillance will put the security of the content at risk. To the
extent that capabilities exist to provide law enforcement exceptional access, they can be abused by others. Second, the global
nature of Internet services makes compliance with exceptional access rules both hard to define and hard to enforce. If software
sold in country X will copy all keys to that country's government, criminals might simply buy their software from countries that
don't cooperate; thus, US crooks might buy their software from Russia. And if software automatically chooses which governments to copy using
a technique such as IP geolocation, how does one prevent attacks based on location spoofing? While it is possible to design mobile phone
systems so that the host jurisdictions have access to the traffic (so long as the users do not resort to VoIP), this is a much harder task for general-purpose
messaging applications. Third, one might have to detect or deter firms that do not provide exceptional access, leading to issues around
certification and enforcement. For example, if the US or the UK were to forbid the use of messaging apps that are not certified under a new escrow law,
will such apps be blocked at the national firewall? Will Tor then be blocked, as in China? Or will it simply become a crime to use such software? And what is
the effect on innovation if every new communications product must go through government-supervised evaluation against some
new key escrow protection profile? 3.2 Access to communications data Communications data traditionally meant call detail records and
(since mobile phones became common) caller location history; it was obtained by subpoena from phone companies, and is used in the
investigation of most serious violent crimes such as murder, rape, and robbery. Communications data remains widely available
as service providers keep it for some time for internal purposes. However, police forces outside the US complain that the move to
globalized messaging services makes a lot of data harder to obtain. For example, emails are now typically encrypted using TLS; that is, the
message is encrypted between the user's computer and the service provider (e.g., Google for Gmail, Microsoft for Hotmail, etc.). Thus, to acquire the
communications in plaintext, law enforcement must serve the email provider with a court order. A new UK surveillance law may require
message service firms like Apple, Google, and Microsoft to honor such requests expeditiously and directly as a condition of doing business in the UK. So will
there be uniform provisions for access to communications data subject to provisions for warrants or subpoenas, transparency,
and jurisdiction? As already noted, determining location is not trivial, and cheating (using foreign software, VPNs, and other proxies) could be
easy. Criminals would turn to noncompliant messaging apps, raising issues of enforcement; aggressive enforcement might
impose real costs on innovation and on industry generally. 3.3 Access to data at rest Communications data are one instance of the general
problem of access to data at rest. Almost all countries allow their police forces access to data. Where basic rule of law is in place, access is under
the authority of a legal instrument such as a warrant or subpoena, subject to certain limits. Many corporations already insist on escrowing keys
used to protect corporate data at rest (such as BitLocker on corporate laptops). So this is one field with an already deployed escrow
solution: a fraud investigator wanting access to a London rogue trader's laptop can simply get a law enforcement officer to
serve a decryption notice on the bank's CEO. But still, many of the same problems arise. Suspects may use encryption software
that does not have escrow capability, or may fail to escrow the key properly, or may claim they have forgotten the password, or may actually
have forgotten it. The escrow authority may be in another jurisdiction, or may be a counterparty in litigation. In other words, what works
tolerably well for corporate purposes or in a reasonably well-regulated industry in a single jurisdiction simply does not scale to a
global ecosystem of highly diverse technologies, services, and legal systems. Another thorny case of access to data at rest arises when the
data is only present on, or accessible via, a suspect's personal laptop, tablet, or mobile phone. At present, police officers who want to catch a suspect
using Tor services may have to arrest him while his laptop is open and a session is live. Law enforcement agencies in some
countries can get a warrant to install malware on a suspect's computer. Such agencies would prefer antivirus companies not to
detect their malware; some might even want the vendors to help them, perhaps via a warrant to install an upgrade with a remote monitoring tool
on a device with a specific serial number. The same issues arise with this kind of exceptional access, along with the issues familiar from
covert police access to a suspect's home to conduct a surreptitious search or plant a listening device. Such exceptional access
would gravely undermine trust and would be resisted vigorously by vendors
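The mechanism the excerpt above describes (a session key "also encrypted under the public keys of the police forces in both X and Y") and its cost to forward secrecy can be shown in a short model. This is an added illustration, not code from the Keys Under Doormats report; the toy Diffie-Hellman group, the hash-based cipher and all function names are assumptions chosen so the sketch runs on the Python standard library alone.

```python
"""Toy model: an ephemeral DH session, with and without escrow key wrapping."""
import hashlib
import hmac
import secrets

# Toy group parameters picked for brevity (assumption; not production crypto).
P = 2**255 - 19
G = 2


def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in 2 .. P-2
    return priv, pow(G, priv, P)


def kdf(shared: int, label: bytes) -> bytes:
    return hashlib.sha256(label + shared.to_bytes(32, "big")).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode as a stand-in stream cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def seal(key: bytes, plaintext: bytes):
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = _xor_stream(enc_key, plaintext)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(key: bytes, ct: bytes, tag: bytes):
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                               # wrong key or tampered data
    return _xor_stream(enc_key, ct)


def send_message(plaintext: bytes, escrow_pubs: dict) -> dict:
    """Return only what crosses the wire; ephemeral secrets die with this call."""
    a_priv, a_pub = keypair()                     # Alice's ephemeral key
    b_priv, b_pub = keypair()                     # Bob's ephemeral key
    session_key = kdf(pow(b_pub, a_priv, P), b"session")
    assert session_key == kdf(pow(a_pub, b_priv, P), b"session")
    ct, tag = seal(session_key, plaintext)
    wraps = {}
    for agency, pub in escrow_pubs.items():
        # Escrow step: wrap the session key under each agency's LONG-TERM key.
        e_priv, e_pub = keypair()
        wrap_key = kdf(pow(pub, e_priv, P), b"escrow")
        wraps[agency] = (e_pub, *seal(wrap_key, session_key))
    return {"a_pub": a_pub, "b_pub": b_pub, "ct": ct, "tag": tag, "escrow": wraps}


def recover_with_escrow_key(wire: dict, agency: str, escrow_priv: int):
    """What any holder of an escrow private key can do with recorded traffic."""
    entry = wire["escrow"].get(agency)
    if entry is None:
        return None                               # no escrow copy: nothing to unwrap
    e_pub, wrapped, wtag = entry
    wrap_key = kdf(pow(e_pub, escrow_priv, P), b"escrow")
    session_key = unseal(wrap_key, wrapped, wtag)
    if session_key is None:
        return None
    return unseal(session_key, wire["ct"], wire["tag"])


if __name__ == "__main__":
    x_priv, x_pub = keypair()                     # constructed escrow keys
    y_priv, y_pub = keypair()
    msg = b"constructed sample message"
    print(recover_with_escrow_key(send_message(msg, {}), "X", x_priv))
    print(recover_with_escrow_key(send_message(msg, {"X": x_pub, "Y": y_pub}), "Y", y_priv))
```

Without the escrow field, a recording of the session is useless once the ephemeral keys are discarded; with it, every recorded session stays readable for as long as either escrow private key exists, whoever ends up holding it.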
Peterson 15 <Andrea, reporter covering technology policy for The Washington Post, with an emphasis on cybersecurity,
consumer privacy, transparency, surveillance and open government, cites litany of tech experts, 2/19/15, What President Obama is getting
wrong about encryption, Washington Post, https://www.washingtonpost.com/blogs/the-switch/wp/2015/02/19/what-president-obama-is-gettingwrong-about-encryption/>//wx
President Obama tried to walk a very fine line on encryption, the technology that secures much of the communications that occur online, during his
recent visit to Silicon Valley -- saying that he is a supporter of "strong encryption," but also understands law enforcement's desire to access data. "I lean probably
further in the direction of strong encryption than some do inside of law enforcement," Obama said during an interview with tech news site re/code. "But I am
sympathetic to law enforcement because I know the kind of pressure they're under to keep us safe. And it's not as black and white as it's sometimes portrayed."
But the technical aspects of encryption actually are quite black and white, experts say, adding that the example Obama used to illustrate the
risks of encryption doesn't match up with how tech companies are deploying the security measure for customers. Obama suggested that the FBI might
be blocked from discovering who a terrorist was communicating with by tech companies' recent efforts to beef up encryption. But
that type of data would still remain available, technical experts say. The White House declined to comment. Tech companies have expanded
their encryption offerings since details about the National Security Agency's efforts to get around security practices were revealed
by former National Security Agency contractor Edward Snowden. Perhaps most notably, Apple and Google have made it so they are unable to
unlock many mobile devices that use their operating systems -- even if served with a warrant. This has set up a conflict between tech
companies and law enforcement officials, who warn such technology can allow bad guys to "go dark" and evade legitimate
attempts at surveillance. Obama tried to explain a scenario where this might harm national security during his re/code interview: Let's say you knew a
particular person was involved in a terrorist plot. And the FBI is trying to figure out who else were they communicating with, in order to prevent the plot.
Traditionally, what has been able to happen is that the FBI gets a court order. They go to the company, they request those records the same way that they'd go
get a court order to request a wiretap. The company technically can comply. With the expansion of encryption, Obama said, a tech company
may have secured that data so well that it would be inaccessible. But that's not actually how the iOS or Android default
encryption works, technical experts say. "The example he gives in his interview is one where encryption deployed by a company prevents them from
being able to tell the government who someone is in contact with," said Christopher Soghoian, the principal technologist at the American Civil Liberties Union's
Speech, Privacy and Technology Project. "That's not taking place right now." Encrypting mobile devices means that a tech company would be unable to help the
government get at the content stored on those devices. But the type of information Obama said the FBI would want to obtain in that example, details about who
the suspect is contacting, is metadata that should be readily available with a court order through the user's e-mail provider or telephone carrier. The
encryption used by Apple and Google's latest mobile operating systems put only the data kept on the devices themselves beyond the
reach of police. Data kept on remote cloud services - which in many cases routinely back up device data such as photographs and other files - are generally
available by court order. In some cases, however, the devices themselves have records of the content of communications, over such services as Apple's
iMessage instant messaging service, that may not be available to law enforcement any other way. Although there may be some ways for bad guys to cover their
tracks, such as using the anonymous browsing tool Tor, Soghoian said, that is not akin to the consumer encryption expansions major companies
such as Google and Apple have been working on.
applications to their technologies. Google's Eric Schmidt argued that the security agencies had only themselves to blame: "The people who criticized this
are the ones who should have expected this." And Apple CEO Tim Cook recently delivered an impassioned defense of encryption, labeling
attempts to undermine encryption "incredibly dangerous." The companies make two arguments. First, technologically, there is no way
to introduce "backdoors" for the government without allowing criminals or terrorists to exploit the same flaws. Second, they argue that
the government has a number of alternatives: Much cellphone data is now stored in the providers' cloud services and can be
retrieved; legal wiretaps of smartphones are not affected; and finally, officials can still retrieve real-time phone records and logs of text messages.
There is also an international dimension to the conflict. British Prime Minister David Cameron, newly re-elected, has vowed to push through legislation that would
force tech companies doing business in Great Britain to provide encryption to police and security officials or risk being banned from that country. In France, in the
wake of the Charlie Hebdo massacre, new security legislation gives sweeping powers to the government to undertake a host of new tactics against future
terrorist attacks. And the loose language may allow similar action against encrypted devices. Back in the United States, the resolution of the standoff is unclear.
McCaul and others have yet to push hard for legislation. The position of the Obama administration remains indeterminate. President Barack Obama has been
equivocal. When queried insistently by the press, he responded that he sympathized with the tech companies: "They're patriots." But the president went on to
note: "If we find evidence of a terrorist plot ... and despite having a phone number, despite having a social media address or e-mail address, we can't penetrate
that, that's a problem." If the syntax was garbled, so was the message. Claude Barfield is a resident scholar at the American Enterprise Institute.
conspirators are so easy to identify, the prosecutors only have to grant immunity to one co-conspirator in order to gain entry into
the content shared with the other suspects. Fourth, the courts have yet to resolve how the Fifth Amendment privilege against self-incrimination applies to opening an encrypted smartphone, especially in a going dark scenario; the courts may decide that the government can
jail suspects for contempt if they refuse to open the phone. Biometric identification, which is increasingly used for smartphones, may be especially available to
law enforcement without triggering the privilege. These four reasons may help explain why it has been so difficult for the FBI and other law enforcement
officials to provide examples of where encryption has frustrated an investigation, and the most recent statistics actually show a
decline in wiretaps encountering encryption in 2014 compared to 2013, hardly evidence of going dark.16 Even where law enforcement
does not gain access to the device (the cornucopia), law enforcement can often get most or all of the relevant data (most of the
cornucopia). I have already discussed much of the data that remains available to law enforcement without recourse to the device itself - location of the phone;
plaintext of emails; meta-data and often plaintext for text messages; and social networking data showing confederates. In addition, as discussed above, cloud
storage often exists for numerous other data-sets, such as cloud storage of photos and videos, location on apps such as Waze and Uber, banking and other
financial apps showing purchases, and so on. Indeed the increasing norm is full-device backups to the cloud. Even for an inaccessible device, therefore, the full
content may be available from an accessible cloud provider. E. Summary on Going Dark vs. Golden Age. To summarize, law enforcement does confront
important challenges as encryption and other effective cybersecurity mechanisms become more pervasive. There will be particular instances where a lawful court
order will not generate the full text of a communication. Nonetheless, numerous other technical trends are moving sharply in the direction of
unprecedented law enforcement access. If the agencies had the choice between 1990-era capabilities or capabilities today, they would choose the
capabilities today.
Encryption doesn't hurt law enforcement - plenty of other ways to access data
Crowley 15 (Patrick, Professor of Computer Science & Engineering at Washington University in St. Louis, leading
researcher on deep packet inspection (DPI) technologies within various academic, commercial, and government
communities, Is Universal End-to-End Encryption Inevitable?, February 20 2015, https://observable.net/blog/dataprivacy-encryption-appropriate-levels/)
This will make law enforcement harder, to be sure. However, there is no credible alternative. In the same way that we cannot make
weapons that only protect the innocent, we cannot make encryption that only protects good secrets. Key-escrow approaches, in
which a trusted authority is given a copy of a key, are well-known targets for attack, and when Apple and Google get out of that
business, we should all take note. There are ways to protect networks and detect misuse and wrongdoing, even in the presence of
strong encryption. To help enterprise customers, our endpoint modeling technique is designed to flourish in the presence of end-to-end encryption. Of course, encryption is no silver bullet for security. There are many ways to access secrets and private
information that are wholly independent of the presence of encryption. We should all rest assured that those charged with
enforcing laws and preserving national security will adapt and make use of other methods to fulfill their responsibilities. Here in
the US, we have laws and systems of due process that lawfully permit surveillance in pursuit of criminals and threats to national
security. Bugs in software, social engineering, and insecure networking protocols will keep those in the surveillance business
productive and effective for many years to come, even when encryption turns the lights out on digital communications.
identity of those contacts helps lead investigators to additional targets of interest, thereby painting a broader and more precise picture of potential criminal or
national security activity.
idea of going dark is that law enforcement has lost something - they used to be able to see something, and now it is dark. But
that is not what has happened. Not so long ago, there were no text messages - in almost all instances, daily communications never created a record of
content, because we spoke to someone in our presence, or called someone on a non-wiretapped phone. A much more accurate comparison with past practice is
that law enforcement has gained an inestimable boon - the recorded meta-data of text messages. The history of SMS (short message
service) illustrates the point. According to one source, the number of SMS sent by a typical cell phone user in 1995 was .4 per month, rising to 35 per user per
month by 2000. By 2010, when per-text charges for text messaging were becoming obsolete, an estimated 6.1 trillion SMS text messages were
sent, in addition to the enormous quantity of text messages sent through Facebook Messenger, WhatsApp, and other data text
services.15 For text messaging, therefore, law enforcement has experienced the new brightness of literally trillions of text
messages per year. For the predominant share of those messages, the content is available from the provider. Even for the subset where the content is
encrypted, law enforcement can gain access to the meta-data, linking suspects and witnesses to their entire social graphs. For text messages, it might be
tempting to say that one can call the glass half-empty or half-full for law enforcement. With over six trillion messages filling the cup, though, it takes
chutzpah to say the glass is empty. Text messages are a prime example of a golden age of surveillance, and not of going dark.
2013 to 22 in 2014. In two of these wiretaps, officials were unable to decipher the plain text of the messages. Three federal
wiretaps were reported as being encrypted in 2014, of which two could not be decrypted. Encryption was also reported for five federal
wiretaps that were conducted during previous years, but reported to the AO for the first time in 2014. Officials were able to decipher the plain text of the
communications in four of the five intercepts.
former FBI assistant director wrote about a kidnapped man who would never have been found without the
ability of the FBI to decrypt an iPhone, only to retract the point hours later because it wasn't true. We've
seen this game before. During the crypto wars of the 1990s, FBI Director Louis Freeh and others would repeatedly use the example
of mobster John Gotti to illustrate why the ability to tap telephones was so vital. But the Gotti evidence was collected using a room
bug, not a telephone tap. And those same scary criminal tropes were trotted out then, too. Back then we called them the Four
Horsemen of the Infocalypse: pedophiles, kidnappers, drug dealers, and terrorists. Nothing has changed. Strong
encryption has been around for years. Both Apple's FileVault and Microsoft's BitLocker encrypt the data on computer hard
drives. PGP encrypts email. Off-the-Record encrypts chat sessions. HTTPS Everywhere encrypts your browsing. Android phones
already come with encryption built-in. There are literally thousands of encryption products without back doors
for sale, and some have been around for decades. Even if the U.S. bans the stuff, foreign companies will
corner the market because many of us have legitimate needs for security. Law enforcement has been
complaining about "going dark" for decades now. In the 1990s, they convinced Congress to pass a law requiring phone
companies to ensure that phone calls would remain tappable even as they became digital. They tried and failed to ban strong
encryption and mandate back doors for their use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the post-Snowden era, they're about to try again.
important lesson from the 1990s is that the decline in surveillance capacity predicted by law enforcement 20 years ago did not
happen. Indeed, in 1992, the FBI's Advanced Telephony Unit warned that within three years Title III wiretaps would be useless: no more
than 40% would be intelligible and that in the worst case all might be rendered useless [2]. The world did not go dark. On the contrary, law
enforcement has much better and more effective surveillance capabilities now than it did then.
A2 DA POLITICS
including a former CIA Director and the White House's former anti-terrorism czar, have already concluded: mandating or even
requesting the insertion of encryption backdoors into U.S. companies' products and services is a bad idea. As demonstrated by their
support for the Sensenbrenner-Massie-Lofgren amendment, the Internet industry and the Internet activists agree, which is why
Rights Watch and the Reporters Committee for Freedom of the Press. It was also signed by 60 security and policy experts including Whitfield Diffie,
one of the co-inventors of the public key cryptography commonly used on the Internet today, and the former White House counterterrorism czar
Richard A. Clarke, who was one of a handful of experts the White House asked to review its security policies after the revelations by Edward J. Snowden.
Apple recently switched on end-to-end encryption in its mobile operating system. Facebook turned on similar encryption in its WhatsApp messaging service. And
Google has unveiled an end-to-end encryption system but has yet to turn it on as the default setting. Once it does, law enforcement will have to go directly to the
user, not the companies, to read those messages. Inside the United States, the most vocal critic of tougher encryption has been James B. Comey, the director of
the Federal Bureau of Investigation. After Apple and Google's encryption announcements last fall, Mr. Comey told an audience that encryption threatens to lead
all of us to a very dark place. Sophisticated criminals will come to count on these means of evading detection, Mr. Comey said. It's the equivalent of a closet
that can't be opened. A safe that can't be cracked. And my question is, At what cost? But technologists say the government's arguments hold little
water. The president has been letting his top intelligence and law enforcement officials criticize companies for making their devices more secure, and letting
them suggest that Congress should pass anti-encryption, pro-back-door legislation, Kevin Bankston, the co-director of New America's Cybersecurity Initiative,
said Tuesday. That's despite unanimous consensus in the technical community that back doors are bad for security, and despite
lawmakers clearly signaling that they think it's a bad idea. At a security conference last month, the nation's leading cryptographers
sharply criticized the notion that the government has a safe way to read encrypted communications. Technically speaking, there's a
serious misunderstanding about key escrow, said Ron Rivest, one of the inventors of the widely used RSA encryption algorithm. The head of the N.S.A.
is misusing this idea.
Ron Wyden (D) of Oregon, a key senator who oversees intelligence programs from his perch on the Intelligence Committee,
says he and other members of Congress will fight hard against government "back doors" into encryption . In fact, he calls the
government's push for access to encrypted devices "a very, very bad idea for both consumers' security and American companies' business."
After former National Security Agency contractor Edward Snowden revealed the sweeping surveillance programs that collected the communications records of
tens of millions of Americans, companies such as Apple and Google came out with stronger encryption measures. In response, senior officials including FBI
Director James Comey and NSA chief Adm. Mike Rogers have demanded a secure channel to access encrypted data which they say is necessary for law
enforcement and intelligence to track criminals and terrorists. What takes my breath away, Senator Wyden said at a breakfast hosted by The Christian Science
Monitor on Friday, is that these are some of the most cutting-edge companies in our country. They pay workers good wages. They're doing important research.
Their brand is on fire around the world. And the federal government is going to say, on the front pages of the paper, it's going to require them to build weaknesses
into their products? What's more, he adds, back door access is dangerous. It's not just the good guys who can have the keys to get in there.
There are a lot of bad guys. Wyden said he was especially disturbed by the calls for back doors now, because the NSA's
overreach with its mass surveillance programs created the problem in the first place. After the disclosures, companies had to find some way to
satisfy consumers' demands for privacy, he said, since American companies find their brand getting hurt around the world and the US, and upwards of $30
billion lost in terms of economic opportunity and consumer confidence. As this issue picks up steam, Wyden says more members of Congress
will join his camp. It is going to be very hard for a member of Congress, in any quarter of America, to stand up and defend the
federal government particularly after the overreach," he said.
Encryption advocates registered a big win this week when it became abundantly clear at a Congressional
oversight hearing that lawmakers are skeptical of the FBI's warnings about the purported dangers of
encryption technology. On Wednesday, five expert witnesses testified before the House Oversight and
Government Reform Committee's Subcommittee on Information Technology on the topic of Encryption
Technology and Potential U.S. Policy Responses. One of those experts was Kevin Bankston, OTI's Policy Director, whose written
testimony laid out 10 reasons why backdoor mandates are a bad idea. (Read Bankston's shorter oral statement here.) Bankston was joined on the panel by
technical expert Dr. Matthew Blaze, a respected computer science professor who, among other things, discovered a fatal flaw in the U.S. government's Clipper
Chip proposal in 1994; Jon Potter, President of the Application Developers Alliance, who discussed the impact of backdoor mandates on companies; Amy Hess,
from the Science and Technology Branch of the FBI, who explained the agency's concerns about strong encryption; and Daniel Conley, District Attorney of
Suffolk County, a representative of local law enforcement interests. Although Blaze, Potter, and Bankston made a compelling case in favor of strong encryption,
many of the best arguments against the idea of mandated backdoors came from the members of Congress themselves. Three
is suggesting that the FBI wants "to use the front door with
clarity and transparency." Either way, leaving a channel open could be considered a huge step backwards for privacy and security, as hackers could
obtain anyone's information once the path was discovered. Some see the request as little more than the resurgence of the "Crypto Wars" from the '90s, but with
more pageantry and less action. Sen.
Ron Wyden (D-OR), a staunch supporter for privacy and Internet rights, said it
would come as a surprise if "more than a handful of members" would support such a tactic. It appears that the
journey to change the current law could be a long one for Comey. Several members of Congress and the
Senate have already claimed they would oppose any such changes, adding that it would be a hard sell for
the American public. Thanks to the controversy surrounding the National Security Agency's (NSA) spying on citizens, public support for an open
channel to be spied upon could garner little support. Even Rep. James Sensenbrenner (R-WI), the original author of the
Patriot Act, told The Hill that "it's going to be a tough fight."
Since the Snowden revelations, companies have been stepping up privacy protections. Some big names in
tech started calling on the government for surveillance and encryption reform as early as 2013. And
they're still at it. In May and in June of this year, technology coalitions signed letters urging the Obama administration to prevent
backdoors or any other intentional weakening of encryption. Also this year, Reddit, Snapchat and Amazon all released their first transparency
reports. The EFF points to this new culture of data awareness as one reason "more and more companies are voluntarily speaking out about
government data requests."
Encryption talks now show support for backdoors as a means for national security
Tucker 7/8/15 (Eric Tucker, The Seattle Times, FBI, Justice Dept. take encryption concerns to Congress,
http://www.seattletimes.com/seattle-news/politics/fbi-justice-dept-taking-encryption-concerns-to-congress/ // PD)
FBI Director James Comey, who has pressed his case repeatedly over the last year before think tanks and in other settings, sought Wednesday to
defuse some of the tension surrounding the dispute . He told senators that he believed technology companies were fundamentally
on the same page as law enforcement, adding, I am not here to fight a war. Encryption is a great thing. It keeps us all safe. It protects
innovation, Comey said. It protects my children. It protects my health care. It is a great thing. But he warned that criminals were using encryption to
create a safe zone from law enforcement. He said that concern was especially acute at a time when the Islamic State has been recruiting sympathizers
through social media and then directing them to encrypted platforms that federal agents cannot access. Our job is to look at a haystack the size of
this country for needles that are increasingly invisible to us because of end-to-end encryption, he said. Deputy Attorney General Sally
Yates said the Justice Department was not currently seeking a legislative fix for the issue and was instead hoping to work cooperatively with the technology
companies. She expressed concern about end-to-end encryption in which only the user can access the communication. And she encouraged more companies,
not the government, to retain a key that can unlock their customers' encrypted data in response to government requests and court orders. The current public
debate about how to strike the careful balance between privacy rights and public safety has at times been a challenging and highly charged discussion, Yates
told the committee. Personal privacy and Internet security, she said, are not absolute. And they have to be balanced against the risks we face from creating
warrant-proof zones of communication. Sen. Dianne Feinstein, D-Calif., echoed Comey's concerns about encryption, saying it allows
those who would do us enormous harm a respite from any kind with law enforcement.
The legislators gathered on Wednesday afternoon to discuss the problems that default encryption schemes implemented by Apple and
Google on their mobile devices would cause law enforcement in the investigation of crimes . Freely available encryption software is decades old
now and the idea that encrypted devices are a challenge to police is hardly a new one, either. But the prevalence of smart phones with large storage capacity
and full-disk encryption that can't be easily defeated has brought the issue back to the fore in Washington and elsewhere. Specifically, in the office of Daniel
Conley, the district attorney of Suffolk County in Massachusetts, which includes Boston. In his testimony, Conley sideswiped both Google and Apple
for their monetization of the data they collect from users and then accused them of constructing a straw man called government
intrusion to justify their decisions to implement strong encryption. Apple and Google are using an unreasonable, hypothetical narrative of
government intrusion as the rationale for the new encryption software, ignoring altogether the facts as I've just explained them. And taking it to a dangerous
extreme in these new operating systems, they've made legitimate evidence stored on handheld devices inaccessible to anyone, even with a warrant issued by an
impartial judge, Conley said. For over 200 years, American jurisprudence has refined the balancing test that weighs the individual's rights against those of
society, and with one fell swoop Apple and Google has upended it. They have created spaces not merely beyond the reach of law
enforcement agencies, but beyond the reach of our courts and our laws, and therefore our society.
undermining encryption and barring other law enforcement agencies from collecting US data in bulk
An amendment by Massie and Rep. Zoe Lofgren, D-Calif., to prevent the government from forcing tech companies to install backdoors
passed the House last year by a vote of 293-123 as part of a spending bill for the Defense Department. However, the amendment was stripped
out in the final bill negotiated between the House and Senate . This year, Massie and Pocan have put the provision into legislation that would
repeal the Patriot Act, which is set to expire, in part, on June 1. If their legislation proves too controversial to pass, Massie said he will try again to attach
the anti-backdoor provision to another must-pass spending bill . Justice Department spokesman Peter Carr said the agency has not yet taken a
position on the Pocan-Massie legislation and declined comment. "We're not giving up," Massie said. "People are fed up. They want their
privacy back."
The Obama administration says it is not seeking to weaken the security tools themselves. There's no scenario in which we don't
want really strong encryption, President Obama said in an interview with the online tech news outlet Re/Code in February. I lean probably
further in the direction of strong encryption than some do inside of law enforcement. But I am sympathetic to law enforcement, because I
know the kind of pressure they're under to keep us safe. And it's not as black and white as it's sometimes portrayed.
President Obama opened the door Friday to adopting a tougher position against strong encryption technology, warning that too-tough-to-crack protections could threaten national security. "If we get into a situation which the technologies do not allow us at all
to track somebody we're confident is a terrorist and despite knowing that information, despite having a phone number or a social-media address or
email address, that we can't penetrate that, that's a problem," Obama said during a press conference held with British Prime Minister David
Cameron. Obama's comment came at the tail end of the White House conference, in which the two jointly announced a new partnership that
seeks to bolster cyberdefense cooperation between the two allies and deepen collaboration among each country's intelligence agencies.
President Obama agreed with his British counterpart that the absence of backdoors is a problem. As reported
by The Hill, he said: Social media and the Internet is the primary way in which these terrorist organizations are
communicating. That's not different from anybody else, but they're good at it. And when we have the ability
to track that in a way that is legal, conforms with due process, rule of law and presents oversight, then
that's a capability that we have to preserve. More specifically, he added, according to the Wall Street Journal: If we find evidence
of a terrorist plot and despite having a phone number, despite having a social media address or email
address, we can't penetrate that, that's a problem.
Obama won't push for encryption - following Cameron
DANNY YADRON 15--- Yadron covers cybersecurity from The Wall Street. He usually writes about hackers, tech policy,
presidential campaign, national politics and Internet security. (Yadron, Obama Sides with Cameron in Encryption Fight, 1/16/15.
The Wall Street Journal. http://blogs.wsj.com/digits/2015/01/16/obama-sides-with-cameron-in-encryption-fight/)//ET
President Barack Obama said Friday that police and spies should not be locked out of encrypted smartphones and messaging apps,
taking his first public stance in a simmering battle over private communications in the digital age. Apple, Google and Facebook
have introduced encrypted products in the past half year that the companies say they could not unscramble, even if faced with a
search warrant. That's prompted vocal complaints from spy chiefs, the Federal Bureau of Investigation and, this week, British Prime
Minister David Cameron. Obama's comments came after two days of meetings with Cameron, and with the prime minister at his side. If we
find evidence of a terrorist plot and despite having a phone number, despite having a social media address or email address, we can't penetrate
that, that's a problem, Obama said. He said he believes Silicon Valley companies also want to solve the problem. They're patriots. In the U.S.,
governments have long been able to access the contents of electronic communication, including phone calls, consumer email and social
media, typically with warrants, through wiretaps and from technology companies themselves. But the law that governs these practices is dated and
doesn't mandate tech firms incorporate such features into modern apps. In the post-Edward Snowden era, many technology firms have turned
encryption and zero-knowledge into marketing buzzwords. The president on Friday argued there must be a technical way to keep information
private, but ensure that police and spies can listen in when a court approves. The Clinton administration fought and lost a similar battle during the
1990s when it pushed for a clipper chip that would allow only the government to decrypt scrambled messages. That's a notable shift for
the president. He sounded more like Jim Comey than anything else the White House has said in the past couple of months, said Stewart Baker, former general
counsel at the National Security Agency, referring to the FBI director, who has criticized the tech companies' new encryption policies.
support stronger encryption to protect U.S. companies and consumers against hackers and cybercriminals. Yet the White House
still needs to take a stand on this issue. Meanwhile, the FBI has repeatedly criticized Apple and Google for their new smartphone encryption schemes,
which, the agency has claimed, will make it harder to stop criminals.
President Obama tried to walk a very fine line on encryption, the technology that secures much of the communications that occur online, during his
recent visit to Silicon Valley -- saying that he is a supporter of "strong encryption," but also understands law enforcement's desire to
access data. "I lean probably further in the direction of strong encryption than some do inside of law enforcement," Obama said
during an interview with tech news site re/code. "But I am sympathetic to law enforcement because I know the kind of pressure they're
under to keep us safe. And it's not as black and white as it's sometimes portrayed."
Obama said he wants to narrow the gap in the differences of opinion over which has more value: privacy or safety. He said people
who favor airtight encryption also want to be protected from terrorists. There are times where folks who see this through a civil liberties or
privacy lens reject that there's any trade-offs involved, and in fact there are, said Obama, who still uses a protected BlackBerry for non-official communications. It may be we want to value privacy and civil liberty far more than we do the safety issues, but we can't
pretend that there's no trade-offs whatsoever.
A2 CP IHRL
2ac cp = sq
The counterplan is the status quo and the plan is the mechanism for compliance - UNHRC already
demanded it
Bennett 15 (Corey, cybersecurity reporter for the Hill newspaper, UN report: Encryption crucial for human rights, 5/28/2015,
http://thehill.com/policy/cybersecurity/243381-un-report-encryption-necessary-to-exercise-human-rights)ML
A United Nations report released this week argues that strong encryption is fundamental to exercising basic human rights . "Encryption and
anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection,"
says the report, from the UN's Office of the High Commissioner for Human Rights . The international group is releasing the report as the U.S.
and other governments' debate methods that would give law enforcement agencies guaranteed access to encrypted data . Special
reporter David Kaye authored the report, which is strongly worded in its opposition to intentional access points built into encryption, or
"backdoors." "In the contemporary technological environment, intentionally compromising encryption, even for arguably legitimate purposes, weakens
everyone's security online," the report says. The report even called on Congress to consider the Secure Data Act, a bill that would ban the
government from forcing companies to build backdoors into their encryption . The FBI and National Security Agency (NSA) have been battling
technologists, Silicon Valley, and a vocal contingent of lawmakers over encryption standards. Federal officials argue companies should have a method to decrypt
data if it's needed for a criminal or national security investigation. Companies counter that such a decryption method would create inherently vulnerable
encryption.
A2 K TOP LEVEL
2ac fw
Our knowledge production and advocacy through debate is key to technological policy literacy and
portability - spills up to affect surveillance practices - try or die to influence global institutions
AND, even if there's never any spillover, the process of researching and debating is vital to provide
a sufficiently detailed understanding of encryption policy to successfully engineer individual
responses
Schneier 13 (Bruce Schneier, cryptographer, security technologist, fellow at the Berkman Center for Internet and Society at
Harvard Law School, program fellow at the New America Foundation's Open Technology Institute, founder and chief technology
officer, BT Managed Security Solutions, contributing writer to the Guardian, author of 12 books, honorary Ph.D., University of
Westminster, M.S. computer science, American University, B.S. physics, University of Rochester, The US government has
betrayed the internet. We need to take it back, The Guardian (UK), 9-5-2013,
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying)KMM
Government and industry have betrayed the internet, and us. By subverting the internet at every level to make it a vast, multilayered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and
manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host
our data: we can no longer trust them to be ethical internet stewards . This is not the internet the world needs, or the internet its creators
envisioned. We need to take it back . And by we, I mean the engineering community. Yes, this is primarily a political problem , a policy matter
that requires political intervention . But this is also an engineering problem , and there are several things engineers can and should do. One,
we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not
bound by a federal confidentially requirements or a gag order . If you have been contacted by the NSA to subvert a product or protocol, you need to come
forward with your story. Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know . We
need whistleblowers. We need to know how exactly how the NSA and other agencies are subverting routers, switches,
the internet backbone, encryption technologies and cloud systems . I already have five stories from people like you, and I've just started collecting.
I want 50. There's safety in numbers , and this form of civil disobedience is the moral thing to do. Two, we can design. We need to
figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent
communications intermediaries from leaking private information . We can make surveillance expensive again. In particular, we
need open protocols, open implementations, open systems - these will be harder for the NSA to subvert. The Internet Engineering Task
Force, the group that defines the standards that make the internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this
task. This is an emergency, and demands an emergency response. Three, we can influence governance. I have resisted saying this up to now, and I am saddened to
say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the
internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that
makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency,
oversight, and accountability from our governments and corporations. Unfortunately, this is going play directly into the
hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We
need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has
become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or
abused by any one country. Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can
ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do
this, and we have no time to lose. Dismantling the surveillance state won't be easy. Has any country that engaged in mass
surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming
totalitarian? Whatever happens, we're going to be breaking new ground. Again, the politics of this is a bigger task than the
engineering, but the engineering is critical. We need to demand that real technologists be involved in any key
government decision making on these issues. We've had enough of lawyers and politicians not fully understanding
technology; we need technologists at the table when we build tech policy. To the engineers, I say this: we built the internet, and
some of us have helped to subvert it. Now, those of us who love liberty have to fix it.
2ac prereq
The plan is prerequisite to ALT solvency
Wood 15 (Camilla Wood, Solicitor, Birnberg Peirce & Partners, Director, Colombia Caravana UK Lawyers Group, Access
fights for your right to secure communications, Technology and Human Rights, 5-22-2015,
http://technologyandhumanrights.org/access-fights-for-your-right-to-secure-communications/)KMM
Today, we joined a large coalition [PDF] of human rights, privacy, and technology organizations, companies, and security experts working
to oppose any law or policy that would force companies to deliberately weaken the security of their products. Instead,
government should defend the rights of users by implementing policies that support the adoption of encryption tools and technologies. The coalition
letter [PDF] we signed refutes statements from high-level government officials who claim that strong encryption would undermine law enforcement and national security. These officials
argue that encryption could cause government surveillance programs to go dark, an argument that was born in the debates from the 1990s and has repeatedly been debunked by
security experts. These experts explain that implementing strong encryption is one of the best ways to protect people against bad actors. As the letter points out, encryption may be the
key barrier that protects users from street criminals, malicious hackers, corporate spies, or foreign intelligence agencies. At Access, we believe you have the fundamental right to secure
your data and communications; it's a prerequisite for the freedom of expression, assembly, and thought. Access's Encrypt All The Things initiative is an effort to promote the use of
available encryption tools. Through the initiative, we ask companies to agree to the importance of protecting networks, data, and users from unauthorized access and surveillance. It's
an example of civil society and the corporate sector working together for a more secure internet. Government-mandated backdoors, on the other hand, undermine user security by
purposefully weakening the protection that they are otherwise afforded. As the letter explains: Whether you call them front doors or back doors, introducing intentional vulnerabilities
into secure products for the government's use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue
agrees on this point, including the government's own experts. Encryption
A2 T CURTAIL
2ac we meet
Plan curtails surveillance
Ribeiro 14 (John Ribeiro, Computer World, Sen. Wyden introduces bill to block FBI backdoor access, IDG News Service, 12-4-2014, http://www.computerworld.com/article/2854966/sen-wyden-introduces-bill-to-block-fbi-backdoor-access.html)KMM
Sen. Ron Wyden on Thursday introduced a bill that would prevent the government from forcing companies to design backdoors or security vulnerabilities into
their products to aid surveillance. The Secure Data Act aims to preempt moves by the government to better eavesdrop over newer
communications technologies, and is part of an overall bid by some legislators to place curbs on extensive government
surveillance. A key legislation that would put curbs on the bulk collection of phone records by the U.S. National Security Agency, called the USA Freedom
Act, could not move towards a final vote on the legislation in the Senate last month, despite backing from the administration of U.S. President Barack Obama.
Wyden said his bill comes in the wake of proposals by U.S. government officials to compel companies to build backdoors in the security features of their
products. "Strong encryption and sound computer security is the best way to keep Americans' data safe from hackers and foreign threats," Wyden said in a
statement Thursday.
agencies added surveillance power, individuals can limit that power through encryption. In that way, the ubiquitous usage of strong
encryption can help restore the balance between privacy and security.
--xt we meet
Encryption stops Government Surveillance
Bousquet 6/30 (Chris Bousquet Hamilton College undergraduate student
http://dcinno.streetwise.co/2015/06/30/washington-post-encryption-to-stop-government-surveillance/) //CF
Washington Post To Employ Dangerous Encryption to Stop Government Surveillance Beginning Tuesday, the Washington
Post will begin encrypting parts of its website to protect users' viewing habits from both governmental and non-governmental
intruders. WaPo will roll out the new encryption gradually, first using it on its home page, national security page and tech blog,
and will apply the protocol to the rest of its pages in the coming months. The change involves layering an encryption protocol
called TLS or SSL on top of the standard HTTP, creating the recognizable HTTPS prefix. This HTTPS, along with a lock icon will
appear in users' Web address bar once the encryption goes into effect. Many businesses, social media sites and even the U.S.
federal government have begun instituting this protocol, but it has been slow to catch on in the media world. Some worry that
though this type of encryption will stop cyber attacks in the short run, it may result in more devastating attacks in the future. On
sites with HTTPS encryption, hackers need to acquire keys/certificates to access data. However, if they do obtain these keys,
and it's inevitable that some will, they will be coming over encrypted traffic, meaning they'll have enhanced access to the site's
data and an easier time hiding from cybersecurity detection. All in all, the trend towards HTTPS is probably a good thing, but it's
certainly not a panacea for the world's cybersecurity woes. As companies institute this encryption protocol, they'll also need to
tighten their grasp on certificates to make it more difficult for hackers to get in and wreak havoc.
Palmer 13 (Danny Palmer Staff Writer for Computing, 10 Dec 2013 Encrypting data will not stop government snooping
http://www.computing.co.uk/ctg/analysis/2318021/encrypting-data-will-not-stop-government-snooping) //CF
Frank Jennings, partner at law firm DMH Stallard and specialist lawyer in cloud and technology, agreed
that encryption is the way to go forward. If there's enough data being encrypted then it's going to slow
government agencies down considerably, taking them a lot of time and money to decrypt and therefore
more likely to be choosy about what data they seek to decrypt. By necessity, encryption will lead to a
reduction in surveillance, he told Computing.
agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL),
used to protect online shopping and banking.
A2 T DOMESTIC SURVEILLANCE
2ac we meet
Encryption backdoors are domestic surveillance
Jardin 10 (Xeni Jardin Boing Boing editor/partner and tech culture journalist Sep 27, 2010
http://boingboing.net/2010/09/27/obama-administration.html)CF
Obama administration wants encryption backdoors for domestic surveillance
--xt we meet
Surveillance is used through backdoors
MBURU and NYAMWANGE 13 (SIMON M. MBURU and ALEX K. NYAMWANGE KABARAK UNIVERSITY,
BLOCKBACKDOOR http://emaktaba.kabarak.ac.ke/bitstream/handle/123456789/391/BLOCKBACKDOOR.pdf)CF
EVIDENCE OF UNAUTHORIZED SURVEILLANCE THROUGH BACKDOORS On 27th May 2014, The Standard Newspaper published an article by
the title Kenya loses privacy war to snooping data spies. The article revealed how America's NSA programme had collected metadata on Kenya's cellular
telephone network, quoting the article; Last week reports leaked by National Security Agency whistleblower Edward Snowden revealed that Kenya is among five
countries where the US intelligence agency has been intercepting, recording and archiving all phone calls for the last one year. The surveillance is said to
be part of a top-secret NSA programme code-named Mystic which has a backdoor to Kenya's cellular telephone network end of quote.
Having a backdoor to an entire telephone network is possible only if almost every network appliance on the telephone network has a backdoor, which could be
the subscribers' cell phones, server computers, routers and so forth. The question that is posed by security experts is, if Kenya's phone calls have been
spied on for the last one year, what about the other top secret information? Such revelation depicts how backdoors could ruin the reputation
of a county.