Is the Cold War Over Encryption at a Boiling Point?

Since Edward Snowden blew the lid off of the National Security Agency’s broad range of bulk surveillance and hacking programs—including the NSA’s secretly tapping directly into Yahoo and Google’s private data links, and its use of a vast catalog of security vulnerabilities in a range of U.S. tech companies’ hardware and software products—relations between the feds on the East Coast and techies on the West Coast have been downright chilly. From the perspective of many in the American tech industry, the NSA’s actions represent an “Advanced Persistent Threat” similar to the cyber-threats posed by organized crime or Chinese intelligence, while also threatening their bottom line by undermining worldwide consumer trust in the security of American companies’ products.

The relationship between the feds and techies got even chillier over the winter, when the FBI director and the U.S. attorney general criticized Apple and Google for securing the data on iPhone and Android smartphones with strong encryption that only the phone’s owner could bypass, and when President Obama seemed to agree with U.K. Prime Minister David Cameron that tech companies should build surveillance backdoors for the government into their products.

The relationship practically iced over in the past week as not one but two bombshell stories broke about how the NSA is undermining the security of our computers and cell phones: first, the story that NSA has figured out how to hide spyware in the firmware of a wide variety of brands of computer hard drives, so that the infection persists even when the hard drive is completely wiped and the operating system is reinstalled; second, the story that NSA had supported the U.K.’s signals intelligence agency GCHQ in breaking into the servers of SIM card manufacturer Gemalto and stealing millions of encryption keys enabling mass cellphone surveillance.

That icy conflict turned hot this Monday at a cybersecurity conference hosted by New America (where I work for the Open Technology Institute) to launch its new Cybersecurity Initiative. There, the director of the NSA was confronted by the head of security at Yahoo, who had a simple question: If the federal government cares so much about cybersecurity, why does it want us to make our products less secure?

A transcript of the question-and-answer exchange between Yahoo Chief Information Security Officer Alex Stamos and Adm. Mike Rogers, director of the NSA and U.S. Cyber Command, is available here. But it basically boiled down to this: Stamos wanted to know why Rogers agreed with FBI Director James Comey that companies should build backdoors into their encrypted products to facilitate government surveillance, when all the technical experts say that cannot be done without opening users up to threats other than the government. In response, Rogers quibbled with the use of the term “backdoor” just as Comey has—“We aren’t seeking a back-door approach,” Comey said in an earlier speech on the topic; “We want to use the front door”—and stated his belief that it was “technically feasible” that surveillance capability could be built into products without otherwise compromising security, so long as we put in place an appropriate legal framework to guide its use.

However, as noted security expert Bruce Schneier put it later in the conference during his own keynote conversation: “It’s not the legal framework that’s hard, it’s the technical framework.” Put another way, as Schneier has blogged before, “there’s no technical difference between a ‘front door’ and a ‘back door’,” only a semantic difference, and whatever you call it, it will undermine security overall. Stamos likened the introduction of backdoors into encrypted products to “drilling a hole in the windshield”—by trying to provide a narrow entry point just for the government, you end up undermining the overall integrity of the encryption shield. Indeed, as Stamos pointed out in his exchange with the NSA director, “all of the best public cryptographers in the world would agree that you can’t really build backdoors in crypto”—a fact that can be verified by looking at this extensive bibliography of all of the writing on the subject that’s been published since the Apple/Google crypto debate first flared up last year. When Rogers replied that he had a lot of “world-class cryptographers” at the NSA, Stamos indicated that he had talked to some of them too and they agreed with his position. Echoing Stamos, ACLU technologist Chris Soghoian tweeted his expectation that there would be “facepalms” back at NSA HQ by mathematicians embarrassed by their director’s statements.

By joining with the FBI director and the attorney general in condemning encryption that doesn’t allow for government snooping, Rogers on Monday increased the chances that the cold war between the feds and the techies is about to get hot. However, President Obama himself offered a much more nuanced position just a couple of weeks ago while visiting the West Coast for the White House’s Cybersecurity Summit at Stanford. In an interview after that summit—where Apple CEO Tim Cook argued that he and others in his industry had a responsibility “to do everything in our power to protect the right to privacy”—the president offered an olive branch on the encryption issue and backed away from the stronger statements of his law enforcement and intelligence officials, saying that he was “a strong believer in strong encryption,” that “there’s no scenario in which we don’t want really strong encryption.” And although he recognized that such technology may pose challenges to law enforcement and that “we’re really gonna have to have a public debate” about how to address those challenges, he suggested that “I lean probably further in the direction of strong encryption than some do inside of law enforcement.”

The techies on the West Coast should be heartened by the president’s comments, even if they would have preferred an even stronger statement in favor of encryption, and even if they were ultimately unimpressed by the president’s call at Stanford for more cooperation between government and industry on cybersecurity. (“Why are people going to want to share with a government that’s weaponizing our technologies?” asked one commentator). But when the president, or the NSA director, or anyone else in government calls for a public debate on the issue, they should be reminded: we already had this debate twenty years ago in the so-called “Crypto Wars” of the ’90s. When faced with the choice between strong encryption or government backdoors, policymakers ultimately chose strong encryption, recognizing that it was the cornerstone of information security and therefore also a cornerstone of the information economy and American competiveness in a global tech marketplace.

Today’s policymakers should learn from that history and follow the advice of the Review Group appointed by the president to examine the NSA’s programs: The U.S. government must support, rather than undermine, the use of strong encryption. Following that advice would help mend the fences between the feds and the techies and better ensure that government and industry can work together to address the serious cybersecurity threats that we all face. However, if we fail to heed the lessons of the Crypto Wars, we will be doomed to repeat them, and in a war between the tech industry and the federal government, everyone’s security will suffer.

This article originally appeared on Future Tense, a collaboration among Arizona State University, New America, and Slate.