Baker left the FBI last year to join a DC-based think tank, where his role is to write for the justice-focused blog, Lawfare…
He writes in the piece, entitled Rethinking Encryption, that he now has a more balanced view of the issue. In particular, he thinks governments need to ’embrace reality’ where encryption is concerned, recognizing that it is needed to protect the US from cyber threats.
What follows are reflections on my efforts to embrace reality [and] rethink my prior beliefs about encryption and to better align those beliefs with the reality that (a) Congress has failed to act—and is not likely to act—to change relevant law notwithstanding law enforcement’s frequent complaints about encryption, and (b) the digital ecosystem’s high degree of vulnerability to a range of malicious cyber actors is an existential threat to society.
In the face of congressional inaction, and in light of the magnitude of the threat, it is time for governmental authorities—including law enforcement—to embrace encryption because it is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China. This is true even though encryption will impose costs on society, especially victims of other types of crime.
He says, however, that he stands by the position he took while FBI general counsel in the iPhone case.
During the Federal Bureau of Investigation’s very public disagreement with Apple over encryption in 2016, I was the bureau’s general counsel and responsible for leading its legal efforts on that matter. I fought hard for the government to obtain access to the contents of an iPhone used by one of the perpetrators of the San Bernardino terrorist attack. I stand by that work.
Baker says that strong encryption still poses a substantial problem for law enforcement, but he now recognizes that there is no way to square the circle of protecting both personal and government data on the one hand, and allowing law enforcement to access data on the other.
A solution that focuses solely on law enforcement’s concerns will have profound negative implications for the nation across many dimensions. I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.
He says that forcing US companies to create compromised systems would simply shift demand to foreign-made products that remain secure. Additionally, a lot can be done with metadata – that is, records of who contacted who, rather than what was said.
Further, the situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data—especially metadata—than ever before is available for collection and analysis by law enforcement.
He says that where US infrastructure is concerned, strong encryption is the best way to tackle concerns about spyware in Chinese-made equipment. A zero-trust approach is needed.
The Defense Innovation Board of the U.S. Department of Defense recently released a report that discussed the “zero-trust” 5G network problem for the department.
In general, a zero-trust network is, as the name implies, one that you do not trust. A network operator that employs the zero-trust network concept presumes that one or more adversaries have successfully penetrated the network’s perimeter defenses and are present inside the network. The operator also presumes that it will be difficult or impossible to ever be sure that the adversaries have been identified and removed. Accordingly, they treat their internal systems as zero-trust networks, which will include consistently challenging all users, applications and devices and encrypting data as much as possible.
The former FBI general counsel says law enforcement should continue to explain the challenges posed by strong encryption, but it should also advocate for the use of the same by the government.
For the reasons discussed above, public safety officials should also become among the strongest supporters of widely available strong encryption.
I know full well that this approach will be a bitter pill for some in law enforcement and other public safety fields to swallow, and many people will reject it outright. It may make some of my former colleagues angry at me […]
If law enforcement doesn’t want to embrace encryption as I have suggested here, then it needs to find other ways to protect the nation from existential cyber threats because, so far, it has failed to do so effectively.
The whole piece is well worth reading.
FTC: We use income earning auto affiliate links. More.