Following the terrorist attacks in Paris and San Bernardino, the demand for weaker encryption – either by government mandate or the voluntary action of technology companies – comes from law enforcement officials who argue that encryption hinders their ability to track terrorists and criminals. A major problem with this push, and one largely overlooked in the current debate over encryption, is a different threat to the security of American cyberspace: other countries’ spies.
The federal government’s Office of Personnel Management (OPM) was recently hacked (probably by agents of China), showcasing how other countries can benefit from lackluster cybersecurity on the home front. American networks are constantly monitored and probed by countries seeking any and every military, economic, and informational advantage they can find.
OPM does not house information about secret weapons systems or strategies, which might seem to make it a low priority target for hackers. What it does house, however, is a vast amount of data on government employees, including the results of FBI background checks. This data was left relatively exposed due to its seemingly non-vital nature.
But the effects of the recent hack have been serious. As a result, the United States has been forced to pull intelligence agents out of China. The fact that China was able to use stolen data to build profiles of Americans working for embassies to identify likely covert intelligence operatives is a huge setback, one that could affect American intelligence operations for years to come. America’s focus on counter-terrorism and domestic crime may lead us to overlook potentially much larger threats posed by other great powers, like China and Russia.
If the U.S. government mandates, or even just encourages, turning encryption off by default, countries interested in prying into Americans’ affairs—and American intelligence operations—will have a much easier time. The costs of computing power and data storage are rapidly declining, while the use of Internet-connected smartphones is rapidly increasing. That means that it’s easier than ever for the Russians and Chinese to infiltrate corporate networks and personal devices to build files on an ever-larger slice of the American population.
If information stolen from federal databases is combined with information about favorite restaurants, websites visited, and personal emails and text messages, foreign intelligence agencies will suddenly have in their possession a chilling level of detailed knowledge about the lives and habits of American government employees, corporate executives, and even everyday Americans.
Weakening encryption only helps foreign spies. The OPM hack was connected to earlier data breaches at private health insurers. Those hacks have been directly viewed as attempts by the Chinese to learn more about Americans in order to bribe, blackmail, or threaten them into service as double agents. Information that might be useless in isolation can turn out to be important when woven into a larger tapestry of ill-gotten data, and can lend enemies of the U.S. a dangerously clear view into American lives, and into American intelligence operations overseas. That’s why we’re more secure when encryption is strong, and turned on by default, even when it comes to data and communications that may seem to have little strategic value.
The growing “Internet of Everything” makes strong and ubiquitous encryption even more necessary. Imagine a world in which unfriendly countries can hack into government databases, use the information to select targets for further hacks, and then infiltrate phones (of a government employee or family member) and use downloaded apps to gain access to further information or capabilities. Autonomous cars could be rerouted, doors unlocked, and home appliances repurposed as eavesdropping devices. The networked home security system you use to monitor your house when you’re away can be hijacked to monitor you. Rock-solid data security will be an ever-increasing necessity in an age of interconnected devices.
Companies should not be compelled to weaken the encryption that protects their clients. Nor should Americans be prohibited from taking steps to protect their own privacy and security. It’s increasingly hard to draw a bright line between strategically sensitive information and the trivial data of 21st-century daily life. That’s why strong encryption has become an essential tool for ensuring American safety and security, both for overseas operatives and Americans at home.
Terrorism does pose a risk to American lives and livelihoods. And encryption can help criminals, terrorists, and foreign agents keep secrets. But encryption also protects all of us from those criminals, terrorists, and enemy spies. Mandating security vulnerabilities in encryption may make life a little easier for American law enforcement and intelligence, but it might help criminals, terrorists, and foreign spies. Policymakers had better be certain that it won’t before they insist on weakening encryption.
Op-ed by Joshua Hampson; originally published in The Hill