It has been over a month since the social distancing guidelines and stay at home orders started across the country. In response, we have collectively turned toward a nice variety of apps that allow us to work from home, play games, and even attend virtual happy hours. The apps not only make such activities possible without physical interaction, but they allow us to do so securely, protecting sensitive work data, conversations with friends, and online banking transactions with strong encryption.
The importance of encryption in this environment was highlighted by the recent controversy over encryption in the online video conferencing app Zoom. Such problems arose because the company claimed to use “end to end” encryption, which suggested that only conference participants were able to access audio and video of their conference. But in actuality, Zoom uses transport layer security encryption to secure conferences, allowing it at least some access to conference communications.
The incident led to an outcry from the privacy community and users, as well as a significant drop in the stock value of the company. It prompted Zoom chief executive officer Eric Yuan to publicly apologize and promise to utilize company development efforts to bolster the encryption used by the app. It turns out that users and investors want communications to be secure. This is the latest instance of why efforts to undermine encryption through backdoors are so dangerous. Reliance upon encryption to secure our app data will only continue to increase in response to increased usage along with a dramatically growing threat environment.
Encryption may not be a silver bullet for our cybersecurity problems, but it is a vital part of the solution, as the Zoom experience attests. Backdoors are a serious threat to the security that encryption offers, just as they were when the modern encryption debate started with the aftermath of the San Bernardino terrorist attack five years ago. Despite the rising importance of encryption, proponents continue to pursue backdoors through legislation like the Earn It Act, despite the fact that such efforts will not achieve their intended aims, as many experts continue to point out.
First, encryption legislation passed by Congress can compel compliance from American technology companies but will not impact the encryption offerings from the open source community or foreign companies that are not subject to such rules. Second, the backdoor creates new openings for hackers to bypass encryption, through the backdoor itself or through new vulnerabilities established as a result. Third, it creates access tools, which are available to federal law enforcement and also to authoritarian regimes in China, Russia, and other countries. Finally, it undermines international trust in the security of American technology offerings.
Ironically, some in government, including Attorney General William Barr, continue to pursue encryption backdoors while warning of the dangers posed by backdoors in Chinese telecommunications equipment, which enable Chinese espionage. Moreover, this foreign access serves as the basis of United States efforts to dissuade our allies from using Huawei equipment on their networks. Can we not see others that opt to avoid American technology offerings due to similar concerns?
Others in government recognize the significant cyberthreat arising from vulnerabilities. The National Security Agency disclosed that it shared one major flaw in Windows so that it could be patched rather than potentially weaponized. It reasoned that the flaw posed too great a threat to millions of American users, both in government and the private sector, to use the flaw as a hacking tool. Meanwhile, the private sector market for the flaws is booming, underpinning both alleged Saudi Arabian efforts to hack the phone of Jeff Bezos and tools used by law enforcement to gain access to the devices that are now targeted for encryption backdoors.
Ultimately, the federal government efforts to secure encryption backdoors undermine American credibility. We are certain to learn many lessons as a result of this pandemic, and the fundamental importance of encryption to protecting our digital society today needs to be one of them.
Michael Hayden is former director of the Central Intelligence Agency and of the National Security Agency. He is a principal at the Chertoff Group, a security consulting firm based in Washington, the founder of the Michael Hayden Center for Intelligence at George Mason University, and author of “The Assault on Intelligence: American National Security in an Age of Lies.”