The private sector perspective on encryption technology is critical to understanding the crux of the debate. Amid news that Dell had agreed to buy RSA’s parent company, EMC, in the largest deal in the IT industry's history, RSA President Amit Yoran sat down with The Cipher Brief to talk about encryption and what he sees as a fundamental misunderstanding on behalf of the government of the implications that a legal request would have had.
Note: We sat down at the same time that FBI Director James Comey told lawmakers last week that the Obama Administration would not be seeking a legal means to force companies to build in technology that would allow them court-approved access to encrypted data.
The Cipher Brief: Where do you stand on the encryption debate?
Amit Yoran: I think it’s absolutely absurd. We have greater surveillance capability, surveillance activity, and information available today than ever before. First of all, this is a law enforcement issue, not an intelligence issue. I want to be clear about that because some people conflate the two, but they shouldn’t. This is very clearly about law enforcement. Any foreign intelligence service, any terrorist actor worth anything, can get what they want. They’re not going to use infrastructure that is back-doored by the U.S. government.
Really, what we’re talking about is the low end of law enforcement requirements. You have greater surveillance capability than has ever been possible or conducted in any society today. And to further the ease of law enforcement gaining access to things which otherwise would be deemed private, is ridiculous. In doing anything like this, you’re actively weakening the defensive protection available to organizations and individuals to protect themselves in an environment where we’re already losing.
TCB: Because the enemy will use the same methods to get into the system that the government would use?
AY: Exactly, and there are lots of examples of compromises that would have been massively catastrophic if there were a law enforcement access field available. For the limited scenario where this would be a strategic advantage to law enforcement, I would argue it’s more of an ease of access issue. The data here is almost overwhelming, and that’s why you’re not seeing any sort of rational appeal. It’s an emotional appeal from Comey and the law enforcement community—“imagine if you had a son or daughter or spouse who was kidnapped, and we found their cell phone, wouldn’t you want us to be able to get into that cell phone to gather information that might help find them?” They try to appeal to emotions, but it’s a nonsensical, absurd argument that will hopefully never see the light of day.
TCB: Do you think that there is a better way? Should law enforcement be tackling their objectives from a different perspective on encryption?
AY: There are lots of ways to gain access to that information. There’s non-cryptography related data that’s available. Where was this cell phone? Where was this person? There’s just an incredible wealth of information that is available to them that has not been available to them historically. There is just so much. They have more data available to them now. Doing anything to weaken people’s protection and privacy, and the protection available to organizations trying to defend themselves against sophisticated threat actors, is certainly not worth the societal tradeoff.
TCB: What would be the impact to American competitiveness overseas?
AY: There is plenty of on the record feedback, from Cisco on down, on the implications of the Snowden revelations on American competitiveness overseas. When you look at the data sovereignty stuff that’s coming out of Europe and other nations, there is a very keen sensitivity to doing business with American corporations. I think adding a requirement for U.S. corporations to add back doors for the U.S. government, which isn’t necessarily trusted on a worldwide basis these days, would just further erode our competitiveness.
I would suggest that anything you do on the encryption side would not only weaken protections available to U.S. corporations and U.S. citizens, it would also have a strategic impact on the U.S. corporations trying to conduct business overseas. Right now, there’s a Department of Justice (DOJ) Microsoft case, which is being appealed by Microsoft, that is about government access to Microsoft customers in Microsoft facilities that are overseas. Again, I think there is a very strategic economic impact from some of the decisions that are coming out of DOJ, or the positions being taken by DOJ.
TCB: If the president were to call on you and ask for your recommendations on what people to engage in the conversation, to lock in a room if you will, to figure out how to think about this in a different way and to identify a more effective strategy that could address both public and private goals, who would you choose to be in that room with you?
AY: I would probably pick Dan Geer, who is the Chief Information Security Officer for In-Q-Tel. He’s probably one of the smartest people in this space that I’ve met. I’d probably pick Bruce Schneier (cryptographer and computer security specialist), which I’m sure is controversial. He has an understanding of both sides of the equation, and he provides a key level of insight. I would pick General Mike Hayden (former Director of the CIA and the National Security Agency). I think Hayden understands the intelligence and national security side really well, and he also probably has a much deeper understanding and appreciation for the law and the private sector implications than most of the intelligence and national security leadership do. I would probably pick some representatives of large economic interests, either someone out of the financial services or more likely, the tech sector. And then probably someone out of the legal/policy side. And Scott Borg (the Director of the U.S. Cyber Consequences Unit) to keep it in check. He has a very good understanding of the policy implications and the macroeconomic implications of decisions that are made. At the end of the day, the government spending is important, but more fundamentally, the policy decisions that get made are going to have a macroeconomic effect, and we need to understand what those might look like—either intended or unintended—which would be important to have at the table.
