Posted By CotoBlogzz
Rancho Santa Margarita, CA - Amy Hess, the FBI's Executive Assistant Director, Science and Technology Branch, gave a statement today before the House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations. Titled "Deciphering the Debate Over Encryption," it is less of a deciphering and more of a false choice.
It is generally acknowledged that security, including cybersecurity, is a cat-and-mouse game. Whoever has a cyber-MOM (Motive, Opportunity and Means) is going to win that war, not the battle, as the cyberwars never end; the tools just evolve.
On the one hand, as Ms. Hess stated, "The development and robust adoption of strong encryption is a key tool to secure commerce and trade, safeguard private information, promote free expression and association, and strengthen cyber security." On the other hand, as we see from daily reports, the bad guys, with the profit motive as a cyber-MOM, can wreak havoc, from holding private and public institutions hostage using ransomware to exploiting the general public with phishing attacks.
A brief sampling of breaches using current technology follows:
- On March 24, 2016, the US Department of Justice charged seven Iranian individuals who were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps, on computer hacking charges related to their involvement in an extensive campaign of over 176 days: http://cotobuzz.blogspot.com/2016/03/seven-working-for-iranian-government.html
- On March 23, 2016, Stephen Su, a Chinese national, pleaded guilty to participating in a years-long conspiracy to hack into the computer networks of major U.S. defense contractors, steal sensitive military and export-controlled data and send the stolen data to China: http://cotobuzz.blogspot.com/2016/03/stephen-su-chinese-guilty-in-cyber-hack.html
- On March 24, 2016, a phishing attack at Sprouts Farmers Market exposed employee payroll data: http://www.computerweekly.com/news/450279834/Phishing-attack-at-US-retailer-underlines-need-for-proactive-security
- Hollywood Presbyterian Medical Center's computer network was attacked on Feb. 5, 2016, when malware locked access to certain computer systems and prevented electronic communication: http://money.cnn.com/2016/02/17/technology/hospital-bitcoin-ransom/
- Police Department Pays Cybercriminals Following Ransomware Infection: The Tewksbury, Massachusetts Police Department recently paid a $500 ransom to decrypt its files following an infection with KEYHolder ransomware, according to the Boston Globe: http://www.esecurityplanet.com/malware/police-department-pays-cybercriminals-following-ransomware-infection.html
On the government side, Central Intelligence Agency Director John Brennan consulted the White House before spying on the Senate Intelligence Committee, according to a recently released report by the CIA's Office of the Inspector General.
Politicians and others argue that the intelligence community does not listen in on individual conversations, that "it only collects metadata". When Malte Spitz asked his operator in Germany to share the information stored about him, he concluded that if today's technology had been available to the Stasi, the Berlin Wall would still be up, just like the Arab Spring was turned into the Winter of Discontent.
With current technology, German security experts demonstrated how easy it was to spy on a phone used by US Congressman Ted Lieu from California, a member of the House Oversight and Reform Subcommittee on Information Technology, who agreed to use an off-the-shelf iPhone knowing it would be hacked.
In her testimony, Ms. Hess goes on to list the cyber-enemy as malicious actors driven by the profit motive and hacktivists like ISIS. She is correct when she frames the problem as a choice: how much should the government reach into the privacy of ordinary citizens?
She concludes by saying that "the debate so far has been a challenging and highly charged discussion, but one that we believe is essential to have. This includes a productive and meaningful dialogue on how encryption as currently implemented poses real barriers to law enforcement's ability to seek information in authorized investigations. Mr. Chairman, we believe that the challenges posed by this problem are grave, growing, and extremely complex. At the outset, it is important to emphasize again that we believe there is no one-size-fits-all strategy that will ensure success. We must continue the current public debate about how best to ensure that privacy and security can co-exist and reinforce each other, and continue to consider all of the legitimate concerns at play, including ensuring that law enforcement can keep us safe."
While we agree that there is no one-size-fits-all strategy, the debate should not be a false choice between more security and less privacy; it should be more about protection, which includes prevention, detection and response. We believe that the intelligence community has plenty of cyber-MOMs at its disposal, and that the issue is more about better utilization of resources, including the use of crowdsourcing, as the FBI perfectly illustrated with the San Bernardino terrorist's iPhone, and as the Pentagon is doing by inviting individuals to hack its computers to prevent future attacks.