August 31, 2015

Which Government Agencies Encrypt Data? The Answer May Surprise You



This article originally appeared in The Hill on August 28, 2015.

We find ourselves living in a world of constant and abundant information flows. Decentralized networks and a globalized Internet have not only created new means of communicating; they have also contributed to the rise of an entirely new way of interacting with the world. This is the age of the digital economy, and its security is predicated on technologies and system designs that incorporate cryptographic protocols for securing data in transfer and at rest.

Unfortunately, the federal government doesn’t speak with one voice on the virtue of encryption.

So which agencies are supportive of encryption as a tool for securing information? The answers may surprise you.

To begin, numerous former officials have spoken out in favor of encryption. Michael Chertoff, former secretary of homeland security, came out against mandatory encryption “backdoors” – the practice of intentionally weakening encryption protocols so that select individuals and agencies can gain special access – for new software products in a recent speech at the Aspen Security Forum; he called such an approach “a mistake.” Gen. Michael Hayden, former head of the National Security Agency, came out “on the side of industry,” arguing that “[t]he downsides of a front or back door outweigh the very real public safety concerns.” But it’s not just former intelligence community chiefs who disagree with their former employers’ perspectives.

President Obama’s own Review Group on Intelligence and Communications Technologies unanimously argued in favor of promoting encryption in its December 2013 report. The report stated:

The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.

In addition, according to documents made public by Edward Snowden’s NSA leaks, a 2009 report from the U.S. National Intelligence Council likewise notes the importance of secure encryption technology as the “best defense to protect data.” The Department of Health and Human Services’ guidance on security implementation with regard to the Health Insurance Portability and Accountability Act (HIPAA) does not actually mandate the use of encryption when dealing with data transfers, but suggests that such protocols be implemented if doing so is determined to be “a reasonable and appropriate safeguard.”

The Federal Trade Commission has similar guidelines on complying with its safeguards rule, which calls for “[e]ncrypting sensitive customer information when it is transmitted electronically via public networks.” Tony Scott, the federal chief information officer, echoed these policy recommendations in a policy memorandum this past June stipulating “that all publicly accessible Federal websites and web services only provide service through a secure connection,” specifically focusing on the need for widespread use of Hypertext Transfer Protocol Secure (HTTPS) for such purposes.

A White House Big Data Report from May 2014 similarly emphasized the need to “dramatically increase investment for research and development in privacy-enhancing technologies.” Even the FBI, before Director James Comey’s wildly hyperbolic recent Senate testimony, has released statements pointing out that “[a]nytime an application or service runs in ‘unrestricted’ or ‘system’ level within an operation system, it allows any compromise to take full control of the device” and suggesting that individuals use encryption to protect their personal devices. The FBI also recommends encryption in its Safety and Security for the Business Professional Traveling Abroad brochure, which suggests that individuals use encryption to prevent corporate espionage.

Even as some agencies, such as DHS and intelligence organizations, rail against encryption, it is clear that individuals, private firms, and even other government agencies recognize the need to keep data and information flows secure in the digital age. As the debate over the tradeoffs between securing individuals’ sensitive information and law enforcement’s ability to investigate and prosecute crimes continues, it is telling that some people in the know, both inside and out of government, place so high a value on encryption. Despite the potential risks, most still explicitly recommend, if not mandate, its use.

In the modern age, encryption is a must-have for consumers. It has widespread support not only within various civilian agencies of the government, but almost unanimous backing by major tech companies and the world’s foremost security experts. Far from leaving us vulnerable, encryption serves to protect everyone, from the average citizen to intelligence agents, from the acts of nefarious hackers, cyber criminals, and even the prying eyes of foreign governments.

Encryption is not just valuable; it is a necessity for online commerce, national security, and the protection of individuals’ personal data. Without it, we are less secure and more vulnerable.

Ryan Hagemann is the civil liberties policy analyst at the Niskanen Center.