After Paris attacks, here’s what the CIA director gets wrong about encryption

It’s not surprising that in the wake of the Paris terrorist attacks last Friday, US government officials would renew their assault on encryption and revive their efforts to force companies to install backdoors in secure products and encryption software.

Just last month, the government seemed to concede that forced decryption wasn’t the way to go for now, primarily because the public wasn’t convinced yet that encryption is a problem. But US officials had also noted that something could happen to suddenly sway the public in their favor.
Robert S. Litt, general counsel in the Office of the Director of National Intelligence, predicted as much in an email sent to colleagues three months ago. In that missive obtained by the Washington Post, Litt argued that although “the legislative environment [for passing a law that forces decryption and backdoors] is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

In the story about that email, another US official explained to the Post that the government had not yet succeeded in persuading the public that encryption is a problem because “[w]e do not have the perfect example where you have the dead child or a terrorist act to point to, and that’s what people seem to claim you have to have.”

With more than 120 people killed last week in Paris and dozens more seriously wounded, government officials are already touting the City of
Light as that case. Former CIA deputy director Michael Morell said as much on CBS This Morning, suggesting that recalcitrant US companies and NSA whistleblower Edward Snowden are to blame for the attacks.
We don’t know yet, but I think what we’re going to learn is that [the attackers] used these encrypted apps, right?,” he said on the show Monday morning. “Commercial encryption, which is very difficult, if not impossible, for governments to break. The producers of this encryption do not produce the key, right, for either them to open this stuff up or for them to give to governments to open this stuff up. This is the result of Edward Snowden and the public debate. I now think we’re going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of what’s happened in Paris.

CIA Director John Brennan said something similar at a security forum this morning (.pdf).
There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it,” he said. “And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve…. And I do hope that this is going to be a wake-up call.
No solid information has come out publicly yet about what communication methods the attackers used to plot their assault, let alone whether they used encryption.

On Sunday, the New York Times published a story stating that the Paris attackers “are believed to have communicated [with ISIS] using encryption technology.” The paper’s sources were unnamed European officials briefed on the investigation. It was not clear, the paper noted, “whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate.”
Twitter users harshly criticized the Times story, and it has since disappeared from the site (though it is archived) and the URL now points to a different story, with no mention of encryption.
A Yahoo news story on Saturday added to the theme, declaring that the Paris attacks show that US surveillance of ISIS is going dark. “Over the past year, current and former intelligence officials tell Yahoo News, IS terror suspects have moved to increasingly sophisticated methods of encrypted communications, using new software such as Tor, that intelligence agencies are having difficulty penetrating—a switch that some officials say was accelerated by the disclosures of former NSA contractor Edward Snowden.”

Numerous other news stories have suggested that attackers like the ones who struck Paris may be using a video game network. According to the Daily Mail and others, authorities in Belgium, where some of the attackers were based, have found evidence that jihadis there have been using the PlayStation 4 network to recruit and plan attacks. A source told the paper that they are using it because “Playstation 4 is even more difficult to monitor than WhatsApp.” The sources didn’t indicate if they were speaking specifically about the Paris attackers or about other jihadis in that country. But the fallacy of these statements has already been pointed out in other stories, which note that communication passing through the PlayStation network is not encrypted end-to-end, and Sony can certainly monitor communications passing through its network, making it even less secure than WhatsApp.

US law enforcement and intelligence agencies have been warning for years that their inability to decrypt communication passing between phones and computers—even when they have a warrant or other legal authority to access the communication—has left them in the dark about what terrorists are planning.
But there are several holes in the argument that forcing backdoors on companies will make us all more secure. While doing this would no doubt make things easier for the intelligence and law enforcement communities, it would come at a grave societal cost—and a different security cost—and still fail to solve some of the problems intelligence agencies say they have with surveillance.

1. Backdoors Won’t Combat Home-Brewed Encryption.
Forcing US companies and makers of encryption software to install backdoors and hand over encryption keys to the government would not solve the problem of terrorist suspects using products that are made in countries not controlled by US laws.
There’s no way of preventing a terrorist from installing a Russian [encryption] app or a Brasilian app,” notes Nate Cardozo, staff attorney for the Electronic Frontier Foundation. “The US or UK government could mandate [backdoors], but Open Whisper Systems is not going to put in a backdoor in their product period and neither is PGP. So as soon as a terrorist is sophisticated enough to know how to install that, any backdoor is going to be defeated.

Such backdoors also will be useless if terrorist suspects create their own encryption apps. According to the security firm Recorded Future, after the Snowden leaks, its analysts “observed an increased pace of innovation, specifically new competing jihadist platforms and three major new encryption tools from three different organizations—GIMF, Al-Fajr Technical Committee, and ISIS.” Encryption backdoors and keys also don’t help when terrorists stop using digital communications entirely. A 2011 AP story indicated that al-Qaida had long ago ditched cell phones and internet-connected computers in favor of walkie talkies and couriers.

News reports about the Paris attacks have indicated that some of the perpetrators lived in the same town in Belgium—which would have made it very easy to coordinate their attack in person, without the need for digital communication.

2. Other Ways to Get Information.
The arguments for backdoors and forced decryption often fail to note the many other methods law enforcement and intelligence agencies can use to get the information they need. To bypass and undermine encryption, intelligence agencies can hack the computers and mobile phones of known targets to either obtain their private encryption keys or obtain email and text communications before they’re encrypted and after they’re decrypted on the target’s computer.

In the case of seized devices that are locked with a password or encryption key, these devices have a number of security holes that give authorities different options for gaining access, as WIRED previously reported. A story this week pointed to vulnerabilities in BitLocker that would make it fairly easy to bypass the Windows encryption tool. And the leaks of Edward Snowden show that the NSA and British intelligence agencies have a constantly evolving set of tools and methods for obtaining information from hard-to-reach systems.

We’re still living in an absolute Golden Age of surveillance,” says Cardozo. “And there is always a way of getting the data that is needed for intelligence purposes.”

3. Encryption Doesn’t Obscure Metadata.
Encryption doesn’t prevent surveillance agencies from intercepting metadata and knowing who is communicating with whom. Metadata can reveal phone numbers and IP addresses that are communicating with one another, the date and time of communication and even in some cases the location of the people communicating. Such data can be scooped up in mass quantities through signals intelligence or by tapping undersea cables. Metadata can be extremely powerful in establishing connections, identities and locating people.

“[CIA] Director Brennan gleefully told us earlier this year that they kill people based on metadata,” Cardozo says. “Metadata is enough for them to target drone strikes. And that’s pretty much the most serious thing we could possibly do with surveillance.
Some metadata is encrypted—for example, the IP addresses of people who use Tor. But recent stories have shown that this protection is not foolproof. Authorities have exploited vulnerabilities in Tor to identify and locate suspects.

Tor can make the ‘where’ a little more difficult, but doesn’t make it impossible [to locate someone],” Cardozo says. “And Tor is a lot harder [for suspects]to use than your average encrypted messaging tool.”

4. Backdoors Make Everyone Vulnerable.
As security experts have long pointed out, backdoors and encryption keys held by a service provider or law enforcement agencies don’t just make terrorists and criminals open to surveillance from Western authorities with authorization—they make everyone vulnerable to the same type of surveillance from unauthorized entities, such as everyday hackers and spy agencies from Russia, China, and other countries. This means federal lawmakers on Capitol Hill and other government workers who use commercial encryption would be vulnerable as well.

The National Security Council, in a draft paper about encryption backdoors obtained by the Post earlier this year, noted the societal tradeoffs in forcing companies to install backdoors in their products. “Overall, the benefits to privacy, civil liberties and cybersecurity gained from encryption outweigh the broader risks that would have been created by weakening encryption,” the paper stated.
If all of these aren’t reason enough to question the attacks on encryption, there is another reason. Over and over again, analysis of terrorist attacks after the fact has shown that the problem in tracking the perpetrators in advance was usually not that authorities didn’t have the technical means to identify suspects and monitor their communications. Often the problem was that they had failed to focus on the right individuals or share information in a timely manner with the proper intelligence partners.

Turkish authorities have already revealed that they had contacted French authorities twice to warn them about one of the attackers, but that French authorities never got back to them until after the massacre in Paris on Friday.
Officials in France indicated that they had thwarted at least six other attack plots in recent months, but that the sheer number of suspects makes it difficult to track everyone. French intelligence maintains a database of suspected individuals that currently has more than 11,000 names on it, but tracking individuals and analyzing data in a timely manner to uncover who poses the greatest threat is more than the security services can manage, experts there have said. It’s a familiar refrain that seems to come up after every terrorist attack.

If Snowden has taught us anything, it’s that the intel agencies are drowning in data,” Cardozo says. “They have this ‘collect it all mentality’ and that has led to a ridiculous amount of data in their possession. It’s not about having enough data; it’s a matter of not knowing what to do with the data they already have. That’s been true since before 9/11, and it’s even more true now.


Time has passed the Turkish alliance

About Muslim celebrations in Berlin, however, there appears to be no doubt. In my chapter “Eurabia,” in State of Emergency: The Third World Invasion and Conquest of America, [2006] is this quote from The New York Times Magazine, exactly 10 years ago.

Parallel to the declarations of ‘unconditional solidarity’ with Americans by the German majority, rallies of another sort were taking place in Neukolln and Kreuzberg. Bottle rockets were set off from building courtyards, a poor man’s fireworks, sporadic, sparse and joyful; two rockets here, three rockets there. Still, altogether, hundreds of rockets were shooting skyward in celebration of the attack, as most Berliners were searching for words to express their horror.

Neukolln and Kreuzberg are neighborhoods of “gastarbeiters,” Muslim Turkish workers who came to Germany in the millions to work in menial jobs beginning around 1960.

While the flap over what Trump saw persists, a more serious question has arisen: Is Turkish strongman President Recep Erdogan trying to draw the United States in on his side in the war in Syria, and into a confrontation with Vladimir Putin’s Russia?

A little history is in order. Not until 1952 did Turkey join the North Atlantic Treaty Organization, all but two of whose original 12 members were on the Atlantic or North Sea. Yet bringing in Turkey was a ten-strike, putting NATO on the Dardanelles and Bosporus and on the southern coast of the Black Sea, right up to the border of Stalin’s Soviet Union.

But the world that made Turkey such a strategic asset has vanished. Armenia and Georgia are no longer Soviet republics but free nations. The Soviet Empire, Warsaw Pact, and Soviet Union no longer exist, and Balkan nations as well as the Baltic States are members of the EU and NATO.

Turkey is no longer the secular nation-state of Kemal Ataturk, but increasingly hearkens to the Islamic Awakening. In Syria’s civil war, her behavior has not been what one might expect of an ally.

The Turks left the door open for jihadists to join ISIS. They are accused by two Turkish journalists, now facing life in prison, of shipping arms to ISIS. The Turks are charged with permitting ISIS to move oil from the Islamic State into and across Turkey. Russia, which joined the U.S. in bombing the tanker trucks that move the oil, charges Erdogan’s son with being involved in the black market trade with the caliphate.

Instead of battling ISIS, Erdogan is fighting Kurds in Turkey and Iraqi Kurdistan and is threatening to attack Syria’s Kurds if they cross to the west bank of the Euphrates. Ankara is also becoming dictatorial and repressive.

Erdogan has dismal relations with Egypt and Israel and appears hell-bent on bringing down Bashar Assad in Syria. Yet, Assad’s army remains the sole force standing between ISIS and Damascus.

Erdogan’s Turkey has its own separate national agenda. While understandable, what is of concern is that Erdogan could escalate his clash with Assad’s regime into a clash with Putin’s Russia, which is backing the Syrian regime—and drag us into his war.

And the longer this war goes on, the greater the likelihood of something like this happening. For the operative premise of NATO is that an attack against one is an attack against all. What do we do should Erdogan provoke a Russian attack on his aircraft, and then invoke Article V and call on all NATO nations to come to Turkey’s defense against Putin’s Russia in Assad’s Syria?

Turkey’s shoot-down of the Russian Sukhoi Su-24 makes this more than a hypothetical question. While the Russians have indicated they are not going to make this a casus belli, Putin charges that the U.S. was given advance notice of the flight plan of the Russian plane.

Were we? Did we authorize, know about, or suspect Erdogan was planning to shoot that Russian plane down? This is no small matter. And Americans have a right to know.

Then there is the geostrategic question. The world of 2015 is nothing like Truman’s world of 1952 or Reagan’s world of 1982. The adversary we confronted then, the Soviet Empire and Soviet Union, has not existed for a quarter century. Why then does NATO, created to defend Western Europe against that adversary, still exist?

Why are we still committed to fight Russia not only to defend Germany, but Estonia and Erdogan’s Turkey, and if the neocons get their way, to be committed in perpetuity to fight Russia for Georgia, South Ossetia, Abkhazia, Moldova, Ukraine, Crimea, Donetsk, and Luhansk?

If the history of the 20th century teaches anything, it is that war guarantees all too often lead to war. But in this war against “radical Islamic terrorism,” who is the real ally: Erdogan, who has been aiding and abetting Islamic jihadists in Syria, or Putin, who has been bombing them?

Patrick J. Buchanan is the author of The Greatest Comeback: How Richard Nixon Rose From Defeat to Create the New Majority. Copyright 2015

Source:   The American Conservative