Encryption is not the enemy: A 21st century response to terror

Whenever terrorists strike, governments respond. It is in the quality and wisdom of those responses that the future of our society rests. David Gewirtz looks at the question of encryption, and how we should think about policy and security in light of the Paris attacks.
Written by David Gewirtz, Senior Contributing Editor

When an attack like that which occurred in Paris takes place, most people with any shred of humanity experience anger and rage, but also a sense of bafflement about how anyone could possibly contemplate, let alone carry out such a heinous deed.

Unfortunately, it is the nature of terrorist attacks that -- at the very least -- the base terrorist goals of attention, horror, and reaction almost always occur. As much as we as a reasonable society shouldn't give these criminals any juice, when hundreds of our fellow world citizens are killed -- and even more are hurt -- we stand up and take notice.

We write about it. We talk about it. We share heartfelt feelings of condolence. And governments take action.

This, of course, is as it should be. Governments are responsible for protecting their citizenry, and in the absence of prediction and prevention, pursuit and prosecution are the most appropriate actions. These terrorists need to be hunted down, their followers arrested, and their organizations destroyed, eradicated from the planet. They need to be exterminated.

In the wake of any terrorist attack that wasn't thwarted before it occurred, governments also look at their intelligence gathering process and try to understand both what was missed, and how they might do a better job in the future. What signals were missed? What subtle indicators weren't linked with other subtle indicators to lead to an early warning? How might we have been able to predict this? What can we do better in the future?

This is where policy can either take us to a more secure society or to a more totalitarian and, concomitantly, a weaker one. Policy changes happen for both good and bad reasons. They happen to fix flaws, but they also happen because politicians need, like everyone else, to do something.

Today, because of the incredibly powerful nature of consumer and commercially-available technology, we're having a dialog about how and whether governments can peer inside private personal communications. After all, some would say if we could siphon up all the digital talky bits, run them through ginormous Hadoop arrays, and identify suspicious conversations, we might be able to prevent the next attack.

Let's leave aside the not-so-minor issue of the Constitution in America, and similar foundational rights in other nations, and just move on to where such thinking has progressed. Let's say we want to vacuum in everyone's conversations and communications. We can't, because some of them are encrypted with really good crypto.

So then, say desperate policy-makers, let's make sure we can tap into that crypto. Let's make sure all the big companies leave us back doors, leave us ways into consumer and business communication, give us a way to dig through all those digital bits, hopefully in real-time, to prevent further incidents.

This kind of thinking is both foolish and dangerous -- and ultimately ineffective.

Any time a back door or a pre-built vulnerability is left in a system (let's say, like our phone operating systems), it weakens everyone's safety. Sure, it might give some governments a temporary advantage, but it's far more likely that hackers and terrorists themselves will use these vulnerabilities to further cause damage to citizens or, at the very least, steal their personal and financial data.

And lest any policy-makers reading this think, "Well, it'll be safe because we'll safeguard the keys," let me point out the elephant in the room: the United States Office of Personnel Management (OPM) was systematically penetrated and deflowered to such a complete and damaging degree that the actual fingerprints of U.S. government officials with high-level security clearances were exfiltrated with the alacrity of water entering a submarine through a screen door.

Over the coming months, as we process, mourn, and investigate the events of Paris on Friday, influencers and advisors the world over will be citing these attacks as a reason for increased security and readiness. This is as it should be, for a civilized society cannot let these monsters run free and unpunished.

But as we look towards policy, it's also critically important to avoid long-term mistakes for short-term relief or gratification. Strong security in consumer and commercial products strengthens us all. This is why we have such important and necessary organizations like the NSA, GCHQ (UK), and DGSE (France).

After all, they have superpower budgets and brainpower. That's important, because if they have to struggle mightily to break encryption or perform signals intelligence, then the bad guys won't be able to take advantage of holes in our security.

Strong encryption for everyone is a national security advantage.

We need to use the disproportionate capabilities of NSA and GCHQ and DGSE to fight back against the terrorists. Don't give them any advantages. Don't leave them backdoors or weaknesses. Use the power of allied intelligence agencies to break through, track them down, bring them to justice, and then rip their spines out of their living bodies.
