Law enforcement has a whole new landscape to protect. There is no such thing as national security without cybersecurity—a game that is won or lost according to who can be more creative, patient, persistent, and single-minded. Hackers don’t have rules, just a target—and an unlimited choice of pathways to get at the “attack surface.” Law enforcement can’t be everywhere all the time, but the unprecedented cybersecurity concerns facing our world put a premium on a new kind of prevention.
Only a couple of years ago, RSA President Amit Yoran complained that the US government’s “perspective and agenda differs greatly from those trying to defend networks. Some policy proposals, like weakening encryption, are so misguided they simply boggle the mind.”
Since then the relationship between law enforcement authorities and the business community has moved closer toward a workable cybersecurity partnership. Blending intelligence from public and private sectors is one of the crucial weapons in the fight against cybercrime. The U.S. Secret Service and the Department of Justice, among others, share information from their cyber investigations with each other and with trusted security practitioners in private sector companies.
But, while these law enforcement entities use strong encryption, and encourage private sector organizations to do the same, they now face an investigative conundrum: the “Going Dark” problem.
Traditionally, agencies like the FBI have depended on powers granted by 1994’s Communications Assistance for Law Enforcement Act (CALEA) to obtain court-ordered intercepts of data in motion and data at rest (stored on devices). CALEA applies to traditional telecommunications carriers, VoIP services, and broadband providers, but does not cover thousands of companies and communication services that exist today, including, for instance, encrypted direct messaging platforms that have become communication havens for terrorist groups.
Former FBI Director James Comey has said, “Armed with lawful authority, we increasingly find ourselves simply unable to do that which the courts have authorized us to do. It isn’t a question of conflict; we must care deeply about protecting liberty through due process of law, while also safeguarding the citizens we serve.”
Enter the Department of Justice’s National Domestic Communications Assistance Center (NDCAC). NDCAC does not conduct cyber surveillance—it acts as a hub to leverage and share the law enforcement community’s collective technical knowledge, solutions, and resources. For instance, while NDCAC cannot help local officials crack encryption introduced by makers of cellphone operating systems or messaging platforms, it can suggest alternate solutions, such as exploiting cloud backups. The assumption is that when NDCAC solves computer issues one agency encounters, it will likely fix the problem for all.
“Lawful hacking” may provide a more sustainable solution than dangerous “back doors” that completely circumvent encryption and security components. For instance, grabbing the metadata on messages can often provide crucially valuable information. As former NSA director Mike McConnell says, “If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.” Of course, while the NSA possesses the resources, capabilities, and time necessary to attack the issue, agencies like the FBI have far fewer of those assets.