Apple vs the FBI: Security vs Security

I thought the national threat assessments presented by DNI Clapper and DIA Director LtGen Stewart along with the release of the FY17 defense budget would offer plenty to engage you with in February, but the more I examined them the less interesting I found them to be.  The biggest news in the Obama Administration’s last defense budget is that it remains essentially flat while laying down markers for transitioning to the as yet to be defined “Third Offset” which will increase military power through the smart use of technology to enhance human capabilities in the battle space.  The intelligence threat assessments presented to the House and Senate Armed Services Committees were, to be kind, a laundry list of twenty plus threats that seemed more aimed at justifying why the defense and intel budgets for FY 17 should not be cut than providing the national leadership with informed insights about the most dangerous threats confronting our country.  It seems the media and the presidential campaigns reacted the same way I did given the amount of attention they have shown these threat assessments and what would be the next President’s inherited defense budget.

Far more interesting to me in February were the three national security stories that continue to be slow rolled.  During LtGen Stewart’s threat assessment testimony, HPSCI Chairman Devin Nunes expressed his growing impatience with the slow pace of the DoD IG’s investigation into the now six-month-old charges that CENTCOM intelligence assessments were being altered by seniors in the chain of command so the White House could claim progress against ISIS.  Similarly, the Chairman of the Senate Armed Services Committee Senator McCain expressed public anger with the Navy and DoD for not providing his committee with more details regarding the capture and release of two USN riverine patrol boats off of Farsi Island in the Persian Gulf by Iranian Revolutionary Guard forces.  Unless DoD and/or the Navy becomes more responsive, Senator McCain says he is ready to subpoena the eleven USN sailors involved in this bizarre capture and release incident.  Then there is former Secretary of State Hillary Clinton’s email saga, which the Justice Department keeps signaling that it does not intend to deal with until after the election in November.

Certainly the most controversial national security topic of 2016 so far is the debate about whether Apple can refuse to comply with the FBI’s warrant that the company provide a decryption code for unlocking the iPhone of San Bernardino terrorist Syed Rizwan Farook.  The FBI says it needs Apple’s assistance to unlock Farook’s phone so it can determine who else might have been involved in the December 2nd shooting that left 14 dead and 22 seriously injured.  Apple is refusing on the basis that by assisting the FBI it will make its customers’ data less secure to both domestic and foreign intrusions in the future.  There is also the interesting legal wrinkle that the FBI is not asking Apple for an existing decrypt code but asking that the company develop one for unlocking Farook’s iPhone.  The larger issue at play here, of course, is the commercial IT industry’s ability to make available in the marketplace end-to-end encryption that could put information beyond the reach of the government even with a warrant for legitimate criminal and national security investigations and would effectively create “evidence free zones” for those meaning to do harm to American citizens and interests.

As would be expected, the law enforcement and intelligence communities support the FBI’s position as essential to protecting Americans from both terrorists and criminal enterprises that could be domestic or foreign in origin.  Conversely, civil libertarians and the tech industry side with Apple in terms of protecting American citizens against the U.S. Government, foreign governments, terrorists, criminals, and corporations accessing private information for their own purposes.

Two developments have surprised me though as this fascinating and important legal debate has unfolded.

The first is Secretary of Defense Ash Carter telling the RSA Conference in San Francisco during the first week of March that he favors strong encryption without backdoors.  “Data security — including encryption — is absolutely essential for us,” he said. “None of our stuff works unless it’s connected … So we’re four-square behind strong data security and strong encryption.”  NSA Director Admiral Mike Rogers in his remarks earlier in the week at this same RSA Conference avoided direct comment on the FBI/Apple debate but said in concluding his presentation that one of the things that gives him the greatest concern is cyber operatives expanding from denial of service and theft of information to the manipulation of data such that we lose confidence in the data the digital enterprise is delivering to us.  While comments he has made in different venues suggest Admiral Rogers sees a strong need for government access to commercial encryption for national security reasons, his concerns about data manipulation also indicate he understands the importance of data protection for these same national security concerns.

The second surprise is the Chertoff Group White Paper “The Ground Truth about Encryption and the Consequences of Extraordinary Access” (http://chertoffgroup.com/cms-assets/documents/237983-373343.the-chertoff-groupthe-ground-truth-abo). The conclusion this paper comes to is that “an extraordinary access requirement is likely to have a negative impact on technological development, the United States’ international standing, and the competitiveness of the U.S. economy and will have adverse long-term effects on the security, privacy, and civil liberties of citizens.”  The surprise is not in the arguments this paper makes for unbreakable commercial encryption, but that it is coming from a group founded and led by Michael Chertoff who served as President George W. Bush’s Department of Homeland Security Secretary from 2005 to 2009.

This clash of competing rights between the government’s legitimate needs to have access to information essential for ensuring the security/safety of Americans and the needs of Americans to protect access to their information from intrusion and misuse when the federal government can’t or won’t is the grist for a landmark Supreme Court decision.  I am not smart enough to know whether we are safer with the government being able to obtain citizens’ digital information with a warrant or if we are more secure if encrypted data is protected from all seeking access to it.  What I am confident about is that our judicial and legislative processes will arrive at a conclusion for this access to encrypted data conundrum (perhaps with assists from the tech and policy communities) that will be widely accepted because we will all understand how and why it was arrived at thanks to our Constitution.

That’s what I think; what do you think?


The Road to War is Littered with Miscalculations

Obama Administration nemesis Senate Armed Services Committee Chairman Senator John McCain and Secretary of Defense Ashton Carter are in agreement that Russia, China, and Iran are all taking actions to assert their influence and demonstrate their ability to confront the United States.   At the Reagan Defense Forum on 7 November the Sec Def observed that “Some actors appear intent on eroding these principles and undercutting the international order that helps enforce them.”   Secretary Carter went on to warn that while the US does not seek confrontation it remains resolved to “…defend our interests, our allies, the principled international order, and the positive future it affords us all.” (http://www.militarytimes.com/story/military/pentagon/2015/11/08/defense-secretary-ash-carter-says-russia-china-potentially-threaten-global-order/75412284/).  This current environment of confrontation creates a tinder box from Syria, to the South China Sea, to any venue for physical terror, to cyberspace where potential shows of strength by Washington, Moscow, Beijing, Tehran, Damascus or Raqqa will increase the probabilities for a miscalculation that could lead to devastating unforeseen and unintended consequences.

Though not yet confirmed, “intelligence chatter” is indicating that ISIS is probably responsible for the 31 October bombing of Metrojet flight 9268 over the Sinai as it was returning 224 Russian vacationers to Saint Petersburg from the Egyptian sea-side resort of Sharm el-Sheikh.  Apparently this “intel chatter” was not specific enough to be actionable.  The intelligence imperative here is the difficult task of penetrating ISIS with human sources who can provide more granular insights about potential actions both on the battlefield and those directed against the international community.  The quickest way to rectify this lack of HUMINT would be to gain access through Assad’s security forces to members of ISIS that Syria has captured, but that would mean a deal with the devil brokered by Vladimir Putin.

Last month when I was opining about how things could get worse in terms of Syria and ISIS, I didn’t contemplate an act of airline terrorism aimed at Russia when I obviously should have.  If ISIS is responsible for bringing down Metrojet Flight 9268 (as they claim they are) then there is a good chance this could lead to Russia and the US tacitly joining together in an “ISIS First Campaign” enabling Bashar al-Assad’s regime to remain in control of Syria until the Islamic State (IS) is neutralized.  With or without US support it seems a reasonable conclusion based on current behavior that Putin will double down on military pressure against ISIS.  Of course, the demise of ISIS works to the benefit of Iran in creating a Shiite satellite in southern Iraq that would be a menace to Saudi Arabia.  The alternative is Saudi Arabia funneling money to ISIS to buy them off from bringing their brand of Islamic Revolution to the “Kingdom” while keeping Iran and its Shiite proxies on the defensive.

Concurrently on the other side of the world USS Lassen conducted on 27 October a Freedom of Navigation Operation (FONOp) in the South China Sea sailing within 12 nautical miles of China’s claimed and militarily fortified Subi Reef.  This was quickly followed on 05 November by US Secretary of Defense Ash Carter and his Malaysian counterpart flying out to the nuclear aircraft carrier USS Theodore Roosevelt (aka “The Big Stick”) as this carrier strike group transited the South China Sea en route to its new home port of San Diego after a deployment to the Persian Gulf where its air wing conducted strikes against ISIS in Iraq and Syria. China’s reaction was public but muted with a stern warning given to the US Ambassador in Beijing by China’s Deputy Minister of Foreign Affairs for LASSEN’s violation of Chinese territorial waters.  The Chinese also deployed additional military aircraft and missiles to the Spratly Islands.  The US response was to announce its intentions to continue to conduct regular FONOps in the South China Sea and for Secretary Carter to visit the “TR.”  While there has been no overt Chinese military reaction to USS Theodore Roosevelt’s transit of the South China Sea, a Chinese Diesel Electric Submarine was reportedly tracking USS Ronald Reagan in late October as it conducted a naval exercise in the Sea of Japan with the Japanese Maritime Self Defense Force. And in a return to a common Cold War practice, two Russian TU-142 Bear aircraft conducted close-in surveillance of Reagan under escort by the carrier’s F/A-18’s during this same period.

The daily cyber intrusions against the U.S. private sector by Chinese and Russian state sponsored organizations are well documented and now Check Point Software Technologies on 09 November published a 38-page report identifying specific details and broad analysis on cyber-espionage activity conducted by the group Rocket Kitten, with possible ties to the Iranian Revolutionary Guard Corps (http://blog.checkpoint.com/2015/11/09/rocket-kitten-a-campaign-with-9-lives/).  As a result of these menacing cyber assaults, the American private sector is becoming increasingly frustrated with the government’s inability to protect US industries from state sponsored cyber intrusions.

This is generating debate between the private sector and NSA/CYBERCOM about whether and when those in the private sector can engage in “active cyber defense” against those doing harm to them.  Proponents of active cyber defense contend that cyber space is not exclusively a government domain and if the government can’t or won’t protect the private sector from cyber harm then U.S. private entities should not be denied the right of self-defense.  Those opposed to active cyber defense by the private sector contend that the Constitution reserves to the federal government the responsibility for the conduct of foreign affairs.

In its wisdom, Article 1 Section 8 of The United States Constitution states that “The Congress shall have Power to … grant Letters of marque and reprisal.”  This power was used to some effect in the early days of our republic to allow for commercial shipping to make up for our lack of naval power.  At both SAP N2S Solution Summit and the Reagan Defense forum, NSA Director/CyberCom Commander Admiral Mike Rogers said he thought issuing letters of Marque and Reprisal is a reasonable means for the government to authorize selected private companies and individuals to take active cyber defensive measures against those perpetrating harmful cyber actions upon them.  Adm Rogers, however, went on to express his deep concern about the unintended and unforeseen results of private entities taking cyber self-defense/retribution action against foreign state sponsored cyber actions.

I am not sure what is the best way to deal with this cyber constitutional conundrum, but I am reasonably certain that if the US does not develop a coherent policy, organization, and rules of engagement for private sector cyber active defense (and a well-regulated private sector cyber militia, with or without Letters of Marque and Reprisal, sounds like the right approach to me) then U.S. commerce will remain vulnerable to foreign cyber intrusions, while all the unintended/unforeseen events Admiral Rogers is rightly concerned about will be at greater likelihood of happening anyway.

No good options with regard to Syria and ISIS, a return to Cold War-like military tensions with Russia and China, and the US private sector looking to take cyber defense into their own hands create continuing opportunities for miscalculations. The only thing worse than miscalculation is a blunder!

That’s what I think; what do you think?