That Time I Stated the Obvious and Accidentally Made News
It’s important to know your friends, whether human or mathematical.
A few months ago, I was part of an international roundtable discussing encryption policy (nerd alert). While we were waiting for the event to start, another participant came up to me and said “hey, aren’t you the ‘encryption is your friend’ guy?” I replied that yes, indeed I am that guy, and thanks for asking. As I will explain, I was not surprised that someone knew of the comment. What did surprise me is that this person is not from the United States; in fact, he is from the literal other side of the planet. I hadn’t realized how far that one unplanned line had traveled.
Words Matter.
As background, I’ve done a lot of public speaking in my career, but it felt different when I was on the National Security Council and later when I ran the Cybersecurity Division in the Cybersecurity and Infrastructure Security Agency. I wasn’t just spouting whatever came to my mind as some talking head from a cybersecurity company or a think tank. Instead, when I spoke in my capacity as the NSC’s Chief of Cyber Response & Policy or CISA’s EAD for Cybersecurity, my words were generally taken as an official position of the United States Government.
I was very aware of this and thus was extraordinarily careful, both in my prep and with the words I chose. And I talked a lot in those jobs – about everything from the cyber threats to the homeland that accompanied Russia’s brutal invasion of Ukraine, to ongoing Chinese efforts to compromise our most critical systems, to the remarkable work that CISA did to protect federal networks after the massive SolarWinds intrusion in 2020.
I knew – or at least thought I knew – when my words might make news. So imagine my surprise when stating the patently obvious turned out to be the thing that made the most headlines and that has followed me since.
“Encryption is your friend.”
That’s it. That’s what I said. Four words. Six syllables. And an unexpected shitstorm. I had unintentionally been “surprisingly blunt.”
Really? Because I said “encryption is your friend”?!? But it’s a no-brainer that encryption is your friend: it’s the foundation of digital privacy. It’s why you can be confident buying things online, it’s how you send secure messages to your friends and loved ones. It is the grease that allows our digital world to work. So I didn’t think that saying this truism would be news, let alone be seen as bluntness of any kind, let alone of the surprising variety.
There is Good Faith on Both Sides.
Of course, as most of you reading this know, there’s more to this issue – hence the aforementioned shitstorm. Encryption, and specifically end-to-end encryption, makes it harder for governments to access data, conduct investigations, and collect intelligence. The underlying debate over this aspect of encryption has been burning for decades; it is often known as “lawful access” and addresses the when, how, and why governments can get customer data that companies hold. From the 1990s fight over the “clipper chip” to the recent “going dark” dispute, the public attention surrounding the issue has ebbed and flowed, but the intensity of the underlying dispute has not waned.
All sides can lay claim to a moral high ground. Moreover, all can make legitimate, principled cases to support their position: encryption is an essential privacy tool that protects against criminals and repressive governments, but it is also one that criminals, terrorists, human traffickers, and repressive governments use to do harm. There is no easy answer and you should be suspicious of anyone who tells you otherwise.
But Math is Still Math.
Unfortunately, though, the question of building backdoors into encryption is one that is well and truly binary. No matter the noble intent, if you do it you weaken the encryption. Full stop. Sure, you can build a system to secure that backdoor as best possible, but if we’ve learned anything from the breaches of the past quarter century it is that nothing is secure when a determined adversary wants it. And an encryption backdoor is something that a lot of adversaries would want. Badly.
In light of all this, you may wonder why I, then a senior US government cyber official, did not consider the impact of my words. The short answer is that on a higher level, I did. Yet while this is an issue I have struggled with as I’ve worn different government and private sector hats over the years, the simple statement that encryption is essential was not something I imagined would be such news.
The longer answer is that among CISA’s senior leadership, we did know that telling Americans to use end-to-end encryption would not go over well with some of our partners in government (and around the world). But context is important – I was on a press call providing reporters an update on our work responding to the People’s Republic of China’s 2024 compromise of our telecommunications backbone. Among other details, an interagency partner and I were talking about the PRC’s ability to collect the actual content of some communications. Again, not news: three weeks earlier CISA and the FBI put out a joint statement that the intrusion “enable[d] . . . the compromise of private communications of a limited number of individuals.”
So not surprisingly, multiple reporters (as well as many in Congress, the Executive Branch, and elsewhere) wanted to know what they should do to protect their privacy. My answer on that call was the same one we were giving inside the US government: as much as possible, use an application with end-to-end encryption for calls and messages. Or, as I said in response to the third or fourth question about this, “encryption is your friend.” I simply didn’t think this was news, as we had issued similar guidance to federal agencies. I mean, the press had reported on that guidance. Over the next few hours, I quickly learned I was wrong.
My phone blew up with messages from friends and colleagues from previous lives, many offering “congratulations” while others expressed surprise and even outrage. I did not know how to respond then and struggle to respond now, beyond thanking them for the outreach. At times I had to confirm that this was not misreporting and that I did in fact say those words in that order. I’m still taken aback as I type this.
But at least most of them were using encrypted messaging apps.
Inc. “surprisingly blunt” article: https://www.inc.com/jennifer-conrad/why-you-should-start-using-encrypted-communications-today/91034632
FBI & CISA joint statement: https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-peoples-republic-china-prc-targeting-commercial-telecommunications
Hoooooh boy. Hi Jeff. You know I have some opinions here and have been playing in the encryption issues in and out of govt for quite some time.
There is no real USG position on "strong" encryption or E2E as it gets vigorously debated internally due to the different mission needs. FBI wants access to evidence when they want it. They are very public about this and how (what they call) warrant proof encryption aids criminals. CISA tried to come out with a supportive statement for E2E but ended up watering it down to play the middle.
At NIST, the agency making encryption standards, the main issue is not to address this in the math, as you call it. The actual encryption itself must be trusted and, if there is a decision to do something for access, that should not be required in the algorithms. At that point, why use a US algorithm? Let's use the Chinese standards instead and go to the larger market.
The IC wants everyone to just shut up. They end up getting what they need with folks who use bad, broken, outdated or incorrect implementations.
While crypto is your friend, it's actually a difficult technology to implement.
Hard crypto is good: Good crypto is hard.
Now, what about the talk of season two of Acolyte????
Side note on times they are a-changing. It's not just AI taking up all the VC money and O2 in the room, but we are about to do some significant encryption changes across the infrastructure in the near future on our crypto. On a positive note, we were very good at abstracting encryption away from users, so it just happens. On a negative note, we were very good at abstracting encryption away from users, so it's hard for changes to just happen.
Quite intriguingly, the people who are the most vocal advocates for backdoors in crypto are also the most particular about the one they use not having any.