Encryption backdoor debate 'done and dusted,' former White House tech advisor says

interview In the wake of the Salt Typhoon attacks, which lawmakers and privacy advocates alike have called the worst telecoms security breach in America's history, US government agencies have reversed course on encryption.

After decades of advocating against using this type of secure messaging, "encryption is your friend," Jeff Greene, CISA's executive assistant director for cybersecurity, told journalists last month at a press briefing with a senior FBI official, who also advised us to use "responsibly managed encryption" for phone calls and text messages.

In December, CISA published formal guidance [PDF] on how to keep Chinese government spies off mobile devices, and "strongly urged" politicians and senior government officials — these are "highly targeted" individuals that are "likely to possess information of interest to these threat actors" — to ditch regular phone calls and messaging apps and instead use only end-to-end encrypted communications.

It's a major about-face from the feds, which have historically demanded law enforcement needs a backdoor to access people's communications — but only for crime-fighting and terrorism-preventing purposes.

"We know that bad guys can walk through the same doors that are supposedly built for the good guys," Virtru CEO and co-founder John Ackerly told The Register. "It's one thing to tap hardline wires or voice communication. It's yet another to open up the spigot to all digital communication." 

This, of course, is exactly what the the Communications Assistance for Law Enforcement Act — better known as CALEA — did 30 years ago. The 1994 law required telecom providers to design their systems to comply with wiretapping requests from law enforcement. In 2006, the FCC expanded this backdoor mandate to cover broadband internet companies.

We know that bad guys can walk through the same doors that are built for the good guys

CALEA also required telcos to lock down their own networks to prevent foreign spies from intercepting Americans' communications. But the FCC never really enforced this piece of the legislation. 

And earlier this year Beijing's cyberspies recorded "very senior" US political figures' calls as part of the Salt Typhoon espionage campaign. This breach, which one senior US senator called the "worst telecom hack in our nation's history — by far," has renewed calls to reform CALEA and remove these government-ordered backdoors that can be found and abused by others.

"The debate over end-to-end-encryption is done and dusted," Ackerly said. "It's over substantively, and as a country, we should be embracing encryption without backdoors."

Before Ackerly and his brother Will - who previously worked for the US National Security Agency - co-founded their data encryption startup, John Ackerly worked in the George W Bush White House as a tech advisor and played a role in developing the data privacy language in the 2000 Republican Party's platform, which called for encryption without backdoors into networks.

He was also in the West Wing when September 11 happened, and the terrorist events quickly quashed any pro-encryption messaging from the government.

Ackerly said he heard about the Salt Typhoon hacks almost 10 years to the week that he was in New York talking to the press about the 2014 Sony Pictures breach.

"So it was: Here we go again," he said. "But then it became super clear that this is orders of magnitude more devastating than any single hack to a particular company."

• Blocking Chinese spies from intercepting calls? There ought to be a law
• China's Salt Typhoon recorded top American officials' calls, says White House
• Salt Typhoon forces FCC's hand on making telcos secure their networks
• T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'

Burrowing this deep into America's telecommunications systems essentially gave Salt Typhoon attackers access to "every company across the country and every American," Ackerly added. "This is the worst breach in our nation's history. So that was my second reaction. And then the third reaction was: okay, maybe people will wake up."

The public and lawmakers should wake up to the need for E2EE, he said, adding that Congress should step in with a legislative fix. "Batten down the hatches, the way Ron Wyden is proposing with security requirements for the telecom companies that have been asleep at the wheel," Ackerly said.

He's referring to the US senator from Oregon's proposed legislation that would require American network operators to implement cybersecurity standards and ensure their systems are not susceptible to hacks by nation-state attackers.

Wyden, in announcing the Secure American Communications Act, blasted the FCC's "failure" to implement security standards already required by CALEA.

"What we have to fight against is complacency and bad policy," Ackerly said. "That's why CALEA needs to be reformed. Keep a Klieg light on this until there's a better answer than just: The Chinese are still there, I don't know what to do. It's just too late, forget it." ®