EWI Board Member Michael Chertoff discusses the OPM breach and steps to enhance cybersecurity in an interview with The Huffington Post.
If you can’t lock your door, you can’t maintain the privacy of your home. If you can’t encrypt your phone, you can’t keep your personal data private, either. As tech companies and law enforcement agencies clash over encryption, security and privacy, a former Bush administration official is coming down forcefully on the side of technology that supports civil liberties rather than erodes them.
Michael Chertoff, who served under President George W. Bush as the nation's second Secretary of Homeland Security, suggested to The Huffington Post that using encryption to keep your data or messages personal is like having a quiet, private conversation between friends.
"If I pull you off into a corner and talk to you privately about something, it’s not recorded," he said. "We don’t record conversations in public places so that people can’t whisper to each other and then not tell the authorities what they talked about. That’s not our culture."
Law enforcement and intelligence agencies do, of course, record other conversations. Warrantless surveillance of phone records and the Internet significantly expanded under Bush and then President Barack Obama, until former NSA contractor Edward Snowden leaked information about the secret programs, galvanizing reforms of the Patriot Act.
The U.S. government experienced its own security breach earlier this year, when the Office of Personnel Management disclosed that China-based hackers had reportedly stolen clearance information for millions of federal employees, including more than 5 million fingerprints.
Now, the Obama administration is facing growing pressure to support strong encryption in the United States, with a broad coalition of civil liberties and privacy advocates petitioning the White House to make a strong public statement in favor of improved security to protect personal information, mobile devices and business secrets from hacking or loss. In a recent episode of HuffPost Live, advocates discussed the issues and points of contention.
HuffPost spoke with Chertoff, who now runs a risk management and security consulting firm, this September. The following interview, which touches on technology, spying, privacy and legislative reforms, has been edited for length and clarity.
We've seen huge data breaches in the private sector, but the hack of the Office of Personnel Management looks like the most serious breach of confidential data I can recall. What fallout are you seeing from it?
As to the OPM breach, I agree with you. A number of commentators think that this is less about criminality and more about trying to do, essentially, a database of American citizens, which should be useful for intelligence purposes. That is a huge step forward, in terms of the kind of espionage that they do traditionally.
Beyond that, there’s an emerging ability to corrupt or destroy data, or interfere with the operation of control systems which goes far beyond getting your personal information erased. It is actually potentially disruptive for physical objects or the death of human beings.
I think it is a much broader problem than just the data breach privacy discussion that we’ve been having. As we multiply the number of devices that are connected, often without much consideration of security, I think it’s only going to become a bigger and bigger issue.
Is there a proportionate response to this kind of espionage, in terms of China? Do you support enacting economic sanctions for such actions?
First of all, separate the two types of espionage. I’m very traditional in taking the view that commercial espionage by government is inappropriate. I think the administration talked about some kind of sanctions for companies that benefit from intellectual property, and that’s an unusual approach.
It gets trickier when you get to national security espionage. You protest against it. If you find someone who does it, it’s appropriate to prosecute them. Frankly, that really worked in the Cold War. The Russians did it to our spies, too.
It’s a little hard to get worked up into a moral outrage, because what the Chinese have done with respect to OPM, at least in my view, is a variation on a traditional theme of gathering intelligence, but they’ve been able to scale it up.
Our biggest response has got to be to protect our assets. I think the most serious disappointment in the OPM breach is it appears people didn’t even take the steps that they were told to take to reach a minimum level of security. They utterly missed the fact that they were holding very valuable information. They viewed themselves as if they were like a great big HR department.
We need to have a bigger understanding of the value of data, so that people understand that it’s not just credit cards that matter. There’s all kinds of information that can be useful to an adversary or competitor that needs to be protected.
What steps should average businesses and citizens take, with respect to protecting their own information? What tools should we have available to us?
Obviously, encryption of data in motion and data at rest is a very useful tool. Not everything needs to be connected to everything else. How do you handle administrative privileges? Who gets to set conditions of access and things of that sort? How do you internally monitor the perimeters or anomalous behavior, or something that’s happened that’s inexplicable?
Use a number of different techniques. You’re not totally eliminating the risk, but you’re reducing the risk and you’re managing it. That mitigates a lot of that potential damage from these kinds of attacks.
Risk is an important word, in this context. The FBI and the Justice Department are asking citizens to accept the idea that we should put ourselves at more risk through weakening encryption so that they can access our mobile devices if they have a warrant. What’s your position?
I think even with [strong] encryption, there would be plenty of other ways that law enforcement and judges can use to protect us. That’s always been the case traditionally. In the old days, back when I was doing cases as a prosecutor, they didn't talk very much. We were still able to make cases using other techniques.
I understand what the motivation of the FBI and the law enforcement people is, but I think it’s misguided for a number of reasons. To believe that if you have a law to require a duplicate key or a key escrow, that bad people wouldn’t find another way to make their messages disappear, even if they had to go to technologies and providers from other parts of the world? Frankly, that’s the world we’ve always lived in.
Would bills like the Cybersecurity Information Sharing Act of 2015 or the Cyber Intelligence Sharing and Protection Act, both designed to promote voluntary information sharing between the private sector and government, help with these kinds of issues?
There are a couple areas where I think legislation would be useful. One, I think it would be promoting information [sharing] by creating liability protection for people who share information in an appropriate way both with the government and also among themselves, making sure that what they share is confidential so that they don’t feel constrained about giving information about attacks.
Updating the Electronic Communications Privacy Act will eliminate an anomaly between how we treat interception of email that’s current versus stored email, which is a distinction that maybe made sense when the statute was passed many years ago, but has lost its logic. That would go some way in promoting a greater sense of reassurance about privacy, and that’s certainly an important part of the discussion.
The Computer Fraud and Abuse Act also poses issues for the security research community. People are concerned, with some justification, that if they do research on government or commercial websites, they could be held liable or even prosecuted. Should there be any reform of the law, in your view?
I’m not aware anybody has been prosecuted for doing research, so I don’t know how much of a problem that is. I think, in general, with newer technology, statutes that are 10 years or 20 years old often make no sense, simply because they were drafted at a time when the architecture was radically different from what we have today. These things ought to have an expiration date.
What frustrates you about what Congress and the press say about technology and security?
To me, the most frustrating thing is when people treat privacy and security as if they are trade-offs. I think you can’t have privacy without security. If by privacy we mean, "you give me your information, and I’m gonna make sure it’s treated in a proper way," that promise is meaningless if I can’t enforce it. If somebody can hack into my data, it doesn’t matter what I promised you. It’s going out the door anyway.
At the same time, without privacy, we can’t be secure. Security is to be able to keep data, to keep control of data that you’ve generated that is relevant to you.
I would like to see less of an oppositional approach and more taking a view that these things are actually interdependent and mutually reinforcing.
To read the interview at The Huffington Post, click here.