The U.S. intelligence apparatus still wants a key to your private data. Specifically, it wants “backdoor,” or “exceptional,” access to encrypted data when a court order is obtained for it. Last week, the nation’s intelligence heads—FBI Director James Comey, CIA Director John Brennan, Director of National Intelligence James Clapper, National Security Agency Director Michael Rogers, and Defense Intelligence Agency Director Vincent Stewart—went before the House Intelligence Committee to lay out the threats and make their asks. After raising the specter of crippling large-scale cyberattacks, Clapper said the more pressing concern was persistent, ongoing small attacks, or as Foreign Policy put it, “Get Ready for Everything to Be Hacked All the Time.” To fight these attacks, Clapper wants streamlined access to the private accounts of Americans—an idea that is unnecessary at best and counterproductive at worst. And the intelligence leaders’ bad ideas didn’t end there
While the increasing regularity of both computing and security breaches makes Clapper’s concerns very real, the approach the intelligence agencies want to take is sorely inadequate. While they spent a long time discussing deterrence and surveillance, Clapper et al. practically ignored the most crucial and central aspect of fighting cyberattacks: security. In light of the recent, catastrophic Office of Personnel Management data breach, which compromised the sensitive personal data of more than 20 million people, Clapper’s sense of priorities, as evidenced by his refusal to call the OPM breach an “attack,” is clearly warped. (“There was no destruction of data or manipulation of data,” he said. “It was simply stolen.”) If sensitive information is a house, then the government wants surveillance cameras everywhere and stiff sentences for thieves, yet can’t be bothered to lock the door.
Instead, Clapper and Comey stressed the need for greater deterrence of cyberattacks: not securing systems, but creating incentives against hacking. Regarding the OPM breach, Clapper said, “Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue.” There are two things wrong with this statement. First, it’s not easy to attribute these attacks to their perpetrators. Even if the U.S. government is convinced that the OPM attacks originated from China, it likely hasn’t figured out whether they were state-sponsored. The government’s attribution of last year’s Sony Pictures hack to North Korea remains dubious and inconclusive, as I pointed out shortly before everyone forgot about it. In the absence of reliable attribution, deterrence is impossible, because the actor will always have plausible deniability.