One remarkable thing about last week’s National Security Conference was how few commentators invoked any form of encryption. From the very outset, the debate over encryption seemed to be either framed as an approach to security and privacy or as an issue of encryption itself. But now that memory is fading, and the political debate is over, it’s worth revisiting the argument in this article by James Bamford. This is his argument that the encryption of encryption technologies provides a primary security mechanism for the operation of modern, sophisticated, national security-oriented information systems.
Bamford has been studying encryption for about ten years. For example, as he explains, several governments, including his own, have claimed that “all information had to be encrypted.” This is not a criticism of encryption: it makes sense that, as Bamford puts it, if “all information was required to be ‘encrypted’ or ‘encrypted’ as widely as possible, it would have come under a lot of surveillance.”
But, at its core, encryption is focused on protecting and securing national security, even if the security can be overridden if national security is deemed imperiled (as in the case of the alleged attempted hack of the State Department website, or of the World Wide Web). The distinction here is between willful concealment and willful consent, and the command to do something (see Superlawbox for more details). When someone is willfully concealring something, it is not clear what they expect to gain by doing so. Conversely, if they accept the notion that their privacy rights are strong enough to withstand such persistent surveillance, that can be a powerful basis for concealing whatever they do, at least at first. Bamford argues that complete and explicit consent is not sufficient to secure, particularly if the surveillance is inadvertent (as in Bamford’s case).
If “a system cannot be protected without compromise,” Bamford argues, “then it is irreversible.” That is, if, for example, “the government hasn’t encrypted itself, I can easily detect when it has taken a government-committed action.” Bamford also argues that “Interception,” an exceptionally robust and reliable encryption protocol for government-conducted surveillance, is a prerequisite for actual national security protection. But he gets more specific: “Those other devices, where it is possible to observe conversations or document sources and methods, can generate standard signaling off the stored data.”
Not only do cryptographic technologies — whether they pertain to servers and other computing infrastructure or to government and non-government agencies — provide a stable, secure means of securing national security, they also assure compliance. Encryption systems comply with strict and globally recognized international standards, and they require active censorship of key messages, which in the security arena is the first requirement for the ability to preserve national security. When present, encryption technology is able to do a couple of things that network technology generally can’t: it allows the United States to monitor calls and, if necessary, intercept key communications; it creates an environment of privacy for government agencies; and it can protect the confidentiality of crucial information.
Bamford goes on to argue that the United States is still a net importer of cryptography, and it is perhaps true that U.S. Government agencies are currently required to store their communications in public cloud servers — the private ones where you, and the country, can see what’s being communicated, and which you can understand and share on the Web. That is obviously a primary function of web encryption; when you imagine a government wanting to encrypt all of its communications, it’s hard to imagine that it wouldn’t store that data in a government-sponsored cloud. But, in other ways, Bamford is correct in finding that encryption allows security protections to emerge through communications as they are actually exchanged.