Anyone who has locked the front door and hidden the key under a flowerpot has dealt with the dilemma of how to maintain both security and access. It’s the quandary facing cybersecurity professionals who must guard the wall around personal online data while managing the demands of law enforcement agencies. They want a backdoor to track down hackers who are eager to rip off consumers and terrorists who are forever plotting attacks on Americans.
With Internet breaches touching millions, the accessibility of these backdoors makes bad guys look like geniuses, and the security mavens like Keystone Kops. Unless authorities can effectively police its entrances, cyberspace could become a no-go zone.
Last week FBI Director James Comey told Congress that investigators have failed to crack the encryption of a cellphone belonging to one of the San Bernardino terrorists. “We still have one of those killer’s phones that we haven’t been able to open,” he told a Senate hearing. Without access to the cellphone information, the FBI can’t be certain that other conspirators aren’t lurking out there for another attack somewhere.
Just days before Mr. Comey’s sheepish concession that encryption has locked out his experts, the FBI itself was the target of a hack attack that exposed the personal online records 20,000 agency employees. Another 9,000 Department of Homeland Security employees were similarly affected. Taken together, the incidents indicate the hunters have become the hunted. It’s not a good sign, especially following the disclosure by the Office of Personnel Management that in 2015 the records of 21 million current and former federal employees had been lifted from government databases. With overlapping databases, some employees may have been victims twice.
President Obama signed an executive order last week empaneling a federal privacy council to make sure that all agencies do their best to protect their employees’ data. He asked for $19 billion in the new budget to upgrade government cybersecurity. But money is not the cure-all. Fundamental questions about the balance between online accessibility and security remain unanswered. Encryption can be made unbreakable, as in the case of the cell phones of the San Bernardino terrorists. If backdoors are built in for law enforcement, tech experts say hackers will eventually find their way in as well, leading to even more devastating breaches. Breaking the intractable logjam is essential.
“I would hope that we have not yet exhausted what can be done voluntarily,” James Clapper, the director of National Intelligence, told another Senate hearing last week. Sens. Richard Burr of North Carolina, a Republican, and Dianne Feinstein of California, a Democrat, are drafting a bill that would require law enforcement agencies to obtain a court order before compelling technology firms to unlock encrypted data needed in an investigation. Placing requests for de-encryption in the hands of a judge makes sense. An objective arbiter of the law is better able to balance the security needs of the nation against the privacy interests of an individual person.
Failure to keep the Internet secure sends a signal that no place is safe from hackers. Unless cyberspace can be made safer than a house key under a flowerpot, some of the millions whose personal records were stolen or exposed may conclude that the price of connectivity is not worth the pain. But that’s the equivalent of a hermit’s life in the big woods.