The Washington Post

The Cybersecurity 202: The Justice Department is racking up wins despite encryption concerns

Analysis by
Anchor of The Cybersecurity 202 newsletter
June 16, 2021 at 7:09 a.m. EDT

with Aaron Schaffer

The Justice Department has been racking up significant victories against criminals who rely on encrypted communications — even as it maintains that the strongest form of encryption makes its work harder. 

First, the department recovered about $2.3 million of the ransom Colonial Pipeline had paid Russia-based hackers to unlock its computer systems, seizing the bitcoin from the wallet that held it. 

Then, the FBI joined global law enforcement in a blockbuster sweep that arrested about 800 suspects it had tricked into planning operations on a supposedly secure encrypted messaging app that was secretly controlled by the FBI itself. That operation, dubbed “Trojan Shield,” was a particular coup because the FBI lured the criminals by promising just the sort of secrecy that has bedeviled its own investigations for years, uncovering in the process evidence of contract killings, robberies and even cocaine-stuffed pineapples.

The high-profile operations mark a bright spot for the Justice Department and the FBI, which have spent seven years trying to convince or compel tech companies to give them special access to their customers’ encrypted communications, with little to no success.

The pressure campaign has failed to produce any significant legislation reining in encryption or companies’ use of it. And there’s little chance the Biden administration will make encryption a key priority. 

“[Encryption] will always be a priority for the FBI and therefore for the DOJ at some level, but the question is how much sympathy and leeway will they get from the White House,” Stewart Baker, a former top National Security Agency and Department of Homeland Security official, told me. 

“The Obama administration took the FBI’s concerns seriously…but institutionally it was never going to embrace the kinds of solutions Justice and the FBI wanted. I think that’s even more likely in this administration,” said Baker, an attorney at Steptoe & Johnson. 

The FBI has historically wanted tech companies to maintain backdoor access to unencrypted versions of their customers’ communications. 

The FBI argues tech companies could figure out how to do that securely, allowing police to access those communications with a warrant when necessary. Critics say any such backdoor could be exploited too easily by cybercriminals and would make everyone less safe online. 

The DOJ efforts reached a fever pitch during the last years of the Trump administration but have been largely dormant since Biden took office.

The debate is focused on “end-to-end encryption,” which, if implemented correctly, shields communications from everyone but the sender and recipient, including the communications provider: the provider never holds a readable copy, so it has nothing to hand over even to law enforcement with a warrant. Such encryption is quickly becoming a default, with Facebook planning to move all its messaging services to end-to-end encryption sometime next year and Google expanding its encryption options.
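The difference between a provider that can and cannot read its users’ messages is easier to see in code than in prose. The Python sketch below is an added illustration, not code from this article or from Facebook, Google or any other company it names. It models a hypothetical relay (the provider) and two hypothetical users, Alice and Bob, in three configurations: a transport-only model where the client’s session key is agreed with the provider, honest end-to-end encryption where the provider only stores ciphertext, and the “implemented correctly” caveat, a provider that quietly substitutes its own public key for a user’s so that it can read and re-encrypt traffic without changing the wire protocol. The cryptography is deliberately toy-sized (a 127-bit Diffie-Hellman group and an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC) so it runs offline with the standard library; real messengers use X25519 and an authenticated cipher.

```python
"""Added demonstration, not code from the Post article or any named company:
why end-to-end encryption keeps the relaying provider out of message content,
and what "implemented correctly" has to cover.  Toy primitives only: a 127-bit
Diffie-Hellman group and an HMAC-SHA256 counter-mode stream cipher with
encrypt-then-MAC.  Not production cryptography; real apps use X25519 + an AEAD."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # toy Mersenne prime; far too small for real use
G = 3
MSG = b"meet at the pier at 9"   # constructed sample message


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_keys(shared: int):
    """HKDF-style extract/expand with HMAC-SHA256: one encryption key, one MAC key."""
    prk = hmac.new(b"e2ee-demo-salt", shared.to_bytes(16, "big"), hashlib.sha256).digest()
    return (hmac.new(prk, b"enc\x01", hashlib.sha256).digest(),
            hmac.new(prk, b"mac\x01", hashlib.sha256).digest())


def _stream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream: HMAC(enc_key, nonce || counter) blocks, enough to cover `length` bytes."""
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))


def encrypt(keys, plaintext: bytes) -> bytes:
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(keys, blob: bytes):
    """Plaintext, or None when the key is wrong or the blob was altered in transit."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct))))


class Relay:
    """The messaging provider: publishes users' public keys and holds ciphertext in transit."""

    def __init__(self, dishonest: bool = False):
        self.directory, self.inbox, self.seen = {}, [], None
        self.dishonest = dishonest
        self.priv, self.pub = dh_keypair()

    def lookup(self, name: str) -> int:
        # Handing out its own key instead of the user's is the "ghost participant"
        # form of lawful access: the wire protocol is unchanged, so only an
        # out-of-band comparison of keys (a "safety number") can reveal it.
        return self.pub if self.dishonest else self.directory[name]

    def store(self, blob: bytes, sender: str, recipient: str) -> None:
        if self.dishonest:   # read with the substituted key, then re-encrypt to the real recipient
            self.seen = decrypt(derive_keys(pow(self.directory[sender], self.priv, P)), blob)
            blob = encrypt(derive_keys(pow(self.directory[recipient], self.priv, P)), self.seen)
        self.inbox.append(blob)


def provider_side_encryption():
    """Transport-only model: the client's session key is shared with the provider."""
    relay = Relay()
    client_priv, client_pub = dh_keypair()
    relay.directory["client"] = client_pub
    relay.store(encrypt(derive_keys(pow(relay.pub, client_priv, P)), MSG), "client", "client")
    # The provider holds the other half of the key, so it (or a warrant served on it) reads the message.
    return decrypt(derive_keys(pow(client_pub, relay.priv, P)), relay.inbox[0])


def end_to_end(dishonest_relay: bool = False):
    """Alice -> Bob via the relay.  Returns (what the relay learned, what Bob read, keys matched)."""
    relay = Relay(dishonest_relay)
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    relay.directory.update(alice=alice_pub, bob=bob_pub)
    bob_key_as_seen = relay.lookup("bob")            # Alice trusts the provider's directory
    relay.store(encrypt(derive_keys(pow(bob_key_as_seen, alice_priv, P)), MSG), "alice", "bob")
    alice_key_as_seen = relay.lookup("alice")        # and so does Bob
    bob_reads = decrypt(derive_keys(pow(alice_key_as_seen, bob_priv, P)), relay.inbox[0])
    relay_reads = relay.seen if dishonest_relay else \
        decrypt(derive_keys(pow(alice_pub, relay.priv, P)), relay.inbox[0])
    return relay_reads, bob_reads, bob_key_as_seen == bob_pub


if __name__ == "__main__":
    print("provider-side key, provider reads:", provider_side_encryption())
    print("honest E2EE (relay, bob, keys ok):", end_to_end(False))
    print("key-substituting relay            :", end_to_end(True))
```

In the honest end-to-end case the relay’s decryption attempt fails its MAC check and returns None, which is the whole point of the design: a warrant served on the provider yields ciphertext and nothing else. In the key-substitution case both Alice and Bob read the message normally and only the final check, comparing the key Alice was given against Bob’s real key, exposes the interception. That is why the “implemented correctly” qualifier matters and why the critics quoted below treat any provider-side access path as an exploitable weakness rather than a neutral feature.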

For critics of the campaign against end-to-end encryption, the recent victories are a sign law enforcement can still catch plenty of bad guys if it puts in the time and effort. 

“This speaks to the larger issue that software isn’t perfect — even encryption,” Maurice Turner, a cybersecurity fellow at the Alliance for Securing Democracy, told me. “It’s appropriate for law enforcement to take advantage of vulnerabilities in software without demanding that those vulnerabilities be designed in.”

But law enforcement supporters warn that a few one-off victories won’t offset the underlying problem: criminals are increasingly able to plan operations with no means for investigators to discover them.

And investigators can’t count on criminals to regularly make the errors in technology and judgment that made such operations possible.

“Relying on the stupidity of criminals is not a strategy for stopping sophisticated crime,” Baker told me. 

DOJ has maintained its opposition to end-to-end encryption under Biden though at a less fevered pitch than under President Donald Trump. 

Attorney General Merrick Garland warned during congressional testimony last month that encryption allows terrorists to communicate online with greater secrecy than before. 

Biden and British Prime Minister Boris Johnson pledged in a joint statement this month to “work together to maintain tightly-controlled lawful access to communications content that is vital to the investigation and prosecution of serious crimes including terrorism and child abuse” and to “work in partnership with technology companies to do this, protecting the safety of our citizens.”

By contrast, during the Trump administration, Attorney General William P. Barr slammed Apple for refusing to help the FBI break into an encrypted iPhone used by a Saudi air force student who opened fire at a U.S. military base in Pensacola, Fla. Barr also penned a letter with allies warning that Facebook’s plan to expand end-to-end encryption across its platforms would enable the unchecked spread of child pornography. 

But the encryption debate could heat up again in a moment. 

That’s especially likely if it’s triggered by some high-profile event such as a mass shooting investigation that is hampered by encrypted data. 

Similar spikes in the encryption debate followed the 2019 attack in Pensacola and the 2015 shooting in San Bernardino, Calif.

In both cases, law enforcement eventually accessed information on the iPhones in question by hiring third-party firms that were able to hack into them by exploiting secret bugs unknown to Apple. 

“It could be the case that as encryption becomes ubiquitous and dead easy there are going to be more victims of encryption,” Baker told me. “We shouldn’t assume that the value people put on the privacy of their phone calls will always outweigh the sense of aggrievement from people who know they’ve been victimized by encryption … I don’t think the FBI is likely to give up this fight anytime soon.”

The keys

Researchers linked a hacking group that targets Asian governments to a Chinese military intelligence unit.

The People’s Liberation Army-linked group dubbed Redfoxtrot targeted defense, government and research organizations in India and throughout Central Asia, according to a report from the cybersecurity firm Recorded Future shared exclusively with The Cybersecurity 202. The group’s activity has overlapped with several other China-linked hacking groups, the firm said.

The report is significant because the PLA was responsible for a large share of Chinese government hacking during the early 2010s, but since a 2015 restructuring that work has mostly been conducted by the civilian Ministry of State Security. 

The Recorded Future researchers were able to tie the hacking group’s operations to a specific address used by the PLA. They say the group has been active since at least 2014 and has targeted at least three Indian aerospace and defense contractors and major telecommunications providers in Afghanistan, India, Kazakhstan and Pakistan.

Sen. Ron Wyden (D-Ore.) blasted U.S. ad exchanges for sharing data with Chinese and Russian firms.

The eight digital ad auction houses at issue offered varying amounts of information on the foreign firms they share ad data with.

There’s a “clear national security risk” with the partnerships because U.S. adversaries “can use [the data] for online tracking as well as to target hacking and disinformation campaigns,” Wyden said. 

Wyden plans to introduce legislation to ban exports of Americans’ data to high-risk countries, he said.

The ad auction houses defended their practices in letters to Wyden and other lawmakers, with many of them saying that they have rigorous privacy and data security policies.

Lawmakers want Biden to aggressively confront Putin over cyberattacks.

Biden should make ransomware attacks a key part of the agenda when he meets with Putin in Switzerland today, Reps. Jim Langevin (D-R.I.) and Michael McCaul (R-Tex.) said in a CNN op-ed. The lawmakers also laid out a potential threat Biden could bring up to Putin for harboring cybercriminals: “shutting off access to the international financial system for Russian companies that facilitate ransomware.” Langevin and McCaul are co-founders of the Congressional Cybersecurity Caucus. 

Biden “has an opportunity to pressure Putin directly to put an end to Russia-supported cybercrime” during the summit, Senate Majority Leader Charles E. Schumer (D-N.Y.) said. The summit is expected to last more than four hours, with a focus on hacking and other issues.

Global Cyberspace

Once, Superpower Summits Were About Nukes. Now, It’s Cyberweapons. (New York Times)

Alibaba Falls Victim to Chinese Web Crawler in Large Data Leak (Wall Street Journal)

Ukraine hackers uncovered who targeted U.S., Korean firms, say police (Reuters)

Hill happenings

U.S. Senator Rubio plans legislation to address Russia cyberattacks -letter (Reuters)

Cyber insecurity

SEC settles with First American over massive data leak for nearly $500,000 (CyberScoop)

Ransomware gang turns to revenge porn (Motherboard)

Daybook

  • Cisco CEO and chair Chuck Robbins discusses cybersecurity and other issues at a Washington Post Live event today at 9 a.m. 
  • A Senate Homeland Security and Governmental Affairs Committee panel holds a hearing on cybersecurity threats to state and local governments on Thursday at 10:15 a.m.
  • The University of Southern California’s Election Cybersecurity Initiative will hold its final spring workshop on Thursday at 4:30 p.m.
  • Jeff Greene, the director of the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence who has been detailed to President Biden’s National Security Council, discusses Biden’s recent cybersecurity executive order at a National Security Institute event on Friday at 1 p.m.
  • The R Street Institute hosts an event on the implementation of President Biden’s cybersecurity executive order on June 21 at 3:15 p.m.

Secure log off