Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate

No choice but to use American gear, grins spymaster


CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.

And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."

Thus, the choice is American-built-and-backdoored or nothing, apparently.

The spymaster made the remarks at a congressional hearing on Thursday after Senator Ron Wyden (D-OR) questioned the CIA's support for weakening cryptography to allow g-men to peek at people's private communications and data.

Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.

"US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said.

"So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."

We don't think the CIA man has been paying attention, to put it generously. A study in February found there are 865 encryption products in use around the world supplied by developers in 55 countries. About a third of these packages came from the US, with Germany, the UK and Canada the next biggest suppliers.

Nevertheless, Brennan is right that the bulk of commercial encryption products in use by enterprises are supplied by American firms. The word he missed is "now."

If US firms are mandated to install backdoors, sales of encryption products are going to change very quickly. Very few overseas companies are going to buy a broken encryption system that can be read by US intelligence, and a fair few US companies aren't going to be wild about doing so either.

"It is clearly inaccurate to say that foreign encryption is a 'theoretical' capability," said Senator Wyden.

"Requiring companies to build backdoors in their products to weaken strong encryption will put the personal safety of Americans at risk at a dangerous time and – I want to make this clear – I will fight such a policy with everything I have."

Interestingly, Brennan didn't mention legislation proposed by Senators Richard Burr (R‑NC) and Dianne Feinstein (D‑CA) which would mandate backdoors. The proposed bill has little support and instead Brennan indicated he supported an alternative legislative push.

Instead, Brennan spoke supportively of a bill introduced by Senators Mark Warner (D-VA) and House Committee on Homeland Security Chairman Michael McCaul (R-TX) which would set up a congressional committee to explore the encryption issue.

Not that we should be worried about the CIA snooping, Brennan said. In the past three weeks, the CIA has appointed a privacy and civil liberties officer as a full member of senior staff. The person will review all CIA activities to ensure they are legal, Brennan said.

So that's all right then. ®

Biting the hand that feeds IT © 1998–2022