CHESTNUT HILL, Ma.—FBI director James B. Comey today revived the Going Dark discussion during a keynote address at the Boston Conference on Cyber Security, saying it’s time for an adult conversation on the prevalence of strong encryption and how it hinders criminal and national security investigations.
Comey, during his 45-minute address at Boston College, did not address the expansive leaks of CIA hacking tools yesterday by WikiLeaks or Russia’s alleged manipulation of the U.S. presidential election. He did not take questions from media in attendance, though he did answer a few from attendees.
Comey’s stance on strong encryption has remained largely unchanged in the past two years, running in parallel with the growth in mainstream adoption of secure messaging applications such as Signal, WhatsApp and others. The director contends that strong crypto not only impedes investigations, but cuts the legs out from judicial warrants that allow law enforcement on the local and federal level to seize digital devices.
Comey said that between October and December of last year, the FBI took possession of 2,800 devices, and there were 1,200 that the bureau could not crack and access stored data.
“That’s a big deal,” Comey said.
Comey acknowledged that strong crypto has always been around, but prior to Edward Snowden’s leaks of NSA secrets, it was largely the purview of nation states and sophisticated criminal groups.
“These apps are now a default feature of much less sophisticated actors, drug dealers, bank robbers, pedophiles, some terrorists,” Comey said. “Their shadow is spreading across more of our work.”
In the past, Comey has challenged technology companies to try harder to come up with a reasonable solution that does not require a backdoor or one that weakens encryption. Today, he backed off the challenge to tech companies and called for a discussion among the relevant parties that he says share the same values.
“We have to have a hard conversation about what we’re doing,” Comey said.
He also rebuked claims made by experts in the past that law enforcement could gain valuable intelligence from intercepted metadata, which is not encrypted and often includes information about call records, email headers and physical location.
“Metadata is limited, especially when we are obligated to prove guilt beyond a reasonable doubt,” Comey said. “We just can’t get there against a pedophile or a terrorist.”
“Other say that maybe you can develop a hacking tool. That’s expensive and it doesn’t scale,” Comey said, harkening back to the Apple-FBI debate. “Something like that cannot be used broadly because they are perishable.”
Comey tried to tug on some patriotic heart strings as well, pointing out that the country’s founders struck a bargain that the government cannot invade one’s privacy without probable cause and a court order. What they founding fathers were saying, Comey countered, is that with good reason, the government can invade one’s privacy.
“There is no absolute right to privacy,” Comey said, adding, “with respect to default, strong encryption, it changes that bargain, and shatters it, in my view.”
Comey began his keynote by explaining the FBI’s ranking of cyber adversaries, starting with nation states at the top (he named China, Russia, Iran and North Korea), followed by multinational crime syndicates that sometimes work on behalf of nation-states, followed by insiders, hacktivists and terrorists at the bottom of the stack. He also explained the importance of the FBI increasing the cost of attacks for hackers, one of the FBI’s five strategic goals. That strategy includes increasing international pressure to prosecute hackers, or at least name and shame them as the government did in the case of China’s PLA hackers or Iranian actors allegedly responsible for DDoS attacks against U.S. banks in 2012 and 2013.
“We want to make sure they feel our breath on their neck,” Comey said.
Feature photo via @BCcybersecurity.