Cybersecurity Experts Debate Proper Response to Terrorism
Police say the terrorists who killed 130 people in coordinated attacks in Paris in November used cell phones to communicate. And the couple who attacked a holiday party in San Bernardino, Calif., killing 14, may have discussed jihad and martyrdom online.
These recent attacks reignited calls for more government access to people’s electronic communications—phones, emails and Internet browsing history—to prevent terrorism. But privacy advocates and many cybersecurity experts have questions about that strategy.
“There are real tradeoffs here among security, law enforcement, privacy, innovation and cybersecurity,” says Matthew Waxman, Liviu Librescu Professor of Law at Columbia and an expert on national security and international law.
“Whether one thinks compromise solutions are possible depends on how one weighs the different risks. Many people want convenience, but once their bank account is hacked or their identity is stolen, they care a lot about the security of their data and communications.”
Waxman co-chairs the Center for Cybersecurity at Columbia’s Data Science Institute, an interdisciplinary endeavor that brings together experts from the Computer Science Department, Law School, Engineering School and School of International and Public Affairs (SIPA) to develop ways to keep data secure and private.
“There’s a wide range of security problems online—from annoyance, vandalism and theft of information to something really serious,” says Steven Bellovin, professor of computer science and chair of the center. In June hackers targeted the federal Office of Personnel Management and stole the personal information of millions of federal workers as well as individuals who had applied for security clearances.
A year ago, hackers infiltrated Sony Pictures computers and released thousands of emails, documents, Social Security numbers and other personal information of Sony employees.
It was to secure such private data—and also to enable secure online e-commerce and banking transactions—that encryption software was developed. It can also block access to messages on smartphones. “You cannot eliminate encryption, it is vital to Internet security,” says Bellovin, whose latest book, Thinking Security: Stopping Next Year’s Hackers, was published in November.
But in the wake of the terrorist attacks, security experts are discussing whether governments should have exceptional access—a so-called master key—to encrypted data in order to disrupt terrorists’ use of online communication to recruit members, raise funds and plan attacks.
Bellovin argues that giving the government exceptional access won’t reduce the threat of terrorism but will create new holes in computer security that others can exploit.
“There’s a wide range of security problems online— from annoyance, vandalism and theft of information to something really serious.”
— Steven Bellovin
It “creates insecurity and does nothing to close the holes that already are there,” he says. “Bad guys don’t play by the rules, they will just install their own [encryption] software,” he says.
Bellovin would like to see Congress set conditions for government access to electronic communication, much as a search warrant is required for a wiretap.
“Let’s enshrine these restrictions into law,” he says, adding that the sheer volume of online communication complicates anything the government would be able to do. “You can’t scan a million messages a day.”
Terrorists have always used whatever technology was available to get their message across and recruit new followers. In the past it was audiotapes and photocopiers; now computer technology “makes it incredibly easier,” says Jason Healey, a senior research scholar at SIPA who worked in the White House as director for cyber infrastructure protection from 2003 to 2005.
He says access to encrypted communications only works if you know who to listen to. “I understand the frustration of the investigators. But I think they’re overestimating the gain they’re going to get by listening in and underestimating the impact it’s going to have on the rest of us,” says Healey, who was founding director of the cyber statecraft initiative of the Atlantic Council, where he remains a senior fellow.
He says law enforcement has to do a better job of surveillance, and governments need to share information. “After Paris you’ll see a lot more sharing. It leads to better national security, it’s in the national interest.”