Recent hacks should make Democrats favor encryption
Last week, the Democratic National Convention was thrown into a tizzy when Wikileaks released a searchable database of thousands of emails from Democratic National Committee staffers. The most ironic of the emails was one from the DNC’s head of communications declaring a Buzzfeed article about the organization being terrible at cybersecurity the “dumbest thing I’ve ever read.”
(On Friday, the Dems got more bad news: Hillary Clinton’s campaign was also hacked, but it appears that far less information was exposed.)
Patrick Howell O’Neill at the Daily Dot wondered if the embarrassing exposure will “push politicians to finally use encryption.” The New Republic asked, “Do anti-encryption Democrats see the importance of encryption now?”
Some prominent Democrats have demonized end-to-end encryption, the kind that might have helped lesson the impact of this hack by making emails look like gibberish to anyone without a key. It’s only readable when a person on one end of the communication opens the email, excluding the company storing the exchange, a hacker, and law enforcement.
Senator Dianne Feinstein (D-Calif.) has led the charge on a bill that would make end-to-end encryption illegal, requiring companies be able to decrypt data if served with a court order. Hillary Clinton herself has pushed for breakable encryption, claiming that, “Otherwise, law enforcement is blind—blind before, blind during, and, unfortunately, in many instances, blind after.”
But making communications systems easier for law enforcement to get into means hackers can also more easily access them. End-to-end encryption would make people’s communications safer across the board, from nefarious attackers, the government, and Russian state-sponsored hackers, for example.
But even then, it isn’t bulletproof. Even if the DNC staffers had been using end-to-end encryption, hackers who completely owned their network might still have gotten at least some emails.
“If the DNC were using end-to-end encryption, it would have dramatically limited their exposure,” said Nate Fick, CEO of cybersecurity firm Endgame which searches computer systems for hackers. “It would have been far less likely that intruders could get 20,000 emails. But intruders would still have been able to grab it when email was open so it would have helped but wouldn’t have eliminated the risk.”
Jay Kaplan, founder of cybersecurity firm Synack and a former cyber analyst for the NSA, was more pessimistic. If the attackers were able to get their hands on the staffers’ encryption keys, which are used to decode emails, then the end-to-end protection could fail.
“In this case, given the strong likelihood that the entire DNC network was compromised, I wouldn’t put much faith in the protection of those keys,” said Kaplan by email.
The bigger takeaway might be that the DNC shouldn’t be hosting its own email. Instead, it could outsource it to a company that is better at computer security, such as Google.
“It’s unwise for any of us to do anything at which we’re not experts,” said Fick. “The DNC is probably not able to protect its email as well as someone else whose sole job is to protect email.”
The DNC may be wary of doing so for fear of Google getting a peek at their emails. But the solution to that concern is once again end-to-end encryption. Two years ago, Google and Yahoo both announced plans to make it simple for their users to enable end-to-end on their emails, but the projects have languished ever since. Rather than promoting bills that would punish these companies for completing the project, perhaps Democrats should be encouraging them to finish it.