History Demonstrates Strong Encryption Is Here To Stay

(Originally published on LinkedIn – January 13th, 2016)

I am a firm believer that knowing the background and history of things provides a much better forward-looking perspective and present decision-making capability. Would that this view was adopted more. If it were, the age-old George Santayana quote that “those who don’t remember the past are condemned to repeat it” would never have come into existence. The fact mankind never really seems to learn the lessons of history also seems to trap the unfolding of events in a cyclical pattern.

The Encryption Debate and History’s Lesson

Encryption, that technology that for years in the computing world has done its job quietly in the background and without much acclaim, is suddenly a topic that is all the rage due to recent and tragic world events. Lawmakers stipulate and paint a gloomy picture that without the ability to intercept and decipher encrypted communications on the part of criminals and terrorists, national security is at serious risk. Technologists on the other hand, including myself, maintain that the implementation of so-called “backdoor encryption” in effect weakens encryption for all of us with severe consequences and effects to our normal, everyday security, economy, and lives. Essentially, to weaken encryption would be to cut off our noses to spite our collective economic and everyday-life faces. Lawmakers and technologists and technology companies are digging the trenches and the staunch faceoff, while mostly civil at the moment, continues.

If strong encryption were outlawed, then only outlaws would have strong encryption…

In a recent interview for The Wall Street Journal, Max Levchin, past co-founder of PayPal and a cryptography expert, questions along with other technologists (including yours truly) whether lawmakers really understand how encryption actually works. Levchin goes on to stipulate that if we’re going to continue the national debate, let’s at least make sure lawmakers do in fact understand how encryption works technically.  And perhaps few are more qualified to step up and provide such an education than Max and other well-known cryptographers in the cryptographic community.

Not only do I question whether lawmakers understand how encryption works, I also question whether they’ve really taken into account how the world works. It would be easy for anyone to say “how the world works today” but history, if we’re willing to learn from it, demonstrates the world has been working a certain way for a very long time when it comes to widespread technological innovation leveraged in conjunction with outside agenda.

Let’s take a quick lesson from history that coincidentally has ties to today’s date – January 13th – and see if history has anything to teach us concerning how the weakening of encryption would very likely play out were lawmakers to insist on their position through mandatory legislation.

King Francis of France: “No More Books!”

In today’s world, religion and government exist for the most part in different spheres. (Ironically, the insistence in one area of the world that religion and government be uniformly merged into one has driven certain activities and events to the brink of stirring the debate about encryption. I make no further comment here other than to point out the irony.)

In early 16th-century Europe, this was not the case. Martin Luther with his Ninety-Five Theses in 1517 seemingly shattered any remaining hold and immense influence the Roman Catholic Church had on states and governments, and Europe in the 16th century was in turmoil. The religious debate among European populations then was every bit as severe as, if not much more severe than, any debate we’re seeing related to encryption today. The fact that the debate touched every aspect of 16th-century life does, however, prove similar. Our lesson continues.

In France, King Francis wavered off and on, favorably then unfavorably, between protecting the rights of an emerging Protestant population while being declaratively a Roman Catholic nation and taking action to shut down the ability for French citizens to express themselves according to new Protestant beliefs. Printing was a new and powerful technology at the time due to the Gutenberg press, allowing average citizens the newfound ability to print on paper and mass produce and disseminate materials on nearly any topic. Paris accommodated this through public places where notices, edicts, and even opinions could be posted near buildings and read – the 16th-century equivalent of Facebook, Twitter, and LinkedIn, one might say.

Tensions continued to rise, mostly fueled by public writings and published books through the 1520s and 1530s. Then late in 1534, someone had the audacity to publish and literally nail a then-scandalous document undermining Roman Catholicism directly on King Francis’ bedroom door. (A clear indicator of perimeter security failure and/or insider threat, if there ever was one. :) ) This so infuriated the monarch that on January 13th, 1535, King Francis sent a kneejerk edict to the Parliament of Paris forbidding the publishing of books of any kind.

What Was The Net Effect of King Francis’ Edict?

We like to think today that the banning of books is left for some futuristic dystopian society to foolishly enact, but alas, as history indicates, men have been making and repeating mistakes for centuries. What ended up happening after this edict? What was the net effect?

Well, it turns out, the reach of King Francis’ kneejerk edict was restricted to, well… only France. Not surprisingly, people who were insistent on publishing, including then incendiary writings on Protestantism, simply moved their operations to neighboring and publish-friendly countries outside the borders of France.


If you were a book publisher in France, after January 13th, 1535 you were effectively out of business. That was the economic impact in France, albeit restricted to the publishing and subsequently to the buying and selling of books. Outside of France, opportunities were very open in other countries to go right on publishing books and other writings and smuggling them back into France. In other words, the net effect other than making book publishing in France illegal… was almost nothing. Pro-Protestant writings continued to be disseminated and very soon afterward, France’s population went on to become roughly half Protestant and half Roman Catholic despite the edict.

To be fair to King Francis, and to further parallelize this discussion, King Francis shortly after 1535 conceded to allowing some book publishing – but only those books of which a committee of twelve (whom, of course, he himself appointed) would approve. And a list of banned books was established.

Regardless — governmental compromise with the technology and technologists of the day or not — the net effect despite intention was… essentially nothing. The proverbial cat of “how to print books and publish” was out of the bag and couldn’t be put back in.  When books were outlawed, then only France had outlawed books, printed from other favorable locations. And books in other locations and bordering countries were totally legal and fine to print, own and read.

The Likely Effect of Legislated Weakened Encryption Today

Does any of this sound eerily applicable and parallel?!  Good! Whew! I hate wasting an obvious history lesson!

It’s really simple when it comes to encryption and other nefarious and criminal elements in the world today.  The cat’s long been out of the bag in terms of strong encryption.  Strong encryption such as RSA and AES isn’t going to suddenly disappear or come off the shelf if “backdoor encryption” is legislated, weakening (and essentially making ineffective) existing strong encryption. The algorithms for strong encryption are known and readily available just as was the Gutenberg press of King Francis’ day.

If strong encryption were outlawed, then only outlaws would have strong encryption. All of this is what Levchin meant when he stated in his WSJ interview that “they [the cybercriminals and terrorists] will [continue to have] strong encryption.” (Additions mine.) The net effect despite governmental intention will be – essentially nothing… in terms of law enforcement where the weakening of encryption is being considered. Cybercriminals and terrorists won’t be obligated to “follow the rules” – that’s at least part of what makes them criminals and terrorists (!!) – and the rest of us, in countries where weakened encryption is legislated, will. Like the book publishers of King Francis’ day, cybercriminals will simply continue to use strong encryption “just over the border” that lawmakers still won’t be able to read in countries where commercial encryption has been legislatively weakened.

To weaken encryption would be to cut off our noses to spite our collective economic and everyday-life faces

Aside from the meaningless legislative effects due to still accessible strong encryption technology, the economic effects would be at least two-fold.

One effect, which the general population should consider very carefully, is that the security of normal everyday transactions both in private communications and financial communications will be very seriously undermined. Strong encryption is one of the primary reasons there doesn’t exist more computer crime, fraud, identity theft, and electronic pickpocketing of billions of consumer dollars each year by cybercriminals based, yes, in now “neighboring countries” with environments favorable to this activity – just as in King Francis’ day, as the internet makes every and any country a neighbor. If you think cybercrime against consumers is bad now, wait until encryption is weakened, if in fact we somehow convince ourselves to go so far as 16th-century France did.

The other effect is that weakened encryption could be an out-of-business event for some of the very companies passionately dedicated to protecting our nation and their citizens from such fraud and billion-dollar electronic pickpocketing. (Full disclosure: While I write as an independent technologist espousing my own thoughts and opinions, I am currently employed by one such company.) Strong encryption will remain a viable business strategy for Original Equipment Manufacturers (OEMs) in countries where strong encryption isn’t legislated against. US and UK manufacturers, where such legislation is being most strongly considered, would have no opportunity to sell strong encryption products domestically and essentially have a very difficult time selling commercial products with weakened encryption internationally.

Conclusion

All in all, it’s pretty easy to forecast not only a fairly chaotic if unintentional ending but also a predictable (and therefore unnecessary) ending to legislated weakened encryption. Strong encryption is essentially here to stay. In what form, where it will remain, and who continues to have use of it are really the only remaining questions. The Gutenberg Press was a point of historical inflection. History has never been the same since. In the case of printing, the cat was out of the bag and could not be put back in.

In today’s world, strong encryption really represents a similar if not more important reality considering the enormity of the benefits strong encryption brings, working silently in the background, protecting, shielding, and enabling today’s modern world financially, economically, and expressively.

Lawmakers are not without other effective tools and means for stemming the much smaller percentage of nefarious evil in the world. My hat’s off to the work they have to do and are doing so well. With strong encryption in place, they are still doing an outstanding and unbelievable job.  Here’s simply hoping we don’t kneejerk without fully understanding the likely consequences, pull off “a King Francis,” and cut off our noses to spite our faces.

With the net effect despite intention being… essentially nothing.

Chris Olive

Chris Olive is a seasoned and passionate cybersecurity strategist, evangelist, consultant, trusted advisor, and hands-on technologist with over two decades of cybersecurity consulting experience in the US/UK governments, the Fortune 500, and large international companies all over the world. Chris has primary expertise in Identity Access Management and Identity Governance & Administration along with professional experience and expertise in Ethical Hacking & Penetration Testing, Secure Development, and Data Security & Encryption. Chris is a frequent writer, speaker, and evangelist on a range of cybersecurity topics. Chris is currently a Senior National Security Advisor & Architect for CDW -- a worldwide leader and innovator in solutioning, architecting, and delivering secure information technology solutions on-prem, in the cloud, multi-cloud, hybrid, or co-hosted leveraging the world's largest, best, and most trusted brands.
