Taking stock of the new French-German encryption proposal

With help from Eric Geller

HERE WE GO AGAIN — France’s and Germany’s interior ministers teamed up on Tuesday to propose an EU law requiring tech companies to decrypt data for investigators. The proposal, which the European Commission will consider at a meeting next month, reflects deepening frustration with fragmented European counterterrorism operations and the investigative challenges posed by widespread encryption.


Civil-society groups quickly condemned it, pointing out the conclusion of cryptography experts that there is no technically secure way to provide so-called backdoor access to encrypted data. “The proposal to undermine encryption at the EU level is rooted in the false belief that encrypted communications can somehow be made accessible to law enforcement without being made vulnerable to bad actors,” Lucie Krahulcova, a policy associate at digital-rights group Access Now, told MC. The Franco-German proposal also poses serious economic and strategic risks, said Gabe Rottman, deputy director of the Freedom, Security and Technology Project at the Center for Democracy and Technology. “The ministers,” he told MC, “fail to note, and must consider, the overwhelming consensus in the technical community that mandating backdoors or forced decryption will move bad actors to underground services beyond the reach of police or spies, and create vulnerabilities they can exploit to harm all of us.

— THE GOVERNMENT RESPONSE: The European Commission is looking forward to reviewing the proposal. “We welcome the ideas and actions presented by the French and German interior ministers,” Commission spokeswoman Natasha Bertaud told MC. “The use of encryption should not prevent competent authorities from safeguarding important public interests in accordance with the procedures, conditions and safeguards set forth by law.” Bertaud noted that existing EU law permits member states to “restrict the scope of certain data protection rights” like encryption for national-security purposes.

Europe’s struggle with encryption mirrors the latest phase of the “crypto wars” in the United States, where ISIL-inspired terrorist attacks have sparked new calls for mandatory backdoors. The Obama administration, which considered but ultimately rejected its own backdoor push, declined to comment on the European ministers’ proposal. “As a general matter we decline comment on draft legislation, or indeed proposals to draft draft legislation, in the United States,” White House spokesman Mark Stroh told MC, “so we’ll do the same of European proposals to draft draft legislation.”

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! More late-coming to the bandwagon from your MC host: The new Frank Ocean album is gorgeous. Send thoughts, feedback and especially your tips to [email protected], and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info below.

ALL THE NEWS THAT’S FIT TO HACK? — The suspected Russian hackers who breached the Democratic National Committee and House Democrats’ campaign group also targeted The New York Times’ Moscow bureau, the Times reported on Tuesday. But Eileen Murphy, a spokeswoman for the paper, told MC that the paper had seen “no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised.” CNN first reported “a series of cyber breaches targeting reporters at The New York Times and other U.S. news organizations,” and The Associated Press and The Washington Post also reported that the hackers targeted specific reporters. Murphy wouldn’t say whether that occurred. CNN’s report also claimed that other news organizations were targeted, but the Times, citing a government official, said that the FBI wasn’t investigating attacks elsewhere, and no news organization contacted by MC reported having been attacked.

— HERE’S WHY (AND MAYBE HOW) THEY’D DO IT: Russia has targeted the media in other countries, but U.S. media outlets could be richer territory still, given journalistic freedoms in the West. “They’re a ripe target for the sensitive information, contact lists and sources they gather,” Nick Rossman, FireEye’s senior program manager for threat intelligence, told MC. That information also could fuel additional attacks. The general Russian surge in cyberspace of late reflects a bolder diplomatic posture from the Kremlin since the civil war in Ukraine, Rossman added. The media industry’s approach to cybersecurity isn’t “the most mature,” he said, but FireEye did see an investment uptick after Chinese attackers infiltrated the Times in 2013.

The New York Times has specific vulnerabilities that attackers might have tried to exploit, SecurityScorecard’s chief research officer, Alex Heid, told MC: “Our platform detected the use of obsolete web browsers within the organization, such as old versions of Internet Explorer and Firefox. The use of old web browsers opens up an enterprise to infection via drive-by-download exploit kit attacks. We also detected email and password pairs for multiple New York Times employees being circulated on multiple underground hacker discussion boards.”

DCCC HACK AT ISSUE IN CAMPAIGN AD — Democrats are crying foul over an ad from the National Republican Congressional Committee that relies on leaked documents from the Democratic Congressional Campaign Committee to attack a candidate for Florida’s 18th District. Deploying a line of defense we reported on here, DCCC Executive Director Kelly Ward accused the NRCC in a statement of "stooping to a shocking new low and using unverified documents provided by the Russians — who are known to fake and doctor materials — to try to influence federal races."

BALTIC TIMES — The United States, Lithuania, Latvia and Estonia agreed Tuesday on a joint declaration of security and defense cooperation that includes a cyber element. “Building national resilience — including bolstering our ability to defend against hybrid and cyber threats, improving civil preparedness, and enhancing protection of critical infrastructure — is an essential element of collective defense,” the declaration states. “Therefore, we affirm that we must focus on aligning U.S. security assistance and deterrence measures, including the U.S. European Reassurance Initiative, and continued significant investments by the Baltic states in order to ensure that our mutual investments will effectively support NATO’s deterrence and collective defense, as well as promote national and regional security and resilience.” The declaration also commits to finding new areas of cyber cooperation.

RECENTLY ON PRO CYBERSECURITY — Rep. Ted Lieu asked the FCC to speed up its investigation into the Signaling System No. 7 flaw in response to the DCCC hack. … The top Democrats on two congressional panels dismissed as election-year posturing a subpoena from House Science Chairman Lamar Smith for three companies tied to Hillary Clinton’s private email server. … The Computer & Communications Industry Association opposes the Franco-German encryption plan.

REPORT WATCH

— The National Cyber Security Alliance and Microsoft are out with a survey today of more than 800 teenagers and 800 parents measuring teens’ internet behavior, and how parents perceive it. One finding: 60 percent of teens report having accounts online that their parents don’t know about. Meanwhile, 27 percent of parents suspect their teens have such secret accounts.

QUICK BYTES

— Belgian authorities say they asked the FBI, not NSA, for help in the search for a Paris terror suspect. POLITICO Europe.

— WikiLeaks’ recent mass information dumps “have also included the personal information of hundreds of people — including sick children, rape victims and mental health patients,” according to The Associated Press.

— A new court filing claims the FBI improved the performance of a child porn website when it took it over. Motherboard.

— Trend Micro offered insights on the first half of 2016.

— Orlando Health says one at least of its employees accessed the personal information of survivors of the Pulse nightclub shooting. WFTV.

— Ashley Madison’s owners were in violation of privacy laws when they were breached, according to Australian and Canadian authorities. Reuters.

— “ Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually by 2021.”

— The developer behind World of Warcraft and Overwatch was hit with another DDoS attack, via The Register. And a Grand Theft Auto fan site’s user information is being traded on the digital underground, per Motherboard.

— A NIST official told the president’s cyber commission that a whole new approach is needed to secure information technology. FedScoop.

That’s all for today. Those Beyonce and Andre 3000 cameos!

Stay in touch with the whole team: Cory Bennett ([email protected], @Cory_Bennett); Bryan Bender ([email protected], @BryanDBender); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).

Follow us on Twitter Heidi Vogt @HeidiVogt



Eric Geller @ericgeller



Martin Matishak @martinmatishak



Tim Starks @timstarks