Teecht. Deputy Attorney Full General Rod J. Rosenstein Delivers Remarks On Encryption At The United States Naval Academy

Annapolis, MD

Tuesday, Oct 10, 2017

Remarks equally prepared for delivery

Thank you, Professor Kosseff, for that sort introduction.  I am honored to hold out hither today amongst some of our nation’s finest world servants.

We come across today merely over a mile from Navy-Marine Corps Memorial Stadium, where the Navy pulled off an epic victory 3 days agone against the Air Force.  After the highest-scoring game inward the rivalry’s 50-year history, the Midshipmen scored a go-ahead touchdown merely seconds earlier the in conclusion whistle.  The Navy’s commandant, Robert B. Chadwick II, said that “when yous play someone amongst the same deoxyribonucleic acid equally you, yous know they aren’t going to quit either.”

The game is a reminder that victory often requires ceaseless determination.

The Navy has a long history of determination, as well as of fearless exploration.  The Center for Cyber Security Studies stands good inside that tradition of embracing the unknown inward defence forcefulness of the nation.  But for all its dynamism, the Navy is built on continuity.  Our Navy traces its history to the Continental Navy established during the Revolutionary War.  The marrow mission of defending freedom has remained constant across generations.

Each Midshipman swears to “support as well as defend the Constitution of the USA against all enemies, unusual as well as domestic.”  Our federal prosecutors have got the same oath.

An oath is meant to hold out serious business. The oath-taker promises to alive yesteryear sure rules inward render for a privilege bestowed yesteryear the government.

There was a fourth dimension when taking an oath was a affair of life as well as death.  Sir Thomas More was an Englishman who was executed inward 1534 because he refused to swear an oath to King Henry VIII.  In Robert Bolt’s play based on More’s life, More tells his daughter, “When a human takes an oath … he’s asset his ain self inward his hands.  Like water.  And if he opens his fingers hence — he needn’t hope to discover himself again.”

Your oath carries a solemn obligation. It obliges yous to save our nation’s commitment to the dominion of law.

The words require yous to accolade that commitment non exclusively when it is easy, but when it is difficult.

In 1776, during the Revolutionary War, Thomas Paine wrote, “The summertime soldier as well as the sunshine patriot will, inward … crisis, shrink from the service of [their] country.”  Paine recognized that it is slowly to claim the pall of patriotism when the winds are peaceful as well as the seas are calm.  True patriots are the ones who remain at their posts during the storm.

In 1864, almost a century after the founding of our nation, Admiral David Farragut watched his fleet time out equally it approached Mobile Bay, Alabama.  Farragut asked why the ships were hesitating.  The answer came back, “Torpedoes!”  Farragut hence uttered the immortal reply, recorded yesteryear history equally “Damn the torpedoes, total speed ahead!”

Sometimes nosotros human face upwardly existent torpedoes.  And sometimes, inward the cyber world, nosotros human face upwardly virtual torpedoes.  Whatever the challenges ahead, nosotros are duty-bound to sustain our timeless dominion of law values inward an era of disruptive technological change.

Defending the dominion of law is essential because the dominion of law is non merely a characteristic of the United States.  It is the foundation of the United States. To utilization a technological metaphor, the dominion of law is our nation’s operating system.

The dominion of law agency that our acre is governed yesteryear principles that are agreed to inward advance.  Government officials are required to obey as well as enforce the rules, as well as restricted from making arbitrary decisions unsupported yesteryear the rules.

We should never have got the dominion of law for granted.  We learned this outflow most the tragic sense of Otto Warmbier, the University of Virginia college educatee who allegedly took a poster off a hotel wall inward Democratic People's South Korea as well as was sentenced to fifteen years of hard labor.  North Korea sent Otto dwelling 17 months later.  They sent him dwelling amongst encephalon damage.  He died a few days later.

Democratic People's South Korea volition non handle anyone accountable for Otto’s injuries as well as death.  It is a totalitarian authorities amongst no concept of the dominion of law.  No civil rights.  No due process.  No justice. 

The North Korean authorities offered no explanation as well as no apology for prohibiting all communication as well as concealing Otto’s status from his family.

My teenage miss could non believe that such an evil house exists inward the 21st century.

Sometimes people acquire hence caught upwardly complaining most the imperfections inward our ain scheme that they neglect to appreciate how fortunate nosotros are to alive inward a province blessed amongst officials who obey the rules as well as protect the innocent.  People who sheet towards danger hence the ease of us tin rest safe.  People similar you.

Protecting people from abuse yesteryear the authorities is an of import aspect of the dominion of law.  But the dominion of law also protects people from beingness victimized yesteryear other people.

The preamble to the USA Constitution explains that it aims to “establish justice, insure domestic tranquility, supply for the mutual defence, promote the full general welfare, as well as secure the blessings of liberty….”

Our social contract empowers the authorities to protect lodge from criminals. The Congress defines federal crimes as well as authorizes tools for investigating them, such equally subpoenas, search warrants, as well as wiretaps.

Those legal authorities enable investigators as well as prosecutors to gather the evidence needed to enforce the laws.  Evidence is essential because our legal scheme protects criminal defendants yesteryear requiring the prosecution to create admissible evidence that establishes their guilt beyond whatsoever reasonable doubt.

But increasingly, the tools nosotros utilization to collect evidence sew together against technology that is designed to defeat them.

Technological dynamism has profoundly transformed our lodge inward recent years.  Ninety-five pct of Americans ain a prison theatre cellular telephone telephone as well as to a greater extent than than three-quarters of us ain a smartphone. Nearly 7 inward 10 Americans utilization social media.  In 2014, the Internet sector was responsible for an estimated $922 billion, or 6 pct of the U.S. existent gross domestic product — as well as that figure is rising.

Our lives are increasingly dependent on a growing digital infrastructure.  But much of that infrastructure is beingness targeted yesteryear criminals as well as unusual adversaries. Since 2012, the U.S. Intelligence Community’s Worldwide Threat Assessment has often listed the cyber threat equally a major danger to our nation’s security.

In May, medical facilities or hence the Blue Planet were attacked amongst ransomware, resulting inward the cancellation of medical procedures, the unavailability of patient records, as well as the diversion of ambulances.  In March 2016, hospitals hither inward Maryland were striking yesteryear a ransomware attack, forcing patients to hold out turned away or treated without updated figurer records.  Another alarming incident occurred inward 2013, when a unusual adversary gained access to the command as well as information acquisition scheme for a dam inward New York.  Fortunately, the dam’s sluice gate, which controls H2O levels as well as flow rates, had been disconnected for maintenance.  Otherwise, our adversary mightiness have got been able to remotely operate the gate.

At the Department of Justice, nosotros have got such threats extremely seriously as well as sentiment countering them equally 1 of our highest priorities.  We aggressively investigate, indict, as well as — when possible —prosecute the cybercriminals as well as unusual province hackers behind such attacks.  We create novel partnerships inside the federal authorities to utilization an “all tools” approach.  If prosecution is non the most appropriate course of study of action, nosotros piece of work amongst partners inward other agencies to pursue the most effective alternatives.

Private sector entities are crucial partners inward this fight.  We engage inward formal as well as informal information sharing, promote cybersecurity best practices, as well as brand clear that private sector cyber victims volition hold out treated amongst abide by as well as concern.

But our effectiveness, as well as those of our governmental partners, has limits. The digital infrastructure is non e'er constructed amongst adequate regard for world safety, cybersecurity, as well as consumer privacy.

Unless nosotros overcome those complications, nosotros volition remain vulnerable.

In 2016, an assault launched against domain call servers illustrated a pregnant problem.  The assault made it effectively impossible for many users to access sure spider web sites for several hours.  The attackers took command of multiple computers on the Internet as well as used them to conduct a distributed denial of service attack.  What made the assault specially worrisome was that it used uncomplicated internet-connected devices, such equally cameras as well as digital video recorders.  Those so-called “Internet of Things” devices surround us, as well as they are easily susceptible to command yesteryear hackers because of the widespread utilization of default passwords as well as other failures to secure them.

That incident vividly illustrates that our digital infrastructure is non merely a target inward a traditional sense.  It tin hold out hijacked as well as used against us equally an assault vector.  The possibilities for such attacks volition grow.  Estimates discover that 6.3 billion internet-connected devices were used inward 2016.  The total may attain 20.4 billion yesteryear 2020.  Imagine the possible assault vectors if all of those devices employed default passwords.

One of our principal challenges today is the threat that novel technologies pose to our private as well as collective security.  Those technologies tin play a critical role inward creating jobs, promoting commerce, as well as enhancing our lives.  But novel technologies volition pose novel dangers if innovations prepare hence speedily that the laws cannot proceed upwardly amongst them.

Our challenge extends far beyond the novel technologies that our adversaries utilization to conduct novel types of attacks.  Our investigators as well as prosecutors already human face upwardly a attain of cyber issues that undermine the dominion of law.

Consider, for instance, how the “dark web” facilitates kid exploitation as well as promotes merchandise inward illicit goods.  Or view how criminals have got payoff of novel technology that conceals their identities to commit crimes such equally trading kid pornography as well as making bomb threats.

Our investigators human face upwardly challenges because information tin hold out dispersed as well as evanescent.  Communications providers often withdraw to shop information overseas, which sometimes results inward American law enforcement beingness unable to access evidence involving American perpetrators who violate American laws as well as harm American victims.  We also human face upwardly lengthy delays because some domestic technology providers do non pattern their systems to facilitate responses to courtroom orders, as well as some do non adequately staff their legal compliance departments.

That brings me to 1 of our greatest challenges, encryption.  Encryption is a foundational chemical constituent of information security as well as authentication.  It is essential to the increase as well as flourishing of the digital economy, as well as nosotros inward law enforcement have got no wishing to undermine it.

But the advent of “warrant-proof” encryption is a serious problem.  Under our Constitution, when criminal offence is afoot, impartial judges are charged amongst balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement.  The law recognizes that legitimate law enforcement needs tin outweigh personal privacy concerns.

Our lodge has never had a scheme where evidence of criminal wrongdoing was totally impervious to detection, specially when officers obtain a court-authorized warrant.  But that is the Blue Planet that technology companies are creating.

Those companies create jobs, pattern valuable products, as well as nowadays inward amazing ways.  But at that spot has never been a correct to absolute privacy. Courts weigh privacy against other values, including the demand to solve as well as preclude crimes. Under the Fourth Amendment, communications may hold out intercepted as well as locked devices may hold out opened if they are used to commit crimes, provided that the authorities demonstrates showing of probably cause.

Warrant-proof encryption defeats the constitutional residuum yesteryear elevating privacy inward a higher house world safety.  Encrypted communications that cannot hold out intercepted as well as locked devices that cannot hold out opened are law-free zones that permit criminals as well as terrorists to operate without detection yesteryear constabulary as well as without accountability yesteryear judges as well as juries.

When encryption is designed amongst no agency of lawful access, it allows terrorists, drug dealers, kid molesters, fraudsters, as well as other criminals to enshroud incriminating evidence.  Mass-market products as well as services incorporating warrant-proof encryption are at nowadays the norm.  Many instant-messaging services employ default encryption designs that offering constabulary no way to read them, fifty-fifty if an impartial justice issues a courtroom order.  The makers of smart phones previously kept the powerfulness to access some information on phones, when ordered yesteryear a courtroom to do so.  Now they engineer away fifty-fifty that capability.

We refer to this work equally “Going Dark” –  the threat to world security that occurs when service providers, device manufacturers, as well as application developers deprive law enforcement as well as national security investigators of crucial investigative tools.

The number caught the public’s attending inward Feb 2016, when the authorities obtained an iPhone used yesteryear a terrorist who shot as well as killed fourteen people as well as injured 22 others at an business office Christmas political party inward San Bernardino, California.  The FBI wanted to discover out if the telephone contained evidence of other assault plans, or information most other people who mightiness launch attacks.  So, the FBI obtained the consent of the phone’s legal owner—the San Bernardino county government—and also obtained a search warrant.  The information on the telephone was encrypted, but Apple had the powerfulness to assist the authorities inward obtaining that data.  The authorities sought Apple’s voluntary assistance.

Apple rejected the government’s request, although it had the technical capability to help.  The authorities hence obtained a courtroom monastic enjoin requiring Apple to assist, but Apple forthwith announced it would appeal the order. Fortunately, the authorities was able to access information on that iPhone without Apple’s assistance.

But the work persists.  Today, thousands of seized devices sit down inward storage, impervious to search warrants.  Over the yesteryear year, the FBI was unable to access most 7,500 mobile devices submitted to its Computer Analysis as well as Response Team, fifty-fifty though at that spot was legal potency to do so.

In May 2015, terrorists targeted people attending an lawsuit inward Garland, Texas.  On the morning time of the attack, 1 of the terrorists exchanged 109 instant messages amongst an overseas terrorist.  He used an app employing end-to-end encryption, hence that law enforcement could non decode the messages.

Billions of instant messages are sent as well as received each twenty-four hr menses using mainstream apps employing default end-to-end encryption.  The app creators do something that the law does non allow telephone carriers to do:  they exempt themselves from complying amongst courtroom orders.

Responsible encryption is achievable. Responsible encryption tin involve effective, secure encryption that allows access exclusively amongst judicial authorization.  Such encryption already exists.  Examples include the cardinal administration of security keys as well as operating scheme updates; the scanning of content, similar your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; as well as key recovery when a user forgets the password to decrypt a laptop. 

No 1 calls whatsoever of those functions a “back door.”  In fact, those capabilities are marketed as well as sought out yesteryear many users.

The proposal that providers retain the capability to brand sure evidence of criminal offence tin hold out accessed when appropriate is non an unprecedented idea.

Such a proposal would non require every fellowship to implement the same type of solution.  The authorities demand non require the utilization of a item chip or algorithm, or require whatsoever item key administration technique or escrow.  The law demand non mandate whatsoever item agency inward monastic enjoin to accomplish the crucial end: when a courtroom issues a search warrant or wiretap monastic enjoin to collect evidence of crime, the provider should hold out able to help.

No law tin guarantee that every unmarried production that offers encryption volition also come upwardly amongst an adequate capability to preclude that production from beingness used to enshroud evidence of crime.

Influenza A virus subtype H5N1 requirement to implement a solution could hold out applied thoughtfully, inward the places where it is needed most.  Encrypted communications as well as devices pose the greatest threat to world security when they are constituent of mass-market consumer devices as well as services that enable warrant-proof encryption yesteryear default.

No solution volition hold out perfect.  If exclusively major providers refrain from making their products prophylactic for terrorists as well as criminals, some sophisticated criminals may migrate to less-used platforms. But whatsoever progress inward preserving access to communications methods used yesteryear most criminals as well as terrorists would withal hold out a major mensuration forward.

The approach taken inward the recent yesteryear — negotiating amongst technology companies as well as hoping that they eventually volition assist law enforcement out of a sense of civic duty — is unlikely to work. Technology companies operate inward a highly competitive environment. Even companies that actually wishing to aid must view the consequences. Competitors volition e'er attempt to attract customers yesteryear promising stronger encryption.

That explains why the government’s efforts to engage amongst technology giants on encryption by as well as large do non conduct fruit.  Company leaders may hold out willing to meet, but often they respond yesteryear criticizing the authorities as well as promising stronger encryption. 

Of course of study they do. They are inward the concern of selling products as well as making money. 

We utilization a different mensurate of success. We are inward the concern of preventing criminal offence as well as saving lives. 

Companies are willing to brand accommodations when required yesteryear the government. Recent media reports propose that a major American technology fellowship developed a tool to suppress online posts inward sure geographic areas inward monastic enjoin to concealment a unusual government’s censorship policies.  Another major American tech fellowship of late acquiesced to a unusual partner’s asking that local customers halt using software to circumvent a unusual government’s censorship restrictions.  A 3rd major American firm of late stopped supporting virtual private network apps at the behest of a unusual government, to preclude cyberspace users from overcoming censorship policies.

American technology providers sell products as well as services inward unusual markets where the governments have got questionable human rights records as well as enforce laws affording them access to client data, without American due physical care for or legal protections.

Surely those same companies as well as their engineers could aid American law enforcement officers enforce courtroom orders issued yesteryear American judges, pursuant to American dominion of law principles.

Some critics fence that the evidence concealed yesteryear encryption tin hold out offset yesteryear novel sources of data.  They claim nosotros alive inward a “Golden Age of Surveillance” because law enforcement may access novel sources of information such equally location data, or information derived from internet-connected devices.

That declaration misunderstands what sort of evidence law enforcement needs inward monastic enjoin to preclude as well as punish crime.  We demand to get together powerful evidence that proves a defendant’s guilt beyond a reasonable doubt.  Sometimes a communication is a criminal offence inward itself, or provides conclusive proof.  There is no substitute for introducing the master copy communication inward court.

Location information may demonstrate that a suspect was close the scene of crime, but it does non necessarily bear witness that the soul committed a crime.  Nor does it demonstrate what the suspect was thinking or intending — both of which are of import elements of proof inward many prosecutions. 

It is notable that all of the novel information is generated for, as well as inward the hands of, private companies.  Companies collect increasing volumes of personal information most individuals inward monastic enjoin to predict human conduct as well as create revenue. Databases are built for marketers, who are comfortable making decisions based on far less information as well as far less assurance of accuracy than nosotros require earlier prosecuting someone for a crime.

We may hold out awash inward data, but it is non e'er the sort of evidence that our dominion of law tradition establishes equally sufficient to found guilt beyond whatsoever reasonable doubt.

Police as well as prosecutors were the get-go to recognize the danger posed yesteryear the “going dark” trend.  But the world bears the cost.  When investigations of trigger-happy criminal organizations come upwardly to a halt because nosotros cannot access a phone, lives may hold out lost.  When kid molesters tin operate anonymously over the internet, children may hold out exploited.  When terrorists tin communicate covertly without fearfulness of detection, chaos may follow.

It is of import to recognize that our concern most the harm caused yesteryear “going dark” is non inconsistent amongst our back upwardly for cybersecurity.  We at the Department of Justice empathise as well as encourage strong cybersecurity to protect our citizens.

We know from sense that the largest companies have got the resources to do what is necessary to promote cybersecurity spell protecting world safety.  A major hardware provider, for example, reportedly maintains private keys that it tin utilization to sign software updates for each of its devices.  That would nowadays a huge potential security problem, if those keys were to leak.  But they do non leak, because the fellowship knows how to protect what is important.  Companies tin protect their powerfulness to respond to lawful courtroom orders amongst equal diligence.

Technology providers are working to build a Blue Planet amongst armies of drones as well as fleets of driverless cars, a time to come of artificial tidings as well as augmented reality.  Surely such companies could pattern consumer products that supply information security spell permitting lawful access amongst courtroom approval.

As the “going dark” tendency grows, local, state, as well as federal law enforcement officials demand to hold out candid most how criminals utilization encrypted services as well as devices for illegal purposes.

In an era of dramatic as well as rapid change, nosotros have got a duty to keep our commitment to the dominion of law. That requires us to hold out forthcoming most the dangers posed yesteryear emerging threats.

If companies are permitted to create law-free zones for their customers, citizens should empathise the consequences.  When constabulary cannot access evidence, criminal offence cannot hold out solved.  Criminals cannot hold out stopped as well as punished.

There is an alternative.  Responsible encryption tin protect privacy as well as promote security without forfeiting access for legitimate law enforcement needs supported yesteryear judicial approval.

Technology companies almost sure as shooting volition non prepare responsible encryption if left to their ain devices.  Competition volition fuel a mindset that leads them to create products that are to a greater extent than as well as to a greater extent than impregnable.  That volition give criminals as well as terrorists to a greater extent than opportunities to movement harm amongst impunity.

Sounding the alert most the night side of technology is non popular.  Everyone who speaks candidly most “going dark” faces attacks yesteryear advocates of absolute privacy. 

Some advocates are motivated yesteryear profit.  Others demonstrate sincere concern most the benefits of privacy. They are non concerned most preserving law enforcement capabilities.

Those of us who swear to protect the dominion of law have got a different motivation.  We are obliged to verbalize the truth.

The truth is that “going dark” threatens to disable law enforcement as well as enable criminals as well as terrorists to operate amongst impunity.

Allow me to conclude amongst this thought: There is no constitutional correct to sell warrant-proof encryption.  If our lodge chooses to permit businesses sell technologies that shield evidence fifty-fifty from courtroom orders, it should hold out a fully-informed decision.

Thank yous for your attention, as well as give thank yous you for your devoted service to our cracking nation.  I expression frontward to your questions.