The American attorneys general were both in agreement that at some point the government, likely through an act of Congress, is going to have to come to terms with “warrant proof” devices that are hindering investigations that run from murder to money laundering. Berman said that the government isn’t looking for a “back door” into a phone, nor are they even looking to possess the devices, they just want manufacturers to supply access to the data.
“We would never accept this in the physical world, so we should not accept it in the digital world,” said Donoghue.
He added that the only reason the government was able to bring down Joaquín “El Chapo” Guzmán was because they were able to get into his computer system.“We got it only by flipping the individual who set up the system,” he said.
Hartmann agreed that access is important, but he said the problem is much broader than access.
“There’s still much room for us to improve our way of dealing with the data. I agree with the issue, but the strategy should be more than asking companies for access,” he said.
Donoghue said for many nations, their experience with terrorism has shaped their experience in the cyber realm. All agreed that France, which has suffered several recent terrorist attacks, has taken the lead with companies, demanding that services cannot be sold unless they respond to judicial warrants. As cybercrime is often a borderless domain, he said it will be interesting to see how American companies comply.
But it’s not just the companies that make encrypted devices that don’t want to deal with the Department of Justice (DOJ), even companies that have been attacked are reticent to report the crime. Berman said that companies often don’t want to come forward because they buy into established myths about reporting cybercrime to the DOJ. These myths include losing proprietary information and being reported to regulators such as the Security and Exchange Commission—all of which Berman said does not happen.
“Digital evidence dissipates and we need access as soon as possible,” he said. “We treat companies as victims.”
Donoghue said companies will get hacked and will get attacked no matter what, so it’s important to have a plan in place on how to respond. He noted that threats come from near and far, citing one case in which Iranian hackers attacked 147 universities in 22 countries, and other cases where Chinese students and visiting professors were accused of stealing technology from universities. For most organizations, such security breaches can be a public relations embarrassment, but that’s unavoidable, said Hartmann.
“You have at least one employee or customer who will talk to the media and the case will become public,” he said.
He said that just as victims should coordinate with law enforcement after an attack, they should also coordinate and plan a response to the media. He noted that one hospital in Germany was very transparent after a breach and thanks to that transparency, the public perception was sympathetic.
In closing, Berman said backing up systems remains of utmost importance and that the backup should obviously be disconnected from the system.
“And by the way, don’t use ‘password’ as your password,” he said.