Cybersecurity is a balancing act, says ex-FBI head

A former FBI director has told a gathering of security experts that encryption might be helping criminals hide their secrets.

A former FBI director has told a gathering of security experts that encryption might be helping criminals hide their secrets.

The US government does not have the ability to crack some sophisticated types of encryption, putting investigators of terrorism threats at a disadvantage, admitted Louis Freeh, who was speaking at the Computer Security Conference and Exhibition in Washington DC.

In 2000, the UK passed a law allowing investigators to get warrants requiring encryption suppliers to share their keys, but US investigators have to rely on co-operation from vendors, which can slow things down, he said.

"The ability to get real-time information from encrypted channels is going to be a huge problem in terms of homeland security and national security," said Freeh, who served as FBI director from 1993 to 2001. "In a way, it runs a little bit counter to the interests of corporate America in terms of protecting its information."

Freeh did not go so far as to advocate that the US pass a law similar to the UK encryption law, but he said an "intricate" balance between domestic security and the rights of commerce and free speech is still being worked out.

Judges offer strong protections to US residents to keep law enforcement from overstepping its bounds in the pursuit of information on suspects, Freeh said during a question-and-answer session when an audience member asked what is being done to protect people.

While raising questions about encryption, Freeh encouraged private companies to protect their data and trade secrets. The Economic Espionage Act, passed by Congress in 1996, established ways to prosecute cases in which foreign governments use their spy agencies to steal trade secrets from private US companies, but companies need to assist investigators tracking down trade secret thefts and other computer-related crimes, he said.

The latest computer crime survey, released by the FBI and the Computer Security Institute in May, found that only about 30% of hacking incidents are reported to the police, Freeh said.

Companies may not want to report the loss of trade secrets for a variety of reasons, including alarming stockholders and tipping off competitors, but such reporting is necessary to help investigators track down criminals, he said.

"Many people believe, as I do, that homeland security begins with economic security," he said. "If you subscribe to the notion that economic security does reflect directly on national security, you can't really have a successful and viable homeland security programme unless the reporting percentile ... increases significantly."

Freeh identified identity theft as another computer security challenge for companies, but one of the biggest challenges is for agents to have real-time access to data on suspects.

That kind of instant information "could be the difference between stopping a major attack or not", Freeh said. "The technology is as likely to come from you in the private sector as from a government programme."

Grant Gross writes for IDG News Service

Read more on Hackers and cybercrime prevention