Cybersecurity a balancing act, former FBI head says

On one hand, U.S. businesses need to protect their trade secrets because national security is tied closely to economic security, but on the other hand encryption might be helping criminals hide their secrets, Louis Freeh, former director of the FBI, told a gathering of cybersecurity experts Monday.

The U.S. government doesn’t have the ability to crack some sophisticated types of encryption, putting investigators of terrorism threats at a disadvantage, Freeh said at the Computer Security Conference and Exhibition in Washington, D.C. In 2000, U.K. lawmakers passed a law allowing law enforcement agents to get warrants requiring encryption vendors to share their keys, but U.S. investigators have to rely on cooperation from vendors, which can result in a slow process, Freeh said.

“The ability to get real-time information from encrypted channels is going to be a huge problem in terms of homeland security and national security,” said Freeh, who served as FBI director from 1993 to 2001. “In a way, it runs a little bit counter to the interests of corporate America in terms of protecting its information.”

Freeh didn’t go so far as advocating that the U.S. Congress pass a law similar to the U.K. encryption law, but he said an “intricate” balance between domestic security and the rights of commerce and free speech is still being worked out. Judges offer strong protections to U.S. residents to keep law enforcement from overstepping its bounds in the pursuit of information on suspects, Freeh said during a question-and-answer session when an audience member asked what is being done to protect people.

While raising questions about encryption, Freeh encouraged private companies to protect their data and trade secrets. The Economic Espionage Act, passed by Congress in 1996, established ways to prosecute cases in which foreign governments use their spy agencies to steal trade secrets from private U.S. companies, but companies need to assist investigators tracking down trade secret thefts and other computer-related crimes, he said.

The latest computer crime survey released by the FBI and the Computer Security Institute in May found that only about 30 percent of hacking incidents are reported to law enforcement, Freeh said. Companies may not want to report the loss of trade secrets for a variety of reasons, including alarming stockholders and tipping off competitors, but such reporting is necessary to help investigators track down criminals attacking the U.S., he said.

“Many people believe, as I do, that homeland security begins with economic security,” he said. “If you subscribe to the notion that economic security does reflect directly on national security, you can’t really have a successful and viable homeland security program unless the reporting percentile … increases significantly.”

Freeh identified identity theft as another computer security challenge for companies, but one of the biggest challenges is for law enforcement agents to have real-time access to data on suspects. A police officer needs to know as much as possible about the person in the car the officer just pulled over, Freeh said, and private industry can help law enforcement agencies with the technology necessary to download data on suspects in real time.

That kind of instant information “could be the difference between stopping a major attack or not,” Freeh said. “(The technology) is as likely to come from you in the private sector as from a government program.”