I wrote yesterday about reports that people in the White House are using encrypted communication apps more often, and why that might be. Today I want to follow up by talking about how the politics of encryption might affect government agencies’ choices about how to secure their information. I’ll do this by telling the stories of the CIOs of three hypothetical Federal agencies.
Alice is CIO of Agency A. Her agency’s leader has said in speeches that encryption is a tool of criminals and terrorists, and that encryption is used mostly to hide bad or embarrassing acts. Alice knows that if she adopts encryption for the agency, her boss could face criticism for hypocrisy, for using the very technology that he criticizes. Even if there is evidence that encryption will make Agency A more secure, there is a natural tendency for Alice to look for other places to try to improve security instead.
Bob is CIO of Agency B. His agency’s leader has taken a more balanced view, painting encryption as a tool with broad value for honest people, and which happens to be used by bad people as well. Bob will be in a better position than Alice to adopt encryption if he thinks it will improve his agency’s security. But he might hesitate a bit to do so if Agencies A and B need to work together on other issues, or if the two agency heads are friends–especially if encryption seems more important to the head of Agency A than it does to the head of Bob’s own agency.
Charlie is CIO of Agency C. His agency’s leader hasn’t taken a public position on encryption, but the leader is known to be impulsive, thin-skinned, and resistant to advice from domain experts. Charlie worries that if he starts deploying encryption in his agency, and then the leader impulsively takes a strong position against encryption without consulting his team, the resulting accusations of hypocrisy could anger the leader. That might cost Charlie his job, or seriously undermine the authority he needs to properly manage agency IT. The safe thing for Charlie to do is to avoid deploying encryption–not only to preserve his job but also to protect the rest of the agency’s IT agenda. If Charlie doesn’t change the agency’s practice, then criticism of the practice can be deflected onto the previous leader–and of course we’ll be upgrading to the better practice soon. Here the uncertainty created by the leader’s management style deters Charlie from changing encryption practice.
Let’s recap. Alice, Bob, and Charlie are operating in different environments, but in all three cases, the politics of encryption are deterring them, at least a little, from deploying encryption. Their decision to deploy it or not will depend not only on their best judgment as to whether it will improve the agency’s security, but also on political factors that raise the cost of adopting encryption. And so their agencies may not make enough use of encryption.
This is yet another reason we need a serious and specific discussion about encryption policy.