Government Hacking - Global Challenges

Since the first crypto war of the 1990s, governments have tried to square the seeming ambivalence of encryption. While it enables secure communications which is vital for the economy and the government itself, it also allows criminals to easily hide their communication and data from law enforcement – the so-called “going dark” challenge. Over the years, there have been numerous approaches and proposals to tackle this issue, such as government mandated backdoors, weakening of encryption standards and direct access. Experts across the board however agree that “strong encryption is the basis for secure digital communications and, consequently, that weakening encryption or requiring providers of encrypted products or services to redesign their offerings in order to facilitate government access is detrimental to national security. Therefore, several countries –among them Germany and the United States – have taken to enabling law enforcement and intelligence agencies to conduct investigations via hacking tools (referred to as “government hacking”) in order to shine a light into the going dark problem. Government hacking is not without its shortcomings, to say the least. Neither have those challenges been addressed in an orderly manner, nor have other alternatives – apart from those mentioned above –been thoroughly discussed. Those aspects form the scope for this overview.

A clear legal and policy framework for government hacking is needed to address these challenges thus minimizing privacy violations and limiting overall weakening of informational security. Developing such a framework however requires an identification of the core problems of government hacking. The challenges of the going dark problem set, encryption or government hacking do not stop at national borders. Therefore, fostering a common understanding and sharing best practices within a multilateral or transnational approach might yield significant progress towards solving the core challenges. Those challenges are:  

1. Developing a predictable framework;
2. Maximizing privacy and minimizing security impact;
3. Adopting clearly defined legal standards;
4. Respecting international law and considering international implications;
5. Establishing balanced oversight and transparency;
6. Exploring alternative solutions;
7. Developing a vulnerability management system.