Two decades ago, I attended my first RSA Security Conference in San Francisco, the largest annual security conference in the world.
I didn’t know too much about the area, but with each session I went to, my interest grew. By the end of the first day, I was hooked.
Security – and, as I quickly realised, its often frustrating, and frustrated, frenemy privacy – were utterly central to the new, exponentially expanding world of the internet, of networks at home or at work, of individual computers, of hackers, crackers, law enforcement, governments, corporates and the growing ranks of personal computer users.
Security was, in its broadest sense, about privacy, about keeping networks and computers, documents and data, private and protected.
But privacy was also seen as a problem, primarily by law enforcement and governments, who wanted to be able to access communications of criminals, terrorists, and state “actors” (as the term goes). If communications can be kept securely private, they argued (and continue to argue), then espionage and security work aimed at keeping populations safe becomes difficult.
Encryption – the use of computer algorithms to encode data to a degree that makes it close to impossible to break – was easily the most combative issue at that first event I went to 20 years ago.
Its use was allowed within certain restricted contexts within the United States – within the government, by some businesses, by law enforcement – but an angry debate was emerging on whether ordinary computer users should have access to it.
Alongside this was increasing frustration among the business community developing and selling encryption-based technologies and services. Offering products with so-called strong encryption outside the US was, at the time, illegal.
US companies were forced to sit on the sidelines while non-US companies had the rest of the world as a prospective market. That vacuum created fast-growth opportunities for many European start-ups, including Ireland's now defunct Baltimore Technologies, which, at one point, grew so large as to threaten rival RSA itself.
The encryption debate convulsed the US computing and emerging internet industry and, on many levels, permanently soured relationships with the US government. President Bill Clinton finally allowed the export of strong encryption and freed up its use for any individual who could wade through the headache of using products such as encrypted email.
But the Encryption Wars of the 90s encapsulated a tension between security and privacy, business and government, individuals and government, and gradually, individuals and business that has remained as a substrate to those relationships.
Jump ahead to last week’s RSA conference, and encryption was right back on centre stage – deja vu for us old-timers – and not just figuratively. The main keynotes consistently focused on encryption. So did the conference’s annual highlight, its famed Cryptographers’ Panel comprising several legendary industry figures and digital cryptography pioneers.
This was thanks in large part to the ongoing battle between the FBI and Apple over access to an iPhone used in December's San Bernardino, California, terrorist shootings. The FBI wants Apple to cripple some aspects of the phone's encryption; Apple, with an extraordinary level of tech industry backing, says to do so would – rightly – make everybody, every company, and the US government itself, far less secure.
But security folks were alarmed about the fresh rhetoric around encryption well before the Apple case came up. National governments that should know better, for the first time in years, have been placing encryption in their crosshairs.
The topic has been hotly debated in the US Congress. At one point, encouraged by British prime minister David Cameron, President Barack Obama backed the notion of adding "back door" access to encryption. Obama, thankfully, has retreated from that stance. But Cameron and his party remain blindly convinced this will enhance rather than catastrophically abrade security.
Cameron has shown blind disdain for the views of security industry and privacy experts, who have attempted to explain that you cannot weaken encryption for law enforcement without also creating an Achilles’ heel that will be targeted by the nasties, too.
Where the US differs from the UK is that, at least, senior US government figures now realise they need to be talking to the security industry and the wider business community, not talking at them.
One welcome change in this new phase of the Encryption Wars is that last week’s RSA conference – unlike the event and the Wars in the 1990s – included an unprecedented array of political, security and military figures who gave their points of view, but also listened, and took some very tough questions from engaged audiences.
Among them were some former senior officials – including a former secretary of homeland security (Michael Chertoff) and a former secretary of intelligence and navy admiral (Mike McConnell) – who now support encryption and oppose back doors. Those were important, unexpected voices.
By the event’s end, we had no easy answers, no pat conclusions, no new best friends between government and industry. But there was the start of an important dialogue on contentious but critical issues that affect the security of every one of us.