For years, cybersecurity experts have warned about the risks posed by insecure and outdated communication systems, and the devastating consequences of Salt Typhoon underline how bad the situation has become. The Salt Typhoon hack, also labeled as the worst hack in US history, led to a notable and long-overdue policy shift in the USA.

Cybersecurity and Infrastructure Security Agency (CISA) has now recommended using end-to-end encrypted services for secure communications, and best of all especially those that don’t harvest or store metadata. This move is significant not only because it validates what privacy advocates have been saying for years but also because for the first time US government officials ask everyone to use encryption. In its “Mobile Communications Best Practice Guidance” CISA recommends:

”1. Use only end-to-end encrypted communications”

CISA specifically names the Signal chat app as a secure alternative, not only because of its quantum-resistant, end-to-end encryption, but also because users should “evaluate the extent to which the app and associated services collect and store metadata” – which in Signal’s case is very little.

Battle against end-to-end encryption

Historically, the US government has had a much different relationship with end-to-end encryption.

Politicians and governmental agencies alike have often portrayed encryption as a barrier to law enforcement rather than a safeguard for individual privacy. Again and again, politicians tried to force tech companies offering secure encryption for backdoor access – stating that “access for the good guys” should be possible to prevent terrorist attacks or the sexual exploitation of children.

Efforts to undermine strong encryption have been persistent for as long as end-to-end encryption has existed.

The “Crypto Wars” of the 1990s

In the early days of the internet and shortly after the invention of PGP encryption – which for the first time allowed individuals to send encrypted emails over the internet, the US government pushed against the export of such technology. The US government argued that technology like PGP would allow anyone – including foreign adversaries - to protect their communication from prying eyes, in particular, from US secret services.

Consequently, US government export regulations banned the export of cryptographic systems with 128-bit keys, like PGP’s AES/RSA encryption. The attitude towards encryption in the US was split: On one side, military cryptography experts entirely focused on preventing adversaries from accessing sensitive information, making sure to use strong encryption for such information. On the other side, officials wanted access to foreign communications.

However, a backdoor to encryption was never introduced to PGP, and strong end-to-end encryption is being used to this day, now even with quantum-resistant algorithms.

Apple vs. FBI (2016)

US government wanting backdoor access to iPhones from Apple. Hackers, repressive regimes etc. standing in line to also get access.

The FBI’s demand that Apple should create a backdoor to unlock the iPhone of the San Bernardino shooter sparked a national debate in the USA. Apple’s refusal highlighted the fundamental tension between individual privacy and governmental surveillance.

To this day, Apple is able to offer strong end-to-end encryption to its users.

The “EARN IT Act” (2020)

Under the guise of combating child exploitation, the US government wanted to force companies offering encrypted services to undermine this encryption by enabling scanning mechanisms with the help of the EARN IT Act.

Critics warned it would effectively outlaw strong encryption, and the EARN IT Act never got passed.

The “Lawful Access to Encrypted Data Act” (2020)

Introduced as a measure to ensure law enforcement could access encrypted data during investigations, the Lawful Access to Encrypted Data Act sought to mandate that companies create backdoors in their encryption systems. Proponents argued it was necessary for public safety, but critics pointed out that such backdoors would weaken encryption for everyone, exposing users to cyberattacks and surveillance.

The proposal faced significant opposition from privacy advocates and the tech industry and ultimately failed to gain traction in Congress.

Every attempt to break encryption has consistently led to a very controversial debate about encryption in the United States during the last few decades.

But every time anyone demands backdoor access to encryption, one thing comes out crystal-clear:

Any deliberate weakening of encryption not only compromises privacy but also exposes users to the same kinds of attacks demonstrated by Salt Typhoon.

Salt Typhoon: A wake-up call

Salt Typhoon’s success was rooted in exploiting weaknesses in (old and outdated) telecommunications networks. While much of the focus has been on the scale of the hack, its implications are even more alarming. This attack revealed that attackers could access sensitive communications, gather extensive metadata, and potentially disrupt critical infrastructure.

The breach is a stark reminder that secure communication is not a given, we must make smart decisions to make sure our online communication is secure by choosing encrypted services like Signal and Tuta Mail – as it has now been recommended by CISA.

Victory for privacy

We at Tuta highly welcome CISA’s new recommendation – we do not only welcome it, we call it a long-awaited victory for privacy.

This recommendation by CISA marks a significant and overdue shift in US policy towards prioritizing privacy and security in digital communications. For years, experts have emphasized the importance of end-to-end encryption and minimal metadata retention. It’s the only safe method we have to make sure our communication can not be monitored. It is encouraging to see this is finally being understood at such a high governmental level. CISA’s recent statement is the loudest endorsement of encryption that we have ever heard from an agency of the US government.

At Tuta, our goal is to give users full control over their data. By implementing strong, quantum-safe encryption algorithms, by using a zero-knowledge architecture and by storing as little metadata as possible about our users, we make sure that our users’ data stays safe, online and offline.

Why privacy matters

Privacy is often framed as necessary only for those with “something to hide.” But this narrative ignores the fundamental role privacy plays in a democratic society. Privacy matters because without it, free speech and freedom of expression, even freedom of thought are at risk. Journalists, activists, and whistleblowers rely on secure communication to expose corruption and injustice.

But that’s only one part. If we are able to keep our data private and confidential, we can protect it from any kind of prying eyes – not just from political opponents, but also from economic adversaries. Businesses depend on privacy through end-to-end encryption to protect sensitive data from competitors, business espionage and bad actors.

Salt Typhoon demonstrated what can happen when these safeguards are absent. This breach mainly affected politicians – spied upon by Chinese attackers – but anyone could fall victim to it: individuals, businesses, NGOs, anyone. The Salt Typhoon hack affects national security and global trust in critical communications infrastructure – and the only method that can keep us safe is end-to-end encryption.

Calling on politicians to end the crypto wars

CISA’s recommendation of using end-to-end encryption is a step in the right direction, but it must be followed by action. Policymakers need to resist future attempts to weaken encryption or to undermine it with backdoors for the “good guys”.

The crypto wars must finally come to an end!

Instead, politicians must actively support end-to-end encryption and the development of secure technologies – in their own interest.

Let’s build a more secure digital future. Let’s fight for privacy together!