Hayes said it is less about the developers of encryption apps sharing decryption keys than it is about Apple and Google and public officials allowing encryption on smartphones to be broken when a judge issues a warrant to grant spy agencies access to communications.
Apple and Google both enable disk-level encryption in more-recent versions of their mobile operating systems; it's been part of iOS since iOS 4, and part of Android since Android 5.0 (Lollipop). That means a decryption key is only kept on the phone itself, which makes it virtually impossible for Apple or Google to turn over the key to investigators, Hayes said. BlackBerry offers disk-level encryption, but can make the decryption keys available to investigators, he said.
"We've reached the point [of] no access for [investigating] agencies, even with a warrant in their possession," Hayes said. "Apple and Google don't have the key -- that's the problem. The keys to decrypt a phone are stored locally and the companies no longer hold the keys. They say, 'Sorry, we can't help you.'
"Privacy should absolutely be protected and data should be encrypted and anonymous, but if a judge is in agreement, then I believe the government can investigate," Hayes said. "It's clear from my research that ISIS is using secure mobile devices and either using their own encryption or paying for trusted third-party apps."
Hayes said the ability to decrypt needs to be available to IT shops as well, in case they need to obtain access to corporate data encrypted on a worker's cell phone. "Companies have to be able to investigate the insider threat also," he said.
Even if a user has a third-party encryption app running on a phone, gaining access to the disk-level encryption would turn the encrypted data from most third-party apps into plain text, he added.
Congress needs to update the Communications Assistance for Law Enforcement Act (CALEA), a wiretapping law first passed in 1994, to help the FBI and others gain the ability to monitor encrypted communications sent wirelessly over different modes, with a judge's consent, Hayes said. He said the current law has "shortcomings."
Congress and other policymakers have thus far been ineffectual, he added. "I don't think anybody is listening to the terror threat," Hayes said. "I haven't heard any movement on changes. It's worrying."
Another cybersecurity expert questioned whether there is solid evidence ISIS used encryption at all. "I would take claims ISIS used encryption with a grain of salt," said Matthew Green, assistant professor at the Johns Hopkins Information Security Institute.
"There's been a year-long debate on encryption and there's a kind of vested interest [by security agencies] to find ways to weaken encryption for wiretaps. After any breach, the first thing you hear is that encryption has to be banned," Green said. "Terrorists are really too hard to find, and the hard part is not wiretapping but finding who to wiretap."