Top intelligence officials on Tuesday told senators that the difficulties investigators face when seeking information protected by encryption should not be addressed through legislation. Instead, they should be dealt with on a case-by-case basis with partnerships in the private sector.
Agency officials pushed back on suggestions from some lawmakers that an encryption mandate could solve the thorny issue of criminals and terrorists shielding their communications.
“The trend is clear. Terrorists are becoming more savvy about protecting their communications, including through the use of strong encryption,” Adm. Mike Rogers, director of the National Security Agency, said today at a Senate Armed Services Committee hearing.
“We’re dealing with a whole new ecosystem out there,” Rogers added. “We’ve got to bore into this ecosystem and look at it in just that way. Don’t focus on just one particular application that’s used by one particular target. Think more broadly about the host of actors that are out there. If we look at this more as an ecosystem, we will find more vulnerabilities that we can access.”
Rogers, who also heads U.S. Cyber Command, said the government is “making investments in technologies and capabilities” designed to solve the obstacles created by encryption. He didn’t elaborate.
Rogers was joined by Marcel Lettre, under secretary of defense for intelligence, who told the panel that it is “most important” for the Pentagon to create partnerships with leaders in the tech industry. He said the Defense Department’s senior leaders are “invested heavily in conversations” with the U.S. tech sector.
Lettre said that partnering with tech companies would work better for intelligence and national security officials than any potential new law. The Defense Department does not think that legislation is “the best way to go at this time,” he added.
“New legal and regulatory approaches are not as potentially productive as a robust dialogue seeking collaboration and cooperation with the private sector,” Lettre told the committee.
Arizona Sen. John McCain (R), who’s chairman of the committee, expressed concern about communications “tricks” used by the self-proclaimed Islamic State that were detailed in a recent Wall Street Journal report.
“Unless there is a policy about what the United States’ actions will be in the case of a threat, in the case of actual attack, in the case of other aspects of this challenge we’re on, then you’re going to see legislation,” McCain said. “Right now there is no policy.”
“If you don’t act, then I guarantee you that the Congress will act,” he added.
McCain’s comments come amid rumors suggesting Senate Intelligence Committee leaders Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) are circulating a new draft of a bill that would require tech firms to decrypt data for government investigators.
A spokeswoman for Feinstein on Monday said the senator’s staff is continuing to talk to a range of stakeholders regarding ideas and feedback received in response to an encryption bill drafted last April by Feinstein and Burr.
Tech and civil liberties groups vehemently oppose the idea behind Burr and Feinstein’s proposal, which they have been floating for a year.
Leading opponents argue that aside from the privacy concerns, policies aimed at weakening encryption might create vulnerabilities in secure technologies that could see exploitation from hackers either working through criminal channels or for other nation states.
The intelligence officials before the Senate committee Tuesday acknowledged that they are opposed to giving the government a so-called “back door” into technology companies’ encrypted services.
“From a policy perspective, we’re in favor of strong encryption,” Lettre said. “We benefit from it ourselves. Anything that looks like a back door is not something we would like to pursue.”
Lettre said he prefers a “really rich dialogue case-by-case with key industry players to see what kinds of solutions can be brought to bear.”
Sen. Jeanne Shaheen (D-N.H.) said the difficulty that the U.S. intelligence community ran into when attempting to get Apple Inc. to unlock an iPhone used by one of the San Bernardino shooters or to get Twitter to allow a “scrub” of some of their data shows “limits to that kind of strategy.”
“I would always rather try and sit down and resolve the situation rather than pass legislation,” Shaheen said. “But right now we’ve had mixed reviews of the opportunity to work collaboratively with the private sector to address this issue.”
Passing any sort of encryption measure would be difficult, even without the tight schedule awaiting lawmakers before the close of the 114th Congress.
One idea with bipartisan backing is the creation of a digital securities commission made up of experts from the private sector and government to study the issue and then report back to Congress with policy proposals and suggestions.
Sen. Mark Warner (D-Va.) is the sponsor of legislation that would set up that kind of commission. Director of National Intelligence James Clapper suggested in a Senate Intelligence Committee hearing in June that he supports that approach. Other leaders who back the idea of a congressional commission are Apple Chief Executive Tim Cook and Democratic presidential nominee Hillary Clinton.
Homeland Security Committee Chairman Michael McCaul (R-Texas) sponsors the House companion to Warner’s bill. Neither measure has received a hearing or a markup.
