tv   Politics and Public Policy Today  CSPAN  April 19, 2016 11:09am-1:10pm EDT

11:09 am
they have to make that key available. so that they don't have to spend the resources to crack a code. rather have a new operating system -- >> thanks. by the way, thank you. i'm over? all right. i just want to say i thought what representative clark said about resources for you to let you do some of this work on your own makes an awful lot of sense. some of these conflicts are going to be frankly as much as we want to say they're resolvable. they're hard to resolve. >> recognize mr. mullin for five minutes. >> as you can see, i think both sides on this -- up here on this -- in this committee you can see we want to get to the real problem. we want to be helpful not a hindrance. all of us want to be safe but we want to make sure we operate within a constitution. and the technology is changing at such a pace.
11:10 am
i know law enforcement has to do their job and staying with it because criminals are doing their job, too. like it or not. and if it changes, crimes change, we have to change the way we operate. the concern is privacy, obviously and getting into that. some have argued that the expansion of connected devices to the internet of things provides law enforcement with new surveillance tools and capabilities. recently, the center at harvard university argues the internet of things could offset the government's inability to access encrypted technology for providing new paths for surveillance and monitoring. my question is, what's your reaction to the idea that internet of things presents an alternative to access of encrypted devices? >> certainly, i do think the internet of things and associated metadata presents us with an additional opportunity to collect information and evidence that will be helpful to
11:11 am
us in investigations. however, those merely provide us with leads or clues whereas the real contents of the communications is what we really seek in order to prove beyond all reasonable doubt in court in order to get a conviction. >> could you expand a little bit on the content to what's in the device? >> the actual -- >> or communication between the device. >> what people are saying to each other. as opposed who is communicating or what location they were communicating. it's important to law enforcement to know what they said in order to prove intent. >> is there something that we on this panel need -- i say this panel, this committee should be looking at to help you be able to gain access to that? or since it's connected, does it even take any extra steps for you to be able to access that information? >> yes, and exactly to the point of discussion here today, is that we need to work with industry and with academia in
11:12 am
order to come up with solutions so they can access that content and provide it to us. >> the fbi is exploring options? >> we are, yes, sir. >> are there challenges or concerns using the growth of connected devices you can see coming down the road, obviously, with the technology changing rapidly today? what are some of the challenges you're facing? >> certainly as more and more things in today's world become connected. there's an increasing demand for encrypting those particular services and devices and capabilities. and that's well-warranted and well-merited. again, it presents a challenge for us as metadata is encrypted that presents a challenge as well. we need to be able to access the information and the content. in other words, if a suspect's toaster is connected to their car so that they know it's going to come on at a certain time, that's helpful. but it doesn't help us to know the content of the communication
11:13 am
when it comes to developing plots. >> so is there a difference between say, the fbi the way you have to operate captain cohen and the way you operate? >> not much of a difference. because we work very well together. initial challenges, in february apple announces it plans to tie the same encryption key to the icloud accounts. apple has announced they plan to make that encrypted and unaccessible to legal process. we'll lose that area of content as well. >> i just assume that everything i do online for some purpose is out there. and people's going to be able to retrieve it. i don't assume any privacy when it's on the internet. is that analogy true, or should we be expecting a sense of privacy when it's on the internet? we put it out there. >> sir, i believe we should all
11:14 am
expect a sense of privacy on the internet, when we talk in a restaurant, talk on the telephone. that privacy cannot be absolute. we need to have a search warrant, and have the ability, the constitution protects us from unreasonable searches and seizures, not all search and seizures. >> do you have an opinion on this? >> i agree also. on the internet, you have a right to privacy. most of these apps and programs give you privacy settings so nobody can get at it. when you get into the criminal world, that's when law enforcement has to have the ability to go in and see what you have on there. >> thank you. i yield back. >> thank you. mr. pallone is recognized for five minutes. >> thank you, mr. chairman. i never seem to be amazed at how
11:15 am
complex an issue this is. it requires balancing competing values and societal goals. much of the debate is focused on simplified versions. there nee-- we've heard the encryption puts us in danger in going dark. we heard that the law enforcement now has access to more information than ever. so-called golden age of surveillance. at harvard at the berkman center there was a report titled don't panic making progress on the going dark debate that concludes, the communications of the future will neither be eclipsed into darkness or illuminated without shadow. i think that's the useful framework to view the issue, not as a binary choice between darkness and/or illumination but rather a spectrum. it's fair to say there have been and always will be areas of
11:16 am
darkness where criminals are able to conceal information and no matter what law enforcement has a tough job. but the question is how much darkness is too much. i wanted to ask you all -- this is for any of you -- key questions on the spectrum. if you will. where should we be on the spectrum if we're not in the right place how do we get there. let me start with ms. hess. >> yes, sir. as far as the amount of information we can receive today, yes, it is true we do receive more information today than we received in the past. but i would draw the analogy to the fact that the haystack has gotten bigger but we're still looking for the same needle. the challenge for us is to figure out what's important and relevant to the investigation. now we're presented with volumes of information. and the problem additionally with that is that what we are
11:17 am
collecting, what we are able to see is, for example, who is communicating with who. or potentially what ip addresses are communicating with each other, the location, the time, perhaps the duration. but not the content of what they were actually saying. >> chief, did you want to add to that? >> i do agree that, you know, the internet has provided a lot more information to police. we can go out and find public records and find records within police departments throughout the country. so to police, the internet has made things a little bit easier. however, the encryption is taking all of those gains away. i think the more and more we go towards encryption the harder it's going to be to really investigate and conduct long term cases. we do a lot of cases in new york. about gangs. we call them crews. it's vital all the information we get on the internet that are sometimes public out there.
11:18 am
now they're switching to encrypted and making long term cases or i guess call them similar to rico cases very very difficult to put together. we're in a bind. >> all right. did you want to -- >> i see we have a lack of information that i've not seen before in my 20 years of investigations. not solely by encryption. but also it relates retention of information and the lack of -- similar to what the rest of the banking industry as well as our inability to service legal process on companies who are located in the united states and stored data outside the united states. i see it as interrelated issues which together conspire to make it more difficult than ever before for me to gather the information i need to conduct a criminal investigation. on the spectrum you asked about. i see it far to the extent we're losing the ability to access information we need to rescue victims and solve crimes. >> thank you.
11:19 am
i think my second question, i think to some extent you already answered. if anybody wants to add to it. the second question is where do you see the trend moving? are you comfortable where we're heading or the technology trends leaving us with too much darkness? you kind of answered that unless anyone wants to add to what they said. ms. hess? >> increasingly technology platforms continue to change and present challenges for us that i provided in my opening statement. in addition to that, we try to figure out how we might be able to use what is available to us and we are constantly challenged by that as well. for example, some companies may not know what exactly or how to provide the information we're seeking. and it's not just a matter of needing that information to enable us to see the content or enable us to see what people are
11:20 am
saying to each other. it's a matter of being able to figure out who we should be focusing on more quickly. if we can get that information, we can exonerate the innocent and identify the guilty. >> i'm going to end with that. i wanted to ask, obviously, that you can continue to engage with us to help us answer these questions. i mean, not just, you know, with what you're saying today. you know, a constant dialogue is what we need. thank you, mr. chairman. >> thank you. now recognize dr. burgess for five minutes. >> thank you. and thank you all for being here. i acknowledge there's another hearing going on upstairs. if we seem to be toggling back and forth that's what happening. there is another committee called the commerce manufacturing and trade subcommittee. we're working very closely with federal trade commission which is under our jurisdiction on the
11:21 am
issue of data breach notification and data security. a component of that effort has been to push companies to strengthen security. one of those ways could be perhaps through encryption. the ftc will look at security protocols for handling data when it reviews a company. so has the fbi had any discussions with federal trade commission over whether the back doors are access points might compromise the secured data? >> yes, sir we have engaged in a number of conversations among the interagency with other agencies with industry. with academia. i can get back to you as far as whether we met with the trade commission. >> that would be helpful. we are trying to work through the concept of more on the retail space but of data security. data security is data security regardless of who is harmed in the process.
11:22 am
data security is national security at large. so that would be enormously helpful. let me ask you a question, it's probably off topic but i can't help myself. one of the dark sides of encryption is someone comes in and encrypts your stuff you didn't want it encrypted and they won't get it back to you unless you fork over bitcoins them in a dark market. what is it the committee needs to understand about that ransomware concept that's going on currently? >> yes, sir. it's an increasing problem we're seeing and investigating on a regular basis. certainly to exercise hygiene is important. to be able to access the information is important to be able to talk to each other about what solutions might be available to be able to fall back to another type of backup
11:23 am
solutions so you aren't beholden to any particular ransom demands. >> that's critically important. i'm a physician by background, some of the ransomware has occurred in medical facilities. i just cannot imagine going into an icu and asking to see the data on my patient and being told it's been encrypted by an outside source and you can't have it, doctor. when you catch those people, i think the appropriate punishment is shot at sunrise and i wouldn't put a lot of appeals between the action and reaction. thank you mr. chairman. i'll yield back. >> i recognize mr. yarmuth for five minutes. >> thanks to the witnesses for your testimony. i find it hard to come up with any question that is going to elicit any new answers from you. and i think that the -- your
11:24 am
testimony and the discussion we've had today is an indication of how difficult this situation is. it sounds to me like there's a great business opportunity here somewhere. but probably you don't have the budgets to pay a business what they would need to be paid to get the information you're after. so that may be not such a good business opportunity after all. i want to ask one question of you ms. hess. in your budget request for fiscal year '17. you request more than $38 million to deal with the going dark issue. and your request says it's non-personnel. so it seems to me that personnel has to be a huge part of this effort. could you elaborate on what your request and budget request involves and what you plan to do with that? >> yes, sir. at a higher level, essentially we're looking for any possible
11:25 am
solutions, any possible tools we might be able to throw at the problem. all the different challenges we encounter and whether that's giving us the ability to be better password guessers or whether that's the ability to try to develop solutions for we might be able to perhaps exploit some type of vulnerability. or maybe that's a tool where we may be able to make better use of metadata. we try to come up with solutions to get around the problem we're currently discussing. >> i don't know enough to ask anything else. unless someone is interested in my time i yield back. >> now recognize mr. mckinley for five minutes. >> thank you, mr. chairman. i've been here in congress for five years, five and a half years. we've been talking about this for all five and a half years.
11:26 am
i don't see much progress being made with it. i hear the frustration in your voices. i was hoping we were going to hear today more specifics. if you could pass a magic wand what would it be. what's the solution. you hinted towards it but we didn't get close enough. so one of the things i'd like to try and understand is how we differentiate between privacy and national security. i don't feel that we've come to grips with that. i don't know how many people are on both sides of that aisle. i don't care. i'm very concerned about national security as it relates to encryption. we've had just this past weekend there was a very provocative tv show with 60 minutes came out with the hacking into cell phones. we had about a year ago we were briefed, it wasn't classified. it was the -- where russia hacked in and shut down the electric grid in ukraine.
11:27 am
the impact that could have that a foreign government could have access to it. it just in this past week at town hall meetings back in the district, twice people raised the issue about hacking into shutting down the electric grid. and it reminded me of testimony that had been given to us about a year ago on the very subject when one of the presenters like yourself said that it would -- within four days a group of engineers in america or kids could shut down the grid from boston down through -- where was it? from boston to new york you could shut down in just four days. i'm very concerned about that. where we're going with this whole issue of encryption and protection. if i could ask you the question, how confident are you? that the adequacy of the
11:28 am
encryption is protecting our infrastructure in your jurisdiction? >> sir, cyber security and infrastructure is very complicated. we have another whole section in the police department and in the city that monitors works closely with all the agencies such as coned, dep and so on. we work very closely with the fbi and that joint cyber task force to monitor -- >> but my question really is how do you feel? everyone comes in here, and when i've got to the power companies, i don't need to list their names. all of them have said we think we've got it. yet, during that discussion on 60 minutes, this hacker that was there is a professional hacker, he said i can break into any system. any system. my question back to you is how confident are you that the system is going to work? it's going to be protected?
11:29 am
>> i think with all the agencies that are involved in trying to protect critical infrastructure. i think there is a big emphasis in new york, i'll speak about new york. working with multiple agencies we're looking at vulnerabilities to the system. i do think that is an encryption issue. i think what i was speaking about more when it came to encryption is more about communications and investigating crimes or terrorism related offenses. >> beyond your jurisdiction on that? >> that's not an area i would comment. >> how about you in indiana? >> what are you talking about? control systems being compromised. again we're talking about firewalls not encryption. we're talking about the ability for someone to get inside the system. to have the password, to have the pass phrase something like that. to get the firewall. so encryption of data in motion as an example, would not protect us from the types of things you're talking about and being able to shut down a power grid. it's noteworthy i saw that 60
11:30 am
minutes piece. and what that particular hack was able to exploit would not have been fixed by encryption. that's a separate system related to how the cellular -- cell system works separate from the issue of encryption. what i can say is having more robust encryption would not fix those problems. i lack the background to be able to tell you specifically do i feel confident or not confident about how the firewalls are right now in the systems you asked about. >> ms. hess? boiler up by the way. my question, same to you. how would you respond to this? >> first off i don't think there's any such thing as 100% secure. anything as a purely secure solution. with that said, i think it is incumbent on all of us to build the most secure system possible but at the same time representing the challenge law
11:31 am
enforcement has to be able to get or access or be provided with the information we seek pursuant to a lawful order. a warrant that has been signed by a judge to be able to get the information we seek in order to prove or to have evidence that a crime has occurred. >> thank you. i yield back my time. >> recognize mr. tonko for five minutes. >> thank you, mr. chair. thank you to our witnesses. i'm encouraged that here today we're developing dialogue, which i think is critical for us to best understand the issue from a policy perspective. there's no denying that we're at risk with more and more threats to our national security. including cyber threats. but there's also a strong desire to maintain individual rights and opportunity to store information and understand and believe that it's protected. and sometimes those two are very difficult. there's a balance that needs to be struck. and so i think, you know, first question to any of the three of you is is there a
11:32 am
better outcome in terms of training? do you believe that there's better dialogue, better communication, formalized training that would help the law enforcement community? if they network with these companies that develop the technology? i'm concerned that we don't always have all the information we require to do our end of the responsibility thing here. >> i do think that certainly in today's world, we need people who have those specialized skills and have the training. who have the tools and the resources available to them to be able to better address this challenge. there is still no one sized fits all solution to this. >> anything, chief or captain that you'd like to add? >> i would just say that we do work very closely with a lot of
11:33 am
these companies like google and we do, you know, share information. and at times work on training amongst the two -- agency and the company. there is cooperation there. i think that it could always get better. >> and ms. hess in this encryption debate. what specifically would you suggest the fbi is asking for? asking of the tech community? >> that when we present an order signed by an independent neutral judge that they're able to comply with that order and provide us with the information we're seeking in readable form. >> case. and also to ms. hess, is the fbi asking apple and possibly other companies to create a back door that would then potentially weaken encryption? >> i don't believe the fbi or law enforcement in general should be in the position of dictating to companies what the
11:34 am
solution is. they have built those systems, they know their device and systems better than we do and how they might be able to build some type of the most secure systems available or the most secure devices available and be able to comply with orders. >> do you believe that that type of assistance that you're requesting from tech companies would lead to any unintended consequences such as a weakened order of encryption? >> i believe it's best for the tech companies to answer that question. because as they build these solutions to be able to answer these orders, they would know what those vulnerabilities are or potentially could be. >> thank you. another potential unintended consequence of u.s. law enforcement gaining special access may be the message that is sent to -- they're sending to other nations. other countries that seek to stifle dissent may ask for tools
11:35 am
as well. if countries demand a work around. apple and other companies can legitimately argue they do not have it. how would you respond to the argument that helping tech companies help subvert their own encryption establishes precedents from people around the world to protect them from despotic regimes? first in the international community -- we've had a number of conversations with our partners nationally, this inters a problem throughout the work. there are international implications to any solutions that might be developed. what we seek is a lawful order with the system we've set up in this country to be able to go to a magistrate or judge to get a warrant to say that we believe we have probable cause to
11:36 am
believe that someone or some entity is committing a crime. i believe that if other countries had such a way of doing business that that would probably be a good thing for all of us. >> chief or captain, do you have anything to add by what w? >> i saw stories that said apple provided an ios code to china. i don't know if that's true or not. i tried to find an example of apple answering a under oath and i did not find that. the source code of the operating system would be the first thing that would be needed to hack into an iphone. and i know that they have not provided a source code to u.s. law enforcement. >> thank you. thank you. my time is exhausted, so -- >> thank you, mr. hudson you're
11:37 am
recognized for five minutes. >> thank you, chairman. thank you to the panel today. as our lives become more of the technical universe, the need for strong security becomes more important. i naturally suggest a massive increase in our digital footprint and the amount of information that's available on the internet. is there more creative ways to conduct investigations? we talked about metadata but other options we haven't discussed yet? >> i do believe we should make every use of the tools that we've been authorized by congress, the american people to use. and if that pertains to metadata or other types of information we might be able to get from new technologies we
11:38 am
should take advantage of that in order to accomplish our mission. at the same time, clearly, these things present challenges to us as well as previously articulated. >> have you and others in law enforcement engaged with the technology community or others to explore these types of opportunities or look at potential ways to do this going forward? >> yes, sir. we're in daily contact with industry and with academia in order to try to come up with solutions in order to try to come up with ways we might be able to get evidence in our investigations. >> and what have you learned from those conversations? >> clearly, technology changes on a very very rapid pace. and sometimes the providers or the people who build those technologies may not have built in or thought to build in a law enforcement solution. a solution so they can readily provide us with that information, even if they want to. in other cases perhaps it's the way they do business that they may not want to provide that
11:39 am
information or may not be set up to do that. either because of resources or just because of the proprietary way their systems are created. >> i see. the other members of the panel, do you have any opinion on this? >> i would just say that as technology advances, it does create a lot of new tools for law enforcement to complete investigations. however, as those advances as we start using them, we see them shrinking away. you know, for -- with encryption especially blocking things that we recently were able to obtain. >> got you. you don't -- okay. to all of you, i recently read about the ceo of msab, a technology company in the detroit news article. said there's a way for government to access data stored on our phones without building a back door to encryption. his solution is to build a two part decryption system with both the government and the
11:40 am
manufacturer possess a unique key and only with both keys as well as the device in hand could you access the encrypted data on the device. i'm not an expert on decryption. i ask, is such a solution achievable. secondly, have there been discussions between you and the tech community regarding a proposal like this or something similar that would allow safe access to the data without giving a key so to speak to one entity? >> to answer your question, that paradigm would work. that's very similar to the paradigm of the safety deposit box in a bank where you have two different keys. it would require the cooperation of industry. >> anything to add? >> what i was going to say. >> okay. we'll get a chance to hear from industry in our next panel. i was trying to explain this to my staffers, i said did you see the new star wars movie.
11:41 am
you got to put them together. oh, i get it now. anyway, i think it's important that law enforcement and technology work together. continuing to have the discussions. i want to thank the chairman for giving us the opportunity to do that. i thank you for being here. >> gentleman yields back. recognize ms. blackburn for five minutes. >> thank you, mr. chairman. and thank you to the witnesses. i am so appreciative of your time. and i'm appreciative of the work product that our committee has put into this. mr. welch and i with some of the members that are on the dais have served on data security task force. for the committee looking at how we construct legislation and looking what we ought to do. when it comes to the issues of privacy and data security and
11:42 am
going back to the law and the intent of the law. i mean, congress authorized wire taps in 1934. and then in '67 you come along and there is the language you've got katz versus the u.s. that citizens have a reasonable expectation of privacy. and we know that for you in law enforcement you come upon that with this new technology. and that sometimes it seems there is the fight between technology and law enforcement. and the balance that's necessary between that reasonable expectation and looking at the ability of your ability to do your job. which is to keep citizens safe. so i thank you for the work that
11:43 am
you are doing in this realm. and considering all of that, i'd like to hear from each of you -- ms. hess we'll start with you and work down the panel. do you think that at this point there is an adversarial relationship between the private sector and law enforcement? and if you advise us, what should be our framework, and what should be the penalties that are put in place that will help you to get these criminals out of the virtual space? and help our citizens know that their virtual you, their presence online is going to be protected, but that you are going to have the ability to help keep them safe? kind of a loaded question. we've got two minutes and 36 seconds. it's all yours and we will move down the line. >> yes, ma'am. as far as whether there's an adversarial relationship, my response is i hope not.
11:44 am
certainly from our perspective and the fbi, we want to work with industry. we want to work with academia. we do believe that we have the same values. we share the same values in this country that we want our citizens to be protected. we also very much value our privacy. and we all do. i think as you noted for over 200 years, this country has balanced privacy and security. these are not binary things. it shouldn't be one or the other. it should be both working cooperatively together. how do we do that. i don't think that's for the fbi to decide nor do i think it's for tech companies to decide. >> it will be for congress to decide. >> it's not an adversarial relationship either. there's so many things we have to work with. all the big tech companies, twitter, google, facebook on threats that are coming in. they are cooperative and we work with them in certain areas. this is a new area we're going
11:45 am
into. but right now i will say it's not adversarial. they're cooperative. >> as you mentioned, some of the statutes that authorize wire tap lawful interception, authorized a collection of evidence, they have not been updated recently. as technology evolves some of the statutes have not evolved to keep up. we lack the technical ability at this point to properly execute the laws that congress has passed because the technology has by-passed the law. >> okay. we would appreciate hearing from you as we look at these updates. the physical space statutes are there. but we need that application to the virtual space. and this is where it would be helpful to hear from you. what is that framework? what are those penalties? what enables you to best enforce? and so if you could submit to
11:46 am
us -- i'm running out of time. submit to us your thoughts on that. it would be helpful and we would appreciate it. mr. chairman i yield back. >> now recognize mr. cramer for five minutes. >> thank you mr. chairman. i thank all of you. it's refreshing to participate in a hearing where people asking the questions don't know the answer until you give it to us. that's really cool. i want to hone in on the issue of breaking modern encryption by brute force as we call it. that's the ability to apply multiple pass codes and perhaps an unlimited number of pass codes until you break it. that's sort of trick. with the iphone specifically there's the issue of the data destruction feature. would removing the data destruction feature sort of be at least a partial solution to
11:47 am
the -- your side of the formula? in other words, you know, we're not creating the back door, but we are removing one of the tools. and i'm just open minded to it and looking for your out loud thoughts on that issue. >> yes, sir. if i may. certainly that is one potential solution that we do use and we should continue to use. to be able to guess the right password. is something that we employ in a wide variety and number of investigations. the problem and the challenge is that sometimes those pass code lengths may get longer and longer. they may involve alphanumeric characters. it could take years to solve that problem regardless of what resources we apply. we ask our investigators to help us be better guessers in order to come up with information or
11:48 am
intelligence to help us make a better guess. that's not always possible. >> ten tries and you're out data destruction feature that iphone utilized. that makes your job all the more difficult. would expanding that from 10-20 or unlimited, is there some -- i'm not looking for magic formula. it seems to me there could be some way to at least increase your chances. >> yes, sir, and that's one of the things that does quite clearly present to us a challenge. usually it takes us more than ten guesses before we get the right answer. if at all. and in addition to that, many companies have implemented services or types of procedures so that there is a time delay between guesses. so after five guesses for example you have to wait a minute or 15 minutes or a day in order to get between those pass codes. >> others? >> i don't think personally that the brute force solution would
11:49 am
provide a substantive solution to the problem as ms. hess mentioned. oftentimes the delay is built in, ios went from a four digit pin to a six digit pin. you're increasing the number of guesses to guess it right. if you were to legislate it would not wipe the data after a specific period of time you would have to write in that pass codes could only be a certain complexity and length. and that would degrade security. what's important to understand is we want security, we want hard encryption but we need a way to quickly be able to access that data because the investigations i work. oftentimes i'm running against the clock to try to identify a child victim and being able to brute force that in a matter of days or weeks or months is not fast enough. >> thanks for your testimony and all that you do. i yield back.
11:50 am
>> our tradition is to allow others outside the committee to comment. >> i committee, you're recognized for five minutes. >> i thank the witness for your service to the country. i heard one of you state in your opening testimony that congress is the correct forum to make decisions on data security. i agree with that. however, encryption and related issues are technical, complicated. most members of congress aren't experts in these areas. therefore, it's appropriate that congress authorize a panel of experts from relevant fields to review the issues and advise the congress. the legislation does exactly that. do each of you agree with that approach, the mccaul legislation? >> i believe we need to work with industry, academia and all parties to come up with the right solution, yes. >> you agree that's the right
11:51 am
approach, convene a panel of experts in cyber security, in privacy, and so on? >> i believe that construct, there are varying aspects of that construct, but, yes, that premise, i would agree with. >> okay. captain. >> sorry. i really couldn't comment because i haven't seen that bill. >> basically -- >> i agree with what she said, we need to work together, have a panel of experts and advise and work with congress. i do believe the answer is in congress. so i do agree with the principle. >> whatever paradigm helps members of congress feel they are properly balancing civil liberties and security versus ability for law enforcement to conduct investigations, whatever paradigm supports that i fully support. >> you've illuminated some of the information that has been available before in cell phones
11:52 am
but no longer is available because of encryption. i thank you for doing that. i was a little in the dark about that. what haven't we heard, though, about information that is now available but wasn't available in the past because of technology? >> i'm having problems thinking of an example that wasn't before. from my perspective, through investigations that information for, when you combined encryption issue with shorter and shorter retention keeping records, metadata, the process, find an example of an avenue available that wasn't before. >> sir, i would only say i've been in the police department for 3 years. technology opened up avenues for law enforcement. i do think there's a lot of
11:53 am
things we are able to obtain today that we couldn't 10 or 20 years ago. technology helped law enforcement. the encryption and the issue we're speaking on today is eliminating a lot of those gains we made. >> thank you. requiring back door access would drive customers to overseas suppliers. if so, we would gain nothing by requiring back door or exceptional access. do you agree or disagree with that? >> i disagree from the sense that i think many countries are having the same conversation, discussion, because law enforcement in those countries have the same challenges we do. this will continue to be a larger and larger issue. while it may temporarily drive certain people who may decide it's too much of a risk to be
11:54 am
able to do business here in this country, i don't think that's the majority. i think the majority of consumers want good products and those products are made here. >> thank you for calling out the quality of american products. i appreciate that, especially since my neighbor here and i represent the part of california where those products are developed. i think there's always going to be countries where products are available that would supersede whatever requirements we make. also back door access would alert bad actors that there's a weakness in our system and motivate them to try to find those weaknesses. do you agree with that or not? >> i don't believe there's anything such as 100 pure system. there will always be people who are trying to find and exploit those vulnerabilities. >> if we design weaknesses into the system and everybody knows about it, they are going to be
11:55 am
looking for those and those are designed weaknesses. i don't see how that could further security infrastructure and so on. i guess my time has expired, mr. chairman. >> thank you. chair recognizes congressman for five minutes. >> thank you. i appreciate it so much. miss hess, thank you for participating today this much needed hearing. appreciate the entire panel. we're certainly at a crossroads of technology and the law and having the fbi perspective is imperative in my opinion. i have a question about timing. the recent debate has been revised as technology companies are using strong encryption. you describe the problem as growing. what will a hearing like this look like a year from now, two years
11:56 am
from now? what do you see as the next evolutionary step in the debate so we can attempt to get ahead of it. as processors become faster, will the ability to encrypt keep increasing? >> yes, sir. my reaction to that is if things don't change, this hearing a year from now, we would be sitting here giving you examples how we would solve cases or find predators or rescue victims in increasing numbers. that would be the challenge for us, how can we keep that from happening and how might we be able to come up with solutions working cooperatively together. >> thank you. again, the next question is for the entire panel, please. what have been some successful collaboration lessons between law enforcement and software or hardware manufacturers dealing with encryption.
11:57 am
are there any building blocks or success stories we can build upon or have recent advancements in strong encryption making any previous success obsolete for the entire panel. who would like to go first, miss hess? >> yes, sir. i apologize. could i ask you -- i'm not 100% clear on that question. >> let me repeat it. for the entire panel again. what have been some successful collaboration lessons between law enforcement and software or hardware manufacturers dealing with encryption. that's the first question. there are any building blocks or success stories we can build upon or have the recent advancements in strong encryption made any previous success obsolete. >> yes, certainly deal with industry on a daily basis. come up with secure ways to provide us with that information and still be responsive to our
11:58 am
request and our orders. i think building on our successes from the past, clearly there are certain companies, for example, as has been already stated here today that fell under calea. those covered providers have built ways to respond to appropriate orders and that's provided us with a path so they know when they build those systems what exactly we're looking for and how we need to receive that information. >> sir? >> i'm sorry, sir. i really couldn't comment on that. that's not an area of expertise for me. >> i agree with what miss hess said. there are companies that worked with law enforcement to provide a legal solution and did that voluntarily, technological solution, provide a legal solution such as we can access data. >> thank you. >> building on those collaborations and having other industry members follow in that
11:59 am
path would be a great help. >> thank you. next question for the panel. what percentage of all cases jeopardized due to suspect having encrypted device, cell phone, laptop, desktop or something else. i recognize some cases such as pornography, it may be 100% impossible to charge someone without decrypting their storage device. what about other cases where physical evidence or other evidence might be available. does metadata fill in the gap? for the entire panel, let's start with miss hess, please. >> yes, sir. we are increasingly seeing the issue currently and just the first six months of this fiscal year starting from last october. we're seeing in the fbi the number of cell phones we have seized as evidence. we're encountering passwords about 30% of the time. we have no capability around 13%
12:00 pm
of that time. we've seen those numbers continue to increase. clearly that presents us with a challenge. >> thank you. >> sir, i'll give you some numbers. we have approximately 102 devices we couldn't get in. these are 67 of them being apple devices. if i just look at 67 apple devices, 10 related to homicide, two to rape, one to criminal sex acts and two related to members of the police department who were shot. we are seeing an increase as we go forward of phones, not getting information on the phones. one thing i will say, it doesn't always prevent us from making an arrest. however, it doesn't present all the evidence available for the prosecution. >> and to expand on what the chief said. that can be exculpatory evidence we don't have access to. the sad part is when our forensic examiners get called, we ask a
12:01 pm
series of questions of investigator, is there an iphone, which model? we're told a model 5s or newer, 164 operating system, encrypted. we don't even take that into evidence anymore because we know there's no technical solution. the problem is we never know what we don't know. we don't know what evidence we're missing. whether that is, again, on a suspect's phone or victim's phone where the victim is not capable of giving us that pass code. >> thank you very much. i appreciate it, mr. chairman. i yield back the time. >> i think we have one last question for the first panel. that's gentlelady from california. >> thank you for extending that legislative encouragement to be here and join in on this hearing because i'm not a member of the subcommittee. the rules of the committee allow us to, and i appreciate your courtesy.
12:02 pm
i first want to go to captain cohen. i first heard you say apple disclosed its source code to the chinese government. i believe that you said that. that's a huge allegation for nypd to base on some news stories. can you confirm this? >> yes, ma'am. i'm with indiana state police, not nypd. >> i'm sorry. >> what i said in my testimony, i have found several news stories but i was unable to find anything to either confirm or deny -- >> did you say that? i didn't hear all of your presentation around that allegation. but i think it's very important for the record that we set this straight. that takes my breath away. that's a huge allegation.
12:03 pm
so thank you. to miss hess. the san bernardino case is really illustrative for many reasons. one of the more striking aspects to me is the way in which fbi approached the issue to gaining access to that now infamous iphone. we know the fbi went to court for-of- to force a private company to for the government. i think that's breathtaking. it takes my breath away to try and digest that. then to use that information whenever and however it wishes. some disagree, some agree, but i think that this is a worthy and very, very important discussion. this came about after the
12:04 pm
government missed a key opportunity to back up and potentially recover information from the device by resetting the icloud password in the days following the shooting. the congress has appropriated just shy of $9 billion, with a b, dollars for the fbi. now, out of that $9 billion and how those dollars are spread across the agency, how is it that the fbi didn't know what to do? >> yes, ma'am. >> how can that be? >> in the aftermath of san bernardino, we were looking for any way to identify whether or not -- >> did you ask apple -- did you call apple right away and say, we have this in our possession. this is what we need to get. how do we do it, because we
12:05 pm
don't know how? >> we did have discussions with apple. >> when? after it was essentially destroyed because more than 10 attempts were made relative to the pass code. >> i'm not sure. i'll have to take that as a question for the record. >> i'd like to know, miss hess, your response to this. i served for almost a decade on the house intelligence committee. during my tenure, michael hayden was the cia director. now he's the former director of cia. he has said america is safer with unbreakable end to end encryption. tell me what your response is to that. >> my response -- >> i think cyber crime, excuse me, is embedded in this whole issue but i'd like to hear your
12:06 pm
response to the former director of the cia. >> yes, ma'am. from what i have read and heard from what he has said, he certainly, i believe, emphasizes and captures what was occurring at the time that he was in charge of those agencies. >> has his thinking stopped from the time he was cia director to being former, and he doesn't understand encryption any longer? what are you suggesting? >> technology proceeds at such a rapid pace, one must be constantly in that business in order to keep up with the iterations. >> let me ask you about this. once criminals know that american encryption products are open to government surveillance, what's going to stop them from using encrypted products and applications that fall outside of the jurisdiction of american law enforcement? i've heard you repeat over and
12:07 pm
over again we're talking to people in europe, we're talking. i don't know. is there a body that you're working through? has this been formalized? because if this stops at our border but doesn't include others, this is a big problem for the united states of america, law enforcement, and american products. >> the gentlelady's time has expired. >> can she respond. >> working with international committee. >> how? is there some kind of international body you're working through? >> thank you. >> can she answer that? >> do you want to finish your remark? >> there's no one specific organization that we work through. there are a number of organizations we work through to that extent. >> thank you, mr. chairman. >> mr. chairman, i'd ask unanimous consent all of the members of the committee, as
12:08 pm
well as the members of the full committee who have been asked to sit in be allowed to supplement their verbal answers with written answers of the witnesses. >> approved. >> without any members seeking to be recognized for questions i'd like to thank the witnesses for their testimony today. now i'd like to call the witnesses for our second panel to the table. thank you again.
12:09 pm
12:10 pm
okay. start the second panel, i'd like to introduce the witnesses of our second panel for today's hearing starting with mr. bruce sewell will lead off the second panel. mr. sewell is apple's general counsel and senior vice president of legal and global security. he serves on the executive board and oversees all matters including corporate governance and privacy. we thank you for being with us today and look forward to comments. also like to welcome the president of american security company. as president, responsible for developing rsa's strategic vision and operation across the business. thank you for appearing before us today and we appreciate the testimony. next, we welcome dr. matthew
12:11 pm
blaze, the associate professor of computer and information science at the university of pennsylvania. dr. blaze is a researcher in the area of secure systems, cryptology, he's been at the forefront over a decade and appreciate his being here and offering testimony on this very important issue. finally i'd like to introduce dr. daniel weitzner, who is director and principal research scientist at computer science and artificial intelligence laboratory, decentralized information group at the massachusetts institute of technology. mr. weitzner previously served as united states technological officer for internet policy in the white house. we thank him for being with us today and look forward to learning from his expertise. i want to thank all of our witnesses for being here and look forward to the discussion. as we begin, you're aware this committee is holding an investigative hearing. when doing so has had the
12:12 pm
practice of taking testimony under oath. do any of you have objection to testifying under oath? seeing none, the chair advises you under the rules of the house and rules of the committee you're entitled to be advised by counsel. do any of you desire to be represented or advised by counsel during your testimony today. seeing none, in that case full rise and raise your right hand, i will swear you in. do you swear that the testimony you're about to give is the truth, the whole truth, and nothing but the truth? thank you. you're now under oath and subject to penalties in title 18-1001 of the code. you now have a five-minute summary -- each of you may give a five-minute summary of your written statement starting with mr. sewell.
12:13 pm
>> thank you chairman murphy and members of the subcommittee. it's my pleasure to appear before you today on behalf of apple. we appreciate your invitation and opportunity to be part of this discussion on encryption. hundreds of millions of people trust apple products with the most intimate details of their daily lives. some of you may have a smartphone in your pocket right now. if you think about it, there's probably more information stored on the phone than a thief could get breaking into your home. it's not just a home. it's a photo album, a wallet, it's how you communicate with your doctor, your partner and your kids. it's also the command central for your car and your home. many people also use their smartphone to authenticate and gain access to other networks, businesses, financial systems and critical infrastructure. we feel a great sense of responsibility to protect that
12:14 pm
information and that access. for all of these reasons, our digital devices, indeed, our entire digital lives are increasingly and persistently under attack by attackers. their attacks grow more every day, the quest fuels multi-billion dollar covert world of thieves, hackers and crooks. we're all aware of some of the recent large scale attacks. hundreds of thousands of social security numbers were stolen from irs. u.s. office of personnel management has said as many as 21 million records were compromised and as many as 78 million people were affected by an attack on anthem's health insurance records. the best way we and technology industry know how to protect your information is through the use of strong encryption. strong encryption is a good thing. it is a necessary thing. the government agrees, encryption is the backbone of cyber security infrastructure
12:15 pm
and provides the very best defense we have against increasingly hostile attacks. the united states has spent tens of millions of dollars through the open technology fund and other programs to fund strong encryption. the administration's review group on intelligence and communications technology urged the u.s. government to fully support and not in any way subvert, undermine or weaken generally available encryption software. at apple with every release of software we advance safety and security features in our products. we work hard also to assist law enforcement because we share their goal of creating a better world. i manage a team of dedicated professionals on call 24 hours a day, 365 days a year. not a day goes by where someone on my team is not working with law enforcement. we know from our interaction with law enforcement officials the information we're providing is extremely useful helping to
12:16 pm
solve crimes. keep in mind people subject to law enforcement inquiries represent far less than one-tenth of 1% of our hundreds of millions of users. but all of those users, 100% of them, would be made more vulnerable if we were forced to build a back door. as you've heard from our colleagues in law enforcement, they have the perception that encryption walls off information from them. but technologists and national security experts don't see the world that way. we see a data rich world that seems to be full of information, information that law enforcement can use to solve and prevent crimes. this difference in perspective, this is where we should be focused. to suggest american people is to choose between privacy and security is a false choice. the issue is not about privacy at the expense of security it's about safety and security. we feel strongly americans will be better off if we can offer
12:17 pm
protections for their digital lives. mr. chairman, that's where i was going to conclude my comments but i think i owe it to this committee to add one additional thought. and i want to be very clear on this. we have not provided source code to the chinese government. we did not have a key 19 months ago that we threw away. we have not announced we're going to apply pass code encryption to the next generation icloud. i just want to be very clear on that because we heard three allegations. those allegations have no merit. thank you. >> thank you. we turn to the second panelist. >> chairman murphy, ranking member and members of the committee, thank you for the opportunity to testify. i applaud the committee's effort to better understand all aspects of this debate. my name is amit yoran.
12:18 pm
i'd like to thank my mom for coming to hear my testimony today. in case things go sideways, i assure you she's much tougher than she looks. i've spent over 20 years in the cyber security field. in my current role i strive to ensure we provide industry leading cyber security solutions. we have been a security leader more than 30 years. more than 30,000 global customers we serve represent every sector of our economy. fundamental to rsa's understanding at hand is a basis for cyber security technology. our cyber security products are found in government agencies, banks, utilities, retailers as well as hospitals and schools. at our core, we at rsa believe in power of technology to fundamentally transform business and society for the better. and the pervasiveness of our technology hopes to protect
12:19 pm
everyone. let me take a moment to say we deeply appreciate the work of law enforcement and national security community to protect our nation. i commend law enforcement who has dedicated their life to serving justice. partnered with law enforcement agencies to advance and protect our nation and the rule of law. where lawful court orders mandate or moral alignment encourages it many tech companies have a regular, ongoing and cooperative relationship with law enforcement in the u.s. and abroad. simply put, it is in all of our best interest for the laws to be enforced. i have four points i'd like to present today, all of which i've extrapolated on in my written testimony. first, this is no place for extreme positions or rush decisions. the line connecting privacy and security is as delicate to national security as it is to our prosperity as a nation. i encourage you to continue to evaluate the issue and not rush to a solution. second, law enforcement has access to a lot of valuable
12:20 pm
information they need to do their job. i would encourage you to ensure that the fbi and law enforcement agencies have the resources and are prioritizing the tools and technical expertise required to keep up with the evolution of technology and meet their important mission. third, strong encryption is foundational to good cyber security. if we lower the bar there, we expose ourselves further to those that would do us harm. as you know, recent terrorist attacks have reinvigorated calls for exceptional access mechanisms. this is a call to create back door to allow law enforcement access to all encrypted information. exceptional access increases complexity and introduces new vulnerabilities. it undermines integrity of internet infrastructure and introduces more risk, not less, to our national interest. creating a back door to encryption means creating opportunity for more people with nefarious intentions to harm us.
12:21 pm
sophisticated adversaries and criminals would not knowingly use methods they know law enforcement could access, particularly when foreign encryption is readily available. therefore, any perceived gains to our security from exceptional access are greatly overestimated. fourth, this is a basic principle of economics with very serious consequences. our standard of living depends on the goods and services we can produce. if we can require exceptional access from companies that would make us less secure, the market will go elsewhere. worse than that, it would weaken our power, utilities, infrastructure, manufacturing, health care, defense, and if anything systems. weakening encryption would significantly weaken our nation. simply put, exceptional access does more harm than good. this is the seemingly unanimous opinion of the entire tech
12:22 pm
industry, academia, national security industry as well as all industries that rely on encryption and secure products. in closing, i'd like to thank all the members of the community for their dedication understanding this complex issue. >> thank you. dr. blaze. >> thank you, mr. chairman and members of the committee for the opportunity to testify before you today. the encryption issue, which you know i've been involved with for over two decades now has been characterized as a question of whether we can build systems that keep the good guys -- a lot of the good guys in but keep the bad guys out. much of the debate focused on questions of whether we can trust the government with keys for data. but before we can ask that
12:23 pm
question, and that's a legitimate political question that the political process is well equipped to answer, there's an underlying technical question of whether we can trust the technology to actually give us a system that does that. and unfortunately, we simply don't know how to do that safely and securely at any scale and in general across the wide range of systems that exist today and that we depend on. it would be wonderful if we could. it would solve -- if we could build systems with that kind of assurance, it would solve so many of the problems in computer security and in general computer systems that have been with us since really the very beginning of software-based systems. but unfortunately many of the problems are deeply fundamental.
12:24 pm
the state of computer and network security today can really only be characterized as a national crisis. we hear about large scale data breaches, compromises of personal information, financial information, and national security information literally on a daily basis today. and as systems become more interconnected and become more relied upon for the function of the fabric of our society and for our critical infrastructure, the frequency of these breaches and their consequences have been increasing. if computer science had a good solution for making large scale robust software, we would be
12:25 pm
deploying it with enormous enthusiasm today. it is really at the core of fundamental problems we have. we are fighting a battle against complexity and scale that we are barely able to keep up with. i wish my field had simpler and better solutions to offer, but it simply does not. we have only two good tools, tried and true tools, that work for building reliable robust systems. one of those is to build the systems to be as simple as possible, to have them include as few functions as possible, to decrease what we call the attack surface of these systems. unfortunately we want systems more complex and more integrated with other things and that becomes harder and harder to do. the second tool we have is cryptography, which allows us to trust fewer components of the
12:26 pm
system, rely on fewer components of the system, and manage the inevitable insecurity that we have. unfortunately proposals for exceptional access methods that have been advocated by law enforcement, and we heard advocated for by members of the previous panel, work against really the only two tools that we have for building more robust systems. we need all the help we can get to secure our national infrastructure across the board. there's overwhelming consensus in the technical community that these requirements are incompatible with good security engineering practice. i can refer you to a paper i collaborated on called keys under door mats that i referenced in my written testimony that i think describes the consensus of the technical community pretty well here.
12:27 pm
it's unfortunate that this debate has been so focused on this narrow and very potentially dangerous solution of mandates for back doors and exceptional access because it leaves unexplored potentially viable alternatives that may be quite fruitful for law enforcement going forward. one of -- there's no single magic bullet that will solve all of law enforcement problems here, or really anywhere in law enforcement, but a sustained and committed understanding of things like exploitation of data in the cloud, data available in the hands of third parties, targeted exploitation of devices such as miss hess described in her testimony will require significant resources but have the potential to address many of the problems law enforcement described. we owe it to them, and to all of
12:28 pm
us, to explore them as fully as we can. thank you very much. >> thank you vice chairman mckinley, chairman murphy and ranking member, thank you for having me. i think this hearing comes at a very important time in the debate about how to best accommodate the very real needs of law enforcement in the digital age. i want to say i don't think there's any sense in which law enforcement is exaggerating or overstating the challenges they face and i don't think they should be surprised they have big challenges. we think about introduction of computers in our society, workplace and homes. to be colloquial, it throws everyone for a loop for a while. our institutions take a while to adjust. we shouldn't expect this problem to be solved overnight. i do think that's happening at this point in the debate, as some of the previous witnesses said, we are, i think, seeing a growing consensus that introducing mandatory
12:29 pm
infrastructure-wide back doors is not the right approach. i'm going to talk about some ways we can move forward. i'm going to why i think it is. it comes back to safe-deposit box analogy we heard. we all do think it's reasonable banks should have a second key to our safe-deposit boxes and maybe you should have drills to drill through the locks in case you can't find one of the keys. the problem here is we're all using the same safe, every single one of us. so if we make those safe-deposit boxes too easy to drill into or someone gets ahold of the key, then everyone is at risk, not just couple thousand customers who happen to be at one bank. that's why we see political leaders around the world rejecting the idea of mandatory back doors. recently secretary of defense ash carter said, i'm not a believer in back doors or single technical approach. i don't think it's realistic he said. robert hannigan, director of uk
12:30 pm
said in a talk he delivered at mit that mandatory back doors are not the solution. epps encryption should not be weakened, let alone banned. neither is it true nothing can be done without weakening encryption. he said i'm not in favor of weakening encryption or mandatory back doors. vice president of european commission, who was the former prime minister of estonia and famous for digitizing almost the entire country and the government, said if people know there are back doors, how could people, for example, who vote online trust the results of the election if they know their government has a key to break into the system. two very quick steps that i think we should avoid going forward, and then a few suggestion about how to approach this challenge that you face. number one, i think you've heard us all say we have to avoid introducing new vulnerabilities into an already quite vulnerable
12:31 pm
information infrastructure. it would be nice if we could choose only the bad guys got weak encryption and the rest of us got strong encryption but i think we understand that's not possible. you've also heard references to calea, a piece of legislation in this commission, extending calea to apply to internet companies. if you look closely at calea, it shows just how hard it will be to solve the problem in one size all solution. calea, a few telecommunication companies that had the same product, regulated in then stable way by federal communications industry. internet, platform, mobile apps, device industry is incredibly diverse, global industry. there's no single regulatory agency that governs those services and products. that's very much by design, and so i think trying to impose a top down regulatory solution on
12:32 pm
this whole complex of industries in order to solve this problem simply won't work. what can we do going forward? number one, i think that in the effort of the encryption working group this committee and judiciary committee set up, i think it's very important to look closely at the specific situations law enforcement faces, at the specific court orders they have been issued which have been successfully satisfied, which haven't, which introduce system wide vulnerabilities if followed through and which could be pursued without systemwide risk. i think there's a lot to be learned about best practices both of law enforcement and technology companies. there are probably some law enforcement agencies and technology companies that could up their game a little bit if they had a better sense of how to approach this issue. i also think it's awfully important that we make sure to preserve public trust in this environment, in this internet environment. i think we understand in the last five years that there's
12:33 pm
been significant concern from the public about the powers both of government and private sector organizations. i think it's a great step that the house judiciary committee moving forward and amendments electronic communications privacy act that will protect data in the cloud. i think we can do more of that and ensure public data is protected both in the context of government surveillance and private sector use that will be able to move forward with this issue more constructively. thanks very much and i'm looking forward to the discussion. >> thank you very much for your testimony and for the whole panel, if i might recognize myself for the first five minutes with some questions. mr. sewell, you made quite a point that you have not provided the source codes to china. that was interesting. it had come up in the earlier panel on that. were you ever asked to provide by anyone? >> by the chinese government or
12:34 pm
anyone? >> yes. >> we have been asked by the chinese government, we refused. >> how recent were you asked? >> within the past two years. >> okay. >> mr. yoran, i've got a couple questions for you. first i was a little taken back, you said don't rush on this solution, whatever that might be. as i said earlier, this has been 5 1/2 years i've been hearing everyone talk about it and they are not getting anything done. i think we're waiting. i don't know what we're waiting for. there's got to be a solution. i'm one of three licensed engineers in congress. by now we would have the solution if there were more engineers and less attorneys here, perhaps. i might, your question, i understand your company was founded by original creators of critical algorithm and public cryptography. needless to say encryption is your company's dna. if anyone understands the importance of protecting
12:35 pm
encryption keys, it's your company. yet apparently several years ago someone stole your seed keys. as i understand, these are the keys that generate keys, that are used for remote access, much like those used by members and their staff. if a company like yours, as sophisticated as it is and all the security you have can lose control of encryption keys, how can we have confidence in others, especially smaller companies, the ability to do the same. >> mr. chairman, i think you bring up two great points. the first statement i would make is that i'd like to highlight the fact a tremendous amount of cooperation happens currently between law enforcement and the tech community. so the characterization we've made no progress over the last five years understates the level of effort put forth by the tech community to reapply to and support the efforts of law enforcement.
12:36 pm
i think what's occurring is -- and i won't call it a line in the sand, but i think the current requests of law enforcement have now gotten to the point where they are requesting a mandate that our product be less secure and will have a tremendous and profound negative impact on our society and public safety as has already been made the point earlier. the second point regarding -- that highlights the very critical role encryption plays in the entire cyber security puzzle. the fact that sophisticated threat actors, nation, state or cyber criminals are going to target the supply chain and where strong encryption and strong cyber security capabilities come from. we're dealing with incredibly sophisticated adversary and one that would put forth a
12:37 pm
tremendous effort to find back doors if they were embedded in our security systems. it highlights the value of encryption to society in general. i think it also highlights importance of transparency around cyber breaches and cyber security issues. >> thank you. in the first testimony, first panel, stay with you, mr. yoran, talked about security of our infrastructure. and i think the response was along the line that that's not -- it's not an encryption problem, it's a firewall problem. i'm not sure that the american public understands the difference between that. so i'm going to go back. how comfortable should we be, can we be, we have proper protection on security from firms like yours that our energy, our transportation system, particularly our grid,
12:38 pm
as i said, we've been -- we're subject to it. we know we've already been attacked once. so what more should we be doing? >> mr. chairman, i think the point made by the response provided by earlier panelist was wrong. i think encryption plays an incredibly important role protecting critical infrastructure. it is not -- this is a firewall solution or encryption solution, most organizations that truly understand cyber security have a diverse set of products, applications, and many layers of defenses, knowing that adversaries are going to get in through firewalls. not only adversaries but important openings are created in firewalls so that the appropriate parties can communicate through them as well. those paths are frequently leveraged by adversaries to do nefarious things. >> are you acknowledging we still are very vulnerable to
12:39 pm
someone with the electric grid? >> i believe we're vulnerable in any infrastructure that leverage technology. how much of it is the entire grid, how much is localized, i certainly believe utilities are exposed. >> let me in closing to all four of you, if you've got suggestion how we might address this, i'm hearing time and time in the district with our grid system, i'd sure like to hear back from you what we might do. with that yield the next question from the ranking member from colorado. >> thank you so much. following up on the last question, i'd like to stipulate that i believe, as most members of the panel believe, strong encryption is critical to national security and everything else. as i said in my opening statement, i also recognize we need to try to give law
12:40 pm
enforcement the ability to apprehend criminals when criminals are utilizing this technology to be able to commit their crimes and cover up after the crimes. first of all, mr. sewell, i believe you testified that your company works with law enforcement now. is that correct? >> that is correct. >> thanks. and i think you would also acknowledge that while encryption really does provide benefit both for consumers and for society for security and privacy, we also need to address this thorny issue about how we deal with criminals and terrorists who are using encrypted devices and technologies. is that correct? >> i think this is a very real problem. let me start by saying the conversation we're engaged in now has become something of a conflict, apple versus the fbi.
12:41 pm
>> right. >> just the wrong -- >> you don't agree with that, i would hope. >> absolutely not. >> mr. yoran you don't agree with that, that it's technology versus law enforcement, do you? yes or no will work. >> no, i don't agree. >> i'm assuming you dr. blaze. >> no. >> and you? that's good. here is another question, then. i asked the last panel that. do you think it's a good idea for the fbi and other law enforcement agencies to have to go to third party hackers to get access to data for which they have court orders to get. >> i don't think that's a good idea. >> do you think so, mr. yoran? >> no, ma'am. >> dr. blaze? >> no. if i could just clarify the fact that the fbi had to go to a third party indicates that the fbi either had or devoted insufficient resources to
12:42 pm
finding a solution. >> right. i'm going to get to that in a second. so it's just really not a good model. so here is my question. mr. yoran, do you think the government should enhance its own capabilities to penetrate encrypted systems and pursue workarounds when legally entitled to information that cannot obtain either from the users directly or service providers. do you think they should develop that? >> yes, ma'am. >> do you think they have the ability to develop that? >> yes, ma'am. >> professor, do you think they have the ability to develop that? >> it requires enormous resource. they probably with the resource they currently have, i think it's likely they don't have the ability? >> what congress has, we may not be internet experts but we have resources. >> i think this is a soluble problem. >> mr. weitzner? >> i think they certainly should have the resources.
12:43 pm
i think really the key question is whether they have the personnel and i think it will take some time to build up a set of -- >> i understand it will take time but do you think they can develop resources. >> thank you. okay. so mr. yoran i want to ask you another question. do you think that all of us supporting the development of increased capability within the government can be reasonable path forward as opposed to relying on technologies or companies with new systems. do you think that's a better source? >> yes, ma'am. >> i guess mr. sewell you agree with that, too. >> more time, money, resources on the fbi training -- >> would apple be willing to help them with those capabilities? >> we actively do help them. >> so your answer would be yes. >> participate in training. >> helping them develop those new capabilities.
12:44 pm
>> what we can do is help them understand our ecosystem. that's what we do on a daily basis. >> i'm not trying to trick you. >> i'm responding. your answer would be yes, you're willing to help us with law enforcement and congress to solve this problem. is that correct, mr. sewell? >> i want to solve the problem like everyone else. >> are you willing to work with law enforcement and congress to do it, yes or no? >> congresswoman, we work with them every day. of course we are. >> yes or no will work. thank you. >> mr. yoran? >> yes. >> mr. blaze? >> yes. >> thank you so much. mr. chairman. >> thank you. now recognize mr. griffith from virginia. >> i appreciate that. just a small college history major who then went into law. as a part of that, mr. sewell, i
12:45 pm
would have to ask, would you agree with me that it took in the history of mankind took us thousands of years to come up with civil liberties and perhaps 5 1/2 years isn't such a long time to try to find a solution to this current issue? and likewise, it was -- the answer was in the affirmative for those who may not have heard that. >> yes. >> and it was lawyers who actually created the concept of individual liberty and one that our country has been proud to be the leader in the world in promoting. would that also be true. >> that's very true, yes. >> that being said, i was pleased to hear answers to miss dagett to solve this. there is no easy answer. i like the safe-deposit box analogy. thanks for ruining that for me, in your analysis. i would ask mr. sewell if there isn't some way -- and again, i can't do what you all do.
12:46 pm
so i have to simplify it to my terms. is there some way we can create the vault that the banks have with the safety deposit box in it. once you're inside of there, if you want that security, because not everybody has a safety deposit box, but if you want that security, then there's a system of dual but separate keys with companies like yours or others holding one of the two keys and the individual holding the other key and having the ability to, with a proper search warrant, have law enforcement be able to get in? i'm trying to break it down into a concept i can understand, where i can then apply what we have determined over the course of the last several hundred years is the appropriate way to get information. it's difficult in this electronic age. >> it is very difficult, congressman, i agree. we haven't figured out a way that we can create an access
12:47 pm
point and then create a set of locks that are reliable to protect access through that access point. that's what we struggle with. we can create an access point and we can create locks, but the problem is the keys to that lock will ultimately be available somewhere. if they are available anywhere, they can be accessed by both good guys and bad guys. >> you would agree with mr. weitzner's position or his analysis, which i thought was accurate, the problem is we're not giving a key and a drill to one safety deposit box, it's everybody in the bank who suddenly would have their information open. i saw that you wanted to make a comment, mr. weitzner. >> i just want to -- since this analogy seems to be working, you know, we don't put much stuff in our safe-deposit boxes, right? i don't have one, to be honest. i think that there's this core concern back to your civil
12:48 pm
liberties framework somehow we have a warrant-free zone that's going to take over the world. i think that if you follow the safety deposit box analogy, what we know is that the information that's important to law enforcement exists in many places. i don't question that there will be some times when law enforcement can't get some piece of information it wants. i think what you're hearing from a number of us and from the technical community is that this information is very widely distributed. much of it is accessible in one way or the other or inferable from information by third parties. the path to try to understand how to exploit that to the best extent possible in investigations so that we're not all focused on the hardest part of the problem. the hardest part is what do you do if you have very strongly encrypted data, can you ever get
12:49 pm
it. it may not be the best place to look all the time because it may not always be available. >> historically you're never able to get ahold of everything. dr. blaze, you wanted to weigh in. >> i want to caution the split key design, as attractive as it sounds was also at the core of the nsa designed clipper chip, which was where we started over two decades ago. >> i appreciate that. mr. yoran, i've got to tell you, i did think your testimony and written testimony in particular was enlightening in regard to the fact if we do shut down the u.s. companies, then there may even be safe havens created by those countries not our friends and specifically our enemies. unfortunately i wanted to ask a series of questions on that and i see my time is expired and i'm required to yield back, mr. chairman. >> welcome looking at other panel members, we have miss
12:50 pm
brook from indiana. your five minutes. >> thank you, mr. chairman. i'd like to start out with a comment that was made in the first panel. i guess this is to mr. sewell, whether or not you can share with to use encryption in the cloud? >> we have made no such announcement. i'm not sure where that statement came from, but we made no such announcement. >> i understand you made no such announcement, but is that being explored? >> i think it would be irresponsible for me to tell you we're not even looking at that, but we have made no announcement, no decision has been made. >> and are these discussions helping inform apple's decisions? and is apple communicating with any law enforcement about that possibility? >> these discussions are enormously helpful. i would be glad to go further into that. i have learned some things today i didn't know before. so they're extremely important. we have considering, talking to people, we are being very mindful of the environment in which we're operating.
12:51 pm
>> and i have certainly seen and i know that apple and many companies have a whole set of policies and procedures on compliance with legal processes and so forth. and so i assume that you have regular conversations with policymakers of law enforcement, whether it's fbi or other agencies on these policy issues. is that correct? >> that's very correct. i interact with law enforcement at two very different levels. one is a very operational level. my team supports daily activities in response to lawful process. we work very closely on actual investigations. i can mention at least two where we have recently found children who have been abducted. we have been able to save lives working directly with our colleagues in law enforcement. at that level, we have a very good relationship. i think that gets lost in the debate sometimes. at the other side, i work at perhaps a different level. i work directly with my counterpart at the fbi. i work directly with the most
12:52 pm
senior people in the department of justice. and i work with senior people in local law enforcement on exactly these policy issues. >> i thank you and all the others for cooperating with law enforcement and working on these issues. but it seems as if most recently, there have not been enough of -- enough of the discussions, hence that's why we're having these hearings and why we need to continue to have these hearings. but i think that we have to continue to have the dialogue on the policy while continuing to work on the actual cases and recognize that obviously technology companies have been tremendously helpful, and we need them to be tremendously helpful in solving crimes and preventing future crimes. it's not just about solving crimes already perpetrated, but it's also, particularly with respect to terrorism, how do we insure we're keeping the country safe. i'm curious with respect to a couple questions with respect to legal hacking.
12:53 pm
and what -- and the types of costs that are associated with legal hacking, as well as the personnel needed. and since the newer designs of iphones prevent the bypassing of the built-in encryption, does apple actually believe that lawful hacking is an appropriate method for investigators to use to assess the evidence in investigations? >> so, i don't think we have a firm position on that. i think there are questions that would have to be answered with respect to what the outcome of that lawful hacking is, what happens to the product of that lawful hacking. so i don't have a formal corporate position on that. >> but, so then because that has been promoted, so to speak, as far as a way around this difficult issue, are you having those policy discussions about apple's view and the technology sector's view on lawful hacking? are those discussions happening with law enforcement? >> i think this is a very nascent area for us.
12:54 pm
but particularly, the question is what happens to the result? does it get disclosed, does it not get disclosed? that is an issue that has not been well explored. >> do you have an opinion on lawful hacking? >> not an opinion on lawful hacking in specific, but i would just point out that doing encryption properly is very, very hard. trying to keep information secret in the incredibly interconnected world we live in, is very, very hard. and i would suggest that it's getting harder, not easier. so the information, the data that law enforcement has access to is certainly much more than the metadata that they have had over the past several years. but now as applications go to the cloud, the cloud application providers need to access the data. so the sensitive information is not just on your iphone or other device. it's sitting in the cloud, and law enforcement has access there because it cannot be encrypted.
12:55 pm
it needs to be accessed by the cloud provider in order to do the sophisticated processing and provide the insight to the consumer that they're looking for. >> my time has expired. i have to yield back. >> thank you. and no other members of the subcommittee that are with us, we can then -- >> mr. chairman. >> i'm sorry. >> okay. you're on the subcommittee? >> no. >> we're going, none of the subcommittee so now we're going to members who have been given privileges to speak. i was advised to go to the other side. your five minutes. >> thank you, mr. chairman. first of all, to mr. yoran, i love your suit and tie. it brings a little of the flavor of my district into this big old hearing room. and warm welcome to your mother. i don't know where she is, but
12:56 pm
it's great to have your mother here. great, wonderful. i know that associate professor blaze talked about the crisis of the vulnerability in our country relative to, you know, how our systems, how vulnerable our systems are. i would just like to add for the record that up to 90% of the breaches in our system in our country are due to two major factors. one is systems that are less than hygiene. unhygienic systems. number two, very poor security management. so i think the congress should come up with at least a floor relative to standards. and so that we can move that word crisis away from this. but we really can do something about that. i know it costs money to keep systems up. and there are some that don't
12:57 pm
invest in it. but that can be addressed. the word conversation has been used, and i think very appropriately. and this is a very healthy hearing. unfortunately, the first thing the american people heard was a very powerful federal agency on the -- you know, within moments of the tragedy in san bernardino, demand of a private company that they must do this, otherwise we will be forever pitted against one another, and there is no other resolution except what i call a swinging door that people can go in and out of. when i say people, in this case, it's the government. the american people have a healthy suspicion of big brother. but they also have a healthy
12:58 pm
suspicion of big corporations. they just do. it's in our dna. i don't think that's an unhealthy thing. but that first snapshot, i think, we need to move to the next set of pictures on this. and i'm heartened that the panel seems to be unanimous that this weakening of our overall system by having a back door, by having a swinging door, is not the way to go. so in going past that, i would like to ask mr. sewell the following. whether introducing the third-party access, and that's been talked about, i think that would fundamentally weaken our security. how does third-party access impact security? how likely do you think it is
12:59 pm
that law enforcement could design a system to address encrypted data that would not carry with it the unanticipated weaknesses of its own? i'm worried about law enforcement in this. i want to put this on the record as well. i think that it says something that the fbi didn't know what it was doing when it got ahold of that phone. and that's not good for us. it's not going to attract smart young people to come into a federal agency because what it says to them is they don't know -- it doesn't seem to us they know what they're doing. can you address this third-party access and what kind of effect it would have on overall security? >> thank you very much for the question. if you allow third-party access, you have to give the third party a portal in which to exercise that access. this is fundamentally the definition of a back door, or a
1:00 pm
swinging door, as you have, i think, very aptly described it. there is no way that we know of to create that vulnerability, to create that access point. and more particularly, to maintain it. this was the issue in san bernardino, was not just give us an access point, but maintain that access point in perpetuity so we can get in over and over and over again. that, for us, we have no way of doing that without undermining and endangering the entire encryption infrastructure. we believe that strong ubiquitous encryption is the best way we can maintain the safety, security, and privacy of all of our users. that would be fundamentally a problem. >> thank you very much. thank you, mr. chairman, and again, thank you to the witnesses. you have been, i think, most helpful. >> i apologize. i ran out for a while, but i get to ask a few questions here. mr. sewell, we can all
1:01 pm
understand the benefits of strong encryption, whether it's keeping someone's own bank statement, financial records encrypted, so we don't have to worry about hackers there. we also offered compelling testimony about law enforcement, criminal activity, child predators, homicide, et cetera. based on your experience, what we heard today, can you acknowledge that this default encryption does provide a challenge for law enforcement? >> i think it absolutely does. and i would not suggest for a moment that law enforcement is overstating this same claim that has been made by other panelists. i think the problem is that there's a fundamental disconnect between the way we see the world and the way law enforcement sees the world. and that's where i think we ought to be focusing. >> what is that disconnect? >> the disconnect has to do with the evolution of technology in society. and the impact of that technology in society.
1:02 pm
what you have heard from our colleagues in law enforcement is that the context in which encryption occurs reduces the scope of useful data that they have access to. this going dark problem. if you talk to technologists, we see the world in a very different way. we see the impact of technology is actually a burgeoning of information. we see there's an abundance of information, and this will only increase exponentially as we move into a world where the internet of things becomes part of our reality. so you hear on one side, we're going dark. you hear on the other side, there's an abundance of information. that circle needs to be squared. the only way i think we can do that is by cooperating and talking and engaging in the kind of activity that the madam was suggesting. >> i appreciate that. that's a very compelling argument you gave, but i have no wried what you just said. let me put this into terms we can all talk about.
1:03 pm
your time from the first panel, child predators were able to hide behind this invisible cloak. a murder scene in where they could have perhaps caught who did this. we know when it comes to crimes, there are those who won't commit crimes because they have a good moral compass. we have those who will commit them anyway because they have none. we have those who can be deterred because they think they might get caught. and we have terrorist acts where you can get into a cell phone from someone who has committed a terrorist act, you can find out if they're planning more and save other lives. so what do you tell a family member who has had their child abused and assaulted in unspeakable forms? what do you tell them about burgeoning technology? i mean, tell me what comfort we can give someone about the future? >> i think in situations like that, of course, they're tragic. i'm not sure there's anything any one of us could say to ease that pain.
1:04 pm
on the other hand, we deal with this every day. we deal with cases where children have been abducted. we work directly with law enforcement to try to solve those crimes. we had a 14-year-old girl from pennsylvania who was abducted from her captor. we worked immediately with the fbi to identify the location where she had been stashed. we were able to get feet on ground in a matter of hours, find that woman, rescue her, and apprehend -- >> that's good. i appreciate that. but what about -- i look at this case, it was presented, when someone may have a lot of information hidden, and if they could get in there, whether it is child predators or it is a terrorist where we could prevent more harm. >> and we're missing the point of technology here. the problems that we're trying to solve don't have an easy fix. >> i know that. i need to know you're working in a direction that helps. >> absolutely. >> that's what i'm trying to help -- >> hashing images so when the
1:05 pm
images move across the internet, we can identify them. we can track them. the work that we do with operation railroad is exactly that. it's an example of taking technology, taking feet on the ground, law enforcement techniques, and marrying them together in a way that fundamentally changes. >> for people using encrypted sources, whether it's by default or intention to hide their data and their intention and their harmful activity that they're planning on hurting more, what do we -- what do we tell the public about that? >> we tell the public that fundamentally we're working on the problem and we believe strong ubiquitous encryption provides -- >> does that mean apple is working with the fbi and law enforcement. the response of apple is we ought to have a commission. you're looking at the commission. we want to find solutions. we want to work with you. i'm pleased you're here today. you heard many of us say we don't think there's right or
1:06 pm
wrong absolutes. this is not black and white. we're all in this together. and we want to work on that. i need to know about your commitment, too, in working with law enforcement. could you make a statement? >> could i tell you a story? i sat opposite my counterpart at the fbi, a person that i know very well. we don't talk frequently, but we talk regularly. we're on a first-name basis. i sat opposite him and said amidst all this clamor and rancor, why don't we set aside a day? we'll send some smart people to washington or you send smart people to cupertino and what we'll do is talk to you about what the world looks like from our perspective. what is this explosion of data that we see, why do we think it's so important, and you talk to us about the world. how do they think about technology? how do they think about the problems that they're trying to solve? and we are going to sit down together for a day. we were planning that at the time that the san bernardino
1:07 pm
case was filed. that got put on hold. but that offer still exists. that's the way we're going to solve these problems. >> chairman. >> yes? >> will you yield for one second? you know, mr. sewell, if we can facilitate that meeting in any way, i'm sure the chairman and i would be more than happy to do that. and we have some very lovely conference rooms that are painted this very same color, courtesy of chairman upton, and we'll have you there. >> madam, if we can get out of the lawsuit world -- >> you know what. that would be great. thank you. >> we want that to be facilitated. we have too many lives at stake and the concerns of many families and americans. this is center, this is core. >> i agree. >> i know i'm out of time. mr. bilirakis is recognized for five minutes. >> thank you. i appreciate it so very much. i want to thank everyone on the panel for your technology leadership that helps us keep us safe, because that's where our top priority is here in the
1:08 pm
united states congress. at least it's mine and i know many others on the panel. we're here to try to find a balance between security and privacy and not continue to pit them against each other. i think you'll agree with that. mr. yoran, how quickly does one life cycle of encryption last in the secure system until vulnerabilities are found and exploited? will this continually be a game of cat and mouse? or are we at a level now where software and the processes are strong enough to make end-to-end encryption a stable system? >> systems are attacked and vulnerabilities are exploited almost instantaneously once computer systems, mobile devices are put on the internet. once crypto methods are published, there's an entire community that goes to work depending on the strength of the encryption, vulnerabilities made to be discovered immediately or
1:09 pm
decades down the road, in which case all of the information may have been at risk while the crypto system was in use. and frequently, the exposure and the exploitation of crypto systems isn't necessarily based on the strength of the algorithms themselves but on how they're implemented and how the systems are interconnected. i might not have the key to get information off of a particular device, but because i can break into the operating system because i have physical access to it, because i can read the chips, because i can do different things, i can still get information or i can get the key. it's a very complex system. it all has to work perfectly in order for the information to be protected. >> thank you. next question is for the entire panel. we've known for the past few years that any significant threat to our homeland will likely include a cyberattack. will you agree on that? >> can you elaborate on the role that encryption plays in this process of
