The heads of the federal government’s top intelligence and law enforcement agencies made a rare group appearance in the same room on Capitol Hill Thursday, where Director of National Intelligence James Clapper, CIA Director John Brennan, FBI Director James Comey and commander of U.S. Cyber Command and NSA Director Michael Rogers briefed Congress on global cyber threats facing the U.S.
According to the heads of various agencies, some of those threats are unwittingly posed by U.S. tech companies themselves, many of whom have adopted new standards for encrypting user data and communications in the wake of mass surveillance programs leaked by former National Security Agency contractor Edward Snowden.
Intelligence and law enforcement have spent significant time asking Congress to intervene in the issue of criminals “Going Dark” in the year since Google and Apple announced default end-to-end encryption of all user communications, which, in Apple’s case, not even the company can decrypt.
Comey has led the charge in calling on Silicon Valley to give agencies access to encrypted data — something companies have historically pushed back against since the ’90s over privacy, economic and security concerns.
“Why don’t they give us a proposal and let us weigh in on it,” House Intelligence Committee ranking Democrat and California Rep. Adam Schiff said about Silicon Valley’s reaction to federal agencies’ demand that companies develop a means of accessing encrypted data.
Schiff, whose district lies not far from the headquarters of Sony Pictures, which was hacked last year, said he met with a number of companies including Google, Facebook and Twitter on the encryption issue last week, many of whom said they were frustrated with the government’s expectation.
“They framed it, and with some discomfort, as the intelligence community is coming to us and saying, ‘You’re brilliant, figure it out,’” Schiff said Thursday.
Apple has already refused a court order for communications belonging to suspected drugs and firearms traffickers on the grounds their iPhone iMessage communications were encrypted — an eventuality Comey and others spent the last year warning would happen.
“This is not a problem that’s going to be solved by the government alone,” Comey told Schiff, adding he thought it would take public, private and academia all working together to come up with multiple solutions to accessing encryption, depending on the various types of companies the government could seek information from.
“We all care about safety and security on the Internet — and I’m a big fan of strong encryption — we all care about public safety, and the problem we have here is those are in tension in a whole lot of our work.”
In response to the economic argument — that companies already suffering from distrust abroad over their compliance with mass NSA surveillance programs could lose even more market share to foreign competitors — Comey said the U.S. already has standards for manufacturing the rest of the world does not.
“There are lots of costs that come with being in American business — you’re not allowed to employ children, you can’t pollute the environment, we impose all kinds of rules on people that other countries don’t, which is a disadvantage to our companies,” Comey said, suggesting likeminded countries come together to establish shared standards for developing encryption products.
“We work for the American people, we work with the tools that they give us through Congress. And so our job is to say, ‘Hey look, our tools are being eroded, and we’re not making it up,’” Comey continued. “What has helped people, I think, in the ISIL threat is to see we’re not making it up.”
“You should not look to the government for innovation, technological innovation is not our thing.”
The second major topic of Thursday’s hearing was response to cyber espionage and attack, and the lack of specific “rules of the road” outlining measured retaliation for cyber intrusions like that of the U.S. Office of Personnel Management revealed earlier this summer.
Rogers told the committee it was important to note the differences between cyberattacks like that against Sony, meant to cause damage, cyber theft from private companies meant to gain economic advantage, and cyber espionage like OPM, with the end goal of counterintelligence.
“To date, we’ve tried to be somewhat nuanced, if you will, in how we as a government have responded,” Rogers said, adding it was up to policymakers to decide on a set of acceptable norms in cyberspace.
“We clearly understand nation states use the spectrum of capabilities they have to attempt to generate insights on the world around them. But that does not mean that the use of cyber for manipulative, destructive purposes is acceptable. It does not mean that the use of cyber for the extraction of massive amounts of personally identifiable information is acceptable. And we’re going to have to work our way through how we develop all that in a much more refined way than we have to date.”
Rogers said the administration has largely gauged reactions to cyber aggression on a case-by-case basis, the most recent examples being economic sanctions against North Korea for Sony and China for OPM. According to the NSA and Cyber Command head, that strategy is unlikely to deter future acts of cyber aggression.
“A purely reactive defensive strategy is not ultimately, I think, going to change the dynamic where we are now,” Rogers told the committee. “And the dynamic we find ourselves in now, I don’t think is acceptable to anyone.”