Hearings
Hearing Type:
Open
Date & Time:
Wednesday, July 8, 2015 - 2:30pm
Location:
Hart 216
Witnesses
Director
James B.
Comey
FBI
Full Transcript
[Senate Hearing 114-739]
[From the U.S. Government Publishing Office]
S. Hrg. 114-739
COUNTERTERRORISM, COUNTERINTELLIGENCE, AND THE CHALLENGES OF ``GOING
DARK''
=======================================================================
HEARING
BEFORE THE
SELECT COMMITTEE ON INTELLIGENCE
OF THE
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
WEDNESDAY, JULY 8, 2015
__________
Printed for the use of the Select Committee on Intelligence
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.fdsys.gov
_________
U.S. GOVERNMENT PUBLISHING OFFICE
27-896 PDF WASHINGTON : 2018
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong., 2d Sess.]
RICHARD BURR, North Carolina, Chairman
DIANNE FEINSTEIN, California, Vice Chairman
JAMES E. RISCH, Idaho RON WYDEN, Oregon
DANIEL COATS, Indiana BARBARA A. MIKULSKI, Maryland
MARCO RUBIO, Florida MARK WARNER, Virginia
SUSAN COLLINS, Maine MARTIN HEINRICH, New Mexico
ROY BLUNT, Missouri ANGUS KING, Maine
JAMES LANKFORD, Oklahoma MAZIE K. HIRONO, Hawaii
TOM COTTON, Arkansas
MITCH McCONNELL, Kentucky, Ex Officio
HARRY REID, Nevada, Ex Officio
JOHN McCAIN, Arizona, Ex Officio
JACK REED, Rhode Island, Ex Officio
----------
Chris Joyner, Staff Director
David Grannis, Minority Staff Director
Desiree Thompson-Sayle, Chief Clerk
CONTENTS
----------
JULY 8, 2015
OPENING STATEMENTS
Burr, Hon. Richard, Chairman, a U.S. Senator from North Carolina. 1
Feinstein, Hon. Dianne, Vice Chairman, a U.S. Senator from
California..................................................... 58
WITNESS
Comey, Hon. James B., Director, Federal Bureau of Investigation.. 59
Prepared statement........................................... 63
SUPPLEMENTAL MATERIAL
Computer Science and Artificial Intelligence, Laboratory
Technical Report dated July 6, 2015, entitled ``Keys Under
Doormats''..................................................... 4
Letter from the American Civil Liberties Union dated July 7, 2015 38
Letter from the Business Software Alliance dated July 8, 2015.... 47
Remarks of Director Comey to the Brookings Institution on October
16, 2014....................................................... 50
COUNTERTERRORISM,
COUNTERINTELLIGENCE, AND THE
CHALLENGES OF ``GOING DARK''
----------
WEDNESDAY, JULY 8, 2015
U.S. Senate,
Select Committee on Intelligence,
Washington, DC.
The Committee met, pursuant to notice, at 2:33 p.m. in Room
SH-216, Hart Senate Office Building, Hon. Richard Burr
(Chairman of the Committee) presiding.
Committee Members Present: Burr, Feinstein, Risch, Coats,
Collins, Blunt, Lankford, Cotton, McCain, Wyden, Mikulski,
Warner, Heinrich, and Hirono.
OPENING STATEMENT OF HON. RICHARD BURR, CHAIRMAN, A U.S.
SENATOR FROM NORTH CAROLINA
Chairman Burr. Good afternoon. I call this hearing to
order. I'd like to welcome our witness today, Director of the
Federal Bureau of Investigation, James Comey. I would note that
Director Comey appeared this morning before the Senate
Judiciary Committee. Jim, I appreciate your appearing before us
now and enduring a long day of Congressional testimony. I know
the Vice Chair has had an opportunity to have a bite at you,
but she wanted one more, she told me.
As we often conduct hearings in closed session, I'd like to
take this opportunity to publicly commend the Director and the
men and women of the FBI for their outstanding efforts in
keeping our country safe. It is due in no small part to FBI
vigilance in concert with the intelligence community partners
that our Nation's enjoyed peaceful and safe Independence Day
celebrations this past weekend.
Director Comey, as you're well aware, extremists fueled by
anti-Western propaganda remain intent on inflicting harm on
U.S. interests at home and abroad. Over the past year we've
witnessed the Islamic State of Iraq and the Levant, also
referred to as ``ISIL'' or the ``Islamic State'' or ``Daesh,''
attempt to inspire a wide range of individuals to conduct
attacks against innocent civilians.
Largely as a result of ISIL's media savvy, the number of
U.S.-based individuals in 2015 seeking to conduct attacks in
the homeland or overseas to join ISIL has already exceeded the
combined number of individuals attempting these activities in
2013 and 2014.
Unfortunately, the threats facing our Nation are not
limited to terrorist actors. Foreign governments remain intent
on stealing our country's most valuable trade, intellectual
property and national security secrets. The FBI is charged with
confronting all these threats as well and is continually
challenged by the capabilities and tradecraft employed by these
nation-state actors.
In addition to these fairly unique jurisdictional issues,
the FBI conducts routine law enforcement investigations of drug
trafficking, theft of government property, child pornography,
robbery, extortion, murder, and the list goes on and on and on.
These criminals are also turning to encrypted communications as
a means of evading detection. These two issues that might at
first glance appear unrelated are in fact closely linked.
Communications between a terrorist organization's
operational commanders and field soldiers require enabling
technology. Communications between a foreign state and its
spies also requires enabling technology. In both cases, the
enabling technology used by terrorists and foreign state spies
is increasingly secure encrypted communications. Both of these
adversaries are taking advantage of the rapid advances in
secure communications that are employing advanced--that are
employing advanced commercially available encryption.
Director, as I understand the issue, even when law
enforcement has the legal authority to intercept and access
communications pursuant to a court order, you may lack the
technical ability to do so. This is what you've referred to and
others have referred to as ``Going Dark.'' You've described it
as one of the biggest challenges facing your agency and law
enforcement generally. This challenge falls at the intersection
of technology, law, freedom, and security.
It results from the adoption of universal encryption. These
applications are designed so that only the user has the key to
decode their content. In these cases, when the FBI or any other
law enforcement agency requests access to a user's
communications via a lawful warrant, it is inaccessible or
unreadable. It does not matter whether the user is a suspected
terrorist, a child molester, a spy or a drug trafficker; law
enforcement's blind and becoming so, and as a result we're less
safe.
I, like all Americans, desire privacy. As Americans we're
guaranteed the right to be secure pursuant to the Fourth
Amendment in our persons, houses, papers and effects. I'm also
concerned, though, as are our fellow members, about the
terrorist, counterintelligence and other criminal threats to
those very same things. I strongly believe that we must
identify a solution that first protects American privacy, but
also allows for lawful searches under valid court orders.
Director Comey, you said that the encryption now readily
available--and I quote--``is equivalent to a closet that can't
be opened or a safe that can't be cracked,'' unquote. You have
an opportunity today to speak to the Committee and to the
American people and to convince us that in order to keep the
American people safe, you need to be able to open the closet or
to crack the safe. There are no easy answers and we're
embarking on what will be a robust debate that I think it was
initiated by you and I think that's a good thing.
Director, you wrote on Monday that part of your job is to
make sure the debate is informed by a reasonable understanding
of the cost. I look forward to your testimony, this discussion,
and I appreciate you being here.
Before I turn to the Vice Chairman for her remarks, I'd
like to ask unanimous consent to enter several documents into
the record. The first is the Computer Science and Artificial
Intelligence Laboratory Technical Report dated July 6th, 2015,
entitled ``Keys Under Doormats.''
[The material referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. The second letter, from the American Civil
Liberties Union to the Committee, dated July 7th, 2015, on the
topic of this hearing.
[The material referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The third is a letter from the Business Software Alliance
dated July the 8th, 2015, again to this Committee and the
Senate Judiciary Committee, on the topic of today's hearing.
[The material referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
And the fourth is the transcript of the Director's remarks
to the Brookings Institute dated October 16th, 2014. Without
objection, those four documents will be entered into the
record.
[The material referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
I now turn to the Vice Chairman for any remarks she might
make.
OPENING STATEMENT OF HON. DIANNE FEINSTEIN, VICE CHAIRMAN, A
U.S. SENATOR FROM CALIFORNIA
Vice Chairman Feinstein. Thanks very much, Senator. And
thank you, Mr. Chairman, for holding this hearing. There was a
crowded hearing this morning in Judiciary and I think the
number of people here today is evidence that this a subject of
great interest, so I thank you for holding this open hearing.
Director Comey, welcome again back to the Committee, and
let me just repeat what I said this morning in Judiciary. I
want to thank you and the men and women of the FBI for really
unparalleled service to protect this country and disrupt and
prevent attacks. We are very grateful and I hope you will say
that to your people, so thank you.
For a period last month there were arrests almost every day
as the Bureau worked to thwart attacks around the 4th of July
holiday. Counterterrorism has been the top of the FBI's
priority list since 9/11. And never has it included so many
operations and threats to our country.
The Assistant Attorney General for National Security, John
Carlin, said last week in remarks in London that the United
States Government was running hundreds of counterterrorism
investigations involving every United States State. In addition
to the growth in the number of terrorist incidents, the nature
of the threat has changed significantly. Hundreds and perhaps
thousands of Americans here at home are in contact with ISIL
members and affiliates, ranging from those taking direction to
those who were inspired by ISIL messages on social media
platforms.
As you know, I have been particularly concerned about
terrorists' use of the internet to instruct, recruit, and
inspire terrorism inside the United States. And you very
graphically pointed that out and I hope you will again this
afternoon, in what you said this morning. I believe that United
States companies, including many founded and headquartered in
my home State, have an obligation to do everything they can to
ensure that their products and services are not allowed to be
used to foment the evil that ISIL embodies.
Last week I read a lengthy feature in the New York Times.
The title was ``ISIS and the Lonely American,'' which described
in detail how ISIL members used Twitter and other services to
recruit a young woman over months to support a militant brand
of Islam and try to get her to marry an ISIL fighter and travel
to Syria.
As Director Comey notes in his opening statement, quote,
``The foreign terrorist now has direct access to the United
States like never before,'' end quote. Foreign terrorist
groups, as well as adversarial nation-states today, have
greater awareness of how the United States intelligence
community conducts its business to collect intelligence needed
to protect the people of this country and to inform national
security decisions.
This Committee has heard from the FBI, the National
Security Agency as late as yesterday afternoon, the National
Counterterrorism Center, about how terrorist groups in
particular have moved to forms of communications that are
harder or impossible for the intelligence community and law
enforcement to access. The increased use of end-to-end strong
encryption by both new and established communications companies
has exacerbated this trend.
I understand the need to protect records and encryption is
one way of doing so. Especially in this area of cyber-
penetrations of our government and our private sector
companies, encryption is an important safeguard. That doesn't
mean, however, that companies should configure their services
in a way that denies them the ability to respond to a court
warrant, a FISA order, or a similar legal process from the
government.
This is not a theoretical issue. The FBI has briefed this
Committee on cases where it knows of communications involving
ongoing terrorists by ISIL inside the United States, but it has
no way to obtain the content of those communications even with
a court order based on probable cause.
It seems to me that if companies will not voluntarily
comply with lawful court orders for information, then they
should be required to be able to do so through legislation in a
way that protects security of consumer data against
unauthorized access. As Director Comey has said, we are not
looking for a back door into American companies; we are looking
to be able to use the front door.
So, I welcome today's hearing and look forward to the
Director's testimony on the ongoing threat of terrorism against
the United States and the need to acquire lawfully and quickly
information necessary to stop those threats from becoming real
attacks. Thank you very much, Mr. Chairman.
Chairman Burr. Thank you, Vice Chairman.
For members, after the Director's comments members will be
recognized for five minutes based upon their order of
attendance today. And I would like to remind all members that
we're in an open session, which is unusual. Therefore, I would
ask you to be particularly careful in the questions that you
ask. I trust, Director if in fact you have an answer that can't
be given in an open session, you'll just tell the Vice Chairman
and I that we'll carry this over to a closed session at an
appropriate time, and we'll accommodate you on that.
With that, let me turn it to you, Director Comey, for any
of your comments that you'd like to make.
STATEMENT OF HON. JAMES B. COMEY, DIRECTOR, FEDERAL BUREAU OF
INVESTIGATION
Director Comey. Great. Thank you, Mr. Chairman, Madam Vice
Chair. Thank you for this opportunity. I really do like the use
of the word ``conversation.'' I think this is a conversation we
have to have as a country and this is a great opportunity to
have it, to begin having it. I sometimes hear people talk about
the crypto-wars and we're fighting the crypto-wars today, and I
don't like that metaphor because I don't feel like I'm fighting
anything. I am not here to win anything. I'm here, I hope, to
explain the ways in which the change in technology and the
change in which bad people are using technology affects the
tools the American people through this body have given the FBI.
I think we all care about the same things. We care deeply
about the security of our information, of our healthcare, of
our finances, of our innovations, of all the great things that
travel over the internet. We all care about that. And I think
we all care about public safety. We all care about the ability
to keep the folks safe in this country. And so I don't see it
as a war, I see it as an opportunity to talk about how one is
in tension with the other and what should we do about it.
I really do believe we stand at an inflection point that I
felt not long after I became Director, which is why I started
talking about this, where the technology has moved to a place
where encryption, which was always available over the last 20
years, has become the default. And that change has been
accompanied by an explosion in apps that ride on the internet
and offer end-to-end encrypted communication. Those things have
put us at an infliction point most obviously, given my primary
responsibility, with respect to counterterrorism.
But this Committee knows from closed sessions what I think
the American people may know less well, which is the terrorism
threat today is very, very different and has changed just in my
almost two years as Director. It is not the Al-Qaeda of old.
The Al-Qaeda of old was interested in the multipronged,
national landmark-based, careful, long-planned attack with
carefully vetted operatives. We still face that challenge. The
Al-Qaeda of old was very different from what see today. And the
Al-Qaeda of old wanted to proselytize and it did so by posting
magazines on websites, and if somebody wanted to consume
propaganda they found the website and they went and read the
propaganda and if they wanted to talk to a terrorist they sent
an email into the magazine and maybe Anwar Awlaki would email
you back.
Here's what's changed. ISIL thinks about their terror in a
very different way. They're not focused on the national
landmark, multipronged, long tail event. They want people to be
killed in their name. And they're coming to us with that
message, with their propaganda and their entreaty to action
through Twitter and other parts of the social media. And that
is a very different thing than Al-Qaeda ever did.
They come into our country through thousands and thousands
of followers of ISIL tweeters who are based in Syria. They have
a physical safe haven and so they broadcast a message, which is
two-pronged: come to the Islamic State, join us here in this,
you know, our version of paradise, which is a nightmare, but
their version of paradise. And second, if you can't come, kill
somebody where you are, videotape it. If you can cut their head
off and videotape it, great. Please try and kill law
enforcement or military; here's a list of names where you could
kill somebody.
And this message is pushed and pushed and pushed. Social
media companies are worth billions of dollars because pushing
to someone's pocket, whether you're selling shoes or cars or
terror, works, right. ISIL has invested in this for about the
last year and they have about 21,000 English language followers
right now, and they're pushing this message. It's as if a devil
sits on someone's shoulder all day long, saying kill, kill,
kill and the terrorist, if you want to talk to them, is right
there in your device.
And so they're reaching and they're calling and they're
calling, and it's having an effect on troubled souls in the
United States. As the Vice Chair said, I have hundreds of these
investigations in every single State, and we had disrupted just
in the last few weeks very serious efforts to kill people in
the United States. The challenge to us is, ISIL will find the
live ones on Twitter and then we can see them say: Okay, here
is my encrypted end-to-end mobile messaging app contact
information; contact me there.
And so our task, to find needles in a nationwide haystack,
becomes complicated by the fact that the needle at that moment
goes invisible, right. I know I'm giving information to bad
people. We cannot break strong encryption, right. I think
people watch TV and think the Bureau can do lots of things. We
cannot break strong encryption.
So, even if I get a court order under the Fourth Amendment
to intercept that communication as it travels over the wires, I
will get gobbledygook. That needle will remain dark to me. That
is a big, big problem for us.
And the second way in which this is enormously challenging
is ISIL does something Al-Qaeda would never imagine. They test
people by tasking them. Kill somebody and then we'll see
whether you really are a believer. And these people react in
ways that are very difficult to predict.
What you saw in Boston was what the experts call flash to
bang being very close, right. In Boston you had a guy who was
in touch in an encrypted way with these ISIL recruiters and we
believe was bent on doing something on July 4th. He woke up one
morning, June 2nd, and decided he was going to go kill
somebody. Right, thank goodness we were able to confront him.
He confronted our people with a knife and unfortunately they
had to use their weapons. But that's an example of sort of the
unpredictability of this.
So you combine the blindness with this broad reach and that
flash to bang and we face a challenge that we've not seen
before. This is not your grandfather's Al-Qaeda. This is a very
new threat that we face.
Now, some people say to me: Well, you have all kinds of
other information you can get; we live in the golden age of
surveillance; and I think of it differently. I think we live in
the golden age of communication. Al-Qaeda--Osama bin Laden
would never have dreamed that he could speak simultaneously to
hundreds of Americans, find them and task them in ways that
American law enforcement could not see and do it at the speed
of light. The golden age of communication is posing enormous
challenges for us.
I'm not here to scare folks, though. I'm here to tell
people there is a problem. I do not know the answer. A whole
lot of good people have said: It's too hard; that we can't have
any diminution in strong encryption to accomplish public
safety, else it'll all fall down and there'll be a disaster.
And maybe that's so. But my reaction to that is, I'm not sure
that we've really tried. I think Silicon Valley is full of
great people who when they were younger were told, your dreams
are too hard. They were standing in a garage some place and
they were told ``Can't be done.'' Thank goodness they didn't
listen.
I think we have the talent to think about this in a good
way. My hope from this conversation is that folks will realize
this really matters. And the FBI is not the source of
innovation. We're just telling people we've got to talk about
this, because I see the present and I see the future, which in
many ways is more troubling, because the logic of it is
inexorable.
FBI is not some occupying force imposed on the American
people from abroad. We belong to the American people. We only
have the tools that they have given us through you. I'm here to
tell the American people: The tools you've given us are not
working the way you expect them to work in the highest stakes
matters. I need help figuring out what to do about that. The
companies are run by good people. I think they see the
challenge, they want to help. We have to figure out a way to
solve this, to crack this riddle.
And maybe it's too hard, maybe we end up in that place. But
I think this country has never been made up of people who say,
``Can't be done.'' We really ought to talk about it more. So, I
appreciate the opportunity to discuss it with the Committee.
[The prepared statement of Director Comey follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Burr. Director, thank you. And I think it's safe
to restate that we're at the start of the debate, even though
we have had the conversations for some time privately. We've
watched encryption grow more dominant and more dominant, and
really, as you said, become the default. It's almost automatic
now. And it places a huge challenge on your ability to fulfill
your mandate, and our challenge is to work with you as an
extension of the American people to provide you what tools
America is comfortable with and I think as we go through this
debate we'll figure out where that sweet spot is.
With that, I'm going to turn to the Vice Chairman for her
questions, and I would share with the members it would be
Feinstein, Wyden, Heinrich, Cotton, Coats, Hirono, Mikulski,
Collins, Warner, McCain, Blunt and Lankford in that order. Vice
Chairman.
Vice Chairman Feinstein. Thanks very much, Mr. Chairman.
Director Comey, I think you spoke very eloquently, but can
you quantify this at all? Can you tell us how often the FBI
acting pursuant to a warrant or other lawful process encounters
encrypted information you cannot access?
Director Comey. Thank you, Senator Feinstein. The answer is
I really can't at this point, for a couple of reasons. We're
sort of at the beginning of this and we're going to work to try
and collect that data.
But the other thing is, it's a bit of like proving a
negative. When my folks see that something is encrypted, they
move on and try to find some other way to assess this bad guy,
this potential bad guy. And so we obviously have incidents, the
courts have collected incidents, where wiretaps were issued by
courts and then encryption was encountered. But my numbers--I
don't have good enough numbers yet.
Vice Chairman Feinstein. Okay. I think it would helpful if
the Department could gather some numbers to quantify this.
The next question is BSA, which is known as The Software
Alliance, sent a letter to this Committee and the Judiciary
Committee stating that calls for weakened encryption, quote,
``can create artificial commercial disadvantages for United
States companies and barriers to market access.'' End quote.
I'd like to have your reaction to that statement?
Director Comey. First, I think--again, I'm not an expert.
Public safety is my thing, but I think I take issue with the
notion of weakening encryption. I also take issue with the
whole back door notion. I think what smart people have told me
is there are a number of companies already out there that use
strong encryption on their data, including data in motion, that
have the ability to access the data and comply with court
orders, and they're able to do both in a pretty robust way in
all different sectors, in the information--in the ISP world as
well as in finance and a bunch of other places.
So I don't know that it's going to be a question of
weakening encryption. It's simply going to be a way of figuring
out how do we comply with a judge's order, we the company, and
I don't think the government is, frankly, smart enough to be
able to impose a one size fits all solution. But I also think
you're right that there are competitive and international
implications in this. None of us want to do anything to damage
the innovation of America. It's the great engine of this
amazing country.
And so I do think there are international implications that
have to be considered. Every country that cares about the rule
of law is grappling with this right now. All of them are trying
to figure out a way to maximize safety on the internet, right,
make sure there's strong encryption, and maximize public
safety, and do it under the rule of law. Our friends in the
U.K. are doing that right now. So I agree that there are
implications to it internationally.
Vice Chairman Feinstein. Well--and let me ask you to
respond. This is another quote from the same letter:
``Requiring technology that provides law enforcement access to
information also risks undermining the security of all
electronic communications and digitally stored information.''
End quote.
Would you comment on that? As I understand it, what you
would be talking about is some kind of a front door key? Is
that--is that correct?
Director Comey. Again, it's part--my reaction to that
comment is ``Maybe.'' And if that's the case, well, I guess
we're stuck. But I don't think the great innovative people of
America have actually put their mind to this, frankly because
they haven't been incentivized to do so.
But again, I believe there are companies that provide
significant portions of our internet activity that have
encrypted--strongly encrypted data in motion and have the
ability, because it's part of their business model, to see the
data and comply with court orders.
Vice Chairman Feinstein. So, you're saying that some do and
some don't.
Director Comey. Correct.
Vice Chairman Feinstein. Is that what you're saying?
Director Comey. Somehow they've managed to do it without
the entire system crashing or without their own business being
materially vulnerable in some way. But look, here's how I
understand it. There's no such thing as secure. There's more
secure and less secure. There's vulnerability in every system.
The question is: So what can we do to maximize public safety
that results in an acceptable level of security? And the answer
is I don't know, but I think a lot of smart people should talk
to each other to try and figure that out.
Vice Chairman Feinstein. Thank you.
Thank you, Mr. Chairman.
Chairman Burr. Senator Wyden.
Senator Wyden. Thank you very much, Mr. Chairman.
Director Comey, I very much share Director--Chairman Burr's
comment with respect to the respect we have for the men and
women of the FBI, and you and I have policy differences on that
matter, but we are not going to respect the men and women who
work for you any less because of those differences.
Every Senator who serves on this Committee understands that
it is a dangerous world and the challenge is to make sure that
we pursue approaches that promote security while not
diminishing our liberty. Too often, we haven't been able to
achieve either. And I think as we start this debate I want to
emphasize how exactly we got here. Executive Branch agencies
are now dealing with a problem that they largely created.
Senior officials made the choice to secretly twist the law
to support an ill-conceived secret program that vacuumed up
millions of phone and email records of law-abiding Americans. A
number of us spent years warning what the consequences would
be, but obviously public confidence was dramatically
diminished.
That led to a very serious public backlash and in response
to it, just as Senator Feinstein read, our hardware and
software companies accelerated their efforts to provide
customers with stronger protections.
This obviously creates real challenges for you. But I will
tell you, as of this morning statements are being made that do
not inspire a lot of confidence. You talk about the need to
strike the right balance. There hasn't been a lot of balance in
the past, and as of what I heard this morning there still isn't
too much balance in the so-called balance.
The Deputy Attorney General, Ms. Yates, seemed to suggest
this morning that companies should retain a stockpile of
encryption keys for the government to access. Making this a
mandatory requirement would obviously present huge problems
since any such stockpile would be vulnerable to compromise or
abuse. In my judgment, a mandate like that would be a huge gift
to foreign hackers and criminals.
So what I want to do with my time for questions is put this
into context on a matter we all care about up here, which is
cyber security. I've had companies in Oregon hacked for
economic espionage and my constituents are not alone. So on the
topic of encryption and cyber security, has the Executive
Branch done any analysis of the impact that a requirement for
U.S. companies to build weaker encryption or stockpile these
encryption keys would have on U.S. cyber security?
Director Comey. Not that I'm aware of, because that forms
part of our concern that we not try to impose a solution. I
didn't understand her to be saying--obviously, I sat next to
her. I didn't understand her to be saying that. I understood
her to be saying the end state we want is that companies,
however they choose to do it, will be able to comply with
judges' orders, but that we don't want to impose a one size
fits all; we want companies to work with us to figure what
works for you, because it seems that some companies have
figured out how to do it.
Senator Wyden. Well, she was suggesting in my view that
there be a stockpile of these keys. She didn't want the
government to have it. And once you're going down that route, I
think it's trouble.
Now, having said that you're not aware of any study, and
that was my sense, is it fair to say that strong encryption
improves cyber security and weaker encryption reduces cyber
security?
Director Comey. Yes. Strong encryption is great.
Senator Wyden. Okay. Now, if a stockpile of encryption keys
was created somewhere, because I took Ms. Yates' comment to not
be the government but she wanted it somewhere, if you had a
stockpile of these keys created somewhere, would you be able to
guarantee that these keys would never be stolen by a hostile
foreign actor?
Director Comey. The hypothetical stockpile of keys, surely
not. But again, please don't understand me to be suggesting,
nor should you listen to me if I suggest, a technical solution.
I don't know what the answer is.
Senator Wyden. But I think you're right. I think that,
based on my 14 years of service on this Committee, I don't have
a lot of confidence that a stockpile of these encryption keys--
and as I say, I heard Ms. Yates said there ought to be some
kind of arrangement to have these encryption keys somewhere.
I'm not confident it wouldn't be compromised or abused. That's
the flaw in the concept. We'll continue to have this debate.
Thank you, Mr. Chairman.
Chairman Burr. Senator Heinrich.
Senator Heinrich. Mr. Chairman, I want to thank you for
holding a public hearing on this topic and giving us an
opportunity to discuss these issues. If I had one critique it
would be that we're missing valuable insight from the
technology, privacy and constitutional liberties experts who
also have valid concerns around these ideas, potential
proposals.
So, you know, one of the things that I would suggest is
that we consider holding a follow-up public hearing where we
can hear from some of those individuals as well, particularly
in the technology space. And in the meantime I ask unanimous
consent that a number of letters and background materials that
you did not include in your earlier unanimous consent be made
part of the hearing record.
Chairman Burr. Without objection.
[The material referred to follows:]
Senator Heinrich. Let's see. Director Comey, you know, this
issue of losing access to encrypted communication is obviously
complex, particularly from a technological point of view. And I
guess I want to start by just commending you and, as I have NSA
Director Rogers, for your willingness to address this publicly
and to start the conversation. I think one of the challenges is
that it's going to be very hard to address this issue without a
specific technological proposal or fix to be able to discuss.
And, you know, back in the 1990s we had a first crack at this
which really came apart at the seams once it became solidified
around the particular piece of technology and that's what I'm
concerned about today.
So, in the interest of time, I'm going to submit the rest
of my opening statement for the record so I can get to a couple
of questions. But I think that's going to be at the crux of
this conversation for a while, is that we need to know what a
potential fix looks like or in the case of if there are
examples--and I'll get to that in my questions--what those look
like, to be able to know whether a fix is really better or
whether it creates inherent weaknesses that are exploitable by
some of these very talented, nefarious actors that you brought
up in your testimony.
As you know, yesterday several respected computer and cyber
security experts, people who are really well renowned in the
area of cryptography, released a report that effectively
concluded that you can't reliably provide the government or
anyone else with exceptional access to software applications
without introducing some critical weaknesses in that
encryption.
Given your interest in this issue--and I hope you've had a
chance to at least familiarize yourself with that report--you
know, one of the things I'm concerned about here I guess is
that it seems like government and the technology interests are
sort of talking past one another, and need to sit down and get
at least the technology pieces of this on the table, so that we
can all agree that we're talking about the same thing. And I
think it would be a mistake with regard to exceptional access
to leave the solution to a Congress that I would argue is not
always the best judge of all things technical.
As you mentioned, there are a lot of people in Silicon
Valley who are doing a really good job of trying to manage
these things. So, can you give some examples of programs that
currently use some form of end-to-end encryption, so provide
that security, but also are able to respond somehow to the law
enforcement warrants that you need to put out there?
Director Comey. Thank you, Senator. I agree very much,
which is why I'm so excited about this opportunity, because I
think things like this hearing will drive the conversation,
because we need to do it together. They are the source of the
innovation and the expertise. We need their help in solving
this.
I'd never heard until I read--I read the executive summary
and I went through that paper pretty quickly, the rest of it,
I'd never heard the term ``exceptional access.'' My reaction
when I read it is I don't want exceptional access; I want
ordinary access where a judge issues an order and folks are
able to comply with the order that a judge issues. There are
providers who, because of their business model, encrypt, as I
understand, strongly encrypt the communications in motion, but
they are visible to them on their servers that they control, as
part of the business models, because they want to be able to
sell you ads and so they need to be able to see the content.
And for those providers, some of whom are huge providers,
we are able to serve a judge's order and get the content in a
counterterrorism case or an espionage case or serious criminal
case of communications that the judge has authorized us to do.
And I don't think those folks think that their system is
materially vulnerable.
And so I wonder. Again, folks should not be looking to me
for technical advice. I wonder whether that isn't an example
that we should use in our conversations with the companies. But
every company is going to be different, which is why I don't
think one size fits all, because some of the companies at issue
that the terrorist use are three guys in a garage who started
this end-to-end encrypted app. And so our ability to work with
them may be very different than with some bigger companies.
So, I don't think we want to be seen as we're going to
impose this fix on all of you. We want to talk to you about how
we can solve this. I don't want to demonize the companies,
either. They love their country, they care about public safety.
I know that from private conversations, and so it's about we
care about these two things; how do we maximize both of these?
Maybe it's impossible. Maybe the scientists are right. I'm not
ready to give up on that yet.
Senator Heinrich. Well, we're overtime here, so I'll wait
for the second round. But I guess everybody has this concern
about, you know, just having been one of the people who got a
letter from OPM recently, that the government might not be the
right folks to be holding the keys for end-to-end encryption.
So we need to find a more elegant approach.
Director Comey. Agreed.
Chairman Burr. Senator Cotton.
Senator Cotton. Thank you, Mr. Chairman.
Thank you, Director, for being here to address this very
important problem. To make sure I understand the issue here,
what we're talking about is not some kind of extraordinary
surveillance, not something that's unknown to the user of a
device, but encryption technology that would thwart a lawful
court order that has been taken in front of an independent
Federal or State judge by law enforcement authorities to get
access to data, and then you go to a company and the company
says: Sorry, we can't provide you this information because we
have designed a system in a way that prevents us from accessing
it.
Director Comey. That's correct. Or with respect to a device
that's locked and the same judge issues a search warrant, and
they tell us: We can't open it because we designed our system
to make the phones--we cannot unlock them.
Senator Cotton. And this is the Intelligence Committee, but
I know you testified in front of the Judiciary Committee this
morning. This is an issue not just for terrorist operations,
but I would presume also for things like child molesters, child
pornographers, sex traffickers, kidnappers, is that correct?
Director Comey. Yes. This is an overwhelming issue in local
law enforcement and prosecution, especially the data that's on
a device that can't be opened, because they tell me that's a
feature of all of the cases you mentioned as well as domestic
violence, car accidents. The information on there can show you
who the bad guy is, also tell you someone is not guilty, and so
it's very important in all their work.
Senator Cotton. In one of the recent Congressional
recesses, I spent some time at the Little Rock field office for
the FBI. First, I want to commend the agents and employees you
have in that field office there for their dedicated public
service. It was a very important afternoon for me. They
specifically brought up the ``Going Dark'' issue and the way it
has thwarted their operations to keep Arkansans safe.
Furthermore, I was able to see in their lab an effort they
had made to get access to a locked device, and they got access
and it actually allowed them to recover a young girl who had
gone missing. But they said that that was rare and that they
were fortunate they were able to do it. I think that's just an
example of what I suspect is the case, is that in your opinion
in all 50 States of our Union is this an ongoing problem for
both Federal law enforcement and local law enforcement?
Director Comey. Yes.
Senator Cotton. Do the companies with--with whom you deal
in private settings, appreciate the fact that the technology
that they are creating and marketing is being used by
terrorists and some of the most heinous criminals in our
society?
Director Comey. They do and it bothers them, which is why I
think we're starting to have more productive conversations,
because they're good--they're good people.
Senator Cotton. So we're not the only society to encounter
this kind of problem, of course, and one argument you hear from
American companies is that they need to compete in the
international market because most people don't live in the
United States.
Director Comey. That's true.
Senator Cotton. Have you taken a look at how countries
like, let's say, the United Kingdom or France have addressed
this issue?
Director Comey. Yes. They are both grappling with it.
They're both a little bit ahead of us. They both have passed
legislation that as I understand it will require providers to
give access, again with appropriate authority, in the course of
investigations. So they--they're grappling with it just as we
are. Everybody who cares about the rule of law and public
safety has to grapple with the same thing.
Senator Cotton. So about 20 years ago, this Congress passed
something called CALEA, the Communications Assistance for Law
Enforcement Act, saying, in the old days, essentially on
telephones--that telephone companies had to provide the ability
to let law enforcement with a lawful court order, a lawful
court order, put in a wiretap. Could you look to CALEA or maybe
what other countries have done to address the ``Going Dark''
program with data encryption as a model for this Congress to
act?
Director Comey. It's possible. I mean, it's one of the
things that's being talked about, is that a model that can be
adapted to deal with this challenge? And so we're still working
on that.
Senator Cotton. Okay.
Director Comey. And by us I mean not just in the
government, but I think the private sector has to be part of
the conversation.
Senator Cotton. Does the Executive Branch yet have
legislative proposals that they are prepared for this Congress
to take under advisement?
Director Comey. Not yet.
Senator Cotton. Is that because you're continuing to work
with some of these companies to try to develop the technical,
legal, and policy frameworks?
Director Comey. Yes. Just as I think we all do, the
President sees the problem, sees that these two things we care
about tremendously are in tension and that's it's a really hard
problem. And so he's commissioned a whole lot of work on
different streams, but one of them is to figure out what
legislation, if we decide to go that route, would make sense,
and to get the input from the private sector on, so what would
work for you folks?
Senator Cotton. Well, thank you very much, Director, for
your testimony. Thank you very much for what you represent, the
tens of thousands of agents around the country who keep us safe
on days like the 4th of July and every day. I just urge you and
the men and women with whom you work in the Executive Branch to
get us that kind of proposal as quickly as possible. We all
recognize the tension between trying to protect data, which we
want to do for American citizens, but also ensure that law
enforcement has the tools they need, not just to stop terrorism
but stop the most heinous kinds of crimes imaginable in our
society.
Chairman Burr. Senator Coats.
Senator Coats. Thank you, Mr. Chairman.
Director, we're having I think a very worthwhile discussion
and I appreciate your being here, and also your open-mindedness
in terms of finding humility in a sense in saying we don't know
all the answers, but there are a lot of cooperative and smart
people out there that can help us find the answers and
hopefully attain that balance between privacy and that balance
between protecting people's lives.
I don't envy you your job, because every day I pick up the
paper or turn on the television and the news, and there's an
abducted child, there's a criminal act, there is a threat,
terrorist threats from abroad. And the American public is
demanding that your agency do everything possible to prevent
that from happening, to recover that child, to address the
blatant use of communication devices and so forth and so on
that result in very, very bad criminal acts.
By the same token, you get hit from the other side by
saying, but don't you dare do anything that would give you--
that could potentially be used to violate someone's privacy.
And so that's a very narrow path to try to walk down and
achieve both of those goals. And I think your statement
relative to the fact that we need to turn to those very people
that are providing the encryption in order to protect people's
privacy are part, a very essential part, of the solution.
My question here though, is that, while we can make
patriotic requests to all these technical companies, Silicon
Valley, in other words to help us through this and there are
patriotic Americans that say, yes, let's see if we can find
that sweet spot, we also know that there are countries around
the world that have no intent of helping us whatsoever. And
within those countries or even some of those lawless areas like
you mentioned in terms of ISIL occupying physical territory,
the last thing they're going to want to do is cooperate with us
in terms of finding a solution to this particular problem.
And so it would be very easy--well, that turns us to the
difficulty of, no matter how much we do, we're a global
communications system in place, and it's easily to turn
somewhere else. We've seen offshore gambling because we passed
laws that say you can't do gambling on the internet here in the
United States, and they simply find an island in the Caribbean
and set up and through the ether, there it goes.
So I'm wondering how you can continue to have the agency
perform its role without some type of authority to allow you
to, of course within the legal system, address the problem? And
obviously, it's going to take time to develop any kinds of
solutions. Do you--what do you have to do relative to manpower
costs to fill the gap between now and then?
Director Comey. Thank you, Senator. And I should have said
this earlier, to thank the entire Committee, but Senator Cotton
and you, Senator Coats, reminded me. Thank you for the nice
things you said about the folks at the FBI. I sent them all a
note, an email, before July 4th saying, thank you for the
American people. I know we're grateful, I know that you're bone
tired. My folks are bone tired, but they stopped the stuff that
was trying to come at us for July 4th. But that--now, it's July
7th and 8th, and they're on to the next thing. So thank you for
that. I'm going to pass it along to them. It means a lot to
them.
We love walking that fine line right between public safety
and privacy and civil liberties, right? Because we care--we've
got families, we care about the same stuff. So we like walking
that line. We do agree that there's an international component
to this, as you said, Senator, that we're going to have to
address. The folks, especially in Western Europe and here in
North America, who care about the things that we care about, we
have to figure out an approach together that makes sense, but
America is the big dog. All right. The innovation is here, the
energy is here, the infrastructure is here. What we do will set
the tone and the pattern for the rest of the world. We can't
fix the whole world, but for the world that thinks about things
the way we do, values what we do, we can drive it.
But that doesn't mean it's not--that it's an easy thing. We
try to fill the gap by--if I can't see the communications of
the terrorist, then I got to figure out, okay, can I get an
informant in on them? Can I send an undercover in? Can I follow
him 24/7--24/7 for weeks and weeks and see if I turn something
up?
All I'm telling folks is we will keep doing it. My folks
will keep working no matter how tired they are. It's just the
tools the American people thought we had are being diminished
and I see that only continuing.
Senator Coats. I think we all look forward to working with
you trying to achieve that goal.
Thank you, Mr. Chairman.
Chairman Burr. Senator Hirono.
Senator Hirono. Thank you, Mr. Chairman.
Thank you, Director, for your work and of course all of the
people who work for the FBI and protecting the safety of our
citizens.
I'd like to get a little bit more information on where we
are now in terms of your ability to see information. For
example, in how many cases have you seen a warrant for a device
or a warrant that has been thwarted--completely thwarted by
encryption? And how many Federal investigations had been unable
to progress because of encryption?
Director Comey. So the answer--as I said earlier, Senator
Hirono, I don't know the answer to that. We're going to try and
see if there's data we can collect on that. I'm not confident
it's going to be very reliable for you, though, because what
our investigators do is if they see someone is on an app that
we know is encrypted, they're not going to bother seeking a
wiretap for that. So we won't be able to count that, I don't
think, as a wiretap thwarted. And if we see encryption, we just
try and find another way to assess the situation and we try to
use the other tools.
We're going to try and do that for you, but I'm not
optimistic we're going to be able to get you a great data set.
There's no doubt that it is a real feature of our life. I think
that's one thing everybody should be able to agree upon, that
the logic of this is all of our papers and effects, all of our
communications, will at some point be covered by strong
encryption. I hope everybody agrees that will have profound
consequences for law enforcement.
Senator Hirono. I think that's one of the reasons that we
have to be very careful in what--in what we decide to do. And
so it always helps to define the extent of the problem in the
current situation. And then, as you say, no system is secure,
so we need to weigh the--what the risks are, et cetera, because
at the same time, we have this very august group who have said
that forcing companies to--to provide a back door to encryption
is going to result in a lot of unintended possibly
consequences, including we are told that some of our companies
will lose a competitive advantage because of--for example, if
we expand CALEA to including encrypted apps, that CALEA only
would apply to our companies and therefore, if our companies
have to provide a sort of a back door way to get to this
information and foreign companies who are in the marketplace
don't, then they are at a competitive disadvantage.
So there are a lot of issues that we do have to weigh. And
speaking of CALEA, by the way, did I understand you to say that
expanding CALEA is just one of the things on the table, because
I thought you had said at another forum perhaps that you think
CALEA should be expanded to include encryption apps?
Director Comey. I don't know whether I said that, but if I
said it I'm smarter today than I was then. I think that's
something that folks are discussing. But I don't know what that
answer is. That's why we haven't come to the hearing with a
proposal. We're trying to show the humility to say we actually
don't know what will be best. But I agree with the competitive
harm point, Senator.
Senator Hirono. As we wrestle with this subject, though,
meanwhile the companies are providing more and more encryption
apps. I mean, at what point do you think that we will be
prepared to take some sort of legislative action that would
enable you to get access to information and yet still provide
our companies with the--the kind of environment that they would
like us to provide?
Director Comey. I don't know.
Senator Hirono. And what is the timeframe for that?
Director Comey. I don't know, because I do think this is
a--one of the most complicated problems I've ever seen in
government, for the reasons that I have alluded to here,
including what you said about competitive harm. We do not want
to damage the engine of innovation that is America. And so we
have to figure out, so how can we maximize safety on the
internet and public safety in a way that makes sense for
America.
Now, it probably makes sense, we ought to figure out what
kind of people we want to be first, what makes sense for our
country. But I do think we've got to do that in league with
international partners, so we don't create a situation where
America is the only mover and that causes harm to our--our
companies.
Senator Hirono. I think that is a very important aspect of
what we need to do going forward on the ``Going Dark'' problem,
because it would be very unfair to our companies, as you say,
if we're the only country that requires a back door way to this
information. So I'm glad that that's on the table with--in our
discussions with our--with other countries.
So the president's review group, that's some--some other
people I have already mentioned. But they said very strongly
that we should not require a back door way. So in these
discussions, is the technical, you know, technology companies,
are they going to be at the table as we discuss going forward
and what might be appropriate legislative action?
Director Comey. They have to be, because I think we all
think no one size fits all. So you've got to figure out what
would work for different companies. And as I said before, I
think that is the source of the innovation. That is the source
of the creativity that we have to harness.
Senator Hirono. Thank you, Mr. Chair.
Chairman Burr. Senator Mikulski.
Senator Mikulski. Mr. Director, it's very nice to see you
again.
Mr. Chairman, thank you for having this hearing, as well as
the Vice Chair. I'd like to pick up on Senator Heinrich's
recommendation about an additional hearing on this subject from
the technical and civil liberties folks. In our briefing
materials, I read letters from the ACLU, whose views we so
value; The Software Alliance; and I saw a lot of criticism of
what we're pursuing here for some type of opportunity to not go
dark.
But I didn't see any solutions. I saw a lot of criticisms,
a lot of critiques, but I didn't see solutions. Now, I believe,
again as Senator Heinrich said and others, we have tremendous
technical know-how, and I believe that the people in Silicon
Valley are indeed very patriotic people and they don't want
drug dealers and international traffickers and child
pornographers to be able to get away with nefarious things.
So if we could actually perhaps get from those as well as
the civil liberties community, how we can start working to a
solution, that would be great.
Mr. Director, in this year's appropriations funding we
worked very hard to support you, both when I was chair of the
subcommittee that funds you, as now as Senator Shelby. We have
now put in $8.4 billion to fund you for this coming year. And
we also put in $483 million for cyber security. My question to
you is, do you feel that those resources and the type of
workforce you have is able to be flexible enough to meet the
ongoing threat?
This is a--and no, I'm not being critical of what you have,
but as you talk about the recruitment tools of ISIL, who are
pretty talented using Twitter and other forms of social media,
that's a whole different generation. And it's a whole different
generation than the original cyber warriors that were hired
under your predecessor. So do you feel you have enough
resources to be able to recruit the people needed to deal with
this, as well as the administrative flexibility to bring in
teams? This is not going to be your traditional agent. Could
you share with us, because we can have the best law in the
world, but unless you have the best workforce and the
flexibility and the resources to hire it, we're just creating
hollow opportunities?
Director Comey. Thank you, Senator. I think the answer is
yes and no. Yes, I believe that the Senate and this Congress is
giving us the resources I need for next year, the money I can
responsibly spend. But I face a threat obviously that continues
to grow, so I will be back to ask for additional help. But I
think you have given us what we can reasonably spend,
reasonably invest in.
And I think the answer is yes, I think I can attract the
talent. I cannot compete on dough, but the value proposition is
totally different. If you're interested in dough, you don't
want to work in the FBI, and that's--you didn't--you don't come
here to get rich. But so many young people want to make a
difference in the life of this country that they don't care
about the dough. They want to be part of addressing these
threats. That's pretty exciting, and so I'm optimistic
actually.
Now, once I get them in and they're here five, six years,
start to have a family and there's no cost of living
adjustment, maybe I start to lose their enthusiasm a little
bit, but that's a problem I'll deal with down the road. I've
got lots of smart young folks who want----
Senator Mikulski. But what about the flexibility--so here--
there's the--you investigate breaches and a variety of things.
You're also counterterrorism. That's the social media world
that you're now operating in. Even a modern director like
Director Mueller did not face what you have. He faced Al Qaeda;
you face a variety of other challenges, as you so clearly said.
Do you have the administrative flexibility to bring on people
as you need them that might not be the traditional trade routes
for recruitment of FBI personnel?
Director Comey. I think so. There's a couple of things
around that that I'm thinking about. But in the main the answer
is yes. One of the things we have to consider is should we look
at a different career proposition for people. Have them come--
once people come to the FBI, they almost never leave. They get
addicted to it. But should there be a model where they come,
then they go and do something in the private sector, then come
back? That's something we haven't done before, but that may be
a model I want to look at. But in the main, yes. I have the--
you've given me the flexibility.
Senator Mikulski. My last question, and I think perhaps
it's not appropriate to an open session. So we had three so-
called coincidences today: the fact that the technology has
failed at United Airlines, the New York Stock Exchange, as well
as the Wall Street Journal. I don't believe in coincidence. I
believe a coincidence is an event that we don't have an
explanation for. Is the FBI investigating these as breaches or
have you not been called in, or you're not able to say?
Director Comey. We----
Senator Mikulski. I was very troubled by these so-called
coincidences.
Director Comey. Yes, as was--obviously, that caught my
attention. We're not big believers in coincidence, either. We
want to dig into that. So we've been involved in--all three, in
contact with all three companies to understand what's going on.
And we do not see any indication of a cyber breach or cyber
attack. Actually, I think the Wall Street Journal piece is
connected to people flooding their website in response to the
New York Stock Exchange to find out what's going on. But it
looks--again, in my business you don't love coincidences, but
it does appear that there is not a cyber-intrusion involved.
Senator Mikulski. Thank you very much, Mr. Director.
Chairman Burr. Senator Collins.
Senator Collins. Thank you, Mr. Chairman.
Director, you've talked about the impact on terrorism cases
and your counter-terrorism efforts. And you've said that it's
very difficult to quantify what the impact is. But it's my
understanding that this morning in testimony before the
Judiciary Committee that the district attorney for Manhattan
said that in the past six months alone there have been 74 cases
where law enforcement had been stymied because they were unable
to get information from lawfully seized cell phones. Is that
accurate?
Director Comey. I saw that in the written testimony of
District Attorney Vance and so, knowing him, I believe it to be
accurate.
Senator Collins. As I look at this problem, which obviously
has ramifications, as some of my colleagues have pointed out,
for criminal cases as well as for counter-terrorism
investigations, would an option be to require the companies
themselves to be able to access the information to comply with
a lawful court order, not the government having the keys or a
back door in, but the company itself. Might that be a solution
to this problem?
Director Comey. Yes. And that's something the deputy
attorney general talked about this morning, that it's possible
to imagine a world where the companies figure out how to comply
in a way that maximizes security of their information and
complies with the judge's order, and that every company does it
in a slightly different way. Yes, that's a possible outcome.
Senator Collins. Now, there are some--most companies I
suspect that are involved in developing this end-to-end
encryption did so with the best of intentions. They were trying
to increase the security of the data of their customers. But do
you believe that there are some companies that have
intentionally developed this kind of system in order to thwart
their ability to respond to a lawful court order?
Director Comey. I don't know, with respect to the intent
question. I know there are companies that have, once they made
the decision, advertised it as a solution that would be immune
to a search warrant. Apple did that when they ruled out their
new phone. But I don't know that the intention of the original
change was to accomplish that result, if that distinction makes
sense.
Senator Collins. Well, it doesn't to me, because when a
company is advertising that the information would be safe from
a search warrant that's very troubling to me, because that to
me implies an intent to keep information away from law
enforcement despite the issuance of a lawful court order. And I
think most people involved in the encryption process in
developing these products would not want to thwart law
enforcement, whether it's for a criminal case or terrorism. But
that kind of advertising does trouble me. And I won't ask you
to respond to that.
I do want to switch to access to a different kind of
information that suggests how much we need a computer--a cyber-
security law. I just met with the CEO of a large bank. He
relayed to me an incident where the FBI knew that his bank had
been targeted for a cyber attack. Here's what he told me had to
happen.
He said that the FBI under current law could not
immediately go to this bank and convey the information. First,
they had to go to the bank regulators, the OCC regional office.
Then the information had to go from there to the OCC in
Washington. From there, it had to go to the Department of
Homeland Security. Then they had--the Department of Homeland
Security approved the FBI contacting the bank to warn them of
this imminent attack.
Well, obviously--and he said this all occurred over a
weekend. So it was difficult to reach people, there were cell
phones involved, et cetera. That's a terrible system. And we
need to be able to empower the FBI in real time to be able to
notify a financial services organization, the electric grid,
the air traffic control system, critical infrastructure, of an
impending attack. Would you agree with that?
Director Comey. Very much. And what you've described
surprises me because I think the way we operate is we call
them. If there's a threat to an institution of any kind, we've
developed relationships with their chief information security
officers, so what--I'm going to go back and track--maybe you
can privately give me the information.
Senator Collins. I will privately----
Director Comey. Because it's not the way I understand it
works or is supposed to work.
Senator Collins. Well, this incident really troubles me,
because by the time the information got to the proper people at
the bank, it is nothing short of a miracle that the cyber
attack hadn't already occurred.
Thank you, Mr. Chairman.
Chairman Burr. Senator Warner.
Senator Warner. Thank you, Mr. Chairman.
Director Comey, good to see you again, and let me add my
comments to my colleagues' about the good work that you and the
people of the FBI do.
Building on Senator Collins' comment, I think again, even
if this was a one-off, a notion that there's not clarity and a
single point of contact is--speaks volumes about the need to at
least take forward the legislation that this Committee passed
in a bipartisan way and at least take a first step, it's not
going to solve all the problems, but I think it would be a
significant step forward.
I have some technology background. I've--I have had some
conversations with companies in the IT space and the encryption
space who once they've created this entity I think in a sense
are starting to understand the potential problems that are
being created. Can you speak to any of that in terms of a
recognition that, under the guise of either privacy or business
protections, of a growing recognition within particularly the
IT community that this is very much a double-edged sword and
may have created a monster that is not controllable?
Director Comey. Thank you Senator. I meant what I said. I
think they are good people, and I--look, it's not their job to
worry about public safety. And so I don't think it's something
that's front and center for them. I think what's happened is,
particularly this ISIL threat and how real it is and everywhere
has focused them. And so they see it, and so we're having
productive conversations. Again, they don't want people to die;
they don't want kids to get kidnapped. These are regular folks.
And so that's why I'm excited about the prospect of harnessing
that innovation.
They are good people who want to have successful businesses
and they want to protect their country. And so--again, I'm not
a naysayer. I know here people write papers that say it's just
too hard, and I'm not buying that, because I don't think the
great people of Silicon Valley and other places have said: You
know what, let's see what we can do in a way that protects that
which we have built and the country in which we live.
Senator Warner. And Mr. Chairman, I'd just say I've got a
series of these companies in Virginia and when the hundred-plus
military personnel and their families' names were publicized in
an attempt to intimidate, I think it woke up in at least the
Commonwealth of Virginia a lot of IT companies about the notion
of how very real and how obscene some of the actions that this
ISIL group does in terms of threatening people.
Let me move to--Senator Mikulski asked the question I was
hoping to ask about the three events today and I hope you will
get back to us. But I'm going to raise another issue that I
think there has been a great deal of confusion around and
concern about, and that's the OPM breach. We're literally
months into this now and continue to get a series of different
answers in terms of numbers. I've been very disappointed by
OPM's reaction post-breach in terms of assuring those Federal
employees current and past, both in terms of what actions the
government's going to take to protect them going forward and
some of the subcontractors they've been using and how ill-
equipped they've been.
Not your topic, but if you can perhaps give a little more
clarity about the overall scope of that attack within the
confine or within the context of this public hearing? There's
an awful lot of people listening for those kind of answers.
Director Comey. It's something I have to approach carefully
in an open hearing. And I know that the administration, OPM in
particular, is working and is close to offering a more--a
public and more detailed accounting of what we think was lost.
But it is an enormous breach and a huge amount of data that is
personal and sensitive to Federal employees, former Federal
employees, people who applied for Federal employment was
available to the adversary. And we have to--we have to assume
that it was looked at and or ex-filled. So we--we're talking
about millions and millions of people affected by this.
And the challenge of it is it's not just--I'm sure the
adversary has my SF86 now. My SF86 lists every place I've ever
lived since I was 18, every foreign travel I've ever taken, all
of my family, their addresses. So it's not just my identity
that's affected. It's, you know, I've got siblings, I've got
five kids, I've got--all of that is in there. And so the
numbers quickly grow far beyond the number of Federal
employees, which is millions over the last 20 years. And so it
is a very, very big number. It is a huge deal.
Senator Warner. And I understand an active investigation.
But I also know that we're now running on 60 plus days,
actually, more than a year since the first breach. And the lack
of a single answer or even some sense of that answer overall
from the administration is very troubling.
Thank you, Mr. Chairman.
Chairman Burr. Senator McCain. John, cut on that
microphone, would you.
Senator McCain. Is it true that you have stated on several
occasions that ISIS poses over time a direct threat to the
United States of America?
Director Comey. Yes.
Senator McCain. And that is the case today?
Director Comey. Yes. Every day, they're trying to motivate
people here to kill people on their behalf.
Senator McCain. And every day that they take advantage of
this use of the internet which you have described by going to
unbreakable methods of communicating, the more people are
recruited and motivated to--here in the United States and other
countries, to attack the United States of America; is that
true?
Director Comey. Yes, sir.
Senator McCain. So this is not a static situation. This is
a growing problem as ISIS makes very effective use of the
internet, is that correct?
Director Comey. That's correct, sir.
Senator McCain. So in all due respect to your opening
comments, this is more than a conversation that's needed. It's
action that's needed. And isn't it true that over time the
ability of us to respond is diminished as the threat grows and
we maintain the status quo?
Director Comey. I think that's fair.
Senator McCain. So we are now--and I've heard my
colleagues, with all due respect, talking about attacks on
privacy and our constitutional rights, et cetera. But it seems
to me that our first obligation is the protection of our
citizenry against attack which you agree is growing, is that a
fact?
Director Comey. With respect to the--I agree that our--that
is our first responsibility. I also agree----
Senator McCain. So the status quo is not acceptable if we
support the--the assertion that our duty is to protect the
lives and property of our fellow citizenry as our first
priority, is that--do you agree with that?
Director Comey. I agree that this is something we have to
figure out what to do about.
Senator McCain. So now we have a situation where the major
corporations are not cooperating and saying that if we give the
government access to their internet that somehow it will
compromise their ability to do business, is that correct also?
Director Comey. That's a fair summary of what some have
said.
Senator McCain. So we are discussing a situation in which
the U.S. Government, i.e. law enforcement and the intelligence
community, lack the capability to do that which they have the
authority to do; is that correct?
Director Comey. Certainly with respect to the interception
of encrypted communications and accessing locked devices, yes.
Senator McCain. So we're now in an interesting situation
where your obligation is to defend the country and at the same
time you're unable to do so because these telecommunications--
these organizations are saying that you can't and are devising
methodology which prevents you from doing so if it's the single
key only used by the user, is that correct?
Director Comey. I wouldn't agree, Senator, that I'm unable
to discharge my duty to protect the country. We're doing it
every single day using all kinds of tools.
Senator McCain. Are you able to have access to those
systems that--which only have one key?
Director Comey. No. We can't break strong encryption.
Senator McCain. So you can't break it. And that is a
mechanism which is installed by the manufacturer to prevent you
from using the--that there's only one key that is available to
them--to you.
Director Comey. That's correct.
Senator McCain. So suppose that we had legislation which
required two keys, one for the user and one that, given a court
order, requiring a court order, that you would be able to, with
substantial reason and motivation for doing so, would want to
go into that particular sight. What's the problem with that?
Director Comey. Well, a lot of smart people, smarter than I
certainly, say that would have a disastrous impact on broader
security across the internet, which is also part of my
responsibility to provide that.
Senator McCain. Do you believe that?
Director Comey. I'm skeptical that we can't find a solution
that overcomes that harm. But a lot of--a lot of serious people
say: Ah, you don't realize; you'll rush into something and it
will be disaster for your country because it'll kill your
innovation, it'll kill the internet. That causes me to at least
pause and say, okay, well, let's talk about it.
Senator McCain. Yes. But we've just established the fact
that ISIS is rushing into trying--attempting to harm America
and kill Americans, aren't we?
Director Comey. They are.
Senator McCain. So I say, with respect to my colleagues and
their advocacy for our constitutional obligations and rights,
that we are facing a determined enemy who is as we speak,
according to you and the Director of Homeland Security, seeking
to attack America, destroy America and kill Americans.
So it seems to me that the object should be here is to find
a way not only to protect Americans' rights, but to protect
American lives. And I hope that you will devote some of your
efforts and I hope this Committee and I hope the Congress will
understand the nature of this threat and to have--to say that
we can't protect Americans' constitutional rights and at the
same time protect America is something that I simply won't
accept.
I thank you, Director Comey.
Chairman Burr. Senator Blunt.
Senator Blunt. Thank you.
Director, thank you for being here and thank you for the
work you do. Following up on the comments that Chairman McCain
made, what are we really focused on here? A--the recruitment of
somebody who's not already in a terror network? And the reason
I'm asking this, it seems to me that if you want to use
encrypted equipment from some other country and two of you were
committed to do that, you could do that.
I mean, when I'm out of the country, I can get on the
internet, the wireless out of the country, the wireless
network, use the equipment that I took with me, which is
certainly not something I purchased there. So what I'm asking
is if--even if we did something about encryption here, I'm no
technical expert, but it seems to me that wouldn't stop two
people who plan to communicate with each other on devices they
got somewhere else from doing that.
Is there something here I don't understand about that? And
then the other part of the question is, or is our real target
here to monitor the recruiting efforts or the internal efforts
of people who aren't in a terror network but are talking in the
United States among themselves about doing terrorist things?
Director Comey. Thank you, Senator. The recruitment tends
to take place in a way that we with lawful process can see it
either--usually on Twitter or Twitter Direct Messaging, which
are not encrypted. And then if it looks productive to the ISIL
recruiters, they move them to the end-to-end encrypted
communication. And so a major concern is what are the guys in
Syria telling these guys and what are they telling them back,
and what are they saying to their buddies using encrypted
platforms in the United States? So it's both the international,
right, and the local within the network in the United States.
Senator Blunt. I guess what I'm asking is, if the
international encrypted equipment is still available, is there
anything we can do that stops that from being a problem that
you can't penetrate?
Director Comey. I think the answer is--again, I'm not an
expert--if the servers are located entirely outside the United
States, that we would have a heck of a time enforcing a regime
that would require them to give us access.
Now, I suppose an expert might say to you, well, but if it
transits to United States, there's some way we can--we can
impose our will on it. I just don't know well enough to
evaluate that. So I do think one of the challenges that people
have raised with us is to say, even if we fix our problem, you
have to address it in some fashion internationally, because the
really bad guys will move to infrastructure that is in Western
Europe.
And so to solve your problem, people say, you've got--
America has got to get its act together, and it's the big dog
so you probably ought to do it first. Then your colleagues and
allies in Western Europe have to get their act together to make
sure there isn't a safe haven there. Now, that still leaves you
with people who might want to move their infrastructure to some
other less well governed part of the world. So you're always
going to have a small part of that problem. But I think the
main part of the problem could be dealt with with North America
and Europe focusing on it.
Senator Blunt. And is Europe focusing on it?
Director Comey. Yes. As you--as I think I said earlier, the
U.K. and France, they're a little bit ahead of us on this, the
French in particular in the wake of Charlie Hebdo and the--and
the Brits. Both--I know the British better--have legislation
that requires access to communications. Their challenge is the
reverse of what you're saying. The infrastructure is in the
United States on which they want to compel access. And so
trying to figure out how to deal with that is a--is a challenge
we're still working through.
Senator Blunt. And so the infrastructure is really the
target, as opposed to the device somebody might be using? Even
if the device is encrypted, what infrastructure it goes through
may or may not accept that encrypted message?
Director Comey. Well, I think the reason I was talking
about the infrastructure is that would give you the ability to
compel some--to impose a requirement that that provider, the
owner of that infrastructure that sits in your country, comply
with American law to give judge--traditional orders to make
them effective.
The challenge is, if the infrastructure is not in the
United States, who are you compelling to give the judge's order
effect?
Senator Blunt. Mr. Chairman, I think I'm joining the group
that's suggesting we have a more technical--does not--not to
diminish either your ability in this area or mine. And probably
in a closed session, so we could ask questions without being
concerned about anybody telling us something that everybody in
the world doesn't necessarily need to know so we'd understand
this.
But I think we have a bigger problem than we can deal with
on our own, and to fight a big fight here that is easily evaded
by somebody who wants to evade it would be of concern to me.
But in conjunction with others who are perhaps even ahead of us
on this, I think the director makes a--makes a good point that
we need to be sure we all understand.
Chairman Burr. I assure the Senator that Senator Feinstein
and I were up conversing already about how we put together
another hearing, if not a series of hearings, to try to get
into this a little bit deeper and to better understand, along
with the director, what our options might be as we proceed
forward.
This is--this is something I would recommend to all the
members that they become educated in on a periodic basis,
because this is not the end of technological advances.
Therefore it's not the--this is not the last challenge we're
going to be faced with from a technology standpoint.
Senator Lankford.
Senator Lankford. Thank you Mr. Chairman. And you're right,
this is not the last one we're going to deal with. This is the
latest technological battle we're going to deal with.
Director Comey, thank you for all your work and please pass
on to the folks who worked some very long hours leading up to
July the 4th our appreciation for what they did for the Nation
and for the citizens of my State and people all over the
country. We do appreciate their work very much and you have a
terrific team.
The challenge that we face on this is not only the
technology side in dealing with terrorism; it's also the
benefit that is gained from this. I would tell you the folks at
OPM would be glad to talk about encryption and the value of
that right now. If they had kept their data in a more encrypted
location and stored it better and had greater security on this,
whether that be retailers around the country, whether that be
banks, whether it be government agencies, we are benefiting
from encryption and from the technology that has been invented.
The hard part of this is the other side of it. And so what
I'd like to talk about is we've got to have some kind of
balance in the conversation because we absolutely need
encrypted technology because we are very exposed and we're
finding out all the ways that our information is exposed and so
we need that technology to continue to advance on one side as
we deal with cyber security, but on basic law enforcement and
on real threats for physical security, we've got to have a
different ability, and I think that's the complicating factor
of this.
With that in that conversation, talk to me a little bit
about some legal frameworks here. If someone goes on social
media and they have child pornography, that's a criminal issue.
If someone goes on to social media and says, Here's a group of
people to kill and we'd like you to kill them and here's some
ideas to do that, talk to me about the legal frameworks between
the two. Because there's a step before this when they move
encryption that is the recruiting and that recruiting side is a
group of individuals that are recruiting based on, we're
looking for people who actively believe like we do, which is
not the problem, but that will also act out and kill people.
Help me understand some of the legal frameworks there?
Director Comey. Well, the--if someone is on social media
talking about the possibility or offering any kind of criminal
activity, which includes terrorism because it's a criminal act
as well, that that's obviously a predicate for an FBI
investigation and for us using our lawful tools, including
judicial orders, to find out what's going on there and who are
these people.
Senator Lankford. Okay. So I'm really talking the step
before that then, and that's where you're not talking about
now, that social media side of that. What does that trigger at
that point, or is that you begin the investigation, you begin
the process obviously of trying to track this down because
they're encouraging a criminal act on American soil.
But then you've got extra communication that's happening
now on the encrypted level; is that what I'm picking up?
Director Comey. Yes. Right. What's happening is they're
broadcasting out this poison through Twitter. They have 21,000
followers now in English and they'll have Twitter-following
communications so it tweets back and forth. Then they may have
direct messaging through Twitter.
All of which again with lawful process we can get access to
and evaluate. And if it looks like someone--and here's the way
ISIL operates. If the person appears to be serious, they will
then say: Okay, move to this mobile messaging app which is
encrypted end-to-end. And that's when we lose them. And so--and
we have--as I said earlier, we have no ability--If we intercept
that mobile messaging app data traveling back and forth, we can
intercept the data, but it's gobbledygook and we can't break
that encryption.
Senator Lankford. Yes. Right. Yes, that part I understand.
So the social media platforms, they still see no issue, once
it's clearly known that this is an illegal activity that's
happening on their platform? Is their response to say ``You
can't do that on our platform?'' Or their response is, ``Hey,
we're just open for anything whether it's prostitution, child
porn, or terrorism; you can use it?''
Director Comey. Oh, I'm sorry. I misunderstood the
question, Senator. They're being quite good about this,
frankly, and it's gotten increasingly good over the last year.
Twitter does not want people engaging in, soliciting,
advertising criminal activity of any sort on their social media
platform. But they're being particularly aggressive at shutting
down and trying to stop ISIL-related sites. I think it actually
led ISIL to threaten to kill their CEO, which helped them
understand the problem in a better way. And so it's a--they are
being quite good about that.
Senator Lankford. Okay. And then you've alluded twice now
to the U.K. and France are a little bit ahead of us on this,
and then you said that they're discussing this. Can you give us
greater detail to what they're discussing? When you say they're
a little bit ahead of us on this, I think it's a rare moment
for Europe to be ahead of us on anything, but that's a whole
different issue. So help me understand what you mean by that?
Director Comey. Right. I don't want to swell the Brits'
heads. They're a little bit ahead of us, but then they're not.
So let me explain what I mean by that. They have passed
legislation that's called ``DRIPA''--I don't remember what that
stands for--that imposes data retention requirements on
communications providers and then also imposes access
requirements that the providers must comply with lawful orders
for data that's moving on their network.
So they're ahead of us in that they've passed the
legislative package that addresses in part what we're talking
about here. Where they're not ahead of us is, they have to
figure out, so how will that work when all the providers are in
the United States? And so how will they enforce their
legislation if they want data from someone who's located in
California and all the infrastructure's in California? How will
they actually make that a reality?
Senator Lankford. Okay, thank you.
I yield back.
Chairman Burr. Senator Risch.
Senator Risch. Thank you, Mr. Chairman.
Director Comey, those of us on this Committee meet
regularly with heads of state and people like you from other
countries. Interestingly enough, their top question to us
always is and their top concern to us is similar to what we get
from the American press and the American people. And that is
that this whole thing has gotten to the point where the most
serious problem is these lone wolf people who are either
inspired or directed from out of their country to do something.
And of course, the most recent horrific example is what
happened in Tunisia just last week. And without--obviously we
are in an open session, I understand that. But I'd like to give
you the opportunity to talk to the American people and tell
them how--what a--what a concern this is for you, how this fits
into your priorities, and what you're doing about this in
matters that are unclassified. Could you do that for me please?
Director Comey. Sure. Thank you, Senator. ISIL is reaching
into the United States, to all 50 States, trying to motivate
troubled souls and increasingly kids to either come to their
caliphate or kill where you are. And social media, this
investment in buzzing in your pocket all day long, actually
works. It works to sell shoes, it works to sell cars, it works
to motivate troubled souls to do bad things. We are now reaping
the results of a year-long effort by ISIL to invest in this
social media push, which is why you see so many arrests by the
FBI. These are our disruptions stopping people from going and
shooting innocent people or trying to behead them.
And so this is going on all over the place. We're working
very, very hard on it. I want the American people to know about
it because it's an important thing, but we also need their
help. In almost every case, someone saw something. Someone saw
something weird that didn't seem right. We've got to get folks
just to tell us. I mean, human nature is to write an innocent
narrative over the hair standing up on the back of your neck
and say: I must have misunderstood; he must be having a bad
day. Okay, if it's just a bad day there won't be a problem. We
investigate in secret so we don't smear innocent folks.
But we've got to get folks, when they see something that
makes the hair stand up on the back of their neck, say, that
guy doesn't seem right, and tell somebody, so that we can check
it out, right? We need the help--because this spans all 50
States, we've got State and local law enforcement helping us
all around the country. We need the good folks of America, if
they see something that seems out of place just say something
and we'll check it out. You can tell any police officer, any
deputy sheriff in the entire United States. Since 9/11 we have
gotten our act together and that information will get within
minutes to the right people.
Senator Risch. Director Comey, thank you for that, and I
appreciate what you do and what your organization does. And we
all know that you've got to be right every day 100 percent of
the time. They've only got to be right once.
And so you're doing--you're a good job, and keep up the
good work. Thank you.
Thank you, Mr. Chairman.
Chairman Burr. Thank you Senator.
Director, we're going to take just a few more questions and
I'll just make this note for members. We've got a series of
five stacked votes starting at 4:30.
I want to try to sort of wrap a lot of things that you
talked about because people have asked individual pieces of
this question on ``Going Dark.'' Is your--is your greatest
concern finding the balance between what we ask phone companies
or service providers or manufacturers to do to their products
or their system and where the breakpoint is before they become
a foreign company versus a domestic company, where I would take
from what your folks said to you, when you get to the point
you've chased them out of the country you've just made your
problem much worse versus better. Can you help us dissect that?
Director Comey. Yes. The reason this is the hardest problem
I've seen in my career in government is we have important
public safety issues that we've talked about that I think
everybody agrees are implicated by the universal strong
encryption. And then we've got innovation, which is
unbelievably important. It's the engine of our amazing country.
And we've got security.
As a number of Senators have said, I care a lot about cyber
security. I love strong encryption. So how do we take those
all--those things we care about, innovation and jobs, security
on the internet and security for ordinary people from crime and
terrorism, how do we maximize them all? How do we optimize them
all? And as I said, some smart people say: Well, if you do
anything, it will destroy the internet or it will chase all the
business overseas.
And so I do think we have to engage on the technical
solution with smart people and creative people and we need to
think about is there an international aspect to this? And
again, I'm making this up, but ought not the civilized rule of
law countries agree upon a framework that makes sense?
Sometimes people say to me: Well, if we do this for you, we've
got to do it for China. And my response is: Well, if China
wants you to do for me--for them what I want you to do, which
is require me to go to an independent judge, show probable
cause, get a written order, right, be subject to all this, that
would be great for the Chinese people. I don't think China
wants you to do what I want you to do. So I'm less worried
about what we agree to being used against us in China.
But I am worried about this point that's raised about
chasing business to other parts of the Western world, which is
why I think we've got to be thoughtful about it.
Chairman Burr. Well, we certainly--we get that part and
we're going to follow that up with some tech company questions
at a hearing.
Now, before I turn to the Vice Chairman, I want to give you
one opportunity. If there's something you want to share with
the American people that you haven't already talked about as it
relates to the Bureau, I want to give you the opportunity to do
that about your folks at the Bureau and what the Bureau does
and why the American people should care whether you're
successful.
Director Comey. Well as I said earlier, I--we work for the
American people. We are the--I hope a lot of folks know folks
in the Bureau. We're ordinary people who've chosen to do this
with our lives. We use the tools you gave us. And I'm here not
to scare the American people, but to say to the owners of the
FBI: I've got a problem; I need help fixing it so that I can
continue to do my job.
But make no mistake about it, the folks who work for me,
we're going to stay at it every single day round the clock. And
if this tool goes away, okay, we'll do our absolute best. But
we think it would be irresponsible not to tell the
shareholders, the people who own the FBI, the challenges we're
facing so that we can figure out whether we can address it.
But my folks that--you know, on TV sometimes we look great,
sometimes not. In movies sometimes good, sometimes not. In
movies the director is often doing exciting things that I would
rip an Achilles doing. But we are ordinary people who've
chosen, not to make a good living but to make a different kind
of life. We love this work. We love working for you, right? And
we're simply here to tell you, sort of give you a status report
on how's it going with the tools you've given us.
Chairman Burr. Vice Chair.
Vice Chairman Feinstein. Thanks, Mr. Chairman.
We--this Committee passed out its intelligence
authorization bill I think on June 24th. And in that bill we
put a provision which would require technology companies to
inform the appropriate authority when they obtain knowledge of
terrorist activity. Now, this is modeled after an existing law
which requires technology companies to notify authorities about
cases of child pornography, but it doesn't require companies to
monitor any user, subscriber, or customer. It is really the
beginning of saying: Look, Look, Mr. and Mrs. American
Technology, you have a responsibility, too. What do you think
of that?
Director Comey. It's an interesting idea. I've heard about
it. My folks have told me about it. I haven't read it or
studied it and so I haven't--I frankly can't give you an
intelligent answer. It's an interesting idea. I do find in
practice that they are pretty good about telling us what they
see so--that's a--I have to give you a non-answer.
Vice Chairman Feinstein. Well, it's really simple. We do
that for child pornography. Don't you think we should do it for
possible terrorist acts?
Director Comey. Maybe, but I haven't heard--I'd want to
hear out the other side.
Vice Chairman Feinstein. Oh, dear.
Director Comey. I want to make sure I'm not missing
something. Again, I haven't read it. I'm dumb enough when I
know something. This is something I haven't studied enough to
give you an intelligent answer.
Vice Chairman Feinstein. Okay.
Thanks, Mr. Chairman.
Chairman Burr. Senator Wyden.
Senator Wyden. Mr. Comey, one last question. If the United
States were to require our companies doing business here to
ensure government access to encrypted communications, would you
expect that foreign governments would create the same
requirement for companies operating there?
Director Comey. I think they might or might try to.
Senator Wyden. And I will tell you that in my view would
clearly be the outcome. I think that would make American
individuals and businesses more vulnerable to surveillance by
foreign governments.
And I just want to leave you with one last thought. I've
been on this Committee for 14 years, so I kind of get a sense
where something is headed. And I think, Mr. Director, where
this is headed is towards proposals for some kind of stockpile
of encryption keys. I don't think we have it fleshed out where
Senators are going to want to go, but I get the sense that's
where this is going, that there should be some kind of stock
pile of encryption keys for the government to access.
I just want you to know that I'm willing to work with you
on ideas here but I think this proposal is a big time loser.
It's a on ideas here, but I think this proposal is a big-time
loser. It's a loser on security grounds for the reasons that
I've mentioned. It is a retreat on privacy. And I think it will
do great damage to our cutting-edge digital companies that have
jobs and pay good wages.
So I hope we're not going to go there. I just want you to
know my sense, having listened to a couple of hours of this and
listening to this morning's testimony, where I think this is
headed and I think it is the wrong way to proceed.
Thank you, Mr. Chairman.
Chairman Burr. Senator Heinrich.
Senator Heinrich. Director Comey, you've heard this before,
but I want to say it again. Please thank all of your personnel,
not just for their efforts in recent weeks but their efforts
that go unsung year in and year out.
I want to thank you in particular for the amount of
humility that you've shown today. I think it's really helpful
at wrapping our heads around how we should proceed on this
because I think--I think the most dangerous thing is to jump to
a solution that turns out to be the wrong solution.
I have some ideas that I won't share in open session, that
I'll share with you and share with my colleagues here, about
places we should be investing right now to address some of
these concerns. And I'll just reiterate, I think we would be
making a mistake if we immediately jump forward and say we
passed a law tomorrow that prohibited strong end-to-end
encryption with temporary expiring keys, and effectively what
we did under that scenario, or at least what I would fear, is
that a terrorist or a criminal would simply download an app
from Pakistan or somewhere else that would allow them to get
around this scenario. And it would put our Americans' data at
risk, while protecting theirs effectively.
So I think we just need to think through all of that to
make sure that at the end of the day, we're getting at the
people who are causing the problem and we're not building in
weakness into the protection of our country's data, be it the
government or just individuals who expect their financial data,
their healthcare data, all the things that we use online now,
to remain--to remain private.
So with that, once again, I would ask you to share any
final thoughts and thank you for realizing that there are going
to be a lot of questions and realizing that we're not going to
have all the answers immediately and we shouldn't jump to
answers before we completely understand the problem.
Director Comey. Well, thank you, Senator. I agree that
something has to be approached carefully. As I said, I think
it's the hardest problem I've seen in government. The stakes
are very, very high on all sides of this.
I think we care about the same things whether we're from
industry or government, and I think that's one of the great
things about this country. We do hard stuff when we talk about
it together and figure out together, especially when the whole
effort is around shared values.
Senator Heinrich. I'll leave you with one last thought.
We've heard a lot about the amazing innovations of Silicon
Valley and I would tend to agree that, especially on the
business front, incredible stuff comes out of there all the
time. I think as we seek a solution to some of these things, we
should not forget the incredible innovations that come out of
our national laboratories. And some of--some of those solutions
may make even better sense in this scenario.
So thank you once again, Director.
Chairman Burr. Thank you, Senator Heinrich. I'd think less
of you if you didn't get that plug in there on the lab before
you left.
And I won't speak for the Vice Chairman but, you know, if
anything I've been a little frustrated, frustrated that nobody
in the administration, no agency, is coming up and saying:
Here's what we think we need. I mean, we've been talking about
``Going Dark'' for some time and I think you deserve a
tremendous amount of credit for your restraint. Don't know that
we know the answer yet, therefore we're not laying proposals on
the table. We're not up saying: Here's a solution we think
might work. We're--we'll come when we've got a solution we know
will work, we know we can do.
So I commend you for that. I hadn't heard anybody talk
about thousands of keys until today. I'm sure there's some that
sit at home at night and are concerned that maybe that's the
choice we'll make. If it were that easy, I think we'd already
have a solution proposed to us and we'd be considering
legislation and Dianne and I would be hashing it out with our
members. The fact is that we know that that's not going to meet
the test of getting legislation, one, through Congress; two,
possibly signed into law. And I think we're just as challenged
as you are, Director, about what the solution is. We want to--
we want to be part of the solution. We want to work with you.
I think it's safe to say that we're probably going to have
some hearings. They may be closed, they may be open. CEOs of
tech companies, the privacy groups. We're going to try to reach
out to some experts. Not with the belief that we're going to
come up with a solution that you haven't come up with, but that
we're going to be knowledgeable enough as we go down that road
together to write legislation that both sides are confident of
where we're going and we're fairly confident that it's going to
be beneficial to the end goal, which is defending the American
people.
So let me just add one note. When I left prior to the 4th
after doing this now for 15 years since 2000, I was convinced
that we were going to have an incident before I came back this
Monday. It didn't happen. And I am convinced it did not happen
because the Bureau and the intelligence community worked like
it's designed to work, and you asked your folks all around the
country to go on a different schedule and they did and they
were on that tempo for weeks and may still be there.
And the fact is that we were able to thwart a lot of things
early and maybe postpone some things that might have happened.
Your folks deserve a tremendous amount of credit and the entire
intelligence community does. We know this is not going away
with the 4th of July. Ramadan stays vibrant for a few more
weeks. There will be another national holiday and there'll be a
target and we'll pick up on some things. But we also have to
recognize the fact that we've got some areas that we're going
to be making decisions without the information we've had in the
past because of the communication tools that these folks are
using.
We want to be able to address this as quickly as we can so
that we can return to as robust of information sharing between
intelligence and law enforcement, so that your folks feel
confident they can do what they're asked to do versus just
hoping that we're putting on a good enough face on Saturday
that we're scaring the enemy or the opponent that well.
But you deserve a tremendous amount of credit for how over
the last three or four weeks the Bureau has defended the
American people. And for that, please give our regards to all
at the Bureau.
And with that, Director, thank you for being here. Sorry
that you had to pull a double-header today, but you're a strong
guy. And hopefully your Achilles is still there. This hearing
is adjourned.
[Whereupon, at 4:20 p.m., the hearing was adjourned.]