[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

DECIPHERING THE DEBATE OVER ENCRYPTION: INDUSTRY AND LAW ENFORCEMENT PERSPECTIVES

=======================================================================

HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES

ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION

__________

APRIL 19, 2016

__________

Serial No. 114-136

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
20-696 WASHINGTON : 2017

COMMITTEE ON ENERGY AND COMMERCE

FRED UPTON, Michigan
Chairman

JOE BARTON, Texas                       FRANK PALLONE, Jr., New Jersey
  Chairman Emeritus                       Ranking Member
ED WHITFIELD, Kentucky                  BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois                  ANNA G. ESHOO, California
JOSEPH R. PITTS, Pennsylvania           ELIOT L. ENGEL, New York
GREG WALDEN, Oregon                     GENE GREEN, Texas
TIM MURPHY, Pennsylvania                DIANA DeGETTE, Colorado
MICHAEL C. BURGESS, Texas               LOIS CAPPS, California
MARSHA BLACKBURN, Tennessee             MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                         JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana                G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio                   DORIS O. MATSUI, California
CATHY McMORRIS RODGERS, Washington      KATHY CASTOR, Florida
GREGG HARPER, Mississippi               JOHN P. SARBANES, Maryland
LEONARD LANCE, New Jersey               JERRY McNERNEY, California
BRETT GUTHRIE, Kentucky                 PETER WELCH, Vermont
PETE OLSON, Texas                       BEN RAY LUJAN, New Mexico
DAVID B. McKINLEY, West Virginia        PAUL TONKO, New York
MIKE POMPEO, Kansas                     JOHN A. YARMUTH, Kentucky
ADAM KINZINGER, Illinois                YVETTE D. CLARKE, New York
H. MORGAN GRIFFITH, Virginia            DAVID LOEBSACK, Iowa
GUS M. BILIRAKIS, Florida               KURT SCHRADER, Oregon
BILL JOHNSON, Ohio                      JOSEPH P. KENNEDY, III,
BILLY LONG, Missouri                      Massachusetts
RENEE L. ELLMERS, North Carolina        TONY CARDENAS, California
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota

Subcommittee on Oversight and Investigations

TIM MURPHY, Pennsylvania
Chairman

DAVID B. McKINLEY, West Virginia        DIANA DeGETTE, Colorado
  Vice Chairman                           Ranking Member
MICHAEL C. BURGESS, Texas               JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee             KATHY CASTOR, Florida
H. MORGAN GRIFFITH, Virginia            PAUL TONKO, New York
LARRY BUCSHON, Indiana                  JOHN A. YARMUTH, Kentucky
BILL FLORES, Texas                      YVETTE D. CLARKE, New York
SUSAN W. BROOKS, Indiana                JOSEPH P. KENNEDY, III,
MARKWAYNE MULLIN, Oklahoma                Massachusetts
RICHARD HUDSON, North Carolina          GENE GREEN, Texas
CHRIS COLLINS, New York                 PETER WELCH, Vermont
KEVIN CRAMER, North Dakota              FRANK PALLONE, Jr., New Jersey (ex
JOE BARTON, Texas                         officio)
FRED UPTON, Michigan (ex officio)

C O N T E N T S

----------

Hon. Tim Murphy, a Representative in Congress from the Commonwealth of Pennsylvania, opening statement
    Prepared statement
Hon. Diana DeGette, a Representative in Congress from the state of Colorado, opening statement
Hon. Fred Upton, a Representative in Congress from the state of Michigan, opening statement
    Prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, opening statement
    Prepared statement

Witnesses

Ron Hickman, Sheriff, Harris County, Texas
    Prepared statement
Amy Hess, Executive Assistant Director for Science and Technology, Federal Bureau of Investigations
    Prepared statement
    Answers to submitted questions \1\
Thomas P. Galati, Chief, Intelligence Bureau, New York City Police Department
    Prepared statement
    Answers to submitted questions
Charles Cohen, Commander, Office of Intelligence and Investigative Technologies, Indiana State Police
    Prepared statement
    Answers to submitted questions
Bruce Sewell, General Counsel, Apple, Inc.; Amit Yoran, President, RSA Security
    Prepared statement
    Answers to submitted questions
Amit Yoran, President, RSA Security
    Prepared statement
    Answers to submitted questions
Matthew Blaze, Associate Professor, Computer and Information Science, School of Engineering and Applied Science, University of Pennsylvania
    Prepared statement
    Answers to submitted questions
Daniel J. Weitzner, Principal Research Scientist, MIT Computer Science and Artificial Intelligence Lab, and Director, MIT Internet Policy Research Initiative
    Prepared statement
    Answers to submitted questions

Submitted Material

Subcommittee memorandum
Statement of the Consumer Technology Association, submitted by Mr. Murphy
Statement of TechNet, submitted by Ms. Eshoo
Document binder \1\

----------

\1\ The information can be found at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=104812.

DECIPHERING THE DEBATE OVER ENCRYPTION: INDUSTRY AND LAW ENFORCEMENT PERSPECTIVES

----------

TUESDAY, APRIL 19, 2016

House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.

The subcommittee met, pursuant to call, at 10:00 a.m., in room 2123, Rayburn House Office Building, Hon. Tim Murphy (chairman of the subcommittee) presiding.

Present: Representatives Murphy, McKinley, Burgess, Blackburn, Griffith, Bucshon, Brooks, Mullin, Hudson, Cramer, Upton (ex officio), DeGette, Tonko, Yarmuth, Clarke, Kennedy, Welch, and Pallone (ex officio).

Also Present: Representatives McNerney and Eshoo.

Staff Present: Rebecca Card, Assistant Press Secretary; Paige Decker, Executive Assistant; Melissa Froelich, Counsel, Commerce, Manufacturing, and Trade; Giulia Giannangeli, Legislative Clerk, Commerce, Manufacturing, and Trade; Jay Gulshen, Staff Assistant; Charles Ingebretson, Chief Counsel, Oversight and Investigations; John Ohly, Professional Staff, Oversight and Investigations; Tim Pataki, Professional Staff Member; David Redl, Chief Counsel, Telecom; Dan Schneider, Press Secretary; Dylan Vorbach, Deputy Press Secretary; Gregory Watson, Legislative Clerk, Communications and Technology; Ryan Gottschall, Minority GAO Detailee; Tiffany Guarascio, Minority Deputy Staff Director and Chief Health Advisor; Chris Knauer, Minority Oversight Staff Director; Una Lee, Minority Chief Oversight Counsel; Elizabeth Letter, Minority Professional Staff Member; Tim Robinson, Minority Chief Counsel; Matt Schumacher, Minority Press Assistant; Ryan Skukowski, Minority Policy Analyst; and Andrew Souvall, Minority Director of Communications, Outreach and Member Services.

Mr. Murphy. Good morning, and welcome to the Oversight and Investigations Subcommittee hearing on ``Deciphering the Debate over Encryption: Industry and Law Enforcement Perspectives.'' Before I start with my statement, I want to let our witnesses and other people know we have multiple hearings going on today, and tomorrow, we have a hearing as well, so you will see people coming and going. So especially for our witnesses so you don't think that that is chaos, we have members trying to juggle a lot of things at the same time.

Ms. DeGette. It is chaos.

OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

Mr. Murphy. It is chaos, OK. I stand corrected. We are meeting today to consider the deceptively complex question: Should the government have the ability to lawfully access encrypted technology and communications?
This is the question at the center of a heated public debate, catalyzed earlier this year when the FBI obtained a court order to compel Apple to assist in unlocking an iPhone used by one of the San Bernardino terrorists. But this isn't a new question. Strong encryption has existed for decades. For years, motivated individuals have had access to the tools necessary to conceal their activities from law enforcement. And for years, the government has repeatedly tried to limit the use of or obtain access to encrypted data. The most notable example occurred in the 1990s when the development of encrypted communications equipment sparked fears that the government would lose its ability to conduct lawful surveillance. In response, the NSA developed a new encryption chip called the Clipper Chip that would enable encrypted communications, but would also provide the government with a key to access those communications, if necessary. This so-called back door sparked intense debate between the government and the technology community about the benefits and risks of government access to encrypted technology. One of the principal arguments of the technology community was that such a back door would create a vulnerability that could be exploited by actors outside of the government. This concern was validated when a critical flaw was discovered in the chip's design. I should note that one of our witnesses here today, Dr. Matt Blaze, identified that vulnerability, which made the government's back door more akin to a front door. As a partial solution, Congress passed the Communications Assistance for Law Enforcement Act, called CALEA. CALEA addressed the government's concern that rapidly evolving technologies were curtailing their ability to conduct lawful surveillance by requiring telecommunications providers to provide assistance in executing authorized surveillance. However, the law included notable caveats which limited the government's response to encrypted technologies.
After the government relaxed export controls on encryption in 2000, the Crypto Wars entered a period of relative quiet. So what has changed in recent years to renew the debate? Part of the concern is, once again, the rapid expansion of technology. At its core, however, this debate is about the widespread availability of encryption, by default. While encryption has existed for decades, until recently, it was complex, cumbersome, and hard to use. It took effort and sophistication to employ its benefits, either for good or evil. But because of this, law enforcement was still able to gain access to the majority of the digital evidence they discovered in their investigations. But now, the encryption of electronic data is the norm. It's the default. This is a natural response to escalating concerns both from government and consumers about the security of digital information. The decision by companies like Apple and the messaging application WhatsApp to provide default encryption means more than a billion people, including some living in countries with repressive governments, have the benefit of easy, reliable encryption. At the same time, however, criminals and terrorists have the same access to secure means of communication, and they know it, and they will use it as their own mission control center. And that is the crux of the recent debate. Access to secure technologies beyond the reach of law enforcement no longer requires coordination or sophistication. It is available to anyone and to everyone. At the same time, however, as more of our lives become dependent on the Internet and information technologies, the availability of widespread encryption is critical to our personal, economic, and national security. Therefore, while many of the arguments in the current debate may echo those of decades past, the circumstances have changed and so, too, must the discussion. This can no longer be a battle between two sides or a choice between black and white. 
If we take that approach, the only outcome is that we all lose. This is a core issue of public safety and ethics, and it requires a very thoughtful approach. That is why we are today to begin moving the conversation from Apple versus the FBI or right versus wrong to a constructive dialogue that recognizes this is a complex issue that affects everyone and therefore we are in this together. We have two very strong panels, and I expect each will make strong arguments about the benefits of strong encryption and the challenges it presents for law enforcement. I encourage my colleagues to embrace this opportunity to learn from these experts to better understand the multiple perspectives, layers, and complexities of the issues. It is time to begin a new chapter in this battle, one which I hope can ultimately bring some resolution to the war. This process will not be easy, but if it does not happen now, we may reach a time when it is too late and success becomes impossible. So, for everyone calling on Congress to address this issue, here we are. I can only hope, moving forward, you will be willing to join us at the table. I now recognize the ranking member from Colorado, Ms. DeGette, for 5 minutes.

[The prepared statement of Mr. Murphy follows:]

Prepared statement of Hon. Tim Murphy

We are meeting today to consider the deceptively complex question: Should the government have the ability to lawfully access encrypted technology and communications? This is the question at the center of a heated public debate, catalyzed earlier this year when the FBI obtained a court order to compel Apple to assist in unlocking an iPhone used by one of the San Bernardino terrorists. But this isn't a new question. Strong encryption has existed for decades. For years, motivated individuals have had access to the tools necessary to conceal their activities from law enforcement. And for years, the government has repeatedly tried to limit the use of or obtain access to encrypted data.
The most notable example occurred in the 1990s when the development of encrypted communications equipment sparked fears that the government would lose its ability to conduct lawful surveillance. In response, the NSA developed a new encryption chip--called the ``Clipper Chip''--that would enable encrypted communications, but would also provide the government with a key to access those communications, if necessary. This so-called ``backdoor'' sparked intense debate between the government and the technology community about the benefits--and risks--of government access to encrypted technology. One of the principal arguments of the technology community was that such a backdoor would create a vulnerability that could be exploited by actors outside of the government. This concern was validated when a critical flaw was discovered in the chip's design. I should note that one of our witnesses here today, Dr. Matt Blaze, identified that vulnerability which made the government's backdoor more akin to a front door. As a partial solution, Congress passed the Communications Assistance for Law Enforcement Act (CALEA). CALEA addressed the government's concern that rapidly evolving technologies were curtailing their ability to conduct lawful surveillance by requiring telecommunications providers to provide assistance in executing authorized surveillance. However, the law included notable caveats which limited the government's response to encrypted technologies. After the government relaxed export controls on encryption in 2000, the Crypto Wars entered a period of relative quiet. So what has changed in recent years to renew the debate? Part of the concern is, once again, the rapid expansion of technology. At its core, however, this debate is about the widespread availability of encryption, by default. While encryption has existed for decades, until recently it was complex, cumbersome and hard to use. It took effort and sophistication to employ its benefits, either for good or evil.
Because of this, law enforcement was still able to gain access to the majority of the digital evidence they discovered in their investigations. But now, the encryption of electronic data is the norm--the default. This is a natural response to escalating concerns--both from government and consumers--about the security of digital information. The decision by companies like Apple and the messaging application WhatsApp to provide default encryption means more than a billion people--including some living in countries with repressive governments--have the benefit of easy, reliable encryption. At the same time, however, criminals and terrorists have the same access to secure means of communication--and they know it, and they will use it as their own mission control center. That is the crux of the recent debate. Access to secure technologies beyond the reach of law enforcement no longer requires coordination or sophistication. It is available to anyone and everyone. At the same time, however, as more of our lives become dependent on the Internet and information technologies, the availability of widespread encryption is critical to our personal, economic and national security. Therefore, while many of the arguments in the current debate may echo those of decades past, the circumstances have changed and so too must the discussion. This can no longer be a battle between two sides, a choice between black-and-white. If we take that approach, the only possible outcome is that we all lose. This is a core issue of public safety and ethics--and it requires a very thoughtful approach. That is why we are today--to begin moving the conversation from ``Apple vs.
the FBI'' or ``right versus wrong'' to a constructive dialogue that recognizes this is a complex issue that affects everyone and therefore ``we are in this together.'' We have two very strong panels and I expect each will make strong arguments about the benefits of strong encryption and the challenges it presents for law enforcement. I encourage my colleagues to embrace this opportunity to learn from these experts to better understand the multiple perspectives, layers and complexities to this issue. It is time to begin a new chapter in this battle--one which I hope can ultimately bring some resolution to the war. This process will not be easy but if it does not happen now, we may reach a time when it is too late and success becomes impossible. So, for everyone calling on Congress to address this issue, here we are. I can only hope, moving forward, you will be willing to join us at the table.

OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF COLORADO

Ms. DeGette. Thank you, Mr. Chairman. And thank you for holding this important hearing. Issues surrounding encryption and particularly the disagreements between law enforcement and the tech community gained significant public attention in the San Bernardino case, but I am not particularly interested in re-litigating that dispute today. As you said, Mr. Chairman, the conversation needs to be broader than just that one case. Let me state unequivocally that I, like you, and I think the rest of us here today recognize and appreciate the benefits of strong encryption in today's digital world. It keeps our communications secure, our critical infrastructure safe, and our bank accounts from being drained. It also provides each one of us with significant privacy protections. But also, like you, I see the flip side of the coin.
While encryption does provide these invaluable protections, it can also be used to obscure the communications and plots of criminals and terrorists and increasingly at great risk. It is our task to help find the proper balance between those competing interests. We need to ask both industry and law enforcement some hard questions today. Last month, the President said, for example, ``We want strong encryption because part of us preventing terrorism or preventing people from disrupting the financial system is that hackers, state or non-state, can't get in there and mess around.'' But if we make systems that are impenetrable or warrant-proof, how do we stop criminals and terrorists? If you can't crack these systems, President Obama said, ``then everybody is walking around with a Swiss bank account in their pocket.'' I have heard the tech community's concern that some of the policies being proposed like creating a back door for law enforcement will undermine the encryption that everybody needs to keep them safe. And, as they remind us, a back door for good guys ultimately becomes a front door for criminals. The tech community has been particularly vocal about the negative consequences of proposals to address the encryption challenge. I think many of these arguments are valid, but I have only heard what we should not do, not what we should do collectively to address this challenge. I think the discussion needs to include a dialogue about how to move forward. I can't believe that this problem is intractable. Now, the same thing seems to be true from where I sit for law enforcement, which raises legitimate concerns but doesn't seem to be focused on workable solutions. I don't promote forcing industry to build back doors or other circumventions that experts tell us will undermine security or privacy for all of us. 
At the same time, I am not comfortable with impenetrable warrant-proof spaces where criminals or terrorists can operate without any fear that law enforcement could discover their plots. So what I want to hear today is from both law enforcement and industry about possible solutions going forward. For example, if we conclude that expansive warrant-proof spaces are not acceptable in society, then what are the policy options? What happens if encryption is the reason law enforcement can't solve or prevent a crime? If the holder or transmitter of the data or device can't or won't help law enforcement, what then? What are suitable options? Last week, for example, the Washington Post reported that the government relied on gray-hat hackers to circumvent the San Bernardino iPhone. Well, thank goodness? I don't think so. I don't think relying on a third party is a good model. This recent San Bernardino case suggests that when the government needs to enhance its capabilities when it comes to exploring ways to work around the challenges posed by encryption. I intend to ask both panels what additional resources and capabilities the government needs to keep pace with technology. While providing government with more tools or capability require additional discussions regarding due process and the protection of civil liberties, enhancing the government's technical capability is one potential solution that does not mandate back doors. Finally, the public, the tech community, and the government are all in this together. In that spirit, I really do want to thank our witnesses for coming today. I am happy that we have people from law enforcement, academia, and industry, and I am really happy that Apple came to testify today. Your voice is particularly important because other players like Facebook and WhatsApp declined our invitation to be a part of this panel. 
Now, the tech community has told Congress we need to solve this problem, and we agree, but I have got to tell you, it is hard to solve a problem when the key players won't show up for the discussion. And I am here also to tell you, as a longtime member of this subcommittee, relying on Congress to, on its own, pass legislation in a very complex situation like this is a blunt instrument at best. I think it would be in everybody's best interest to come to the table and help us work on a solution. Thanks again for holding this hearing. I know we won't trivialize these concerns. I look forward to working with everybody to come up with a reasonable solution, and I yield back.

Mr. Murphy. The gentlelady yields back. I now recognize the chairman of the full committee, Mr. Upton, for 5 minutes.

OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN

Mr. Upton. Thank you, Mr. Chairman. For months now, we have witnessed an intense and important debate between law enforcement and the technology community about encryption. While much of this recent debate has focused on the FBI and Apple, this issue is certainly much bigger than any one entity, device, application, or piece of technology. At its very core, this is a debate about what we, as a society, are willing to accept. If you have paid any attention to the debate, it might appear to be a black-and-white choice. Either we side with law enforcement and grant them access to encrypted technologies, thus weakening the security and privacy of our digital infrastructure, or we can side with the technology community and prevent law enforcement from accessing encrypted technologies, thus creating a warrantless safe haven for terrorists, pedophiles, and other evil and terrible actors. It is important that we move beyond the us-versus-them mentality that has encompassed this discussion for too long. This debate is not about picking sides; it is about evaluating options.
It begins by acknowledging the equities on both sides. From the technology perspective, there is no doubt that strong encryption is a benefit to our society. As more of our daily lives become integrated with the digital universe, encryption is critical to the security and privacy of our personal and corporate secrets. As evidenced by the breaches over the past year, data theft can have a devastating effect on our personal privacy, economic strength, and national security. In addition, encryption doesn't just enable terrorists and wrongdoers to do terrible things. It also provides a safe haven for dissidents, victims of domestic violence, and others who wish to remain hidden for noble purposes. And as we look to the future and see that more and more aspects of our lives will become connected to the Internet, including things such as cars, medical devices, and the electric grid, encryption will play an important role in minimizing the risk of physical harm or loss of life should these technologies be compromised. From the law enforcement perspective, while strong encryption helps protect the information and lives, it also presents a serious risk to public safety. As strong, inaccessible encryption becomes the norm, law enforcement loses access to valuable tools and evidence necessary to stop bad actors from doing terrible things. And as we will hear today, this cannot always be offset by alternative means such as metadata or other investigative tools. There are certain situations, such as identifying the victims of child exploitation, not just the perpetrators, where access to content is critical. These are but a few of the many valid concerns on both sides of this debate, which leads us to the question: What is the answer? Sitting here today, I don't have the answer, nor do I expect that we will find it during this hearing. 
This is a complex issue, and it is going to require a lot of difficult conversations, but that is not an excuse to put our head in the sand or resort to default positions. We need to confront these issues head-on because they are not going to go away, and they are only going to get more difficult as time continues to tick. Identifying a solution to this problem may involve tradeoffs and compromise on both sides, but ultimately, it comes down to what society accepts as the appropriate balance between government access to encryption and security of encrypted technologies. For that reason and others, many have called on us, us, this committee, confront the issues here. That is why we are holding this hearing, and that is why Chairman Goodlatte and I, along with Ranking Members Pallone and Conyers, established a bipartisan, joint committee-working group to examine this very issue. In order for Congress to successfully confront the issue, however, it will require patience, creativity, courage, and more importantly, cooperation. It is easy to call on Congress to take on an issue, but you better be prepared to answer the call when we do. This issue is too important to have key players sitting on the sidelines, and therefore, I hope all of you are prepared to participate as we take to heart what we hear today and be part of the solution moving forward. And I yield back.

[The prepared statement of Mr. Upton follows:]

Prepared statement of Hon. Fred Upton

For months we have witnessed an intense and important debate between law enforcement and the technology community about encryption. While much of this recent debate has focused on the FBI and Apple, this issue is much bigger than any one entity, device, application, or piece of technology. At its core, this is a debate about what we, as a society, are willing to accept. If you have paid any attention to the debate, it might appear to be a black and white choice.
Either we side with law enforcement and grant them access to encrypted technologies--thus weakening the security and privacy of our digital infrastructure. Or, we can side with the technology community and prevent law enforcement from accessing encrypted technologies, thus creating a warrantless safe-haven for terrorists, pedophiles, and other evil actors. It is important that we move beyond the ``us versus them'' mentality that has encompassed this discussion for too long. This debate is not about picking sides--it is about evaluating options. This begins by acknowledging the equities on both sides. From the technology perspective, there is no doubt that strong encryption is a benefit to our society. As more of our daily lives become integrated with the digital universe, encryption is critical to the security and privacy of our personal and corporate secrets. As evidenced by the breaches over the past year, data theft can have devastating effects on our personal privacy, economic strength, and national security. In addition, encryption doesn't just enable terrorists and wrongdoers to do terrible things--it also provides a safe haven for dissidents, victims of domestic violence, and others who wish to remain hidden for ignoble purposes. As we look to the future and see that more and more aspects of our lives will become connected to the Internet--including things such as cars, medical devices, and the electric grid--encryption will play an important role in minimizing the risk of physical harm or loss of life should these technologies be compromised. From the law enforcement perspective, while strong encryption helps protect information and lives, it also presents a serious risk to public safety. As strong, inaccessible encryption becomes the norm, law enforcement loses access to valuable tools and evidence necessary to stop bad actors from doing terrible things.
As we will hear today, this cannot always be offset by alternative means such as meta-data or other investigative tools. There are certain situations, such as identifying the victims of child exploitation--not just the perpetrators--where access to content is critical. These are but a few of the many valid concerns on both sides of this debate. Which leads us to the question--what is the answer? Sitting here today, I do not have that answer nor do I expect we will find it during this hearing. This is a complex issue and it is going to require some difficult conversations--but that is not an excuse to put our head in the sand or resort to default positions. We need to confront these issues head-on because they are not going away and they will only get more difficult with time. Identifying a solution to this problem may involve trade- offs and compromise, on both sides, but ultimately it comes down to what society accepts as the appropriate balance between government access to encryption and security of encrypted technologies. For that reason and others, many have called on Congress to ``confront the issues here.'' That is why we are holding this hearing and that is why Chairman Goodlatte and I-- along with Ranking Members Pallone and Conyers--established a bipartisan, joint committee-working group to examine this issue. In order for Congress to successfully ``confront this issue,'' however, it will require patience, creativity, courage, and most importantly, cooperation. It is easy to call on Congress to take on an issue--but you better be prepared to answer the call when we do. This issue is too important to have key players sitting on the sidelines. Therefore, I hope those who were unprepared to participate in this hearing take this to heart and will be part of the solution moving forward. Mr. Murphy. The gentleman yields back. I now recognize Mr. Pallone for 5 minutes. OPENING STATEMENT OF HON. 
FRANK PALLONE, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW JERSEY

Mr. Pallone. Thank you, Mr. Chairman. I welcome the opportunity to hear today from both law enforcement and the tech community as we seek to understand and develop solutions to this encryption debate. Encryption enables the privacy and security that we value, but it also creates challenges for those seeking to protect us.

Law enforcement has a difficult job of keeping our nation safe, and they are finding that some encrypted devices and programs are hampering their efforts to conduct thorough investigations. Even when they obtain a warrant, they find themselves unable to access information protected by end-to-end encryption. And this raises questions of how comfortable we are as a nation with these ``dark'' areas that cannot be reached by law enforcement.

At the same time, the tech community helps protect some of our most valuable information, and the most secure way to do that is by using end-to-end encryption, meaning the device or app manufacturer does not hold the key to that information. When the tech community tells us that providing back doors will make their job of protecting our information that much more difficult, we should heed that warning and work towards a solution that will not solve one problem by creating many others.

It is clear that both sides in this discussion have compelling arguments, but simply repeating those arguments is not a sufficient response. We need to work together to move forward, and I hope today's hearing is just the beginning of that conversation.

In the last several months and years, we have seen major players in this debate look to Congress for solutions.
In 2014, FBI Director Comey said, ``I am happy to work with Congress, with our partners in the private sector, and with my law enforcement and national security counterparts, and with the people we serve, to find the right answer, to find the balance we need.'' In an e-mail to Apple employees earlier this year, Apple CEO Tim Cook wrote about his support for Congress to bring together ``experts on intelligence, technology, and civil liberties to discuss the implications for law enforcement, national security, privacy, and personal freedoms.'' And he wrote that ``Apple would gladly participate in such an effort.''

So if we have any hope of moving this debate forward, we need all parties to come to the table. The participation of our witnesses today should serve as a model to others who have been reluctant to participate in this discussion. We can't move forward if each party remains in its corner, unwilling to compromise or propose solutions. Both sides need to recognize that this is an effort to strike a balance between the security and privacy of personal data and public safety. The public needs to feel confident that their information is secure, but at the same time, we need to assure them that law enforcement has all the tools it needs to do their jobs effectively.

So, Mr. Chairman, I would like to yield the remaining time to the gentlewoman from New York, Ms. Clarke.

[The prepared statement of Mr. Pallone follows:]

Prepared statement of Hon. Frank Pallone, Jr.

I welcome the opportunity to hear today from both law enforcement and the tech community as we seek to understand and develop solutions to this encryption debate. Encryption enables the privacy and security that we value, but it also creates challenges for those seeking to protect us.

Law enforcement has a difficult job of keeping our nation safe. And they are finding that some encrypted devices and programs are hampering their efforts to conduct thorough investigations.
Even when they obtain a warrant, they find themselves unable to access information protected by end-to-end encryption. This raises questions of how comfortable we are as a nation with these ``dark'' areas that cannot be reached by law enforcement. At the same time, the tech community helps protect some of our most valuable information, and the most secure way to do that is by using end-to-end encryption, meaning the device or app manufacturer does not hold a key to that information. When the tech community tells us that providing backdoors will make their job of protecting our information that much more difficult, we should heed that warning and work toward a solution that will not solve one problem by creating many others. It is clear that both sides in this discussion have compelling arguments, but simply repeating those arguments is not a sufficient response. We need to work together to move forward, and I hope today's hearing is just the beginning of that conversation. In the last several months and years, we have seen major players in this debate look to Congress for solutions. In 2014, FBI Director Comey said, ``I'm happy to work with Congress, with our partners in the private sector, with my law enforcement and national security counterparts, and with the people we serve, to find the right answer--to find the balance we need.'' In an e-mail to Apple employees earlier this year, Apple CEO Tim Cook wrote about his support for Congress to bring together ``experts on intelligence, technology and civil liberties to discuss the implications for law enforcement, national security, privacy and personal freedoms.'' He wrote that ``Apple would gladly participate in such an effort.'' If we have any hope of moving this debate forward, we need all parties to come to the table. The participation of our witnesses today should serve as a model to others who have been reluctant to participate in this discussion. 
We cannot move forward if each party remains in its corner, unwilling to compromise or propose solutions. Both sides need to recognize that this is an effort to strike a balance between the security and privacy of personal data and public safety. The public needs to feel confident that their information is secure. But at the same time, we need to assure them that law enforcement has all the tools it needs to do their jobs effectively.

I would like to yield my remaining time to Rep. Clarke.

Ms. Clarke. I thank Ranking Member Pallone for yielding. First, let me welcome Chief Thomas Galati, who is the chief of Intelligence for my hometown of New York City. And many refer to the New York City Police Department as New York's finest, but I would like to think of them as the world's finest. Welcome, Chief Galati.

At its core, our Constitution is about the balance of power. It is about balancing power among the Federal Government, State government, and the rights of individuals. Through the years, getting that balance just right has been challenging and at times tension-filled, but we have done it. We have prevailed. The encryption-versus-privacy-rights issue is simply another opportunity for us to again recalibrate and fine-tune the balance in our democracy.

And as the old cliche states, democracy is not a spectator sport. So it is time for all of us to participate. It is time to roll up our sleeves and work together to resolve this issue as an imperative because it is not going away. So I am glad that we are having this hearing today because I do believe that, working together, we can find a way to balance our concerns and to address this issue of physical security with our rights to private security.

So I look forward to hearing the perspectives of our witnesses today, and I yield back the remainder of the time. Thank you, Mr. Chairman.

Mr. Murphy. So your side yields back then? Thank you.
I just do ask unanimous consent that the members' written opening statements be introduced into the record. Without objection, the documents will be entered into the record. And now I would like to introduce the witnesses of our first panel for today's hearing. Our first witness on the panel is Ms. Amy Hess. Ms. Hess is the executive assistant director for Science and Technology at the Federal Bureau of Investigations. In this role she is responsible for the executive oversight of the Criminal Justice Information Services Laboratory and Operational Technology divisions. Ms. Hess has logged time in the field as an FBI special agent, as well as the Bureau's headquarters here in Washington, D.C., and we thank Ms. Hess for preparing her testimony and look forward to hearing your insights in these matters. We also want to welcome Chief Thomas Galati from the New York City Police Department. Chief Galati is a 32-year veteran of the New York City Police Department and currently serves as the Chief of Intelligence. As Chief of Intelligence, he is responsible for the activities of the Intelligence Bureau, the Western Hemisphere's largest municipal law enforcement intelligence operation. Thank you, Chief Galati, for your testimony today, and we look forward to hearing your comments. And finally, for the first panel, we welcome Captain Charles Cohen of the Indiana State Police. Currently, he is the Commander of the Office of Intelligence and Investigative Technologies where he is responsible for the Cyber Crime, Electronic Surveillance, and Internet Crimes Against Children. We appreciate his time today, and once again thank all the witnesses for being here. I also want to note that Sheriff Ron Hickman of the Harris County Sheriff's Office unfortunately will not be joining us today due to the tragic flooding yesterday in the Houston area. Our prayers and thoughts are with the people of Houston. We know there have been several tragedies there. 
We all wish Sheriff Hickman could be with us, but we certainly understand travel logistics can sometimes make these things impossible. I would ask unanimous consent, however, that Sheriff Hickman's testimony be entered into the record, and without objection, his testimony will be entered into the record.

[The prepared statement of Ron Hickman follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Murphy. Now, to our panelists, as you are aware, the committee is holding an investigative hearing, and when doing so, has the practice of taking testimony under oath. Do any of you have any objections to taking testimony under oath? They all say no.

The chair then advises you that under the rules of the House and rules of the committee, you are entitled to be advised by counsel. Do any of you desire to be advised by counsel during the hearing today? And all say no as well.

In that case, would you please rise, raise your right hand. I will swear you in.

[Witnesses sworn.]

Mr. Murphy. Thank you. You may be seated. And all the witnesses answered in the affirmative and you are now under oath and subject to the penalties set forth in title 18, section 1001 of the United States Code. You may now give a 5-minute summary of your opening statement. Ms. Hess, you are recognized for 5 minutes.

STATEMENTS OF AMY HESS, EXECUTIVE ASSISTANT DIRECTOR FOR SCIENCE AND TECHNOLOGY, FEDERAL BUREAU OF INVESTIGATIONS; THOMAS P. GALATI, CHIEF, INTELLIGENCE BUREAU, NEW YORK CITY POLICE DEPARTMENT; AND CHARLES COHEN, COMMANDER, OFFICE OF INTELLIGENCE AND INVESTIGATIVE TECHNOLOGIES, INDIANA STATE POLICE

STATEMENT OF AMY HESS

Ms. Hess. Thank you. Good morning, Chairman Murphy, Ranking Member DeGette, and members----

Mr. Murphy. Just make sure your microphone is pulled as close to you as possible and turned on.

Ms. Hess. Yes, sir.

Mr. Murphy. Thank you.

Ms. Hess [continuing]. And members of the subcommittee.
Thank you for the opportunity to appear before you today and engage in this important discussion. In recent years, we've seen new technologies transform our society, most notably by enabling digital communications and facilitating e-commerce. It is essential that we protect these communications to promote free expression, secure commerce and trade, and safeguard sensitive information. We support strong encryption, but we've seen how criminals, including terrorists, are using advances in technology to their advantage. Encryption is not the only challenge we face in today's technological landscape, however. We face significant obstacles in lawfully tracking suspects because they can seamlessly communicate while changing from a known Wi-Fi service to a cellular connection to a Wi-Fi hotspot. They can move from one communication application to another and carry the same conversation or multiple conversations simultaneously. Communication companies do not have standard data retention policies or guidelines, and without historical data, it's very difficult to put pieces of the investigative puzzle together. Some foreign communication providers have millions of users in the United States but no point of presence here, making it difficult if not impossible to execute a lawful court order. We encounter platforms that render suspects virtually anonymous on the Internet, and if we cannot attribute communications and actions to a specific individual, critical leads and evidence may be lost. The problem is exponentially increased when we face one or more of these challenges on top of another. Since our nation's inception, we've had a reasonable expectation of privacy. This means that only with probable cause and a court order can law enforcement listen to an individual's private conversations or enter their private spaces. 
When changes in technology hinder or prohibit our ability to use authorized investigative tools and follow critical leads, we may not be able to root out child predators hiding in the shadows or violent criminals targeting our neighborhoods. We may not be able to identify and stop terrorists who are using today's communication platforms to plan and execute attacks in our country. So we are in this quandary trying to maximize security as we move into a world where, increasingly, information is beyond the reach of judicial authority and trying to maximize privacy in this era of rapid technological advancement. Finding the right balance is a complex endeavor, and it should not be left solely to corporations or to the FBI to solve. It must be publicly debated and deliberated. The American people should decide how we want to govern ourselves in today's world. It's law enforcement's responsibility to inform the American people that the investigative tools we have successfully used in the past are increasingly becoming less effective. The discussion so far has been highly charged at times because people are passionate about privacy and security. But this is an essential discussion which must include a productive, meaningful, and rational dialogue on how encryption, as currently implemented, poses significant barriers to law enforcement's ability to do its job. As this discussion continues, we're fully committed to working with industry, academia, and other parties to develop the right solution. We have an obligation to ensure everyone understands the public safety and national security risks that result from the use of new technologies and encrypted platforms by malicious actors. To be clear, we're not asking to expand the government's surveillance authority, but rather to ensure we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided us to keep America safe. 
There is not and will not be a one-size-fits-all solution to address the variety of challenges we face. The FBI is pursuing multiple avenues to overcome these challenges, but we realize we cannot overcome them on our own.

Mr. Chairman, we believe the issues posed by this growing problem are grave and extremely complex. We must therefore continue the public discourse on how best to ensure that privacy and security can coexist and reinforce each other, and this hearing today is a vital part of that process.

Thank you again for your time and your attention to this important matter.

[The prepared statement of Amy Hess follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Murphy. Thank you, Ms. Hess. I now recognize Chief Galati for 5 minutes.

STATEMENT OF THOMAS P. GALATI

Chief Galati. Thank you.

Mr. Murphy. Make sure your microphone is turned on, and again, pull it as close to you as you can.

Chief Galati. Thank you. On behalf of Mayor de Blasio and Police Commissioner Bratton and myself, thanks to the committee for the opportunity to speak with you this morning.

Years ago, criminals and their accomplices stored their information in closets, drawers, safes, and glove boxes. There was and continues to be an expectation of privacy in these areas, but the high burden imposed by the Fourth Amendment, which requires a lawful search be warranted and authorized by a neutral judge, has been deemed sufficient protection against unreasonable government search and seizure for the past 224 years.

But now it seems that that legal authority is struggling to catch up with the times because today, nearly everyone lives their life on a smartphone, including criminals, so evidence that once would have been stored in a file cabinet or a notebook is now archived in an email or a text message. The same exact information that would solve a murder, catch a rapist, or prevent a mass shooting is now stored in that device.
But where law enforcement has legal access to the file cabinet, it is shut out of the phone, not because of constraints built into the law, but rather limits imposed by technology. When law enforcement is unable to access evidence necessary to the investigation, prosecution, and prevention of a crime, despite the lawful right to do so, we call this ``going dark.''

Every day, we deal with this evidentiary dilemma on two fronts. First, it's what is known as ``data at rest.'' This is when the actual device--the computer, the tablet, or the phone--is in law enforcement's possession, but the information stored within it is inaccessible. In just the 6-month period from October of 2015 through March of this year, New York City, we have been locked out of 67 Apple devices lawfully seized pursuant to the investigation of 44 violent crimes. In addition, there are 35 non-Apple devices. Of these Apple devices, these incidents include 23 felonies, 10 homicides, two rapes, and two police officers shot in the line of duty. They include robberies, criminal weapons possession, criminal sex acts, and felony assaults.

In every case, we have the file cabinet so to speak, and the legal authority to open it, but we lack the technical ability to do so because encryption protects its contents. But in every case, these crimes deserve our protection, too.

The second type of ``going dark'' is an incident known as ``data in motion.'' In these cases, law enforcement is legally permitted, through a warrant or other judicial process, to intercept and access a suspect's communications. But the encryption built in to the applications such as WhatsApp, Telegram, or Wickr, and others thwarts this type of lawful surveillance. So we may know a criminal group is communicating, but we are unable to understand why. In the past, a phone or a wiretap, again, legally obtained from a judge, would alert the police to drop-off locations, hideouts, and target locations.
Now, we are literally in the dark, and criminals know it, too. We recently heard a defendant in a serious felony case make a call from Rikers Island where he extolled the Apple iOS 8 and its encryption software as ``a gift from God.'' This leaves the police, prosecutors, and the people we are sworn to protect in a very precarious position. What is even more alarming is that the position is not dictated by our elected officials, our judiciary system, or our laws. Instead, it is created and controlled by corporations like Apple and Google, who have taken it upon themselves to decide who can access critical information in criminal investigations. As a bureau chief in our nation's largest municipal police department, an agency that's charged with protecting 8.5 million residents and millions of daily commuters and tourists every day, I am confident that corporate CEOs do not hold themselves to the same public safety standards as our elected officials and law-enforcement professionals. So how do we keep people safe? The answer cannot be warrant-proof encryption, which creates a landscape of criminal information outside the reach of search warrants or a subpoena and outside legal authority to establish over centuries of jurisprudence. But this has not always been Apple's answer. Until 19 months ago, they held the key that could override protections and open phones. Apple used this master key to comply with court orders in kidnappings, murders, and terrorism cases. There was no documented incident or code getting out to hackers or the government. If they were able to comply with constitutionally legal court orders then, why not now? The ramifications to this fight extends far beyond San Bernardino, California, and the 14 people murdered there. It is important to recognize that more than 90 percent of all criminal prosecutions in our country are handled at the State or local level. These cases involve real people, families, your friends, your loved ones. 
They deserve police departments that are able to do everything within the law to bring them justice, and they deserve corporations to appreciate their ethical responsibilities.

I applaud you for holding this hearing today. It is critical that we work together and across silos to fight crime and disorder because criminals are not bound by jurisdictional boundaries or industry standards. But increasingly, they are aware of the safety net that the warrant-proof encryption provides them, and we must all take responsibility for what that means.

For the New York City Police Department, it means investing more in people's lives in--than in quarterly earnings reports and putting public safety back into the hands of the brave men and women who have sworn to defend it.

Thank you, and I will take any questions.

[The prepared statement of Thomas P. Galati follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Murphy. Thank you very much, Chief. Now, Captain Cohen, you are recognized for 5 minutes. Again, pull the microphone close to you.

STATEMENT OF CHARLES COHEN

Mr. Cohen. Mr. Chairman, members of the subcommittee, thank you for allowing me to testify. My name is Chuck Cohen, and I'm a captain with the Indiana State Police. I also serve as Indiana Internet Crimes Against Children Task Force commander.

I would not be here today if it were not for encountering serious problems associated with encryption that do not have easy technological fixes. We need your help, and it is increasingly apparent that that help must be legislative.

As far as I know, the FBI is not exaggerating or trying to mislead anyone when they say that there is currently no way to recover data from newer iPhones. Apple has intentionally designed an operating system and device combination that functionally acts as a locked container without a key.
The sensitivity of the personal information people keep stored in their phones should be compared with the sensitivity of information that people keep in bank deposit boxes and bedrooms. Criminal investigators with proper legal authorization have the technical means to access both deposit boxes and bedrooms, but we lack the technical means to access newer cellular phones running default hard encryption. We are often asked for examples of how encryption hinders law enforcement's ability to conduct criminal investigations. There are numerous encrypted phones sitting in the Indiana State Police evidence rooms waiting for a solution, legal or technical, to the problem. Some of those phones belong to murder victims and child sex crimes victims. Earlier this year, a mother and son were shot to death inside their home in Indiana. Both victims had newer iPhones. I'm confident that, if they were able, both would give consent for us to forensically examine their phones to help us find the killer or killers. But unfortunately, being deceased, they were unable to give consent, and unfortunately for investigators working to solve their murders, they chose to buy phones running encrypted operating systems by default. I need to emphasize that we are talking not just about suspects' phones but also victims' phones, and not just about incriminating evidence but also exculpatory evidence that cannot be recovered. It is always difficult to know what evidence and contraband is not being recovered, the child victims that are not being rescued, and the child sex offenders that are not being arrested as a result of encryption. But the investigation, prosecution, and Federal conviction of Randall R. Fletcher helps to shed light on the type of evidence that is being concealed by encryption. Fletcher lived in northern Indiana. 
During the course of an investigation for production and possession of child pornography, computer hard drives with encrypted partitions and an encrypted thumb drive were seized. The encryption was a bust such that it was not possible to forensically examine the encrypted data, despite numerous attempts by several law enforcement agencies. A Federal judge compelled Fletcher to disclose the encryption key. He then provided law enforcement with a passcode that opened the encrypted partitions but not the encrypted thumb drive. In the newly opened data, law enforcement found thousands of images and videos depicting minors being caused to engage in sexually explicit conduct. To this day, investigators believe the thumb drive contains homemade child pornography produced by Fletcher but have no way of confirming or disproving that belief. Fletcher had continuing and ongoing access to children, including a child he previously photographed in lascivious poses. Fletcher has previous convictions for conspiracy to commit murder and child sex offenses that are detailed in my written testimony. There is good reason to believe that, because of hard encryption on the USB storage device, additional crimes committed by Fletcher cannot be investigated and prosecuted. That means additional child victims cannot be provided victim services or access to the justice that they so richly deserve. I hope that Congress takes the time to truly understand what is at stake with the ``going dark'' phenomenon and what problems have been created. There is a cost associated with an encryption scheme that allows lawful access with some theoretically higher chance of lost data, but there is a much greater and very real human cost that we already see across the country because investigations that fail due to default hard encryption. In my daily work, I feel the impact of law enforcement going dark. 
For me, it is a strong feeling of frustration because it makes the detectives and forensic examiners for whom I am responsible less effective. But for crime victims and their families, it is altogether different. It is infuriating, unfair, and incomprehensible why such critical information for solving crimes should be allowed to be completely out of reach.

I have heard some say that law enforcement can solve crimes using metadata alone. That is simply not true. That is like asking a detective to process a crime scene by only looking at the street address on the outside of the house where a crime was committed.

I strongly encourage committee members to contact your State investigative agency or local police department and ask about this challenge. I greatly appreciate your invitation to share my perspective, and I'm happy to answer questions today or at any point in the future.

Thank you, Mr. Chairman, members of the committee.

[The prepared statement of Charles Cohen follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Murphy. I thank the panel. I would now recognize myself 5 minutes for questions.

Ms. Hess, I think sometimes the FBI's concerns about encryption are broadly characterized as being against encryption. Considering the FBI's work on investigations like the Sony data breach or the recent ransomware attacks on hospitals, I have a tough time believing that your organization is against the technology that is so instrumental in protecting digital information. So to clarify, does the FBI agree that strong encryption is important to the security and privacy of our citizens, our economic strength, and our national security?

Ms. Hess. Yes, sir.

Mr. Murphy. And it also benefits law enforcement? Yes?

Ms. Hess. Yes.

Mr. Murphy. Can you elaborate on that?

Ms. Hess. Yes, sir. Yes. And you are correct. Is that--as I stated in my opening statement, we do support strong encryption because it does all of the things you just said.
We also recognize that we have a continuing struggle, an increasing struggle to access readable information, to access content of communications caused by that encryption that is now in place by default.

Mr. Murphy. And so it brings this question up then. Are you witnessing an increase in individuals intentionally or even unintentionally evading the law through availability of default encryption?

Ms. Hess. I think it's difficult to discern whether or not they're intentionally doing it. However, we are significantly seeing increases in the use and deployment of decryption because it is a default setting now on most devices.

Mr. Murphy. So related to that then, Chief Galati, would you say that the default application of encryption can create significant hurdles for law enforcement? Is that the issue, as Ms. Hess was just saying, it is the default one?

Chief Galati. Yes, sir. The encryption, a lot of the apps that are being used today, even with legal process or, you know, coverage on the phone, you cannot intercept those conversations. Often, we hear criminals and also in the terrorism cases that we do, people encouraging participants to go to apps like Telegram, WhatsApp, Wickr, and so on.

Mr. Murphy. Captain Cohen, your testimony was very moving about those cases you described involved with murder and with victimizing children. You know, this debate is oftentimes been about picking sides, the most notable being Apple v. FBI. So either you support law enforcement or you support the tech community. That feels like a lose-lose proposition.

Look, I understand people want to be able to have encrypted technology, but based upon the responses, Captain, that you heard from Ms. Hess and from the chief, do you think this is an us-versus-them debate or are there answers that we can be going forward here? What do you think? Because you are on the frontlines dealing with these terrible cases. Is this an us-them? Is there an answer?

Mr. Cohen. Mr.
Chairman, I definitely do not think it's an us-them. What we do see, though, is a challenge with default encryption that functionally cannot be turned off. I don't have the option to even disable that encryption. The difference with Mr. Fletcher, the example I gave you, was that after two prior convictions, he then learned that he needed to do something to protect himself better from criminal investigation and then went out in search of, we assume, encryption and ways to do that.

The difference is now we are seeing increasingly, to talk to your question of Ms. Hess as well, what we're seeing now is discussion among a wide variety of criminals--and I see it daily--discussion among those that sexually solicit children online, sexually extort children, trade in child pornography, discussing the best possible systems to buy, the best combination of cell phone and operating system to buy to prevent encryption.

Please make no mistake that criminals are listening to this testimony and learning from it. They're learning which messaging app to use to protect themselves against encryption. They are also learning which messaging app is located outside the United States and has no bricks-and-mortar location here in the United States, which ones are located in countries with which we have a mutual legal assistance treaty and which ones we don't. Criminals are using this as an education to make themselves more effective at their criminal tradecraft.

Mr. Murphy. So given that, Ms. Hess, what answer will we have here for those cases where, whether it is a terrorist planning a plot or they have already killed some people and we are trying to find out what the next move is or it is a child predator? Will there be an answer for this?

Ms. Hess. Yes, sir. And to clarify my earlier statement, too, we do see individuals--criminals, terrorists--encouraging others to move to encrypted platforms, and we've seen that for some time.
And the solution to that for us is no investigator, no agent will take that as an answer to say that they should stop investigating. They will try to find whatever workaround they possibly can, but those solutions may be time-intensive. They may not eventually be effective. They may require an additional amount of resources or an additional amount of skill in order to get to those solutions. But primarily we are usually in a race against the clock, and that's the key component of how we're finding additional solutions around this problem.

Mr. Murphy. I know this is a frightening aspect for Americans. Look, we understand privacy, but if there is some child predator hiding in the bushes by the playground watching to snatch a victim, you can find them. But now, if this has given them this cloak of invisibility, it is pretty frightening. We better find an answer. My time is up. I now recognize Ms. DeGette for 5 minutes.

Ms. DeGette. Thanks, Mr. Chairman. Well, just to follow up on the chairman's questioning, the problem really isn't default encryption because if you eliminated default encryption, criminals could still get encryption, and they do, isn't that correct, Ms. Hess?

Ms. Hess. Yes, that's correct.

Ms. DeGette. Right. And so the problem is that criminals can have easy access to encryption. And I think we can stipulate that encryption is really great for people like me who have bank accounts who don't want them to be hacked, but it is just really a horrible challenge for all of us as a society, not just law enforcement, when you have a child sex predator who is trying to encrypt, or just as bad really, a terrorist. So what I want to know is, what are we going to do about it? And the industry says that if Congress forces them to develop tools so that law enforcement, with probable cause and a warrant, can get access to that data, that then will just open the door. Do you believe that is true, Ms. Hess?

Ms. Hess.
I believe that there certainly will be always no such thing as 100 percent security. However, industry leaders today have built systems that enable us to be able to get or receive readable content.

Ms. DeGette. And, Chief Galati, what is your view on that?

Chief Galati. I believe that in order to provide--and I don't want to call it a back door but rather a front door--I think if the companies can provide law enforcement, I don't believe that it would be abused. We have to----

Ms. DeGette. Why not? Why not?

Chief Galati. We have the CALEA law from 1994, and that was not abused, so I don't see how by making law enforcement----

Ms. DeGette. What they are saying is the technology--once they develop that technology, then anybody could get access to it and they could break the encryption.

Chief Galati. I believe that if we look at Apple, they have the technology going back to about 18, 19 months ago where they were doing it for law enforcement, and I don't--I am not aware of any cases of abuse that came out when Apple actually did have the key. So I could see if they still have the key today, then they hold it----

Ms. DeGette. I will ask them that because they are coming up. Captain Cohen?

Mr. Cohen. I think it might be helpful to look for real-world analogies. If you think of an iPhone or an Android OS phone as a safety deposit box, the key the bank holds, that's the private key encryption. The key the customer holds, that's the public key encryption. But what the bank does is it builds firewalls around that. There's a difference between encryption and firewalls. The----

Ms. DeGette. And you think that technology exists?

Mr. Cohen. The technology does exist.

Ms. DeGette. OK.

Mr. Cohen. So when we're----

Ms. DeGette. I am sorry. I don't have a lot of time but I am going to----

Mr. Cohen. No, go ahead. I'm sorry.

Ms. DeGette [continuing]. Ask them the same question.
Now, there is something else that can be done, forcing the industry to comply, or like in the San Bernardino case, the FBI hired a third party to help them break the code in that phone. And that was what we call gray hats, people who are sort of in this murky market. What do you think about that suggestion, Ms. Hess?

Ms. Hess. Yes, ma'am. That certainly is one potential solution, but that takes me back to my prior answer, which is that the solutions are very case-by-case specific. They may not work in all instances. They're very dependent upon the fragility of the systems or vulnerabilities we might find, and also, they're very time-intensive and resource-intensive, which may not be scaleable to enable us to be successful in our investigations.

Ms. DeGette. Do you think there is any ethical issue with using these third-party hackers to do this?

Ms. Hess. I think that certainly there are vulnerabilities that we should review to make sure that we identify the risks and benefits of being able to exploit those vulnerabilities in a greater setting.

Ms. DeGette. Well, I understand you are doing it because you have to in certain cases. Do you think it is a good policy to follow?

Ms. Hess. I do not think that that should be the solution.

Ms. DeGette. And one more question is if third-party individuals can develop these techniques to get into these encrypted devices or programs, why can't we bring more capabilities in-house to the government to be able to do that?

Ms. Hess. Certainly, these types of solutions--and as I said, this should not be the only solution--but these types of solutions that we do employ and can employ, they require a lot of highly skilled, specialized resources that we may not have immediately available to us. And that----

Ms. DeGette. Can we develop those with the right resources?

Ms. Hess. No, ma'am, I don't see that----

Ms. DeGette. OK.

Ms. Hess [continuing]. Possible.
I think that we really need the cooperation of industry, we need the cooperation of academia, we need the cooperation of the private sector in order to come up with solutions.

Ms. DeGette. Thank you.

Mr. Murphy. The gentlelady's time is expired. I now recognize the gentlelady from Indiana, Mrs. Brooks, for 5 minutes.

Mrs. Brooks. Thank you, Mr. Chairman. In 2001, after I was appointed U.S. attorney for the Southern District of Indiana, I began work with the Indiana Crimes Against Children Task Force, which was led primarily by Assistant U.S. Attorney Steve DeBrota, working hand-in-hand with you, Captain Cohen, and I want to thank you so much for being here. Because prior to that time I would say that I was certainly not aware about what really went into and what horrific crimes really were being perpetrated against children back at that time in 2001, 2002. And when we talk about child exploitation against children, we need to realize this involves babies up to teenagers. This is not all about just willing teenagers being involved in these types of acts. These are people preying on children of all ages. And I want to walk you through, Captain Cohen, what some of the impediments are, more about how this works, how you are being thwarted in your investigations, and I also want to wrap up and make sure you have time for you to explain your thoughts about the firewalls. First of all, if you could just please walk through with us, offenders--and I am talking about older children now--older kids who have access to social media. Offenders, perpetrators are making connections through social media platforms, correct?

Mr. Cohen. Yes, ma'am.

Mrs. Brooks. And are those typically unencrypted or encrypted?

Mr. Cohen. Two years ago, I would have said typically unencrypted; now, typically encrypted.

Mrs. Brooks. OK. And I left my services as U.S. attorney in '07, so things, I think, have changed pretty dramatically.
Then, in the second step, the conversation moves to encrypted discussions. Would that be correct? They encourage particularly young people to go to apps like WhatsApp, Kik, and others.

Mr. Cohen. Correct. They'll generally go trolling for a potential victim in an unencrypted app. Once they have a victim they think that they can perpetrate against, then they'll move to an encrypted communication now.

Mrs. Brooks. And then would it be fair to say that, through the relationship that has been developed, they typically encourage them to send an image?

Mr. Cohen. Correct. They're going to want that victim to do one compromising act that they can then exploit.

Mrs. Brooks. And that image is sent typically from one smartphone to another or from one smartphone to a computer?

Mr. Cohen. Generally from one smartphone to another in the United States involving an Android phone or an iPhone.

Mrs. Brooks. But this doesn't just happen in our country, correct?

Mr. Cohen. Correct. It's possible like never before for someone even in another country to victimize a child here in the U.S.

Mrs. Brooks. And in fact, so we have out-of-country perpetrators, as well as in-country perpetrators focusing on even out-of-country victims as well, is that right?

Mr. Cohen. Correct, ma'am, yes.

Mrs. Brooks. Then, are those typically encrypted? The transmission of those photos is typically encrypted?

Mr. Cohen. Yes, that's one of our challenges. The transmission is encrypted, as well as when the data sits at rest on the phones. It's encrypted there as well.

Mrs. Brooks. And you presenting that image to a jury if an individual is caught and is prosecuted, it is imperative, is it not, for you to present the actual image to a jury?

Mr. Cohen. Yes, ma'am. The metadata alone, who was talking with whom, doesn't matter. It's the content of the communication. It's the images that were sent and received.

Mrs. Brooks.
So if you can't get these encrypted images and the encrypted discussions, what do you have in court?

Mr. Cohen. We have nothing in court. We can't complete the investigation.

Mrs. Brooks. How do you find the victims?

Mr. Cohen. Oftentimes, we don't have a way of identifying the victims. They go unserved.

Mrs. Brooks. And can you please talk to us a bit more about what it is that you actually do to find the victims?

Mr. Cohen. We do everything we can. We try to look for legal solutions, meaning trying to get records from service providers, from the technology companies, trying to identify them through that. The challenge we encounter there many times, as Ms. Hess mentioned, is because of retention periods. The records no longer exist. The metadata no longer exists. And then we try to get the content and communication to show who was talking with whom, and oftentimes, we're unable to do that because of encryption.

Mrs. Brooks. And isn't it pretty common that when you find one of these phones or a computer or a perpetrator, there are usually thousands of images----

Mr. Cohen. Thousands----

Mrs. Brooks [continuing]. Involving multiple victims?

Mr. Cohen. Thousands or hundreds of thousands, and increasingly, we're finding those also in encrypted cloud storage sites like Dropbox and Google Drive and OneDrive.

Mrs. Brooks. And could you please just expand a little bit on what you previously started to answer, a potential solution with respect to firewalls?

Mr. Cohen. A potential solution is to provide a better firewall. Think of that as the vault door where the safety deposit box is. Think of that as the doors to the bank. So while you think of the actual locks on the bank deposit boxes as the encryption, you build firewalls around that. Those firewalls can, with legal process, be opened up, can--you can go inside it.
But just like a safety deposit box, if we go to the bank with a search warrant, the bank uses their key, we get a drill and we drill the customer's lock and we see what's inside the safety deposit box. I've done that dozens of times in the course of my career. The difference is, with encryption, my drill doesn't break the lock.

Mrs. Brooks. Thank you. I yield back.

Mr. Murphy. The gentlelady yields back. I now recognize Ms. Clarke for 5 minutes.

Ms. Clarke. I thank you, Mr. Chairman, and I thank our ranking member. In October of 2014, FBI Director Comey gave these remarks on encryption before the Brookings Institute: ``We in the FBI will continue to throw every lawful tool we have at this problem, but it is costly, it is inefficient, and it takes time. We need to fix this problem. It is long past time. We need assistance and cooperation from companies to comply with lawful court orders so that criminals around the world cannot seek safe haven for lawless conduct. We need to find common ground, and we care about the same things.'' So, Ms. Hess, I would like to ask this question of you. Other than tech companies creating back doors for law enforcement, what do you believe are some possible solutions to address the impasse between law enforcement's need to lawfully gain access to critical information and the cybersecurity benefits of strong encryption?

Ms. Hess. Yes, ma'am. And as previously stated, I really believe that certain industry leaders have created secure systems, but they are still yet able to comply with lawful orders. They're still able to access the contents to either--of those communications to either provide some protection for their customers against malicious software or some other types of articles. In addition to that, they're able to do it perhaps for business purposes or for banking regulations, for example. In addition to those solutions, we certainly don't stop there.
We look at any possible tools we might have in our toolbox, and that might include the things we previously discussed here today, whether that be individual solutions, metadata, whether it could be an increase in physical surveillance, but each of those things comes at a cost, and all of those things are not as responsive as being able to get the information directly from the provider.

Ms. Clarke. So do you believe that there is some common ground?

Ms. Hess. I do.

Ms. Clarke. To the other panelists, are there solutions that you can see that might solve this impasse?

Mr. Cohen. The solution that we had in place previously in which Apple, as an example, did hold a key, and as Chief Galati mentioned, that was never compromised so they could comply with the proper service of legal process. Essentially, what happened in this instance is Apple solved a problem that does not exist.

Chief Galati. I would say by Apple or other industries holding the key, it reduces at least the law enforcement having to go outside of those companies to find people that can get a solution. So, as mentioned earlier about the gray-hat hackers, they're going to be out there, but if the companies are doing it, it reduces the risk, I believe.

Ms. Clarke. Very well. In the San Bernardino case, press accounts indicate that the FBI has used the services of private sector third parties to work around the encryption of the iPhone in question. This case raises important questions about whether we want law enforcement using nongovernmental third-party entities to circumvent security features developed by private companies. So I have questions about whether this is a good model or whether a better model exists. Ms. Hess, assuming press accounts are true and you procured the help of a third party to gain access to that iPhone, why were you apparently not able to solve this problem on your own?

Ms. Hess. For one thing, as previously discussed, technology is changing very rapidly.
We live in such an advanced age of technology development, and to keep up with that, we do require the services of specialized skills that we can only get through private industry. And that partnership is critical to our success.

Ms. Clarke. So this is to the entire panel. Do you believe that the U.S. Government needs enhanced technological capabilities?

Chief Galati. I think it does. Private industry provides a lot of opportunity, so I think the best people that are out there are working for private companies and not working for the government.

Mr. Cohen. I agree with the chief. Essentially, we need the help of private industry, both the industry that makes that technology and others. We need industry to act as good corporate citizens and help us because we can't do it alone. There are over 18,000 police agencies in the United States, and while the FBI may have some technical ability internally, those other agencies do not. And as the chief mentioned, over 90 percent of all the investigations are handled at the State and local level. We need industry's help.

Ms. Clarke. Very well. I will yield back, Mr. Chairman.

Mr. Murphy. The gentlelady yields back. I now recognize Mr. Griffith for 5 minutes.

Mr. Griffith. Well, thank you all for being here for this important discussion that we are having today. I will tell you, we have to figure out what the balance is both from a security standpoint but also to make sure that we are fulfilling our obligations under our Constitution, which was written with real-life circumstances in mind where they said we don't want the government being able to come in and get everything. They were aware of the situation of general warrants both in London used against John Wilkes and the Wilkesite Rebellion.
And the Founding Fathers were also aware of James Otis and his fight in Massachusetts, which John Adams said sowed the seeds of the revolution when the British Government wanted to go from warehouse to warehouse looking for smuggled goods. So it is not an easy situation. I do have this question, though. Apparently, some researchers recently published the results of a survey of over 600 encrypted products that are available online, and basically they found that about 2/3 of them are foreign products. So the question would be, given that so many of the encrypted products could in fact be from companies not located or headquarters within the United States of America, if we force the companies that we do have jurisdiction over to weaken the security of their products, are we doing little more than hurting American industry and then sending the really bad actors like Mr. Fletcher, who is the child pornographer, just to a different format that we don't have control over? That is one question that I would ask all three of you.

Mr. Cohen. Right now, Google and Apple act as the gatekeepers for most of those encrypted apps, meaning the app is not available on the App Store for an iOS device. If the app was not available in Google Play for an Android OS device, a customer in the United States cannot install it. So while some of the encrypted apps like Telegram are based outside the United States, U.S. companies act as gatekeepers as to whether those apps are accessible here in the United States to be used.

Mr. Griffith. Chief?

Chief Galati. I would agree exactly what the captain said. And certain apps are not available on all devices, so if the companies that are outside the United States can't comply with the same rules and regulations of the ones that are in the United States, then they shouldn't be available on the app stores. For example, you can't get every app on a BlackBerry that you can on an Android or a Google.

Ms. Hess. Yes, sir, what you stated is correct.
And I think that certainly we need to examine how other countries are viewing the same problem because they have the same challenges as we speak and are having similar deliberations as to how their law enforcement might gain access to these communications as well. So as we move toward that, the question for us is what makes consumers want to buy American products? Is it because they are more secure? Is it because they actually cover the types of services that the consumers desire? Is it just because of personal preference? But at the same time, we need to make sure that we balance that security as well as the privacy that the consumers have come to expect.

Mr. Griffith. And I appreciate that. Captain Cohen, I am curious. You talked about the Fletcher case and indicated that the judge ordered that he give the password to the computer, but then you didn't get access to the thumb drive. Was the judge asked to force him to do that as well or----

Mr. Cohen. In that instance, the judge compelled him to provide it. He said it was not encrypted; the thumb drive is not encrypted. His defense expert disagreed with him and said it was encrypted. He then provided a password and failed a stipulated polygraph as to whether he knew the password and failed to disclose it. So every indication is he intentionally chose to not give the second password for that device.

Mr. Griffith. And was he held in contempt for that?

Mr. Cohen. Not that I--I do not believe he was.

Mr. Griffith. Look, obviously, if you can get the images, you have a better chance of finding the victim, but it is true that even before encryption, there was a great difficulty in finding victims even if you found a store of photographs in a filing cabinet? It is sometimes hard to track down the victims, isn't that correct?

Mr. Cohen. It is always very difficult to find child victims.

Mr. Griffith. It is. It is just a shame.
I like the concept, the visual of you are able to drill into the safety deposit box but you can't get into the encrypted computer or telephone. Is there a product out there that would be that limited? Because one of the problems that I know Apple has had is that they don't want to have a back door to every single phone that other folks can get a hold of and that the government could use at will, particularly governments maybe not as conscious of civil liberties as the United States. Do you know of any such a product that would give you that kind of specificity?

Mr. Cohen. Again, the specificity would be similar to what we had prior to Apple changing where the encryption key is kept, meaning that the legal process served on Apple, as an example, and Apple is the one to use the drill, not law enforcement. That helps provide another layer of protection against abuses by governments other than ours, meaning while they have that capability because they're inside the firewall, those outside the firewall, outside the vault, would have no ability to get access.

Mr. Griffith. Right. I appreciate it, and I yield back, Mr. Chairman.

Mr. Murphy. The gentleman yields back. I now recognize Mr. Welch for 5 minutes.

Mr. Welch. Thank you very much. First of all, I want to thank each of you for the work you and your departments do. It is astonishing times when the kind of crimes that all America is exposed to are happening and the expectation on the part of the public is somehow, someway you are going to make it right and you are going to make us safe. So I think all of us really appreciate your work. This issue, as you have acknowledged, is very, very difficult. I think if any of us were in your position, what we would want is access to any information that the Fourth Amendment allowed us to get in order for us to do our job. But there are three issues that are really difficult. One is the law enforcement issue that you have very clearly enunciated.
You have got probable cause, you go through the process of getting a warrant, you are entitled to information that is in the cabin or on the phone or in the house. Yet because of technology, we have these impediments to getting what you are legally authorized to get. I think all of us want you to be able to get the information that you rightfully can obtain. But the second issue that makes it unique almost is that in order for you to get the information, you have to get the active participation of an innocent third party who had nothing to do with the events, but who potentially can get the information for you. That is the whole Apple case. But it is a very complicated situation because it is not as though if you came with a warrant to my house for me to turn over information that I had, it is one thing if I just go in my drawer and give it to you. It is another thing if it is buried in the backyard and the order is that I have got to buy a backhoe or rent a backhoe and go out there and start digging around until I find it. Normally, that would be the burden on the law enforcement agency. So that is the second issue. How much can the government require a third party, a company or an individual, to actually use their own resources to assist in getting access to the information? And then the third issue that is really tough that Mr. Griffith was just acknowledging, we get a back door key, we trust you, but we have other governments that our companies are doing business with, and they get pressured to provide the same back door key, the key is lost, and then things happen with respect to privacy and security that you don't want to happen and that we don't want to happen. So this is a genuinely tough situation where, frankly, I am not sure there is an ``easy'' balance on this. So just a couple of questions. Ms. Hess, what would you see as the answer here? 
I know you want the information, but if the getting of the information requires me to hire a few people to work in the yard with the backhoe or Apple to really deploy high-cost engineers to come up with an entry key, are you saying that that is what should be required now?

Ms. Hess. Yes, sir. I think that the best solution is for us to work cooperatively with technology, with industry, and with academia to try to come up with the best possible solution. But with that, I would say that no investigative agency should forgo that for all other solutions. They should continue to drive forward with all solutions available to them.

Mr. Welch. All right. And, Chief, I will ask you. You are on the frontline there in New York all of the time, and is it your view that the right policy now would be for you, when you have probable cause to protect us--and we are all on the same page there--to force a technology company, at significant effort and expense, to assist in getting access to the information?

Chief Galati. So I would say up until a couple of years ago most of the technology companies--and they still do--have a law enforcement liaison that we work very closely with. For example, if it's Facebook or Google, even Apple where we have the ability to go to them with legal process, and they're providing us with the----

Mr. Welch. Right.

Chief Galati [continuing]. Search warrant results----

Mr. Welch. Yes. My understanding from talking to those folks is that if it is information like that is stored in the cloud, this is a situation with San Bernardino, there was a lot of stuff that was relatively easy to retrieve, and they do provide that. They do cooperate as long as you have the warrant. They do everything they can to accommodate those lawful requests from law enforcement. Has that been your experience?

Chief Galati. Yes. The cloud does have some issues because things can be deleted from the cloud and then never recovered.
If the phone is not uploaded to the cloud, then----

Mr. Welch. Right.

Chief Galati [continuing]. Things are lost. There's a very interesting----

Mr. Welch. Would you just acknowledge this? There is a significant distinction between a company turning over information that is easily retrievable in the cloud comparable to me going in my house and opening the drawer and giving you the information you requested versus a company that has to have engineers try to somehow crack the code so that they are very energetically involved in the process of decryption. That is a difference, you would agree?

Chief Galati. Yes, it is a difference, and I believe when they create the operating system, that's where they have to make that key available so that they don't have to spend the resources to crack a code rather have a new operating system that----

Mr. Welch. Thanks. Just one last thing. By the way, thank you for----

Mr. Murphy. Out of time.

Mr. Welch. Oh, I am over. All right. I just want to say I thought what Representative Clarke said about resources for you to let you do some of this work on your own really makes an awful lot of sense, but some of these conflicts are going to be--frankly----

Mr. Murphy. Thank you.

Mr. Welch [continuing]. As much as we want to say they are resolvable, they are tough to resolve. I am sorry. Thank you, Mr. Chairman.

Mr. Murphy. All right. I now recognize Mr. Mullin for 5 minutes.

Mr. Mullin. Well, as you can see that I think both sides up here in this committee, you can see we want to get to the real problem. We want to be helpful, not a hindrance. Obviously, all of us want to be safe, but we also want to make sure that we operate within the Constitution. And the technology is changing at such a pace that I know law enforcement has to do their job in staying with it because the criminals are always doing their job, too, like it or not. And if it changes, crimes change, we have to change the way we operate.
The concern is privacy obviously, and getting into that, Ms. Harris, some have argued that the expansion of connected devices through the Internet of Things with new surveillance tools and capabilities. Recently, the Berkman Center at Harvard University argues that the Internet of Things could potentially offset the government's inability to access encrypted technology for providing new paths for surveillance and monitoring. My question is, what is your reaction to the idea that the Internet of Things presents a potential alternative to accessing encrypted devices?

Ms. Hess. Certainly, sir, I do think that the Internet of Things and associated metadata presents us with opportunities to collect information and evidence that will be helpful to us in investigations. However, those merely provide us with leads or clues, whereas the real content of the communications is what we really seek in order to prove beyond a reasonable doubt in court in order to get a conviction.

Mr. Mullin. Could you expand a little bit on the content to what is in the device----

Ms. Hess. The actual content of communication.

Mr. Mullin [continuing]. Or the conversation that happens between the devices?

Ms. Hess. What the people are saying to each other as opposed to just who's communicating or at what location they were communicating. It's critically important to law enforcement to know what they said in order to prove intent.

Mr. Mullin. Is there something that we on this panel need to be--or, I say this panel, this committee should be looking at to help you to be able to gain access to that? Or since it is connected, do we need take any extra steps for you to be able to access that information?

Ms. Hess. Yes. And exactly to the point of the discussion here today is that we need to work with industry and with academia in order to come up with solutions so that we can access that content or so they can access it and provide it to us.

Mr. Mullin.
So the FBI is exploring the options, I am assuming?

Ms. Hess. We are, yes, sir.

Mr. Mullin. OK. Are there challenges or concerns using the growth of connected devices that you can see going down the road? Obviously, with the technology changing rapidly today, what are some of the challenges that you are facing?

Ms. Hess. Certainly, as more and more things in today's world become connected, there's also an increasing demand for encrypting those particular services, those particular devices and capabilities, and that's well-warranted and well-merited. But again, it presents a challenge for us. As metadata is increasingly encrypted, that presents a challenge for us as well. We need to be able to access the information, but more importantly, the content. In other words, if a suspect's toaster is connected to their car so that they know it's going to come on at a certain time, that's helpful, but it doesn't help us to know the content of the communication when it comes to----

Mr. Mullin. Sure.

Ms. Hess [continuing]. Developing plots.

Mr. Mullin. So is there a difference between, say, the FBI, the way you have to operate, Captain Cohen, and the way that you have to operate?

Mr. Cohen. There's not much of a difference because, quite candidly, we work very well together. But you asked about additional challenges, in February Apple announced that it plans to tie the same encryption key to the iCloud account. So, as an example, the content that's currently in that cloud system, iCloud, Apple has announced publicly they plan to make that encrypted and inaccessible with the service of legal process. So that's one of the challenges that you asked about that we're looking at is we're going to lose that area of content as well.

Mr. Mullin. So I just assume that everything I do online for some intended purpose is out there and people are going to be able to retrieve it. I don't assume any privacy really when it is on the Internet.
Could that analogy hold up true or should we be expecting a sense of privacy when it is on the Internet? I mean, we put it out there. Mr. Cohen. Sir, I believe we should all expect a sense of privacy on the Internet, a sense of privacy when we talk in a restaurant, when we talk on the telephone, landline or cellular, that privacy cannot be completely absolute. We need to have, when we serve a legal process--a search warrant is an example--have the ability. The Constitution protects us from unreasonable searches and seizures, not all searches and seizures. So we have our private companies without checks and balances protecting everyone against all searches. Mr. Mullin. Chief, do you have an opinion on this? Chief Galati. Yes. I agree also. On the Internet you have a right to privacy, and most of these apps and programs give you privacy settings so nobody can get at it. I think when you get into the criminal world or the malicious criminal intent, that's when law enforcement has to have the ability to go in and see what you have on there. Mr. Mullin. Thank you. I yield back. Mr. Murphy. Thank you. Mr. Pallone is recognized for 5 minutes. Mr. Pallone. Thank you, Mr. Chairman. I never cease to be amazed at how complex an issue this is and it requires balancing various competing values and societal goals, yet much of the public debate is focused on simplified versions of the situation. They are painted in black and white, and there seems to be some misunderstanding that we have to either have cybersecurity or no protection online at all. We have heard that the limitations encryption places on law enforcement access to information puts us in danger of going dark. By contrast, we have heard that law enforcement now has access to more information than ever, the so-called golden age of surveillance. 
At Harvard at the Berkman Center there was a report titled ``Don't Panic: Making Progress on the 'Going Dark' Debate'' that concludes, ``The communications of the future will neither be eclipsed in the darkness or illuminated without shadow.'' And I think that is a useful framework to view the issue, not as a binary choice between total darkness or complete illumination, but rather a spectrum. I think it is fair to say there have been and always will be areas of darkness where criminals are able to conceal information, and no matter what, law enforcement has a tough job. But the question is how much darkness is too much? So I wanted to ask you all--this is for any of you--about some key questions on this spectrum. Where are we on the spectrum? Currently, where should we be on the spectrum? If we are not in the right place, how do we get there? Let me start with Ms. Hess and then whoever else wants to say something. Ms. Hess. Yes, sir. As far as the amount of information that we can receive today, I think, yes, it is true we do receive more information today than we received in the past, but I would draw an analogy to the fact that the haystack has gotten bigger but we're still looking for the same needle. And the challenge for us is to figure out what's important and relevant to the investigation. We're now presented with this volume of information. And the problem additionally with that is that what we are collecting, what we are able to see is, for example, who's communicating with who or potentially what IP addresses are communicating with each other, the location, the time, perhaps the duration, but not the content of what they were actually saying. Mr. Pallone. Chief, did you want to add to that? Chief Galati. I do agree that the Internet has provided a lot more information to police that we can go out and we can find public records, we can find records within police departments throughout the country. 
So to police, the Internet has made things a little bit easier. However, the encryption is taking all of those gains away, and I think the more and more we go towards encryption, the harder it's going to be to really investigate and conduct long-term cases. We do a lot of cases in New York about gangs, drug gangs. We call them crews. And it's very vital, all the information that we get from people on the Internet that sometimes are very public out there. Now they're switching over to encrypted, and it's making those long-term cases--or those, I guess, to call them similar to RICO cases--very, very difficult to put together because we're in the blind. Mr. Pallone. All right. Captain, did you want to---- Mr. Cohen. I see it where we have a lack of information that I've not seen before in my 20 years of investigations, to be able to do criminal investigations not solely by encryption but also as it interrelates to retention of information and the lack of legislation related to data retention with internet service providers similar to what there is with the banking industry, as well as our inability to serve legal process on companies that are either located out of the United States or some that store data outside the United States. I see it as all interrelated issues, which together conspire to make it more difficult than ever before for me to gather the information I need to functionally conduct a criminal investigation. So on the spectrum that you asked about, I see it far to the extent of we're losing the ability to access information that we need to rescue victims and solve crimes. Mr. Pallone. Thank you. I think my second question to some extent you already answered, but if anybody wants to, the second question is where do you see the trend moving? Are we comfortable with where we are headed or are the technological trends such as increasing a stronger encryption leaving us with too much darkness? 
But you answered that, unless anybody wants to add to what they said. Yes, Ms. Hess? Ms. Hess. Yes, sir. I do see that increasingly, technology platforms continue to change and they continue to present challenges for us that I provided in my opening statement. In addition to that, we try to figure out how we might be able to use what is available to us, and we are constantly challenged by that as well. For example, some companies may not know what exactly or how to provide the information we are seeking. And it's not just a matter of needing that information to enable us to see the content or enable us to see what people are saying to each other, it's also a matter of being able to figure out who we should be focusing on more quickly so that if we could get that information, we're able to target our investigations more appropriately and be able to exonerate the innocence--the innocent as well as identifying the guilty. Mr. Pallone. Thank you. I am going to end with that, but I just wanted to ask obviously that you continue to engage with us to help us answer these questions, not just with what you are saying today but a constant dialogue is what we need. Thank you, Mr. Chairman. Mr. Murphy. Thank you. I now recognize Dr. Burgess for 5 minutes. Mr. Burgess. Thank you. And thank you all for being here. I just acknowledge there is another hearing going on upstairs, so if some of us seem to be toggling back and forth, that is exactly what is happening. So, Ms. Hess, let me just ask you a couple of questions if I could. There is another subcommittee at the Energy and Commerce Committee called the Commerce, Manufacturing, and Trade Subcommittee. And we are working very closely with the Federal Trade Commission, which is under our jurisdiction, that subcommittee, on the issue of data breach notification and data security. A component of that effort has been the push for companies to strengthen data security. 
One of those ways perhaps could be through encryption, and the FTC will look at a company's security protocols for handling data when it reviews whether or not the company is fulfilling its obligations, protecting its customers. So has the FBI had any discussions with the Federal Trade Commission over whether the back doors or access points might compromise the secured data? Ms. Hess. Yes, sir. We've engaged in a number of conversations among the interagency, with other agencies, with industry, with academia. I can get back to you as far as whether we specifically met with the Federal Trade Commission. Mr. Burgess. That would be helpful as, again, we are actually trying to work through the concepts of more in the retail space bit of data security. Data security is data security, regardless of who is harmed in the process, and data security is national security writ large. So that would be enormously helpful. Let me just ask you a question that is probably a little bit off-topic, but I can't help myself. One of the dark sides for encryption is if someone comes in and encrypts your stuff and you didn't want it encrypted, and then they won't give it back to you unless you fork over several thousand dollars in bitcoins to them in some dark market. So what is it that the committee needs to understand about that ransomware concept that is going on currently? Ms. Hess. Yes, sir, ransomware is an increasing problem that we're seeing and investigating on a regular basis now. And I think that certainly to exercise good cybersecurity hygiene is important, to be able to back up systems, to have the capability to access that information is important, to be able to talk to each other about what solutions might be available, to be able to fall back to some other type of backup solutions so that you aren't beholden to any particular ransom demands. Mr. Burgess. And of course that is critically important. I am a physician by background. 
Some of the ransomware has, of course, occurred in hospitals and medical facilities. And I will just offer an editorial comment for what it is worth. I just cannot imagine going into an ICU some morning and asking to see the data on my patient and being told it has been encrypted by an outside source, we can't have it, Doctor. When you catch those people, I think the appropriate punishment is shot at sunrise, and I wouldn't put a lot of appeals between the action and the reaction. Thank you, Mr. Chairman. I will yield back. Mr. Murphy. I now recognize Mr. Yarmuth for 5 minutes. Mr. Yarmuth. Thank you, Mr. Chairman. Thanks to the witnesses for your testimony. I find it hard to come up with any question that is going to elicit any new answers from you, and I think your testimony and the discussion that we have had today is an indication of how difficult the situation is. It sounds to me like there is a great business opportunity here somewhere, but probably you don't have the budget to pay a business what they would need to be paid to get the information that you are after, so that may not be such a good business opportunity after all. I do want to ask one question of you, Ms. Hess. In your budget request for fiscal year '17, you request more than $38 million to deal with the going-dark issue, and your request also says that it is non-personnel. So it seems to me that personnel has to be a huge part of this effort, so could you elaborate on what your budget request involves and what you plan to do with that? Ms. Hess. 
Yes, sir, at a higher level, essentially, we're looking for any possible solutions, any possible tools we might be able to throw at the problem, all the different challenges that we encounter, and whether that's giving us the ability to be better password-guessers or whether that's the ability to try to develop solutions where we might be able to perhaps exploit some type of vulnerability, or maybe that's perhaps a tool where we might be able to make better use of metadata. All of those things go into that request so that we can try to come up with solutions to get around the problem we're currently discussing. Mr. Yarmuth. OK. Well, I don't know enough to ask anything else, so unless anyone else is interested in my time, I would yield back. Thank you, Mr. Chairman. Mr. Murphy. Thank you. The gentleman yields back. I now recognize Mr. McKinley for 5 minutes. Mr. McKinley. Thank you, Mr. Chairman. I have been here in Congress for 5 1/2 years now, and we have been talking about this for all 5 1/2 years. And I don't see much progress being made with it. And I hear the frustration in some of your voices, but I was hoping we were going to hear today more specifics. If you could pass the magic wand, what would it be? What is the solution? I think you started to hint toward it, but we didn't get close enough. So one of the things I would like to try to understand is how we differentiate between privacy and national security. I don't feel that we have really come to grips with that. I don't know how many people are on both sides of that aisle. I really don't care. I am very concerned about national security as it relates to encryption. Just this past weekend there was a very provocative TV show. Sixty Minutes came out about the hacking into cell phones. About a year ago we all were briefed. It wasn't classified. It was where Russia hacked in and shut down the electric grid in Ukraine, the impact that could have, that a foreign government could have access to it. 
And just this past week at town hall meetings back in the district, twice people raised the issue about hacking into and shutting down the electric grid. And it reminded me of some testimony that had been given to us about a year ago on the very subject when one of the presenters like yourself said that, within 4 days, a group of engineers in America or kids could shut down the grid from Boston down through--I am trying to think; where was it--from Boston to New York you could shut down in just 4 days. I am very concerned about that, that where we are going with this, this whole issue of encryption and protection. So, Mr. Galati, if I could ask you the question. Just how confident are you that the adequacy of the encryption is protecting our infrastructure in your jurisdiction? Chief Galati. Well, sir, cybersecurity and infrastructure is very complicated, and we have another whole section in the police department and in the city that monitors, works very closely with all the agencies such as Con Ed, DEP, and so on. We also work very closely with the FBI and their joint cyber task force to monitor cyber threats---- Mr. McKinley. OK. But my question really is, how do you feel, because everyone comes in here, and when I have gone to the power companies with--I don't need to elicit their names, but all of them have said we think we have got it. But yet during that discussion on 60 Minutes, this hacker that was there, he is a professional hacker, he said I can break into any system, any system. So my question more, again, back to you is how confident are you that this system is going to work, that it is going to be protected? Chief Galati. Well, I think with all the agencies that are involved in trying to protect critical infrastructure, and I think that there is a big emphasis in New York--I'll speak about New York--working with multiple agencies. We're looking at vulnerabilities to the system. 
I do think that is an encryption issue, but again, I think what I was speaking about more when it came to encryption is more about communications and investigating crimes or terrorism-related offenses. Mr. McKinley. It is beyond your jurisdiction then on that. How about---- Chief Galati. That is not an area that I would comment. Mr. McKinley. OK. How about you in Indiana? Mr. Cohen. What are you talking about? Control systems being compromised? Again, we're talking about firewalls, not encryption. We're talking about the ability for someone to get inside the system, to have the password, to have the passphrase, something like that to get the firewall. So encryption of data in motion as an example would not protect us from the types of things you're talking about to be able to shut down a power grid. It's noteworthy that I saw that 60 Minutes piece, and what that particular hacker was able to exploit would not have been fixed by encryption. That is a separate system related to how the cellular--how our cell system works essentially, completely separate, unrelated from the issue of encryption. So what I can say is having more robust encryption would not fix either of those problems. Mr. McKinley. Thank you. Mr. Cohen. And I lack the background to be able to tell you specifically do I feel confident or not confident about how the firewalls are right now in the systems you asked about. Mr. McKinley. Ms. Hess, boiler up, by the way. And so---- Ms. Hess. Yes---- Mr. McKinley [continuing]. And so my question back to you is same to you. How would you respond to this? Ms. Hess. Yes, sir. I think that, first off, I don't think there's any such thing as 100 percent secure---- Mr. McKinley. Right. Ms. Hess [continuing]. Anything as a truly secure solution. 
With that said, I think that it is incumbent upon all of us to build the most secure systems possible, but at the same time, we're presenting to you today the challenge that law enforcement has to be able to get or access or be provided with the information we seek pursuant to a lawful order, a warrant that has been signed by a judge, be able to get the information we seek in order to prove or to have evidence that a crime has occurred. Mr. Yarmuth. Thank you. I yield back my time. Mr. Murphy. Thank you. I now recognize Mr. Tonko for 5 minutes. Mr. Tonko. Thank you, Mr. Chair, and thank you to our witnesses. I am encouraged that here today we are developing dialogue which I think it is critical for us to best understand the issue from a policy perspective. And there is no denying that we are at risk with more and more threats to our national security, including cyber threats, but there is also a strong desire to maintain individual rights and opportunity to store information and understand and believe that it is protected. And sometimes those two are very difficult. There is a tender balance that needs to be struck. And so I think, you know, first question to any of the three of you is, is there a better outcome in terms of training? Do you believe that there is better dialogue, better communication, formalized training that would help the law enforcement community if they network with these companies that develop the technology? I am concerned that we don't always have all of the information we require to do our end of the responsibility thing here. Ms. Hess? Ms. Hess. Yes, sir. I do think that certainly in today's world we need people who have those specialized skills, who have the training, who have the tools and the resources available to them to be able to better address this challenge. But with that said, there is still no one-size-fits-all solution to this. Mr. Tonko. Anything, Chief or Captain, that you would like to add? Chief Galati. 
I would just say that we do work very closely with a lot of these companies like Google, and we do share information and also at times work on training among the agency and the company. So there is cooperation there, and I think that it can always get better. Mr. Tonko. And, Ms. Hess, in this encryption debate, what specifically would you suggest the FBI is asking of the tech community? Ms. Hess. That when we present an order signed by an independent, neutral judge, that they are able to comply with that order and provide us with the information we are seeking in readable form. Mr. Tonko. OK. And also to Ms. Hess, is the FBI asking Apple and possibly other companies to create a back door that would then potentially weaken encryption? Ms. Hess. I don't believe the FBI or law enforcement in general should be in the position of dictating to companies what the solution is. They have built those systems. They know their devices and their systems better certainly than we do and how they might be able to build some type of the most secure systems available or the most secure devices available, yet still be able to comply with orders. Mr. Tonko. Do you believe that the type of assistance that you are requesting from tech companies would lead to any unintended consequences such as a weakened order of encryption? Ms. Hess. I believe it's best for the tech companies to answer that question because, as they build the solutions to be able to answer these orders, they would know what those vulnerabilities are or potentially could be. Mr. Tonko. I thank you. Another potential unintended consequence of U.S. law enforcement gaining special access may be the message that they are sending to other nations. Other countries that seek to stifle dissent or oppose their citizens may ask for such tools as well. Right now, even if other countries start to demand such a workaround, Apple and other technology companies can legitimately argue that they do not have it. So, Ms. 
Hess, how would you respond to this argument that requiring tech companies to help subvert their own encryption establishes precedence that could endanger people around the world who rely on protected communications to shield them from despotic regimes? Ms. Hess. Yes, sir. I would say, first, that in the international community--and we've had a number of conversations with our partners internationally--that this is a common problem among law enforcement throughout the world. And so as we continue to see this problem, obviously, there are international implications to any solutions that might be developed. But in addition to that, what we seek is through a lawful order with the system that we've set up in this country for the American judicial system to be able to go to a magistrate or a judge to get a warrant to say that we believe-- we have probable cause to believe that someone or some entity is committing a crime. I believe that if other countries had such a way of doing business, that that would probably be a good thing for all of us. Mr. Tonko. And Chief Galati or Captain Cohen, do you have anything to add to what was shared here by Ms. Hess? Mr. Cohen. In preparing for the testimony, I saw several news stories that said that Apple provided the source code for iOS to China as an example. I don't know whether those stories are true or not. I also tried to find an example of Apple answering a question under oath and did not find that. I noted that Apple said they could not--did not provide a back door to China but did not talk about the source code. The source code for the operating system would be the first thing that would be needed to hack into an iPhone as an example. And I know that they have not provided that source code to U.S. law enforcement. Mr. Tonko. OK. Thank you. My time is exhausted, so I yield back, Mr. Chairman. Mr. Murphy. Yield back. Thank you. Mr. Hudson, you are recognized for 5 minutes. Mr. Hudson. Thank you, Chairman. 
I would like to thank the panel for being here today. Thank you for what you do to keep us safe. Ms. Hess, as more and more of our lives become part of the digital universe, everything from communications to medical records, home security systems, the need for strong security becomes all that more important. At the same time, however, it naturally suggests a massive increase in our digital footprint and the amount of information about individuals that becomes available on the Internet. Does this present an opportunity for law enforcement to explore new, creative ways to conduct investigations? I know we have talked a little bit about metadata, and while that may not be a good solution, but new forms of surveillance or other options that maybe we haven't discussed yet. Ms. Hess. Yes, sir. I do believe that we should make every use of the tools that we've been authorized by Congress, the American people to use. And if that pertains to metadata or other types of information we might be able to get from new technologies, then certainly we should take advantage of that in order to accomplish our mission. But at the same time, clearly, these things have presented challenges to us as well, as previously articulated. Mr. Hudson. Well, have you and others in the law enforcement community engaged with the technology community or others to explore these other types of opportunities or look at potential ways to do this going forward? Ms. Hess. Yes, sir, we're in daily contact with industry and with academia in order to try to come up with solutions, in order to try to come up with ways that we might be able to get evidence in our investigations. Mr. Hudson. And what have you learned from those conversations? Ms. Hess. Clearly, technology changes on a very, very rapid pace. 
And sometimes, the providers or the people who build those technologies may not have built in or thought to build in a law enforcement solution, a solution so that they can readily provide us with that information even if they want to. And in other cases, perhaps it's the way they do business, that they might not want to be able to readily provide that information or they just may not be set up to do that either because of resources or just because of the proprietary way that their systems are created. Mr. Hudson. I see. The other members of the panel, do you have any opinion on this? Chief Galati. I would just say that as technology advances, it does create a lot of new tools for law enforcement to complete investigations. However, as those advances, as we start using them, we also see them shrinking away, for--with encryption especially, locking things that we recently were able to obtain. Mr. Hudson. Got you. You don't have to--OK. To all of you, I recently read about the CEO of MSAB, a technology company in a Detroit News article. It says there is a way for government to access data stored on our phones without building a back door to encryption. His solution is to build a two-part decryption system where both the government and the manufacturer possess a unique decryption key, and then only with both keys, as well as the device in hand, could you access the encrypted data on the device. I am not an expert on decryption so I must ask, is such a solution achievable? And secondly, have there been any discussions between you all, the law enforcement community, with the tech community or tech industry regarding a proposal like this or something similar that would allow safe access to the data without giving a key so to speak to one entity? Is that---- Mr. Cohen. To answer your question, that paradigm would work. That's very similar to that paradigm of the safety deposit box in a bank where you have two different keys. 
And that would work, but it would require the cooperation of industry. Mr. Hudson. Anything to add? Ms. Hess. What I was going to say---- Mr. Hudson. OK. Ms. Hess [continuing]. Yes, sir. Mr. Hudson. Well, we will get a good chance to hear from industry on our next panel, but I was trying to explain this to one of my staffers and I said did you see the new Star Wars movie? Well, the map to find Luke, BB-2 had part of it--or BB-8 and R2-D2 had the other half so you got to put them together. They were like, oh, I get it now. Anyway, I think it is important that law enforcement and technology work together, continue to have these discussions. So I want to thank the chairman for giving us this opportunity to do that. And I thank you all for being here. And with that, I will yield back. Mr. Murphy. The gentleman yields back. I recognize the vice chair of the full committee, Mrs. Blackburn, for 5 minutes. Mrs. Blackburn. Thank you, Mr. Chairman, and thank you to the witnesses. I am so appreciative of your time. And I am appreciative of the work product that our committee has put into this. Mr. Welch and I, with some of the members that are on the dais, have served on a privacy and data security task force for the committee looking at how we construct legislation and looking at what we ought to do when it comes to the issues of privacy and data security and going back to the law and the intent of the law. I mean, Congress authorized wiretaps in 1934, and then in '67 you come along and there is the language, you have got Katz v. the U.S. that citizens have a reasonable expectation of privacy. And we know that for you in law enforcement you come up upon that with this new technology that sometimes it seems there is the fight between technology and law enforcement and the balance that is necessary between that reasonable expectation and looking at your ability to do your job, which is to keep citizens safe. So I thank you for the work that you are doing in this realm. 
And considering all of that, I would like to hear from each of you, and, Ms. Hess, we will start with you and just work down the panel. Do you think that at this point there is an adversarial relationship between the private sector and law enforcement? And if you advise us, what should be our framework and what should be the penalties that are put in place that will help you to get these criminals out of the virtual space and help our citizens know that their virtual ``you,'' their presence online is going to be protected but that you are going to have the ability to help keep them safe? So kind of a loaded question. We have got 2 minutes and 36 seconds, so it is all yours, and we will move right down the line. Ms. Hess. Yes, ma'am. As far as whether there is an adversarial relationship, my response is I hope not. Certainly, from our perspective in the FBI we want to work with industry, we want to work with academia. We do believe that we have the same values. We share the same values in this country, that we want our citizens to be protected. We also very much value our privacy, and we all do. I think, as you noted, for over 200 years we--this country has balanced privacy and security. And these are not binary things. It shouldn't be one or the other. It should be both working cooperatively together. And how do we do that? And I don't think that's for the FBI to decide, nor do I think it's for tech companies to decide unilaterally. Mrs. Blackburn. No, it will be for Congress to decide. We need your advice. Chief Galati. I think that it's not an adversarial relationship either. I mean, there are so many things that we have to work with all the big tech companies, Twitter, Google, Facebook, on threats that are coming in on a regular basis. So they are very cooperative and we do work with them in certain areas. This is a new area that we're going into, but right now, I would say it's not adversarial. They're actually very cooperative. Mr. Cohen. 
I agree with the other two that it's not an adversarial relationship, but as you mentioned, some of these statutes that authorize wire tap, lawful interception, authorize the collection of evidence, they have not been updated recently. And as technology at an exponential pace evolved, some of the statutes have not evolved to keep up with them. And we just lack the technical ability at this point to properly execute the laws that Congress has passed because the technology has bypassed the law. Mrs. Blackburn. OK. And we would appreciate hearing from you as we look at these updates. The physical space statutes are there, but we need that application to the virtual space. And this is where it would be helpful to hear from you. What is that framework? What are those penalties? What enables you to best enforce? And so if you could just submit to us. I am running out of time, but submit to us your thoughts on that. It would be helpful and we would appreciate it. Mr. Chairman, I yield back. Mr. Murphy. The gentlelady yields back. I now recognize Mr. Cramer for 5 minutes. Mr. Cramer. Thank you, Mr. Chairman, and thank all of you. It is refreshing to participate in a hearing where the people asking the questions don't know the answer until you give it to us. That is really cool. I want to go in real specifically on the issue of breaking modern encryption by brute force as we call it, and that is the ability to apply multiple passcodes and, perhaps an unlimited number of passcodes until you break it. That is sort of the trick here, and with the iPhone specifically, there is this issue of the data destruction feature. Would removing the data destruction feature sort of be at least a partial solution to your side of the formula? In other words, we are not creating the back door but we are removing one of the tools. And I am just open-minded to it and looking for your out-loud thoughts on that issue. Ms. Hess. Yes, sir, if I may. 
Certainly, that is one potential solution that we do use and we should continue to use. To be able to guess the right password is something that we employ in a wide variety and number of investigations. The problem and the challenge is that sometimes those passcode lengths may get longer and longer. They may involve alphanumeric characters. They may present to us special challenges that it would take years, if ever, to actually solve that problem, regardless of what type of computing resources we might apply. And so to that point, we ask our investigators to help us be better guessers in order to come up with information or intelligence that might be able to help us make a better guess. But that's not always possible.

Mr. Cramer. But if I might, with the "you get 10 tries and you are out" data destruction feature that iPhone utilizes, that makes your job all the more difficult. It would be expanding that from 10 to 20 or unlimited or is there some--I am not looking for a magic formula, but it seems to me there could be some way to at least increase your chances.

Ms. Hess. Yes, sir, and one of the things that does quite clearly present to us a challenge is that usually it takes us more than 10 guesses before we get the right answer, if at all. And in addition to that, many companies have implemented services or types of procedures so that there is a time delay between guesses. So after five guesses, for example, you have to wait a minute or 15 minutes or a day in order to guess between those passcodes.

Mr. Cramer. Others?

Mr. Cohen. I don't think personally that the brute-force solution would provide a substantive solution to the problem. As Ms. Hess mentioned, oftentimes that delay is built in. iOS, as an example, went from a four-digit pin to a six-digit pin so what you're doing is increasing the number of guesses to guess it right.
So if you were to, as an example, legislate that it would not wipe the data and override the data after a specific period of time, you would also have to write in that passcodes could only be of a certain complexity, a certain length----

Mr. Cramer. Sure.

Mr. Cohen [continuing]. And that would degrade security. What is important to understand is we want security, we want hard encryption but also need a way to quickly be able to access that data because the investigations I work, oftentimes, I'm running against the clock to try to identify a child victim. And being able to brute force that----

Mr. Cramer. Sure.

Mr. Cohen [continuing]. Even a matter of days, let alone weeks or months, that's not fast enough.

Mr. Cramer. Yes. Wow. Well, thanks for your testimony and all that you do. I yield back.

Mr. Murphy. Our tradition is to allow someone outside the committee if they want to ask questions. Mr. McNerney, you are recognized for 5 minutes.

Mr. McNerney. I thank the chairman for his courtesy, and I thank the witnesses for your service to our country. I heard at least one of you state in your opening testimony that Congress is the correct forum to make decisions on data security, and I agree with that. However, encryption and related issues are technical, they are complicated. Most Members of Congress aren't really experts in these areas. Therefore, it is appropriate that Congress authorize a panel of experts from relevant fields to review the issues and advise the Congress. The McCaul legislation does exactly that. Do each of you agree with that approach, the McCaul legislation?

Ms. Hess. I believe we do need to work with industry and academia and all the relevant parties in order to come up with the right solution, yes, sir.

Mr. McNerney. So you would agree that that is the right approach, to convene a panel of experts in cybersecurity, in privacy, and so on?

Ms. Hess.
I believe that construct, we--there are varying aspects of that construct, but yes, that premise I would agree with.

Mr. McNerney. OK. Captain, Chief?

Chief Galati. Sir, I really couldn't comment because I haven't seen that bill.

Mr. McNerney. OK. Basically, it would----

Chief Galati. I do agree with Ms. Hess that we need to work together. I think we need to have a panel of experts that can advise and work with Congress. I do believe that the answer is in Congress, so I do agree with the principle of it.

Mr. McNerney. OK. Thank you. Captain?

Mr. Cohen. Whatever paradigm helps Members of Congress feel comfortable that they are properly balancing civil liberties and security versus the ability for law enforcement to do proper investigations. Whatever paradigm serves that purpose I fully support.

Mr. McNerney. Thank you. Chief Galati and Captain Cohen, you have illuminated some of the information that has been available before in cell phones but no longer is available because of encryption and I thank you for doing that. I was a little in the dark about that. What haven't we heard, though, about information that is now available that wasn't available in the past because of technology?

Mr. Cohen. Sir, I'm having problems thinking of an example of information that's available now that was not before. From my perspective, thinking through investigations that we previously had information for, when you combine the encryption issue along with shorter and shorter retention periods for internet service providers--I mean, keeping their records, both metadata and data for shorter periods of time available to legal process. I mean, I can definitely find an example of an avenue that's available that was not before.

Chief Galati. Sir, I would only say I've been in the police department for 32 years, so technology really has opened up a lot of avenues for law enforcement.
So I do think there is a lot of things that we are able to obtain today that we couldn't obtain 10 or 20 years ago. So--and technology has helped law enforcement. However, the encryption issue and I think the issue that we're speaking on today is definitely eliminating a lot of those gains we've made.

Mr. McNerney. Thank you. Ms. Hess, requiring back-door or exceptional access would drive customers to overseas suppliers, and if so, we would gain nothing by requiring back-door or exceptional access. Do you agree or disagree with that?

Ms. Hess. I disagree from the sense that I think many countries are having the same conversation, the same discussion currently because law enforcement in those countries has the same challenges that we do. And so I think this will just continue to be a larger and larger issue. So while it may temporarily drive certain people who may decide that it's too much of a risk to be able to do business here in this country, I don't think that that's the majority. I think the majority of consumers actually want good products, and those products are made here.

Mr. McNerney. Well, thank you for calling out the quality of American products. I appreciate that, especially since my neighbor here and I represent the part of California where those products are developed. But I think there is always going to be countries where products are available that would supersede whatever requirements we make. Also, requiring back-door access would alert potential bad actors that there are weaknesses designed into our system and motivate them to try to find those weaknesses. Do you agree with that or not?

Ms. Hess. I don't believe there's anything such as a 100 percent secure system, so I think there will always be people who are trying to find and exploit those vulnerabilities.

Mr. McNerney. But if we design weaknesses into the system and everybody knows about it, they are going to be looking for those and those are design weaknesses.
I mean, I don't see how that could further security of critical infrastructure and so on. Well, I guess my time is expired, Mr. Chairman.

Mr. McKinley [presiding]. Thank you. And the chair recognizes Congressman Bilirakis for his 5 minutes.

Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it so very much. Ms. Hess, thanks for participating in today's much-needed hearing. I appreciate the entire panel. We are certainly at a crossroads of technology and the law, and having you and the FBI perspective is imperative in my opinion. I have a question about timing. The recent debate has been revived as technology companies are using strong encryption, and you described the problem as growing. What will a hearing like this look like a year from now, 2 years from now? What do you perceive is the next evolutionary step in the encryption debate so we can attempt to get ahead of it? And as processors become faster, will the ability to encrypt keep increasing?

Ms. Hess. Yes, sir. My reaction to that is that if things don't change, then this hearing a year from now, we would be sitting here giving you examples of how we were unable to solve cases or find predators or rescue victims in increasing numbers. And that would be the challenge for us is how can we keep that from happening and how might we be able to come up with solutions working cooperatively together.

Mr. Bilirakis. Thank you. Again, next question is for the entire panel, please. What have been some successful collaboration lessons between law enforcement and software or hardware manufacturers dealing with encryption? And are there any building blocks or success stories we can build upon, or have the recent advancements in strong encryption made any previous success obsolete? For the entire panel. Who would like to go first? Ms. Hess?

Ms. Hess. Yes, sir. I apologize but could I ask you to--I'm not 100 percent clear on that question.

Mr. Bilirakis. OK. Let me repeat it.
For the entire panel again, what have been some successful collaboration lessons between law enforcement and software or hardware manufacturers dealing with encryption? That is the first question. Are there any building blocks or success stories we can build upon, or have the recent advancements in strong encryption made any previous success obsolete?

Ms. Hess. Yes, sir. Certainly, we deal with industry on a daily basis to try to come up with the most secure ways of being able to provide us with that information and still be responsive to our request and our orders. I think that building on our successes from the past, clearly, there are certain companies, for example, as has already been stated here today that fell under CALEA and those CALEA-covered providers have built ways to be able to respond to appropriate orders. And that's provided us with a path so that they know when they build those systems what exactly we're looking for and how we need to receive that information.

Mr. Bilirakis. Sir?

Chief Galati. I'm sorry, sir. I really couldn't comment on that. That's not really an area of expertise of mine.

Mr. Cohen. I concur with what Ms. Hess said. There are a few technology companies that have worked with law enforcement to provide a legal solution, and they've done that voluntarily. So we know the technological solution. They provide a legal solution such that we can access data.

Mr. Bilirakis. Thank you.

Mr. Cohen. And building on those collaborations and having other industry members follow in that path would be of great help.

Mr. Bilirakis. Thank you. Next question for the panel, what percentage of all cases are jeopardized due to the suspect having an encrypted device, whether it is a cell phone, laptop, desktop, or something else?
I recognize that some cases such as pornography, it may be 100 percent impossible to charge someone without decrypting their storage device, but what about the other cases where physical evidence or other evidence might be available? Does metadata fill in the gaps? And for the entire panel, let's start with Ms. Hess, please.

Ms. Hess. Yes, sir, we are increasingly seeing the issue. Currently, in just the first 6 months of this fiscal year starting from last October we're seeing of--in the FBI the number of cell phones that we have seized as evidence, we're encountering passwords about 30 percent of the time, and we have no capability around 13 percent of that time. So we're seeing those numbers continue to increase, and clearly, that presents us with a challenge.

Mr. Bilirakis. Thank you.

Chief Galati. Sir, I'll give you some numbers. We have approximately 102 devices that we couldn't get in, and these are 67 of them being Apple devices. And if I just look at the 67 Apple devices, 10 of them are related to a homicide, two to rapes, one to a criminal sex act, and two are related to two members of the police department that were shot. So we are seeing an increase as we go forward of not getting the information out of the phones. One thing I will say is it doesn't always prevent us from making an arrest. However, it just doesn't present all the evidence that's available for the prosecution.

Mr. Cohen. And to expand on what the chief said, that can be incriminating evidence or that can be exculpatory evidence, too, that we don't have access to. On the Indiana State Police, the sad part is when our forensic examiners get called, we ask a series of questions now of the investigator, is it an iPhone, which model? And if we're told it's a model, as an example, 5S or newer or on a 64-bit operating system and it's encrypted, we don't even take that as an item of evidence anymore because we know that there is no technical solution.
So the problem is we never know what we don't know. We don't know what evidence we're missing, whether that is again on a suspect's phone or on a victim's phone where the victim is not capable of giving us that passcode.

Mr. Bilirakis. Well, thank you very much. I appreciate it, Mr. Chairman. I yield back the time.

Mr. McKinley. And I think we have one last question for the first panel, and that is from the gentlelady from California, Ms. Eshoo.

Ms. Eshoo. Thank you very much, Mr. Chairman, for extending legislative courtesy to me to be here to join in on this hearing because I am not a member of this subcommittee. But the rules of the committee allow us to, and I appreciate your courtesy. I first want to go to Captain Cohen. I think I heard you say that Apple had disclosed its source code to the Chinese Government. I believe that you said that, and that is a huge allegation for the NYPD to base on some news stories. Can you confirm this? Did you----

Mr. Cohen. Yes, ma'am. I'm with the Indiana State Police, by the way, not NYPD.

Ms. Eshoo. I am sorry.

Mr. Cohen. What I said was in preparing for my testimony I had found several news stories but I was unable to find anything to either confirm or deny that assertion----

Ms. Eshoo. Did you say that in----

Mr. Cohen [continuing]. By the media.

Ms. Eshoo. I didn't hear all of your presentation around that allegation, but I think it is very important for the record that we set this straight because that takes my breath away. That is a huge allegation. So thank you. To Ms. Hess, the San Bernardino case is really illustrative for many reasons. But one of the more striking aspects to me is the way in which the FBI approached the issue of gaining access to that now-infamous iPhone. We know that the FBI went to court to force a private company to create a system solely for the purpose of the Federal Government, and I think that is quite breathtaking.
It takes my breath away just to try and digest that, and then to use that information whenever and however it wishes. Some disagree, some agree, but I think that this is a worthy and very, very important discussion. Now, this came about after the government missed a key opportunity to back up and potentially recover information from the device by resetting the iCloud password in the days following the shooting. Now, the Congress has appropriated just shy of $9 billion with a B for the FBI. Now, out of that $9 billion and how those dollars are spread across the agency, how is it that the FBI didn't know what to do?

Ms. Hess. Yes, ma'am.

Ms. Eshoo. How can that be?

Ms. Hess. In the aftermath of San Bernardino, we were looking for any way to identify whether or not----

Ms. Eshoo. But did you ask Apple? Did you call Apple right away and say we have this in our possession, this is what we need to get, how do we do it because we don't know how?

Ms. Hess. We did have a discussion with Apple----

Ms. Eshoo. When?

Ms. Hess. I would----

Ms. Eshoo. After----

Ms. Hess. I would have to get----

Ms. Eshoo. After it was essentially destroyed because more than 10 attempts were made relative to the passcode?

Ms. Hess. I'm not sure. I will have to take that as a question for the record.

Ms. Eshoo. I would like to know, Ms. Hess, your response to this. I served for almost a decade on the House Intelligence Committee, and during my tenure, Michael Hayden was the CIA director. Now, as the former director of the CIA, he has said that America is safer, safer with unbreakable end-to-end encryption. Tell me what your response is to that?

Ms. Hess. My response would----

Ms. Eshoo. I think cyber crime, I might add, excuse me, is embedded--if I might use that word--in this whole issue, but I would like to hear your response to the former director of the CIA.

Ms. Hess. Yes, ma'am.
And from what I have read and heard of what he has said, he certainly, I believe, emphasizes and captures what was occurring at the time that he was in charge of those agencies.

Ms. Eshoo. Has his thinking stopped from the time he was CIA director to being former and he doesn't understand encryption any longer? What are you----

Ms. Hess. No, ma'am----

Ms. Eshoo [continuing]. Suggesting?

Ms. Hess [continuing]. As technology proceeds at such a rapid pace that one must be constantly in that business in order to keep up with the iterations.

Ms. Eshoo. Let me ask you about this. Once criminals know that American encryption products are open to government surveillance, what is going to stop them from using encrypted products and applications that fall outside of the jurisdiction of American law enforcement? I have heard you repeat over and over we are talking to people in Europe, we are talking--I don't know. Is there a body that you are working through? Has this been formalized? Because if this stops at our border but doesn't include others, this is a big problem for the United States of America law enforcement and American products.

Mr. McKinley. The gentlelady's time is expired.

Ms. Eshoo. Could she respond?

Mr. McKinley. Thank you very much.

Ms. Hess. Yes, ma'am, we are working with the international community and our international----

Ms. Eshoo. How?

Ms. Hess [continuing]. Partners on that issue.

Mr. McKinley. Thank you.

Ms. Eshoo. Do you have a national body? Is there some kind of international body that you are working through?

Mr. McKinley. Thank you.

Ms. Eshoo. Can she answer that?

Mr. McKinley. Do you want to finish your remark?

Ms. Hess. There is no one specific organization that we work through. There are a number of organizations we work through to that extent.

Ms. Eshoo. Thank you, Mr. Chairman.

Ms. DeGette. Mr.
Chairman, I would ask unanimous consent that all of the members of the committee, as well as the members of the full committee who have been asked to sit in be allowed to supplement their verbal questions with written questions of the witnesses.

Mr. McKinley. So approved. Without seeing any more members seeking to be recognized for questions, I would like to thank the witnesses once again for their testimony today. Now, I would like to call up the witnesses for our second panel to the table. Thank you again.

OK. We will start the second panel. First, I would like to introduce the witnesses of our second panel for today's hearing, starting with Mr. Bruce Sewell will lead off on the second panel. Mr. Sewell is Apple's general counsel and senior vice president of legal and global security. He serves on the company's executive board and oversees all legal matters, including corporate governance, global security, and privacy. We thank Mr. Sewell for being with us today and look forward to his comments.

We would also like to welcome Amit Yoran--is that close enough--Mr. Yoran, president of RSA Security. RSA is an American computer and network security company, and as president, Mr. Yoran is responsible for developing RSA's strategic vision and operational execution across the business. Thanks to Mr. Yoran for appearing before us today, and we appreciate this testimony.

Next, we welcome Dr. Matthew Blaze, associate professor of computer and information science at the University of Pennsylvania. Dr. Blaze is a researcher in the area of secure systems, cryptology, and trust management. He has been at the forefront of these issues for over a decade, and we appreciate his being here today and offering his testimony on this very important issue.

Finally, I would like to introduce Dr.
Daniel Weitzner, who is director and principal research scientist at the Computer Science and Artificial Intelligence Laboratory, Decentralized Information Group at the Massachusetts Institute of Technology. Mr. Weitzner previously served as United States deputy chief technological officer for internet policy in the White House. We thank him for being here with us today and look forward to learning from his expertise.

I want to thank all of our witnesses for being here and look forward to the discussion. Now, as we begin, you are aware that this committee is holding an investigative hearing, and when doing so, it has had the practice of taking testimony under oath. Do any of you have objection to testifying under oath?

OK. Seeing none, the chair then advises you that under the rules of the House and the rules of the committee, you are entitled to be advised by counsel. Do any of you desire to be represented or advised by counsel during your testimony today?

Seeing none, in that case, if you would please rise and raise your right hand, I will swear you in.

[Witnesses sworn.]

Mr. McKinley. Thank you. You are now under oath and subject to the penalties set forth in title 18, section 1001 of the United States Code. Each of you may be able to give a 5-minute summary of your written statement, starting with Mr. Sewell.

STATEMENTS OF BRUCE SEWELL, GENERAL COUNSEL, APPLE, INC.; AMIT YORAN, PRESIDENT, RSA SECURITY; MATTHEW BLAZE, ASSOCIATE PROFESSOR, COMPUTER AND INFORMATION SCIENCE, SCHOOL OF ENGINEERING AND APPLIED SCIENCE, UNIVERSITY OF PENNSYLVANIA; AND DANIEL J. WEITZNER, PRINCIPAL RESEARCH SCIENTIST, MIT COMPUTER SCIENCE AND ARTIFICIAL INTELLIGENCE LAB, AND DIRECTOR, MIT INTERNET POLICY RESEARCH INITIATIVE

STATEMENT OF BRUCE SEWELL

Mr. Sewell. Thank you, Chairman Murphy, Ranking Member DeGette, and members of the subcommittee. It's my pleasure to appear before you today on behalf of Apple.
We appreciate your invitation and the opportunity to be part of this important discussion on encryption.

Hundreds of millions of people trust Apple products with the most intimate details of their daily lives. Some of you might have a smartphone in your pocket right now, and if you think about it, there's probably more information stored on that phone than a thief could get by breaking into your home. And it's not just a phone. It's a photo album, it's a wallet, it's how you communicate with your doctor, your partner, and your kids. It's also the command central for your car and your home. Many people also use their smartphone to authenticate and to gain access into other networks, businesses, financial systems, and critical infrastructure. And we feel a great sense of responsibility to protect that information and that access.

For all of these reasons, our digital devices, indeed our entire digital lives, are increasingly and persistently under siege from attackers. And their attacks grow more sophisticated every day. This quest for access fuels a multibillion dollar covert world of thieves, hackers, and crooks. We are all aware of some of the recent large-scale attacks. Hundreds of thousands of Social Security numbers were stolen from the IRS. The U.S. Office of Personnel Management has said as many as 21 million records were compromised and as many as 78 million people were affected by an attack on Anthem's health insurance records.

The best way that we and the technology industry know how to protect your information is through the use of strong encryption. Strong encryption is a good thing. It is a necessary thing. And the government agrees. Encryption today is the backbone of our cybersecurity infrastructure and provides the very best defense we have against increasingly hostile attacks. The United States has spent tens of millions of dollars through the Open Technology Fund and other programs to fund strong encryption.
And the administration's Review Group on Intelligence and Communications Technology urged the U.S. Government to fully support and not in any way to subvert, undermine, or weaken generally available commercial encryption software.

At Apple, with every release of hardware and software, we advance the safety, security, and data protection features in our products. We work hard to also assist law enforcement because we share their goal of creating a safer world. I manage a team of dedicated professionals that are on call 24 hours a day, 365 days a year. Not a day goes by where someone on my team is not working with law enforcement. We know from our interaction with law enforcement officials that the information we are providing is extremely useful in helping to prevent and solve crimes. Keep in mind that the people subject to law enforcement inquiries represent far less than 1/10 of 1 percent of our hundreds of millions of users. But all of those users, 100 percent of them, would be made more vulnerable if we were forced to build a back door.

As you've heard from our colleagues in law enforcement, they have the perception that encryption walls off information from them. But technologists and national security experts don't see the world that way. We see a data-rich world that seems to be full of information, information that law enforcement can use to solve and prevent crimes. This difference in perspective, this is where we should be focused. To suggest that the American people must choose between privacy and security is to present a false choice. The issue is not about privacy at the expense of security. It is about maximizing safety and security. We feel strongly that Americans will be better off if we can offer the very best protections for their digital lives.

Mr. Chairman, that's where I was going to conclude my comments, but I think I owe it to this committee to add one additional thought, and I want to be very clear on this.
We have not provided source code to the Chinese Government. We did not have a key 19 months ago that we threw away. We have not announced that we are going to apply passcode encryption to the next-generation iCloud. I just want to be very clear on that because we heard three allegations. Those allegations have no merit. Thank you.

[The prepared statement of Bruce Sewell follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. McKinley. Thank you. And we turn now to the second panelist, Mr. Yoran.

STATEMENT OF AMIT YORAN

Mr. Yoran. Chairman Murphy, Ranking Member DeGette, and members of the committee, thank you for the opportunity to testify today on encryption. This is a very complex and nuanced issue, and I applaud the committee's efforts to better understand all aspects of the debate. My name is Amit Yoran, and I'm the President of RSA, the security division of EMC. I would like to thank my mom for coming to hear my testimony today. In case things go sideways, I assure you, she's much tougher than she looks.

I've spent over 20 years in the cybersecurity field. In my current role, I strive to ensure that RSA provides industry-leading cybersecurity solutions. RSA has been a cybersecurity industry leader for more than 30 years. The more than 30,000 global customers we serve represent every sector of our economy. Fundamental to RSA's understanding of the issues at hand is our rich heritage in encryption, which is the basis for cybersecurity technology. Our cybersecurity products are found in government agencies, banks, utilities, retailers, as well as hospitals and schools. At our core, we at RSA believe in the power of digital technology to fundamentally transform business and society for the better, and that the pervasiveness of our technology helps to protect everyone.

Let me take a moment to say that we deeply appreciate the work of law enforcement and the national security community to protect our nation.
I commend the men and women of law enforcement who have dedicated their lives to serving justice. Private industry has long partnered with law enforcement agencies to advance and protect our nation and the rule of law. Where lawful court orders mandate it or where moral alignment encourages it, many tech companies have a regular, ongoing, and cooperative relationship with law enforcement in the U.S. and abroad. Simply put, it is in all of our best interests for the laws to be enforced.

I have four points I'd like to present today, all of which I've extrapolated on in my written testimony.

First, this is no place for extreme positions or rushed decisions. The line connecting privacy and security is as delicate to national security as it is to our prosperity as a nation. I encourage you to continue to evaluate the issue and not rush to a solution.

Second, law enforcement has access to a lot of valuable information they need to do their job. I would encourage you to ensure that the FBI and law enforcement agencies have the resources and are prioritizing the tools and technical expertise required to keep up with the evolution of technology and meet their important mission.

Third, strong encryption is foundational to good cybersecurity. If we lower the bar there, we expose ourselves even further to those that would do us harm. As you know, recent and heinous terrorist attacks have reinvigorated calls for exceptional access mechanisms. This is a call to create a back door to allow law enforcement access to all encrypted information. Exceptional access increases complexity and introduces new vulnerabilities. It undermines the integrity of internet infrastructure and reduces--and introduces more risk, not less, to our national interests. Creating a back door into encryption means creating opportunity for more people with nefarious intentions to harm us.
Sophisticated adversaries and criminals would not knowingly use methods they know law enforcement could access, particularly when foreign encryption is readily available. Therefore, any perceived gains to our security from exceptional access are greatly overestimated.

Fourth, this is a basic principle of economics with very serious consequences. Our standard of living depends on the goods and services we can produce. If we require exceptional access from U.S.-based companies that would make our information economy less secure, the market will go elsewhere. But worse than that, it would weaken our power and utilities, our infrastructures, manufacturing, health care, defense, and financial systems. Weakening encryption would significantly weaken our nation.

Simply put, exceptional access does more harm than good. This is the seemingly unanimous opinion of the entire tech industry, academia, the national security community, as well as all industries that rely on encryption and secured products.

In closing, I would like to thank all the members of the committee for their dedication in understanding this very complex issue.

[The prepared statement of Amit Yoran follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. McKinley. Thank you. Dr. Blaze?

STATEMENT OF MATTHEW BLAZE

Mr. Blaze. Thank you, Mr. Chairman, and members of the committee for the opportunity to testify before you today. The encryption issue which, as you know, I've been involved with for over two decades now, has been characterized as a question of whether we can build systems that keep a lot of the good guys in but keep the bad guys out. And much of the debate has focused on questions of whether we can trust the government with the keys for data. But before we can ask that question, and that's a legitimate political question that the political process is well-equipped to answer, there's an underlying technical question of whether we can trust the technology to actually give us a system that does that.
And unfortunately, we simply don't know how to do that safely and securely at any scale and in general across the wide range of systems that exist today and that we depend on. It would be wonderful if we could. If we could build systems with that kind of assurance, it would solve so many of the problems in computer security and in general computer systems that have been with us since really the very beginning of software-based systems. But unfortunately, many of the problems are deeply fundamental. The state of computer and network security today can really only be characterized as a national crisis. We hear about large-scale data breaches, compromises of personal information, financial information, and national security information literally on a daily basis today. And as systems become more interconnected and become more relied upon for the function of the fabric of our society and for our critical infrastructure, the frequency of these breaches and their consequences have been increasing. If computer science had a good solution for making large-scale robust software, we would be deploying it with enormous enthusiasm today. It is really at the core of fundamental problems that we have. But we are fighting a battle against complexity and scale that we are barely able to keep up with. I wish my field had simpler and better solutions to offer, but it simply does not. We have only two good tools, tried-and-true tools that work for building reliable, robust systems. One of those is to build the systems to be as simple as possible, to have them include as few functions as possible, to decrease what we call the attack surface of these systems. Unfortunately, we want systems that are more complex and more integrated with other things, and that becomes harder and harder to do. The second tool that we have is cryptography, which allows us to trust fewer components of the system, rely on fewer components of the system, and manage the inevitable insecurity that we have. 
Unfortunately, proposals for exceptional access methods that have been advocated by law enforcement and we heard advocated for by some of the members of the previous panel work against really the only two tools that we have for building more robust systems, and we need all the help we can get to secure our national infrastructure across the board. There's overwhelming consensus in the technical community that these requirements are incompatible with good security engineering practice. I can refer you to a paper I collaborated on called ``Keys Under Doormats'' that I referenced in my written testimony that I think describes the consensus of the technical community pretty well here. It's unfortunate that this debate has been so focused on this narrow and very potentially dangerous solution of mandates for back doors and exceptional access because it leaves unexplored potentially viable alternatives that may be quite fruitful for law enforcement going forward. There's no single magic bullet that will solve all of law enforcement problems here or really anywhere in law enforcement, but a sustained and a committed understanding of things like exploitation of data in the cloud, data available in the hands of third parties, targeted exploitation of end devices such as Ms. Hess described in her testimony will require significant resources but have the potential to address many of the problems law enforcement describes, and we owe it to them and to all of us to explore them as fully as we can. Thank you very much. [The prepared statement of Matthew Blaze follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. McKinley. Mr. Weitzner, you have 5 minutes. STATEMENT OF DANIEL J. WEITZNER Mr. Weitzner. Thank you, Vice Chairman McKinley, Chairman Murphy, and Ranking Member DeGette. Thank you for having me. I think this hearing comes at a very important time in the debate about how to best accommodate the very real needs of law enforcement in the digital age. 
I want to say that I don't think there's any sense in which law enforcement is exaggerating or overstating the challenges they face, and I don't think we should be surprised that they have big challenges. We think about the introduction of computers in our society, in our workplace, and our homes, and to be colloquial, it throws everyone for a loop for a little while, and our institutions take a while to adjust. So we shouldn't expect this problem is going to be solved overnight. I do think what's happening at this point in the debate, however, is that, as some of the previous witnesses said, we are seeing a growing consensus that introducing mandatory infrastructure-wide back doors is not the right approach. I'm going to talk about some ways that I think we can move forward, but I want to say why I think it is, and it comes back to the safe deposit box analogy that we heard. We all do think it's reasonable that banks should have a second key to our safe deposit boxes, and maybe even you should have drills that can drill through those locks in the event you can't find one of the keys. But the problem here is that we're all using the same safe, every single one of us, so if we make those safe deposit boxes so that they're a little too easy to drill into or if someone gets a hold of the key, then everyone is at risk, not just the couple thousand customers who happen to be at the one bank. That's why we see political leaders really from all around the world now rejecting the idea of mandatory back doors. Recently, Secretary of Defense Ash Carter said, ``I'm not a believer in back doors or a single technical approach. I don't think it's realistic,'' he said. Robert Hannigan, who is the director of the U.K. 
surveillance agency GCHQ, said in a talk he delivered at MIT last month that ``mandatory back doors are not the solution.'' He said ``encryption should not be weakened, let alone banned, but neither is it true that nothing could be done without weakening encryption.'' He said, ``I'm not in favor of banning encryption, nor of asking for mandatory back doors.'' And very tellingly, the vice president of the European Commission, who was the former Prime Minister of Estonia and famous for digitizing almost the entire country and the government, said if people know there are back doors, how could people who, for example, vote online trust the results of the election if they know their government has a key to break into the system? Two very quick steps that I think we should avoid going forward, and then a few suggestions about how to approach this challenge that you face, number one, I think you've heard us all say that we have to avoid introducing new vulnerabilities into an already quite vulnerable information infrastructure. It would be nice if we could choose that only the bad guys got weak encryption and the rest of us all got strong encryption, but I think we understand that's simply not possible. You've also heard reference to CALEA, a piece of legislation in this committee's jurisdiction. There have been calls to address this very difficult question by simply extending CALEA to apply to internet companies. But if you look closely at CALEA, it shows just how hard it will be to solve this problem with a one-size-fits-all solution. CALEA was targeted to a very small group of telecommunications companies that provided basically all the same product and were regulated in a then-pretty-stable way by the Federal Communications Commission. The internet and platform industry and the mobile apps and device and history is an incredibly diverse, global industry, and there's no single regulatory agency that governs those services and products. 
That's very much by design, and so I think trying to impose a top-down regulatory solution on this whole complex of industries in order to solve this problem simply won't work. What can we do going forward? Number one, I think that's in the efforts of the encryption working group that this committee and the Judiciary Committee had set up, I think it's very important to look closely at the specific situations that law enforcement faces, at the specific court orders, which have been successfully satisfied, which haven't, which introduce system-wide vulnerabilities that they were followed through, and which actually could be pursued without system-wide risk. I think there's a lot to be learned about the best practices both of law enforcement and technology companies, and there are probably some law enforcement agencies and technology companies that could up their game a little bit if they had a better sense of how to approach this issue. I also think it's awfully important we make sure to preserve public trust in this environment, in this internet environment. I think we understand in the last 5 years that there's been significant concern from the public about the powers both of government and private sector organizations. I think it's a great step that the House Judiciary Committee is moving forward amendments to the Electronic Communications Privacy Act that will protect data in the cloud, and I think if we can do more of that and assure the public that their data is protected, both in the context of government surveillance and private sector use, that we'll be able to move forward with this issue more constructively. Thanks very much, and I'm looking forward to the discussion. [The prepared statement of Daniel J. Weitzner follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. McKinley. And thank you very much for your testimony. And for the whole panel, if I might recognize myself for the first 5 minutes with some questions. Mr. 
Sewell, you made quite a point that you have not provided the source codes to China. And it had come up from the earlier panel. Were you ever asked to provide anyone---- Mr. Sewell. By the Chinese Government or anyone? Mr. McKinley. Yes. Mr. Sewell. We have been asked by the Chinese Government. We refused. Mr. McKinley. How recent were you asked? Mr. Sewell. Within the past 2 years. Mr. McKinley. OK. Mr. Yoran, I have got a couple of questions for you. First, I was a little taken back. You said don't rush on the solution or whatever that might be. And as I said earlier, this has been 5 1/2 years. I have been hearing everyone talk about it, and they are not getting anything done. I don't know what we are waiting for. There has got to be a solution. I am just one of three licensed engineers in Congress, and by now, we would have the solution if there were more engineers and fewer attorneys here perhaps. But if I might, with your question, I understand your company was founded by the original creators of a critical algorithm in public key cryptography. Needless to say, encryption is your company's DNA. If anyone understands the importance of protecting encryption keys, it is your company. Yet apparently, several years ago, someone stole your seed keys, and as I understand, these are the keys that generate keys that are used for remote access, much like those used by Members and their staff. If a company like yours, as sophisticated as it is and with the securities you have, it can lose control of encryption keys, how could we have confidence in others, especially smaller companies, the ability to do the same? Mr. Yoran. Mr. Chairman, I think that you bring up two great points. 
The first statement I would make is that I'd like to highlight the fact that a tremendous amount of cooperation happens currently between law enforcement and the tech community, so that characterization that we've made no progress over the past 5 years, I think understates the level of effort put forth by the tech community to reply to and support the efforts of law enforcement. I think what's occurring is--and I won't call it a line in the sand--but I think the current request from law enforcement have now gotten to the point where they're requesting a mandate that our products be less secure and will have a tremendous and profound negative impact on our society and public safety, as has already been made the point earlier. The second point regarding RSA's own breach, I think, that highlights the very critical role that encryption plays in the entire cybersecurity puzzle. The fact that sophisticated threat actors, nation, state, or cyber criminals are going to target the supply chain and where strong encryption and strong cybersecurity capabilities come from. We're dealing with an incredibly sophisticated adversary and one that would put forth a tremendous effort to find any back doors if they were embedded in our security systems. It highlights the value of encryption to society in general, and I think it also highlights the importance of transparency around cyber breaches and cybersecurity issues. Mr. McKinley. Thank you. In the first panel--I will stay with you, Mr. Yoran--talked a little bit about the security of our infrastructure. And I think the response was along the line that it is not an encryption problem; it is a firewall problem. I am not sure that the American public understands the difference between that, and so I am going to go back to how comfortable should we be or can we be that we have proper protection on our security firms like yours that are energy or transportation system, particularly our grid? 
As I said, we have been hacked--we are subject to it. We know we already have been attacked once. So what more should we be doing? Mr. Yoran. Mr. Chairman, I think the response provided by the earlier panel was wrong. I think encryption plays an incredibly important role in protecting critical infrastructure. It is not a this is a firewall solution or this is an encryption solution. Most organizations that truly understand cybersecurity have a diverse set of products, applications, and many layers of defenses, knowing that adversaries are going to get in through firewalls. Not only adversaries but important openings are created in firewalls so that the appropriate parties can communicate to them as well. And those paths are frequently leveraged by adversaries to do nefarious things. Mr. McKinley. So are you acknowledging, then, that we still are very vulnerable to someone shutting down our electric grid? Mr. Yoran. I believe we are extremely vulnerable in any infrastructure that leverages technology, how much of it is the entire grid, how much of it is localized. I certainly believe that utilities are exposed. Mr. McKinley. Thank you. And let me just say in closing to all four of you, if you have got some suggestions how we might be able to address this, I am hearing time and time again in the districts with our grid system. I sure would like to hear back from you about what we might be able to do. With that, I yield the next question from the ranking member from Colorado, Ms. DeGette. Ms. DeGette. Thank you so much. Well, following up on the last question, I would like to stipulate that I believe, as most members of this panel believe, that strong encryption is really critical to our national security and everything else. 
But, as I said in my opening statement, I also recognize that we need to try to give law enforcement the ability to apprehend criminals when criminals are utilizing this technology to be able to commit their crimes and to cover up after the crimes. So, first of all, Mr. Sewell, I believe you testified that your company works with law enforcement now, is that correct? Mr. Sewell. That is correct. Ms. DeGette. Thanks. And I think that you would also acknowledge that while encryption really does provide benefit both for consumers and for society for security and privacy, we also need to address this thorny issue about how we deal with criminals and terrorists who are using encrypted devices and technologies, is that correct? Mr. Sewell. I think this is a very real problem. And let me start by saying that the conversation we're engaged in now, I think, has become something of a conflict, Apple v. the FBI---- Ms. DeGette. Right. And I don't---- Mr. Sewell [continuing]. And that's just the wrong approach. Ms. DeGette. And you don't agree with that, I would hope. Mr. Sewell. I absolutely do not. Ms. DeGette. And, Mr. Yoran, you don't agree with that, that it is technology versus law enforcement, do you? Yes or no will work. Mr. Yoran. No, I don't agree it's technology---- Ms. DeGette. OK. And I am assuming that you, Dr. Blaze? Mr. Blaze. No. Ms. DeGette. And how about you, Mr. Weitzner? Mr. Weitzner. [Nonverbal response.] Ms. DeGette. No. Well, that is good. So here is another question, then. And I asked the last panel that. Do you think it is a good idea for the FBI and other law enforcement agencies to have to go to third-party hackers to get access to data for which they have court orders to get? Mr. Weitzner. I don't think that's a good idea. Ms. DeGette. Do you think so, Mr. Yoran? Mr. Yoran. No, ma'am. Ms. DeGette. Dr. Blaze? Mr. Blaze. 
No, if I could just clarify, the fact that the FBI had to go to a third party indicates that the FBI either had or devoted insufficient resources to---- Ms. DeGette. Right. Mr. Blaze [continuing]. Finding a solution---- Ms. DeGette. And they couldn't---- Mr. Blaze [continuing]. In advance of the problem. Ms. DeGette [continuing]. Do it on their own. Right. I am going to get to that in a second. So it is just really not a good model. So here is my question. Mr. Yoran, do you think that the government should enhance its own capabilities to penetrate encrypted systems and pursue workarounds when legally entitled to information they cannot obtain either from the user directly or service providers? Do you think that they should develop that? Mr. Yoran. Yes, ma'am. Ms. DeGette. Do you think they have the ability to develop that? Mr. Yoran. Yes, ma'am. Ms. DeGette. Professor, do you think that they have the ability to develop that? Mr. Blaze. It requires enormous resources, and they probably--with the resources they currently have, I think it's likely that they don't have the ability to---- Ms. DeGette. One thing Congress has, we may not be internet experts but we have resources. Mr. Blaze. Right. And I think this is a soluble problem. Ms. DeGette. Mr. Weitzner? Mr. Weitzner. I think that they certainly should have the resources, and I think really the key question is whether they have the personnel. And I think it will take some time to build up a set of personnel expertise---- Ms. DeGette. Well, I understand it will take time---- Mr. Weitzner. Yes. Ms. DeGette [continuing]. But do you think they can develop those resources? Mr. Weitzner. I think so. Absolutely. The only thing---- Ms. DeGette. Thank you. OK. So, Mr. Yoran, I want to ask you another question. 
Do you think that all of us supporting the development of increased capability within the government can be a reasonable path forward, as opposed to either relying on third parties or making companies write new software or redesign systems? Mr. Yoran. Yes, ma'am. Ms. DeGette. You think that is a better approach? OK. And I assume, Mr. Sewell, you probably agree with that, too? Mr. Sewell. I'd agree that we ought to spend more money, time, resources on the FBI and on local law enforcement training---- Ms. DeGette. And would Apple be willing to help them develop those capabilities? Mr. Sewell. We actively do participate in helping them. Ms. DeGette. So your answer would be yes? Mr. Sewell. That we would participate in training, we would---- Ms. DeGette. And helping them develop those in new capabilities? Mr. Sewell. What we can do is to help them understand our ecosystem. Ms. DeGette. Right. Mr. Sewell. That's what we do on a---- Ms. DeGette. So I guess---- Mr. Sewell [continuing]. Daily basis. Ms. DeGette. Right. I am not trying to trick you. Mr. Sewell. No, and I'm not---- Ms. DeGette. Yes. OK. Mr. Sewell [continuing]. Responding either. Ms. DeGette. So I guess, then, your answer would be yes, you are willing to help us in conjunction with law enforcement and Congress to solve this problem. Is that correct, Mr. Sewell? Mr. Sewell. I want to solve the problem just like everyone else. Ms. DeGette. And are you willing to work with law enforcement and Congress to do it? Yes or no? Mr. Sewell. Congresswoman, we work with them every day. Yes, of course---- Ms. DeGette. A yes or no will work. Mr. Sewell. Of course we will. Of course we are. Ms. DeGette. Thank you. Mr. Sewell. Yes. Ms. DeGette. Mr. Yoran? Mr. Yoran. Yes, ma'am. Ms. DeGette. Professor Blaze? Mr. Blaze. Absolutely? Ms. DeGette. And Mr. Weitzner? Mr. Weitzner. Yes. Ms. DeGette. Thank you so much. Thank you, Mr. Chairman. Mr. McKinley. Thank you. And I now recognize Mr. Griffith from Virginia. Mr. Griffith. 
Thank you, Mr. Chairman. I greatly appreciate that. My background, I am just a small college history major that then went into law, and as a part of that, Mr. Sewell, I would have to ask, would you agree with me that, in the history of mankind, it took us thousands of years to come up with the concept of civil liberties and that perhaps 5 1/2 years isn't such a long time to try to find a solution to this current issue? And likewise, the answer was in the affirmative for those who might not have---- Mr. Sewell. It was, yes. Mr. Griffith [continuing]. Heard that. And that it was lawyers who actually created the concept of individual liberty and one that our country has been proud to be the leader in the world in promoting. Would that also be true? Mr. Sewell. That's very true, sir, yes. Mr. Griffith. That being said, I was very pleased to hear in answers to Ms. DeGette that all of you are willing to help us solve this problem because there is no easy answer. I liked the safety deposit box analogy. Mr. Weitzner, thanks for ruining it for me in your analysis. But I would ask Mr. Sewell if there isn't some way--and again, I can't do what you all do so I have to simplify it to my terms. Is there some way that we can create the vault that the banks have with the safety deposit box in it, and then once you are inside of there, if you want that security--because not everybody has a safety deposit box--but if you want that security, that then there is a system of a dual but separate keys with companies like yours are others holding one of the two keys and then the individual holding the other key and then having the ability to, with a proper search warrant, have law enforcement be able to get in? I mean, I am trying to break it down into a concept I can understand where I can then apply what we have determined over the course of the last several hundred years is the appropriate way to get at information. And it is difficult in this electronic age. Mr. Sewell. 
It is very difficult, Congressman. I agree. We haven't figured out a way that we can create an access point and then create a set of locks that are reliable to protect access through that access point. That is what we struggle with. We can create an access point and we can create locks, but the problem is that the keys to that lock will ultimately be available somewhere, and if they're available anywhere, they can be accessed by both good guys and bad guys. Mr. Griffith. So you would agree with Mr. Weitzner's position or his analysis, which I thought was accurate, is that the problem is we are not giving a key and a drill to one safety deposit box; it is everybody in the bank who suddenly would have their information in the open. And I saw that you wanted to make a comment, Mr. Weitzner? Mr. Weitzner. I just want to--since this analogy seems to be working, we don't put much stuff in our safe deposit boxes, right? I mean, I actually don't have one to be honest. There's this core concern, back to your civil liberties framework, that somehow we have a warrant-free zone that's going to take over the world. I think that if you follow the safety deposit box analogy, what we know is that the information that's important to law enforcement exists in many places. And I don't question that there will be some times when law enforcement can't get some piece of information at once. But I think what you're hearing from a number of us and from the technical community is that this information is very widely distributed, and much of it is accessible in one way or the other or inferable from information that's produced by other third parties. And I think that part of the path forward is to really understand how to exploit that to the best extent possible in investigations so that we're not all focused on the hardest part of the problem where the hardest part of the problem is what do you do if you have very strongly encrypted data? Can you ever get it? 
It may not be the best place to look all the time because it may not always be available. Mr. Griffith. And, of course, historically, you are never able to get a hold of everything. Dr. Blaze, you wanted to weigh in? Mr. Blaze. So I just wanted to caution that the split-key design, as attractive as it sounds, was also the core of the NSA-designed clipper chip, which was where we started over two decades ago. Mr. Griffith. I appreciate that. Mr. Yoran, I have got to tell you, I did think your testimony and your written testimony in particular was enlightening in regard to the fact that if we do shut down the U.S. companies, then there may even be safe havens created by those companies that are not our friends and are specifically our enemies. I wanted to ask a series of questions on that, but I see that my time has expired, and so I am required to yield back, Mr. Chairman. Mr. McKinley. Looking at the other panel members, we have Mrs. Brooks from Indiana, your 5 minutes. Mrs. Brooks. Thank you, Mr. Chairman. I would like to start out with a comment that was made in the first panel, and I guess this is to Mr. Sewell, whether or not you can share with us. Does Apple plan to use encryption in the cloud? Mr. Sewell. We've made no such announcement. I'm not sure where that statement came from, but we've made no such announcement. Mrs. Brooks. OK. I understand you've made no such announcement, but is that being explored? Mr. Sewell. I think it would be irresponsible for me to come here and tell you that we are not even looking at that, but we have made no announcement. No decision has been made. Mrs. Brooks. And are these discussions helping inform Apple's decisions? And is Apple communicating with any law enforcement about that possibility? Mr. Sewell. These discussions are enormously, enormously helpful, and I'd be glad to go further into that. I've learned some things today that I didn't know before, so they're extremely important. 
We are considering, we are talking to people, we are being very mindful of the environment in which we are operating. Mrs. Brooks. And I have certainly seen and I know that Apple and many companies have a whole set of policies and procedures on compliance with legal processes and so forth. And so I assume that you have regular conversations with policymakers and law enforcement, whether it is FBI or other agencies, on these policy issues. Is that correct? Mr. Sewell. That's very correct. I interact with law enforcement at two very different levels. One is a very operational level. My team supports daily activities in response to lawful process, and we worked very closely on actual investigations. I can mention at least two where we've recently found children who've been abducted. We've been able to save lives working directly with our colleagues in law enforcement. So at that level we have a very good relationship, and I think that gets lost in the debate sometimes. At the other side, I work at a--perhaps a different level. I work directly with my counterpart at the FBI. I work directly with the most senior people in the Department of Justice, and I work with senior people in local law enforcement on exactly these policy issues. Mrs. Brooks. Well, and I thank you and all the others for cooperating with law enforcement and working on these issues, but it seems as if most recently there have not been enough of that discussions. Hence, that is why we are having these hearings and why we need to continue to have these hearings. But I think that we have to continue to have the dialogue on the policy while continuing to work on the actual cases and recognize that obviously technology companies have been tremendously helpful, and we need them to be tremendously helpful in solving crimes and in preventing future crimes. 
I mean, it is not just about solving crimes already perpetrated, but it is always, particularly with respect to terrorism, how do we ensure that we are keeping the country safe? I am curious with respect to a couple of questions with respect to legal hacking and the types of costs that are associated with legal hacking, as well as the personnel needed. And since the newer designs of iPhones prevent the bypassing of the built-in encryption, does Apple actually believe that lawful hacking is an appropriate method for investigators to use to assess the evidence in investigations? Mr. Sewell. So I don't think we have a firm position on that. I think there are questions that would have to be answered with respect to what the outcome of that lawful hacking is, what happens to the product of that lawful hacking. So I don't have a formal corporate position on that. Mrs. Brooks. So then, because that has been promoted, so to speak, as far as a way around this difficult issue, are you having those policy discussions about Apple's view and the technology sector's view on lawful hacking? Are those discussions happening with law enforcement? Mr. Sewell. I think this is a very nascent area for us, but particularly the question is what happens to the result. Does it get disclosed? Does it not get disclosed? That, I think, is an issue that has not been well explored. Mrs. Brooks. Mr. Yoran, do you have an opinion on that lawful hacking? Mr. Yoran. Not an opinion on lawful hacking in specific, but I would just point out that doing encryption properly is very, very hard. Trying to keep information secret in the incredibly interconnected world that we live in is very, very hard. And I would suggest that it's getting harder, not easier. So the information, the data that law enforcement has access to, I think, is certainly much more than the metadata that they've had over the past several years. 
But now, as applications go into the cloud, those cloud application providers need to access the data. So the sensitive information is not just on your iPhone or other device, it's sitting in the cloud, and law enforcement has access there because it cannot be encrypted. It needs to be accessed by the cloud provider in order to do the sophisticated processing and provide the insight to the consumer that they're looking for. Mrs. Brooks. My time is expired. I have to yield back. Mr. McKinley. Thank you. And now seeing no other members of the subcommittee here with us, we can then go---- Mr. Bilirakis. Mr. Chairman? I am sorry. Mr. McKinley. Oh, OK. You are on the subcommittee? Mr. Bilirakis. No. Mr. McKinley. OK. We are going to--none on the subcommittee, so now we are going to members that have been given privileges to speak. And I was advised I was to go to the other side, like this ping-pong game. And Ms. Eshoo from California, your 5 minutes. Ms. Eshoo. Thank you, Mr. Chairman. First of all, to Mr. Yoran, I love your suit and tie. It brings a little of the flavor of my district into this big old hearing room. And a warm welcome to your mother. I don't know where she is, but it is great to have your mother here, great, wonderful. I know that Associate Professor Blaze talked about the crisis of the vulnerability in our country relative to, you know, how our systems, how vulnerable our systems are. I would just like to add for the record that up to 90 percent of the breaches in our system in our country are due to two major factors. One is systems that are less than hygiene, unhygienic systems. Number two, very poor security management. So I think the Congress should come up with at least a floor relative to standards so that we can move that word crisis away from this. But we really can do something about that. I know it costs money to keep systems up, and there are some that don't invest in it, but that can be addressed. 
The word conversation has been used, and I think very appropriately. And this is a very healthy hearing. Unfortunately, the first thing the American people heard was a very powerful Federal agency, you know, within moments of the tragedy in San Bernardino demand of a private company that they must do thus and so, otherwise, we will be forever pitted against one another, and there is no other resolution except what I call a swinging door that people can go in and out of. When I say people, in this case, it is the government. Now, the American people have a healthy suspicion of Big Brother, but they also have a healthy suspicion of big corporations. They just do. It is in our DNA, and I don't think that is an unhealthy thing. But that first snapshot, I think, we need to move to the next set of pictures on this. And I am heartened that the panel seems to be unanimous that this weakening of our overall system by having a back door, by having a swinging door is not the way to go. So in going past that, I would like to ask Mr. Sewell the following. Whether introducing a third-party access, and that has been talked about, I think that would fundamentally weaken our security. How does third-party access impact security? How likely do you think it is that law enforcement could design a system to address encrypted data that would not carry with it the unanticipated weaknesses of its own? I am worried about law enforcement in this, and I want to put this on the record as well. I think that it says something that the FBI didn't know what it was doing when it got a hold of that phone, and that is not good for us. It is not going to attract smart young people to come into a Federal agency because what it says to them is it doesn't seem to us they know what they are doing. So can you address this third-party access and what kind of effect it would have on overall security? Mr. Sewell. Thank you very much for the question, Congresswoman.
If you allow third-party access, you have to give the third party a portal in which to exercise that access. This is fundamentally the definition of a back door or a swinging door as you've, I think, very aptly described it. There is no way that we know of to create that vulnerability, to create that access point and more particularly to maintain it. This was the issue in San Bernardino was not just give us an access point but maintain that access point in perpetuity so that we can get in over and over and over again. We have no way of doing that without undermining and endangering the entire encryption infrastructure. We believe that strong, ubiquitous encryption is the best way that we can maintain the safety, security, and privacy of all of our users. So that would be fundamentally a problem. Ms. Eshoo. Thank you very much. Thank you, Mr. Chairman, for your legislative courtesy again. Thank you to the witnesses. You have been, I think, most helpful. Mr. Murphy. I thank the witnesses, too. I apologize I had to run out for a while, but I am going to get to ask a few questions here and I want to make sure to follow up. So, Mr. Sewell---- Mr. Sewell. Sir. Mr. Murphy [continuing]. We can all understand the benefits of strong encryption, whether it is keeping someone's own bank statement, financial records encrypted so we didn't have to worry about hackers there. We already heard some pretty compelling testimony in the first, challenges about law enforcement, criminal activity, child predators, homicides, et cetera. Based on your experience, what we heard today, can you acknowledge that the spread of default encryption does present a challenge for law enforcement? Mr. Sewell. I think it absolutely does. And I would not suggest for a moment that law enforcement is overstating the same claim that has been made by other panelists. 
I think the problem is that there's a fundamental disconnect between the way we see the world and the way law enforcement sees the world, and that's where I think we ought to be focusing. Mr. Murphy. And what is that disconnect? What is that two different world views? Mr. Sewell. The disconnect has to do with the evolution of technology in society and the impact of that technology in society. What you've heard from our colleagues in law enforcement is that the context in which encryption occurs reduces the scope of useful data that they have access to, this going-dark problem. But if you talk to technologists, we see the world in a very different way. We see the impact of technology is actually a burgeoning of information. We see that there's an abundance of information, and this will only increase exponentially as we move into a world where the Internet of Things becomes part of our reality. So you hear on one side we're going dark, and you hear on the other side there's an abundance of information. That circle needs to be squared. And the only way that I think we can do that is by cooperating and talking and engaging in the kind of activity that Madam DeGette was suggesting. We need to work together---- Mr. Murphy. So let me bring this---- Mr. Sewell [continuing]. So we understand their perspective, they understand ours. Mr. Murphy. I appreciate that, but I am not--it is a very compelling argument you gave, but I have no idea what you just said. So let me---- Mr. Sewell. Sure. Mr. Murphy [continuing]. Try and put this into terms that we can all talk about. Mr. Sewell. Sure. Mr. Murphy. We heard testimony from the first panel of child predators who are able to hide behind this invisible cloak, from a murder scene where they could have perhaps caught who did this. We know that when it comes to crimes, there are those who just won't commit crimes because they have a good moral compass. We have those who will commit them anyway because they have none. 
We also have those who can be deterred because they think they might get caught. And when it comes to other issues such as terrorist acts where you can get into a cell phone or something from someone who has committed an act, you can find out if they are planning more and save other lives. So what do you tell a family member who has had their child abused and assaulted in unspeakable forms, what do you tell them about burgeoning technology? I mean, tell me what comfort we can give someone about the future? Mr. Sewell. I think in situations like that, of course, they're tragic. I'm not sure that there's anything which I or any one of us could say that would help to ease that pain. On the other hand, we deal with this every day. We deal with cases where children have been abducted. We work directly with law enforcement to try to solve those crimes. We had a 14-year-old girl from Pennsylvania just recently that was abducted by her captor. We worked immediately with the FBI in order to use IP logs to identify the location where she had been stashed. We were able to get feet on the ground within a matter of hours, find that woman, rescue her, and apprehend---- Mr. Murphy. And that is good and I appreciate that, but what about--I look at this case that was presented, though, when someone may have a lot of information hidden, and if they could get in there, whether it is child predators or it is a terrorist where we could prevent more harm---- Mr. Sewell. And we're missing the point of technology here. The problems that we're trying to solve don't have an easy fix---- Mr. Murphy. I know that. I know that. But tell me, I need to know---- Mr. Sewell. So---- Mr. Murphy [continuing]. You are working in a direction that helps here. Mr. Sewell. Absolutely. Mr. Murphy. That is what I am trying to help you elicit. Mr. Sewell. Photo DNA, hashing images so that when those images move across the Internet we can identify them, we can track them.
The work that we do with Operation Railroad is exactly that. It's an example of taking technology, taking feet-on-the-ground law enforcement techniques and marrying them together in a way that fundamentally changes---- Mr. Murphy. And for people who are using encrypted sources, whether it is by default or intention to hide their data and their intention and their harmful activity that they are planning on hurting more, what do we tell the public about that? Mr. Sewell. We tell the public that, fundamentally, we're working on the problem and that we believe strong, ubiquitous encryption provides the best and safest---- Mr. Murphy. So does that mean Apple is going to be working with the FBI and law enforcement on this problem? I know that the response of Apple was we ought to have a commission. You are looking at the commission, the Energy and Commerce Committee Oversight and Investigation Committee, and we want to find solutions. We want to work with you. And I am pleased you are here today. And you heard many of us say we don't think there is right or wrong absolutes. This is not black and white. Mr. Sewell. Yes. Mr. Murphy. We are all in this together, and we want to work on that. I need to know about your commitment, too, in working with law enforcement. Could you make a statement on that? Mr. Sewell. Can I tell you a story, Congressman? Mr. Murphy. Sure. Mr. Sewell. Can I actually do that? I sat opposite my counterpart at the FBI, a person that I know very well. We don't talk frequently but we talk regularly. We're on a first-name basis. I sat opposite from him and I said amidst all of this clamor and rancor, why don't we set aside a day. We'll send some smart people to Washington or you send some smart people to Cupertino, and what we'll do for that day is that we'll talk to you about what the world looks like from our perspective. What is this explosion of data that we can see? Why do we think it's so important?
And you, talk to us about the world that confronts your investigators from the moment they wake up in the morning. How do they think about technology? How do they think about the problems that they're trying to solve? And we were going to sit down together for a day. We were planning that at the time that the San Bernardino case was filed. That got put on hold. But that offer still exists. That's the way we're going to solve these problems. Ms. DeGette. Mr. Chairman? Mr. Murphy. Yes. Ms. DeGette. Will you yield for one second? Mr. Murphy. Yes. Ms. DeGette. You know, Mr. Sewell, if we can facilitate that meeting in any way, I am sure the chairman and I would be more than happy to do that. And we have some very lovely conference rooms that are painted this very same color, courtesy of Chairman Upton, and we will have you there. Mr. Sewell. Madam, if we can get out of the lawsuit world---- Ms. DeGette. You know what---- Mr. Sewell [continuing]. Let's start cooperating. Ms. DeGette. That would be great. Mr. Sewell. Yes. Ms. DeGette. Thank you. Mr. Sewell. Great. Mr. Murphy. We want that to be facilitated. We have too many lives at stake and the concerns of many families and Americans. This is central. This is core. Mr. Sewell. I agree. Mr. Murphy. So thank you. I know I am out of time. Mr. Bilirakis is going to be recognized now for 5 minutes. Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it so very much. I want to thank everyone here on the panel for your technology leadership that helps keep us safe because that is what our priority here is in the United States Congress. At least it is mine and I know many others on this panel. We are here to find a balance between security and privacy and not continue to pit them against each other. I think you will agree with that. Mr. Yoran, how quickly does one lifecycle of encryption last as a secure system until vulnerabilities are found and exploited?
Will this continually be a game of cat-and-mouse or are we at a level now where software and the processes are strong enough to make end-to-end encryption a stable system? Mr. Yoran. Systems are attacked and vulnerabilities are exploited almost instantaneously once computer systems, mobile devices are put on the Internet. Once crypto methods are published, there's an entire research community that goes to work. Depending on the strength of the encryption, vulnerabilities may be discovered immediately, or they may be discovered decades down the road, in which case all of the information may have been at risk while that crypto system was in use. And frequently, the exposure and the exploitation of crypto systems isn't necessarily based on the strength of the algorithms themselves but on how they're implemented and how the systems are interconnected. I might not have the key to get information off of a particular device, but because I can break into the operating system because I have physical access to it, because I can read the chips, because I can do all sorts of different things. I can still get information or I can get the key while it was resident in memory. It's just a very complex system that all has to work perfectly in order for the information to be---- Mr. Bilirakis. Thank you. Mr. Yoran [continuing]. Protected. Mr. Bilirakis. The next question is for the entire panel. We have known for the past few years that any significant threat to our homeland will likely include a cyber attack. Will you agree on that? Can you elaborate on the role that encryption plays in this process of continuing national security? Certainly, the military has used forms of encryption for decades, but can you give us a contemporary snapshot of how encryption use by government or nongovernment users protect us against cyber attacks today? We can start over here, please. Mr. Sewell. I will answer the question, but I am not at all the expert in this space. 
I think the other panelists are much more expert than I am in the notion of encryption and protecting our infrastructure. The one point that I will say that I tried to emphasize in my opening statement was that we shouldn't forget about some of the changes that are happening in terms of the way that infrastructure can be accessed. I think we sometimes lose sight of the fact that phones themselves now are being used as authentication devices. If you can break the encryption and you can get into the phone, that may be a very easy way to get into the power grid, to get into our transport systems, into our water systems. So it's not just a question of the firewalls or the access; it's how--what is the instrumentality that you used to get into those things that we also have to be concerned about. Mr. Bilirakis. Thank you. Mr. Yoran? Mr. Yoran. I believe fundamentally that security is actually on the same side as privacy and our economic interest. It's fundamental. It's fundamental in the national security community. But it's also mandated by law to protect all sorts of other data in other infrastructures and systems such as financial services, health care records, so on and so forth, such that even folks who might not gain an advantage by having strong encryption available like General--I'm sorry, Admiral Rogers, the director of the NSA; and James Clapper, the director of National Intelligence, are on the record saying that they believe it's not in the U.S. best interest to weaken encryption. Mr. Bilirakis. Anyone else wish to comment, please? Mr. Blaze. I mean, encryption is used in protecting critical infrastructure the same way it's used in protecting other aspects of our society. It protects sensitive data when it's being transmitted and stored, including on mobile devices and over the Internet and so on. 
I just want to add that critical infrastructure systems are largely based and built upon the same components that we're using in consumer and business devices as well. There aren't--critical infrastructure systems essentially depend upon mobile phones and operating systems that you and I are using in our day-to-day life. And so when we weaken them, we also weaken the critical infrastructure systems. Mr. Bilirakis. Sir? Mr. Weitzner. Could I just add very briefly that I actually thought Mr. Sewell's answer was pretty good. But--and what's critical about those systems that we rely on to protect our critical infrastructure is that when we find flaws in them, we have to patch them quickly. We have to fix them quickly. As Mr. Yoran said, you know, these systems are constantly being looked at. I'm concerned that if we end up imposing requirements on our security infrastructure, on our encryption tools, if we impose CALEA-like requirements, the process of identifying flaws, fixing them, putting out new versions rapidly is going to be slowed down to figure out whether those comply with whatever the surveillance requirements are. And I think that's the wrong direction for us to go in. We want to make these tools as adaptive as possible. We want them to be fixed as quickly as possible, not be caught in a whole set of rules about what they have to do and not do to accommodate surveillance needs. Mr. Bilirakis. Thank you very much. Thank you, Mr. Chairman, for allowing me to participate. I appreciate it, and I will yield back. Mr. Murphy. Thank you. I ask unanimous consent that the letter from CTA be admitted to the record. Without objection, that will be so. [The information appears at the conclusion of the hearing.] Mr. Murphy. And I believe, Ms. DeGette? Ms. DeGette. I would ask unanimous consent--Ms. Eshoo has a letter from TechNet dated April 19 that we would like to have put in the record. Mr. Murphy. Thank you.
[The information appears at the conclusion of the hearing.] Mr. Murphy. And I also ask unanimous consent that the contents of the document binder \1\ be introduced in the record and authorize staff to make any appropriate redactions. Without objection, the documents will be entered in the record with any redactions the staff determines are appropriate. --------------------------------------------------------------------------- \1\ The contents of the document binder can be found at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=104812. --------------------------------------------------------------------------- Mr. Murphy. And in conclusion, I want to thank all the witnesses and members that participated in today's hearing. I remind members they have 10 business days to submit questions for the record. I ask that the witnesses all agree to respond promptly to the questions. Thank you so much. We look forward to hearing from you more, and we will get you together. Thank you. Mr. Sewell. Good. Thank you, Mr. Chairman. Mr. Murphy. This committee is adjourned. [Whereupon, at 1:14 p.m., the subcommittee was adjourned.] [Material submitted for inclusion in the record follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]