SAN FRANCISCO -- Thursday afternoon, at RSA Conference 2016, Rep. Michael McCaul made the case for an encryption commission bill. The legislation, which was introduced on Monday, would create the McCaul-Warner Commission on Digital Security.
McCaul (R-Texas) is chair of the House of Representatives' Committee on Homeland Security; Sen. Mark Warner (D-Va.) has worked with McCaul on the bill, which also received backing from Sen. Ron Johnson (R-Wis.).
"The world has changed, [and] we cannot win by simply bombing," McCaul said. "The bad guys are operating beyond the reach of U.S. authorities, and this includes nation states themselves that are behind the attacks." During the Q&A session, McCaul added, "I think there's a technology solution to this 'going dark' problem."
"The challenge of protecting national security and digital security simultaneously is complex. The ongoing Apple versus FBI dispute is only a symptom of a much larger problem. But we are almost certain to see this scenario repeated, unless the larger issue is addressed," McCaul said in a statement on Monday.
Going dark: Compromise solution
The bill is seen as a compromise measure in light of the Apple conflict with the FBI over unlocking an iPhone used by one of the attackers in San Bernardino last year.
Michael McCaul, chair of the House of Representatives' Committee on Homeland Security
The proposed legislation is modest in its goal: to create a nonpartisan advisory committee, with members who are experts from the tech industry, intelligence community and privacy advocates to study the issues related to accessing data that has been encrypted. The committee would recommend solutions, possibly in the form of legislation, to answer the question: How can we keep our data safe, while also keeping our country safe?
According to a document McCaul and Warner released, they "are calling for an independent Digital Security Commission to bring all stakeholders together, once and for all. The commission's goal will be to develop recommendations for maintaining privacy and digital security, while also finding ways to keep criminals and terrorists from exploiting these technologies to escape justice."
Repeating and explaining the keyword from the title of his presentation, "Security versus security," McCaul asked: "How can we keep our country safe, while also keeping our private data safe?"
While noting that "attribution is difficult," McCaul repeatedly pointed the finger at the Chinese as being behind the OPM breach. The data from "OPM is undoubtedly being exploited by China to this day," he said.
McCaul also echoed Adm. Michael Rogers' comments to RSA Conference 2016 from earlier in the week, noting the attacks on critical infrastructure in Ukraine last year, and saying "more of these attacks are coming."
Saying the U.S. needs "organizations in this room to share and cooperate," McCaul added that "if you sit on the sidelines, everyone is more vulnerable."
Encryption control, but not gun control?
During the Q&A period, one audience member garnered applause when asking whether it was more important for the government to take control over encryption when there was little control over firearms. McCaul answered by saying, "The weapon of choice of the terrorists is the AK-47," and the U.S. government has no way to control global black-market sales of those weapons.
"What do you do to stop that?" McCaul asked, adding that without access to communications through lawful warrants, it makes the work of preventing attacks much more difficult. He noted how the "going dark" problem manifested itself recently in Paris: "We didn't see" what the attackers were doing, because they were using end-to-end encryption. "They are using this dark space of communications, which is quite a challenge for us."
Vendor reaction to 'going dark' solution
"As security vendors, our No. 1 priority is protecting our customers. That's No. 1, and it should be for every company here," Domingo Guerra, co-founder and president of San Francisco-based mobile app security firm Appthority, told SearchSecurity earlier in the week. "Does that mean go out of your way to make life difficult for the government? No, but it means make that difficult for bad guys as much as you can. And, ultimately, encryption is a big stopper, or gatekeeper, for other types of access to that data."
"Now, as technology gets to the point where some of these things are not virtually -- but actually -- impossible to crack, then yeah, it might prevent law enforcement from [gaining access]," Guerra said. "But I believe the greater is really to protect overall consumers, not to make backdoors, or ways to go around it."
"The fact is, if we as U.S.-based security companies are forced to include ways to defeat our own software or our own hardware, then vendors overseas that are not subject to those laws are going to have better products than we do. And we're seeing pain in the marketplace," he added.
"We've seen that already, by the way," Guerra said. "After [Edward] Snowden, we saw a lot of our European government customers worry that our data was easily accessible by the [National Security Agency], or their data was easily accessible by the NSA. So, a lot of security companies in our space had to invest in data centers in Europe, or keeping data abroad so that it's seen as more secure, as opposed to having it here, and being a court order away from opening up and revealing potential secrets."
"So, it's real, where it has business implications," Guerra concluded. "And if we want to be cutting edge in terms of security, we have to implement whatever we see as the best way to protect customers' data. It's not trying to take sides other than preserving our business."