STATEMENT OF KENNETH L WAINSTEIN PARTNER CADWALADER WICKERSHAM TAFT LLP CONCERNING CYBERSECURITY AND U S NATIONAL SECURITY BEFORE THE COMMITTEE ON ARMED SERVICES UNITED STATES SENATE JULY 14 2016 Chairman McCain Ranking Member Reed and distinguished Members of the Committee thank you for the invitation to appear before you today My name is Ken Wainstein I am a partner at the law firm of Cadwalader Wickersham Taft and I previously served as the Homeland Security Advisor to President George W Bush as the Assistant Attorney General for National Security and in a variety of other positions in the Justice Department Thank you for the opportunity to address the pressing national security issues raised by encryption I Introduction We are in the midst of a national debate that was triggered by the recent adoption of default encryption by large communications service providers The debate is between those in government who insist there should be a technical accommodation allowing them to penetrate encryption and surveil criminal and terrorist communications and those in the technology and civil liberties communities who insist that any such accommodation would compromise encryption and jeopardize the security of our communications This debate has been going on for 1 about two years and we now find ourselves at an impasse with neither side showing any sign of backing down It is time for Congress to step in and break through that impasse Congress has long played a pivotal role in striking the balance between individual and societal privacy interests and our government’s law enforcement and national security interests Congress should play that role once again by pushing both sides of this debate toward a solution to this impasse II Legal Background Since the dawn of telephony we have wrestled with the question of when and under what conditions government investigators should be allowed access to the content of private communications In the 1967 decision Katz v United States the Supreme Court ruled that an individual has a reasonable expectation of privacy in the content of his or her phone calls and the next year Congress passed Title III of the Omnibus Crime Control and Safe Streets Act mandating the process by which the government must make a probable-cause showing to secure a judicial warrant authorizing it to use a wiretap After Congressional investigations in the 1970’s revealed a series of surveillance abuses against persons like Dr Martin Luther King Jr Congress passed the Foreign Intelligence Surveillance Act of 1978 “FISA” creating a process of judicial review and approval for electronic surveillance to obtain information related to foreign intelligence international terrorism foreign espionage and other national security threats With the passage of Title III and FISA Congress struck a balance between the privacy interests in electronic communications and the legitimate needs of law enforcement and intelligence agencies to obtain access to those communications While the balance Congress struck in each of these laws—and other laws addressing government investigative access to private information—may have been suitable at that time that balance shifted with the evolution of technology in the ensuing years which in turn triggered a series of national debates over how best to adapt existing laws to new technological realities Over the past couple decades Congress has done a very commendable job of brokering those debates and bringing the surveillance laws up to date No better example was the legislative debate in 2007-08 that resulted in the FISA Amendments Act a well-considered piece of legislation that realigned our foreign intelligence surveillance authorities to account for the revolution in communications technology since the passage of FISA in 1978 Once each of those debates was resolved and the rules were legislatively established government officials could then move forward to conduct the surveillance they needed To get the judicial authorization they provided the required predication and justification to the relevant court and received the court’s authorizing warrant or order Then to get the warrant or order implemented they served the relevant communications provider with a secondary order commanding the provider to execute the warrant or order 2 III Going Dark Over time however this process became less and less reliable as more and more providers were unable to give the government the assistance necessary to execute the authorized surveillances With the exponential increase in the volume of electronic communications and the diversification of technologies from wire telephony to mobile voice communications over digital switch-based services many providers became either unable or unwilling to satisfy lawful wiretap requests As a result by the mid-1990’s law enforcement agencies saw that their surveillance capabilities were declining and they started to worry that they were “going dark ” Congress responded to this concern in 1994 by passing the Communications Assistance for Law Enforcement Act “CALEA which required telecommunications carriers to modify their equipment facilities and services to ensure that the government could conduct lawfullyauthorized surveillances Despite CALEA significant gaps remained in our surveillance capabilities There were a number of companies that simply did not invest the money and time necessary to develop the capabilities to enable surveillance in their systems In addition there developed a broad range of communications technologies—like email instant messaging social networking sites and peerto-peer services—that were simply not covered by CALEA As a result the government was increasingly unable to surveil its criminal and national security targets by the end of the last decade This “going dark” issue then became exponentially more problematic with the recent advent of default endpoint and end-to-end encryption With endpoint encryption the data is encrypted while stored on the communication device while with end-to-end encryption the contents of a communication are encrypted in transit In both scenarios the service provider and device manufacturer have limited access if any to the encryption key which is typically held by the device owner or stored on the device Endpoint and end-to-end encryption became the default settings for a large number of devices and services when Apple unveiled a new operating system for its iPhones and other devices in September 2014 and other service providers like Google followed suit for certain device and service offerings As a result of these default encryption processes service providers and device manufacturers are often unable to satisfy lawful court surveillance orders—a scenario that will increasingly put our law enforcement and national security officials in the dark as this technology becomes industry standard and our adversaries gravitate to it IV Going Dark Going Forward This dilemma is now clear for all to see and the battle lines have been drawn with the government and tech industry taking dueling views on the way to proceed FBI Director James Comey has argued that the increasing availability and use of endpoint and end-to-end encryption puts our country at grave risk as it effectively creates safe spaces for criminals and terrorists to 3 operate outside the reach of law enforcement or the Intelligence Community He acknowledges the important privacy interests at stake but asserts that those interests must be balanced with the security interests of the broader society and urges industry to search for a technological solution that can accommodate the government’s lawful surveillance needs Representatives of the tech industry and the civil liberties community have aggressively countered Director Comey’s position with a variety of arguments including the following That any accommodation for the government would introduce a vulnerability that would undermine the security and integrity of encryption which inarguably is a vitally important technology for protecting information and preventing theft and other cyber mischief That any such accommodation could not be confined to the United States as other governments—including repressive governments—would likely demand the same access That any accommodation would put U S tech companies at a competitive disadvantage because customers—especially overseas customers and those who are already suspicious of U S government surveillance in the aftermath of the Snowden revelations—may stop using those companies’ services if they learn that the companies are cooperating with the U S government to circumvent encryption and That any accommodation imposed on U S companies would be of limited effectiveness because criminals terrorists and other wrongdoers would simply start using foreign encrypted services Citing these arguments some in the tech industry and civil liberties community have taken an absolutist position that there should be no government accommodation at all One tech industry association sent President Obama a letter urging him to resist “encryption ‘workarounds’” for the government’s surveillance needs contending that a work-around would “compromise the security of communications products and services rendering them more vulnerable to attacks and erode consumers’ trust in the products and services they rely on for protecting their information ” I fully appreciate the importance and tremendous societal value of strong encryption and I recognize the validity of the tech industry’s concerns However I do not believe that those concerns automatically mean that encryption should be inviolable and that our government should henceforth be denied access to large swaths of communications That reasoning just does not square with the reality of today’s national security imperatives That reality is that government access to these communications is critical to our national security From my earliest days as a federal prosecutor investigating narcotics networks I saw the value of communications surveillance in gaining insight into the plans and inner workings of 4 a conspiracy That value is particularly high when the conspiracy being investigated is a foreign terrorist group where leaders and foot soldiers are often located in different parts of the world and have to rely on electronic communication for operational coordination Thanks in large part to our signals intelligence capabilities the government has been fairly successful in detecting and protecting our country against large-scale terrorism since 9 11 That record of success is now being tested however by the rise of ISIS which in many ways is a more formidable adversary than al-Qaeda ever was In response to our allies’ recent success in pushing back the borders of its conquered territory ISIS seems determined to counter those losses with terrorist attacks directed against the homelands of those countries—like the U S — that they consider their mortal enemies It is also clear that ISIS recognizes the operational value of encrypted communications We know that it has issued a guide for its members discussing the relative “safety” of different encrypted messaging apps We know that as part of its recruiting efforts ISIS often initially engages on social media but then moves the conversation to encrypted apps And we know that attackers inspired by ISIS have made use of such apps prior to conducting their attacks For example FBI Director Comey has testified that one of the attackers at the Muhammad art exhibit in Garland Texas exchanged over 100 encrypted messages with a known overseas terrorist on the morning of the shooting Those messages remain encrypted and unreadable by investigators V Resolving the Debate With this gathering threat on the horizon now is not the time to blithely concede that encryption automatically trumps surveillance and allow our intelligence and law enforcement agencies to go dark To the contrary now is the time for Congress to mobilize on this issue and push for a solution—a solution that allows government the access it needs to protect our people and our country without unduly compromising the encryption technology that protects our data and communications I urge Congress to embark on a legislative process that calls on both sides of this debate to fully lay out the basis of their views For the government this means laying out the case that concretely demonstrates how significantly their different investigative efforts are—or are not—handicapped by the use of default encryption technologies For the tech industry and civil liberties groups this means laying out technically specific support for the contention that a government accommodation would undermine the integrity of default encryption They should provide hard data that demonstrates exactly how—and how much—each possible type of accommodation would impact their encryption systems It is only when Congress receives that data that it can knowledgeably perform its deliberative function and balance the potential cyber security dangers posed 5 by a government accommodation against the national security and law enforcement benefits of having such an accommodation in place Congress can undertake this effort either through a series of hearings and a traditional legislative process or else through the establishment of a commission like that proposed by Senator Warner and Chairman McCaul—a commission composed of technologists security experts and other key stakeholders who could delve deeply into the intricacies of this complex issue Either of these options would be a significant step forward The option that is not a step forward is the option of inaction and continued impasse We have seen the consequences of that option before as that was the option the government effectively pursued in the late 1990’s and early 2000’s when debating the wisdom of “the wall ” the regulatory barrier that prevented coordination and information sharing between law enforcement and Intelligence Community personnel That inaction had tragic consequences when the existence of the wall contributed to our inability to identify the 9 11 hijackers and prevent them from launching their attacks Congress dismantled the wall when it passed the PATRIOT Act six weeks after the 9 11 attacks but that was too late for the 3 000 murdered Americans We made the mistake of inaction once before we must not make it again I applaud the Committee for holding today’s hearing and showing leadership on this issue It gives me hope that we can in fact move beyond the current impasse and reach a workable solution to this critical problem My thanks again for inviting me and I look forward to answering any questions you may have 6
OCR of the Document
View the Document >>