[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

 DECIPHERING THE DEBATE OVER ENCRYPTION: INDUSTRY AND LAW ENFORCEMENT 
                              PERSPECTIVES

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 19, 2016

                               __________

                           Serial No. 114-136






      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

20-696                         WASHINGTON : 2017 
                        
                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Chairman Emeritus                    Ranking Member
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
JOSEPH R. PITTS, Pennsylvania        ELIOT L. ENGEL, New York
GREG WALDEN, Oregon                  GENE GREEN, Texas
TIM MURPHY, Pennsylvania             DIANA DeGETTE, Colorado
MICHAEL C. BURGESS, Texas            LOIS CAPPS, California
MARSHA BLACKBURN, Tennessee          MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                      JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana             G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio                DORIS O. MATSUI, California
CATHY McMORRIS RODGERS, Washington   KATHY CASTOR, Florida
GREGG HARPER, Mississippi            JOHN P. SARBANES, Maryland
LEONARD LANCE, New Jersey            JERRY McNERNEY, California
BRETT GUTHRIE, Kentucky              PETER WELCH, Vermont
PETE OLSON, Texas                    BEN RAY LUJAN, New Mexico
DAVID B. McKINLEY, West Virginia     PAUL TONKO, New York
MIKE POMPEO, Kansas                  JOHN A. YARMUTH, Kentucky
ADAM KINZINGER, Illinois             YVETTE D. CLARKE, New York
H. MORGAN GRIFFITH, Virginia         DAVID LOEBSACK, Iowa
GUS M. BILIRAKIS, Florida            KURT SCHRADER, Oregon
BILL JOHNSON, Ohio                   JOSEPH P. KENNEDY, III, 
BILLY LONG, Missouri                     Massachusetts
RENEE L. ELLMERS, North Carolina     TONY CARDENAS, California
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota

              Subcommittee on Oversight and Investigations

                        TIM MURPHY, Pennsylvania
                                 Chairman
DAVID B. McKINLEY, West Virginia     DIANA DeGETTE, Colorado
  Vice Chairman                        Ranking Member
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          KATHY CASTOR, Florida
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
LARRY BUCSHON, Indiana               JOHN A. YARMUTH, Kentucky
BILL FLORES, Texas                   YVETTE D. CLARKE, New York
SUSAN W. BROOKS, Indiana             JOSEPH P. KENNEDY, III, 
MARKWAYNE MULLIN, Oklahoma               Massachusetts
RICHARD HUDSON, North Carolina       GENE GREEN, Texas
CHRIS COLLINS, New York              PETER WELCH, Vermont
KEVIN CRAMER, North Dakota           FRANK PALLONE, Jr., New Jersey (ex 
JOE BARTON, Texas                        officio)
FRED UPTON, Michigan (ex officio)

  
                             C O N T E N T S

                              ----------                              
Hon. Tim Murphy, a Representative in Congress from the 
  Commonwealth of Pennsylvania, opening statement
    Prepared statement
Hon. Diana DeGette, a Representative in Congress from the state 
  of Colorado, opening statement
Hon. Fred Upton, a Representative in Congress from the state of 
  Michigan, opening statement
    Prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement
    Prepared statement

                               Witnesses

Ron Hickman, Sheriff, Harris County, Texas
    Prepared statement
Amy Hess, Executive Assistant Director for Science and 
  Technology, Federal Bureau of Investigation
    Prepared statement
    Answers to submitted questions \1\
Thomas P. Galati, Chief, Intelligence Bureau, New York City 
  Police Department
    Prepared statement
    Answers to submitted questions
Charles Cohen, Commander, Office of Intelligence and 
  Investigative Technologies, Indiana State Police
    Prepared statement
    Answers to submitted questions
Bruce Sewell, General Counsel, Apple, Inc.; Amit Yoran, 
  President, RSA Security
    Prepared statement
    Answers to submitted questions
Amit Yoran, President, RSA Security
    Prepared statement
    Answers to submitted questions
Matthew Blaze, Associate Professor, Computer and Information 
  Science, School of Engineering and Applied Science, University 
  of Pennsylvania
    Prepared statement
    Answers to submitted questions
Daniel J. Weitzner, Principal Research Scientist, MIT Computer 
  Science and Artificial Intelligence Lab, and Director, MIT 
  Internet Policy Research Initiative
    Prepared statement
    Answers to submitted questions

                           Submitted Material

Subcommittee memorandum
Statement of the Consumer Technology Association, submitted by 
  Mr. Murphy
Statement of TechNet, submitted by Ms. Eshoo
Document binder \1\

----------
\1\ The information can be found at: http://docs.house.gov/
  Committee/Calendar/ByEvent.aspx?EventID=104812.

 
 DECIPHERING THE DEBATE OVER ENCRYPTION: INDUSTRY AND LAW ENFORCEMENT 
                              PERSPECTIVES

                              ----------                              


                        TUESDAY, APRIL 19, 2016

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:00 a.m., in 
room 2123, Rayburn House Office Building, Hon. Tim Murphy 
(chairman of the subcommittee) presiding.
    Present: Representatives Murphy, McKinley, Burgess, 
Blackburn, Griffith, Bucshon, Brooks, Mullin, Hudson, Cramer, 
Upton (ex officio), DeGette, Tonko, Yarmuth, Clarke, Kennedy, 
Welch, and Pallone (ex officio).
    Also Present: Representatives McNerney and Eshoo.
    Staff Present: Rebecca Card, Assistant Press Secretary; 
Paige Decker, Executive Assistant; Melissa Froelich, Counsel, 
Commerce, Manufacturing, and Trade; Giulia Giannangeli, 
Legislative Clerk, Commerce, Manufacturing, and Trade; Jay 
Gulshen, Staff Assistant; Charles Ingebretson, Chief Counsel, 
Oversight and Investigations; John Ohly, Professional Staff, 
Oversight and Investigations; Tim Pataki, Professional Staff 
Member; David Redl, Chief Counsel, Telecom; Dan Schneider, 
Press Secretary; Dylan Vorbach, Deputy Press Secretary; Gregory 
Watson, Legislative Clerk, Communications and Technology; Ryan 
Gottschall, Minority GAO Detailee; Tiffany Guarascio, Minority 
Deputy Staff Director and Chief Health Advisor; Chris Knauer, 
Minority Oversight Staff Director; Una Lee, Minority Chief 
Oversight Counsel; Elizabeth Letter, Minority Professional 
Staff Member; Tim Robinson, Minority Chief Counsel; Matt 
Schumacher, Minority Press Assistant; Ryan Skukowski, Minority 
Policy Analyst; and Andrew Souvall, Minority Director of 
Communications, Outreach and Member Services.
    Mr. Murphy. Good morning, and welcome to the Oversight and 
Investigations Subcommittee hearing on ``Deciphering the Debate 
over Encryption: Industry and Law Enforcement Perspectives.''
    Before I start with my statement, I want to let our 
witnesses and other people know we have multiple hearings going 
on today, and tomorrow, we have a hearing as well, so you will 
see people coming and going. So especially for our witnesses so 
you don't think that that is chaos, we have members trying to 
juggle a lot of things at the same time.
    Ms. DeGette. It is chaos.

   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Murphy. It is chaos, OK. I stand corrected.
    We are meeting today to consider the deceptively complex 
question: Should the government have the ability to lawfully 
access encrypted technology and communications? This is the 
question at the center of a heated public debate, catalyzed 
earlier this year when the FBI obtained a court order to compel 
Apple to assist in unlocking an iPhone used by one of the San 
Bernardino terrorists.
    But this isn't a new question. Strong encryption has 
existed for decades. For years, motivated individuals have had 
access to the tools necessary to conceal their activities from 
law enforcement. And for years, the government has repeatedly 
tried to limit the use of or obtain access to encrypted data.
    The most notable example occurred in the 1990s when the 
development of encrypted communications equipment sparked fears 
that the government would lose its ability to conduct lawful 
surveillance. In response, the NSA developed a new encryption 
chip called the Clipper Chip that would enable encrypted 
communications, but would also provide the government with a 
key to access those communications, if necessary. This 
so-called back door sparked intense debate between the government 
and the technology community about the benefits and risks of 
government access to encrypted technology.
    One of the principal arguments of the technology community 
was that such a back door would create a vulnerability that 
could be exploited by actors outside of the government. This 
concern was validated when a critical flaw was discovered in 
the chip's design. I should note that one of our witnesses here 
today, Dr. Matt Blaze, identified that vulnerability, which 
made the government's back door more akin to a front door.
    As a partial solution, Congress passed the Communications 
Assistance for Law Enforcement Act, called CALEA. CALEA 
addressed the government's concern that rapidly evolving 
technologies were curtailing their ability to conduct lawful 
surveillance by requiring telecommunications providers to 
provide assistance in executing authorized surveillance. 
However, the law included notable caveats which limited the 
government's response to encrypted technologies. After the 
government relaxed export controls on encryption in 2000, the 
Crypto Wars entered a period of relative quiet.
    So what has changed in recent years to renew the debate? 
Part of the concern is, once again, the rapid expansion of 
technology. At its core, however, this debate is about the 
widespread availability of encryption, by default. While 
encryption has existed for decades, until recently, it was 
complex, cumbersome, and hard to use. It took effort and 
sophistication to employ its benefits, either for good or evil. 
But because of this, law enforcement was still able to gain 
access to the majority of the digital evidence they discovered 
in their investigations. But now, the encryption of electronic 
data is the norm. It's the default. This is a natural response 
to escalating concerns both from government and consumers about 
the security of digital information.
    The decision by companies like Apple and the messaging 
application WhatsApp to provide default encryption means more 
than a billion people, including some living in countries with 
repressive governments, have the benefit of easy, reliable 
encryption. At the same time, however, criminals and terrorists 
have the same access to secure means of communication, and they 
know it, and they will use it as their own mission control 
center.
    And that is the crux of the recent debate. Access to secure 
technologies beyond the reach of law enforcement no longer 
requires coordination or sophistication. It is available to 
anyone and to everyone. At the same time, however, as more of 
our lives become dependent on the Internet and information 
technologies, the availability of widespread encryption is 
critical to our personal, economic, and national security.
    Therefore, while many of the arguments in the current 
debate may echo those of decades past, the circumstances have 
changed and so, too, must the discussion. This can no longer be 
a battle between two sides or a choice between black and white. 
If we take that approach, the only outcome is that we all lose. 
This is a core issue of public safety and ethics, and it 
requires a very thoughtful approach.
    That is why we are here today to begin moving the conversation 
from Apple versus the FBI or right versus wrong to a 
constructive dialogue that recognizes this is a complex issue 
that affects everyone and therefore we are in this together.
    We have two very strong panels, and I expect each will make 
strong arguments about the benefits of strong encryption and 
the challenges it presents for law enforcement. I encourage my 
colleagues to embrace this opportunity to learn from these 
experts to better understand the multiple perspectives, layers, 
and complexities of the issues.
    It is time to begin a new chapter in this battle, one which 
I hope can ultimately bring some resolution to the war. This 
process will not be easy, but if it does not happen now, we may 
reach a time when it is too late and success becomes 
impossible.
    So, for everyone calling on Congress to address this issue, 
here we are. I can only hope, moving forward, you will be 
willing to join us at the table.
    I now recognize the ranking member from Colorado, Ms. 
DeGette, for 5 minutes.
    [The prepared statement of Mr. Murphy follows:]

                 Prepared statement of Hon. Tim Murphy

    We are meeting today to consider the deceptively complex 
question: Should the government have the ability to lawfully 
access encrypted technology and communications? This is the 
question at the center of a heated public debate, catalyzed 
earlier this year when the FBI obtained a court order to compel 
Apple to assist in unlocking an iPhone used by one of the San 
Bernardino terrorists.
    But this isn't a new question. Strong encryption has 
existed for decades. For years, motivated individuals have had 
access to the tools necessary to conceal their activities from 
law enforcement. And for years, the government has repeatedly 
tried to limit the use of or obtain access to encrypted data.
    The most notable example occurred in the 1990s when the 
development of encrypted communications equipment sparked fears 
that the government would lose its ability to conduct lawful 
surveillance. In response, the NSA developed a new encryption 
chip--called the ``Clipper Chip''--that would enable encrypted 
communications, but would also provide the government with a 
key to access those communications, if necessary. This 
so-called ``backdoor'' sparked intense debate between the 
government and the technology community about the benefits--and 
risks--of government access to encrypted technology.
    One of the principal arguments of the technology community 
was that such a backdoor would create a vulnerability that 
could be exploited by actors outside of the government. This 
concern was validated when a critical flaw was discovered in 
the chip's design. I should note that one of our witnesses here 
today, Dr. Matt Blaze, identified that vulnerability which made 
the government's backdoor more akin to a front door.
    As a partial solution, Congress passed the Communications 
Assistance for Law Enforcement Act (CALEA). CALEA addressed the 
government's concern that rapidly evolving technologies were 
curtailing their ability to conduct lawful surveillance by 
requiring telecommunications providers to provide assistance in 
executing authorized surveillance. However, the law included 
notable caveats which limited the government's response to 
encrypted technologies.
    After the government relaxed export controls on encryption 
in 2000, the Crypto Wars entered a period of relative quiet. So 
what has changed in recent years to renew the debate? Part of 
the concern is, once again, the rapid expansion of technology. 
At its core, however, this debate is about the widespread 
availability of encryption, by default.
    While encryption has existed for decades, until recently it 
was complex, cumbersome and hard to use. It took effort and 
sophistication to employ its benefits, either for good or evil. 
Because of this, law enforcement was still able to gain access 
to the majority of the digital evidence they discovered in 
their investigations.
    But now, the encryption of electronic data is the norm--the 
default. This is a natural response to escalating concerns--both 
from government and consumers--about the security of digital 
information. The decision by companies like Apple and the 
messaging application WhatsApp to provide default encryption 
means more than a billion people--including some living in 
countries with repressive governments--have the benefit of 
easy, reliable encryption. At the same time, however, criminals 
and terrorists have the same access to secure means of 
communication--and they know it, and they will use it as their 
own mission control center.
    That is the crux of the recent debate. Access to secure 
technologies beyond the reach of law enforcement no longer 
requires coordination or sophistication. It is available to 
anyone and everyone. At the same time, however, as more of our 
lives become dependent on the Internet and information 
technologies, the availability of widespread encryption is 
critical to our personal, economic and national security.
    Therefore, while many of the arguments in the current 
debate may echo those of decades past, the circumstances have 
changed and so too must the discussion. This can no longer be a 
battle between two sides, a choice between black-and-white. If 
we take that approach, the only possible outcome is that we all 
lose. This is a core issue of public safety and ethics--and it 
requires a very thoughtful approach.
    That is why we are here today--to begin moving the conversation 
from ``Apple vs. the FBI'' or ``right versus wrong'' to a 
constructive dialogue that recognizes this is a complex issue 
that affects everyone and therefore ``we are in this 
together.'' We have two very strong panels and I expect each 
will make strong arguments about the benefits of strong 
encryption and the challenges it presents for law enforcement. 
I encourage my colleagues to embrace this opportunity to learn 
from these experts to better understand the multiple 
perspectives, layers and complexities to this issue.
    It is time to begin a new chapter in this battle--one which 
I hope can ultimately bring some resolution to the war. This 
process will not be easy but if it does not happen now, we may 
reach a time when it is too late and success becomes 
impossible. So, for everyone calling on Congress to address 
this issue, here we are. I can only hope, moving forward, you 
will be willing to join us at the table.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you, Mr. Chairman. And thank you for 
holding this important hearing.
    Issues surrounding encryption and particularly the 
disagreements between law enforcement and the tech community 
gained significant public attention in the San Bernardino case, 
but I am not particularly interested in re-litigating that 
dispute today. As you said, Mr. Chairman, the conversation 
needs to be broader than just that one case.
    Let me state unequivocally that I, like you, and I think 
the rest of us here today recognize and appreciate the benefits 
of strong encryption in today's digital world. It keeps our 
communications secure, our critical infrastructure safe, and 
our bank accounts from being drained. It also provides each one 
of us with significant privacy protections.
    But also, like you, I see the flip side of the coin. While 
encryption does provide these invaluable protections, it can 
also be used to obscure the communications and plots of 
criminals and terrorists and increasingly at great risk. It is 
our task to help find the proper balance between those 
competing interests.
    We need to ask both industry and law enforcement some hard 
questions today. Last month, the President said, for example, 
``We want strong encryption because part of us preventing 
terrorism or preventing people from disrupting the financial 
system is that hackers, state or non-state, can't get in there 
and mess around.'' But if we make systems that are impenetrable 
or warrant-proof, how do we stop criminals and terrorists? If 
you can't crack these systems, President Obama said, ``then 
everybody is walking around with a Swiss bank account in their 
pocket.''
    I have heard the tech community's concern that some of the 
policies being proposed like creating a back door for law 
enforcement will undermine the encryption that everybody needs 
to keep them safe. And, as they remind us, a back door for good 
guys ultimately becomes a front door for criminals.
    The tech community has been particularly vocal about the 
negative consequences of proposals to address the encryption 
challenge. I think many of these arguments are valid, but I 
have only heard what we should not do, not what we should do 
collectively to address this challenge. I think the discussion 
needs to include a dialogue about how to move forward. I can't 
believe that this problem is intractable.
    Now, the same thing seems to be true from where I sit for 
law enforcement, which raises legitimate concerns but doesn't 
seem to be focused on workable solutions. I don't promote 
forcing industry to build back doors or other circumventions 
that experts tell us will undermine security or privacy for all 
of us. At the same time, I am not comfortable with impenetrable 
warrant-proof spaces where criminals or terrorists can operate 
without any fear that law enforcement could discover their 
plots.
    So what I want to hear today is from both law enforcement 
and industry about possible solutions going forward. For 
example, if we conclude that expansive warrant-proof spaces are 
not acceptable in society, then what are the policy options? 
What happens if encryption is the reason law enforcement can't 
solve or prevent a crime? If the holder or transmitter of the 
data or device can't or won't help law enforcement, what then? 
What are suitable options?
    Last week, for example, the Washington Post reported that 
the government relied on gray-hat hackers to circumvent the San 
Bernardino iPhone. Well, thank goodness? I don't think so. I 
don't think relying on a third party is a good model. This 
recent San Bernardino case suggests that the government 
needs to enhance its capabilities when it comes to exploring 
ways to work around the challenges posed by encryption. I 
intend to ask both panels what additional resources and 
capabilities the government needs to keep pace with technology.
    While providing government with more tools or capability 
requires additional discussions regarding due process and the 
protection of civil liberties, enhancing the government's 
technical capability is one potential solution that does not 
mandate back doors.
    Finally, the public, the tech community, and the government 
are all in this together. In that spirit, I really do want to 
thank our witnesses for coming today. I am happy that we have 
people from law enforcement, academia, and industry, and I am 
really happy that Apple came to testify today. Your voice is 
particularly important because other players like Facebook and 
WhatsApp declined our invitation to be a part of this panel.
    Now, the tech community has told Congress we need to solve 
this problem, and we agree, but I have got to tell you, it is 
hard to solve a problem when the key players won't show up for 
the discussion. And I am here also to tell you, as a longtime 
member of this subcommittee, relying on Congress to, on its 
own, pass legislation in a very complex situation like this is 
a blunt instrument at best. I think it would be in everybody's 
best interest to come to the table and help us work on a 
solution.
    Thanks again for holding this hearing. I know we won't 
trivialize these concerns. I look forward to working with 
everybody to come up with a reasonable solution, and I yield 
back.
    Mr. Murphy. The gentlelady yields back.
    I now recognize the chairman of the full committee, Mr. 
Upton, for 5 minutes.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. Thank you, Mr. Chairman.
    For months now, we have witnessed an intense and important 
debate between law enforcement and the technology community 
about encryption. While much of this recent debate has focused 
on the FBI and Apple, this issue is certainly much bigger than 
any one entity, device, application, or piece of technology. At 
its very core, this is a debate about what we, as a society, 
are willing to accept.
    If you have paid any attention to the debate, it might 
appear to be a black-and-white choice. Either we side with law 
enforcement and grant them access to encrypted technologies, 
thus weakening the security and privacy of our digital 
infrastructure, or we can side with the technology community 
and prevent law enforcement from accessing encrypted 
technologies, thus creating a warrantless safe haven for 
terrorists, pedophiles, and other evil and terrible actors.
    It is important that we move beyond the us-versus-them 
mentality that has encompassed this discussion for too long. 
This debate is not about picking sides; it is about evaluating 
options. It begins by acknowledging the equities on both sides. 
From the technology perspective, there is no doubt that strong 
encryption is a benefit to our society. As more of our daily 
lives become integrated with the digital universe, encryption 
is critical to the security and privacy of our personal and 
corporate secrets. As evidenced by the breaches over the past 
year, data theft can have a devastating effect on our personal 
privacy, economic strength, and national security.
    In addition, encryption doesn't just enable terrorists and 
wrongdoers to do terrible things. It also provides a safe haven 
for dissidents, victims of domestic violence, and others who 
wish to remain hidden for noble purposes. And as we look to the 
future and see that more and more aspects of our lives will 
become connected to the Internet, including things such as 
cars, medical devices, and the electric grid, encryption will 
play an important role in minimizing the risk of physical harm 
or loss of life should these technologies be compromised.
    From the law enforcement perspective, while strong 
encryption helps protect the information and lives, it also 
presents a serious risk to public safety. As strong, 
inaccessible encryption becomes the norm, law enforcement loses 
access to valuable tools and evidence necessary to stop bad 
actors from doing terrible things. And as we will hear today, 
this cannot always be offset by alternative means such as 
metadata or other investigative tools. There are certain 
situations, such as identifying the victims of child 
exploitation, not just the perpetrators, where access to 
content is critical.
    These are but a few of the many valid concerns on both 
sides of this debate, which leads us to the question: What is 
the answer? Sitting here today, I don't have the answer, nor do 
I expect that we will find it during this hearing. This is a 
complex issue, and it is going to require a lot of difficult 
conversations, but that is not an excuse to put our head in the 
sand or resort to default positions. We need to confront these 
issues head-on because they are not going to go away, and they 
are only going to get more difficult as time continues to tick.
    Identifying a solution to this problem may involve 
tradeoffs and compromise on both sides, but ultimately, it 
comes down to what society accepts as the appropriate balance 
between government access to encryption and security of 
encrypted technologies. For that reason and others, many have 
called on us, us, this committee, to confront the issues here.
    That is why we are holding this hearing, and that is why 
Chairman Goodlatte and I, along with Ranking Members Pallone 
and Conyers, established a bipartisan, joint committee-working 
group to examine this very issue. In order for Congress to 
successfully confront the issue, however, it will require 
patience, creativity, courage, and more importantly, 
cooperation. It is easy to call on Congress to take on an 
issue, but you better be prepared to answer the call when we 
do. This issue is too important to have key players sitting on 
the sidelines, and therefore, I hope all of you are prepared to 
participate as we take to heart what we hear today and be part 
of the solution moving forward.
    And I yield back.
    [The prepared statement of Mr. Upton follows:]

                 Prepared statement of Hon. Fred Upton

    For months we have witnessed an intense and important 
debate between law enforcement and the technology community 
about encryption. While much of this recent debate has focused 
on the FBI and Apple, this issue is much bigger than any one 
entity, device, application, or piece of technology. At its 
core, this is a debate about what we, as a society, are willing 
to accept.
    If you have paid any attention to the debate, it might 
appear to be a black and white choice. Either we side with law 
enforcement and grant them access to encrypted technologies--
thus weakening the security and privacy of our digital 
infrastructure. Or, we can side with the technology community 
and prevent law enforcement from accessing encrypted 
technologies, thus creating a warrantless safe-haven for 
terrorists, pedophiles, and other evil actors.
    It is important that we move beyond the ``us versus them'' 
mentality that has encompassed this discussion for too long. 
This debate is not about picking sides--it is about evaluating 
options.
    This begins by acknowledging the equities on both sides. 
From the technology perspective, there is no doubt that strong 
encryption is a benefit to our society. As more of our daily 
lives become integrated with the digital universe, encryption 
is critical to the security and privacy of our personal and 
corporate secrets. As evidenced by the breaches over the past 
year, data theft can have devastating effects on our personal 
privacy, economic strength, and national security. In addition, 
encryption doesn't just enable terrorists and wrongdoers to do 
terrible things--it also provides a safe haven for dissidents, 
victims of domestic violence, and others who wish to remain 
hidden for ignoble purposes. As we look to the future and see 
that more and more aspects of our lives will become connected 
to the Internet--including things such as cars, medical 
devices, and the electric grid--encryption will play an 
important role in minimizing the risk of physical harm or loss 
of life should these technologies be compromised.
    From the law enforcement perspective, while strong 
encryption helps protect information and lives, it also 
presents a serious risk to public safety. As strong, 
inaccessible encryption becomes the norm, law enforcement loses 
access to valuable tools and evidence necessary to stop bad 
actors from doing terrible things. As we will hear today, this 
cannot always be offset by alternative means such as meta-data 
or other investigative tools. There are certain situations, 
such as identifying the victims of child exploitation--not just 
the perpetrators--where access to content is critical.
    These are but a few of the many valid concerns on both 
sides of this debate. Which leads us to the question--what is 
the answer? Sitting here today, I do not have that answer nor 
do I expect we will find it during this hearing. This is a 
complex issue and it is going to require some difficult 
conversations--but that is not an excuse to put our head in the 
sand or resort to default positions. We need to confront these 
issues head-on because they are not going away and they will 
only get more difficult with time.
    Identifying a solution to this problem may involve trade-
offs and compromise, on both sides, but ultimately it comes 
down to what society accepts as the appropriate balance between 
government access to encryption and security of encrypted 
technologies. For that reason and others, many have called on 
Congress to ``confront the issues here.'' That is why we are 
holding this hearing and that is why Chairman Goodlatte and I--
along with Ranking Members Pallone and Conyers--established a 
bipartisan, joint committee-working group to examine this 
issue.
    In order for Congress to successfully ``confront this 
issue,'' however, it will require patience, creativity, 
courage, and most importantly, cooperation. It is easy to call 
on Congress to take on an issue--but you better be prepared to 
answer the call when we do. This issue is too important to have 
key players sitting on the sidelines. Therefore, I hope those 
who were unprepared to participate in this hearing take this to 
heart and will be part of the solution moving forward.

    Mr. Murphy. The gentleman yields back.
    I now recognize Mr. Pallone for 5 minutes.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Mr. Chairman.
    I welcome the opportunity to hear today from both law 
enforcement and the tech community as we seek to understand and 
develop solutions to this encryption debate. Encryption enables 
the privacy and security that we value, but it also creates 
challenges for those seeking to protect us.
    Law enforcement has a difficult job of keeping our nation 
safe, and they are finding that some encrypted devices and 
programs are hampering their efforts to conduct thorough 
investigations. Even when they obtain a warrant, they find 
themselves unable to access information protected by end-to-end 
encryption. And this raises questions of how comfortable we are 
as a nation with these ``dark'' areas that cannot be reached by 
law enforcement.
    At the same time, the tech community helps protect some of 
our most valuable information, and the most secure way to do 
that is by using end-to-end encryption, meaning the device or 
app manufacturer does not hold the key to that information. 
When the tech community tells us that providing back doors will 
make their job of protecting our information that much more 
difficult, we should heed that warning and work towards a 
solution that will not solve one problem by creating many 
others.
    It is clear that both sides in this discussion have 
compelling arguments, but simply repeating those arguments is 
not a sufficient response. We need to work together to move 
forward, and I hope today's hearing is just the beginning of 
that conversation.
    In the last several months and years, we have seen major 
players in this debate look to Congress for solutions. In 2014, 
FBI Director Comey said, ``I am happy to work with Congress, 
with our partners in the private sector, and with my law 
enforcement and national security counterparts, and with the 
people we serve, to find the right answer, to find the balance 
we need.''
    In an e-mail to Apple employees earlier this year, Apple 
CEO Tim Cook wrote about his support for Congress to bring 
together ``experts on intelligence, technology, and civil 
liberties to discuss the implications for law enforcement, 
national security, privacy, and personal freedoms.'' And he 
wrote that ``Apple would gladly participate in such an 
effort.''
    So if we have any hope of moving this debate forward, we 
need all parties to come to the table. The participation of our 
witnesses today should serve as a model to others who have been 
reluctant to participate in this discussion. We can't move 
forward if each party remains in its corner, unwilling to 
compromise or propose solutions. Both sides need to recognize 
that this is an effort to strike a balance between the security 
and privacy of personal data and public safety.
    The public needs to feel confident that their information 
is secure, but at the same time, we need to assure them that 
law enforcement has all the tools it needs to do their jobs 
effectively.
    So, Mr. Chairman, I would like to yield the remaining time 
to the gentlewoman from New York, Ms. Clarke.
    [The prepared statement of Mr. Pallone follows:]

             Prepared statement of Hon. Frank Pallone, Jr.

    I welcome the opportunity to hear today from both law 
enforcement and the tech community as we seek to understand and 
develop solutions to this encryption debate. Encryption enables 
the privacy and security that we value, but it also creates 
challenges for those seeking to protect us.
    Law enforcement has a difficult job of keeping our nation 
safe. And they are finding that some encrypted devices and 
programs are hampering their efforts to conduct thorough 
investigations. Even when they obtain a warrant, they find 
themselves unable to access information protected by end-to-end 
encryption. This raises questions of how comfortable we are as 
a nation with these ``dark'' areas that cannot be reached by 
law enforcement.
    At the same time, the tech community helps protect some of 
our most valuable information, and the most secure way to do 
that is by using end-to-end encryption, meaning the device or 
app manufacturer does not hold a key to that information. When 
the tech community tells us that providing backdoors will make 
their job of protecting our information that much more 
difficult, we should heed that warning and work toward a 
solution that will not solve one problem by creating many 
others.
    It is clear that both sides in this discussion have 
compelling arguments, but simply repeating those arguments is 
not a sufficient response. We need to work together to move 
forward, and I hope today's hearing is just the beginning of 
that conversation.
    In the last several months and years, we have seen major 
players in this debate look to Congress for solutions. In 2014, 
FBI Director Comey said, ``I'm happy to work with Congress, 
with our partners in the private sector, with my law 
enforcement and national security counterparts, and with the 
people we serve, to find the right answer--to find the balance 
we need.''
    In an e-mail to Apple employees earlier this year, Apple 
CEO Tim Cook wrote about his support for Congress to bring 
together ``experts on intelligence, technology and civil 
liberties to discuss the implications for law enforcement, 
national security, privacy and personal freedoms.'' He wrote 
that ``Apple would gladly participate in such an effort.''
    If we have any hope of moving this debate forward, we need 
all parties to come to the table. The participation of our 
witnesses today should serve as a model to others who have been 
reluctant to participate in this discussion. We cannot move 
forward if each party remains in its corner, unwilling to 
compromise or propose solutions.
    Both sides need to recognize that this is an effort to 
strike a balance between the security and privacy of personal 
data and public safety. The public needs to feel confident that 
their information is secure. But at the same time, we need to 
assure them that law enforcement has all the tools it needs to 
do their jobs effectively.
    I would like to yield my remaining time to Rep. Clarke.

    Ms. Clarke. I thank Ranking Member Pallone for yielding.
    First, let me welcome Chief Thomas Galati, who is the chief 
of Intelligence for my hometown of New York City. And many 
refer to the New York City Police Department as New York's 
finest, but I would like to think of them as the world's 
finest.
    Welcome, Chief Galati.
    At its core, our Constitution is about the balance of 
power. It is about balancing power among the Federal 
Government, State government, and the rights of individuals. 
Through the years, getting that balance just right has been 
challenging and at times tension-filled, but we have done it. 
We have prevailed.
    The encryption-versus-privacy-rights issue is simply 
another opportunity for us to again recalibrate and fine-tune 
the balance in our democracy. And as the old cliche states, 
democracy is not a spectator sport. So it is time for all of us 
to participate. It is time to roll up our sleeves and work 
together to resolve this issue as an imperative because it is 
not going away.
    So I am glad that we are having this hearing today because 
I do believe that, working together, we can find a way to 
balance our concerns and to address this issue of physical 
security with our rights to private security.
    So I look forward to hearing the perspectives of our 
witnesses today, and I yield back the remainder of the time. 
Thank you, Mr. Chairman.
    Mr. Murphy. So your side yields back then? Thank you.
    I just do ask unanimous consent that the members' written 
opening statements be introduced into the record. Without 
objection, the documents will be entered into the record.
    And now I would like to introduce the witnesses of our 
first panel for today's hearing. Our first witness on the panel 
is Ms. Amy Hess. Ms. Hess is the executive assistant director 
for Science and Technology at the Federal Bureau of 
Investigation. In this role she is responsible for the 
executive oversight of the Criminal Justice Information 
Services Laboratory and Operational Technology divisions. Ms. 
Hess has logged time in the field as an FBI special agent, as 
well as the Bureau's headquarters here in Washington, D.C., and 
we thank Ms. Hess for preparing her testimony and look forward 
to hearing your insights in these matters.
    We also want to welcome Chief Thomas Galati from the New 
York City Police Department. Chief Galati is a 32-year veteran 
of the New York City Police Department and currently serves as 
the Chief of Intelligence. As Chief of Intelligence, he is 
responsible for the activities of the Intelligence Bureau, the 
Western Hemisphere's largest municipal law enforcement 
intelligence operation. Thank you, Chief Galati, for your 
testimony today, and we look forward to hearing your comments.
    And finally, for the first panel, we welcome Captain 
Charles Cohen of the Indiana State Police. Currently, he is the 
Commander of the Office of Intelligence and Investigative 
Technologies where he is responsible for the Cyber Crime, 
Electronic Surveillance, and Internet Crimes Against Children. 
We appreciate his time today, and once again thank all the 
witnesses for being here.
    I also want to note that Sheriff Ron Hickman of the Harris 
County Sheriff's Office unfortunately will not be joining us 
today due to the tragic flooding yesterday in the Houston area. 
Our prayers and thoughts are with the people of Houston. We 
know there have been several tragedies there. We all wish 
Sheriff Hickman could be with us, but we certainly understand 
travel logistics can sometimes make these things impossible.
    I would ask unanimous consent, however, that Sheriff 
Hickman's testimony be entered into the record, and without 
objection, his testimony will be entered into the record.
    [The prepared statement of Ron Hickman follows:]
    
    

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
      
    Mr. Murphy. Now, to our panelists, as you are aware, the 
committee is holding an investigative hearing, and when doing 
so, has the practice of taking testimony under oath. Do any of 
you have any objections to taking testimony under oath?
    They all say no.
    The chair then advises you that under the rules of the 
House and rules of the committee, you are entitled to be 
advised by counsel. Do any of you desire to be advised by 
counsel during the hearing today?
    And all say no as well.
    In that case, would you please rise, raise your right hand. 
I will swear you in.
    [Witnesses sworn.]
    Mr. Murphy. Thank you. You may be seated. And all the 
witnesses answered in the affirmative and you are now under 
oath and subject to the penalties set forth in title 18, 
section 1001 of the United States Code. You may now give a 5-
minute summary of your opening statement.
    Ms. Hess, you are recognized for 5 minutes.

   STATEMENTS OF AMY HESS, EXECUTIVE ASSISTANT DIRECTOR FOR 
   SCIENCE AND TECHNOLOGY, FEDERAL BUREAU OF INVESTIGATION; 
  THOMAS P. GALATI, CHIEF, INTELLIGENCE BUREAU, NEW YORK CITY 
  POLICE DEPARTMENT; AND CHARLES COHEN, COMMANDER, OFFICE OF 
  INTELLIGENCE AND INVESTIGATIVE TECHNOLOGIES, INDIANA STATE 
                             POLICE

                     STATEMENT OF AMY HESS

    Ms. Hess. Thank you. Good morning, Chairman Murphy, Ranking 
Member DeGette, and members----
    Mr. Murphy. Just make sure your microphone is pulled as 
close to you as possible and turned on.
    Ms. Hess. Yes, sir.
    Mr. Murphy. Thank you.
    Ms. Hess [continuing]. And members of the subcommittee. 
Thank you for the opportunity to appear before you today and 
engage in this important discussion.
    In recent years, we've seen new technologies transform our 
society, most notably by enabling digital communications and 
facilitating e-commerce. It is essential that we protect these 
communications to promote free expression, secure commerce and 
trade, and safeguard sensitive information.
    We support strong encryption, but we've seen how criminals, 
including terrorists, are using advances in technology to their 
advantage. Encryption is not the only challenge we face in 
today's technological landscape, however. We face significant 
obstacles in lawfully tracking suspects because they can 
seamlessly communicate while changing from a known Wi-Fi 
service to a cellular connection to a Wi-Fi hotspot. They can 
move from one communication application to another and carry 
the same conversation or multiple conversations simultaneously.
    Communication companies do not have standard data retention 
policies or guidelines, and without historical data, it's very 
difficult to put pieces of the investigative puzzle together. 
Some foreign communication providers have millions of users in 
the United States but no point of presence here, making it 
difficult if not impossible to execute a lawful court order. We 
encounter platforms that render suspects virtually anonymous on 
the Internet, and if we cannot attribute communications and 
actions to a specific individual, critical leads and evidence 
may be lost. The problem is exponentially increased when we 
face one or more of these challenges on top of another.
    Since our nation's inception, we've had a reasonable 
expectation of privacy. This means that only with probable 
cause and a court order can law enforcement listen to an 
individual's private conversations or enter their private 
spaces. When changes in technology hinder or prohibit our 
ability to use authorized investigative tools and follow 
critical leads, we may not be able to root out child predators 
hiding in the shadows or violent criminals targeting our 
neighborhoods. We may not be able to identify and stop 
terrorists who are using today's communication platforms to 
plan and execute attacks in our country.
    So we are in this quandary trying to maximize security as 
we move into a world where, increasingly, information is beyond 
the reach of judicial authority and trying to maximize privacy 
in this era of rapid technological advancement. Finding the 
right balance is a complex endeavor, and it should not be left 
solely to corporations or to the FBI to solve. It must be 
publicly debated and deliberated. The American people should 
decide how we want to govern ourselves in today's world.
    It's law enforcement's responsibility to inform the 
American people that the investigative tools we have 
successfully used in the past are increasingly becoming less 
effective. The discussion so far has been highly charged at 
times because people are passionate about privacy and security. 
But this is an essential discussion which must include a 
productive, meaningful, and rational dialogue on how 
encryption, as currently implemented, poses significant 
barriers to law enforcement's ability to do its job.
    As this discussion continues, we're fully committed to 
working with industry, academia, and other parties to develop 
the right solution. We have an obligation to ensure everyone 
understands the public safety and national security risks that 
result from the use of new technologies and encrypted platforms 
by malicious actors.
    To be clear, we're not asking to expand the government's 
surveillance authority, but rather to ensure we can continue to 
obtain electronic information and evidence pursuant to the 
legal authority that Congress has provided us to keep America 
safe. There is not and will not be a one-size-fits-all solution 
to address the variety of challenges we face. The FBI is 
pursuing multiple avenues to overcome these challenges, but we 
realize we cannot overcome them on our own.
    Mr. Chairman, we believe the issues posed by this growing 
problem are grave and extremely complex. We must therefore 
continue the public discourse on how best to ensure that 
privacy and security can coexist and reinforce each other, and 
this hearing today is a vital part of that process.
    Thank you again for your time and your attention to this 
important matter.
    [The prepared statement of Amy Hess follows:]
    
  
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
  
    
     
    Mr. Murphy. Thank you, Ms. Hess.
    I now recognize Chief Galati for 5 minutes.

                 STATEMENT OF THOMAS P. GALATI

    Chief Galati. Thank you.
    Mr. Murphy. Make sure your microphone is turned on, and 
again, pull it as close to you as you can.
    Chief Galati. Thank you. On behalf of Mayor de Blasio and 
Police Commissioner Bratton and myself, thanks to the committee 
for the opportunity to speak with you this morning.
    Years ago, criminals and their accomplices stored their 
information in closets, drawers, safes, and glove boxes. There 
was and continues to be an expectation of privacy in these 
areas, but the high burden imposed by the Fourth Amendment, 
which requires a lawful search be warranted and authorized by a 
neutral judge, has been deemed sufficient protection against 
unreasonable government search and seizure for the past 224 
years.
    But now it seems that that legal authority is struggling to 
catch up with the times because today, nearly everyone lives 
their life on a smartphone, including criminals, so evidence 
that once would have been stored in a file cabinet or a 
notebook is now archived in an email or a text message. The 
same exact information that would solve a murder, catch a 
rapist, or prevent a mass shooting is now stored in that 
device.
    But where law enforcement has legal access to the file 
cabinet, it is shut out of the phone, not because of 
constraints built into the law, but rather limits imposed by 
technology. When law enforcement is unable to access evidence 
necessary to the investigation, prosecution, and prevention of 
a crime, despite the lawful right to do so, we call this 
``going dark.''
    Every day, we deal with this evidentiary dilemma on two 
fronts. First, it's what is known as ``data at rest.'' This is 
when the actual device--the computer, the tablet, or the 
phone--is in law enforcement's possession, but the 
information stored within it is inaccessible. In just the 6-
month period from October of 2015 through March of this year, 
New York City, we have been locked out of 67 Apple devices 
lawfully seized pursuant to the investigation of 44 violent 
crimes. In addition, there are 35 non-Apple devices. Of these 
Apple devices, these incidents include 23 felonies, 10 
homicides, two rapes, and two police officers shot in the line 
of duty. They include robberies, criminal weapons possession, 
criminal sex acts, and felony assaults.
    In every case, we have the file cabinet so to speak, and 
the legal authority to open it, but we lack the technical 
ability to do so because encryption protects its contents. But 
in every case, these crimes deserve our protection, too.
    The second type of ``going dark'' is an incident known as 
``data in motion.'' In these cases, law enforcement is legally 
permitted, through a warrant or other judicial process, to 
intercept and access a suspect's communications. But the 
encryption built in to the applications such as WhatsApp, 
Telegram, or Wickr, and others thwarts this type of lawful 
surveillance.
    So we may know a criminal group is communicating, but we 
are unable to understand why. In the past, a phone or a 
wiretap, again, legally obtained from a judge, would alert the 
police to drop-off locations, hideouts, and target locations. 
Now, we are literally in the dark, and criminals know it, too.
    We recently heard a defendant in a serious felony case make 
a call from Rikers Island where he extolled the Apple iOS 8 and 
its encryption software as ``a gift from God.'' This leaves the 
police, prosecutors, and the people we are sworn to protect in 
a very precarious position.
    What is even more alarming is that the position is not 
dictated by our elected officials, our judiciary system, or our 
laws. Instead, it is created and controlled by corporations 
like Apple and Google, who have taken it upon themselves to 
decide who can access critical information in criminal 
investigations.
    As a bureau chief in our nation's largest municipal police 
department, an agency that's charged with protecting 8.5 
million residents and millions of daily commuters and tourists 
every day, I am confident that corporate CEOs do not hold 
themselves to the same public safety standards as our elected 
officials and law-enforcement professionals.
    So how do we keep people safe? The answer cannot be 
warrant-proof encryption, which creates a landscape of criminal 
information outside the reach of search warrants or a subpoena 
and outside legal authority to establish over centuries of 
jurisprudence.
    But this has not always been Apple's answer. Until 19 
months ago, they held the key that could override protections 
and open phones. Apple used this master key to comply with 
court orders in kidnappings, murders, and terrorism cases. 
There was no documented incident or code getting out to hackers 
or the government. If they were able to comply with 
constitutionally legal court orders then, why not now?
    The ramifications to this fight extend far beyond San 
Bernardino, California, and the 14 people murdered there. It is 
important to recognize that more than 90 percent of all 
criminal prosecutions in our country are handled at the State 
or local level. These cases involve real people, families, your 
friends, your loved ones. They deserve police departments that 
are able to do everything within the law to bring them justice, 
and they deserve corporations to appreciate their ethical 
responsibilities.
    I applaud you for holding this hearing today. It is 
critical that we work together and across silos to fight crime 
and disorder because criminals are not bound by jurisdictional 
boundaries or industry standards. But increasingly, they are 
aware of the safety net that the warrant-proof encryption 
provides them, and we must all take responsibility for what 
that means.
    For the New York City Police Department, it means investing 
more in people's lives in--than in quarterly earnings reports 
and putting public safety back into the hands of the brave men 
and women who have sworn to defend it.
    Thank you, and I will take any questions.
    [The prepared statement of Thomas P. Galati follows:]
    
    

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
   
    Mr. Murphy. Thank you very much, Chief.
    Now, Captain Cohen, you are recognized for 5 minutes. 
Again, pull the microphone close to you.

                   STATEMENT OF CHARLES COHEN

    Mr. Cohen. Mr. Chairman, members of the subcommittee, thank 
you for allowing me to testify. My name is Chuck Cohen, and I'm 
a captain with the Indiana State Police. I also serve as 
Indiana Internet Crimes Against Children Task Force commander.
    I would not be here today if it were not for encountering 
serious problems associated with encryption that do not have 
easy technological fixes. We need your help, and it is 
increasingly apparent that that help must be legislative.
    As far as I know, the FBI is not exaggerating or trying to 
mislead anyone when they say that there is currently no way to 
recover data from newer iPhones. Apple has intentionally 
designed an operating system and device combination that 
functionally acts as a locked container without a key. The 
sensitivity of the personal information people keep stored in 
their phones should be compared with the sensitivity of 
information that people keep in bank deposit boxes and 
bedrooms. Criminal investigators with proper legal 
authorization have the technical means to access both deposit 
boxes and bedrooms, but we lack the technical means to access 
newer cellular phones running default hard encryption.
    We are often asked for examples of how encryption hinders 
law enforcement's ability to conduct criminal investigations. 
There are numerous encrypted phones sitting in the Indiana 
State Police evidence rooms waiting for a solution, legal or 
technical, to the problem. Some of those phones belong to 
murder victims and child sex crimes victims.
    Earlier this year, a mother and son were shot to death 
inside their home in Indiana. Both victims had newer iPhones. 
I'm confident that, if they were able, both would give consent 
for us to forensically examine their phones to help us find the 
killer or killers. But unfortunately, being deceased, they were 
unable to give consent, and unfortunately for investigators 
working to solve their murders, they chose to buy phones 
running encrypted operating systems by default.
    I need to emphasize that we are talking not just about 
suspects' phones but also victims' phones, and not just about 
incriminating evidence but also exculpatory evidence that 
cannot be recovered. It is always difficult to know what 
evidence and contraband is not being recovered, the child 
victims that are not being rescued, and the child sex offenders 
that are not being arrested as a result of encryption.
    But the investigation, prosecution, and Federal conviction 
of Randall R. Fletcher helps to shed light on the type of 
evidence that is being concealed by encryption. Fletcher lived 
in northern Indiana. During the course of an investigation for 
production and possession of child pornography, computer hard 
drives with encrypted partitions and an encrypted thumb drive 
were seized. The encryption was robust such that it was not 
possible to forensically examine the encrypted data, despite 
numerous attempts by several law enforcement agencies.
    A Federal judge compelled Fletcher to disclose the 
encryption key. He then provided law enforcement with a 
passcode that opened the encrypted partitions but not the 
encrypted thumb drive. In the newly opened data, law 
enforcement found thousands of images and videos depicting 
minors being caused to engage in sexually explicit conduct. To 
this day, investigators believe the thumb drive contains 
homemade child pornography produced by Fletcher but have no way 
of confirming or disproving that belief.
    Fletcher had continuing and ongoing access to children, 
including a child he previously photographed in lascivious 
poses. Fletcher has previous convictions for conspiracy to 
commit murder and child sex offenses that are detailed in my 
written testimony.
    There is good reason to believe that, because of hard 
encryption on the USB storage device, additional crimes 
committed by Fletcher cannot be investigated and prosecuted. 
That means additional child victims cannot be provided victim 
services or access to the justice that they so richly deserve.
    I hope that Congress takes the time to truly understand 
what is at stake with the ``going dark'' phenomenon and what 
problems have been created. There is a cost associated with an 
encryption scheme that allows lawful access with some 
theoretically higher chance of lost data, but there is a much 
greater and very real human cost that we already see across the 
country because of investigations that fail due to default hard 
encryption.
    In my daily work, I feel the impact of law enforcement 
going dark. For me, it is a strong feeling of frustration 
because it makes the detectives and forensic examiners for whom 
I am responsible less effective. But for crime victims and 
their families, it is altogether different. It is infuriating, 
unfair, and incomprehensible why such critical information for 
solving crimes should be allowed to be completely out of reach.
    I have heard some say that law enforcement can solve crimes 
using metadata alone. That is simply not true. That is like 
asking a detective to process a crime scene by only looking at 
the street address on the outside of the house where a crime 
was committed.
    I strongly encourage committee members to contact your 
State investigative agency or local police department and ask 
about this challenge.
    I greatly appreciate your invitation to share my 
perspective, and I'm happy to answer questions today or at any 
point in the future. Thank you, Mr. Chairman, members of the 
committee.
    [The prepared statement of Charles Cohen follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Murphy. I thank the panel.
    I would now recognize myself 5 minutes for questions.
    Ms. Hess, I think sometimes the FBI's concerns about 
encryption are broadly characterized as being against 
encryption. Considering the FBI's work on investigations like 
the Sony data breach or the recent ransomware attacks on 
hospitals, I have a tough time believing that your organization 
is against the technology that is so instrumental in protecting 
digital information. So to clarify, does the FBI agree that 
strong encryption is important to the security and privacy of 
our citizens, our economic strength, and our national security?
    Ms. Hess. Yes, sir.
    Mr. Murphy. And it also benefits law enforcement? Yes?
    Ms. Hess. Yes.
    Mr. Murphy. Can you elaborate on that?
    Ms. Hess. Yes, sir. Yes. And you are correct. Is that--as I 
stated in my opening statement, we do support strong encryption 
because it does all of the things you just said. We also 
recognize that we have a continuing struggle, an increasing 
struggle to access readable information, to access content of 
communications caused by that encryption that is now in place 
by default.
    Mr. Murphy. And so it brings this question up then. Are you 
witnessing an increase in individuals intentionally or even 
unintentionally evading the law through availability of default 
encryption?
    Ms. Hess. I think it's difficult to discern whether or not 
they're intentionally doing it. However, we are significantly 
seeing increases in the use and deployment of decryption 
because it is a default setting now on most devices.
    Mr. Murphy. So related to that then, Chief Galati, would 
you say that the default application of encryption can create 
significant hurdles for law enforcement? Is that the issue, as 
Ms. Hess was just saying, it is the default one?
    Chief Galati. Yes, sir. The encryption, a lot of the apps 
that are being used today, even with legal process or, you 
know, coverage on the phone, you cannot intercept those 
conversations. Often, we hear criminals and also in the 
terrorism cases that we do, people encouraging participants to 
go to apps like Telegram, WhatsApp, Wickr, and so on.
    Mr. Murphy. Captain Cohen, your testimony was very moving 
about those cases you described involved with murder and with 
victimizing children. You know, this debate has oftentimes been 
about picking sides, the most notable being Apple v. FBI. So 
either you support law enforcement or you support the tech 
community. That feels like a lose-lose proposition.
    Look, I understand people want to be able to have encrypted 
technology, but based upon the responses, Captain, that you 
heard from Ms. Hess and from the chief, do you think this is an 
us-versus-them debate or are there answers that we can be going 
forward here? What do you think? Because you are on the 
frontlines dealing with these terrible cases. Is this an us-
them? Is there an answer?
    Mr. Cohen. Mr. Chairman, I definitely do not think it's an 
us-them. What we do see, though, is a challenge with default 
encryption that functionally cannot be turned off. I don't have 
the option to even disable that encryption.
    The difference with Mr. Fletcher, the example I gave you, 
was that after two prior convictions, he then learned that he 
needed to do something to protect himself better from criminal 
investigation and then went out in search of, we assume, 
encryption and ways to do that.
    The difference is now we are seeing increasingly, to talk 
to your question of Ms. Hess as well, what we're seeing now is 
discussion among a wide variety of criminals--and I see it 
daily--discussion among those that sexually solicit children 
online, sexually extort children, trade in child pornography, 
discussing the best possible systems to buy, the best 
combination of cell phone and operating system to buy to 
prevent encryption.
    Please make no mistake that criminals are listening to this 
testimony and learning from it. They're learning which 
messaging app to use to protect themselves against encryption. 
They are also learning which messaging app is located outside 
the United States and has no bricks-and-mortar location here in 
the United States, which ones are located in countries with 
which we have a mutual legal assistance treaty and which ones 
we don't. Criminals are using this as an education to make 
themselves more effective at their criminal tradecraft.
    Mr. Murphy. So given that, Ms. Hess, what answer will we 
have here for those cases where, whether it is a terrorist 
planning a plot or they have already killed some people and we 
are trying to find out what the next move is or it is a child 
predator? Will there be an answer for this?
    Ms. Hess. Yes, sir. And to clarify my earlier statement, 
too, we do see individuals--criminals, terrorists--encouraging 
others to move to encrypted platforms, and we've seen that for 
some time. And the solution to that for us is no investigator, 
no agent will take that as an answer to say that they should 
stop investigating. They will try to find whatever workaround 
they possibly can, but those solutions may be time-intensive. 
They may not eventually be effective. They may require an 
additional amount of resources or an additional amount of skill 
in order to get to those solutions.
    But primarily we are usually in a race against the clock, 
and that's the key component of how we're finding additional 
solutions around this problem.
    Mr. Murphy. I know this is a frightening aspect for 
Americans. Look, we understand privacy, but if there is some 
child predator hiding in the bushes by the playground watching 
to snatch a victim, you can find them. But now, if this has 
given them this cloak of invisibility, it is pretty 
frightening. We better find an answer.
    My time is up. I now recognize Ms. DeGette for 5 minutes.
    Ms. DeGette. Thanks, Mr. Chairman.
    Well, just to follow up on the chairman's questioning, the 
problem really isn't default encryption because if you 
eliminated default encryption, criminals could still get 
encryption, and they do, isn't that correct, Ms. Hess?
    Ms. Hess. Yes, that's correct.
    Ms. DeGette. Right. And so the problem is that criminals 
can have easy access to encryption. And I think we can 
stipulate that encryption is really great for people like me 
who have bank accounts who don't want them to be hacked, but it 
is just really a horrible challenge for all of us as a society, 
not just law enforcement, when you have a child sex predator 
who is trying to encrypt, or just as bad really, a terrorist.
    So what I want to know is, what are we going to do about 
it? And the industry says that if Congress forces them to 
develop tools so that law enforcement, with probable cause and 
a warrant, can get access to that data, that then will just 
open the door. Do you believe that is true, Ms. Hess?
    Ms. Hess. I believe that there certainly will be always no 
such thing as 100 percent security. However, industry leaders 
today have built systems that enable us to be able to get or 
receive readable content.
    Ms. DeGette. And, Chief Galati, what is your view on that?
    Chief Galati. I believe that in order to provide--and I 
don't want to call it a back door but rather a front door--I 
think if the companies can provide law enforcement, I don't 
believe that it would be abused. We have to----
    Ms. DeGette. Why not? Why not?
    Chief Galati. We have the CALEA law from 1994, and that was 
not abused, so I don't see how by making law enforcement----
    Ms. DeGette. What they are saying is the technology--once 
they develop that technology, then anybody could get access to 
it and they could break the encryption.
    Chief Galati. I believe that if we look at Apple, they have 
the technology going back to about 18, 19 months ago where they 
were doing it for law enforcement, and I don't--I am not aware 
of any cases of abuse that came out when Apple actually did 
have the key. So I could see if they still have the key today, 
then they hold it----
    Ms. DeGette. I will ask them that because they are coming 
up.
    Captain Cohen?
    Mr. Cohen. I think it might be helpful to look for real-
world analogies. If you think of an iPhone or an Android OS 
phone as a safety deposit box, the key the bank holds, that's 
the private key encryption. The key the customer holds, that's 
the public key encryption. But what the bank does is it builds 
firewalls around that. There's a difference between encryption 
and firewalls. The----
    Ms. DeGette. And you think that technology exists?
    Mr. Cohen. The technology does exist.
    Ms. DeGette. OK.
    Mr. Cohen. So when we're----
    Ms. DeGette. I am sorry. I don't have a lot of time but I 
am going to----
    Mr. Cohen. No, go ahead. I'm sorry.
    Ms. DeGette [continuing]. Ask them the same question. Now, 
there is something else that can be done, forcing the industry 
to comply, or like in the San Bernardino case, the FBI hired a 
third party to help them break the code in that phone. And that 
was what we call gray hats, people who are sort of in this 
murky market. What do you think about that suggestion, Ms. 
Hess?
    Ms. Hess. Yes, ma'am. That certainly is one potential 
solution, but that takes me back to my prior answer, which is 
that the solutions are very case-by-case specific. They may not 
work in all instances. They're very dependent upon the 
fragility of the systems or vulnerabilities we might find, and 
also, they're very time-intensive and resource-intensive, which 
may not be scaleable to enable us to be successful in our 
investigations.
    Ms. DeGette. Do you think there is any ethical issue with 
using these third-party hackers to do this?
    Ms. Hess. I think that certainly there are vulnerabilities 
that we should review to make sure that we identify the risks 
and benefits of being able to exploit those vulnerabilities in 
a greater setting.
    Ms. DeGette. Well, I understand you are doing it because 
you have to in certain cases. Do you think it is a good policy 
to follow?
    Ms. Hess. I do not think that that should be the solution.
    Ms. DeGette. And one more question is if third-party 
individuals can develop these techniques to get into these 
encrypted devices or programs, why can't we bring more 
capabilities in-house to the government to be able to do that?
    Ms. Hess. Certainly, these types of solutions--and as I 
said, this should not be the only solution--but these types of 
solutions that we do employ and can employ, they require a 
lot of highly skilled, specialized resources that we may not 
have immediately available to us. And that----
    Ms. DeGette. Can we develop those with the right resources?
    Ms. Hess. No, ma'am, I don't see that----
    Ms. DeGette. OK.
    Ms. Hess [continuing]. Possible. I think that we really 
need the cooperation of industry, we need the cooperation of 
academia, we need the cooperation of the private sector in 
order to come up with solutions.
    Ms. DeGette. Thank you.
    Mr. Murphy. The gentlelady's time is expired.
    I now recognize the gentlelady from Indiana, Mrs. Brooks, 
for 5 minutes.
    Mrs. Brooks. Thank you, Mr. Chairman.
    In 2001, after I was appointed U.S. attorney for the 
Southern District of Indiana, I began work with the Indiana 
Crimes Against Children Task Force, which was led primarily by 
Assistant U.S. Attorney Steve DeBrota, working hand-in-hand 
with you, Captain Cohen, and I want to thank you so much for 
being here. Because prior to that time I would say that I was 
certainly not aware about what really went into and what 
horrific crimes really were being perpetrated against children 
back at that time in 2001, 2002.
    And when we talk about child exploitation against children, 
we need to realize this involves babies up to teenagers. This 
is not all about just willing teenagers being involved in these 
types of acts. These are people preying on children of all 
ages.
    And I want to walk you through, Captain Cohen, what some of 
the impediments are, more about how this works, how you are 
being thwarted in your investigations, and I also want to wrap 
up and make sure you have time for you to explain your thoughts 
about the firewalls.
    First of all, if you could just please walk through with 
us, offenders--and I am talking about older children now--older 
kids who have access to social media. Offenders, perpetrators 
are making connections through social media platforms, correct?
    Mr. Cohen. Yes, ma'am.
    Mrs. Brooks. And are those typically unencrypted or 
encrypted?
    Mr. Cohen. Two years ago, I would have said typically 
unencrypted; now, typically encrypted.
    Mrs. Brooks. OK. And I left my services as U.S. attorney in 
'07, so things, I think, have changed pretty dramatically.
    Then, in the second step, the conversation moves to 
encrypted discussions. Would that be correct? They encourage 
particularly young people to go to apps like WhatsApp, Kik, and 
others.
    Mr. Cohen. Correct. They'll generally go trolling for a 
potential victim in an unencrypted app. Once they have a victim 
they think that they can perpetrate against, then they'll move 
to an encrypted communication now.
    Mrs. Brooks. And then would it be fair to say that, through 
the relationship that has been developed, they typically 
encourage them to send an image?
    Mr. Cohen. Correct. They're going to want that victim to do 
one compromising act that they can then exploit.
    Mrs. Brooks. And that image is sent typically from one 
smartphone to another or from one smartphone to a computer?
    Mr. Cohen. Generally from one smartphone to another in the 
United States involving an Android phone or an iPhone.
    Mrs. Brooks. But this doesn't just happen in our country, 
correct?
    Mr. Cohen. Correct. It's possible like never before for 
someone even in another country to victimize a child here in 
the U.S.
    Mrs. Brooks. And in fact, so we have out-of-country 
perpetrators, as well as in-country perpetrators focusing on 
even out-of-country victims as well, is that right?
    Mr. Cohen. Correct, ma'am, yes.
    Mrs. Brooks. Then, are those typically encrypted? The 
transmission of those photos is typically encrypted?
    Mr. Cohen. Yes, that's one of our challenges. The 
transmission is encrypted, as well as when the data sits at 
rest on the phones. It's encrypted there as well.
    Mrs. Brooks. And you presenting that image to a jury if an 
individual is caught and is prosecuted, it is imperative, is it 
not, for you to present the actual image to a jury?
    Mr. Cohen. Yes, ma'am. The metadata alone, who was talking 
with whom, doesn't matter. It's the content of the 
communication. It's the images that were sent and received.
    Mrs. Brooks. So if you can't get these encrypted images and 
the encrypted discussions, what do you have in court?
    Mr. Cohen. We have nothing in court. We can't complete the 
investigation.
    Mrs. Brooks. How do you find the victims?
    Mr. Cohen. Oftentimes, we don't have a way of identifying 
the victims. They go unserved.
    Mrs. Brooks. And can you please talk to us a bit more about 
what it is that you actually do to find the victims?
    Mr. Cohen. We do everything we can. We try to look for 
legal solutions, meaning trying to get records from service 
providers, from the technology companies, trying to identify 
them through that. The challenge we encounter there many times, 
as Ms. Hess mentioned, is because of retention periods. The 
records no longer exist. The metadata no longer exists. And 
then we try to get the content and communication to show who 
was talking with whom, and oftentimes, we're unable to do that 
because of encryption.
    Mrs. Brooks. And isn't it pretty common that when you find 
one of these phones or a computer or a perpetrator, there are 
usually thousands of images----
    Mr. Cohen. Thousands----
    Mrs. Brooks [continuing]. Involving multiple victims?
    Mr. Cohen. Thousands or hundreds of thousands, and 
increasingly, we're finding those also in encrypted cloud 
storage sites like Dropbox and Google Drive and OneDrive.
    Mrs. Brooks. And could you please just expand a little bit 
on what you previously started to answer, a potential solution 
with respect to firewalls?
    Mr. Cohen. A potential solution is to provide a better 
firewall. Think of that as the vault door where the safety 
deposit box is. Think of that as the doors to the bank. So 
while you think of the actual locks on the bank deposit boxes 
as the encryption, you build firewalls around that. Those 
firewalls can, with legal process, be opened up, can--you can 
go inside it.
    But just like a safety deposit box, if we go to the bank 
with a search warrant, the bank uses their key, we get a drill 
and we drill the customer's lock and we see what's inside the 
safety deposit box. I've done that dozens of times in the 
course of my career. The difference is, with encryption, my 
drill doesn't break the lock.
    Mrs. Brooks. Thank you. I yield back.
    Mr. Murphy. The gentlelady yields back.
    I now recognize Ms. Clarke for 5 minutes.
    Ms. Clarke. I thank you, Mr. Chairman, and I thank our 
ranking member.
    In October of 2014, FBI Director Comey gave these remarks 
on encryption before the Brookings Institute: ``We in the FBI 
will continue to throw every lawful tool we have at this 
problem, but it is costly, it is inefficient, and it takes 
time. We need to fix this problem. It is long past time. We 
need assistance and cooperation from companies to comply with 
lawful court orders so that criminals around the world cannot 
seek safe haven for lawless conduct. We need to find common 
ground, and we care about the same things.''
    So, Ms. Hess, I would like to ask this question of you. 
Other than tech companies creating back doors for law 
enforcement, what do you believe are some possible solutions to 
address the impasse between law enforcement's need to lawfully 
gain access to critical information and the cybersecurity 
benefits of strong encryption?
    Ms. Hess. Yes, ma'am. And as previously stated, I really 
believe that certain industry leaders have created secure 
systems, but they are still yet able to comply with lawful 
orders. They're still able to access the contents to either--of 
those communications to either provide some protection for 
their customers against malicious software or some other types 
of articles. In addition to that, they're able to do it perhaps 
for business purposes or for banking regulations, for example.
    In addition to those solutions, we certainly don't stop 
there. We look at any possible tools we might have in our 
toolbox, and that might include the things we previously 
discussed here today, whether that be individual solutions, 
metadata, whether it could be an increase in physical 
surveillance, but each of those things comes at a cost, and all 
of those things are not as responsive as being able to get the 
information directly from the provider.
    Ms. Clarke. So do you believe that there is some common 
ground?
    Ms. Hess. I do.
    Ms. Clarke. To the other panelists, are there solutions 
that you can see that might solve this impasse?
    Mr. Cohen. The solution that we had in place previously in 
which Apple, as an example, did hold a key, and as Chief Galati 
mentioned, that was never compromised so they could comply with 
the proper service of legal process. Essentially, what happened 
in this instance is Apple solved a problem that does not exist.
    Chief Galati. I would say by Apple or other industries 
holding the key, it reduces at least the law enforcement having 
to go outside of those companies to find people that can get a 
solution. So, as mentioned earlier about the gray-hat hackers, 
they're going to be out there, but if the companies are doing 
it, it reduces the risk, I believe.
    Ms. Clarke. Very well. In the San Bernardino case, press 
accounts indicate that the FBI has used the services of private 
sector third parties to work around the encryption of the 
iPhone in question. This case raises important questions about 
whether we want law enforcement using nongovernmental third-
party entities to circumvent security features developed by 
private companies. So I have questions about whether this is a 
good model or whether a better model exists.
    Ms. Hess, assuming press accounts are true and you procured 
the help of a third party to gain access to that iPhone, why 
were you apparently not able to solve this problem on your own?
    Ms. Hess. For one thing, as previously discussed, 
technology is changing very rapidly. We live in such an 
advanced age of technology development, and to keep up with 
that, we do require the services of specialized skills that we 
can only get through private industry. And that partnership is 
critical to our success.
    Ms. Clarke. So this is to the entire panel. Do you believe 
that the U.S. Government needs enhanced technological 
capabilities?
    Chief Galati. I think it does. Private industry provides a 
lot of opportunity, so I think the best people that are out 
there are working for private companies and not working for the 
government.
    Mr. Cohen. I agree with the chief. Essentially, we need the 
help of private industry, both the industry that makes that 
technology and others. We need industry to act as good 
corporate citizens and help us because we can't do it alone. 
There are over 18,000 police agencies in the United States, and 
while the FBI may have some technical ability internally, those 
other agencies do not. And as the chief mentioned, over 90 
percent of all the investigations are handled at the State and 
local level. We need industry's help.
    Ms. Clarke. Very well. I will yield back, Mr. Chairman.
    Mr. Murphy. The gentlelady yields back.
    I now recognize Mr. Griffith for 5 minutes.
    Mr. Griffith. Well, thank you all for being here for this 
important discussion that we are having today.
    I will tell you, we have to figure out what the balance is 
both from a security standpoint but also to make sure that we 
are fulfilling our obligations under our Constitution, which 
was written with real-life circumstances in mind where they 
said we don't want the government being able to come in and get 
everything.
    They were aware of the situation of general warrants both 
in London used against John Wilkes and the Wilkesite Rebellion. 
And the Founding Fathers were also aware of James Otis and his 
fight in Massachusetts, which John Adams said sowed the seeds 
of the revolution when the British Government wanted to go from 
warehouse to warehouse looking for smuggled goods. So it is not 
an easy situation.
    I do have this question, though. Apparently, some 
researchers recently published the results of a survey of over 
600 encrypted products that are available online, and basically 
they found that about 2/3 of them are foreign products.
    So the question would be, given that so many of the 
encrypted products could in fact be from companies not located 
or headquartered within the United States of America, if we 
force the companies that we do have jurisdiction over to weaken 
the security of their products, are we doing little more than 
hurting American industry and then sending the really bad 
actors like Mr. Fletcher, who is the child pornographer, just 
to a different format that we don't have control over? That is 
one question that I would ask all three of you.
    Mr. Cohen. Right now, Google and Apple act as the 
gatekeepers for most of those encrypted apps, meaning the app 
is not available on the App Store for an iOS device. If the app 
was not available in Google Play for an Android OS device, a 
customer in the United States cannot install it. So while some 
of the encrypted apps like Telegram are based outside the 
United States, U.S. companies act as gatekeepers as to whether 
those apps are accessible here in the United States to be used.
    Mr. Griffith. Chief?
    Chief Galati. I would agree exactly with what the captain said. 
And certain apps are not available on all devices, so if the 
companies that are outside the United States can't comply with 
the same rules and regulations of the ones that are in the 
United States, then they shouldn't be available on the app 
stores. For example, you can't get every app on a BlackBerry 
that you can on an Android or a Google.
    Ms. Hess. Yes, sir, what you stated is correct. And I think 
that certainly we need to examine how other countries are 
viewing the same problem because they have the same challenges 
as we speak and are having similar deliberations as to how 
their law enforcement might gain access to these communications 
as well.
    So as we move toward that, the question for us is what 
makes consumers want to buy American products? Is it because 
they are more secure? Is it because they actually cover the 
types of services that the consumers desire? Is it just because 
of personal preference? But at the same time, we need to make 
sure that we balance that security as well as the privacy that 
the consumers have come to expect.
    Mr. Griffith. And I appreciate that.
    Captain Cohen, I am curious. You talked about the Fletcher 
case and indicated that the judge ordered that he give the 
password to the computer, but then you didn't get access to the 
thumb drive. Was the judge asked to force him to do that as 
well or----
    Mr. Cohen. In that instance, the judge compelled him to 
provide it. He said it was not encrypted; the thumb drive is 
not encrypted. His defense expert disagreed with him and said 
it was encrypted. He then provided a password and failed a 
stipulated polygraph as to whether he knew the password and 
failed to disclose it. So every indication is he intentionally 
chose to not give the second password for that device.
    Mr. Griffith. And was he held in contempt for that?
    Mr. Cohen. Not that I--I do not believe he was.
    Mr. Griffith. Look, obviously, if you can get the images, 
you have a better chance of finding the victim, but it is true 
that even before encryption, there was a great difficulty in 
finding victims even if you found a store of photographs in a 
filing cabinet? It is sometimes hard to track down the victims, 
isn't that correct?
    Mr. Cohen. It is always very difficult to find child 
victims.
    Mr. Griffith. It is. It is just a shame.
    I like the concept, the visual of you are able to drill 
into the safety deposit box but you can't get into the 
encrypted computer or telephone. Is there a product out there 
that would be that limited? Because one of the problems that I 
know Apple has had is that they don't want to have a back door 
to every single phone that other folks can get a hold of and 
that the government could use at will, particularly governments 
maybe not as conscious of civil liberties as the United States. 
Do you know of any such a product that would give you that kind 
of specificity?
    Mr. Cohen. Again, the specificity would be similar to what 
we had prior to Apple changing where the encryption key is 
kept, meaning that the legal process served on Apple, as an 
example, and Apple is the one to use the drill, not law 
enforcement. That helps provide another layer of protection 
against abuses by governments other than ours, meaning while 
they have that capability because they're inside the firewall, 
those outside the firewall, outside the vault, would have no 
ability to get access.
    Mr. Griffith. Right. I appreciate it, and I yield back, Mr. 
Chairman.
    Mr. Murphy. The gentleman yields back.
    I now recognize Mr. Welch for 5 minutes.
    Mr. Welch. Thank you very much.
    First of all, I want to thank each of you for the work you 
and your departments do. It is astonishing times when the kind 
of crimes that all America is exposed to are happening and the 
expectation on the part of the public is somehow, someway you 
are going to make it right and you are going to make us safe. 
So I think all of us really appreciate your work.
    This issue, as you have acknowledged, is very, very 
difficult. I think if any of us were in your position, what we 
would want is access to any information that the Fourth 
Amendment allowed us to get in order for us to do our job.
    But there are three issues that are really difficult. One 
is the law enforcement issue that you have very clearly 
enunciated. You have got probable cause, you go through the 
process of getting a warrant, you are entitled to information 
that is in the cabin or on the phone or in the house. Yet 
because of technology, we have these impediments to getting 
what you are legally authorized to get. I think all of us want 
you to be able to get the information that you rightfully can 
obtain.
    But the second issue that makes it unique almost is that in 
order for you to get the information, you have to get the 
active participation of an innocent third party who had nothing 
to do with the events, but who potentially can get the 
information for you. That is the whole Apple case.
    But it is a very complicated situation because it is not as 
though if you came with a warrant to my house for me to turn 
over information that I had, it is one thing if I just go in my 
drawer and give it to you. It is another thing if it is buried 
in the backyard and the order is that I have got to buy a 
backhoe or rent a backhoe and go out there and start digging 
around until I find it. Normally, that would be the burden on 
the law enforcement agency. So that is the second issue. How 
much can the government require a third party, a company or an 
individual, to actually use their own resources to assist in 
getting access to the information?
    And then the third issue that is really tough that Mr. 
Griffith was just acknowledging, we get a back door key, we 
trust you, but we have other governments that our companies are 
doing business with, and they get pressured to provide the same 
back door key, the key is lost, and then things happen with 
respect to privacy and security that you don't want to happen 
and that we don't want to happen. So this is a genuinely tough 
situation where, frankly, I am not sure there is an ``easy'' 
balance on this.
    So just a couple of questions. Ms. Hess, what would you see 
as the answer here? I know you want the information, but if the 
getting of the information requires me to hire a few people to 
work in the yard with the backhoe or Apple to really deploy 
high-cost engineers to come up with an entry key, are you 
saying that that is what should be required now?
    Ms. Hess. Yes, sir. I think that the best solution is for 
us to work cooperatively with technology, with industry, and 
with academia to try to come up with the best possible 
solution. But with that, I would say that no investigative 
agency should forgo that for all other solutions. They should 
continue to drive forward with all solutions available to them.
    Mr. Welch. All right. And, Chief, I will ask you. You are 
on the frontline there in New York all of the time, and is it 
your view that the right policy now would be for you, when you 
have probable cause to protect us--and we are all on the same 
page there--to force a technology company, at significant 
effort and expense, to assist in getting access to the 
information?
    Chief Galati. So I would say up until a couple of years ago 
most of the technology companies--and they still do--have a law 
enforcement liaison that we work very closely with. For 
example, if it's Facebook or Google, even Apple where we have 
the ability to go to them with legal process, and they're 
providing us with the----
    Mr. Welch. Right.
    Chief Galati [continuing]. Search warrant results----
    Mr. Welch. Yes. My understanding from talking to those 
folks is that if it is information like that is stored in the 
cloud, this is a situation with San Bernardino, there was a lot 
of stuff that was relatively easy to retrieve, and they do 
provide that. They do cooperate as long as you have the 
warrant. They do everything they can to accommodate those 
lawful requests from law enforcement. Has that been your 
experience?
    Chief Galati. Yes. The cloud does have some issues because 
things can be deleted from the cloud and then never recovered. 
If the phone is not uploaded to the cloud, then----
    Mr. Welch. Right.
    Chief Galati [continuing]. Things are lost. There's a very 
interesting----
    Mr. Welch. Would you just acknowledge this? There is a 
significant distinction between a company turning over 
information that is easily retrievable in the cloud comparable 
to me going in my house and opening the drawer and giving you 
the information you requested versus a company that has to have 
engineers try to somehow crack the code so that they are very 
energetically involved in the process of decryption. That is a 
difference, you would agree?
    Chief Galati. Yes, it is a difference, and I believe when 
they create the operating system, that's where they have to 
make that key available so that they don't have to spend the 
resources to crack a code rather have a new operating system 
that----
    Mr. Welch. Thanks. Just one last thing. By the way, thank 
you for----
    Mr. Murphy. Out of time.
    Mr. Welch. Oh, I am over. All right. I just want to say I 
thought what Representative Clarke said about resources for you 
to let you do some of this work on your own really makes an 
awful lot of sense, but some of these conflicts are going to 
be--frankly----
    Mr. Murphy. Thank you.
    Mr. Welch [continuing]. As much as we want to say they are 
resolvable, they are tough to resolve. I am sorry. Thank you, 
Mr. Chairman.
    Mr. Murphy. All right. I now recognize Mr. Mullin for 5 
minutes.
    Mr. Mullin. Well, as you can see that I think both sides up 
here in this committee, you can see we want to get to the real 
problem. We want to be helpful, not a hindrance. Obviously, all 
of us want to be safe, but we also want to make sure that we 
operate within the Constitution. And the technology is changing 
at such a pace that I know law enforcement has to do their job 
in staying with it because the criminals are always doing their 
job, too, like it or not. And if it changes, crimes change, we 
have to change the way we operate.
    The concern is privacy obviously, and getting into that, 
Ms. Harris, some have argued that the expansion of connected 
devices through the Internet of Things with new surveillance 
tools and capabilities. Recently, the Berkman Center at Harvard 
University argues that the Internet of Things could potentially 
offset the government's inability to access encrypted 
technology for providing new paths for surveillance and 
monitoring. My question is, what is your reaction to the idea 
that the Internet of Things presents a potential alternative to 
accessing encrypted devices?
    Ms. Hess. Certainly, sir, I do think that the Internet of 
Things and associated metadata presents us with opportunities 
to collect information and evidence that will be helpful to us 
in investigations. However, those merely provide us with leads 
or clues, whereas the real content of the communications is 
what we really seek in order to prove beyond a reasonable doubt 
in court in order to get a conviction.
    Mr. Mullin. Could you expand a little bit on the content to 
what is in the device----
    Ms. Hess. The actual content of communication.
    Mr. Mullin [continuing]. Or the conversation that happens 
between the devices?
    Ms. Hess. What the people are saying to each other as 
opposed to just who's communicating or at what location they 
were communicating. It's critically important to law 
enforcement to know what they said in order to prove intent.
    Mr. Mullin. Is there something that we on this panel need 
to be--or, I say this panel, this committee should be looking 
at to help you to be able to gain access to that? Or since it 
is connected, do we need to take any extra steps for you to be 
able to access that information?
    Ms. Hess. Yes. And exactly to the point of the discussion 
here today is that we need to work with industry and with 
academia in order to come up with solutions so that we can 
access that content or so they can access it and provide it to 
us.
    Mr. Mullin. So the FBI is exploring the options, I am 
assuming?
    Ms. Hess. We are, yes, sir.
    Mr. Mullin. OK. Are there challenges or concerns using the 
growth of connected devices that you can see going down the 
road? Obviously, with the technology changing rapidly today, 
what are some of the challenges that you are facing?
    Ms. Hess. Certainly, as more and more things in today's 
world become connected, there's also an increasing demand for 
encrypting those particular services, those particular devices 
and capabilities, and that's well-warranted and well-merited.
    But again, it presents a challenge for us. As metadata is 
increasingly encrypted, that presents a challenge for us as 
well. We need to be able to access the information, but more 
importantly, the content. In other words, if a suspect's 
toaster is connected to their car so that they know it's going 
to come on at a certain time, that's helpful, but it doesn't 
help us to know the content of the communication when it comes 
to----
    Mr. Mullin. Sure.
    Ms. Hess [continuing]. Developing plots.
    Mr. Mullin. So is there a difference between, say, the FBI, 
the way you have to operate, Captain Cohen, and the way that 
you have to operate?
    Mr. Cohen. There's not much of a difference because, quite 
candidly, we work very well together. But you asked about 
additional challenges, in February Apple announced that it 
plans to tie the same encryption key to the iCloud account. So, 
as an example, the content that's currently in that cloud 
system, iCloud, Apple has announced publicly they plan to make 
that encrypted and inaccessible with the service of legal 
process. So that's one of the challenges that you asked about 
that we're looking at is we're going to lose that area of 
content as well.
    Mr. Mullin. So I just assume that everything I do online 
for some intended purpose is out there and people are going to 
be able to retrieve it. I don't assume any privacy really when 
it is on the Internet. Could that analogy hold up true or 
should we be expecting a sense of privacy when it is on the 
Internet? I mean, we put it out there.
    Mr. Cohen. Sir, I believe we should all expect a sense of 
privacy on the Internet, a sense of privacy when we talk in a 
restaurant, when we talk on the telephone, landline or 
cellular, that privacy cannot be completely absolute. We need 
to have, when we serve a legal process--a search warrant is an 
example--have the ability. The Constitution protects us from 
unreasonable searches and seizures, not all searches and 
seizures. So we have our private companies without checks and 
balances protecting everyone against all searches.
    Mr. Mullin. Chief, do you have an opinion on this?
    Chief Galati. Yes. I agree also. On the Internet you have a 
right to privacy, and most of these apps and programs give you 
privacy settings so nobody can get at it.
    I think when you get into the criminal world or the 
malicious criminal intent, that's when law enforcement has to 
have the ability to go in and see what you have on there.
    Mr. Mullin. Thank you. I yield back.
    Mr. Murphy. Thank you. Mr. Pallone is recognized for 5 
minutes.
    Mr. Pallone. Thank you, Mr. Chairman.
    I never cease to be amazed at how complex an issue this is 
and it requires balancing various competing values and societal 
goals, yet much of the public debate is focused on simplified 
versions of the situation. They are painted in black and white, 
and there seems to be some misunderstanding that we have to 
either have cybersecurity or no protection online at all.
    We have heard that the limitations encryption places on law 
enforcement access to information puts us in danger of going 
dark. By contrast, we have heard that law enforcement now has 
access to more information than ever, the so-called golden age 
of surveillance.
    At Harvard at the Berkman Center there was a report titled 
``Don't Panic: Making Progress on the 'Going Dark' Debate'' 
that concludes, ``The communications of the future will neither 
be eclipsed in the darkness or illuminated without shadow.'' 
And I think that is a useful framework to view the issue, not 
as a binary choice between total darkness or complete 
illumination, but rather a spectrum.
    I think it is fair to say there have been and always will 
be areas of darkness where criminals are able to conceal 
information, and no matter what, law enforcement has a tough 
job. But the question is how much darkness is too much?
    So I wanted to ask you all--this is for any of you--about 
some key questions on this spectrum. Where are we on the 
spectrum? Currently, where should we be on the spectrum? If we 
are not in the right place, how do we get there?
    Let me start with Ms. Hess and then whoever else wants to 
say something.
    Ms. Hess. Yes, sir. As far as the amount of information 
that we can receive today, I think, yes, it is true we do 
receive more information today than we received in the past, 
but I would draw an analogy to the fact that the haystack has 
gotten bigger but we're still looking for the same needle.
    And the challenge for us is to figure out what's important 
and relevant to the investigation. We're now presented with 
this volume of information. And the problem additionally with 
that is that what we are collecting, what we are able to see 
is, for example, who's communicating with who or potentially 
what IP addresses are communicating with each other, the 
location, the time, perhaps the duration, but not the content 
of what they were actually saying.
    Mr. Pallone. Chief, did you want to add to that?
    Chief Galati. I do agree that the Internet has provided a 
lot more information to police that we can go out and we can 
find public records, we can find records within police 
departments throughout the country. So to police, the Internet 
has made things a little bit easier. However, the encryption is 
taking all of those gains away, and I think the more and more 
we go towards encryption, the harder it's going to be to really 
investigate and conduct long-term cases.
    We do a lot of cases in New York about gangs, drug gangs. 
We call them crews. And it's very vital, all the information 
that we get from people on the Internet that sometimes are very 
public out there. Now they're switching over to encrypted, and 
it's making those long-term cases--or those, I guess, to call 
them similar to RICO cases--very, very difficult to put 
together because we're in the blind.
    Mr. Pallone. All right. Captain, did you want to----
    Mr. Cohen. I see it where we have a lack of information 
that I've not seen before in my 20 years of investigations, to 
be able to do criminal investigations not solely by encryption 
but also as it interrelates to retention of information and the 
lack of legislation related to data retention with internet 
service providers similar to what there is with the banking 
industry, as well as our inability to serve legal process on 
companies that are either located out of the United States or 
some that store data outside the United States. I see it as all 
interrelated issues, which together conspire to make it more 
difficult than ever before for me to gather the information I 
need to functionally conduct a criminal investigation.
    So on the spectrum that you asked about, I see it far to 
the extent of we're losing the ability to access information 
that we need to rescue victims and solve crimes.
    Mr. Pallone. Thank you. I think my second question to some 
extent you already answered, but if anybody wants to, the 
second question is where do you see the trend moving? Are we 
comfortable with where we are headed or are the technological 
trends such as increasing a stronger encryption leaving us with 
too much darkness? But you answered that, unless anybody wants 
to add to what they said.
    Yes, Ms. Hess?
    Ms. Hess. Yes, sir. I do see that increasingly, technology 
platforms continue to change and they continue to present 
challenges for us that I provided in my opening statement.
    In addition to that, we try to figure out how we might be 
able to use what is available to us, and we are constantly 
challenged by that as well. For example, some companies may not 
know what exactly or how to provide the information we are 
seeking. And it's not just a matter of needing that information 
to enable us to see the content or enable us to see what people 
are saying to each other, it's also a matter of being able to 
figure out who we should be focusing on more quickly so that if 
we could get that information, we're able to target our 
investigations more appropriately and be able to exonerate the 
innocence--the innocent as well as identifying the guilty.
    Mr. Pallone. Thank you. I am going to end with that, but I 
just wanted to ask obviously that you continue to engage with 
us to help us answer these questions, not just with what you 
are saying today but a constant dialogue is what we need.
    Thank you, Mr. Chairman.
    Mr. Murphy. Thank you. I now recognize Dr. Burgess for 5 
minutes.
    Mr. Burgess. Thank you. And thank you all for being here.
    I just acknowledge there is another hearing going on 
upstairs, so if some of us seem to be toggling back and forth, 
that is exactly what is happening.
    So, Ms. Hess, let me just ask you a couple of questions if 
I could. There is another subcommittee at the Energy and 
Commerce Committee called the Commerce, Manufacturing, and 
Trade Subcommittee. And we are working very closely with the 
Federal Trade Commission, which is under our jurisdiction, that 
subcommittee, on the issue of data breach notification and data 
security. A component of that effort has been the push for 
companies to strengthen data security. One of those ways 
perhaps could be through encryption, and the FTC will look at a 
company's security protocols for handling data when it reviews 
whether or not the company is fulfilling its obligations, 
protecting its customers.
    So has the FBI had any discussions with the Federal Trade 
Commission over whether the back doors or access points might 
compromise the secured data?
    Ms. Hess. Yes, sir. We've engaged in a number of 
conversations among the interagency, with other agencies, with 
industry, with academia. I can get back to you as far as 
whether we specifically met with the Federal Trade Commission.
    Mr. Burgess. That would be helpful as, again, we are 
actually trying to work through the concepts of more in the 
retail space bit of data security. Data security is data 
security, regardless of who is harmed in the process, and data 
security is national security writ large. So that would be 
enormously helpful.
    Let me just ask you a question that is probably a little 
bit off-topic, but I can't help myself. One of the dark sides 
for encryption is if someone comes in and encrypts your stuff 
and you didn't want it encrypted, and then they won't give it 
back to you unless you fork over several thousand dollars in 
bitcoins to them in some dark market. So what is it that the 
committee needs to understand about that ransomware concept 
that is going on currently?
    Ms. Hess. Yes, sir, ransomware is an increasing problem 
that we're seeing and investigating on a regular basis now. And 
I think that certainly to exercise good cybersecurity hygiene 
is important, to be able to back up systems, to have the 
capability to access that information is important, to be able 
to talk to each other about what solutions might be available, 
to be able to fall back to some other type of backup solutions 
so that you aren't beholden to any particular ransom demands.
    Mr. Burgess. And of course that is critically important.
    I am a physician by background. Some of the ransomware has, 
of course, occurred in hospitals and medical facilities. And I 
will just offer an editorial comment for what it is worth. I 
just cannot imagine going into an ICU some morning and asking 
to see the data on my patient and being told it has been 
encrypted by an outside source, we can't have it, Doctor. When 
you catch those people, I think the appropriate punishment is 
shot at sunrise, and I wouldn't put a lot of appeals between 
the action and the reaction.
    Thank you, Mr. Chairman. I will yield back.
    Mr. Murphy. I now recognize Mr. Yarmuth for 5 minutes.
    Mr. Yarmuth. Thank you, Mr. Chairman.
    Thanks to the witnesses for your testimony.
    I find it hard to come up with any question that is going 
to elicit any new answers from you, and I think your testimony 
and the discussion that we have had today is an indication of 
how difficult the situation is. It sounds to me like there is a 
great business opportunity here somewhere, but probably you 
don't have the budget to pay a business what they would need to 
be paid to get the information that you are after, so that may 
not be such a good business opportunity after all.
    I do want to ask one question of you, Ms. Hess. In your 
budget request for fiscal year '17, you request more than $38 
million to deal with the going-dark issue, and your request 
also says that it is non-personnel. So it seems to me that 
personnel has to be a huge part of this effort, so could you 
elaborate on what your budget request involves and what you 
plan to do with that?
    Ms. Hess. Yes, sir, at a higher level, essentially, we're 
looking for any possible solutions, any possible tools we might 
be able to throw at the problem, all the different challenges 
that we encounter, and whether that's giving us the ability to 
be better password-guessers or whether that's the ability to 
try to develop solutions where we might be able to perhaps 
exploit some type of vulnerability, or maybe that's perhaps a 
tool where we might be able to make better use of metadata. All 
of those things go into that request so that we can try to come 
up with solutions to get around the problem we're currently 
discussing.
    Mr. Yarmuth. OK. Well, I don't know enough to ask anything 
else, so unless anyone else is interested in my time, I would 
yield back. Thank you, Mr. Chairman.
    Mr. Murphy. Thank you. The gentleman yields back.
    I now recognize Mr. McKinley for 5 minutes.
    Mr. McKinley. Thank you, Mr. Chairman.
    I have been here in Congress for 5 1/2 years now, and we 
have been talking about this for all 5 1/2 years. And I don't 
see much progress being made with it. And I hear the 
frustration in some of your voices, but I was hoping we were 
going to hear today more specifics. If you could pass the magic 
wand, what would it be? What is the solution? I think you 
started to hint toward it, but we didn't get close enough.
    So one of the things I would like to try to understand is 
how we differentiate between privacy and national security. I 
don't feel that we have really come to grips with that. I don't 
know how many people are on both sides of that aisle. I really 
don't care. I am very concerned about national security as it 
relates to encryption.
    Just this past weekend there was a very provocative TV 
show. Sixty Minutes came out about the hacking into cell 
phones. About a year ago we all were briefed. It wasn't 
classified. It was where Russia hacked in and shut down the 
electric grid in Ukraine, the impact that could have, that a 
foreign government could have access to it. And just this past 
week at town hall meetings back in the district, twice people 
raised the issue about hacking into and shutting down the 
electric grid.
    And it reminded me of some testimony that had been given to 
us about a year ago on the very subject when one of the 
presenters like yourself said that, within 4 days, a group of 
engineers in America or kids could shut down the grid from 
Boston down through--I am trying to think; where was it--from 
Boston to New York you could shut down in just 4 days. I am 
very concerned about that, that where we are going with this, 
this whole issue of encryption and protection.
    So, Mr. Galati, if I could ask you the question. Just how 
confident are you that the adequacy of the encryption is 
protecting our infrastructure in your jurisdiction?
    Chief Galati. Well, sir, cybersecurity and infrastructure 
is very complicated, and we have another whole section in the 
police department and in the city that monitors, works very 
closely with all the agencies such as Con Ed, DEP, and so on. 
We also work very closely with the FBI and their joint cyber 
task force to monitor cyber threats----
    Mr. McKinley. OK. But my question really is, how do you 
feel, because everyone comes in here, and when I have gone to 
the power companies with--I don't need to elicit their names, 
but all of them has said we think we have got it. But yet 
during that discussion on 60 Minutes, this hacker that was 
there, he is a professional hacker, he said I can break into 
any system, any system. So my question more, again, back to you 
is how confident are you that this system is going to work, 
that it is going to be protected?
    Chief Galati. Well, I think with all the agencies that are 
involved in trying to protect critical infrastructure, and I 
think that there is a big emphasis in New York--I'll speak 
about New York--working with multiple agencies. We're looking 
at vulnerabilities to the system. I do think that is an 
encryption issue, but again, I think what I was speaking about 
more when it came to encryption is more about communications 
and investigating crimes or terrorism-related offenses.
    Mr. McKinley. It is beyond your jurisdiction then on that. 
How about----
    Chief Galati. That is not an area that I would comment.
    Mr. McKinley. OK. How about you in Indiana?
    Mr. Cohen. What are you talking about? Control systems 
being compromised? Again, we're talking about firewalls, not 
encryption. We're talking about the ability for someone to get 
inside the system, to have the password, to have the 
passphrase, something like that to get the firewall. So 
encryption of data in motion as an example would not protect us 
from the types of things you're talking about to be able to 
shut down a power grid.
    It's noteworthy that I saw that 60 Minutes piece, and what 
that particular hacker was able to exploit would not have been 
fixed by encryption. That is a separate system related to how 
the cellular--how our cell system works essentially, completely 
separate, unrelated from the issue of encryption. So what I can 
say is having more robust encryption would not fix either of 
those problems.
    Mr. McKinley. Thank you.
    Mr. Cohen. And I lack the background to be able to tell you 
specifically do I feel confident or not confident about how the 
firewalls are right now in the systems you asked about.
    Mr. McKinley. Ms. Hess, boiler up, by the way. And so----
    Ms. Hess. Yes----
    Mr. McKinley [continuing]. And so my question back to you 
is same to you. How would you respond to this?
    Ms. Hess. Yes, sir. I think that, first off, I don't think 
there's any such thing as 100 percent secure----
    Mr. McKinley. Right.
    Ms. Hess [continuing]. Anything as a truly secure solution. 
With that said, I think that it is incumbent upon all of us to 
build the most secure systems possible, but at the same time, 
we're presenting to you today the challenge that law 
enforcement has to be able to get or access or be provided with 
the information we seek pursuant to a lawful order, a warrant 
that has been signed by a judge, be able to get the information 
we seek in order to prove or to have evidence that a crime has 
occurred.
    Mr. Yarmuth. Thank you. I yield back my time.
    Mr. Murphy. Thank you.
    I now recognize Mr. Tonko for 5 minutes.
    Mr. Tonko. Thank you, Mr. Chair, and thank you to our 
witnesses.
    I am encouraged that here today we are developing dialogue 
which I think it is critical for us to best understand the 
issue from a policy perspective. And there is no denying that 
we are at risk with more and more threats to our national 
security, including cyber threats, but there is also a strong 
desire to maintain individual rights and opportunity to store 
information and understand and believe that it is protected. 
And sometimes those two are very difficult. There is a tender 
balance that needs to be struck.
    And so I think, you know, first question to any of the 
three of you is, is there a better outcome in terms of 
training? Do you believe that there is better dialogue, better 
communication, formalized training that would help the law 
enforcement community if they network with these companies that 
develop the technology? I am concerned that we don't always 
have all of the information we require to do our end of the 
responsibility thing here. Ms. Hess?
    Ms. Hess. Yes, sir. I do think that certainly in today's 
world we need people who have those specialized skills, who 
have the training, who have the tools and the resources 
available to them to be able to better address this challenge. 
But with that said, there is still no one-size-fits-all 
solution to this.
    Mr. Tonko. Anything, Chief or Captain, that you would like 
to add?
    Chief Galati. I would just say that we do work very closely 
with a lot of these companies like Google, and we do share 
information and also at times work on training among the agency 
and the company. So there is cooperation there, and I think 
that it can always get better.
    Mr. Tonko. And, Ms. Hess, in this encryption debate, what 
specifically would you suggest the FBI is asking of the tech 
community?
    Ms. Hess. That when we present an order signed by an 
independent, neutral judge, that they are able to comply with 
that order and provide us with the information we are seeking 
in readable form.
    Mr. Tonko. OK. And also to Ms. Hess, is the FBI asking 
Apple and possibly other companies to create a back door that 
would then potentially weaken encryption?
    Ms. Hess. I don't believe the FBI or law enforcement in 
general should be in the position of dictating to companies 
what the solution is. They have built those systems. They know 
their devices and their systems better certainly than we do and 
how they might be able to build some type of the most secure 
systems available or the most secure devices available, yet 
still be able to comply with orders.
    Mr. Tonko. Do you believe that the type of assistance that 
you are requesting from tech companies would lead to any 
unintended consequences such as a weakened order of encryption?
    Ms. Hess. I believe it's best for the tech companies to 
answer that question because, as they build the solutions to be 
able to answer these orders, they would know what those 
vulnerabilities are or potentially could be.
    Mr. Tonko. I thank you. Another potential unintended 
consequence of U.S. law enforcement gaining special access may 
be the message that they are sending to other nations. Other 
countries that seek to stifle dissent or oppose their citizens 
may ask for such tools as well. Right now, even if other 
countries start to demand such a workaround, Apple and other 
technology companies can legitimately argue that they do not 
have it.
    So, Ms. Hess, how would you respond to this argument that 
requiring tech companies to help subvert their own encryption 
establishes precedence that could endanger people around the 
world who rely on protected communications to shield them from 
despotic regimes?
    Ms. Hess. Yes, sir. I would say, first, that in the 
international community--and we've had a number of 
conversations with our partners internationally--that this is a 
common problem among law enforcement throughout the world. And 
so as we continue to see this problem, obviously, there are 
international implications to any solutions that might be 
developed. But in addition to that, what we seek is through a 
lawful order with the system that we've set up in this country 
for the American judicial system to be able to go to a 
magistrate or a judge to get a warrant to say that we believe--
we have probable cause to believe that someone or some entity 
is committing a crime.
    I believe that if other countries had such a way of doing 
business, that that would probably be a good thing for all of 
us.
    Mr. Tonko. And Chief Galati or Captain Cohen, do you have 
anything to add to what was shared here by Ms. Hess?
    Mr. Cohen. In preparing for the testimony, I saw several 
news stories that said that Apple provided the source code for 
iOS to China as an example. I don't know whether those stories 
are true or not. I also tried to find an example of Apple 
answering a question under oath and did not find that.
    I noted that Apple said they could not--did not provide a 
back door to China but did not talk about the source code. The 
source code for the operating system would be the first thing 
that would be needed to hack into an iPhone as an example. And 
I know that they have not provided that source code to U.S. law 
enforcement.
    Mr. Tonko. OK. Thank you. My time is exhausted, so I yield 
back, Mr. Chairman.
    Mr. Murphy. Yield back. Thank you. Mr. Hudson, you are 
recognized for 5 minutes.
    Mr. Hudson. Thank you, Chairman.
    I would like to thank the panel for being here today. Thank 
you for what you do to keep us safe.
    Ms. Hess, as more and more of our lives become part of the 
digital universe, everything from communications to medical 
records, home security systems, the need for strong security 
becomes all that more important. At the same time, however, it 
naturally suggests a massive increase in our digital footprint 
and the amount of information about individuals that becomes 
available on the Internet. Does this present an opportunity for 
law enforcement to explore new, creative ways to conduct 
investigations? I know we have talked a little bit about 
metadata, and while that may not be a good solution, but new 
forms of surveillance or other options that maybe we haven't 
discussed yet.
    Ms. Hess. Yes, sir. I do believe that we should make every 
use of the tools that we've been authorized by Congress, the 
American people to use. And if that pertains to metadata or 
other types of information we might be able to get from new 
technologies, then certainly we should take advantage of that 
in order to accomplish our mission.
    But at the same time, clearly, these things have presented 
challenges to us as well, as previously articulated.
    Mr. Hudson. Well, have you and others in the law 
enforcement community engaged with the technology community or 
others to explore these other types of opportunities or look at 
potential ways to do this going forward?
    Ms. Hess. Yes, sir, we're in daily contact with industry 
and with academia in order to try to come up with solutions, in 
order to try to come up with ways that we might be able to get 
evidence in our investigations.
    Mr. Hudson. And what have you learned from those 
conversations?
    Ms. Hess. Clearly, technology changes on a very, very rapid 
pace. And sometimes, the providers or the people who build 
those technologies may not have built in or thought to build in 
a law enforcement solution, a solution so that they can readily 
provide us with that information even if they want to. And in 
other cases, perhaps it's the way they do business, that they 
might not want to be able to readily provide that information 
or they just may not be set up to do that either because of 
resources or just because of the proprietary way that their 
systems are created.
    Mr. Hudson. I see. The other members of the panel, do you 
have any opinion on this?
    Chief Galati. I would just say that as technology advances, 
it does create a lot of new tools for law enforcement to 
complete investigations. However, as those advances, as we 
start using them, we also see them shrinking away, for--with 
encryption especially, locking things that we recently were 
able to obtain.
    Mr. Hudson. Got you. You don't have to--OK. To all of you, 
I recently read about the CEO of MSAB, a technology company in 
a Detroit News article. It says there is a way for government 
to access data stored on our phones without building a back 
door to encryption. His solution is to build a two-part 
decryption system where both the government and the 
manufacturer possess a unique decryption key, and then only 
with both keys, as well as the device in hand, could you access 
the encrypted data on the device.
    I am not an expert on decryption so I must ask, is such a 
solution achievable? And secondly, have there been any 
discussions between you all, the law enforcement community, 
with the tech community or tech industry regarding a proposal 
like this or something similar that would allow safe access to 
the data without giving a key so to speak to one entity? Is 
that----
    Mr. Cohen. To answer your question, that paradigm would 
work. That's very similar to that paradigm of the safety 
deposit box in a bank where you have two different keys. And 
that would work, but it would require the cooperation of 
industry.
    Mr. Hudson. Anything to add?
    Ms. Hess. What I was going to say----
    Mr. Hudson. OK.
    Ms. Hess [continuing]. Yes, sir.
    Mr. Hudson. Well, we will get a good chance to hear from 
industry on our next panel, but I was trying to explain this to 
one of my staffers and I said did you see the new Star Wars 
movie? Well, the map to find Luke, BB-2 had part of it--or BB-8 
and R2-D2 had the other half so you got to put them together. 
They were like, oh, I get it now.
    Anyway, I think it is important that law enforcement and 
technology work together, continue to have these discussions. 
So I want to thank the chairman for giving us this opportunity 
to do that. And I thank you all for being here.
    And with that, I will yield back.
    Mr. Murphy. The gentleman yields back.
    I recognize the vice chair of the full committee, Mrs. 
Blackburn, for 5 minutes.
    Mrs. Blackburn. Thank you, Mr. Chairman, and thank you to 
the witnesses. I am so appreciative of your time. And I am 
appreciative of the work product that our committee has put 
into this. Mr. Welch and I, with some of the members that are 
on the dais, have served on a privacy and data security task 
force for the committee looking at how we construct legislation 
and looking at what we ought to do when it comes to the issues 
of privacy and data security and going back to the law and the 
intent of the law.
    I mean, Congress authorized wiretaps in 1934, and then in 
'67 you come along and there is the language, you have got Katz 
v. the U.S. that citizens have a reasonable expectation of 
privacy. And we know that for you in law enforcement you come 
up upon that with this new technology that sometimes it seems 
there is the fight between technology and law enforcement and 
the balance that is necessary between that reasonable 
expectation and looking at your ability to do your job, which 
is to keep citizens safe. So I thank you for the work that you 
are doing in this realm.
    And considering all of that, I would like to hear from each 
of you, and, Ms. Hess, we will start with you and just work 
down the panel. Do you think that at this point there is an 
adversarial relationship between the private sector and law 
enforcement? And if you advise us, what should be our framework 
and what should be the penalties that are put in place that 
will help you to get these criminals out of the virtual space 
and help our citizens know that their virtual ``you,'' their 
presence online is going to be protected but that you are going 
to have the ability to help keep them safe? So kind of a loaded 
question. We have got 2 minutes and 36 seconds, so it is all 
yours, and we will move right down the line.
    Ms. Hess. Yes, ma'am. As far as whether there is an 
adversarial relationship, my response is I hope not. Certainly, 
from our perspective in the FBI we want to work with industry, 
we want to work with academia. We do believe that we have the 
same values. We share the same values in this country, that we 
want our citizens to be protected. We also very much value our 
privacy, and we all do.
    I think, as you noted, for over 200 years we--this country 
has balanced privacy and security. And these are not binary 
things. It shouldn't be one or the other. It should be both 
working cooperatively together. And how do we do that? And I 
don't think that's for the FBI to decide, nor do I think it's 
for tech companies to decide unilaterally.
    Mrs. Blackburn. No, it will be for Congress to decide. We 
need your advice.
    Chief Galati. I think that it's not an adversarial 
relationship either. I mean, there are so many things that we 
have to work with all the big tech companies, Twitter, Google, 
Facebook, on threats that are coming in on a regular basis. So 
they are very cooperative and we do work with them in certain 
areas. This is a new area that we're going into, but right now, 
I would say it's not adversarial. They're actually very 
cooperative.
    Mr. Cohen. I agree with the other two that it's not an 
adversarial relationship, but as you mentioned, some of these 
statutes that authorize wire tap, lawful interception, 
authorize the collection of evidence, they have not been 
updated recently. And as technology at an exponential pace 
evolved, some of the statutes have not evolved to keep up with 
them. And we just lack the technical ability at this point to 
properly execute the laws that Congress has passed because the 
technology has bypassed the law.
    Mrs. Blackburn. OK. And we would appreciate hearing from 
you as we look at these updates. The physical space statutes 
are there, but we need that application to the virtual space. 
And this is where it would be helpful to hear from you. What is 
that framework? What are those penalties? What enables you to 
best enforce? And so if you could just submit to us. I am 
running out of time, but submit to us your thoughts on that. It 
would be helpful and we would appreciate it.
    Mr. Chairman, I yield back.
    Mr. Murphy. The gentlelady yields back.
    I now recognize Mr. Cramer for 5 minutes.
    Mr. Cramer. Thank you, Mr. Chairman, and thank all of you. 
It is refreshing to participate in a hearing where the people 
asking the questions don't know the answer until you give it to 
us. That is really cool.
    I want to go in real specifically on the issue of breaking 
modern encryption by brute force as we call it, and that is the 
ability to apply multiple passcodes and, perhaps, an unlimited 
number of passcodes until you break it. That is sort of the 
trick here, and with the iPhone specifically, there is this 
issue of the data destruction feature. Would removing the data 
destruction feature sort of be at least a partial solution to 
your side of the formula? In other words, we are not creating 
the back door but we are removing one of the tools. And I am 
just open-minded to it and looking for your out-loud thoughts 
on that issue.
    Ms. Hess. Yes, sir, if I may. Certainly, that is one 
potential solution that we do use and we should continue to 
use. To be able to guess the right password is something that 
we employ in a wide variety and number of investigations. The 
problem and the challenge is that sometimes those passcode 
lengths may get longer and longer. They may involve 
alphanumeric characters. They may present to us special 
challenges that it would take years, if ever, to actually solve 
that problem, regardless of what type of computing resources we 
might apply.
    And so to that point, we ask our investigators to help us 
be better guessers in order to come up with information or 
intelligence that might be able to help us make a better guess. 
But that's not always possible.
    Mr. Cramer. But if I might, with the ``you get 10 tries and 
you are out'' data destruction feature that iPhone utilizes, 
that makes your job all the more difficult. It would be 
expanding that from 10 to 20 or unlimited or is there some--I 
am not looking for a magic formula, but it seems to me there 
could be some way to at least increase your chances.
    Ms. Hess. Yes, sir, and one of the things that does quite 
clearly present to us a challenge is that usually it takes us 
more than 10 guesses before we get the right answer, if at all. 
And in addition to that, many companies have implemented 
services or types of procedures so that there is a time delay 
between guesses. So after five guesses, for example, you have 
to wait a minute or 15 minutes or a day in order to guess 
between those passcodes.
    Mr. Cramer. Others?
    Mr. Cohen. I don't think personally that the brute-force 
solution would provide a substantive solution to the problem. 
As Ms. Hess mentioned, oftentimes that delay is built in. iOS, 
as an example, went from a four-digit pin to a six-digit pin so 
what you're doing is increasing the number of guesses to guess 
it right. So if you were to, as an example, legislate that it 
would not wipe the data and override the data after a specific 
period of time, you would also have to write in that passcodes 
could only be of a certain complexity, a certain length----
    Mr. Cramer. Sure.
    Mr. Cohen [continuing]. And that would degrade security. 
What is important to understand is we want security, we want 
hard encryption but also need a way to quickly be able to 
access that data because the investigations I work, oftentimes, 
I'm running against the clock to try to identify a child 
victim. And being able to brute force that----
    Mr. Cramer. Sure.
    Mr. Cohen [continuing]. Even a matter of days, let alone 
weeks or months, that's not fast enough.
    Mr. Cramer. Yes. Wow. Well, thanks for your testimony and 
all that you do. I yield back.
    Mr. Murphy. Our tradition is to allow someone outside the 
committee if they want to ask questions. Mr. McNerney, you are 
recognized for 5 minutes.
    Mr. McNerney. I thank the chairman for his courtesy, and I 
thank the witnesses for your service to our country.
    I heard at least one of you state in your opening testimony 
that Congress is the correct forum to make decisions on data 
security, and I agree with that. However, encryption and 
related issues are technical, they are complicated. Most 
Members of Congress aren't really experts in these areas. 
Therefore, it is appropriate that Congress authorize a panel of 
experts from relevant fields to review the issues and advise 
the Congress.
    The McCaul legislation does exactly that. Do each of you 
agree with that approach, the McCaul legislation?
    Ms. Hess. I believe we do need to work with industry and 
academia and all the relevant parties in order to come up with 
the right solution, yes, sir.
    Mr. McNerney. So you would agree that that is the right 
approach, to convene a panel of experts in cybersecurity, in 
privacy, and so on?
    Ms. Hess. I believe that construct, we--there are varying 
aspects of that construct, but yes, that premise I would agree 
with.
    Mr. McNerney. OK. Captain, Chief?
    Chief Galati. Sir, I really couldn't comment because I 
haven't seen that bill.
    Mr. McNerney. OK. Basically, it would----
    Chief Galati. I do agree with Ms. Hess that we need to work 
together. I think we need to have a panel of experts that can 
advise and work with Congress. I do believe that the answer is 
in Congress, so I do agree with the principle of it.
    Mr. McNerney. OK. Thank you. Captain?
    Mr. Cohen. Whatever paradigm helps Members of Congress feel 
comfortable that they are properly balancing civil liberties 
and security versus the ability for law enforcement to do 
proper investigations. Whatever paradigm serves that purpose I 
fully support.
    Mr. McNerney. Thank you. Chief Galati and Captain Cohen, 
you have illuminated some of the information that has been 
available before in cell phones but no longer is available 
because of encryption and I thank you for doing that. I was a 
little in the dark about that. What haven't we heard, though, 
about information that is now available that wasn't available 
in the past because of technology?
    Mr. Cohen. Sir, I'm having problems thinking of an example 
of information that's available now that was not before. From 
my perspective, thinking through investigations that we 
previously had information for, when you combine the encryption 
issue along with shorter and shorter retention periods for 
internet service providers--I mean, keeping their records, both 
metadata and data for shorter periods of time available to 
legal process. I mean, I can definitely find an example of an 
avenue that's available that was not before.
    Chief Galati. Sir, I would only say I've been in the police 
department for 32 years, so technology really has opened up a 
lot of avenues for law enforcement. So I do think there is a 
lot of things that we are able to obtain today that we couldn't 
obtain 10 or 20 years ago. So--and technology has helped law 
enforcement. However, the encryption issue and I think the 
issue that we're speaking on today is definitely eliminating a 
lot of those gains we've made.
    Mr. McNerney. Thank you. Ms. Hess, requiring back-door or 
exceptional access would drive customers to overseas suppliers, 
and if so, we would gain nothing by requiring back-door or 
exceptional access. Do you agree or disagree with that?
    Ms. Hess. I disagree from the sense that I think many 
countries are having the same conversation, the same discussion 
currently because law enforcement in those countries has the 
same challenges that we do. And so I think this will just 
continue to be a larger and larger issue.
    So while it may temporarily drive certain people who may 
decide that it's too much of a risk to be able to do business 
here in this country, I don't think that that's the majority. I 
think the majority of consumers actually want good products, 
and those products are made here.
    Mr. McNerney. Well, thank you for calling out the quality 
of American products. I appreciate that, especially since my 
neighbor here and I represent the part of California where 
those products are developed. But I think there is always going 
to be countries where products are available that would 
supersede whatever requirements we make.
    Also, requiring back-door access would alert potential bad 
actors that there are weaknesses designed into our system and 
motivate them to try to find those weaknesses. Do you agree 
with that or not?
    Ms. Hess. I don't believe there's anything such as a 100 
percent secure system, so I think there will always be people 
who are trying to find and exploit those vulnerabilities.
    Mr. McNerney. But if we design weaknesses into the system 
and everybody knows about it, they are going to be looking for 
those and those are design weaknesses. I mean, I don't see how 
that could further security of critical infrastructure and so 
on. Well, I guess my time is expired, Mr. Chairman.
    Mr. McKinley [presiding]. Thank you. And the chair 
recognizes Congressman Bilirakis for his 5 minutes.
    Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it so 
very much.
    Ms. Hess, thanks for participating in today's much-needed 
hearing. I appreciate the entire panel.
    We are certainly at a crossroads of technology and the law, 
and having you and the FBI perspective is imperative in my 
opinion.
    I have a question about timing. The recent debate has been 
revived as technology companies are using strong encryption, 
and you described the problem as growing. What will a hearing 
like this look like a year from now, 2 years from now? What do 
you perceive is the next evolutionary step in the encryption 
debate so we can attempt to get ahead of it? And as processors 
become faster, will the ability to encrypt keep increasing?
    Ms. Hess. Yes, sir. My reaction to that is that if things 
don't change, then this hearing a year from now, we would be 
sitting here giving you examples of how we were unable to solve 
cases or find predators or rescue victims in increasing 
numbers. And that would be the challenge for us is how can we 
keep that from happening and how might we be able to come up 
with solutions working cooperatively together.
    Mr. Bilirakis. Thank you. Again, next question is for the 
entire panel, please. What have been some successful 
collaboration lessons between law enforcement and software or 
hardware manufacturers dealing with encryption? And are there 
any building blocks or success stories we can build upon, or 
have the recent advancements in strong encryption made any 
previous success obsolete? For the entire panel. Who would like 
to go first? Ms. Hess?
    Ms. Hess. Yes, sir. I apologize but could I ask you to--I'm 
not 100 percent clear on that question.
    Mr. Bilirakis. OK. Let me repeat it. For the entire panel 
again, what have been some successful collaboration lessons 
between law enforcement and software or hardware manufacturers 
dealing with encryption? That is the first question. Are there 
any building blocks or success stories we can build upon, or 
have the recent advancements in strong encryption made any 
previous success obsolete?
    Ms. Hess. Yes, sir. Certainly, we deal with industry on a 
daily basis to try to come up with the most secure ways of 
being able to provide us with that information and still be 
responsive to our request and our orders. I think that building 
on our successes from the past, clearly, there are certain 
companies, for example, as has already been stated here today 
that fell under CALEA and those CALEA-covered providers have 
built ways to be able to respond to appropriate orders. And 
that's provided us with a path so that they know when they 
build those systems what exactly we're looking for and how we 
need to receive that information.
    Mr. Bilirakis. Sir?
    Chief Galati. I'm sorry, sir. I really couldn't comment on 
that. That's not really an area of expertise of mine.
    Mr. Cohen. I concur with what Ms. Hess said. There are a 
few technology companies that have worked with law enforcement 
to provide a legal solution, and they've done that voluntarily. 
So we know the technological solution. They provide a legal 
solution such that we can access data.
    Mr. Bilirakis. Thank you.
    Mr. Cohen. And building on those collaborations and having 
other industry members follow in that path would be of great 
help.
    Mr. Bilirakis. Thank you. Next question for the panel, what 
percentage of all cases are jeopardized due to the suspect 
having an encrypted device, whether it is a cell phone, laptop, 
desktop, or something else? I recognize that some cases such as 
pornography, it may be 100 percent impossible to charge someone 
without decrypting their storage device, but what about the 
other cases where physical evidence or other evidence might be 
available? Does metadata fill in the gaps? And for the entire 
panel, let's start with Ms. Hess, please.
    Ms. Hess. Yes, sir, we are increasingly seeing the issue. 
Currently, in just the first 6 months of this fiscal year 
starting from last October we're seeing of--in the FBI the 
number of cell phones that we have seized as evidence, we're 
encountering passwords about 30 percent of the time, and we 
have no capability around 13 percent of that time. So we're 
seeing those numbers continue to increase, and clearly, that 
presents us with a challenge.
    Mr. Bilirakis. Thank you.
    Chief Galati. Sir, I'll give you some numbers. We have 
approximately 102 devices that we couldn't get in, and these 
are 67 of them being Apple devices. And if I just look at the 
67 Apple devices, 10 of them are related to a homicide, two to 
rapes, one to a criminal sex act, and two are related to two 
members of the police department that were shot. So we are 
seeing an increase as we go forward of not getting the 
information out of the phones.
    One thing I will say is it doesn't always prevent us from 
making an arrest. However, it just doesn't present all the 
evidence that's available for the prosecution.
    Mr. Cohen. And to expand on what the chief said, that can 
be incriminating evidence or that can be exculpatory evidence, 
too, that we don't have access to. On the Indiana State Police, 
the sad part is when our forensic examiners get called, we ask 
a series of questions now of the investigator, is it an iPhone, 
which model? And if we're told it's a model, as an example, 5S 
or newer or on a 64-bit operating system and it's encrypted, we 
don't even take that as an item of evidence anymore because we 
know that there is no technical solution.
    So the problem is we never know what we don't know. We 
don't know what evidence we're missing, whether that is again 
on a suspect's phone or on a victim's phone where the victim is 
not capable of giving us that passcode.
    Mr. Bilirakis. Well, thank you very much. I appreciate it, 
Mr. Chairman. I yield back the time.
    Mr. McKinley. And I think we have one last question for the 
first panel, and that is from the gentlelady from California, 
Ms. Eshoo.
    Ms. Eshoo. Thank you very much, Mr. Chairman, for extending 
legislative courtesy to me to be here to join in on this 
hearing because I am not a member of this subcommittee. But the 
rules of the committee allow us to, and I appreciate your 
courtesy.
    I first want to go to Captain Cohen. I think I heard you 
say that Apple had disclosed its source code to the Chinese 
Government. I believe that you said that, and that is a huge 
allegation for the NYPD to base on some news stories. Can you 
confirm this? Did you----
    Mr. Cohen. Yes, ma'am. I'm with the Indiana State Police, 
by the way, not NYPD.
    Ms. Eshoo. I am sorry.
    Mr. Cohen. What I said was in preparing for my testimony I 
had found several news stories but I was unable to find 
anything to either confirm or deny that assertion----
    Ms. Eshoo. Did you say that in----
    Mr. Cohen [continuing]. By the media.
    Ms. Eshoo. I didn't hear all of your presentation around 
that allegation, but I think it is very important for the 
record that we set this straight because that takes my breath 
away. That is a huge allegation. So thank you.
    To Ms. Hess, the San Bernardino case is really 
illustrative for many reasons. But one of the more striking 
aspects to me is the way in which the FBI approached the issue 
of gaining access to that now-infamous iPhone. We know that the 
FBI went to court to force a private company to create a system 
solely for the purpose of the Federal Government, and I think 
that is quite breathtaking. It takes my breath away just to try 
and digest that, and then to use that information whenever and 
however it wishes.
    Some disagree, some agree, but I think that this is a 
worthy and very, very important discussion. Now, this came 
about after the government missed a key opportunity to back up 
and potentially recover information from the device by 
resetting the iCloud password in the days following the 
shooting.
    Now, the Congress has appropriated just shy of $9 billion 
with a B for the FBI. Now, out of that $9 billion and how those 
dollars are spread across the agency, how is it that the FBI 
didn't know what to do?
    Ms. Hess. Yes, ma'am.
    Ms. Eshoo. How can that be?
    Ms. Hess. In the aftermath of San Bernardino, we were 
looking for any way to identify whether or not----
    Ms. Eshoo. But did you ask Apple? Did you call Apple right 
away and say we have this in our possession, this is what we 
need to get, how do we do it because we don't know how?
    Ms. Hess. We did have a discussion with Apple----
    Ms. Eshoo. When?
    Ms. Hess. I would----
    Ms. Eshoo. After----
    Ms. Hess. I would have to get----
    Ms. Eshoo. After it was essentially destroyed because more 
than 10 attempts were made relative to the passcode?
    Ms. Hess. I'm not sure. I will have to take that as a 
question for the record.
    Ms. Eshoo. I would like to know, Ms. Hess, your response to 
this. I served for almost a decade on the House Intelligence 
Committee, and during my tenure, Michael Hayden was the CIA 
director. Now, as the former director of the CIA, he has said 
that America is safer, safer with unbreakable end-to-end 
encryption. Tell me what your response is to that?
    Ms. Hess. My response would----
    Ms. Eshoo. I think cyber crime, I might add, excuse me, is 
embedded--if I might use that word--in this whole issue, but I 
would like to hear your response to the former director of the 
CIA.
    Ms. Hess. Yes, ma'am. And from what I have read and heard 
of what he has said, he certainly, I believe, emphasizes and 
captures what was occurring at the time that he was in charge 
of those agencies.
    Ms. Eshoo. Has his thinking stopped from the time he was 
CIA director to being former and he doesn't understand 
encryption any longer? What are you----
    Ms. Hess. No, ma'am----
    Ms. Eshoo [continuing]. Suggesting?
    Ms. Hess [continuing]. As technology proceeds at such a 
rapid pace that one must be constantly in that business in 
order to keep up with the iterations.
    Ms. Eshoo. Let me ask you about this. Once criminals know 
that American encryption products are open to government 
surveillance, what is going to stop them from using encrypted 
products and applications that fall outside of the jurisdiction 
of American law enforcement? I have heard you repeat over and 
over we are talking to people in Europe, we are talking--I 
don't know. Is there a body that you are working through? Has 
this been formalized? Because if this stops at our border but 
doesn't include others, this is a big problem for the United 
States of America law enforcement and American products.
    Mr. McKinley. The gentlelady's time is expired.
    Ms. Eshoo. Could she respond?
    Mr. McKinley. Thank you very much.
    Ms. Hess. Yes, ma'am, we are working with the international 
community and our international----
    Ms. Eshoo. How?
    Ms. Hess [continuing]. Partners on that issue.
    Mr. McKinley. Thank you.
    Ms. Eshoo. Do you have a national body? Is there some kind 
of international body that you are working through?
    Mr. McKinley. Thank you.
    Ms. Eshoo. Can she answer that?
    Mr. McKinley. Do you want to finish your remark?
    Ms. Hess. There is no one specific organization that we 
work through. There are a number of organizations we work 
through to that extent.
    Ms. Eshoo. Thank you, Mr. Chairman.
    Ms. DeGette. Mr. Chairman, I would ask unanimous consent 
that all of the members of the committee, as well as the 
members of the full committee who have been asked to sit in be 
allowed to supplement their verbal questions with written 
questions of the witnesses.
    Mr. McKinley. So approved.
    Without seeing any more members seeking to be recognized 
for questions, I would like to thank the witnesses once again 
for their testimony today.
    Now, I would like to call up the witnesses for our second 
panel to the table. Thank you again.
    OK. We will start the second panel. First, I would like to 
introduce the witnesses of our second panel for today's 
hearing, starting with Mr. Bruce Sewell will lead off on the 
second panel. Mr. Sewell is Apple's general counsel and senior 
vice president of legal and global security. He serves on the 
company's executive board and oversees all legal matters, 
including corporate governance, global security, and privacy. 
We thank Mr. Sewell for being with us today and look forward to 
his comments.
    We would also like to welcome Amit Yoran--is that close 
enough--Mr. Yoran, president of RSA Security. RSA is an 
American computer and network security company, and as 
president, Mr. Yoran is responsible for developing RSA's 
strategic vision and operational execution across the business. 
Thanks to Mr. Yoran for appearing before us today, and we 
appreciate this testimony.
    Next, we welcome Dr. Matthew Blaze, associate professor of 
computer and information science at the University of 
Pennsylvania. Dr. Blaze is a researcher in the area of secure 
systems, cryptology, and trust management. He has been at the 
forefront of these issues for over a decade, and we appreciate 
his being here today and offering his testimony on this very 
important issue.
    Finally, I would like to introduce Dr. Daniel Weitzner, who 
is director and principal research scientist at the Computer 
Science and Artificial Intelligence Laboratory, Decentralized 
Information Group at the Massachusetts Institute of Technology. 
Mr. Weitzner previously served as United States deputy chief 
technological officer for internet policy in the White House. 
We thank him for being here with us today and look forward to 
learning from his expertise.
    I want to thank all of our witnesses for being here and 
look forward to the discussion.
    Now, as we begin, you are aware that this committee is 
holding an investigative hearing, and when doing so, it has had 
the practice of taking testimony under oath. Do any of you have 
objection to testifying under oath?
    OK. Seeing none, the chair then advises you that under the 
rules of the House and the rules of the committee, you are 
entitled to be advised by counsel. Do any of you desire to be 
represented or advised by counsel during your testimony today?
    Seeing none, in that case, if you would please rise and 
raise your right hand, I will swear you in.
    [Witnesses sworn.]
    Mr. McKinley. Thank you. You are now under oath and subject 
to the penalties set forth in title 18, section 1001 of the 
United States Code. Each of you may be able to give a 5-minute 
summary of your written statement, starting with Mr. Sewell.

STATEMENTS OF BRUCE SEWELL, GENERAL COUNSEL, APPLE, INC.; AMIT 
   YORAN, PRESIDENT, RSA SECURITY; MATTHEW BLAZE, ASSOCIATE 
    PROFESSOR, COMPUTER AND INFORMATION SCIENCE, SCHOOL OF 
 ENGINEERING AND APPLIED SCIENCE, UNIVERSITY OF PENNSYLVANIA; 
   AND DANIEL J. WEITZNER, PRINCIPAL RESEARCH SCIENTIST, MIT 
COMPUTER SCIENCE AND ARTIFICIAL INTELLIGENCE LAB, AND DIRECTOR, 
            MIT INTERNET POLICY RESEARCH INITIATIVE

                   STATEMENT OF BRUCE SEWELL

    Mr. Sewell. Thank you, Chairman Murphy, Ranking Member 
DeGette, and members of the subcommittee. It's my pleasure to 
appear before you today on behalf of Apple. We appreciate your 
invitation and the opportunity to be part of this important 
discussion on encryption.
    Hundreds of millions of people trust Apple products with 
the most intimate details of their daily lives. Some of you 
might have a smartphone in your pocket right now, and if you 
think about it, there's probably more information stored on 
that phone than a thief could get by breaking into your home. 
And it's not just a phone. It's a photo album, it's a wallet, 
it's how you communicate with your doctor, your partner, and 
your kids. It's also the command central for your car and your 
home. Many people also use their smartphone to authenticate and 
to gain access into other networks, businesses, financial 
systems, and critical infrastructure.
    And we feel a great sense of responsibility to protect that 
information and that access. For all of these reasons, our 
digital devices, indeed our entire digital lives, are 
increasingly and persistently under siege from attackers. And 
their attacks grow more sophisticated every day. This quest for 
access fuels a multibillion dollar covert world of thieves, 
hackers, and crooks.
    We are all aware of some of the recent large-scale attacks. 
Hundreds of thousands of Social Security numbers were stolen 
from the IRS. The U.S. Office of Personnel Management has said 
as many as 21 million records were compromised and as many as 
78 million people were affected by an attack on Anthem's health 
insurance records.
    The best way that we and the technology industry know how 
to protect your information is through the use of strong 
encryption. Strong encryption is a good thing. It is a 
necessary thing. And the government agrees. Encryption today is 
the backbone of our cybersecurity infrastructure and provides 
the very best defense we have against increasingly hostile 
attacks.
    The United States has spent tens of millions of dollars 
through the Open Technology Fund and other programs to fund 
strong encryption. And the administration's Review Group on 
Intelligence and Communications Technology urged the U.S. 
Government to fully support and not in any way to subvert, 
undermine, or weaken generally available commercial encryption 
software.
    At Apple, with every release of hardware and software, we 
advance the safety, security, and data protection features in 
our products. We work hard to also assist law enforcement 
because we share their goal of creating a safer world.
    I manage a team of dedicated professionals that are on call 
24 hours a day, 365 days a year. Not a day goes by where 
someone on my team is not working with law enforcement. We know 
from our interaction with law enforcement officials that the 
information we are providing is extremely useful in helping to 
prevent and solve crimes. Keep in mind that the people subject 
to law enforcement inquiries represent far less than 1/10 of 
1 percent of our hundreds of millions of users. But all of 
those users, 100 percent of them, would be made more vulnerable 
if we were forced to build a back door.
    As you've heard from our colleagues in law enforcement, 
they have the perception that encryption walls off information 
from them. But technologists and national security experts 
don't see the world that way. We see a data-rich world that 
seems to be full of information, information that law 
enforcement can use to solve and prevent crimes. This 
difference in perspective, this is where we should be focused. 
To suggest that the American people must choose between privacy 
and security is to present a false choice. The issue is not 
about privacy at the expense of security. It is about 
maximizing safety and security. We feel strongly that Americans 
will be better off if we can offer the very best protections 
for their digital lives.
    Mr. Chairman, that's where I was going to conclude my 
comments, but I think I owe it to this committee to add one 
additional thought, and I want to be very clear on this. We 
have not provided source code to the Chinese Government. We did 
not have a key 19 months ago that we threw away. We have not 
announced that we are going to apply passcode encryption to the 
next-generation iCloud. I just want to be very clear on that 
because we heard three allegations. Those allegations have no 
merit.
    Thank you.
    [The prepared statement of Bruce Sewell follows:]
    Mr. McKinley. Thank you. And we turn now to the second 
panelist, Mr. Yoran.

                    STATEMENT OF AMIT YORAN

    Mr. Yoran. Chairman Murphy, Ranking Member DeGette, and 
members of the committee, thank you for the opportunity to 
testify today on encryption. This is a very complex and nuanced 
issue, and I applaud the committee's efforts to better 
understand all aspects of the debate.
    My name is Amit Yoran, and I'm the President of RSA, the 
security division of EMC. I would like to thank my mom for 
coming to hear my testimony today. In case things go sideways, 
I assure you, she's much tougher than she looks.
    I've spent over 20 years in the cybersecurity field. In my 
current role, I strive to ensure that RSA provides 
industry-leading cybersecurity solutions. RSA has been a cybersecurity 
industry leader for more than 30 years. The more than 30,000 
global customers we serve represent every sector of our 
economy.
    Fundamental to RSA's understanding of the issues at hand is 
our rich heritage in encryption, which is the basis for 
cybersecurity technology. Our cybersecurity products are found 
in government agencies, banks, utilities, retailers, as well as 
hospitals and schools. At our core, we at RSA believe in the 
power of digital technology to fundamentally transform business 
and society for the better, and that the pervasiveness of our 
technology helps to protect everyone.
    Let me take a moment to say that we deeply appreciate the 
work of law enforcement and the national security community to 
protect our nation. I commend the men and women of law 
enforcement who have dedicated their lives to serving justice.
    Private industry has long partnered with law enforcement 
agencies to advance and protect our nation and the rule of law. 
Where lawful court orders mandate it or where moral alignment 
encourages it, many tech companies have a regular, ongoing, and 
cooperative relationship with law enforcement in the U.S. and 
abroad. Simply put, it is in all of our best interests for the 
laws to be enforced.
    I have four points I'd like to present today, all of which 
I've extrapolated on in my written testimony. First, this is no 
place for extreme positions or rushed decisions. The line 
connecting privacy and security is as delicate to national 
security as it is to our prosperity as a nation. I encourage 
you to continue to evaluate the issue and not rush to a 
solution.
    Second, law enforcement has access to a lot of valuable 
information they need to do their job. I would encourage you to 
ensure that the FBI and law enforcement agencies have the 
resources and are prioritizing the tools and technical 
expertise required to keep up with the evolution of technology 
and meet their important mission.
    Third, strong encryption is foundational to good 
cybersecurity. If we lower the bar there, we expose ourselves 
even further to those that would do us harm. As you know, 
recent and heinous terrorist attacks have reinvigorated calls 
for exceptional access mechanisms. This is a call to create a 
back door to allow law enforcement access to all encrypted 
information.
    Exceptional access increases complexity and introduces new 
vulnerabilities. It undermines the integrity of internet 
infrastructure and reduces--and introduces more risk, not less, 
to our national interests. Creating a back door into encryption 
means creating opportunity for more people with nefarious 
intentions to harm us. Sophisticated adversaries and criminals 
would not knowingly use methods they know law enforcement could 
access, particularly when foreign encryption is readily 
available. Therefore, any perceived gains to our security from 
exceptional access are greatly overestimated.
    Fourth, this is a basic principle of economics with very 
serious consequences. Our standard of living depends on the 
goods and services we can produce. If we require exceptional 
access from U.S.-based companies that would make our 
information economy less secure, the market will go elsewhere. 
But worse than that, it would weaken our power and utilities, 
our infrastructures, manufacturing, health care, defense, and 
financial systems. Weakening encryption would significantly 
weaken our nation.
    Simply put, exceptional access does more harm than good. 
This is the seemingly unanimous opinion of the entire tech 
industry, academia, the national security community, as well as 
all industries that rely on encryption and secured products.
    In closing, I would like to thank all the members of the 
committee for their dedication in understanding this very 
complex issue.
    [The prepared statement of Amit Yoran follows:]
    Mr. McKinley. Thank you.
    Dr. Blaze?

                   STATEMENT OF MATTHEW BLAZE

    Mr. Blaze. Thank you, Mr. Chairman, and members of the 
committee for the opportunity to testify before you today.
    The encryption issue which, as you know, I've been involved 
with for over two decades now, has been characterized as a 
question of whether we can build systems that keep a lot of the 
good guys in but keep the bad guys out. And much of the debate 
has focused on questions of whether we can trust the government 
with the keys for data.
    But before we can ask that question, and that's a 
legitimate political question that the political process is 
well-equipped to answer, there's an underlying technical 
question of whether we can trust the technology to actually 
give us a system that does that. And unfortunately, we simply 
don't know how to do that safely and securely at any scale and 
in general across the wide range of systems that exist today 
and that we depend on. It would be wonderful if we could. If we 
could build systems with that kind of assurance, it would solve 
so many of the problems in computer security and in general 
computer systems that have been with us since really the very 
beginning of software-based systems. But unfortunately, many of 
the problems are deeply fundamental.
    The state of computer and network security today can really 
only be characterized as a national crisis. We hear about 
large-scale data breaches, compromises of personal information, 
financial information, and national security information 
literally on a daily basis today. And as systems become more 
interconnected and become more relied upon for the function of 
the fabric of our society and for our critical infrastructure, 
the frequency of these breaches and their consequences have 
been increasing.
    If computer science had a good solution for making large-
scale robust software, we would be deploying it with enormous 
enthusiasm today. It is really at the core of fundamental 
problems that we have. But we are fighting a battle against 
complexity and scale that we are barely able to keep up with. I 
wish my field had simpler and better solutions to offer, but it 
simply does not.
    We have only two good tools, tried-and-true tools that work 
for building reliable, robust systems. One of those is to build 
the systems to be as simple as possible, to have them include 
as few functions as possible, to decrease what we call the 
attack surface of these systems. Unfortunately, we want systems 
that are more complex and more integrated with other things, 
and that becomes harder and harder to do.
    The second tool that we have is cryptography, which allows 
us to trust fewer components of the system, rely on fewer 
components of the system, and manage the inevitable insecurity 
that we have. Unfortunately, proposals for exceptional access 
methods that have been advocated by law enforcement and we 
heard advocated for by some of the members of the previous 
panel work against really the only two tools that we have for 
building more robust systems, and we need all the help we can 
get to secure our national infrastructure across the board.
    There's overwhelming consensus in the technical community 
that these requirements are incompatible with good security 
engineering practice. I can refer you to a paper I collaborated 
on called ``Keys Under Doormats'' that I referenced in my 
written testimony that I think describes the consensus of the 
technical community pretty well here.
    It's unfortunate that this debate has been so focused on 
this narrow and very potentially dangerous solution of mandates 
for back doors and exceptional access because it leaves 
unexplored potentially viable alternatives that may be quite 
fruitful for law enforcement going forward.
    There's no single magic bullet that will solve all of law 
enforcement problems here or really anywhere in law 
enforcement, but a sustained and a committed understanding of 
things like exploitation of data in the cloud, data available 
in the hands of third parties, targeted exploitation of end 
devices such as Ms. Hess described in her testimony will 
require significant resources but have the potential to address 
many of the problems law enforcement describes, and we owe it 
to them and to all of us to explore them as fully as we can.
    Thank you very much.
    [The prepared statement of Matthew Blaze follows:]
    Mr. McKinley. Mr. Weitzner, you have 5 minutes.

                STATEMENT OF DANIEL J. WEITZNER

    Mr. Weitzner. Thank you, Vice Chairman McKinley, Chairman 
Murphy, and Ranking Member DeGette. Thank you for having me.
    I think this hearing comes at a very important time in the 
debate about how to best accommodate the very real needs of law 
enforcement in the digital age.
    I want to say that I don't think there's any sense in which 
law enforcement is exaggerating or overstating the challenges 
they face, and I don't think we should be surprised that they 
have big challenges. We think about the introduction of 
computers in our society, in our workplace, and our homes, and 
to be colloquial, it throws everyone for a loop for a little 
while, and our institutions take a while to adjust. So we 
shouldn't expect this problem is going to be solved overnight.
    I do think what's happening at this point in the debate, 
however, is that, as some of the previous witnesses said, we 
are seeing a growing consensus that introducing mandatory 
infrastructure-wide back doors is not the right approach. I'm 
going to talk about some ways that I think we can move forward, 
but I want to say why I think it is, and it comes back to the 
safe deposit box analogy that we heard.
    We all do think it's reasonable that banks should have a 
second key to our safe deposit boxes, and maybe even you should 
have drills that can drill through those locks in the event you 
can't find one of the keys. But the problem here is that we're 
all using the same safe, every single one of us, so if we make 
those safe deposit boxes so that they're a little too easy to 
drill into or if someone gets a hold of the key, then everyone 
is at risk, not just the couple thousand customers who happen 
to be at the one bank.
    That's why we see political leaders really from all around 
the world now rejecting the idea of mandatory back doors. 
Recently, Secretary of Defense Ash Carter said, ``I'm not a 
believer in back doors or a single technical approach. I don't 
think it's realistic,'' he said.
    Robert Hannigan, who is the director of the U.K. 
surveillance agency GCHQ, said in a talk he delivered at MIT 
last month that ``mandatory back doors are not the solution.'' 
He said ``encryption should not be weakened, let alone banned, 
but neither is it true that nothing could be done without 
weakening encryption.'' He said, ``I'm not in favor of banning 
encryption, nor of asking for mandatory back doors.''
    And very tellingly, the vice president of the European 
Commission, who was the former Prime Minister of Estonia and 
famous for digitizing almost the entire country and the 
government, said if people know there are back doors, how could 
people who, for example, vote online trust the results of the 
election if they know their government has a key to break into 
the system?
    Two very quick steps that I think we should avoid going 
forward, and then a few suggestions about how to approach this 
challenge that you face, number one, I think you've heard us 
all say that we have to avoid introducing new vulnerabilities 
into an already quite vulnerable information infrastructure. It 
would be nice if we could choose that only the bad guys got 
weak encryption and the rest of us all got strong encryption, 
but I think we understand that's simply not possible.
    You've also heard reference to CALEA, a piece of 
legislation in this committee's jurisdiction. There have been 
calls to address this very difficult question by simply 
extending CALEA to apply to internet companies. But if you look 
closely at CALEA, it shows just how hard it will be to solve 
this problem with a one-size-fits-all solution. CALEA was 
targeted to a very small group of telecommunications companies 
that provided basically all the same product and were regulated 
in a then-pretty-stable way by the Federal Communications 
Commission. The internet and platform industry and the mobile 
apps and device and history is an incredibly diverse, global 
industry, and there's no single regulatory agency that governs 
those services and products. That's very much by design, and so 
I think trying to impose a top-down regulatory solution on this 
whole complex of industries in order to solve this problem 
simply won't work.
    What can we do going forward? Number one, I think that's in 
the efforts of the encryption working group that this committee 
and the Judiciary Committee had set up, I think it's very 
important to look closely at the specific situations that law 
enforcement faces, at the specific court orders, which have 
been successfully satisfied, which haven't, which introduce 
system-wide vulnerabilities that they were followed through, 
and which actually could be pursued without system-wide risk. I 
think there's a lot to be learned about the best practices both 
of law enforcement and technology companies, and there are 
probably some law enforcement agencies and technology companies 
that could up their game a little bit if they had a better 
sense of how to approach this issue.
    I also think it's awfully important we make sure to 
preserve public trust in this environment, in this internet 
environment. I think we understand in the last 5 years that 
there's been significant concern from the public about the 
powers both of government and private sector organizations. I 
think it's a great step that the House Judiciary Committee is 
moving forward amendments to the Electronic Communications 
Privacy Act that will protect data in the cloud, and I think if 
we can do more of that and assure the public that their data is 
protected, both in the context of government surveillance and 
private sector use, that we'll be able to move forward with 
this issue more constructively.
    Thanks very much, and I'm looking forward to the 
discussion.
    [The prepared statement of Daniel J. Weitzner follows:]
    Mr. McKinley. And thank you very much for your testimony.
    And for the whole panel, if I might recognize myself for 
the first 5 minutes with some questions.
    Mr. Sewell, you made quite a point that you have not 
provided the source codes to China. And it had come up from the 
earlier panel. Were you ever asked to provide anyone----
    Mr. Sewell. By the Chinese Government or anyone?
    Mr. McKinley. Yes.
    Mr. Sewell. We have been asked by the Chinese Government. 
We refused.
    Mr. McKinley. How recent were you asked?
    Mr. Sewell. Within the past 2 years.
    Mr. McKinley. OK. Mr. Yoran, I have got a couple of 
questions for you. First, I was a little taken back. You said 
don't rush on the solution or whatever that might be. And as I 
said earlier, this has been 5 1/2 years. I have been hearing 
everyone talk about it, and they are not getting anything done. 
I don't know what we are waiting for. There has got to be a 
solution. I am just one of three licensed engineers in 
Congress, and by now, we would have the solution if there were 
more engineers and fewer attorneys here perhaps.
    But if I might, with your question, I understand your 
company was founded by the original creators of a critical 
algorithm in public key cryptography. Needless to say, 
encryption is your company's DNA. If anyone understands the 
importance of protecting encryption keys, it is your company. 
Yet apparently, several years ago, someone stole your seed 
keys, and as I understand, these are the keys that generate 
keys that are used for remote access, much like those used by 
Members and their staff.
    If a company like yours, as sophisticated as it is and with 
the securities you have, it can lose control of encryption 
keys, how could we have confidence in others, especially 
smaller companies, the ability to do the same?
    Mr. Yoran. Mr. Chairman, I think that you bring up two 
great points. The first statement I would make is that I'd like 
to highlight the fact that a tremendous amount of cooperation 
happens currently between law enforcement and the tech 
community, so that characterization that we've made no progress 
over the past 5 years, I think understates the level of effort 
put forth by the tech community to reply to and support the 
efforts of law enforcement.
    I think what's occurring is--and I won't call it a line in 
the sand--but I think the current request from law enforcement 
have now gotten to the point where they're requesting a mandate 
that our products be less secure and will have a tremendous and 
profound negative impact on our society and public safety, as 
has already been made the point earlier.
    The second point regarding RSA's own breach, I think, that 
highlights the very critical role that encryption plays in the 
entire cybersecurity puzzle. The fact that sophisticated threat 
actors, nation, state, or cyber criminals are going to target 
the supply chain and where strong encryption and strong 
cybersecurity capabilities come from.
    We're dealing with an incredibly sophisticated adversary 
and one that would put forth a tremendous effort to find any 
back doors if they were embedded in our security systems. It 
highlights the value of encryption to society in general, and I 
think it also highlights the importance of transparency around 
cyber breaches and cybersecurity issues.
    Mr. McKinley. Thank you. In the first panel--I will stay 
with you, Mr. Yoran--talked a little bit about the security of 
our infrastructure. And I think the response was along the line 
that it is not an encryption problem; it is a firewall problem. 
I am not sure that the American public understands the 
difference between that, and so I am going to go back to how 
comfortable should we be or can we be that we have proper 
protection on our security firms like yours that are energy or 
transportation system, particularly our grid? As I said, we 
have been hacked--we are subject to it. We know we already have 
been attacked once. So what more should we be doing?
    Mr. Yoran. Mr. Chairman, I think the response provided by 
the earlier panel was wrong. I think encryption plays an 
incredibly important role in protecting critical 
infrastructure. It is not a this is a firewall solution or this 
is an encryption solution. Most organizations that truly 
understand cybersecurity have a diverse set of products, 
applications, and many layers of defenses, knowing that 
adversaries are going to get in through firewalls. Not only 
adversaries but important openings are created in firewalls so 
that the appropriate parties can communicate to them as well. 
And those paths are frequently leveraged by adversaries to do 
nefarious things.
    Mr. McKinley. So are you acknowledging, then, that we still 
are very vulnerable to someone shutting down our electric grid?
    Mr. Yoran. I believe we are extremely vulnerable in any 
infrastructure that leverages technology, how much of it is the 
entire grid, how much of it is localized. I certainly believe 
that utilities are exposed.
    Mr. McKinley. Thank you. And let me just say in closing to 
all four of you, if you have got some suggestions how we might 
be able to address this, I am hearing time and time again in 
the districts with our grid system. I sure would like to hear 
back from you about what we might be able to do.
    With that, I yield the next question from the ranking 
member from Colorado, Ms. DeGette.
    Ms. DeGette. Thank you so much.
    Well, following up on the last question, I would like to 
stipulate that I believe, as most members of this panel 
believe, that strong encryption is really critical to our 
national security and everything else. But, as I said in my 
opening statement, I also recognize that we need to try to give 
law enforcement the ability to apprehend criminals when 
criminals are utilizing this technology to be able to commit 
their crimes and to cover up after the crimes.
    So, first of all, Mr. Sewell, I believe you testified that 
your company works with law enforcement now, is that correct?
    Mr. Sewell. That is correct.
    Ms. DeGette. Thanks. And I think that you would also 
acknowledge that while encryption really does provide benefit 
both for consumers and for society for security and privacy, we 
also need to address this thorny issue about how we deal with 
criminals and terrorists who are using encrypted devices and 
technologies, is that correct?
    Mr. Sewell. I think this is a very real problem. And let me 
start by saying that the conversation we're engaged in now, I 
think, has become something of a conflict, Apple v. the FBI----
    Ms. DeGette. Right. And I don't----
    Mr. Sewell [continuing]. And that's just the wrong 
approach.
    Ms. DeGette. And you don't agree with that, I would hope.
    Mr. Sewell. I absolutely do not.
    Ms. DeGette. And, Mr. Yoran, you don't agree with that, 
that it is technology versus law enforcement, do you? Yes or no 
will work.
    Mr. Yoran. No, I don't agree it's technology----
    Ms. DeGette. OK. And I am assuming that you, Dr. Blaze?
    Mr. Blaze. No.
    Ms. DeGette. And how about you, Mr. Weitzner?
    Mr. Weitzner. [Nonverbal response.]
    Ms. DeGette. No.
    Well, that is good. So here is another question, then. And 
I asked the last panel that. Do you think it is a good idea for 
the FBI and other law enforcement agencies to have to go to 
third-party hackers to get access to data for which they have 
court orders to get?
    Mr. Weitzner. I don't think that's a good idea.
    Ms. DeGette. Do you think so, Mr. Yoran?
    Mr. Yoran. No, ma'am.
    Ms. DeGette. Dr. Blaze?
    Mr. Blaze. No, if I could just clarify, the fact that the 
FBI had to go to a third party indicates that the FBI either 
had or devoted insufficient resources to----
    Ms. DeGette. Right.
    Mr. Blaze [continuing]. Finding a solution----
    Ms. DeGette. And they couldn't----
    Mr. Blaze [continuing]. In advance of the problem.
    Ms. DeGette [continuing]. Do it on their own. Right. I am 
going to get to that in a second. So it is just really not a 
good model. So here is my question. Mr. Yoran, do you think 
that the government should enhance its own capabilities to 
penetrate encrypted systems and pursue workarounds when legally 
entitled to information they cannot obtain either from the user 
directly or service providers? Do you think that they should 
develop that?
    Mr. Yoran. Yes, ma'am.
    Ms. DeGette. Do you think they have the ability to develop 
that?
    Mr. Yoran. Yes, ma'am.
    Ms. DeGette. Professor, do you think that they have the 
ability to develop that?
    Mr. Blaze. It requires enormous resources, and they 
probably--with the resources they currently have, I think it's 
likely that they don't have the ability to----
    Ms. DeGette. One thing Congress has, we may not be internet 
experts but we have resources.
    Mr. Blaze. Right. And I think this is a soluble problem.
    Ms. DeGette. Mr. Weitzner?
    Mr. Weitzner. I think that they certainly should have the 
resources, and I think really the key question is whether they 
have the personnel. And I think it will take some time to build 
up a set of personnel expertise----
    Ms. DeGette. Well, I understand it will take time----
    Mr. Weitzner. Yes.
    Ms. DeGette [continuing]. But do you think they can develop 
those resources?
    Mr. Weitzner. I think so. Absolutely. The only thing----
    Ms. DeGette. Thank you. OK. So, Mr. Yoran, I want to ask 
you another question. Do you think that all of us supporting 
the development of increased capability within the government 
can be a reasonable path forward, as opposed to either relying 
on third parties or making companies write new software or 
redesign systems?
    Mr. Yoran. Yes, ma'am.
    Ms. DeGette. You think that is a better approach? OK. And I 
assume, Mr. Sewell, you probably agree with that, too?
    Mr. Sewell. I'd agree that we ought to spend more money, 
time, resources on the FBI and on local law enforcement 
training----
    Ms. DeGette. And would Apple be willing to help them 
develop those capabilities?
    Mr. Sewell. We actively do participate in helping them.
    Ms. DeGette. So your answer would be yes?
    Mr. Sewell. That we would participate in training, we 
would----
    Ms. DeGette. And helping them develop those in new 
capabilities?
    Mr. Sewell. What we can do is to help them understand our 
ecosystem.
    Ms. DeGette. Right.
    Mr. Sewell. That's what we do on a----
    Ms. DeGette. So I guess----
    Mr. Sewell [continuing]. Daily basis.
    Ms. DeGette. Right. I am not trying to trick you.
    Mr. Sewell. No, and I'm not----
    Ms. DeGette. Yes. OK.
    Mr. Sewell [continuing]. Responding either.
    Ms. DeGette. So I guess, then, your answer would be yes, 
you are willing to help us in conjunction with law enforcement 
and Congress to solve this problem. Is that correct, Mr. 
Sewell?
    Mr. Sewell. I want to solve the problem just like everyone 
else.
    Ms. DeGette. And are you willing to work with law 
enforcement and Congress to do it? Yes or no?
    Mr. Sewell. Congresswoman, we work with them every day. 
Yes, of course----
    Ms. DeGette. A yes or no will work.
    Mr. Sewell. Of course we will. Of course we are.
    Ms. DeGette. Thank you.
    Mr. Sewell. Yes.
    Ms. DeGette. Mr. Yoran?
    Mr. Yoran. Yes, ma'am.
    Ms. DeGette. Professor Blaze?
    Mr. Blaze. Absolutely.
    Ms. DeGette. And Mr. Weitzner?
    Mr. Weitzner. Yes.
    Ms. DeGette. Thank you so much. Thank you, Mr. Chairman.
    Mr. McKinley. Thank you. And I now recognize Mr. Griffith 
from Virginia.
    Mr. Griffith. Thank you, Mr. Chairman. I greatly appreciate 
that.
    My background, I am just a small college history major that 
then went into law, and as a part of that, Mr. Sewell, I would 
have to ask, would you agree with me that, in the history of 
mankind, it took us thousands of years to come up with the 
concept of civil liberties and that perhaps 5 1/2 years isn't 
such a long time to try to find a solution to this current 
issue? And likewise, the answer was in the affirmative for 
those who might not have----
    Mr. Sewell. It was, yes.
    Mr. Griffith [continuing]. Heard that. And that it was 
lawyers who actually created the concept of individual liberty 
and one that our country has been proud to be the leader in the 
world in promoting. Would that also be true?
    Mr. Sewell. That's very true, sir, yes.
    Mr. Griffith. That being said, I was very pleased to hear 
in answers to Ms. DeGette that all of you are willing to help 
us solve this problem because there is no easy answer. I liked 
the safety deposit box analogy. Mr. Weitzner, thanks for 
ruining it for me in your analysis.
    But I would ask Mr. Sewell if there isn't some way--and 
again, I can't do what you all do so I have to simplify it to 
my terms. Is there some way that we can create the vault that 
the banks have with the safety deposit box in it, and then once 
you are inside of there, if you want that security--because not 
everybody has a safety deposit box--but if you want that 
security, that then there is a system of a dual but separate 
keys with companies like yours or others holding one of the 
two keys and then the individual holding the other key and then 
having the ability to, with a proper search warrant, have law 
enforcement be able to get in? I mean, I am trying to break it 
down into a concept I can understand where I can then apply 
what we have determined over the course of the last several 
hundred years is the appropriate way to get at information. And 
it is difficult in this electronic age.
    Mr. Sewell. It is very difficult, Congressman. I agree. We 
haven't figured out a way that we can create an access point 
and then create a set of locks that are reliable to protect 
access through that access point. That is what we struggle 
with. We can create an access point and we can create locks, 
but the problem is that the keys to that lock will ultimately 
be available somewhere, and if they're available anywhere, they 
can be accessed by both good guys and bad guys.
    Mr. Griffith. So you would agree with Mr. Weitzner's 
position or his analysis, which I thought was accurate, is that 
the problem is we are not giving a key and a drill to one 
safety deposit box; it is everybody in the bank who suddenly 
would have their information in the open. And I saw that you 
wanted to make a comment, Mr. Weitzner?
    Mr. Weitzner. I just want to--since this analogy seems to 
be working, we don't put much stuff in our safe deposit boxes, 
right? I mean, I actually don't have one to be honest.
    There's this core concern, back to your civil liberties 
framework, that somehow we have a warrant-free zone that's 
going to take over the world. I think that if you follow the 
safety deposit box analogy, what we know is that the 
information that's important to law enforcement exists in many 
places. And I don't question that there will be some times when 
law enforcement can't get some piece of information at once.
    But I think what you're hearing from a number of us and 
from the technical community is that this information is very 
widely distributed, and much of it is accessible in one way or 
the other or inferable from information that's produced by 
other third parties. And I think that part of the path forward 
is to really understand how to exploit that to the best extent 
possible in investigations so that we're not all focused on the 
hardest part of the problem where the hardest part of the 
problem is what do you do if you have very strongly encrypted 
data? Can you ever get it? It may not be the best place to look 
all the time because it may not always be available.
    Mr. Griffith. And, of course, historically, you are never 
able to get a hold of everything.
    Dr. Blaze, you wanted to weigh in?
    Mr. Blaze. So I just wanted to caution that the split-key 
design, as attractive as it sounds, was also the core of the 
NSA-designed clipper chip, which was where we started over two 
decades ago.
    Mr. Griffith. I appreciate that.
    Mr. Yoran, I have got to tell you, I did think your 
testimony and your written testimony in particular was 
enlightening in regard to the fact that if we do shut down the 
U.S. companies, then there may even be safe havens created by 
those companies that are not our friends and are specifically 
our enemies. I wanted to ask a series of questions on that, but 
I see that my time has expired, and so I am required to yield 
back, Mr. Chairman.
    Mr. McKinley. Looking at the other panel members, we have 
Mrs. Brooks from Indiana, your 5 minutes.
    Mrs. Brooks. Thank you, Mr. Chairman.
    I would like to start out with a comment that was made in 
the first panel, and I guess this is to Mr. Sewell, whether or 
not you can share with us. Does Apple plan to use encryption in 
the cloud?
    Mr. Sewell. We've made no such announcement. I'm not sure 
where that statement came from, but we've made no such 
announcement.
    Mrs. Brooks. OK. I understand you've made no such 
announcement, but is that being explored?
    Mr. Sewell. I think it would be irresponsible for me to 
come here and tell you that we are not even looking at that, 
but we have made no announcement. No decision has been made.
    Mrs. Brooks. And are these discussions helping inform 
Apple's decisions? And is Apple communicating with any law 
enforcement about that possibility?
    Mr. Sewell. These discussions are enormously, enormously 
helpful, and I'd be glad to go further into that. I've learned 
some things today that I didn't know before, so they're 
extremely important. We are considering, we are talking to 
people, we are being very mindful of the environment in which 
we are operating.
    Mrs. Brooks. And I have certainly seen and I know that 
Apple and many companies have a whole set of policies and 
procedures on compliance with legal processes and so forth. And 
so I assume that you have regular conversations with 
policymakers and law enforcement, whether it is FBI or other 
agencies, on these policy issues. Is that correct?
    Mr. Sewell. That's very correct. I interact with law 
enforcement at two very different levels. One is a very 
operational level. My team supports daily activities in 
response to lawful process, and we worked very closely on 
actual investigations. I can mention at least two where we've 
recently found children who've been abducted. We've been able 
to save lives working directly with our colleagues in law 
enforcement. So at that level we have a very good relationship, 
and I think that gets lost in the debate sometimes.
    At the other side, I work at a--perhaps a different level. 
I work directly with my counterpart at the FBI. I work directly 
with the most senior people in the Department of Justice, and I 
work with senior people in local law enforcement on exactly 
these policy issues.
    Mrs. Brooks. Well, and I thank you and all the others for 
cooperating with law enforcement and working on these issues, 
but it seems as if most recently there have not been enough of 
that discussions. Hence, that is why we are having these 
hearings and why we need to continue to have these hearings.
    But I think that we have to continue to have the dialogue 
on the policy while continuing to work on the actual cases and 
recognize that obviously technology companies have been 
tremendously helpful, and we need them to be tremendously 
helpful in solving crimes and in preventing future crimes. I 
mean, it is not just about solving crimes already perpetrated, 
but it is always, particularly with respect to terrorism, how 
do we ensure that we are keeping the country safe?
    I am curious with respect to a couple of questions with 
respect to legal hacking and the types of costs that are 
associated with legal hacking, as well as the personnel needed. 
And since the newer designs of iPhones prevent the bypassing of 
the built-in encryption, does Apple actually believe that 
lawful hacking is an appropriate method for investigators to 
use to assess the evidence in investigations?
    Mr. Sewell. So I don't think we have a firm position on 
that. I think there are questions that would have to be 
answered with respect to what the outcome of that lawful 
hacking is, what happens to the product of that lawful hacking. 
So I don't have a formal corporate position on that.
    Mrs. Brooks. So then, because that has been promoted, so to 
speak, as far as a way around this difficult issue, are you 
having those policy discussions about Apple's view and the 
technology sector's view on lawful hacking? Are those 
discussions happening with law enforcement?
    Mr. Sewell. I think this is a very nascent area for us, but 
particularly the question is what happens to the result. Does 
it get disclosed? Does it not get disclosed? That, I think, is 
an issue that has not been well explored.
    Mrs. Brooks. Mr. Yoran, do you have an opinion on that 
lawful hacking?
    Mr. Yoran. Not an opinion on lawful hacking in specific, 
but I would just point out that doing encryption properly is 
very, very hard. Trying to keep information secret in the 
incredibly interconnected world that we live in is very, very 
hard. And I would suggest that it's getting harder, not easier.
    So the information, the data that law enforcement has 
access to, I think, is certainly much more than the metadata 
that they've had over the past several years. But now, as 
applications go into the cloud, those cloud application 
providers need to access the data. So the sensitive information 
is not just on your iPhone or other device, it's sitting in the 
cloud, and law enforcement has access there because it cannot 
be encrypted. It needs to be accessed by the cloud provider in 
order to do the sophisticated processing and provide the 
insight to the consumer that they're looking for.
    Mrs. Brooks. My time is expired. I have to yield back.
    Mr. McKinley. Thank you. And now seeing no other members of 
the subcommittee here with us, we can then go----
    Mr. Bilirakis. Mr. Chairman? I am sorry.
    Mr. McKinley. Oh, OK. You are on the subcommittee?
    Mr. Bilirakis. No.
    Mr. McKinley. OK. We are going to--none on the 
subcommittee, so now we are going to members that have been 
given privileges to speak. And I was advised I was to go to the 
other side, like this ping-pong game. And Ms. Eshoo from 
California, your 5 minutes.
    Ms. Eshoo. Thank you, Mr. Chairman.
    First of all, to Mr. Yoran, I love your suit and tie. It 
brings a little of the flavor of my district into this big old 
hearing room. And a warm welcome to your mother. I don't know 
where she is, but it is great to have your mother here, great, 
wonderful.
    I know that Associate Professor Blaze talked about the 
crisis of the vulnerability in our country relative to, you 
know, how our systems, how vulnerable our systems are. I would 
just like to add for the record that up to 90 percent of the 
breaches in our system in our country are due to two major 
factors. One is systems that are less than hygiene, unhygienic 
systems. Number two, very poor security management.
    So I think the Congress should come up with at least a 
floor relative to standards so that we can move that word 
crisis away from this. But we really can do something about 
that. I know it costs money to keep systems up, and there are 
some that don't invest in it, but that can be addressed.
    The word conversation has been used, and I think very 
appropriately. And this is a very healthy hearing. 
Unfortunately, the first thing the American people heard was a 
very powerful Federal agency, you know, within moments of the 
tragedy in San Bernardino demand of a private company that they 
must do thus and so, otherwise, we will be forever pitted 
against one another, and there is no other resolution except 
what I call a swinging door that people can go in and out of. 
When I say people, in this case, it is the government.
    Now, the American people have a healthy suspicion of Big 
Brother, but they also have a healthy suspicion of big 
corporations. They just do. It is in our DNA, and I don't think 
that is an unhealthy thing. But that first snapshot, I think, 
we need to move to the next set of pictures on this. And I am 
heartened that the panel seems to be unanimous that this 
weakening of our overall system by having a back door, by 
having a swinging door is not the way to go.
    So in going past that, I would like to ask Mr. Sewell the 
following. Whether introducing a third-party access, and that 
has been talked about, I think that would fundamentally weaken 
our security. How does third-party access impact security? How 
likely do you think it is that law enforcement could design a 
system to address encrypted data that would not carry with it 
the unanticipated weaknesses of its own?
    I am worried about law enforcement in this, and I want to 
put this on the record as well. I think that it says something 
that the FBI didn't know what it was doing when it got a hold 
of that phone, and that is not good for us. It is not going to 
attract smart young people to come into a Federal agency 
because what it says to them is it doesn't seem to us they know 
what they are doing.
    So can you address this third-party access and what kind of 
effect it would have on overall security?
    Mr. Sewell. Thank you very much for the question, 
Congresswoman.
    If you allow third-party access, you have to give the third 
party a portal in which to exercise that access. This is 
fundamentally the definition of a back door or a swinging door 
as you've, I think, very aptly described it.
    There is no way that we know of to create that 
vulnerability, to create that access point and more 
particularly to maintain it. This was the issue in San 
Bernardino was not just give us an access point but maintain 
that access point in perpetuity so that we can get in over and 
over and over again.
    We have no way of doing that without undermining and 
endangering the entire encryption infrastructure. We believe 
that strong, ubiquitous encryption is the best way that we can 
maintain the safety, security, and privacy of all of our users. 
So that would be fundamentally a problem.
    Ms. Eshoo. Thank you very much.
    Thank you, Mr. Chairman, for your legislative courtesy 
again. Thank you to the witnesses. You have been, I think, most 
helpful.
    Mr. Murphy. I thank the witnesses, too. I apologize I had 
to run out for a while, but I am going to get to ask a few 
questions here and I want to make sure to follow up.
    So, Mr. Sewell----
    Mr. Sewell. Sir.
    Mr. Murphy [continuing]. We can all understand the benefits 
of strong encryption, whether it is keeping someone's own bank 
statement, financial records encrypted so we didn't have to 
worry about hackers there. We already heard some pretty 
compelling testimony in the first, challenges about law 
enforcement, criminal activity, child predators, homicides, et 
cetera. Based on your experience, what we heard today, can you 
acknowledge that the spread of default encryption does present 
a challenge for law enforcement?
    Mr. Sewell. I think it absolutely does. And I would not 
suggest for a moment that law enforcement is overstating the 
same claim that has been made by other panelists. I think the 
problem is that there's a fundamental disconnect between the 
way we see the world and the way law enforcement sees the 
world, and that's where I think we ought to be focusing.
    Mr. Murphy. And what is that disconnect? What is that two 
different world views?
    Mr. Sewell. The disconnect has to do with the evolution of 
technology in society and the impact of that technology in 
society. What you've heard from our colleagues in law 
enforcement is that the context in which encryption occurs 
reduces the scope of useful data that they have access to, this 
going-dark problem.
    But if you talk to technologists, we see the world in a 
very different way. We see the impact of technology is actually 
a burgeoning of information. We see that there's an abundance 
of information, and this will only increase exponentially as we 
move into a world where the Internet of Things becomes part of 
our reality.
    So you hear on one side we're going dark, and you hear on 
the other side there's an abundance of information. That circle 
needs to be squared. And the only way that I think we can do 
that is by cooperating and talking and engaging in the kind of 
activity that Madam DeGette was suggesting. We need to work 
together----
    Mr. Murphy. So let me bring this----
    Mr. Sewell [continuing]. So we understand their 
perspective, they understand ours.
    Mr. Murphy. I appreciate that, but I am not--it is a very 
compelling argument you gave, but I have no idea what you just 
said. So let me----
    Mr. Sewell. Sure.
    Mr. Murphy [continuing]. Try and put this into terms that 
we can all talk about.
    Mr. Sewell. Sure.
    Mr. Murphy. We heard testimony from the first panel of 
child predators who are able to hide behind this invisible 
cloak, from a murder scene where they could have perhaps caught 
who did this. We know that when it comes to crimes, there are 
those who just won't commit crimes because they have a good 
moral compass. We have those who will commit them anyway 
because they have none. We also have those who can be deterred 
because they think they might get caught. And when it comes to 
other issues such as terrorist acts where you can get into a 
cell phone or something from someone who has committed an act, 
you can find out if they are planning more and save other 
lives.
    So what do you tell a family member who has had their child 
abused and assaulted in unspeakable forms, what do you tell 
them about burgeoning technology? I mean, tell me what comfort 
we can give someone about the future?
    Mr. Sewell. I think in situations like that, of course, 
they're tragic. I'm not sure that there's anything which I or 
any one of us could say that would help to ease that pain.
    On the other hand, we deal with this every day. We deal 
with cases where children have been abducted. We work directly 
with law enforcement to try to solve those crimes. We had a 
14-year-old girl from Pennsylvania just recently that was abducted 
by her captor. We worked immediately with the FBI in order to 
use IP logs to identify the location where she had been 
stashed. We were able to get feet on the ground within a matter 
of hours, find that woman, rescue her, and apprehend----
    Mr. Murphy. And that is good and I appreciate that, but 
what about--I look at this case that was presented, though, 
when someone may have a lot of information hidden, and if they 
could get in there, whether it is child predators or it is a 
terrorist where we could prevent more harm----
    Mr. Sewell. And we're missing the point of technology here. 
The problems that we're trying to solve don't have an easy 
fix----
    Mr. Murphy. I know that. I know that. But tell me, I need 
to know----
    Mr. Sewell. So----
    Mr. Murphy [continuing]. You are working in a direction 
that helps here.
    Mr. Sewell. Absolutely.
    Mr. Murphy. That is what I am trying to help you elicit.
    Mr. Sewell. Photo DNA, hashing images so that when those 
images move across the Internet we can identify them, we can 
track them. The work that we do with Operation Railroad is 
exactly that. It's an example of taking technology, taking 
feet-on-the-ground law enforcement techniques and marrying them 
together in a way that fundamentally changes----
    Mr. Murphy. And for people who are using encrypted sources, 
whether it is by default or intention to hide their data and 
their intention and their harmful activity that they are 
planning on hurting more, what do we tell the public about 
that?
    Mr. Sewell. We tell the public that, fundamentally, we're 
working on the problem and that we believe strong, ubiquitous 
encryption provides the best and safest----
    Mr. Murphy. So does that mean Apple is going to be working 
with the FBI and law enforcement on this problem? I know that 
the response of Apple was we ought to have a commission. You 
are looking at the commission, the Energy and Commerce 
Committee Oversight and Investigation Committee, and we want to 
find solutions. We want to work with you. And I am pleased you 
are here today.
    And you heard many of us say we don't think there is right 
or wrong absolutes. This is not black and white.
    Mr. Sewell. Yes.
    Mr. Murphy. We are all in this together, and we want to 
work on that. I need to know about your commitment, too, in 
working with law enforcement. Could you make a statement on 
that?
    Mr. Sewell. Can I tell you a story, Congressman?
    Mr. Murphy. Sure.
    Mr. Sewell. Can I actually do that? I sat opposite my 
counterpart at the FBI, a person that I know very well. We 
don't talk frequently but we talk regularly. We're on a 
first-name basis. I sat opposite from him and I said amidst all of 
this clamor and rancor, why don't we set aside a day. We'll 
send some smart people to Washington or you send some smart 
people to Cupertino, and what we'll do for that day is that 
we'll talk to you about what the world looks like from our 
perspective. What is this explosion of data that we can see? 
Why do we think it's so important? And you, talk to us about 
the world that confronts your investigators from the moment 
they wake up in the morning. How do they think about 
technology? How do they think about the problems that they're 
trying to solve?
    And we were going to sit down together for a day. We were 
planning that at the time that the San Bernardino case was 
filed. That got put on hold. But that offer still exists. 
That's the way we're going to solve these problems.
    Ms. DeGette. Mr. Chairman?
    Mr. Murphy. Yes.
    Ms. DeGette. Will you yield for one second?
    Mr. Murphy. Yes.
    Ms. DeGette. You know, Mr. Sewell, if we can facilitate 
that meeting in any way, I am sure the chairman and I would be 
more than happy to do that. And we have some very lovely 
conference rooms that are painted this very same color, 
courtesy of Chairman Upton, and we will have you there.
    Mr. Sewell. Madam, if we can get out of the lawsuit world----
    Ms. DeGette. You know what----
    Mr. Sewell [continuing]. Let's start cooperating.
    Ms. DeGette. That would be great.
    Mr. Sewell. Yes.
    Ms. DeGette. Thank you.
    Mr. Sewell. Great.
    Mr. Murphy. We want that to be facilitated. We have too 
many lives at stake and the concerns of many families and 
Americans. This is central. This is core.
    Mr. Sewell. I agree.
    Mr. Murphy. So thank you. I know I am out of time.
    Mr. Bilirakis is going to be recognized now for 5 minutes.
    Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it so 
very much. I want to thank everyone here on the panel for your 
technology leadership that helps keep us safe because that is 
what our priority here is in the United States Congress. At 
least it is mine and I know many others on this panel.
    We are here to find a balance between security and privacy 
and not continue to pit them against each other. I think you 
will agree with that.
    Mr. Yoran, how quickly does one lifecycle of encryption 
last as a secure system until vulnerabilities are found and 
exploited? Will this continually be a game of cat-and-mouse or 
are we at a level now where software and the processes are 
strong enough to make end-to-end encryption a stable system?
    Mr. Yoran. Systems are attacked and vulnerabilities are 
exploited almost instantaneously once computer systems, mobile 
devices are put on the Internet. Once crypto methods are 
published, there's an entire research community that goes to 
work. Depending on the strength of the encryption, 
vulnerabilities may be discovered immediately, or they may be 
discovered decades down the road, in which case all of the 
information may have been at risk while that crypto system was 
in use.
    And frequently, the exposure and the exploitation of crypto 
systems isn't necessarily based on the strength of the 
algorithms themselves but on how they're implemented and how 
the systems are interconnected. I might not have the key to get 
information off of a particular device, but because I can break 
into the operating system because I have physical access to it, 
because I can read the chips, because I can do all sorts of 
different things. I can still get information or I can get the 
key while it was resident in memory. It's just a very complex 
system that all has to work perfectly in order for the 
information to be----
    Mr. Bilirakis. Thank you.
    Mr. Yoran [continuing]. Protected.
    Mr. Bilirakis. The next question is for the entire panel. 
We have known for the past few years that any significant 
threat to our homeland will likely include a cyber attack. Will 
you agree on that?
    Can you elaborate on the role that encryption plays in this 
process of continuing national security? Certainly, the 
military has used forms of encryption for decades, but can you 
give us a contemporary snapshot of how encryption use by 
government or nongovernment users protect us against cyber 
attacks today? We can start over here, please.
    Mr. Sewell. I will answer the question, but I am not at all 
the expert in this space. I think the other panelists are much 
more expert than I am in the notion of encryption and 
protecting our infrastructure.
    The one point that I will say that I tried to emphasize in 
my opening statement was that we shouldn't forget about some of 
the changes that are happening in terms of the way that 
infrastructure can be accessed. I think we sometimes lose sight 
of the fact that phones themselves now are being used as 
authentication devices. If you can break the encryption and you 
can get into the phone, that may be a very easy way to get into 
the power grid, to get into our transport systems, into our 
water systems.
    So it's not just a question of the firewalls or the access; 
it's how--what is the instrumentality that you used to get into 
those things that we also have to be concerned about.
    Mr. Bilirakis. Thank you. Mr. Yoran?
    Mr. Yoran. I believe fundamentally that security is 
actually on the same side as privacy and our economic interest. 
It's fundamental. It's fundamental in the national security 
community. But it's also mandated by law to protect all sorts 
of other data in other infrastructures and systems such as 
financial services, health care records, so on and so forth, 
such that even folks who might not gain an advantage by having 
strong encryption available like General--I'm sorry, Admiral 
Rogers, the director of the NSA; and James Clapper, the 
director of National Intelligence, are on the record saying 
that they believe it's not in the U.S. best interest to weaken 
encryption.
    Mr. Bilirakis. Anyone else wish to comment, please?
    Mr. Blaze. I mean, encryption is used in protecting 
critical infrastructure the same way it's used in protecting 
other aspects of our society. It protects sensitive data when 
it's being transmitted and stored, including on mobile devices 
and over the Internet and so on.
    I just want to add that critical infrastructure systems are 
largely based and built upon the same components that we're 
using in consumer and business devices as well. There aren't--
critical infrastructure systems essentially depend upon mobile 
phones and operating systems that you and I are using in our 
day-to-day life. And so when we weaken them, we also weaken the 
critical infrastructure systems.
    Mr. Bilirakis. Sir?
    Mr. Weitzner. Could I just add very briefly that I actually 
thought Mr. Sewell's answer was pretty good. But--and what's 
critical about those systems that we rely on to protect our 
critical infrastructure is that when we find flaws in them, we 
have to patch them quickly. We have to fix them quickly. As Mr. 
Yoran said, you know, these systems are constantly being looked 
at.
    I'm concerned that if we end up imposing requirements on 
our security infrastructure, on our encryption tools, if we 
impose CALEA-like requirements, the process of identifying 
flaws, fixing them, putting out new versions rapidly is going 
to be slowed down to figure out whether those comply with 
whatever the surveillance requirements are. And I think that's 
the wrong direction for us to go in. We want to make these 
tools as adaptive as possible. We want them to be fixed as 
quickly as possible, not be caught in a whole set of rules 
about what they have to do and not do to accommodate 
surveillance needs.
    Mr. Bilirakis. Thank you very much. Thank you, Mr. 
Chairman, for allowing me to participate. I appreciate it, and 
I will yield back.
    Mr. Murphy. Thank you. I ask unanimous consent that the 
letter from CTA be admitted to the record. Without objection, 
that will be so.
    [The information appears at the conclusion of the hearing.]
    Mr. Murphy. And I believe, Ms. DeGette?
    Ms. DeGette. I would ask unanimous consent--Ms. Eshoo has a 
letter from TechNet dated April 19 that we would like to have 
put in the record.
    Mr. Murphy. Thank you.
    [The information appears at the conclusion of the hearing.]
    Mr. Murphy. And I also ask unanimous consent that the 
contents of the document binder \1\ be introduced in the record 
and authorize staff to make any appropriate redactions. Without 
objection, the documents will be entered in the record with any 
redactions the staff determines are appropriate.
---------------------------------------------------------------------------
    \1\ The contents of the document binder can be found at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=104812.
---------------------------------------------------------------------------
    Mr. Murphy. And in conclusion, I want to thank all the 
witnesses and members that participated in today's hearing.
    I remind members they have 10 business days to submit 
questions for the record. I ask that the witnesses all agree to 
respond promptly to the questions.
    Thank you so much. We look forward to hearing from you 
more, and we will get you together. Thank you.
    Mr. Sewell. Good. Thank you, Mr. Chairman.
    Mr. Murphy. This committee is adjourned.
    [Whereupon, at 1:14 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]
    
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]