[Senate Hearing 114-739]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 114-739
 
 COUNTERTERRORISM, COUNTERINTELLIGENCE, AND THE CHALLENGES OF ``GOING 
                                 DARK''

=======================================================================

                                HEARING

                               BEFORE THE

                    SELECT COMMITTEE ON INTELLIGENCE

                                 OF THE

                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                        WEDNESDAY, JULY 8, 2015

                               __________

      Printed for the use of the Select Committee on Intelligence
      
      
      
      
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]     
      
      


         Available via the World Wide Web: http://www.fdsys.gov
         
         
         
         
         
         
                             _________ 

                 U.S. GOVERNMENT PUBLISHING OFFICE
                   
 27-896 PDF                 WASHINGTON : 2018       
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800         
         
         
         
         
         
         
         
                    SELECT COMMITTEE ON INTELLIGENCE

           [Established by S. Res. 400, 94th Cong., 2d Sess.]

                 RICHARD BURR, North Carolina, Chairman
              DIANNE FEINSTEIN, California, Vice Chairman

JAMES E. RISCH, Idaho                RON WYDEN, Oregon
DANIEL COATS, Indiana                BARBARA A. MIKULSKI, Maryland
MARCO RUBIO, Florida                 MARK WARNER, Virginia
SUSAN COLLINS, Maine                 MARTIN HEINRICH, New Mexico
ROY BLUNT, Missouri                  ANGUS KING, Maine
JAMES LANKFORD, Oklahoma             MAZIE K. HIRONO, Hawaii
TOM COTTON, Arkansas
                 MITCH McCONNELL, Kentucky, Ex Officio
                     HARRY REID, Nevada, Ex Officio
                    JOHN McCAIN, Arizona, Ex Officio
                  JACK REED, Rhode Island, Ex Officio
                              ----------                              
                      Chris Joyner, Staff Director
                 David Grannis, Minority Staff Director
                  Desiree Thompson-Sayle, Chief Clerk
                  
                  
                                CONTENTS

                              ----------                              

                              JULY 8, 2015

                           OPENING STATEMENTS

Burr, Hon. Richard, Chairman, a U.S. Senator from North Carolina.     1
Feinstein, Hon. Dianne, Vice Chairman, a U.S. Senator from 
  California.....................................................    58

                                WITNESS

Comey, Hon. James B., Director, Federal Bureau of Investigation..    59
    Prepared statement...........................................    63

                         SUPPLEMENTAL MATERIAL

Computer Science and Artificial Intelligence, Laboratory 
  Technical Report dated July 6, 2015, entitled ``Keys Under 
  Doormats''.....................................................     4
Letter from the American Civil Liberties Union dated July 7, 2015    38
Letter from the Business Software Alliance dated July 8, 2015....    47
Remarks of Director Comey to the Brookings Institution on October 
  16, 2014.......................................................    50


                           COUNTERTERRORISM,



                      COUNTERINTELLIGENCE, AND THE



                      CHALLENGES OF ``GOING DARK''

                              ----------                              


                        WEDNESDAY, JULY 8, 2015

                                       U.S. Senate,
                          Select Committee on Intelligence,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:33 p.m. in Room 
SH-216, Hart Senate Office Building, Hon. Richard Burr 
(Chairman of the Committee) presiding.
    Committee Members Present: Burr, Feinstein, Risch, Coats, 
Collins, Blunt, Lankford, Cotton, McCain, Wyden, Mikulski, 
Warner, Heinrich, and Hirono.

   OPENING STATEMENT OF HON. RICHARD BURR, CHAIRMAN, A U.S. 
                  SENATOR FROM NORTH CAROLINA

    Chairman Burr. Good afternoon. I call this hearing to 
order. I'd like to welcome our witness today, Director of the 
Federal Bureau of Investigation, James Comey. I would note that 
Director Comey appeared this morning before the Senate 
Judiciary Committee. Jim, I appreciate your appearing before us 
now and enduring a long day of Congressional testimony. I know 
the Vice Chair has had an opportunity to have a bite at you, 
but she wanted one more, she told me.
    As we often conduct hearings in closed session, I'd like to 
take this opportunity to publicly commend the Director and the 
men and women of the FBI for their outstanding efforts in 
keeping our country safe. It is due in no small part to FBI 
vigilance in concert with the intelligence community partners 
that our Nation's enjoyed peaceful and safe Independence Day 
celebrations this past weekend.
    Director Comey, as you're well aware, extremists fueled by 
anti-Western propaganda remain intent on inflicting harm on 
U.S. interests at home and abroad. Over the past year we've 
witnessed the Islamic State of Iraq and the Levant, also 
referred to as ``ISIL'' or the ``Islamic State'' or ``Daesh,'' 
attempt to inspire a wide range of individuals to conduct 
attacks against innocent civilians.
    Largely as a result of ISIL's media savvy, the number of 
U.S.-based individuals in 2015 seeking to conduct attacks in 
the homeland or overseas to join ISIL has already exceeded the 
combined number of individuals attempting these activities in 
2013 and 2014.
    Unfortunately, the threats facing our Nation are not 
limited to terrorist actors. Foreign governments remain intent 
on stealing our country's most valuable trade, intellectual 
property and national security secrets. The FBI is charged with 
confronting all these threats as well and is continually 
challenged by the capabilities and tradecraft employed by these 
nation-state actors.
    In addition to these fairly unique jurisdictional issues, 
the FBI conducts routine law enforcement investigations of drug 
trafficking, theft of government property, child pornography, 
robbery, extortion, murder, and the list goes on and on and on. 
These criminals are also turning to encrypted communications as 
a means of evading detection. These two issues that might at 
first glance appear unrelated are in fact closely linked.
    Communications between a terrorist organization's 
operational commanders and field soldiers require enabling 
technology. Communications between a foreign state and its 
spies also requires enabling technology. In both cases, the 
enabling technology used by terrorists and foreign state spies 
is increasingly secure encrypted communications. Both of these 
adversaries are taking advantage of the rapid advances in 
secure communications that are employing advanced--that are 
employing advanced commercially available encryption.
    Director, as I understand the issue, even when law 
enforcement has the legal authority to intercept and access 
communications pursuant to a court order, you may lack the 
technical ability to do so. This is what you've referred to and 
others have referred to as ``Going Dark.'' You've described it 
as one of the biggest challenges facing your agency and law 
enforcement generally. This challenge falls at the intersection 
of technology, law, freedom, and security.
    It results from the adoption of universal encryption. These 
applications are designed so that only the user has the key to 
decode their content. In these cases, when the FBI or any other 
law enforcement agency requests access to a user's 
communications via a lawful warrant, it is inaccessible or 
unreadable. It does not matter whether the user is a suspected 
terrorist, a child molester, a spy or a drug trafficker; law 
enforcement's blind and becoming so, and as a result we're less 
safe.
    I, like all Americans, desire privacy. As Americans we're 
guaranteed the right to be secure pursuant to the Fourth 
Amendment in our persons, houses, papers and effects. I'm also 
concerned, though, as are our fellow members, about the 
terrorist, counterintelligence and other criminal threats to 
those very same things. I strongly believe that we must 
identify a solution that first protects American privacy, but 
also allows for lawful searches under valid court orders.
    Director Comey, you said that the encryption now readily 
available--and I quote--``is equivalent to a closet that can't 
be opened or a safe that can't be cracked,'' unquote. You have 
an opportunity today to speak to the Committee and to the 
American people and to convince us that in order to keep the 
American people safe, you need to be able to open the closet or 
to crack the safe. There are no easy answers and we're 
embarking on what will be a robust debate that I think it was 
initiated by you and I think that's a good thing.
    Director, you wrote on Monday that part of your job is to 
make sure the debate is informed by a reasonable understanding 
of the cost. I look forward to your testimony, this discussion, 
and I appreciate you being here.
    Before I turn to the Vice Chairman for her remarks, I'd 
like to ask unanimous consent to enter several documents into 
the record. The first is the Computer Science and Artificial 
Intelligence Laboratory Technical Report dated July 6th, 2015, 
entitled ``Keys Under Doormats.''
    [The material referred to follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
      
    Chairman Burr. The second letter, from the American Civil 
Liberties Union to the Committee, dated July 7th, 2015, on the 
topic of this hearing.
    [The material referred to follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
        
    The third is a letter from the Business Software Alliance 
dated July the 8th, 2015, again to this Committee and the 
Senate Judiciary Committee, on the topic of today's hearing.
    [The material referred to follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
 
    And the fourth is the transcript of the Director's remarks 
to the Brookings Institute dated October 16th, 2014. Without 
objection, those four documents will be entered into the 
record.
    [The material referred to follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
    I now turn to the Vice Chairman for any remarks she might 
make.

 OPENING STATEMENT OF HON. DIANNE FEINSTEIN, VICE CHAIRMAN, A 
                  U.S. SENATOR FROM CALIFORNIA

    Vice Chairman Feinstein. Thanks very much, Senator. And 
thank you, Mr. Chairman, for holding this hearing. There was a 
crowded hearing this morning in Judiciary and I think the 
number of people here today is evidence that this a subject of 
great interest, so I thank you for holding this open hearing.
    Director Comey, welcome again back to the Committee, and 
let me just repeat what I said this morning in Judiciary. I 
want to thank you and the men and women of the FBI for really 
unparalleled service to protect this country and disrupt and 
prevent attacks. We are very grateful and I hope you will say 
that to your people, so thank you.
    For a period last month there were arrests almost every day 
as the Bureau worked to thwart attacks around the 4th of July 
holiday. Counterterrorism has been the top of the FBI's 
priority list since 9/11. And never has it included so many 
operations and threats to our country.
    The Assistant Attorney General for National Security, John 
Carlin, said last week in remarks in London that the United 
States Government was running hundreds of counterterrorism 
investigations involving every United States State. In addition 
to the growth in the number of terrorist incidents, the nature 
of the threat has changed significantly. Hundreds and perhaps 
thousands of Americans here at home are in contact with ISIL 
members and affiliates, ranging from those taking direction to 
those who were inspired by ISIL messages on social media 
platforms.
    As you know, I have been particularly concerned about 
terrorists' use of the internet to instruct, recruit, and 
inspire terrorism inside the United States. And you very 
graphically pointed that out and I hope you will again this 
afternoon, in what you said this morning. I believe that United 
States companies, including many founded and headquartered in 
my home State, have an obligation to do everything they can to 
ensure that their products and services are not allowed to be 
used to foment the evil that ISIL embodies.
    Last week I read a lengthy feature in the New York Times. 
The title was ``ISIS and the Lonely American,'' which described 
in detail how ISIL members used Twitter and other services to 
recruit a young woman over months to support a militant brand 
of Islam and try to get her to marry an ISIL fighter and travel 
to Syria.
    As Director Comey notes in his opening statement, quote, 
``The foreign terrorist now has direct access to the United 
States like never before,'' end quote. Foreign terrorist 
groups, as well as adversarial nation-states today, have 
greater awareness of how the United States intelligence 
community conducts its business to collect intelligence needed 
to protect the people of this country and to inform national 
security decisions.
    This Committee has heard from the FBI, the National 
Security Agency as late as yesterday afternoon, the National 
Counterterrorism Center, about how terrorist groups in 
particular have moved to forms of communications that are 
harder or impossible for the intelligence community and law 
enforcement to access. The increased use of end-to-end strong 
encryption by both new and established communications companies 
has exacerbated this trend.
    I understand the need to protect records and encryption is 
one way of doing so. Especially in this area of cyber-
penetrations of our government and our private sector 
companies, encryption is an important safeguard. That doesn't 
mean, however, that companies should configure their services 
in a way that denies them the ability to respond to a court 
warrant, a FISA order, or a similar legal process from the 
government.
    This is not a theoretical issue. The FBI has briefed this 
Committee on cases where it knows of communications involving 
ongoing terrorists by ISIL inside the United States, but it has 
no way to obtain the content of those communications even with 
a court order based on probable cause.
    It seems to me that if companies will not voluntarily 
comply with lawful court orders for information, then they 
should be required to be able to do so through legislation in a 
way that protects security of consumer data against 
unauthorized access. As Director Comey has said, we are not 
looking for a back door into American companies; we are looking 
to be able to use the front door.
    So, I welcome today's hearing and look forward to the 
Director's testimony on the ongoing threat of terrorism against 
the United States and the need to acquire lawfully and quickly 
information necessary to stop those threats from becoming real 
attacks. Thank you very much, Mr. Chairman.
    Chairman Burr. Thank you, Vice Chairman.
    For members, after the Director's comments members will be 
recognized for five minutes based upon their order of 
attendance today. And I would like to remind all members that 
we're in an open session, which is unusual. Therefore, I would 
ask you to be particularly careful in the questions that you 
ask. I trust, Director if in fact you have an answer that can't 
be given in an open session, you'll just tell the Vice Chairman 
and I that we'll carry this over to a closed session at an 
appropriate time, and we'll accommodate you on that.
    With that, let me turn it to you, Director Comey, for any 
of your comments that you'd like to make.

 STATEMENT OF HON. JAMES B. COMEY, DIRECTOR, FEDERAL BUREAU OF 
                         INVESTIGATION

    Director Comey. Great. Thank you, Mr. Chairman, Madam Vice 
Chair. Thank you for this opportunity. I really do like the use 
of the word ``conversation.'' I think this is a conversation we 
have to have as a country and this is a great opportunity to 
have it, to begin having it. I sometimes hear people talk about 
the crypto-wars and we're fighting the crypto-wars today, and I 
don't like that metaphor because I don't feel like I'm fighting 
anything. I am not here to win anything. I'm here, I hope, to 
explain the ways in which the change in technology and the 
change in which bad people are using technology affects the 
tools the American people through this body have given the FBI.
    I think we all care about the same things. We care deeply 
about the security of our information, of our healthcare, of 
our finances, of our innovations, of all the great things that 
travel over the internet. We all care about that. And I think 
we all care about public safety. We all care about the ability 
to keep the folks safe in this country. And so I don't see it 
as a war, I see it as an opportunity to talk about how one is 
in tension with the other and what should we do about it.
    I really do believe we stand at an inflection point that I 
felt not long after I became Director, which is why I started 
talking about this, where the technology has moved to a place 
where encryption, which was always available over the last 20 
years, has become the default. And that change has been 
accompanied by an explosion in apps that ride on the internet 
and offer end-to-end encrypted communication. Those things have 
put us at an infliction point most obviously, given my primary 
responsibility, with respect to counterterrorism.
    But this Committee knows from closed sessions what I think 
the American people may know less well, which is the terrorism 
threat today is very, very different and has changed just in my 
almost two years as Director. It is not the Al-Qaeda of old. 
The Al-Qaeda of old was interested in the multipronged, 
national landmark-based, careful, long-planned attack with 
carefully vetted operatives. We still face that challenge. The 
Al-Qaeda of old was very different from what see today. And the 
Al-Qaeda of old wanted to proselytize and it did so by posting 
magazines on websites, and if somebody wanted to consume 
propaganda they found the website and they went and read the 
propaganda and if they wanted to talk to a terrorist they sent 
an email into the magazine and maybe Anwar Awlaki would email 
you back.
    Here's what's changed. ISIL thinks about their terror in a 
very different way. They're not focused on the national 
landmark, multipronged, long tail event. They want people to be 
killed in their name. And they're coming to us with that 
message, with their propaganda and their entreaty to action 
through Twitter and other parts of the social media. And that 
is a very different thing than Al-Qaeda ever did.
    They come into our country through thousands and thousands 
of followers of ISIL tweeters who are based in Syria. They have 
a physical safe haven and so they broadcast a message, which is 
two-pronged: come to the Islamic State, join us here in this, 
you know, our version of paradise, which is a nightmare, but 
their version of paradise. And second, if you can't come, kill 
somebody where you are, videotape it. If you can cut their head 
off and videotape it, great. Please try and kill law 
enforcement or military; here's a list of names where you could 
kill somebody.
    And this message is pushed and pushed and pushed. Social 
media companies are worth billions of dollars because pushing 
to someone's pocket, whether you're selling shoes or cars or 
terror, works, right. ISIL has invested in this for about the 
last year and they have about 21,000 English language followers 
right now, and they're pushing this message. It's as if a devil 
sits on someone's shoulder all day long, saying kill, kill, 
kill and the terrorist, if you want to talk to them, is right 
there in your device.
    And so they're reaching and they're calling and they're 
calling, and it's having an effect on troubled souls in the 
United States. As the Vice Chair said, I have hundreds of these 
investigations in every single State, and we had disrupted just 
in the last few weeks very serious efforts to kill people in 
the United States. The challenge to us is, ISIL will find the 
live ones on Twitter and then we can see them say: Okay, here 
is my encrypted end-to-end mobile messaging app contact 
information; contact me there.
    And so our task, to find needles in a nationwide haystack, 
becomes complicated by the fact that the needle at that moment 
goes invisible, right. I know I'm giving information to bad 
people. We cannot break strong encryption, right. I think 
people watch TV and think the Bureau can do lots of things. We 
cannot break strong encryption.
    So, even if I get a court order under the Fourth Amendment 
to intercept that communication as it travels over the wires, I 
will get gobbledygook. That needle will remain dark to me. That 
is a big, big problem for us.
    And the second way in which this is enormously challenging 
is ISIL does something Al-Qaeda would never imagine. They test 
people by tasking them. Kill somebody and then we'll see 
whether you really are a believer. And these people react in 
ways that are very difficult to predict.
    What you saw in Boston was what the experts call flash to 
bang being very close, right. In Boston you had a guy who was 
in touch in an encrypted way with these ISIL recruiters and we 
believe was bent on doing something on July 4th. He woke up one 
morning, June 2nd, and decided he was going to go kill 
somebody. Right, thank goodness we were able to confront him. 
He confronted our people with a knife and unfortunately they 
had to use their weapons. But that's an example of sort of the 
unpredictability of this.
    So you combine the blindness with this broad reach and that 
flash to bang and we face a challenge that we've not seen 
before. This is not your grandfather's Al-Qaeda. This is a very 
new threat that we face.
    Now, some people say to me: Well, you have all kinds of 
other information you can get; we live in the golden age of 
surveillance; and I think of it differently. I think we live in 
the golden age of communication. Al-Qaeda--Osama bin Laden 
would never have dreamed that he could speak simultaneously to 
hundreds of Americans, find them and task them in ways that 
American law enforcement could not see and do it at the speed 
of light. The golden age of communication is posing enormous 
challenges for us.
    I'm not here to scare folks, though. I'm here to tell 
people there is a problem. I do not know the answer. A whole 
lot of good people have said: It's too hard; that we can't have 
any diminution in strong encryption to accomplish public 
safety, else it'll all fall down and there'll be a disaster. 
And maybe that's so. But my reaction to that is, I'm not sure 
that we've really tried. I think Silicon Valley is full of 
great people who when they were younger were told, your dreams 
are too hard. They were standing in a garage some place and 
they were told ``Can't be done.'' Thank goodness they didn't 
listen.
    I think we have the talent to think about this in a good 
way. My hope from this conversation is that folks will realize 
this really matters. And the FBI is not the source of 
innovation. We're just telling people we've got to talk about 
this, because I see the present and I see the future, which in 
many ways is more troubling, because the logic of it is 
inexorable.
    FBI is not some occupying force imposed on the American 
people from abroad. We belong to the American people. We only 
have the tools that they have given us through you. I'm here to 
tell the American people: The tools you've given us are not 
working the way you expect them to work in the highest stakes 
matters. I need help figuring out what to do about that. The 
companies are run by good people. I think they see the 
challenge, they want to help. We have to figure out a way to 
solve this, to crack this riddle.
    And maybe it's too hard, maybe we end up in that place. But 
I think this country has never been made up of people who say, 
``Can't be done.'' We really ought to talk about it more. So, I 
appreciate the opportunity to discuss it with the Committee.
    [The prepared statement of Director Comey follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
     
    Chairman Burr. Director, thank you. And I think it's safe 
to restate that we're at the start of the debate, even though 
we have had the conversations for some time privately. We've 
watched encryption grow more dominant and more dominant, and 
really, as you said, become the default. It's almost automatic 
now. And it places a huge challenge on your ability to fulfill 
your mandate, and our challenge is to work with you as an 
extension of the American people to provide you what tools 
America is comfortable with and I think as we go through this 
debate we'll figure out where that sweet spot is.
    With that, I'm going to turn to the Vice Chairman for her 
questions, and I would share with the members it would be 
Feinstein, Wyden, Heinrich, Cotton, Coats, Hirono, Mikulski, 
Collins, Warner, McCain, Blunt and Lankford in that order. Vice 
Chairman.
    Vice Chairman Feinstein. Thanks very much, Mr. Chairman.
    Director Comey, I think you spoke very eloquently, but can 
you quantify this at all? Can you tell us how often the FBI 
acting pursuant to a warrant or other lawful process encounters 
encrypted information you cannot access?
    Director Comey. Thank you, Senator Feinstein. The answer is 
I really can't at this point, for a couple of reasons. We're 
sort of at the beginning of this and we're going to work to try 
and collect that data.
    But the other thing is, it's a bit of like proving a 
negative. When my folks see that something is encrypted, they 
move on and try to find some other way to assess this bad guy, 
this potential bad guy. And so we obviously have incidents, the 
courts have collected incidents, where wiretaps were issued by 
courts and then encryption was encountered. But my numbers--I 
don't have good enough numbers yet.
    Vice Chairman Feinstein. Okay. I think it would helpful if 
the Department could gather some numbers to quantify this.
    The next question is BSA, which is known as The Software 
Alliance, sent a letter to this Committee and the Judiciary 
Committee stating that calls for weakened encryption, quote, 
``can create artificial commercial disadvantages for United 
States companies and barriers to market access.'' End quote. 
I'd like to have your reaction to that statement?
    Director Comey. First, I think--again, I'm not an expert. 
Public safety is my thing, but I think I take issue with the 
notion of weakening encryption. I also take issue with the 
whole back door notion. I think what smart people have told me 
is there are a number of companies already out there that use 
strong encryption on their data, including data in motion, that 
have the ability to access the data and comply with court 
orders, and they're able to do both in a pretty robust way in 
all different sectors, in the information--in the ISP world as 
well as in finance and a bunch of other places.
    So I don't know that it's going to be a question of 
weakening encryption. It's simply going to be a way of figuring 
out how do we comply with a judge's order, we the company, and 
I don't think the government is, frankly, smart enough to be 
able to impose a one size fits all solution. But I also think 
you're right that there are competitive and international 
implications in this. None of us want to do anything to damage 
the innovation of America. It's the great engine of this 
amazing country.
    And so I do think there are international implications that 
have to be considered. Every country that cares about the rule 
of law is grappling with this right now. All of them are trying 
to figure out a way to maximize safety on the internet, right, 
make sure there's strong encryption, and maximize public 
safety, and do it under the rule of law. Our friends in the 
U.K. are doing that right now. So I agree that there are 
implications to it internationally.
    Vice Chairman Feinstein. Well--and let me ask you to 
respond. This is another quote from the same letter: 
``Requiring technology that provides law enforcement access to 
information also risks undermining the security of all 
electronic communications and digitally stored information.'' 
End quote.
    Would you comment on that? As I understand it, what you 
would be talking about is some kind of a front door key? Is 
that--is that correct?
    Director Comey. Again, it's part--my reaction to that 
comment is ``Maybe.'' And if that's the case, well, I guess 
we're stuck. But I don't think the great innovative people of 
America have actually put their mind to this, frankly because 
they haven't been incentivized to do so.
    But again, I believe there are companies that provide 
significant portions of our internet activity that have 
encrypted--strongly encrypted data in motion and have the 
ability, because it's part of their business model, to see the 
data and comply with court orders.
    Vice Chairman Feinstein. So, you're saying that some do and 
some don't.
    Director Comey. Correct.
    Vice Chairman Feinstein. Is that what you're saying?
    Director Comey. Somehow they've managed to do it without 
the entire system crashing or without their own business being 
materially vulnerable in some way. But look, here's how I 
understand it. There's no such thing as secure. There's more 
secure and less secure. There's vulnerability in every system. 
The question is: So what can we do to maximize public safety 
that results in an acceptable level of security? And the answer 
is I don't know, but I think a lot of smart people should talk 
to each other to try and figure that out.
    Vice Chairman Feinstein. Thank you.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator Wyden.
    Senator Wyden. Thank you very much, Mr. Chairman.
    Director Comey, I very much share Director--Chairman Burr's 
comment with respect to the respect we have for the men and 
women of the FBI, and you and I have policy differences on that 
matter, but we are not going to respect the men and women who 
work for you any less because of those differences.
    Every Senator who serves on this Committee understands that 
it is a dangerous world and the challenge is to make sure that 
we pursue approaches that promote security while not 
diminishing our liberty. Too often, we haven't been able to 
achieve either. And I think as we start this debate I want to 
emphasize how exactly we got here. Executive Branch agencies 
are now dealing with a problem that they largely created.
    Senior officials made the choice to secretly twist the law 
to support an ill-conceived secret program that vacuumed up 
millions of phone and email records of law-abiding Americans. A 
number of us spent years warning what the consequences would 
be, but obviously public confidence was dramatically 
diminished.
    That led to a very serious public backlash and in response 
to it, just as Senator Feinstein read, our hardware and 
software companies accelerated their efforts to provide 
customers with stronger protections.
    This obviously creates real challenges for you. But I will 
tell you, as of this morning statements are being made that do 
not inspire a lot of confidence. You talk about the need to 
strike the right balance. There hasn't been a lot of balance in 
the past, and as of what I heard this morning there still isn't 
too much balance in the so-called balance.
    The Deputy Attorney General, Ms. Yates, seemed to suggest 
this morning that companies should retain a stockpile of 
encryption keys for the government to access. Making this a 
mandatory requirement would obviously present huge problems 
since any such stockpile would be vulnerable to compromise or 
abuse. In my judgment, a mandate like that would be a huge gift 
to foreign hackers and criminals.
    So what I want to do with my time for questions is put this 
into context on a matter we all care about up here, which is 
cyber security. I've had companies in Oregon hacked for 
economic espionage and my constituents are not alone. So on the 
topic of encryption and cyber security, has the Executive 
Branch done any analysis of the impact that a requirement for 
U.S. companies to build weaker encryption or stockpile these 
encryption keys would have on U.S. cyber security?
    Director Comey. Not that I'm aware of, because that forms 
part of our concern that we not try to impose a solution. I 
didn't understand her to be saying--obviously, I sat next to 
her. I didn't understand her to be saying that. I understood 
her to be saying the end state we want is that companies, 
however they choose to do it, will be able to comply with 
judges' orders, but that we don't want to impose a one size 
fits all; we want companies to work with us to figure what 
works for you, because it seems that some companies have 
figured out how to do it.
    Senator Wyden. Well, she was suggesting in my view that 
there be a stockpile of these keys. She didn't want the 
government to have it. And once you're going down that route, I 
think it's trouble.
    Now, having said that you're not aware of any study, and 
that was my sense, is it fair to say that strong encryption 
improves cyber security and weaker encryption reduces cyber 
security?
    Director Comey. Yes. Strong encryption is great.
    Senator Wyden. Okay. Now, if a stockpile of encryption keys 
was created somewhere, because I took Ms. Yates' comment to not 
be the government but she wanted it somewhere, if you had a 
stockpile of these keys created somewhere, would you be able to 
guarantee that these keys would never be stolen by a hostile 
foreign actor?
    Director Comey. The hypothetical stockpile of keys, surely 
not. But again, please don't understand me to be suggesting, 
nor should you listen to me if I suggest, a technical solution. 
I don't know what the answer is.
    Senator Wyden. But I think you're right. I think that, 
based on my 14 years of service on this Committee, I don't have 
a lot of confidence that a stockpile of these encryption keys--
and as I say, I heard Ms. Yates said there ought to be some 
kind of arrangement to have these encryption keys somewhere. 
I'm not confident it wouldn't be compromised or abused. That's 
the flaw in the concept. We'll continue to have this debate.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator Heinrich.
    Senator Heinrich. Mr. Chairman, I want to thank you for 
holding a public hearing on this topic and giving us an 
opportunity to discuss these issues. If I had one critique it 
would be that we're missing valuable insight from the 
technology, privacy and constitutional liberties experts who 
also have valid concerns around these ideas, potential 
proposals.
    So, you know, one of the things that I would suggest is 
that we consider holding a follow-up public hearing where we 
can hear from some of those individuals as well, particularly 
in the technology space. And in the meantime I ask unanimous 
consent that a number of letters and background materials that 
you did not include in your earlier unanimous consent be made 
part of the hearing record.
    Chairman Burr. Without objection.
    [The material referred to follows:]
    Senator Heinrich. Let's see. Director Comey, you know, this 
issue of losing access to encrypted communication is obviously 
complex, particularly from a technological point of view. And I 
guess I want to start by just commending you and, as I have NSA 
Director Rogers, for your willingness to address this publicly 
and to start the conversation. I think one of the challenges is 
that it's going to be very hard to address this issue without a 
specific technological proposal or fix to be able to discuss. 
And, you know, back in the 1990s we had a first crack at this 
which really came apart at the seams once it became solidified 
around the particular piece of technology and that's what I'm 
concerned about today.
    So, in the interest of time, I'm going to submit the rest 
of my opening statement for the record so I can get to a couple 
of questions. But I think that's going to be at the crux of 
this conversation for a while, is that we need to know what a 
potential fix looks like or in the case of if there are 
examples--and I'll get to that in my questions--what those look 
like, to be able to know whether a fix is really better or 
whether it creates inherent weaknesses that are exploitable by 
some of these very talented, nefarious actors that you brought 
up in your testimony.
    As you know, yesterday several respected computer and cyber 
security experts, people who are really well renowned in the 
area of cryptography, released a report that effectively 
concluded that you can't reliably provide the government or 
anyone else with exceptional access to software applications 
without introducing some critical weaknesses in that 
encryption.
    Given your interest in this issue--and I hope you've had a 
chance to at least familiarize yourself with that report--you 
know, one of the things I'm concerned about here I guess is 
that it seems like government and the technology interests are 
sort of talking past one another, and need to sit down and get 
at least the technology pieces of this on the table, so that we 
can all agree that we're talking about the same thing. And I 
think it would be a mistake with regard to exceptional access 
to leave the solution to a Congress that I would argue is not 
always the best judge of all things technical.
    As you mentioned, there are a lot of people in Silicon 
Valley who are doing a really good job of trying to manage 
these things. So, can you give some examples of programs that 
currently use some form of end-to-end encryption, so provide 
that security, but also are able to respond somehow to the law 
enforcement warrants that you need to put out there?
    Director Comey. Thank you, Senator. I agree very much, 
which is why I'm so excited about this opportunity, because I 
think things like this hearing will drive the conversation, 
because we need to do it together. They are the source of the 
innovation and the expertise. We need their help in solving 
this.
    I'd never heard until I read--I read the executive summary 
and I went through that paper pretty quickly, the rest of it, 
I'd never heard the term ``exceptional access.'' My reaction 
when I read it is I don't want exceptional access; I want 
ordinary access where a judge issues an order and folks are 
able to comply with the order that a judge issues. There are 
providers who, because of their business model, encrypt, as I 
understand, strongly encrypt the communications in motion, but 
they are visible to them on their servers that they control, as 
part of the business models, because they want to be able to 
sell you ads and so they need to be able to see the content.
    And for those providers, some of whom are huge providers, 
we are able to serve a judge's order and get the content in a 
counterterrorism case or an espionage case or serious criminal 
case of communications that the judge has authorized us to do. 
And I don't think those folks think that their system is 
materially vulnerable.
    And so I wonder. Again, folks should not be looking to me 
for technical advice. I wonder whether that isn't an example 
that we should use in our conversations with the companies. But 
every company is going to be different, which is why I don't 
think one size fits all, because some of the companies at issue 
that the terrorist use are three guys in a garage who started 
this end-to-end encrypted app. And so our ability to work with 
them may be very different than with some bigger companies.
    So, I don't think we want to be seen as we're going to 
impose this fix on all of you. We want to talk to you about how 
we can solve this. I don't want to demonize the companies, 
either. They love their country, they care about public safety. 
I know that from private conversations, and so it's about we 
care about these two things; how do we maximize both of these? 
Maybe it's impossible. Maybe the scientists are right. I'm not 
ready to give up on that yet.
    Senator Heinrich. Well, we're overtime here, so I'll wait 
for the second round. But I guess everybody has this concern 
about, you know, just having been one of the people who got a 
letter from OPM recently, that the government might not be the 
right folks to be holding the keys for end-to-end encryption. 
So we need to find a more elegant approach.
    Director Comey. Agreed.
    Chairman Burr. Senator Cotton.
    Senator Cotton. Thank you, Mr. Chairman.
    Thank you, Director, for being here to address this very 
important problem. To make sure I understand the issue here, 
what we're talking about is not some kind of extraordinary 
surveillance, not something that's unknown to the user of a 
device, but encryption technology that would thwart a lawful 
court order that has been taken in front of an independent 
Federal or State judge by law enforcement authorities to get 
access to data, and then you go to a company and the company 
says: Sorry, we can't provide you this information because we 
have designed a system in a way that prevents us from accessing 
it.
    Director Comey. That's correct. Or with respect to a device 
that's locked and the same judge issues a search warrant, and 
they tell us: We can't open it because we designed our system 
to make the phones--we cannot unlock them.
    Senator Cotton. And this is the Intelligence Committee, but 
I know you testified in front of the Judiciary Committee this 
morning. This is an issue not just for terrorist operations, 
but I would presume also for things like child molesters, child 
pornographers, sex traffickers, kidnappers, is that correct?
    Director Comey. Yes. This is an overwhelming issue in local 
law enforcement and prosecution, especially the data that's on 
a device that can't be opened, because they tell me that's a 
feature of all of the cases you mentioned as well as domestic 
violence, car accidents. The information on there can show you 
who the bad guy is, also tell you someone is not guilty, and so 
it's very important in all their work.
    Senator Cotton. In one of the recent Congressional 
recesses, I spent some time at the Little Rock field office for 
the FBI. First, I want to commend the agents and employees you 
have in that field office there for their dedicated public 
service. It was a very important afternoon for me. They 
specifically brought up the ``Going Dark'' issue and the way it 
has thwarted their operations to keep Arkansans safe.
    Furthermore, I was able to see in their lab an effort they 
had made to get access to a locked device, and they got access 
and it actually allowed them to recover a young girl who had 
gone missing. But they said that that was rare and that they 
were fortunate they were able to do it. I think that's just an 
example of what I suspect is the case, is that in your opinion 
in all 50 States of our Union is this an ongoing problem for 
both Federal law enforcement and local law enforcement?
    Director Comey. Yes.
    Senator Cotton. Do the companies with--with whom you deal 
in private settings, appreciate the fact that the technology 
that they are creating and marketing is being used by 
terrorists and some of the most heinous criminals in our 
society?
    Director Comey. They do and it bothers them, which is why I 
think we're starting to have more productive conversations, 
because they're good--they're good people.
    Senator Cotton. So we're not the only society to encounter 
this kind of problem, of course, and one argument you hear from 
American companies is that they need to compete in the 
international market because most people don't live in the 
United States.
    Director Comey. That's true.
    Senator Cotton. Have you taken a look at how countries 
like, let's say, the United Kingdom or France have addressed 
this issue?
    Director Comey. Yes. They are both grappling with it. 
They're both a little bit ahead of us. They both have passed 
legislation that as I understand it will require providers to 
give access, again with appropriate authority, in the course of 
investigations. So they--they're grappling with it just as we 
are. Everybody who cares about the rule of law and public 
safety has to grapple with the same thing.
    Senator Cotton. So about 20 years ago, this Congress passed 
something called CALEA, the Communications Assistance for Law 
Enforcement Act, saying, in the old days, essentially on 
telephones--that telephone companies had to provide the ability 
to let law enforcement with a lawful court order, a lawful 
court order, put in a wiretap. Could you look to CALEA or maybe 
what other countries have done to address the ``Going Dark'' 
program with data encryption as a model for this Congress to 
act?
    Director Comey. It's possible. I mean, it's one of the 
things that's being talked about, is that a model that can be 
adapted to deal with this challenge? And so we're still working 
on that.
    Senator Cotton. Okay.
    Director Comey. And by us I mean not just in the 
government, but I think the private sector has to be part of 
the conversation.
    Senator Cotton. Does the Executive Branch yet have 
legislative proposals that they are prepared for this Congress 
to take under advisement?
    Director Comey. Not yet.
    Senator Cotton. Is that because you're continuing to work 
with some of these companies to try to develop the technical, 
legal, and policy frameworks?
    Director Comey. Yes. Just as I think we all do, the 
President sees the problem, sees that these two things we care 
about tremendously are in tension and that's it's a really hard 
problem. And so he's commissioned a whole lot of work on 
different streams, but one of them is to figure out what 
legislation, if we decide to go that route, would make sense, 
and to get the input from the private sector on, so what would 
work for you folks?
    Senator Cotton. Well, thank you very much, Director, for 
your testimony. Thank you very much for what you represent, the 
tens of thousands of agents around the country who keep us safe 
on days like the 4th of July and every day. I just urge you and 
the men and women with whom you work in the Executive Branch to 
get us that kind of proposal as quickly as possible. We all 
recognize the tension between trying to protect data, which we 
want to do for American citizens, but also ensure that law 
enforcement has the tools they need, not just to stop terrorism 
but stop the most heinous kinds of crimes imaginable in our 
society.
    Chairman Burr. Senator Coats.
    Senator Coats. Thank you, Mr. Chairman.
    Director, we're having I think a very worthwhile discussion 
and I appreciate your being here, and also your open-mindedness 
in terms of finding humility in a sense in saying we don't know 
all the answers, but there are a lot of cooperative and smart 
people out there that can help us find the answers and 
hopefully attain that balance between privacy and that balance 
between protecting people's lives.
    I don't envy you your job, because every day I pick up the 
paper or turn on the television and the news, and there's an 
abducted child, there's a criminal act, there is a threat, 
terrorist threats from abroad. And the American public is 
demanding that your agency do everything possible to prevent 
that from happening, to recover that child, to address the 
blatant use of communication devices and so forth and so on 
that result in very, very bad criminal acts.
    By the same token, you get hit from the other side by 
saying, but don't you dare do anything that would give you--
that could potentially be used to violate someone's privacy.
    And so that's a very narrow path to try to walk down and 
achieve both of those goals. And I think your statement 
relative to the fact that we need to turn to those very people 
that are providing the encryption in order to protect people's 
privacy are part, a very essential part, of the solution.
    My question here though, is that, while we can make 
patriotic requests to all these technical companies, Silicon 
Valley, in other words to help us through this and there are 
patriotic Americans that say, yes, let's see if we can find 
that sweet spot, we also know that there are countries around 
the world that have no intent of helping us whatsoever. And 
within those countries or even some of those lawless areas like 
you mentioned in terms of ISIL occupying physical territory, 
the last thing they're going to want to do is cooperate with us 
in terms of finding a solution to this particular problem.
    And so it would be very easy--well, that turns us to the 
difficulty of, no matter how much we do, we're a global 
communications system in place, and it's easily to turn 
somewhere else. We've seen offshore gambling because we passed 
laws that say you can't do gambling on the internet here in the 
United States, and they simply find an island in the Caribbean 
and set up and through the ether, there it goes.
    So I'm wondering how you can continue to have the agency 
perform its role without some type of authority to allow you 
to, of course within the legal system, address the problem? And 
obviously, it's going to take time to develop any kinds of 
solutions. Do you--what do you have to do relative to manpower 
costs to fill the gap between now and then?
    Director Comey. Thank you, Senator. And I should have said 
this earlier, to thank the entire Committee, but Senator Cotton 
and you, Senator Coats, reminded me. Thank you for the nice 
things you said about the folks at the FBI. I sent them all a 
note, an email, before July 4th saying, thank you for the 
American people. I know we're grateful, I know that you're bone 
tired. My folks are bone tired, but they stopped the stuff that 
was trying to come at us for July 4th. But that--now, it's July 
7th and 8th, and they're on to the next thing. So thank you for 
that. I'm going to pass it along to them. It means a lot to 
them.
    We love walking that fine line right between public safety 
and privacy and civil liberties, right? Because we care--we've 
got families, we care about the same stuff. So we like walking 
that line. We do agree that there's an international component 
to this, as you said, Senator, that we're going to have to 
address. The folks, especially in Western Europe and here in 
North America, who care about the things that we care about, we 
have to figure out an approach together that makes sense, but 
America is the big dog. All right. The innovation is here, the 
energy is here, the infrastructure is here. What we do will set 
the tone and the pattern for the rest of the world. We can't 
fix the whole world, but for the world that thinks about things 
the way we do, values what we do, we can drive it.
    But that doesn't mean it's not--that it's an easy thing. We 
try to fill the gap by--if I can't see the communications of 
the terrorist, then I got to figure out, okay, can I get an 
informant in on them? Can I send an undercover in? Can I follow 
him 24/7--24/7 for weeks and weeks and see if I turn something 
up?
    All I'm telling folks is we will keep doing it. My folks 
will keep working no matter how tired they are. It's just the 
tools the American people thought we had are being diminished 
and I see that only continuing.
    Senator Coats. I think we all look forward to working with 
you trying to achieve that goal.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator Hirono.
    Senator Hirono. Thank you, Mr. Chairman.
    Thank you, Director, for your work and of course all of the 
people who work for the FBI and protecting the safety of our 
citizens.
    I'd like to get a little bit more information on where we 
are now in terms of your ability to see information. For 
example, in how many cases have you seen a warrant for a device 
or a warrant that has been thwarted--completely thwarted by 
encryption? And how many Federal investigations had been unable 
to progress because of encryption?
    Director Comey. So the answer--as I said earlier, Senator 
Hirono, I don't know the answer to that. We're going to try and 
see if there's data we can collect on that. I'm not confident 
it's going to be very reliable for you, though, because what 
our investigators do is if they see someone is on an app that 
we know is encrypted, they're not going to bother seeking a 
wiretap for that. So we won't be able to count that, I don't 
think, as a wiretap thwarted. And if we see encryption, we just 
try and find another way to assess the situation and we try to 
use the other tools.
    We're going to try and do that for you, but I'm not 
optimistic we're going to be able to get you a great data set. 
There's no doubt that it is a real feature of our life. I think 
that's one thing everybody should be able to agree upon, that 
the logic of this is all of our papers and effects, all of our 
communications, will at some point be covered by strong 
encryption. I hope everybody agrees that will have profound 
consequences for law enforcement.
    Senator Hirono. I think that's one of the reasons that we 
have to be very careful in what--in what we decide to do. And 
so it always helps to define the extent of the problem in the 
current situation. And then, as you say, no system is secure, 
so we need to weigh the--what the risks are, et cetera, because 
at the same time, we have this very august group who have said 
that forcing companies to--to provide a back door to encryption 
is going to result in a lot of unintended possibly 
consequences, including we are told that some of our companies 
will lose a competitive advantage because of--for example, if 
we expand CALEA to including encrypted apps, that CALEA only 
would apply to our companies and therefore, if our companies 
have to provide a sort of a back door way to get to this 
information and foreign companies who are in the marketplace 
don't, then they are at a competitive disadvantage.
    So there are a lot of issues that we do have to weigh. And 
speaking of CALEA, by the way, did I understand you to say that 
expanding CALEA is just one of the things on the table, because 
I thought you had said at another forum perhaps that you think 
CALEA should be expanded to include encryption apps?
    Director Comey. I don't know whether I said that, but if I 
said it I'm smarter today than I was then. I think that's 
something that folks are discussing. But I don't know what that 
answer is. That's why we haven't come to the hearing with a 
proposal. We're trying to show the humility to say we actually 
don't know what will be best. But I agree with the competitive 
harm point, Senator.
    Senator Hirono. As we wrestle with this subject, though, 
meanwhile the companies are providing more and more encryption 
apps. I mean, at what point do you think that we will be 
prepared to take some sort of legislative action that would 
enable you to get access to information and yet still provide 
our companies with the--the kind of environment that they would 
like us to provide?
    Director Comey. I don't know.
    Senator Hirono. And what is the timeframe for that?
    Director Comey. I don't know, because I do think this is 
a--one of the most complicated problems I've ever seen in 
government, for the reasons that I have alluded to here, 
including what you said about competitive harm. We do not want 
to damage the engine of innovation that is America. And so we 
have to figure out, so how can we maximize safety on the 
internet and public safety in a way that makes sense for 
America.
    Now, it probably makes sense, we ought to figure out what 
kind of people we want to be first, what makes sense for our 
country. But I do think we've got to do that in league with 
international partners, so we don't create a situation where 
America is the only mover and that causes harm to our--our 
companies.
    Senator Hirono. I think that is a very important aspect of 
what we need to do going forward on the ``Going Dark'' problem, 
because it would be very unfair to our companies, as you say, 
if we're the only country that requires a back door way to this 
information. So I'm glad that that's on the table with--in our 
discussions with our--with other countries.
    So the president's review group, that's some--some other 
people I have already mentioned. But they said very strongly 
that we should not require a back door way. So in these 
discussions, is the technical, you know, technology companies, 
are they going to be at the table as we discuss going forward 
and what might be appropriate legislative action?
    Director Comey. They have to be, because I think we all 
think no one size fits all. So you've got to figure out what 
would work for different companies. And as I said before, I 
think that is the source of the innovation. That is the source 
of the creativity that we have to harness.
    Senator Hirono. Thank you, Mr. Chair.
    Chairman Burr. Senator Mikulski.
    Senator Mikulski. Mr. Director, it's very nice to see you 
again.
    Mr. Chairman, thank you for having this hearing, as well as 
the Vice Chair. I'd like to pick up on Senator Heinrich's 
recommendation about an additional hearing on this subject from 
the technical and civil liberties folks. In our briefing 
materials, I read letters from the ACLU, whose views we so 
value; The Software Alliance; and I saw a lot of criticism of 
what we're pursuing here for some type of opportunity to not go 
dark.
    But I didn't see any solutions. I saw a lot of criticisms, 
a lot of critiques, but I didn't see solutions. Now, I believe, 
again as Senator Heinrich said and others, we have tremendous 
technical know-how, and I believe that the people in Silicon 
Valley are indeed very patriotic people and they don't want 
drug dealers and international traffickers and child 
pornographers to be able to get away with nefarious things.
    So if we could actually perhaps get from those as well as 
the civil liberties community, how we can start working to a 
solution, that would be great.
    Mr. Director, in this year's appropriations funding we 
worked very hard to support you, both when I was chair of the 
subcommittee that funds you, as now as Senator Shelby. We have 
now put in $8.4 billion to fund you for this coming year. And 
we also put in $483 million for cyber security. My question to 
you is, do you feel that those resources and the type of 
workforce you have is able to be flexible enough to meet the 
ongoing threat?
    This is a--and no, I'm not being critical of what you have, 
but as you talk about the recruitment tools of ISIL, who are 
pretty talented using Twitter and other forms of social media, 
that's a whole different generation. And it's a whole different 
generation than the original cyber warriors that were hired 
under your predecessor. So do you feel you have enough 
resources to be able to recruit the people needed to deal with 
this, as well as the administrative flexibility to bring in 
teams? This is not going to be your traditional agent. Could 
you share with us, because we can have the best law in the 
world, but unless you have the best workforce and the 
flexibility and the resources to hire it, we're just creating 
hollow opportunities?
    Director Comey. Thank you, Senator. I think the answer is 
yes and no. Yes, I believe that the Senate and this Congress is 
giving us the resources I need for next year, the money I can 
responsibly spend. But I face a threat obviously that continues 
to grow, so I will be back to ask for additional help. But I 
think you have given us what we can reasonably spend, 
reasonably invest in.
    And I think the answer is yes, I think I can attract the 
talent. I cannot compete on dough, but the value proposition is 
totally different. If you're interested in dough, you don't 
want to work in the FBI, and that's--you didn't--you don't come 
here to get rich. But so many young people want to make a 
difference in the life of this country that they don't care 
about the dough. They want to be part of addressing these 
threats. That's pretty exciting, and so I'm optimistic 
actually.
    Now, once I get them in and they're here five, six years, 
start to have a family and there's no cost of living 
adjustment, maybe I start to lose their enthusiasm a little 
bit, but that's a problem I'll deal with down the road. I've 
got lots of smart young folks who want----
    Senator Mikulski. But what about the flexibility--so here--
there's the--you investigate breaches and a variety of things. 
You're also counterterrorism. That's the social media world 
that you're now operating in. Even a modern director like 
Director Mueller did not face what you have. He faced Al Qaeda; 
you face a variety of other challenges, as you so clearly said. 
Do you have the administrative flexibility to bring on people 
as you need them that might not be the traditional trade routes 
for recruitment of FBI personnel?
    Director Comey. I think so. There's a couple of things 
around that that I'm thinking about. But in the main the answer 
is yes. One of the things we have to consider is should we look 
at a different career proposition for people. Have them come--
once people come to the FBI, they almost never leave. They get 
addicted to it. But should there be a model where they come, 
then they go and do something in the private sector, then come 
back? That's something we haven't done before, but that may be 
a model I want to look at. But in the main, yes. I have the--
you've given me the flexibility.
    Senator Mikulski. My last question, and I think perhaps 
it's not appropriate to an open session. So we had three so-
called coincidences today: the fact that the technology has 
failed at United Airlines, the New York Stock Exchange, as well 
as the Wall Street Journal. I don't believe in coincidence. I 
believe a coincidence is an event that we don't have an 
explanation for. Is the FBI investigating these as breaches or 
have you not been called in, or you're not able to say?
    Director Comey. We----
    Senator Mikulski. I was very troubled by these so-called 
coincidences.
    Director Comey. Yes, as was--obviously, that caught my 
attention. We're not big believers in coincidence, either. We 
want to dig into that. So we've been involved in--all three, in 
contact with all three companies to understand what's going on. 
And we do not see any indication of a cyber breach or cyber 
attack. Actually, I think the Wall Street Journal piece is 
connected to people flooding their website in response to the 
New York Stock Exchange to find out what's going on. But it 
looks--again, in my business you don't love coincidences, but 
it does appear that there is not a cyber-intrusion involved.
    Senator Mikulski. Thank you very much, Mr. Director.
    Chairman Burr. Senator Collins.
    Senator Collins. Thank you, Mr. Chairman.
    Director, you've talked about the impact on terrorism cases 
and your counter-terrorism efforts. And you've said that it's 
very difficult to quantify what the impact is. But it's my 
understanding that this morning in testimony before the 
Judiciary Committee that the district attorney for Manhattan 
said that in the past six months alone there have been 74 cases 
where law enforcement had been stymied because they were unable 
to get information from lawfully seized cell phones. Is that 
accurate?
    Director Comey. I saw that in the written testimony of 
District Attorney Vance and so, knowing him, I believe it to be 
accurate.
    Senator Collins. As I look at this problem, which obviously 
has ramifications, as some of my colleagues have pointed out, 
for criminal cases as well as for counter-terrorism 
investigations, would an option be to require the companies 
themselves to be able to access the information to comply with 
a lawful court order, not the government having the keys or a 
back door in, but the company itself. Might that be a solution 
to this problem?
    Director Comey. Yes. And that's something the deputy 
attorney general talked about this morning, that it's possible 
to imagine a world where the companies figure out how to comply 
in a way that maximizes security of their information and 
complies with the judge's order, and that every company does it 
in a slightly different way. Yes, that's a possible outcome.
    Senator Collins. Now, there are some--most companies I 
suspect that are involved in developing this end-to-end 
encryption did so with the best of intentions. They were trying 
to increase the security of the data of their customers. But do 
you believe that there are some companies that have 
intentionally developed this kind of system in order to thwart 
their ability to respond to a lawful court order?
    Director Comey. I don't know, with respect to the intent 
question. I know there are companies that have, once they made 
the decision, advertised it as a solution that would be immune 
to a search warrant. Apple did that when they ruled out their 
new phone. But I don't know that the intention of the original 
change was to accomplish that result, if that distinction makes 
sense.
    Senator Collins. Well, it doesn't to me, because when a 
company is advertising that the information would be safe from 
a search warrant that's very troubling to me, because that to 
me implies an intent to keep information away from law 
enforcement despite the issuance of a lawful court order. And I 
think most people involved in the encryption process in 
developing these products would not want to thwart law 
enforcement, whether it's for a criminal case or terrorism. But 
that kind of advertising does trouble me. And I won't ask you 
to respond to that.
    I do want to switch to access to a different kind of 
information that suggests how much we need a computer--a cyber-
security law. I just met with the CEO of a large bank. He 
relayed to me an incident where the FBI knew that his bank had 
been targeted for a cyber attack. Here's what he told me had to 
happen.
    He said that the FBI under current law could not 
immediately go to this bank and convey the information. First, 
they had to go to the bank regulators, the OCC regional office. 
Then the information had to go from there to the OCC in 
Washington. From there, it had to go to the Department of 
Homeland Security. Then they had--the Department of Homeland 
Security approved the FBI contacting the bank to warn them of 
this imminent attack.
    Well, obviously--and he said this all occurred over a 
weekend. So it was difficult to reach people, there were cell 
phones involved, et cetera. That's a terrible system. And we 
need to be able to empower the FBI in real time to be able to 
notify a financial services organization, the electric grid, 
the air traffic control system, critical infrastructure, of an 
impending attack. Would you agree with that?
    Director Comey. Very much. And what you've described 
surprises me because I think the way we operate is we call 
them. If there's a threat to an institution of any kind, we've 
developed relationships with their chief information security 
officers, so what--I'm going to go back and track--maybe you 
can privately give me the information.
    Senator Collins. I will privately----
    Director Comey. Because it's not the way I understand it 
works or is supposed to work.
    Senator Collins. Well, this incident really troubles me, 
because by the time the information got to the proper people at 
the bank, it is nothing short of a miracle that the cyber 
attack hadn't already occurred.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator Warner.
    Senator Warner. Thank you, Mr. Chairman.
    Director Comey, good to see you again, and let me add my 
comments to my colleagues' about the good work that you and the 
people of the FBI do.
    Building on Senator Collins' comment, I think again, even 
if this was a one-off, a notion that there's not clarity and a 
single point of contact is--speaks volumes about the need to at 
least take forward the legislation that this Committee passed 
in a bipartisan way and at least take a first step, it's not 
going to solve all the problems, but I think it would be a 
significant step forward.
    I have some technology background. I've--I have had some 
conversations with companies in the IT space and the encryption 
space who once they've created this entity I think in a sense 
are starting to understand the potential problems that are 
being created. Can you speak to any of that in terms of a 
recognition that, under the guise of either privacy or business 
protections, of a growing recognition within particularly the 
IT community that this is very much a double-edged sword and 
may have created a monster that is not controllable?
    Director Comey. Thank you Senator. I meant what I said. I 
think they are good people, and I--look, it's not their job to 
worry about public safety. And so I don't think it's something 
that's front and center for them. I think what's happened is, 
particularly this ISIL threat and how real it is and everywhere 
has focused them. And so they see it, and so we're having 
productive conversations. Again, they don't want people to die; 
they don't want kids to get kidnapped. These are regular folks. 
And so that's why I'm excited about the prospect of harnessing 
that innovation.
    They are good people who want to have successful businesses 
and they want to protect their country. And so--again, I'm not 
a naysayer. I know here people write papers that say it's just 
too hard, and I'm not buying that, because I don't think the 
great people of Silicon Valley and other places have said: You 
know what, let's see what we can do in a way that protects that 
which we have built and the country in which we live.
    Senator Warner. And Mr. Chairman, I'd just say I've got a 
series of these companies in Virginia and when the hundred-plus 
military personnel and their families' names were publicized in 
an attempt to intimidate, I think it woke up in at least the 
Commonwealth of Virginia a lot of IT companies about the notion 
of how very real and how obscene some of the actions that this 
ISIL group does in terms of threatening people.
    Let me move to--Senator Mikulski asked the question I was 
hoping to ask about the three events today and I hope you will 
get back to us. But I'm going to raise another issue that I 
think there has been a great deal of confusion around and 
concern about, and that's the OPM breach. We're literally 
months into this now and continue to get a series of different 
answers in terms of numbers. I've been very disappointed by 
OPM's reaction post-breach in terms of assuring those Federal 
employees current and past, both in terms of what actions the 
government's going to take to protect them going forward and 
some of the subcontractors they've been using and how ill-
equipped they've been.
    Not your topic, but if you can perhaps give a little more 
clarity about the overall scope of that attack within the 
confine or within the context of this public hearing? There's 
an awful lot of people listening for those kind of answers.
    Director Comey. It's something I have to approach carefully 
in an open hearing. And I know that the administration, OPM in 
particular, is working and is close to offering a more--a 
public and more detailed accounting of what we think was lost. 
But it is an enormous breach and a huge amount of data that is 
personal and sensitive to Federal employees, former Federal 
employees, people who applied for Federal employment was 
available to the adversary. And we have to--we have to assume 
that it was looked at and or ex-filled. So we--we're talking 
about millions and millions of people affected by this.
    And the challenge of it is it's not just--I'm sure the 
adversary has my SF86 now. My SF86 lists every place I've ever 
lived since I was 18, every foreign travel I've ever taken, all 
of my family, their addresses. So it's not just my identity 
that's affected. It's, you know, I've got siblings, I've got 
five kids, I've got--all of that is in there. And so the 
numbers quickly grow far beyond the number of Federal 
employees, which is millions over the last 20 years. And so it 
is a very, very big number. It is a huge deal.
    Senator Warner. And I understand an active investigation. 
But I also know that we're now running on 60 plus days, 
actually, more than a year since the first breach. And the lack 
of a single answer or even some sense of that answer overall 
from the administration is very troubling.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator McCain. John, cut on that 
microphone, would you.
    Senator McCain. Is it true that you have stated on several 
occasions that ISIS poses over time a direct threat to the 
United States of America?
    Director Comey. Yes.
    Senator McCain. And that is the case today?
    Director Comey. Yes. Every day, they're trying to motivate 
people here to kill people on their behalf.
    Senator McCain. And every day that they take advantage of 
this use of the internet which you have described by going to 
unbreakable methods of communicating, the more people are 
recruited and motivated to--here in the United States and other 
countries, to attack the United States of America; is that 
true?
    Director Comey. Yes, sir.
    Senator McCain. So this is not a static situation. This is 
a growing problem as ISIS makes very effective use of the 
internet, is that correct?
    Director Comey. That's correct, sir.
    Senator McCain. So in all due respect to your opening 
comments, this is more than a conversation that's needed. It's 
action that's needed. And isn't it true that over time the 
ability of us to respond is diminished as the threat grows and 
we maintain the status quo?
    Director Comey. I think that's fair.
    Senator McCain. So we are now--and I've heard my 
colleagues, with all due respect, talking about attacks on 
privacy and our constitutional rights, et cetera. But it seems 
to me that our first obligation is the protection of our 
citizenry against attack which you agree is growing, is that a 
fact?
    Director Comey. With respect to the--I agree that our--that 
is our first responsibility. I also agree----
    Senator McCain. So the status quo is not acceptable if we 
support the--the assertion that our duty is to protect the 
lives and property of our fellow citizenry as our first 
priority, is that--do you agree with that?
    Director Comey. I agree that this is something we have to 
figure out what to do about.
    Senator McCain. So now we have a situation where the major 
corporations are not cooperating and saying that if we give the 
government access to their internet that somehow it will 
compromise their ability to do business, is that correct also?
    Director Comey. That's a fair summary of what some have 
said.
    Senator McCain. So we are discussing a situation in which 
the U.S. Government, i.e. law enforcement and the intelligence 
community, lack the capability to do that which they have the 
authority to do; is that correct?
    Director Comey. Certainly with respect to the interception 
of encrypted communications and accessing locked devices, yes.
    Senator McCain. So we're now in an interesting situation 
where your obligation is to defend the country and at the same 
time you're unable to do so because these telecommunications--
these organizations are saying that you can't and are devising 
methodology which prevents you from doing so if it's the single 
key only used by the user, is that correct?
    Director Comey. I wouldn't agree, Senator, that I'm unable 
to discharge my duty to protect the country. We're doing it 
every single day using all kinds of tools.
    Senator McCain. Are you able to have access to those 
systems that--which only have one key?
    Director Comey. No. We can't break strong encryption.
    Senator McCain. So you can't break it. And that is a 
mechanism which is installed by the manufacturer to prevent you 
from using the--that there's only one key that is available to 
them--to you.
    Director Comey. That's correct.
    Senator McCain. So suppose that we had legislation which 
required two keys, one for the user and one that, given a court 
order, requiring a court order, that you would be able to, with 
substantial reason and motivation for doing so, would want to 
go into that particular sight. What's the problem with that?
    Director Comey. Well, a lot of smart people, smarter than I 
certainly, say that would have a disastrous impact on broader 
security across the internet, which is also part of my 
responsibility to provide that.
    Senator McCain. Do you believe that?
    Director Comey. I'm skeptical that we can't find a solution 
that overcomes that harm. But a lot of--a lot of serious people 
say: Ah, you don't realize; you'll rush into something and it 
will be disaster for your country because it'll kill your 
innovation, it'll kill the internet. That causes me to at least 
pause and say, okay, well, let's talk about it.
    Senator McCain. Yes. But we've just established the fact 
that ISIS is rushing into trying--attempting to harm America 
and kill Americans, aren't we?
    Director Comey. They are.
    Senator McCain. So I say, with respect to my colleagues and 
their advocacy for our constitutional obligations and rights, 
that we are facing a determined enemy who is as we speak, 
according to you and the Director of Homeland Security, seeking 
to attack America, destroy America and kill Americans.
    So it seems to me that the object should be here is to find 
a way not only to protect Americans' rights, but to protect 
American lives. And I hope that you will devote some of your 
efforts and I hope this Committee and I hope the Congress will 
understand the nature of this threat and to have--to say that 
we can't protect Americans' constitutional rights and at the 
same time protect America is something that I simply won't 
accept.
    I thank you, Director Comey.
    Chairman Burr. Senator Blunt.
    Senator Blunt. Thank you.
    Director, thank you for being here and thank you for the 
work you do. Following up on the comments that Chairman McCain 
made, what are we really focused on here? A--the recruitment of 
somebody who's not already in a terror network? And the reason 
I'm asking this, it seems to me that if you want to use 
encrypted equipment from some other country and two of you were 
committed to do that, you could do that.
    I mean, when I'm out of the country, I can get on the 
internet, the wireless out of the country, the wireless 
network, use the equipment that I took with me, which is 
certainly not something I purchased there. So what I'm asking 
is if--even if we did something about encryption here, I'm no 
technical expert, but it seems to me that wouldn't stop two 
people who plan to communicate with each other on devices they 
got somewhere else from doing that.
    Is there something here I don't understand about that? And 
then the other part of the question is, or is our real target 
here to monitor the recruiting efforts or the internal efforts 
of people who aren't in a terror network but are talking in the 
United States among themselves about doing terrorist things?
    Director Comey. Thank you, Senator. The recruitment tends 
to take place in a way that we with lawful process can see it 
either--usually on Twitter or Twitter Direct Messaging, which 
are not encrypted. And then if it looks productive to the ISIL 
recruiters, they move them to the end-to-end encrypted 
communication. And so a major concern is what are the guys in 
Syria telling these guys and what are they telling them back, 
and what are they saying to their buddies using encrypted 
platforms in the United States? So it's both the international, 
right, and the local within the network in the United States.
    Senator Blunt. I guess what I'm asking is, if the 
international encrypted equipment is still available, is there 
anything we can do that stops that from being a problem that 
you can't penetrate?
    Director Comey. I think the answer is--again, I'm not an 
expert--if the servers are located entirely outside the United 
States, that we would have a heck of a time enforcing a regime 
that would require them to give us access.
    Now, I suppose an expert might say to you, well, but if it 
transits to United States, there's some way we can--we can 
impose our will on it. I just don't know well enough to 
evaluate that. So I do think one of the challenges that people 
have raised with us is to say, even if we fix our problem, you 
have to address it in some fashion internationally, because the 
really bad guys will move to infrastructure that is in Western 
Europe.
    And so to solve your problem, people say, you've got--
America has got to get its act together, and it's the big dog 
so you probably ought to do it first. Then your colleagues and 
allies in Western Europe have to get their act together to make 
sure there isn't a safe haven there. Now, that still leaves you 
with people who might want to move their infrastructure to some 
other less well governed part of the world. So you're always 
going to have a small part of that problem. But I think the 
main part of the problem could be dealt with with North America 
and Europe focusing on it.
    Senator Blunt. And is Europe focusing on it?
    Director Comey. Yes. As you--as I think I said earlier, the 
U.K. and France, they're a little bit ahead of us on this, the 
French in particular in the wake of Charlie Hebdo and the--and 
the Brits. Both--I know the British better--have legislation 
that requires access to communications. Their challenge is the 
reverse of what you're saying. The infrastructure is in the 
United States on which they want to compel access. And so 
trying to figure out how to deal with that is a--is a challenge 
we're still working through.
    Senator Blunt. And so the infrastructure is really the 
target, as opposed to the device somebody might be using? Even 
if the device is encrypted, what infrastructure it goes through 
may or may not accept that encrypted message?
    Director Comey. Well, I think the reason I was talking 
about the infrastructure is that would give you the ability to 
compel some--to impose a requirement that that provider, the 
owner of that infrastructure that sits in your country, comply 
with American law to give judge--traditional orders to make 
them effective.
    The challenge is, if the infrastructure is not in the 
United States, who are you compelling to give the judge's order 
effect?
    Senator Blunt. Mr. Chairman, I think I'm joining the group 
that's suggesting we have a more technical--does not--not to 
diminish either your ability in this area or mine. And probably 
in a closed session, so we could ask questions without being 
concerned about anybody telling us something that everybody in 
the world doesn't necessarily need to know so we'd understand 
this.
    But I think we have a bigger problem than we can deal with 
on our own, and to fight a big fight here that is easily evaded 
by somebody who wants to evade it would be of concern to me. 
But in conjunction with others who are perhaps even ahead of us 
on this, I think the director makes a--makes a good point that 
we need to be sure we all understand.
    Chairman Burr. I assure the Senator that Senator Feinstein 
and I were up conversing already about how we put together 
another hearing, if not a series of hearings, to try to get 
into this a little bit deeper and to better understand, along 
with the director, what our options might be as we proceed 
forward.
    This is--this is something I would recommend to all the 
members that they become educated in on a periodic basis, 
because this is not the end of technological advances. 
Therefore it's not the--this is not the last challenge we're 
going to be faced with from a technology standpoint.
    Senator Lankford.
    Senator Lankford. Thank you Mr. Chairman. And you're right, 
this is not the last one we're going to deal with. This is the 
latest technological battle we're going to deal with.
    Director Comey, thank you for all your work and please pass 
on to the folks who worked some very long hours leading up to 
July the 4th our appreciation for what they did for the Nation 
and for the citizens of my State and people all over the 
country. We do appreciate their work very much and you have a 
terrific team.
    The challenge that we face on this is not only the 
technology side in dealing with terrorism; it's also the 
benefit that is gained from this. I would tell you the folks at 
OPM would be glad to talk about encryption and the value of 
that right now. If they had kept their data in a more encrypted 
location and stored it better and had greater security on this, 
whether that be retailers around the country, whether that be 
banks, whether it be government agencies, we are benefiting 
from encryption and from the technology that has been invented.
    The hard part of this is the other side of it. And so what 
I'd like to talk about is we've got to have some kind of 
balance in the conversation because we absolutely need 
encrypted technology because we are very exposed and we're 
finding out all the ways that our information is exposed and so 
we need that technology to continue to advance on one side as 
we deal with cyber security, but on basic law enforcement and 
on real threats for physical security, we've got to have a 
different ability, and I think that's the complicating factor 
of this.
    With that in that conversation, talk to me a little bit 
about some legal frameworks here. If someone goes on social 
media and they have child pornography, that's a criminal issue. 
If someone goes on to social media and says, Here's a group of 
people to kill and we'd like you to kill them and here's some 
ideas to do that, talk to me about the legal frameworks between 
the two. Because there's a step before this when they move 
encryption that is the recruiting and that recruiting side is a 
group of individuals that are recruiting based on, we're 
looking for people who actively believe like we do, which is 
not the problem, but that will also act out and kill people. 
Help me understand some of the legal frameworks there?
    Director Comey. Well, the--if someone is on social media 
talking about the possibility or offering any kind of criminal 
activity, which includes terrorism because it's a criminal act 
as well, that that's obviously a predicate for an FBI 
investigation and for us using our lawful tools, including 
judicial orders, to find out what's going on there and who are 
these people.
    Senator Lankford. Okay. So I'm really talking the step 
before that then, and that's where you're not talking about 
now, that social media side of that. What does that trigger at 
that point, or is that you begin the investigation, you begin 
the process obviously of trying to track this down because 
they're encouraging a criminal act on American soil.
    But then you've got extra communication that's happening 
now on the encrypted level; is that what I'm picking up?
    Director Comey. Yes. Right. What's happening is they're 
broadcasting out this poison through Twitter. They have 21,000 
followers now in English and they'll have Twitter-following 
communications so it tweets back and forth. Then they may have 
direct messaging through Twitter.
    All of which again with lawful process we can get access to 
and evaluate. And if it looks like someone--and here's the way 
ISIL operates. If the person appears to be serious, they will 
then say: Okay, move to this mobile messaging app which is 
encrypted end-to-end. And that's when we lose them. And so--and 
we have--as I said earlier, we have no ability--If we intercept 
that mobile messaging app data traveling back and forth, we can 
intercept the data, but it's gobbledygook and we can't break 
that encryption.
    Senator Lankford. Yes. Right. Yes, that part I understand. 
So the social media platforms, they still see no issue, once 
it's clearly known that this is an illegal activity that's 
happening on their platform? Is their response to say ``You 
can't do that on our platform?'' Or their response is, ``Hey, 
we're just open for anything whether it's prostitution, child 
porn, or terrorism; you can use it?''
    Director Comey. Oh, I'm sorry. I misunderstood the 
question, Senator. They're being quite good about this, 
frankly, and it's gotten increasingly good over the last year.
    Twitter does not want people engaging in, soliciting, 
advertising criminal activity of any sort on their social media 
platform. But they're being particularly aggressive at shutting 
down and trying to stop ISIL-related sites. I think it actually 
led ISIL to threaten to kill their CEO, which helped them 
understand the problem in a better way. And so it's a--they are 
being quite good about that.
    Senator Lankford. Okay. And then you've alluded twice now 
to the U.K. and France are a little bit ahead of us on this, 
and then you said that they're discussing this. Can you give us 
greater detail to what they're discussing? When you say they're 
a little bit ahead of us on this, I think it's a rare moment 
for Europe to be ahead of us on anything, but that's a whole 
different issue. So help me understand what you mean by that?
    Director Comey. Right. I don't want to swell the Brits' 
heads. They're a little bit ahead of us, but then they're not. 
So let me explain what I mean by that. They have passed 
legislation that's called ``DRIPA''--I don't remember what that 
stands for--that imposes data retention requirements on 
communications providers and then also imposes access 
requirements that the providers must comply with lawful orders 
for data that's moving on their network.
    So they're ahead of us in that they've passed the 
legislative package that addresses in part what we're talking 
about here. Where they're not ahead of us is, they have to 
figure out, so how will that work when all the providers are in 
the United States? And so how will they enforce their 
legislation if they want data from someone who's located in 
California and all the infrastructure's in California? How will 
they actually make that a reality?
    Senator Lankford. Okay, thank you.
    I yield back.
    Chairman Burr. Senator Risch.
    Senator Risch. Thank you, Mr. Chairman.
    Director Comey, those of us on this Committee meet 
regularly with heads of state and people like you from other 
countries. Interestingly enough, their top question to us 
always is and their top concern to us is similar to what we get 
from the American press and the American people. And that is 
that this whole thing has gotten to the point where the most 
serious problem is these lone wolf people who are either 
inspired or directed from out of their country to do something.
    And of course, the most recent horrific example is what 
happened in Tunisia just last week. And without--obviously we 
are in an open session, I understand that. But I'd like to give 
you the opportunity to talk to the American people and tell 
them how--what a--what a concern this is for you, how this fits 
into your priorities, and what you're doing about this in 
matters that are unclassified. Could you do that for me please?
    Director Comey. Sure. Thank you, Senator. ISIL is reaching 
into the United States, to all 50 States, trying to motivate 
troubled souls and increasingly kids to either come to their 
caliphate or kill where you are. And social media, this 
investment in buzzing in your pocket all day long, actually 
works. It works to sell shoes, it works to sell cars, it works 
to motivate troubled souls to do bad things. We are now reaping 
the results of a year-long effort by ISIL to invest in this 
social media push, which is why you see so many arrests by the 
FBI. These are our disruptions stopping people from going and 
shooting innocent people or trying to behead them.
    And so this is going on all over the place. We're working 
very, very hard on it. I want the American people to know about 
it because it's an important thing, but we also need their 
help. In almost every case, someone saw something. Someone saw 
something weird that didn't seem right. We've got to get folks 
just to tell us. I mean, human nature is to write an innocent 
narrative over the hair standing up on the back of your neck 
and say: I must have misunderstood; he must be having a bad 
day. Okay, if it's just a bad day there won't be a problem. We 
investigate in secret so we don't smear innocent folks.
    But we've got to get folks, when they see something that 
makes the hair stand up on the back of their neck, say, that 
guy doesn't seem right, and tell somebody, so that we can check 
it out, right? We need the help--because this spans all 50 
States, we've got State and local law enforcement helping us 
all around the country. We need the good folks of America, if 
they see something that seems out of place just say something 
and we'll check it out. You can tell any police officer, any 
deputy sheriff in the entire United States. Since 9/11 we have 
gotten our act together and that information will get within 
minutes to the right people.
    Senator Risch. Director Comey, thank you for that, and I 
appreciate what you do and what your organization does. And we 
all know that you've got to be right every day 100 percent of 
the time. They've only got to be right once.
    And so you're doing--you're a good job, and keep up the 
good work. Thank you.
    Thank you, Mr. Chairman.
    Chairman Burr. Thank you Senator.
    Director, we're going to take just a few more questions and 
I'll just make this note for members. We've got a series of 
five stacked votes starting at 4:30.
    I want to try to sort of wrap a lot of things that you 
talked about because people have asked individual pieces of 
this question on ``Going Dark.'' Is your--is your greatest 
concern finding the balance between what we ask phone companies 
or service providers or manufacturers to do to their products 
or their system and where the breakpoint is before they become 
a foreign company versus a domestic company, where I would take 
from what your folks said to you, when you get to the point 
you've chased them out of the country you've just made your 
problem much worse versus better. Can you help us dissect that?
    Director Comey. Yes. The reason this is the hardest problem 
I've seen in my career in government is we have important 
public safety issues that we've talked about that I think 
everybody agrees are implicated by the universal strong 
encryption. And then we've got innovation, which is 
unbelievably important. It's the engine of our amazing country. 
And we've got security.
    As a number of Senators have said, I care a lot about cyber 
security. I love strong encryption. So how do we take those 
all--those things we care about, innovation and jobs, security 
on the internet and security for ordinary people from crime and 
terrorism, how do we maximize them all? How do we optimize them 
all? And as I said, some smart people say: Well, if you do 
anything, it will destroy the internet or it will chase all the 
business overseas.
    And so I do think we have to engage on the technical 
solution with smart people and creative people and we need to 
think about is there an international aspect to this? And 
again, I'm making this up, but ought not the civilized rule of 
law countries agree upon a framework that makes sense? 
Sometimes people say to me: Well, if we do this for you, we've 
got to do it for China. And my response is: Well, if China 
wants you to do for me--for them what I want you to do, which 
is require me to go to an independent judge, show probable 
cause, get a written order, right, be subject to all this, that 
would be great for the Chinese people. I don't think China 
wants you to do what I want you to do. So I'm less worried 
about what we agree to being used against us in China.
    But I am worried about this point that's raised about 
chasing business to other parts of the Western world, which is 
why I think we've got to be thoughtful about it.
    Chairman Burr. Well, we certainly--we get that part and 
we're going to follow that up with some tech company questions 
at a hearing.
    Now, before I turn to the Vice Chairman, I want to give you 
one opportunity. If there's something you want to share with 
the American people that you haven't already talked about as it 
relates to the Bureau, I want to give you the opportunity to do 
that about your folks at the Bureau and what the Bureau does 
and why the American people should care whether you're 
successful.
    Director Comey. Well as I said earlier, I--we work for the 
American people. We are the--I hope a lot of folks know folks 
in the Bureau. We're ordinary people who've chosen to do this 
with our lives. We use the tools you gave us. And I'm here not 
to scare the American people, but to say to the owners of the 
FBI: I've got a problem; I need help fixing it so that I can 
continue to do my job.
    But make no mistake about it, the folks who work for me, 
we're going to stay at it every single day round the clock. And 
if this tool goes away, okay, we'll do our absolute best. But 
we think it would be irresponsible not to tell the 
shareholders, the people who own the FBI, the challenges we're 
facing so that we can figure out whether we can address it.
    But my folks that--you know, on TV sometimes we look great, 
sometimes not. In movies sometimes good, sometimes not. In 
movies the director is often doing exciting things that I would 
rip an Achilles doing. But we are ordinary people who've 
chosen, not to make a good living but to make a different kind 
of life. We love this work. We love working for you, right? And 
we're simply here to tell you, sort of give you a status report 
on how's it going with the tools you've given us.
    Chairman Burr. Vice Chair.
    Vice Chairman Feinstein. Thanks, Mr. Chairman.
    We--this Committee passed out its intelligence 
authorization bill I think on June 24th. And in that bill we 
put a provision which would require technology companies to 
inform the appropriate authority when they obtain knowledge of 
terrorist activity. Now, this is modeled after an existing law 
which requires technology companies to notify authorities about 
cases of child pornography, but it doesn't require companies to 
monitor any user, subscriber, or customer. It is really the 
beginning of saying: Look, Look, Mr. and Mrs. American 
Technology, you have a responsibility, too. What do you think 
of that?
    Director Comey. It's an interesting idea. I've heard about 
it. My folks have told me about it. I haven't read it or 
studied it and so I haven't--I frankly can't give you an 
intelligent answer. It's an interesting idea. I do find in 
practice that they are pretty good about telling us what they 
see so--that's a--I have to give you a non-answer.
    Vice Chairman Feinstein. Well, it's really simple. We do 
that for child pornography. Don't you think we should do it for 
possible terrorist acts?
    Director Comey. Maybe, but I haven't heard--I'd want to 
hear out the other side.
    Vice Chairman Feinstein. Oh, dear.
    Director Comey. I want to make sure I'm not missing 
something. Again, I haven't read it. I'm dumb enough when I 
know something. This is something I haven't studied enough to 
give you an intelligent answer.
    Vice Chairman Feinstein. Okay.
    Thanks, Mr. Chairman.
    Chairman Burr. Senator Wyden.
    Senator Wyden. Mr. Comey, one last question. If the United 
States were to require our companies doing business here to 
ensure government access to encrypted communications, would you 
expect that foreign governments would create the same 
requirement for companies operating there?
    Director Comey. I think they might or might try to.
    Senator Wyden. And I will tell you that in my view would 
clearly be the outcome. I think that would make American 
individuals and businesses more vulnerable to surveillance by 
foreign governments.
    And I just want to leave you with one last thought. I've 
been on this Committee for 14 years, so I kind of get a sense 
where something is headed. And I think, Mr. Director, where 
this is headed is towards proposals for some kind of stockpile 
of encryption keys. I don't think we have it fleshed out where 
Senators are going to want to go, but I get the sense that's 
where this is going, that there should be some kind of stock 
pile of encryption keys for the government to access.
    I just want you to know that I'm willing to work with you 
on ideas here but I think this proposal is a big time loser. 
It's a on ideas here, but I think this proposal is a big-time 
loser. It's a loser on security grounds for the reasons that 
I've mentioned. It is a retreat on privacy. And I think it will 
do great damage to our cutting-edge digital companies that have 
jobs and pay good wages.
    So I hope we're not going to go there. I just want you to 
know my sense, having listened to a couple of hours of this and 
listening to this morning's testimony, where I think this is 
headed and I think it is the wrong way to proceed.
    Thank you, Mr. Chairman.
    Chairman Burr. Senator Heinrich.
    Senator Heinrich. Director Comey, you've heard this before, 
but I want to say it again. Please thank all of your personnel, 
not just for their efforts in recent weeks but their efforts 
that go unsung year in and year out.
    I want to thank you in particular for the amount of 
humility that you've shown today. I think it's really helpful 
at wrapping our heads around how we should proceed on this 
because I think--I think the most dangerous thing is to jump to 
a solution that turns out to be the wrong solution.
    I have some ideas that I won't share in open session, that 
I'll share with you and share with my colleagues here, about 
places we should be investing right now to address some of 
these concerns. And I'll just reiterate, I think we would be 
making a mistake if we immediately jump forward and say we 
passed a law tomorrow that prohibited strong end-to-end 
encryption with temporary expiring keys, and effectively what 
we did under that scenario, or at least what I would fear, is 
that a terrorist or a criminal would simply download an app 
from Pakistan or somewhere else that would allow them to get 
around this scenario. And it would put our Americans' data at 
risk, while protecting theirs effectively.
    So I think we just need to think through all of that to 
make sure that at the end of the day, we're getting at the 
people who are causing the problem and we're not building in 
weakness into the protection of our country's data, be it the 
government or just individuals who expect their financial data, 
their healthcare data, all the things that we use online now, 
to remain--to remain private.
    So with that, once again, I would ask you to share any 
final thoughts and thank you for realizing that there are going 
to be a lot of questions and realizing that we're not going to 
have all the answers immediately and we shouldn't jump to 
answers before we completely understand the problem.
    Director Comey. Well, thank you, Senator. I agree that 
something has to be approached carefully. As I said, I think 
it's the hardest problem I've seen in government. The stakes 
are very, very high on all sides of this.
    I think we care about the same things whether we're from 
industry or government, and I think that's one of the great 
things about this country. We do hard stuff when we talk about 
it together and figure out together, especially when the whole 
effort is around shared values.
    Senator Heinrich. I'll leave you with one last thought. 
We've heard a lot about the amazing innovations of Silicon 
Valley and I would tend to agree that, especially on the 
business front, incredible stuff comes out of there all the 
time. I think as we seek a solution to some of these things, we 
should not forget the incredible innovations that come out of 
our national laboratories. And some of--some of those solutions 
may make even better sense in this scenario.
    So thank you once again, Director.
    Chairman Burr. Thank you, Senator Heinrich. I'd think less 
of you if you didn't get that plug in there on the lab before 
you left.
    And I won't speak for the Vice Chairman but, you know, if 
anything I've been a little frustrated, frustrated that nobody 
in the administration, no agency, is coming up and saying: 
Here's what we think we need. I mean, we've been talking about 
``Going Dark'' for some time and I think you deserve a 
tremendous amount of credit for your restraint. Don't know that 
we know the answer yet, therefore we're not laying proposals on 
the table. We're not up saying: Here's a solution we think 
might work. We're--we'll come when we've got a solution we know 
will work, we know we can do.
    So I commend you for that. I hadn't heard anybody talk 
about thousands of keys until today. I'm sure there's some that 
sit at home at night and are concerned that maybe that's the 
choice we'll make. If it were that easy, I think we'd already 
have a solution proposed to us and we'd be considering 
legislation and Dianne and I would be hashing it out with our 
members. The fact is that we know that that's not going to meet 
the test of getting legislation, one, through Congress; two, 
possibly signed into law. And I think we're just as challenged 
as you are, Director, about what the solution is. We want to--
we want to be part of the solution. We want to work with you.
    I think it's safe to say that we're probably going to have 
some hearings. They may be closed, they may be open. CEOs of 
tech companies, the privacy groups. We're going to try to reach 
out to some experts. Not with the belief that we're going to 
come up with a solution that you haven't come up with, but that 
we're going to be knowledgeable enough as we go down that road 
together to write legislation that both sides are confident of 
where we're going and we're fairly confident that it's going to 
be beneficial to the end goal, which is defending the American 
people.
    So let me just add one note. When I left prior to the 4th 
after doing this now for 15 years since 2000, I was convinced 
that we were going to have an incident before I came back this 
Monday. It didn't happen. And I am convinced it did not happen 
because the Bureau and the intelligence community worked like 
it's designed to work, and you asked your folks all around the 
country to go on a different schedule and they did and they 
were on that tempo for weeks and may still be there.
    And the fact is that we were able to thwart a lot of things 
early and maybe postpone some things that might have happened. 
Your folks deserve a tremendous amount of credit and the entire 
intelligence community does. We know this is not going away 
with the 4th of July. Ramadan stays vibrant for a few more 
weeks. There will be another national holiday and there'll be a 
target and we'll pick up on some things. But we also have to 
recognize the fact that we've got some areas that we're going 
to be making decisions without the information we've had in the 
past because of the communication tools that these folks are 
using.
    We want to be able to address this as quickly as we can so 
that we can return to as robust of information sharing between 
intelligence and law enforcement, so that your folks feel 
confident they can do what they're asked to do versus just 
hoping that we're putting on a good enough face on Saturday 
that we're scaring the enemy or the opponent that well.
    But you deserve a tremendous amount of credit for how over 
the last three or four weeks the Bureau has defended the 
American people. And for that, please give our regards to all 
at the Bureau.
    And with that, Director, thank you for being here. Sorry 
that you had to pull a double-header today, but you're a strong 
guy. And hopefully your Achilles is still there. This hearing 
is adjourned.
    [Whereupon, at 4:20 p.m., the hearing was adjourned.]