FBI Director James Comey spent Wednesday on Capitol Hill warning that commercial encryption is foiling government surveillance and helping terrorists. However, the nation’s chief cop didn’t seem to have done his homework: He couldn’t say how many times the FBI has been thwarted by encryption, or how to solve the problem.
And even while Comey criticized the encryption offered by U.S. tech companies for endangering national security, a separate hearing on the massive hack at the Office of Personnel Management showed that it was the government’s own failure to implement the most basic cybersecurity practices that has put the nation at risk, by exposing the private details of millions of current and former feds to foreign spies.
Comey told the Senate Intelligence Committee on Wednesday that advances in consumer encryption would allow terrorists and child molesters to communicate beyond the means of the bureau to intercept and read them.
But aside from raising fear about the threats the country faces, Comey did not come prepared with a solution to a pressing civil liberties problem: how to find a way to read the messages of bad actors without infringing on the privacy of ordinary Americans who want to keep their communications private.
“We cannot break strong encryption. Even if I get a court order under the Fourth Amendment to intercept that conversation, I will get gobbledygook,” Comey said. “The FBI is not some occupying force, imposed on the American people from abroad. We belong to the American people. We only have the tools that they have given us. I’m here to tell the American people that the tools you’ve given us are not working...I need help figuring out what to do about that.”
Using encryption, Comey said, persons of interest could “go dark” and communicate without law enforcement being able to eavesdrop. He was unable to provide any statistics on how often the FBI encounters this problem. But according to the latest numbers from the federal government, only 22 of the 2,275 wiretaps authorized by state judges in 2014 ran into encryption issues.
“When my folks see that something is encrypted, they move on and try to find some other way [to gather information]…I don’t have good enough numbers yet,” Comey told Senator Dianne Feinstein (D-CA), who said she wanted to be able to quantify the problem. Asked again by Senator Mazie Hirono (D-HI) if the FBI could provide statistics, Comey said, “We’re going to try and see if there’s data we can collect on that. I’m not confident it’s going to be very reliable,” but the encryption problem is “a real feature of our life.”
Comey did not offer a legislative proposal to fix the problem, saying he simply wanted to start a conversation.
“I don’t know what the answer is,” Comey said, calling the encryption issue “one of the most complicated problems that I’ve ever seen in government.”
And he said the FBI had not conducted a study on what the effect on cybersecurity would be if one proposed solution, a hypothetical stockpile of encryption keys, were to be adopted.
Instead the FBI director spent much of his time before the committee emphasizing the threat he says the United States faces from ISIS, telling lawmakers that more than 200 Americans have traveled or attempted to travel to Syria to fight with the militant group there.
ISIS has invested heavily in social media to spread its message and recruit new members, and has 21,000 English-language followers.
“It’s as if the devil sits on someone’s shoulder all day long, saying, ‘Kill, kill, kill,’” Comey said, referring to the influence of Twitter and other social media outlets. “ISIL is reaching into the United States, all 50 states, trying to motivate troubled souls,” he said, using the government’s preferred acronym for the group.
Over the course of the hearing, a whole range of threats was cited to show how encryption could thwart law enforcement, from ISIS to domestic violence, and from child molesters to finding out who is at fault for a car accident.
But there are two sides to encryption: While it may allow bad actors to hide their communications, it also is a vital measure for the cybersecurity of law-abiding Americans.
Cybersecurity and encrypted data are closely linked, noted Senator Ron Wyden (D-OR), an aggressive civil liberties advocate.
“Is it fair to say that strong encryption improves cybersecurity and weaker encryption reduces cybersecurity?” he asked.
“Yes,” Comey responded. “Strong encryption is great.”
While Comey and lawmakers dug into the nuances of complex technology, a separate hearing on the woeful state of computer security at the Office of Personnel Management showed that even when protecting sensitive information from spies, the government has failed to employ some of the most basic technology. The result: Millions of government records were stolen, Comey said Wednesday, including some of his own personal information.
The OPM has been beset for years by a “long-standing pattern of neglect” of computer security that continues to “haunt” the agency, its assistant inspector general told a House oversight committee.
In prepared testimony, Michael R. Esser said auditors found “material weakness” at the agency, which was recently overrun by hackers who stole personal information on millions of current and former government employees. “There was often confusion and disagreement” about how to protect the agency’s sensitive data, Esser said. What’s more, an office that technically had the security job was staffed by people who “frequently had no [information technology] security background and were performing this function in addition to another full-time role.”
While the OPM has made some improvements on its security, there are still numerous vulnerabilities that put sensitive information at risk, Esser said. For example, within the past year, 11 OPM technology systems that were due for a top-to-bottom security assessment didn’t get one on time and therefore were operating without a valid “authorization” that attests to their safety.
“Several of these systems are among the most critical and sensitive applications owned by the agency,” Esser said. More than 65 percent of the technology the OPM relies on for its work resides on one of two “general support systems” that haven’t received the full security review. Also, two systems used by the OPM’s Federal Investigative Services, which is the unit that facilitates background investigations for granting security clearances, weren’t given the necessary check.
“Any weaknesses in the IT systems supporting this program office could potentially have national security implications,” Esser said.
Indeed, they may already have. The hackers who breached the OPM’s systems, and who U.S. intelligence officials think are in China, stole sensitive information that is collected during background investigations, including details about people’s sex lives, their drug habits, financial and marital problems, and information obtained during polygraph tests.
The large number of unauthorized systems “is a drastic increase from prior years and represents a systemic issue of inadequate planning by OPM program offices to assess and authorize the information systems that they own,” Esser said. What’s more, he expects that this year the OPM could potentially be running as many as 23 unauthorized systems.
Esser noted that the number of unsecured systems has gotten so high because the agency is revamping its entire technology infrastructure and that officials made a decision to suspend requirements to do security checkups on the systems until all the new ones are in place. But that decision runs counter to instructions from the Office of Management and Budget, which is effectively the head office for all government departments and agencies, and sets rules and policies they are supposed to follow.
House members pressed for more details during the hearing, held jointly by the Subcommittee on Oversight and the Subcommittee on Research and Technology. OPM’s chief information officer, Donna Seymour, declined lawmakers’ invitation to testify. Her absence didn’t stop lawmakers from voicing their displeasure with her job performance.
“I understand she has ‘extensive involvement’ in repairing the system” that has been breached, said Representative Ralph Abraham (R-LA), paraphrasing Seymour’s earlier explanation for why she couldn’t attend. “Had she had extensive involvement in preventing this, we might not have been here.”
The witnesses suggested that human error, more than a lack of resources, was to blame for the government’s poor information security. Asked to grade federal cybersecurity, the director of information security issues at the U.S. Government Accountability Office, Gregory Wilshusen, offered a “D.”
“Resources is always an issue, but it’s not the sole answer,” Esser said. “Sometimes we feel the things we report don’t get the attention they should.”