New policy on encryption appears unlikely

The director of the National Security Agency and the undersecretary of Defense for intelligence told a Senate panel that encryption issues would continue to be handled on a case-by-case basis.

Marcel Lettre, Under Secretary of Defense for Intelligence

Undersecretary of Defense for Intelligence Marcel Lettre told the Senate Armed Services Committee that the Obama administration is not seeking a legislative or regulatory answer to the encryption conundrum.

As the Obama administration winds down, any policy action on law enforcement and intelligence community access to commercial encryption seems unlikely, according to top intelligence officials.

At a Sept. 13 hearing of the Senate Armed Services Committee, Undersecretary of Defense for Intelligence Marcel Lettre said that for now, executive agencies and law enforcement are not seeking a legislative or regulatory answer.

"Our view at this point in the dialogue and debate is that legislation that forces or requires a regulatory solution is not preferred," Lettre said. "What we have found is that on a case-by-case basis when leaders from the executive branch have been able to have an effective and quiet dialogue with leaders in industry, the nature of the conversation starts to shift in a couple of ways."

He cited the long history of cooperation between the military and industry as a path to forging more collaboration.

In 2014, FBI Director James Comey warned that commercial end-to-end encryption would make law enforcement and intelligence agencies powerless in the face of threats by keeping them from accessing certain kinds of evidence in investigations, even with a court order. Comey dubbed the phenomenon "going dark." His initial approach was to start a national conversation on encryption, with an eye to strengthening the ties between technology firms and the government.

Lettre acknowledged that the approach did not always work, as has been the case with Twitter and Apple. Neither the senators nor the witnesses referred to efforts to force companies to open their products and data using court orders, as was the case in the FBI investigation of a device linked to the San Bernardino, Calif., shooting in December 2015.

Testifying before the same panel, National Security Agency Director and Cyber Command chief Adm. Michael Rogers said that even if there were some solution that applied to U.S. companies, terrorists and other non-state actors would be able to find encrypted communication services from non-U.S. firms.

"Clearly any structure, any approach we come up with here has to recognize that there is an international dimension to this," Rogers said. "Encryption does not recognize arbitrary boundaries on the globe that we have drawn in the form of borders of nation-states. I don't know what the answer is, but I certainly acknowledge we have to think more broadly than one particular market."

Committee Chairman Sen. John McCain (R-Ariz.) said the Islamic State group was taking advantage of an "end-to-end encrypted safe haven" from which to plan and launch attacks against targets in Europe and the United States, and the White House was "ignoring" the issue.

Rogers said Islamic State was proving to be "the most adaptive target I've ever worked in 35 years as an intelligence professional."

Separately, he said other areas of outreach to the private sector are going well. He noted that Cyber Command has a team inside the Pentagon's Defense Innovation Unit Experimental, which was trying "to harvest partnerships with the private sector."

But he also said that every now and then, a situation occurs that leads to ideological posturing that he felt would be better solved with private, behind-the-scenes discussions.