
Just a quick bit on Passcode. We launched in February of this year. We bring some of the biggest issues facing the internet. If you were here this morning, you'll agree this is one of them. We hope you'll come to more of them, especially in October where we have a full slate of them here in D.C. We hope you'll listen to our podcast. Subscribe to our newsletter. This is clearly an issue where it seems like there's this immovable force about national needs and law enforcement being, I'm sorry, immovable object, unstoppable force over technology and business. We're here to figure out how to move this ahead. How to move this discussion past what seems like the past. So let me welcome in Brett Hanson from Dell. Brett is the executive director of Dell Data Security. Is your mic on? Sounds good. It's on. It's on. Um-hmm. Is it going? Good, good. You guys provide a suite of conduct. Little devices, cloud, everything in between. Channel functions in the software industry. So we've had, in this town, we're very aware of big breaches recently. Can you talk a little bit about malware tactics? Well, like you said, the number has certainly increased as well as the effectiveness of this. What is often overlooked, at almost every one of these major breaches, it comes down to individual. The end users, people like ourselves, are the focal point of the attacks. The reason why, technology can do a lot of great things. We can do a lot of improvements. As long as there's a human being at the end point, that's where the target is. They're the ones who are going to be curious and click on the picture of the pretty kitten and want to find out more about how to buy that. It has to be more thoughtful than empowering users. Raise the fact that they're going to have multiple devices. Let's do so in a way that allows me to manage and that's if they step up. That's a change in the strategy that we need to implement. So, given that, how do you get them? There's going to be a combination.
Cyber security contains lots of different parts. There's not one silver bullet. I think that's important for everyone to understand. There isn't a silver bullet. It's going to require, it's going to require advanced policy and advances in education. However, we're seeing a lot of really strong advances in the last few years. Indefinite User Security is increased significantly. And that's providing new technology with access today that and networks to better protect. So in the mobile work force, obviously, nations that do that and still stay secure. Is that a viable approach? It leads the combination above policy. And it needs to be involving the employees themselves to make sure that they're in. But for too long you think about data at the end point. PCs, mobile devices, public clouds. That's more of an afterthought. Providing IT and the chief security officer the full visibility they need. Can you truly be protected from that? There's a lot of noise out there about if you're going to be breached, it's about when. We started off acknowledging the fact that they're difficult to stop. We shouldn't give up on stopping it at the input. It can't just be about the technology. For many years, we depended on traditional signature-based anti-malware. And then saying okay, is that a good or bad executable. Clearly, that approach is no longer working. Their approaches are containerized. They're going to keep all the untrusted data, your browser and email attachments in a sandbox arena that separates it from your workflow. So, yes, the challenge is significant. Yes, we are challenged nearby. There's a lot of companies out there that employees can utilize. Let's just pause there. Any questions from the audience? Anyone like to jump in here? If you had a greater ability of data, what would that change? Is there that opportunity on the horizon? Better visibility around your data forthcoming? So, answer the first part of the question is if you had better visibility or data? Absolutely.
If you take that to the physical world, companies know where their physical assets are. So if you're able to understand where my data is going, you should be able to detect if a breach has occurred. Companies have to be thinking about their data as an asset. Encrypting it. Ensuring that there's true access control. And mitigating risks going forward. One last one, millennials in the workplace. It's a very unique issue for companies. How do you comment on that? It is not just millennials. Most of us have accepted the fact that you're going to have your work PC. What we need to do is acknowledge that the work force has changed. How people access data has evolved tremendously. Trying to be regressive and say I'm going to lock you down certainly will work for a select number of organizations. So we need to be thinking about, again, how do I protect the assets and data itself? But that's where we need to go. I think there's a question. Hold on just one second. We'll get you a mic here. We want everyone on C-SPAN to hear you, too. Hi, I'll put my coffee down. I have a question. I took my child on a Disney Baltic cruise. And I actually had to get a DoD-compliant wipe on my computer. And now I don't want to restore my computer. A lot of that data, I don't need. Just information that we don't want out. There are people carrying around stuff. Their laptops. And I carry two laptops. But when I got that DoD wipe, I felt so refreshed. I would really like one formula. I will say that there's an opportunity around data of what you're creating and what you're putting in the marketplace. The whole concept of creating data that if it's launched into cyber space and can be used against you is something that we should be aware of. It is a growing need to be thoughtful of what am I putting out there? Any questions? Sure, one right here. Go ahead. How about promising technologies and the appeal of them.
How do you prevent or break the psychology of companies wanting to invest and then becoming so reliant that they don't continue to invest in new ones. It seems to be a common trap. What can you do to break that psychology? That's good news for me. I think enr education is actually foremost. There is at this stage, a lot of excitement in the marketplace around cyber security. And I talked to customers, large and small every day, about how to improve their cyber security. What I stress to them is this is not a sprint. This is a marathon. This is going to take time. And then, to be really effective with cyber security, you need to stop thinking it as an end goal of its own and start to bring it as part of your business goals and your business objectives. So as you're considering where your business is going, you need to be thinking about cyber security. As an example. I was talking to a company that is increasingly outsourcing the production. That is creating opportunities to be more efficient. However, it's also creating new risk, as they're having to put more of their IP into the hands of their partners. There needs to be a cyber security strategy. I think that's the change that we need to help drive. Rather than getting caught and just embracing it and being done, it's how does the technology enable your business strategy and so much is cyber security strategy, as well. That's a change in the mind set, but it's absolutely critical. So my question is the solutions that you've focused on, the end users, the devices and how do we sort of secure those items. At a communications network level. What can be done there on that front to ensure cyber security? My name is Andy from G Data Software. You mentioned the end user's perspective. Other than a slap on the wrist or you're fired, how do you manage accountability. What is your idea? Network management. I obviously work for Dell. We do have a big focus around the end user security.
I think that's been a neglected part of the security environment. Security, as I mentioned earlier, is all about solutions. It's the ability of different pieces to talk to each other. So as I'm collecting information around the attacks and the Threat Service at the end point, my threat is going to enhance its security and vice versa. Increasingly, what you're going to see are these different assets starting to communicate with one another and through that communication, be more effective in terms of both addressing threats as well as being proactive and permitting them in the first place. That's a journey we're working on. Dell has a great asset which we work very closely with. So we're going to be taking those steps ourselves to really further integrate the two offerings to in real time to make them more effective as a team. Both offered as a team together. Second question, accountability. That's a tough question to answer. There's a lot of different discussions about how to encourage work force. A lot of what I've seen successful is the care and approach. Thinking about how they can be safe. Those who go a certain amount of time about how to reach a violation, either receive an award or recognition. There's also those companies focused on a shaming approach. Using a little bit of, okay, John's been breached five times in the last month. John, you're a bad guy. And that's obviously a little more draconian. It's probably in the carrot and stick approach. But, certainly, at this stage, there is a low-level appreciation for work force employee accountability. I think the carrot is a great way to go. Notify worker who is doing well. Give kudos. Acknowledge the fact that. Affecting data and addressing to protect or advance persistent threats. We're going to need to be much more effective in the long haul. Thank you, director. Thanks for coming. [ applause ]

So, first, we have Amy Hess. She is the executive assistant director of the FBI
Science and Technology Branch. Criminal justice Operational Technology divisions and the FBI lab. She'll keep a few remarks and get to questions and I do want to get to audience questions, as well. Great, thank you, sir. Appreciate the invitation to talk about this very important topic this morning. So the FBI really used the going dark issue as having been a concern for us for a number of years. It's well beyond encryption. It basically summarizes the issue we have with the proliferation of technology over the years. And how that might be impacting our ability to do our job. Our ability to get information, evidence or leads in criminal investigations or national security investigations. And so as we see this proliferation of technology, we see that case accelerating. And, so, to that point, we have actually been more and more vocal about the issues we're seeing, the concerns we're having, the challenges that we're encountering with respect to being able to do our job. So, as I said, the going dark problem is more than just encryption. When we're going dark, we're referring to encryption for, for example, data in motion. Data that's transported across networks. Real-time electronic surveillance that we must do in the course of our investigations. We also view it as a challenge with encryption on data at rest. Stored data. We also view it as a challenge when it comes to mobility. So people will bounce back and forth between, for example, cellular service, wifi service back and forth. And that presents a challenge to us, as well. And then anonymity is another challenge. And then, in addition to that, we see, for example, foreign companies. That presents a challenge to us. We see a challenge where it will disappear as soon as you send a message. And that presents a challenge to us. All of those things factor in to what we refer to as the going dark problem. At the same time, the nafgs we used to keep in our homes are more and more on our electronic devices.
And the same goes for bad guys. In trying to prevent those threats from happening or to bring those people to justice. That's where we live as a society. We also have the Foreign Intelligence Surveillance Act. It does the same thing with national security investigations. Search warrants. All of those orders signed by a judge that enables us to get access or at least authorizes us to get access. Unfortunately, unable to execute more and more because of increasing problems and issue. Not proposing a solution to that. From the government's perspective, we really need the companies to try to come up with a solution. To try to build the most secure systems. Yet, at the same and present an order with the search warrant or signed by a judge that we're able to get the information that we're seeking. The evidence, the data in readable texts. To start, let's go with encryption. So strong, they say the company itself can't get access to the data. Let's distill what we're talking about. That's actually a back door. This is a built-in weakness. What is the problem as the FBI views it and the proposals that have been flying around Washington. Sure. I think the ability for us to prevent an attack or to bring someone to justice, that's the piece that's at issue. And for the encryption piece of the discussion that we've been having, the issue comes down to whether or not the company is talking about real-time communications or stored communications, data at rest, it comes down to being able to access that. So in order to access that information, the question is how are we able to do that in the most secure way. I think starting with the premise that in the society we currently live in, currently to be able to get that information for some other consumer-based need. At the same time, the question comes down to whether or not the government should be proposing those type of solutions. They're able to build in some type of accessibility. What is the specific problem.
What happens in that process that is holding up law enforcement from getting that app? Sure, when it comes to data at rest, we see the issue and we've presented a number of examples in the past. I'll start with a passive example. For example, we had a case involving a child pornographer who eventually was communicating with individuals. Based on a photograph, question got access to that person's iPhone. And then that investigation led us to eventually identify additional victims that that person had molested. All of these individuals, these children, were under the age of 8 years old. But without that information, we might not be able to do that. We have homicide investigation where an individual is shot and killed answering the door. Now there's no one to serve the warrant on. The police were unable to access to try to find clues as to who might have been responsible for her murder. So how big of a scale is, what's the scale at this point. You have a New York district attorney who's saying that, in 80 of the cases, involving iPhones running iOS 8, law enforcement was unable to access that data. That's over the course of the example. I will be the first person to tell you that we've done a really bad job of collecting empirical data. We need to do a better job of that. One, for example, we can refer to the annual wiretap report. The problem is, to get a Title III, to get a wiretap, it's a very prolonged, deliberate process. So in order to do that, not to mention the level of FBI headquarters authorities that we have to go through. An agent is not going to pursue all of those things. We have that same problem when it comes to, obviously, what we're seeing across the board. We are seeing an increasing problem. We need to do better at capturing the data. Obviously, things like the annual wiretap report kind of presents the problem. Our investigators aren't going to pursue something that's that.
There are some who say that there's actually more law enforcement available than ever before. That law enforcement, for instance, could collect metadata which includes telephone recorders and location data. But aren't these tools enough? That's a great question. I think that, personally, I've had discussions with all of the FBI field offices to have enough knowledge of how we investigate and, of course, having been in those field offices myself, and having investigated a number of different violations, agents will always try to get the information they need. So they're going to try everything possible. In some cases, if we're stymied by the inability to get information in, really, the most effective way of being able to directly access a device or access of real-time communication, we're going to try to find a way around it. Sometimes the problem is if we can get to it, we'll have lots of examples where we could have got the information if we had the capabilities. What about creating teams to break into the data once it's been collected. Certainly, that's an issue to consider to discuss. We need to prove to a judge that we have exhausted all lesser means. To me, hacking sounds like a pretty intrusive means to be able to get the information. But on top of that, if they change that device, or if they upgrade to the latest upgrading system, they decide they don't like that anymore, it's very fragile. It may not be timely. Yeah, especially for the state and locals. We have a lot of really, really smart technologists who can help think through these problems and challenges. We communicate with our law enforcement partners on a daily basis. But the problem is, fechb we might be able to solve a specific problem, even though it might take us a while to get there, the state or local police departments may never be able to have that luxury to have those types of people employed or available to them to be able to do the same thing.
So Tim Cook, earlier this summer, said that he's a CEO of Apple. And he said if you put a key under the mat for the cops, a burglar can find it, too. I'm worried about security risks in general. The FBI supporting strong encryption. Clearly, we also have the remit for when it comes to bringing people to justice. That includes cyber threats. At the same time, how do we get the evidence we need when served with a warrant, signed by a neutral judge, to a company. To try to come up with the best, most secure motion to do that. You bring up a good point. Both the government and the private sector encryption is seen as the best practice. So do you see the, how do you see the relationship between what you're asking for and the need to protect data. Do you see that at all? Certainly, to protect people's communications. I think that goes back to just our first premise. We want people to be secure in those systems, for all the reasons I previously stated. But we also want to be able to get to the information with a warrant. When we do that, how do we get information that we need, but, yet, make sure that nobody else or at least people who build these systems can make it as secure as possible so that it limits. There will always be a risk. And I will readily admit that. There will always be a risk when someone other than the sender and the receiver can get that information. At the same time, how can we minimize that risk? What are your relationships like with skoourt secretary. If they can modify it someway, it can hurt them. Yeah, and we talk to the companies all of the time. Matter of fact, we have conversations to try to figure out the best way to get the information that we need in the course of an investigation. Certainly, why they're concerned, and, clearly, they have legitimate concerns. If we build this capability in, how do we minimize that risk? It is a concern to them.
At the same time, what we've been trying to do is to balance the discussion to say here are the two things at play. And what is the American public comfortable with when it comes to either going far perhaps one way or too far perhaps the other way when it comes to being able to access data presenting some risk inherent with that. And do you think if there is some kind of channelled access data as other countries are going to want the same thing that the U.S. government is wanting now? I think that's always a concern. That's part of our constant, daily discussions. We've had a lot of conversations with other countries, who clearly want that information. Our allies in other countries certainly have the same concerns and they want access to that data. The question is how do you differentiate what presents good human rights records are and countries that perhaps don't have those good human rights records, for example. And then, at the same time, if you're U.S. companies, what are the obligations versus the. You have to give other countries demanding that access if they do and if this policy goes into effect. And let's say you'll like to have similar access for China. And are you sympathetic that this might put them in more of a political or diplomatic role. I think it's a very political discussion. The question is how might we enable law enforcement to do its job. They want to try to do their job, too. That is a huge policy discussion. How are we able to limit that? That brings up how we might see ourselves in the future. By doing business in this country, does that mean that you're subject to certain rules and laws? Are you concerned if they do, they can affect people's overall ability to communicate securely? Sure. I think any country with poor human rights records, that's why we have the laws in place that protects from that. But that is certainly a concern.
And, again, it goes back to the policy discussion about how are we able to discern between countries with poor human rights records and countries who don't have that issue. And who will be subject to what laws. I do just want to ask you one more question. You mentioned how the number of devices is overshrill increasing. So walk me through what is happening now as you're investigating a terrorist. What we're seeing is more and more individuals associated with ISIL. To be able to recruit individuals. Who will use open social media platforms. But after seeing that that person might be more receptive, they'll try to move them to other platforms that we are unable to access. So what we see there is this going dark issue. How do we get past that? If it doesn't work, what would? Maybe physical surveillance. The problem is, while we're trying to figure that out, obviously, we're wasting time. And we're using more resources to get that information, which may never come to fruition. And so our concern and our fear and what keeps us up at night, you may not know who's communicating in that fashion. We don't know how many more people were there. I do want to turn it over to the audience for questions. Remember to say your name and where you're from. I just wanted to get your views particularly to what's out and how easy it's been for making Android users to use this kind of encryptic space. And do you think some of the terrorist groups are taking advantage of the technology. I do think those who pose a threat to us are taking advantage. But they know and it's been well publicized as to what communication methods we were able to access. I can't speak to specific capabilities or companies. But at the same time, we do see that in the course of our regular investigations. We do see those type of investigations, as well. Yes, it is a concern. In the front? How would you address, sorry, alyss sarks, wait for the mic? My name is Alyssa Vhavinsky. I wrote an article.
How would you respond to the concerns raised by Alex Stamos that special keys, how do we grant them only to the United States and also to our other corporate friends. We do business in China and Russia. Clearly it's against national security interests. I want to clarify again, one size fits all solution. The government is not promoting a folding key that will be the solution for all companies. That's why I think it would be up to each individual provider to come up with what is the most secure solution for them that still achieves the end result. Which is just to get us data. With that said, the larger part of the discussion is how do we make sure that U.S. companies, and U.S. data, subject to do that type of access. Same time, considering what other countries may ask for, how do you factor it in to the larger policy discussion. It's a source of going debate. Yes? It's not here and now. When and when do you foresee that larger conversation taking place? About the access issues? About the larger policy question that you referenced. There's daily discussions going on about that type of thing. We are concerned about it. Certainly is here in Washington, we had a number of discussions, with a number of different agencies. While we don't have the answers, discussions are occurring. USA Today, congressman, having experience on the encryption issue, would you like to see them get involved with the issue or would that do more harm than good? The discussions we have been having, is that we want to bring the jobs to the fore. To also, not take it off the table. I think that right now the, the idea and our goal is to ensure everybody understands what is at stake. For risks on both sides. And the equities on both sides. And so, currently, that is our goal without declaring whether or not we are seeking or pursuing or need that additional legislation.
You said that you talk to the companies daily about the best ways to get information and the FBI has been talking about it for a year and you keep saying that you want to have this discussion out there to the forefront, and if you are talking to the companies, daily, I'm wondering, your opinion to reaction that you get from the companies, when you say that you need to be able to get around their encryption? The answer is, it depends. It depends on the company. Clearly. Some companies, some companies may not have, some are not subject to mandates. They don't have to build in the, those, that type of access. They have, of course, most companies want to help. They want to stop a threat or bring somebody to justice. But if they are not mandated to do it, the question comes down to a, do they need to take the resources and divert them to build in access? Or at the same time, do we have companies that really would not be part of their market plan to do that? And even if they want to cooperate, it could take years to be able to build in some type of access. So, all of those dynamics are built in, most companies will try to help us with whatever information we can provide. It may not be test. Test. Right here. Then we will go to yes. Russell Shea, I'm a law student here in D.C., my question is about, in the context of law enforcement cooperation, in a scenario where data may be stored, physically outside of the United States, the, some tech companies, some tech companies argue we should pursue this data through mutual assistance treaties. Could you comment on the efficacy of what the process is like and there have been calls that it needs to be updated or reformed, what do you think is the approach to this issue? Clearly we have challenges with the ability to get information on a timely fashion. Sometimes those processes may take months if not years. Sometimes they're just ineffective. Sometimes they're effective. But that seems to be more on the rarity side.
So I do think this presents that challenge for us as to if it's U.S. data in the course of a U.S. investigation and we're seeking U.S. data in furtherance of an authorized investigation pursuant to a warrant signed by a judge, then what is the discussion from? What is the appetite, if you will, by the American public to say that the companies should have to provide that information? And really that's the debate we're having at the moment, the discussion we're having at the moment to find out what is the right balance and how do we get that information? What is the right mechanism to get that information? So, Julie, the third or fourth row here. Hi, Dave from Politico. So Chinese firms ZTE are persona non grata over concerns they can access what's transmitting. If it becomes apparent U.S. firms are offering these same ability to U.S. authorities irrespective if the Chinese can have them, what impact will that have on the U.S. industry? Again, I think that's a great question. How do we in the course of a U.S. investigation with U.S. company, U.S. data, strictly limit ourselves to it all being about U.S. investigations and what the U.S. needs access to? Because the question naturally comes up as to other countries wanting that data, too, and how do you differentiate between when you have, for example, an investigation in the U.K. that presents a legitimate need in the course of a national security investigation or law enforcement investigation versus another country who we may not have the same type of relationship or same type of, again, human rights record or whatever it might be with respect to what they're going to do with that type of information. That is the larger policy discussion in this and how do we think about that? Do we and this point, again, I think that we need to have that more open discussion. What's the right solution? We don't have that solution right now.
We don't have the right solution for what should be mandated, should it even be mandated? Are we comfortable with the place we're in now where the pendulum, I think, has swung so far post-Snowden that we've come to a place where we're continuing to see at least from a law enforcement perspective, we're continuing to see society as a whole go to a place where more and more people are going to be botch the law. And if that's the case, are we comfortable with that as a society? That's the larger question. And then the second question is what do we do about it if we're not comfortable? And we have time for, I think, a few more questions right here, Julie. Hi. I'm Jana Mclaughlin with The Intercept. I'm curious if the FBI is concerned if these companies, if you get them to agree to some sort of back door to build in some sort of capability, are you concerned that other companies may leave darker companies, criminal entities, might provide these end-to-end encryption and it will primarily be the average American user that loses out and no longer can protect their communications while criminals still might find access to these things? I think that and really the experience that we've had in this is if companies can build in such a way and that's why, again, I go back to the it shouldn't be the government that's proposing the solutions. Really the companies know their systems better than anybody. And so, in our opinion, really it should be the requirements should come from the government. Look, this is what we're trying to accomplish, but really the companies to be able to build in the most secure systems, to be able to build the most secure systems to be able to do that. With that said, I think, yeah, the very tech savvy people that are out there are going to figure out ways to take advantage of any vulnerability as they do today currently. We currently live in a society where clearly that happens on a regular basis. How do we protect against that?
But, again, to say that I think service providers today are 100 secure is a little bit of a misconception as well. And when we're moving toward this world, how do we identify the best way to really attribute those types of attacks or those types of, I guess, protections, if you will, depending on the perspective that the hackers, the criminal element might be trying to move people towards. And we have our job to try to identify and root out those individuals. I'm thinking in my head about one of the conversations we have on a regular basis is about with respect to access to stored communications. Well, with, for example, a communication device like a smartphone, people will ask us on a regular basis, well, yeah, but that person backs up to the cloud. The problem with that is what we found in our investigations is that most people don't do that regularly. Most people don't do that on a regular basis. They may not do it at all. You can clearly turn that feature off. At the same time we also see in the course of investigations that the very tech savvy criminal also can find out if automatic backups are occurring or if for some reason that information is being diverted in some way off of a particular device. And so we have to be able to, I think, account for that as well in the course of our investigations. And last question we have, yes? I have a question from Twitter. Great. From a good friend of the FBI at the ACLU. I'm going to paraphrase what came in here so it comes out in a family-friendly manner. No, I'm just kidding. This question is effectively does the FBI use encryption on its own on classified emails sent to other organizations? And how can the FBI engage this conversation with tech companies if they, themselves, are not operating at a very high level of technical sophistication.
And I might add how do you think the federal government is doing in raising its own game to join this conversation with tech companies in a way that showing we, too, are doing our own good cyber hygiene? We need our information encrypted the same way as the American consumer does, as companies do in the country. Clearly you've seen as a result of recent breaches, recent hacks, we continue to focus on that. I'm not obviously going to comment on what type of encryption is employed at what level and what systems but at the same time I think we as a government need to do clearly a much better job of that, and that goes back to my original point which was we support strong encryption. As I've said several times today. We support strong encryption, to be able to protect data, communications, to protect conversations. But the challenge for us is, again, just to tee up the issue, what is the American public's appetite for if we go to 17 secure systems that nobody can access ever. Are we comfortable with that, even in the course of an authorized investigation in the course of trying to protect public safety or in order to prevent an attack, are we comfortable with that? And that's really the, I think, underlying question. Okay. And that's a great place to end on. Thank you so much for joining us. Thank you. [ applause ] Now for round two. We've just had a conversation about the law enforcement's views on the encryption debate, and now we will include some other views as well into the conversation. We have next to me Matt Blaze, one of the leading cryptographers out of the University of Pennsylvania. We have Jon Callas, chief technology officer at Silent Circle, an encrypted communications firm. And we have Kiran Raj, senior counsel to the Deputy Attorney General at the U.S. Department of Justice. So thanks to you all for joining me. We will, again, have some questions. We will open up to the audience for your questions as well.
So just to start, why don't we I have a question for each of you actually. So what do you see as the benefit to society to having strong encryption and do you see those benefits outweighing or falling second to national security concerns about getting access to encrypted data? So, Matt, let's start with you. Okay. So it's really easy to frame this as a debate with a tradeoff between national security and law enforcement on one side and privacy and strong encryption on the other side and, you know, we everybody participating in this debate for the last two decades easily falls into this. Because it's an easy way of reducing this to a simple principle, but I think that's completely wrong. This is a question of increasing national security and law enforcement on and having encryption and decreasing national security and our ability to prevent crime by having weaker encryption. We're both on the same side of wanting to prevent crime and both on the same side for wanting to make the country more robust against national security threats and, unfortunately, it's a battle we're losing by not doing things like putting in strong encryption everywhere we can. So I would love to stop having this debate and get back to work. So, Jon, what do you think? I think that this has brought up the central issue. This is a policy question. It really is a policy question. It's not a technology question. Those of us who are in business are already international. My company is a Swiss company. We're not a U.S. company. We don't have a technical way to make it so we can provide access to the good guys and not to the bad guys. It's hard to know what's going on. They were saying it's extraordinarily hard to get a warrant. That what they need are neck nichls that can go beyond getting a warrant and that is a policy issue of what gets protected from a legal aspect of it.
And we're in a situation where we are forced to build devices in countries that are not particularly always friendly and yesterday we have to be immune from blackmail to them, that if they decide people in friendly countries have done something like not hand their data over because, you know, that they just happen to be in other countries, how do we handle this? What is the policy of juggling and deciding who is following what paperwork and who hasn't followed other paperwork? And, Kiran, what are your thoughts? Ensuring that we have strong public safety and strong national security and it's a tool to do that. We do that within our strong commitment to the rule of law. As you heard Amy and others talk about, it's important because it helps secure our commerce, it helps freedom of expression, our data security. I think the rubber really hits the road for us when we design systems using strong encryption in a manner that they become warrant proof. That means the system is designed so only the end users can access the information. When we think about what those shared values are, how do we maximize both public safety and our national security interests. And that's when we talk about the conversation, the debate of what we're talking about. So, Matt, you are a veteran of the crypto wars. Those that took place in the 1990s. How does the debate going on now compare to the debates back then? It's been a long time and we keep fighting the same battles. The main difference between this discussion in the 1990s and today is that in the 1990s a lot of this was hypothetical. We were saying this internet thing is going to be important some day. And we're depending on computers and depending on this network infrastructure for an increasingly part of our daily lives and being able to secure it is going to be really important really soon. I believed that it was going to be as important as it ultimately became.
Every aspect utterly depend on a secure network infrastructure and on being able to secure end points. This is so integrated into our daily lives. We can't even identify where. I think the stakes have gone up enormously since the last time around. You were the one who discovered a flaw in the Clipper encryption system that had been proposed as a way for the public to allow access for law enforcement. As times have changed and technology becomes more integrated into people's lives as you were mentioning, do you think that it is possible from a technical perspective now to create a solution like some of the ones national security officials are proposing? One of the fallacies, I think, of this debate is that it's often framed as we've solved so many hard technical problems. Look at all the wonderful things we've done. Surely if we can put a man on the moon, we can design a secure back door encryption system. Unfortunately, it's not so simple. When I hear if we can put a man on the moon, we can do this, I'm hearing an analogy almost as if we're saying if we can put a man on the moon, surely we can put a man on the sun. You know, this is an enormously hard problem, and it's not even a new problem. Ultimately we're talking about a set of requirements that somewhere along the lines involve making a relatively simple problem of encryption between two parties who know who each other are and can identify each other and only they can get access. It's a relatively simple conceptual problem. Turning that into a very complex problem. And securing systems with complex requirements and building systems of that level of interaction that work reliably and as we intend them to do has been a problem that's been around since the beginning of software and computing. And we don't know how to solve it. So you don't think that it's technically possible to do this and still have systems be secure? A shorter version of my answer is no. So, Kiran, what do you think?
Do you think that's true that it's impossible to do this? Well, I guess it's a puzzling argument in some ways because when we look out empirically at what companies are doing today, we see that there are large companies, for example, some of the commercial email providers where they use strong encryption to protect the emails while they're in transit, strong encryption when the emails are at rest on the servers, but for their own business purposes they have to be able to access the underlying content and one is for potentially to serve you advertisements and the other is data security so they can scan malware, scan for spam and things of that nature. We also see in the corporate environment as well where when corporations give laptops or phones to their employees they want to make sure that the employee leaves the phone in the taxi that someone is not going to be able to look at the information because it's sensitive information so that information is generally protected with strong encryption yet the corporation also for insider threat purposes, for data backup purpose and the like will also be able to have access to that information. And so when we look out and we see that there are companies now who have been able to figure out how to do that balance, how to ensure they have strong protections and security for their data but also have access to it, it's difficult when we hear that, oh, it's technically impossible to do this. And so, again, I think we have to have that discussion about do we want to really encourage situations where we are building systems that are providing safe zones for criminal activity or do we want to have the larger discussion and say, hey, there are companies that do it today. Can't we do that as well? But going back to some points that we heard from Amy, too, there doesn't seem to be one unified proposal, technical or otherwise, proposed by the U.S. government. So why is that? Do you expect that the U.S.
government will, in fact, put forward something more concrete? So I think the reason why you don't see a single solution because it just doesn't make sense given the industry today. Each company knows their products and systems so much better than the government does or, frankly, anybody else does. And so when we think about this, it really is about how does a company respond to a warrant or court order? They are the ones who are going to be in the best position to figure that out, so it doesn't make sense for the government to mandate some type of golden key. It just doesn't, in the world we live in today, that situation doesn't really make sense. It's what's much better and frankly, I think, all of us would agree the government has to go to a company with a court order and the company provides the information. And that's why in the debate today we see a lot of articles that say the government is demanding actual access to the databases of companies and that's not the case. There's not going to be one solution that fits every single company. Some companies will do this. Some companies will do that, and that's, frankly, the way they do it even today. One email provider might have a different way of accessing content than another email provider. The same thing with the corporate environment. You don't necessarily see the government as having a role in the system for some companies they might but for others they might not? Yeah, again, I think the main point for the government is Congress and the American people have given the government certain authorities, the Wiretap Act, search warrants and the like. And when we have those authorities and we go to the companies and we serve them with an order, we just want the information that the order says that we can get. And how the company does that is their business. We want to work cooperatively with them.
Some companies can do it on their own and that's why when we talk about how there's no one size fits all, that's what we're talking about. Jon, what do you think about this? I mean, Kiran is saying there's no one size fits all. And they do ultimately boil down to policy questions. Now to Matt's thing, there is a traditional way to land a man on the sun and that is hadthat you at night. I feel that's what we're being asked to do is to come up with a way to land on the sun at night. The theme you're talking about with corporate access is the problem and there are present solutions to that. However, when you have, for example, an email provider that is holding other companies' emails and I shut down an email system precisely because we were a provider that was using an encryption system that I built that was designed for an enterprise that doesn't really work in a model of third parties where I become the weakness that my customers have. And in that environment where there are cloud services, it's very difficult to know who it is that you go to. There is a case that's going on now which is the Microsoft case where Microsoft has literally emails that they are dealing with in a cross-jurisdictional boundaries and we're having discussions just like this one with the tech companies saying if they put their things in other countries, then it's in another country and my biggest fear as an American who has formed in Switzerland, we're going to be needing and it sounds like you're saying we need to take our cops out of the U.S. That this wouldn't be a problem if, say, Apple were a European country because they would not be subject to the U.S. things. You would have to get a warrant. Just to pick up on that, you didn't actually leave the U.S. for the Switzerland. When we first incorporated and created Blackphone we incorporated in Switzerland because it was a joint venture between us and a Spanish company. And then we moved to Switzerland.
If such a policy went into effect, how would it affect your business, your North American business now that you are a Swiss company? It depends on what's going on. Again, this is not a technical problem. If I am a Swiss company that has servers in Switzerland and someone who is not an American, how does U.S. regulation law affect that? If I have an American customer, how does that do? If I have a customer that the Chinese want something, how do I handle that? These are the policy questions and it becomes a much harder problem even for the larger companies. For an Apple, what would this do from the business side to their operations? Would they have to be putting a back door in something? If they put a back door into phones which some of the encryption in there now is designed to stop crime, that two or three years ago Mayor Bloomberg said a third of all New York City street crime was people stealing iDevices. You cannot get into a phone without the owner's consent because they were being stolen and sold at a markup. That these are antitheft mechanisms. The things we are doing for counter espionage is what my whole company has revolved around. It is a huge wild west out there where anybody can get any information is doing so. So how do we adjudicate this two and three dimensional issue of where the customer is, where the warrant is coming from and where we are and what we want to do because we do want to get rid of the bad guys. What role do you see companies protecting security and privacy? I want to start with a confession here. We really don't know what we're doing. We've been fighting a losing battle to build strong, secure, complex systems for longer than the crypto wars since before I was even alive. And we are actually getting worse at it as time goes by. And the reason is that we have computer systems that can be larger and do more things.
We have two things that work and they don't work universally well but these are the two techniques so far that my field has come up with to mitigate our inability to build large systems. One is crypto because that lets you not trust more components of the systems. You don't have to trust storage to the same extent. The second is make the system as simple as possible. What we say when, you know, when we're asked to put on our secure hats and evaluate a large system is how do I make it more secure? Make it as simple as you can, reduce the things it does and use encryption wherever you can. The back door requirements work against both of those things. And that's what worries me. I do want to ask you another perhaps more personal question as a cryptographer. Their whole job is and lifestyle in a way is to make these systems more secure as possible. Do you think that plays into why this debate has become in some cases so polarized? I think the polarization is so harmful. It's so easy to turn this into evil government people who want to spy versus people who want personal privacy. I think in terms of the end goals there's more common ground here than maybe the debate lets on. I think the how we get there is where we differ from the FBI's proposal. The goal of strengthening national security and preventing crime is pretty well shared by almost everyone. So, Kiran, I see you nodding. What do you think about this? I think it's an important point. When we start with here are the shared values we all agree with and there could be disagreement about how we best effectuate those shared values and talk about this as a discussion, as an open and informed discussion devoid of some of the more terms and venom that has been a part of this debate.
The policy points Jon brought up from economic issues, competitive disadvantage, how do we ensure our companies remain the strongest in the world, those are all valid issues that we have to talk through and we have to understand what the implications of any decisions are. How do we do that balance. We all have shared value, improving and maximizing public safety, we have strong privacy and civil liberties. That's a great start and how we go from there is how we move down on the discussion. Edward Snowden and the leaks that happened two summers ago. Do you think some of the encryption debate is getting Security Agency was revealed to be doing and has this made your conversations with companies or even this case to the American public harder? Sure. I think it certainly has affected some of the discussions and one of the things we tried to emphasize that going dark. Number one, I think we can all agree that reasonable minds may disagree on where the line is for lawful government but that's not the issue. Congress and the American people have given to us and the Wiretap Act, the search warrants and the like. So the issue here is when we already have that lawful authority, we already have a court order for a wiretap order, for example, and then we provide and the provider says we can't comply. That's an issue of capabilities and not authorities. It was really a question of what authority should government have? It's a very different debate from that perspective. I think the important piece here, too, when we talk about the capabilities is what that really means in practice is no matter how serious the crime is, no matter the fact that a judge made a determination there's probable cause or criminal activity afoot, we are unable to get the information. And that's a very different issue than the NSA issue. Right. And so, Jon, to pick up on that, do you think that if there's a warrant they should try or have access through the court access.
Do you think it's reasonable to ask companies to redesign their systems to make these warrants happen? We don't do that in any part of our society. A warrant is not a right that the government has to get data. It is a right to perform a search and to attempt to get the data and there may be a lot of reasons why they can't get to it. This is part of the U.S. part of the policy issue. Back again to where technology and policy need is that we don't have a way to code intent. We do not have a way to code good guy into things. If I am making a system that will protect people in business against not only semifriendly countries but intramural stuff that goes on because we know that most countries are, in fact, spying on each other. And the country is specifically using its intelligence mechanisms to help the businesses in the country. In the U.S. it's one of the few countries where we have, I will say, antibribery. There's the Foreign Corrupt Practices Act and so on. It is actually illegal for law enforcement and intelligence to help U.S. business. There's plenty of allegations that's going on, but at least it's illegal. In many countries it's not only legal but stated policy. So if we make a system that works in one place it works in another. We're having to lash ourselves to the mast. If we yield to one, we have to yield to all. And the policy issue that would need to come up would be a way that we would have an international, reasonable way to do things. If we had that where the U.N. could say that's a reasonable request, you could talk about having a simple technical thing where, you know, the keys are also held by the U.N. Interesting. So walk me through if something like this went into effect and the U.S. government gets a channel to access it and then the U.K., which is a close ally, also wants to have its own system and China wants to have its own system, walk me through the position this would place companies in, American companies.
A single organization can manage all of its encrypted data, all of its encrypted communications in a way that it can do oversight on itself. However, once you get into things like multitenanting, having cloud services, have any of these things like a provider that provides email to multiple other countries then the policy issue comes up of who gets to say to the provider I'm not getting satisfaction from your customer so I need to go to you. And so, Matt, what do you think? I want to disagree with something that Jon said. This is a policy question and I agree that it's a policy question. It's also more than a policy question. So you've described the abstract problems that you get if you could build something like this perfectly. But what you also get at the same time is making our whole infrastructure vulnerable to more of the OPM attacks, more of the Ashley Madison, more of the breach du jour. There's a thing that you can go after. That's why our best decision is to make it so nobody other than the end user can get there. A fundamental problem is that if a company builds in a back door or an ability to provide access to mass market products that are used by companies and individuals and by government, that company suddenly becomes an extremely attractive foreign intelligence target. Absolutely. And extremely attractive organized crime target and an extremely attractive drooling teenagers in the basement target. And we've seen all three of those attackers receive wildly in recent years. And we're going to see more of it on the requirements that would be very, very interesting to have for nefarious purposes. This is the lash yourself to the mast thing that I was saying. The only real solution we have to protecting our customers and ourselves is, in fact, to make it so we are not a target. Kiran, what do you make of this and what's at stake, too, if law enforcement doesn't get the access it needs?
The idea companies will go where only the end users is not compatible to what we have today. Companies need to have access to data for their own business purposes. Whether in the consumer market but there are certain types of systems where they have a design where only the end user has access to it. The important thing for folks to know is that those are the systems where even with the warrant, even with the court order, the government will not be able to obtain the information and so from the threat perspective, Amy talked a lot about that. It has real effects on real investigations and it's important for folks to understand that almost every investigation we do at the department and state and local level involves electronic information. And so if we are really creating a class of information in a digital safe zone for criminal activity, that's a problem and a problem we want to highlight for folks because they need to know as technology advances it's the fundamental question is do we want to have technology drive that or should we drive it from a policy perspective? And so that's really what is this discussion is about. I don't see a world where companies will not have access to information for their own business purposes. The real question is what happens with those specific platforms, certain applications, certain devices where there is a choice you could make to design it so it's warrant proof so only the end user or so the company retains access and the ability to respond to a court order and a warrant. So I do want to open up to the audience. Say your name and where you're from. Up in the front here. Thank you. Eric Geller from the Daily Dot. I wrote a feature on the crypto wars and all the experts said the government keeps saying we want to have this debate, to bring this out into the public but we've been doing that since the crypto wars yet the government says let's have this conversation. Let's listen to the tech companies.
What would you say to the idea that this is settled, that they don't want to do this and that they can't see a way to do it securely? I guess a couple points, one, and Matt talked about this earlier, we're in a much different world than we were two decades ago with the proliferation of the digital information everywhere. They are much different than before. Number two, back in the two decades ago the government was asking for something different. There was an idea there would be a split key that one government agency would hold it and another would hold another key and that, again, is not what we are asking for today. We go to companies with a court order or warrant, they're unable to comply. We would like them to comply with the court orders. How they do it is up to them, based on their own system and their own designs. They know their systems best. We've been having discussions and back to the shared values, we all have those same shared values and so the more we can do to figure out how do we maximize the public safety and the national security and also these important privacy similarities, data security, we're in a different world now than we were two decades ago and I think a lot of the companies and even technologists would agree. Another question up in the front. Sharon, voice of the moderate. I would like to ask about the issue with trust and the American people. I think that a lot of people see the selective prosecutions. Let's use the ones of the whistleblowers that their data was looked at and I guess with the FISA goes overseas so it can automatically get collected and we're seeing some people that are higher up that might be like General Petraeus got a slap on the wrist, Leon Panetta. A lot of people in the intelligence community leak. It happens all the time. Some people get prosecuted. Others don't. I think the encryption issue stems from the lack of trust in government because of some of the selective prosecutions.
And how do you see addressing that issue because I think once we all trust each other then it will be easier to go forward. Thank you. I think most people would agree our country has one of the strongest commitments to the rule of law in the world and it's something that we at the Department of Justice and, frankly, the whole administration, thinks is very important and so we try every day to ensure that we're building trust and maintaining trust with the American public because that's what the rule of law is based on, trusting the folks that are carrying out investigations, prosecutions and the like. So it is an important value to us and something that we strive every day to earn the trust of the American people. Any other questions? Yes? Russell, a law student. My question is from the government official. The issue is about conflict of law and the situation where some tech companies may find themselves when they have to comply with a foreign law to hand over data, but that would bring them into conflict with U.S. laws that basically would make them liable for crimes, for U.S. laws. Tech companies are doing businesses globally and have to comply with multiple standards in laws and how does the DOJ address this issue? What are your views on that at least? Yeah, no, it's a really good question and it's a question that companies are facing more and more every day. I guess the point I would make just generally on that issue is that that's much broader than encryption or even going dark, our companies today face those choice of law conflicts whenever or in many cases when they're operating in a foreign jurisdiction. And so the companies work through those issues. Sometimes they have to do something specific to a particular company. It's really just going to depend on the specific laws, the specific facts and circumstances. It is a growing problem in our global economy, absolutely.
And so just to loop you into this discussion as well, we had a question earlier for Amy Hess about what would happen if this policy goes into effect and the perception of American businesses abroad. This plays into that a little bit. Maybe you both could take a stab at answering what would happen at least from a perception that companies are working with the government or giving data to the government kind of formally. So I'll not even speculate on what that would do to trust in U.S. products abroad, but, you know, there's also the issue of making our infrastructure less secure and I think we'll see a real tangible effect of the horrible security crisis that we're in today becoming measurably more horrible because tools for securing it become less robust and less available and, you know, that would be horrible. Jon? I agree with Matt on that, that it does make it less secure. It rules the security that we're building into things and I'm going to disagree with him that I think we're making progress. Did I say we were making progress? See? I think we're making progress. Oh. But it would ruin the reputation of all of these companies worldwide because you know if there is a master key that it is only a matter of time until it gets leaked. It gets stolen. It gets misused. I mean, we have seen all across the board, whenever there is one of these databases, one of these central repositories for information, that people use it to check up on their ex. They use it to find out what their neighbor's really doing. And the fact that that would happen would ruin the reputation and it would also ruin the reality. The reputation would be ruined for real reasons because it really would be weaker. Jon is making progress. No one else is. Two points. One is, again, when we hear master key, golden back door, we have to be clear that no one is asking for that.
Number two, when you hear sort of arguments that companies' reputations are going to be ruined, it's a puzzling argument because today we have large companies that can respond to court orders and warrants. We have billions of users around the globe who use their services, and we're not seeing some of those issues. And so, again, I think it's important to understand what we are, in fact, asking for which is that we don't want situations where there's warrant proof encryption which is different than securing data, to secure your I.T. infrastructure, because that is something that we really value because of our mission in the cyber sec area, cyber crime area. It is only accessible. Except for all the companies who do it today for all the business purposes. We have companies who can respond to court orders today. There is no magic key, no golden uniform. They are able to do it. It is the companies that are putting in security that you're getting upset about. I mean the thing that has happened, I was agreeing with what you were saying before. That we have the shared values. We have all of this, but we're putting in encryption precisely to stop crime. And the reason why Apple, Google, others are putting device security into the device is so that the system is there so that when you have exactly what you're asking for, but now that we're doing it we're being criticized for doing it. Again, this is I think it's important because this really is an important point that I think is lost in the discussion. We want strong encryption. We want those devices to be secure. The question is, is the only way to secure it a manner where there is warrant proof encryption. There are a lot of companies today that disagree with that. They have built that system. If the answer is there is no way to do it. If they really believe it and they have tried super hard. They might answer. That is something that the American public and folks should understand. People need to know that.
And that again that is the discussion that we have to have. I will admit that I'm flattered by the FBI's stake in my ability and my field's ability to produce these super secure products that you are worried will be warrant-proof, but frankly I'm puzzled by the underlying assumption that we have any chance of actually doing that and that the internet that we have today is adequately secure for just about any purpose you could imagine. I mean, I think we're in a national security and public safety crisis as we rely on this horribly fragile, horribly weak infrastructure. The problem that we're facing and I think it's pretty close to an emergency. We do have another audience question. On the side here. And now my question. It's one thing that is often missed in the debate is that assuming that everything was encrypted, metadata will still be available to law enforcement when they serve companies a lawful order. It is showing that it is committing federal felony and the phone facility that we want to target is being used as part of that crime but we also have to show necessity. So that means we have done we have tried to do less intrusive techniques have failed. Some are physical surveillance, using an informant, records are considered metadata and someone has to write up. And those things sometimes run hundreds of pages. Huge affidavits. It these be reviewed by the supervisor. Operations OEO in the Criminal Division that is then signed off by a high level criminal level official. At that point it goes to a federal judge who does his own so it isn't the first thing that we do. When we have that order, we have already had enormous amount of internal review. We have an internal judge and only then do we go to the company and say can we have the content of communications. I think it's important to understand that in context. This is not something that just happens right away. There's a huge amount of resources. We have time for one more question. 
Just hearing from you about all of the methods that we use prior to asking for content, I'm curious if the DOJ or FBI will provide numbers of how many times this actually happens. It feels like it's such an extreme situation. Will that data be available to the public? We do need to do better and get better data on that. One of the hard issues is that investigators, when they hit a wall they don't stop. I do want to reiterate that. It is an important point that we make, we have to make an important sense of the scale. Anyone else have any questions? I will ask one more of each of you. I knew it would get heated at some point. Just to try to bridge some of the differences there. What do you think is the biggest thing that tech companies or security pros or just Americans in general might be missing in the national securities arguments? I think that the most important thing is to start with when we talk about this issue, we really do have shared values. That is one of the important points. We want to figure out what best way to maximize the values. But if we're all trying to get to the same end goal, it is important. What do you think the U.S. government needs to do? Part of it, we have to be clear about what the issues are, providing important data to folks as part of this discussion is helpful. That's part of why we do the events so people can hear directly from us what we're asking for and what we're telling the American public. To fund people like me to think about more. But I won't pretend that it's a brand new problem but it's one that I think is increasing national priority but it's one we don't know how to solve. We are in a multicountry world where there are values that are not shared across the countries. I'm in a situation where I worry about what happens when a warrant comes in from another country where they say that even though this person wasn't even born there, their grandparents were so they have a right to certain data. 
I worry about the costs of how those of us who build this would be able to do this. And that it effectively turns us into something that we don't want to be which is a super government authority that decides whose information which often is who lives and who dies goes out. And it isn't a matter of, we are only in one area where we have shared values. We are in a huge hostile world where there is information warfare going on or economic reasons for things that are theft and the techniques that we have that are as good as we are at them, I think that part of the reason this debate has come up again is that we are actually starting to make progress. And there is a very difficult problem in those of us who are international versus. All right. That's all the time we have. Thank you everyone for coming. Thank you Dell for sponsoring us today. Thank you to the Department of Justice and the FBI for sending out their good folks to talk to us. We would love to see you very soon. Take care. Now today I'm a reporter for NBC. Is this Marion Barry's place? I went back to the office and called me up and I said I have just been to club 55. Don't you realize your people are watching where you do and where you go and you sit there all the time and watch naked dancing girls. There was a pause on the phone and he says it's nice, isn't it? He signed a letter and said what he did was politics and not bribery. He should have reported the gifts and that might be a crime but he didn't report the gifts. 15,000 for a child's wedding. 70,000 loan. Bob mcdonald has been considered a vice presidential candidate. Was in over his head when he got into the governments office. This is another case where you're a public figure and you let your messy private life combine together. It's the first time a pope has done this and this is the scene. You can watch our live coverage on C-SPAN or online at cspan.org. And back here, U.S. 
Cyber Command head and NSA director will testify before the Senate Intelligence Committee today. He will brief the community on threats to the nation. You can see it right here on C-SPAN 3. It starts at 2:30 Eastern. And now FTC commissioner discuss the two main recommendations for how to best proceed in dealing with open internet rules on assuring consumer choice prooifty and transparency
