House Homeland Security Chairman Michael McCaul, R-Texas, never downplays the urgency of cybersecurity threats, but he is also one of the most patient legislators on Capitol Hill when it comes to fashioning a consensus around seemingly intractable policy issues.
That could make him the ideal candidate to find a way beyond the current stalemate over so-called strong encryption. These are communications technologies that are fully or close-to-unbreakable by law enforcement and intelligence services chasing terrorists and criminals.
McCaul was a key architect of compromise cybersecurity bills that were signed into law in late 2014 and at the end of last year. The hallmark of his efforts on both bills was quiet consensus-building on measured cybersecurity policy steps, even as rancorous debates raged over issues such as National Security Agency electronic snooping.
On strong encryption, the FBI and intelligence officials have asked the technology community to voluntarily come up with ways to access encrypted communications under a court order, but talks on the subject never really got off the ground.
The tech sector has been highly suspicious that government wants a “back door” into encrypted devices and is deathly afraid of how this would affect American technology companies in the global marketplace.
Further, such back doors are incompatible with the very notion of cybersecurity, tech and privacy advocates say, and would certainly be exploited at some point by the same bad actors the government is trying to fight.
McCaul and Sen. Mark Warner, D-Va., are proposing an alternative: creating a national commission that includes “the best minds” from all of the stakeholder camps to come up with options under a strict deadline.
McCaul, a former federal prosecutor, hails from the law enforcement side of the fence while Warner is a former technology entrepreneur.
“There have been attempts to have this discussion but they’re not fully engaged,” McCaul told reporters. “This is to get it started.”
McCaul added: “If the recommendation is a legislative solution, we’d pursue that. But a technology solution is more likely.”
Their plan is not without critics, including Senate Intelligence Chairman Richard Burr, R-N.C., who is writing his own bill along with Ranking Member Dianne Feinstein, D-Calif.
“I don’t think a commission is necessarily the right thing when you know what the problem is,” Burr told The Hill newspaper. “And we know what the problem is.”
Feinstein granted that the commission wasn’t “a bad idea,” but she also suggested the urgency around the issue demanded quicker action.
Burr and Feinstein’s nascent legislation would reportedly require tech companies to retain the capability to access encrypted material under a legal order.
Even with the urgency in mind, the Burr-Feinstein measure is still a work in progress and committee sources suggested its release isn’t imminent.
House Intelligence Committee leaders have their own approach.
Chairman Devin Nunes, R-Calif., and Ranking Member Adam Schiff, D-Calif., last fall asked the National Academy of Sciences to examine the issue; the NAS is assembling a panel of experts on the subject.
In addition, different perspectives among law enforcement groups at the federal, state and local levels must be massaged. What exactly the intelligence community is hoping to access still must be defined.
And the technology community is taking a wait-and-see approach to the commission idea, though it certainly isn’t as objectionable to the techies as is the pending Burr proposal.
“There has been outreach on the concept but we’re looking forward to the lawmakers sharing the text of their proposal to study the details further,” the tech source said.
Another business-sector source said: “Most organizations will refrain from taking positions on encryption until the commission does its work, presumably, and there are written proposals to critique. It’s Washington. Policy-and-legal-types need paper. Speculating on hypotheticals is useful, but at some point you must have text to guide decision-making.”
For now, McCaul and Warner are working the traps, both on Capitol Hill and among other stakeholders. They still need to resolve jurisdictional claims on an issue that falls under the purview of intelligence, judiciary and commerce committees, in addition to the homeland panels.
But here’s where the McCaul touch can probably help. In the past, the Texan managed to get the U.S. Chamber of Commerce and the American Civil Liberties Union on the same page when it came to cybersecurity and privacy protections.
Figuring out a consensus position on encryption may be a tougher issue to resolve, but McCaul and Warner seem to be offering a process that could yield the elusive answer.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
