Sen. Mark Warner (D-Va.) and House Homeland Security Committee Chairman Michael McCaul (R-Texas) introduced bipartisan legislation to both establish an independent commission on digital security issues on Monday.
The Digital Security Commission Act of 2016 (S. 2604 in the Senate and H.R. 4651 in the House) would establish a National Commission on Security and Technology Challenges meant to bring together all the stakeholders on cybersecurity and encryption security issues including tech leaders, law enforcement, the intelligence community, privacy and civil liberties advocates, computer science researchers, and global commerce leaders. It would be “charged with developing recommendations for maintaining privacy and digital security while also finding ways to keep criminals and terrorists from exploiting these technologies to escape justice,” the authors said in a statement.
Under the proposal, a 16-member commission would be appointed equally by the bipartisan leadership of the House and Senate. The Speaker of the House and Senate Majority Leader would jointly appoint eight commissioners from eight separate fields as well as the chairman. The fields include cryptography, global commerce and economics, federal law enforcement, state and local law enforcement, consumer-facing technology sector, enterprise technology sector, intelligence community, and privacy and civil liberties community. The House Minority Leader and the Senate Minority Leader would also jointly appoint eight commissioners for each field and a vice chairman.
The legislation also allows for the President to appoint one ex officio individual to serve on the commission in a nonvoting capacity.
The commission is mandated to issue an interim report within six months of enactment and submit majority recommendations for congressional consideration within 12 months.
This legislation comes amid concerns that increasing strong default encryption on electronic devices will decrease law enforcement’s ability to lawfully obtain information from the devices of suspected criminals and terrorists, called “going dark.” Law enforcement and government figures have sought ways for legal access to such protected data while technology, security, and privacy advocates note allowing any kind of “back-door” access for use by authorities would inevitably reduce the security and the partial access would eventually get into the hands of bad actors as well (Defense Daily, Feb. 2).
The commission was first announced by Warner and McCaul last week at an event at the Bipartisan Policy Center. It is meant to help solve this dilemma and larger technology security issues by examining the intersection of digital technology and national security as well as determining the implications for national security, public safety, data security, privacy, innovation, and American competitiveness in the global marketplace, the authors note in the announcement.
“I recognize that there are no easy or simple solutions to the challenges posed by the growing use of secure technologies. The same tools that allow terrorists and criminals to evade detection by American intelligence and law enforcement are also used each day by Americans who rely upon secure technologies to safely shop online, communicate with friends and family, and run their businesses,” Warner said in a statement.
“I believe that we can strike an appropriate balance that protects Americans’ privacy, American security, and American competitiveness, but we won’t achieve that while all sides continue to talk past each other.”
McCaul agreed with the sentiment. “The challenge of protecting national security and digital security simultaneously, is complex. The ongoing Apple vs. FBI dispute is only a symptom of a much larger problem.”
McCaul highlighted that law enforcement needs the ability to gain lawful access to information that can stop future attacks and sees the commission as a step towards finding a resolution.
“I am proud to partner with Senator Warner on this initiative and I urge our colleagues in both chambers to quickly establish this Commission so we may effectively address this challenge for law enforcement now and in the future.”
The legislation mandates the commission to provide assessments of, at minimum, several major issues, in its report to Congress including:
- multiple security interests (public safety, privacy, national security, and communications and data protection) both now and in 10 years;
- the economic and commercial value of cryptography and digital security and communications technology;
- the benefits of cryptography and digital security and communications technology to national security and crime prevention;
- the role of cryptography and digital security and communications technology in protecting the privacy and civil liberties of Americans;
- the effects the use of cryptography and other digital security and communications technology has on law enforcement and counterterrorism;
- the costs of weakening cryptography and digital security and communications technology standards; and
- international laws, standards, and practices for legal access to communications and data protected by cryptography and digital security and communications technology.
The commission is also directed to include policy and practice recommendations, with possible legislative proposals, all including several issues:
- methods to take advantage of the benefits of digital security and communications technology while mitigating the risk of abuse by bad actors;
- the tools, training, and resources that could be utilized by law enforcement and national security agencies to adapt to the new digital landscape;
- cooperation between the government and private sector to work together to impede terrorists’ use of digital security and communications technology to mobilize, facilitate, and carry out attacks;
- any revisions to current law regarding wiretaps and warrants for digital data, while preserving privacy and market competitiveness;
- proposed changes to procedures for obtaining warrants to increase efficiency and cost effectiveness for the government, tech companies, and service providers; and
- steps the United States can take to lead the development of international standards for digital evidence for criminal investigations, including reforming the mutual legal assistance treaty (MLAT) process.
The legislation is co-sponsored in the Senate by Sens. Cory Gardner (R-Colo.), Brian Schatz (D-Hawaii), Susan Collins (R-Maine), Michael Bennet (D-Colo.), Shelley Moore Capito (R-W.Va.), Angus King (I-Maine) and Dean Heller (R-Nev.). Co-sponsors in the house include Reps. Jim Langevin (D-R.I.), Patrick Meehan (R-Pa.), Suzan Delbene (D-Wash.), Mike Bishop (R-Mich.), Ted Lieu (D-Calif.), Will Hurd (R-Texas), Kathleen Rice (D-N.Y.), Blake Farenthold (R-Texas), Eric Swalwell (D-Calif.), Dan Donovan (R-N.Y.), Jerry McNerney (D-Calif.), Barbara Comstock (R-Va.), Mimi Walters (R-Calif.), Ryan Costello (R-Pa.), and Dave Reichert (R-Wash.).
The legislative announcement also received support from privacy advocates, legal scholars, the law enforcement and intelligence communities, and industry groups.
“[The commission] could help work through not only current issues, but future ones – this is a rapidly evolving field which deserves a thorough look and deep understanding before as far-reaching legislation is considered,” Professor Jonathan Zittrain, Co-Founder, Director and Faculty Chair of the Harvard University Berkman Center for Internet & Society, said.
Michael Leiter, former director of the National Counterterrorism Center agreed that it would be an important step in thoughtfully addressing the challenge of protecting privacy and civil liberties while enhancing national security and fostering technological development.
The U.S. Chamber of Commerce commended McCaul and Warner for introducing the legislation.
“The Chamber looks forward to working with Congress, the administration, and other stakeholders on this bill and to address the concerns of business,” Ann Beauchesne, senior vice president for national security and emergency preparedness at the U.S. Chamber of Commerce, said in a statement.
The Internet Association, an organization representing the interests of many major internet companies including Amazon [AMZN], Google [GOOG], and Facebook [FB], was encouraged by the legislation.
Although it stated the privacy and security of Americans will be best served by maintaining strong encryption, “The proposal has a worthy goal of promoting thoughtful dialogue between stakeholders in the encryption debate, including experts in cryptography, technology, privacy, and law enforcement,” Michael Beckerman, President and CEO of the Internet Association said in a statement.
“The Internet Association looks forward to working with policymakers to ensure that the best interests of our nation are served. Congress must avoid hasty legislative ‘solutions’ that could have unintended consequences for the security of the American people,” Beckerman added.