The Honorable Michael T. McCaul, Member of Congress/Chairman, House Committee on Homeland Security, United States House of Representatives. He is tasked with addressing the al Qaeda-Hezbollah terrorist threat, border security and cyber security.
During a well attended presentation at RSA Conference 2016, the Republican congressman attempted to explain the US government’s position on balancing the needs for national security with those of individuals. As he put it, his attendance at the conference was “timely, important and relevant not just for the security of the nation, but also for the security of our digital security”.
In the aftermath of 9/11, the US government focussed on preventing terrorists establishing safe havens. But whereas those safe havens were physical spaces in those days, today those havens are online.
McCaul noted that it was not possible to destroy adversaries by simply bombing them any more as they are so distributed. He said jihadist fighters were using virtual safe havens to shield themselves from retribution.
“There are literally 200,000 ISIS tweets per day to radicalise individuals all around the world”.
The use of encrypted applications came under specific attention by McCaul. Citing the bombings in Paris during November 2015, he said the terrorists used encrypted messaging platforms to conspire with each other while evading detection.
That debate over access to encryption has escalated with the recent San Bernardino case being fought between Apple and the FBI.
“This issue is not going away. It’s one of the greatest law enforcement and counter terrorism challenges of the 21st century. It’s also given enormous implications for our privacy and the security of our most sensitive information,” he says.
He noted that with the breach at health insurance provider ANTHEM, following others at Target, Neiman Marcus, Home Depot, as well as the Office of Personnel Management (OPM) – where McCaul’s own security clearance was one of the many millions of records that were stolen by Chinese hackers – have made digital security and privacy hot button issues.
McCaul says "The digital frontier is very much like the wild west” and “the effects are felt from kitchen tables to corporate board rooms”.
The adaptability of threat actors and their ability to change identities makes them extremely difficult to catch, particularly when they are supported by other nation states. It also makes attribution of a cyber-crime very difficult. McCaul mentioned the recent breach at a hospital in California where a hospital was the victim of a ransomware attack where they paid at US$17,000 ransom to the attackers.
The trouble, says McCaul, is our capacity to adapt to the shifting methods of the adversary are lagging. Many threats are in place for many months – the OPM breach was in place for well over a year before it was “detonated”. This has given rise to the concept of “digital bombs” with the impact lasting many years.
In response, McCaul says the US State department changed course and has agreed to negotiate and collaborate with the private sector.
In speaking about the use of encryption by cyber criminals, McCaul says “I’m not out to demonise encryption. Encryption is a bedrock of communications and electronic commerce".
He noted that it is used to protect state and personal information and communications but that same protection is used by nefarious groups that are acting against the American interest. While, on one hand, he says there are no known security threats at this time, encryption has made the pool of information we know nothing about much larger.
"How can we keep our country safe while keeping our personal data safe?" he asks.
Using the San Bernardino case as an example, he says it’s time to get the right experts in the room to find a path that supports the needs of law enforcement and the broader community and technology industry.
“Sadly, Americans have heard a lot of bluster, too little acceptance. The two sides are shouting at each other,” he says.
One of the steps McCaul has taken is to establish a national commission on security and technology challenges in the digital age. This has been done with Democrat senator Mark R. Warner, signalling a bipartisan approach to this challenging issue. The commission will include technology leaders, privacy experts and other non-politicians.