InsideSources

The chief lawmakers on the Senate and House Homeland Security Committees asked the Federal Communications Commission Monday if the agency is taking cybersecurity into account with its proposal compelling cable providers to open up their content to third-party set-top boxes.

Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson, House Homeland Security Committee Chairman Mike McCaul and the committee’s ranking Democrats sent a letter to FCC Chairman Tom Wheeler Monday asking what cybersecurity measures, if any, the agency is considering in its draft proposal.

“The FCC’s rules and regulations for the communications sector can have a significant effect on the security of individual Americans, our critical infrastructure, and our national and economic security,” the lawmakers wrote Monday of Wheeler’s “unlock the box” proposal. “In particular, we are interested in learning more about the cybersecurity proposals within the rulemaking and urge further attention in this area. It is important that cybersecurity is fully addressed in any final rule.”

The agency voted in February to advance the proposal compelling cable providers like Comcast and DirecTV to make their video content accessible to third-party devices, giving consumers the opportunity to purchase a set-top box from a company like Google instead of renting one from the provider.

Lawmakers pointed to the National Institute of Statistics and Technology (NIST)’s voluntary cybersecurity framework as a guide for what the agency, in tandem with the communications industry, should consider with new regulations to combat “malicious actors” and “cybercriminals.”

“It is unclear how some of the FCC’s proposed rulemaking aligns with the framework’s recommended practices or how existing cable and satellite providers can adequately inventory devices attached to their network, including devices owned by a third party,” the letter reads. “For example, a core function of the framework is to identify a firm’s information technology assets and connections with other organizations and devices in order to ensure that it fully understands its risk posture and develops an associated cybersecurity risk management program.”

Representatives said that burden to ensure devices are secure would grow if third parties are allowed to enter the market, presently limited to devices from providers themselves.

Legislators asked Wheeler to answer a series of questions about the proposal’s cybersecurity considerations, including if and how device makers will self-certify they’re complying with cybersecurity standards, how the FCC will ensure third parties in hardware and software are meeting standards, including through their supply chains, if NIST was considered or how it will be in a future draft and whether the rulemaking addresses potential economic harm to content creators, businesses or infrastructure from cyberattacks.

Monday’s letter was the most recent inquiry among a growing number of concerns about the proposal from Congress, including in the Senate Judiciary Committee where Chairman Chuck Grassley wrote to Wheeler Monday with concerns about the proposal’s potential to make cable providers’ content more susceptible to copyright infringement, put new restrictions on the way providers can use consumer data and harm small rural cable operators.

Grassley said it was “unclear” how the new rules would extend consumer protections that already mandate providers keep user viewing habits private, limit advertising when appropriate, and provide emergency alerts and subtitles. He added the market is growing in competitiveness already via video streaming services and apps free of hardware, which some worry could let third parties manipulate cable providers’ content or make it more susceptible to pirating.

“I am concerned that this proposed rule making would replace marketplace solutions with greater government regulation,” Grassley wrote. “There are concerns that the proposed regulations will harm creators and impede innovation thereby ultimately hurting viewers.”

Members of the Congressional Black Caucus expressed their own concerns about the proposal’s potential impact on minority programmers, who they fear will be marginalized by third parties in the on-demand video market.

As justification for the rulemaking, Wheeler cited a congressional survey out of the offices of Sens. Ed Markey of Massachusetts and Richard Blumenthal of Connecticut, which found the country’s biggest cable companies charge the average U.S. household $231 annually in set-top box rental fees, pulling in almost $20 billion every year for providers.

Monday was the deadline to file comments on the proposal.

Follow Giuseppe on Twitter

The Republican chairman of the House Homeland Security Committee and a Democratic member of the Senate Intelligence Committee plan to introduce legislation next week creating a congressional commission to bridge the growing divide between law enforcement and encryption providers.

“We’re actually in very unique positions I think to bring the relevant stakeholders together to find a solution to this very great problem,” House Homeland Security Chairman Mike McCaul said Wednesday at the Bipartisan Policy Center. “And that’s the whole point of the bill and the commission — to find a solution to a Paris-style attack where the attackers are using end-to-end encryption on apps to conduct a major terrorist operation.”

In the December aftermath of the Islamic State-inspired attacks in Paris and San Bernardino, McCaul and Virginia Democratic Sen. Mark Warner announced their plan for a 9/11-style congressional commission to facilitate talks between the tech industry and law enforcement to seek solutions to the issue of terrorists “going dark.”

The lawmakers said they expect broad congressional and administration support for the bill, which will form a bicameral commission to discuss digital security issues facing law enforcement and national security, including encryption.

Those discussions will include all relevant stakeholders, including Silicon Valley, the FBI, local law enforcement, cryptologists, the intelligence community and privacy advocates.

McCaul and Warner said they expect the bill to be fast-tracked to passage, and gave a timeline of one year before the commission produces a report with recommendations for Congress.

Director of the FBI James Comey has spent well over a year warning Congress of a growing threat posed by potential terrorists communicating via end-to-end encrypted platforms, like those offered by default from Apple and Google.

Those warnings gained more attention between December and February when Comey testified before Congress the FBI has been unable in at least two instances to access the communications of known terrorist suspects, the most recent being those on an iPhone belonging to Syed Farook, who with his wife Tashfeen Malik executed the attack that left 14 dead in San Bernardino.

Last week a federal district court in California, citing an 18th-century law meant to act as a gap-filling statue when no existing law applies, ordered Apple to assist the FBI in unlocking Farook’s iPhone 5c by disabling the password attempt limit. If Apple complies, it would open the door for the FBI to brute-hack the phone.

Apple CEO Tim Cook refused the order on the grounds Apple does not possess the ability to comply with the FBI’s request, and that forcing the company to build it would create a dangerous tool and precedent that would likely be abused by the government and authoritarian regimes.

“We think there’s a better solution,” McCaul said.

The Cupertino-based company supports the McCaul and Warner commission, however others in Congress, including Warner’s fellow Intelligence committee members Sen. Dianne Feinstein and Chairman Richard Burr are working on their own bill to force companies like Apple to cooperate or suffer punitive damages.

“One option is to amend the CALEA (Communications Assistance for Law Enforcement Act) statue,” McCaul said. “Put a backdoor into this phone, so the government can get into it, but also the hackers can. And let’s not forget the majority of these apps are overseas, outside of our jurisdiction.”

Warner said amending CALEA, the ’90s-era legislation compelling telecommunications providers to assist law enforcement by facilitating wiretaps, doesn’t create a long-term solution, and would likely only drive criminals and terrorists onto encrypted platforms developed outside the U.S.

“The networks that were devised in the ’90s and the networks in 2016 and 2020s are dramatically different,” Warner said. “A static solution, which might simply drive smarter criminals and smarter terrorists to foreign-based systems and foreign based hardware, or even with American hardware a personal system they could unlock and then import from the cloud encrypted techniques, isn’t going to get it right.”

Warner said there are close to 2,000 apps being added to the App Store every day, half foreign-based and most encrypted.

“This genie’s not going to be put back in the bottle,” he said, adding any solution will have to include international operating standards the U.S. could lead in developing with the commission.

“There is no easy legislative knee-jerk response to this,” McCaul said. “Amending CALEA is not going to solve the problem, and more than half these companies are overseas anyway. That punitive measure against industry — I’m not sure that’s going to be the right answer, and it will hurt our economy and our international business.”

“And it may not make us safer,” Warner added.

Follow Giuseppe on Twitter

House Homeland Security Committee Chairman Mike McCaul on Wednesday said of all the national security threats facing the U.S., encryption and the threat of criminals and terrorists “going dark” online is the one that keeps him up at night.

“As chairman of the House Homeland Security committee, what keeps you up the most at night?” Kenneth Weinstein, president and CEO of the Hudson Institute, asked McCaul during a national security discussion at the group’s headquarters in downtown Washington Wednesday.

“It’s encryption,” McCaul answered. “It’s this dark, communication space in which the terrorists can communicate freely without our ability to detect it, even if we have a court order.”

McCaul said he’s had frequent discussions about end-to-end encryption with FBI Director James Comey, who’s repeatedly sounded the alarm before Congress in the year-plus since companies including Apple and Google announced the software as the standard for all users, making the companies, by default, unable to comply with subpoenas, search warrants or wiretaps.

Terrorists purported use of the technology to evade law enforcement and intelligence agencies climbed to the top of Congress’ national security agenda after Paris investigators found multiple attackers and plotters used encrypted platforms to communicate while planning the assaults in the French capital last year.

The Homeland Security chairman said eight of the attackers and some 20 co-conspirators responsible for killing more than 100 people on the streets of Paris used applications including Telegram on iPhones to hide their communications. McCaul said due to the lack of warning signs, he knew the Islamic State-inspired terrorists behind the attack used encryption before he was briefed and his suspicions were confirmed (and said as much before the investigators announced their findings).

“I know that as a former federal prosecutor, the way you stop bad things from happening is you get a Title III wiretap or a FISA, you listen to the communications, and then you intervene at the right time and stop the bad act from happening,” McCaul said. “So if they can communicate in darkness, and we can’t shine a light on their dark communications, we won’t have the ability to stop these terrorist events.”

The Texas Republican partnered with Virginia Democratic Rep. Mark Warner last month to announce their intention to create a congressional commission, similar to the 9/11 commission, to facilitate discussion on encryption between the private sector, lawmakers and representatives from law enforcement and intelligence agencies, including FBI, NSA and CIA, to work on a technological solution.

While McCaul said none of the necessary parties are currently talking, Comey has repeatedly told Congress he’s been in discussions with Internet service providers about encryption for the last year, and during his last report to Congress, said the tone of those talks was improving.

Last Friday the White House gathered top administration, law enforcement, intelligence and tech policy heads including Comey, NSA Director Mike Rogers, Director of National Intelligence James Clapper, Attorney General Loretta Lynch, Deputy Secretary of State Tony Blinken, Chief Technology Officer Megan Smith, White House Chief of Staff Denis McDonough and White House tech adviser Todd Park to meet with representatives from Silicon Valley including Apple, Google, Facebook and Twitter, to discuss encryption and the Islamic State’s use of social media to radicalize extremists.

After the attacks in Paris and San Bernardino last month, President Obama said his administration would engage in talks with Silicon Valley and announce a new policy proposal on encryption, which reports indicate the White House is poised to deliver.

“It’s a stalemate,” McCaul said. “And I think if Congress forces them to communicate and report recommendations and findings, that’s the best way to do that.”

The chairman added tackling terrorists’ use of social media to inspire homegrown attacks is an essential part of accomplishing the same goal.

“We’re seeing 200,000 tweets per day coming out of Iraq and Syria to do just that,” McCaul said. “We’ve had 79 ISIS-related arrests in this country. It’s hugely significant.”

McCaul criticized President Obama’s State of the Union address Tuesday night for downplaying the threat posed to Americans by ISIS. During the speech, the president said he recognized it’s a “dangerous time,” but criticized the “rhetoric” meant to scare Americans into votes coming out the GOP presidential nomination race.

“The United States of America is the most powerful nation on Earth. Period. It’s not even close,” the president said in his annual — and Obama’s final — address to Congress Tuesday night.

“I’m convinced there are cells we don’t know about that are actively plotting,” McCaul said. “And if we can’t see their communications, then that raises the stakes eve higher.”

Follow Giuseppe on Twitter