Rep. Ted Lieu has been an outspoken advocate of encryption on Capitol Hill and has sought to raise awareness of straightforward security practices that anyone can take to protect themselves in cyberspace. The California Democrat breaks down what’s at stake with these issues and discusses how he approaches them.
CyberScoop: In a 2014 speech, then-FBI Director James Comey famously threw gasoline on the “crypto wars” fire by lamenting a “going dark” problem that encrypted communications posed to law enforcement access to data. In the years since, as the FBI has frequently reiterated this concern, have lawmakers gotten more measured in their discussions of encryption?
Rep. Ted Lieu: I think it’s somewhat better than before largely because Comey made an issue of it, which then caused at least members of Congress on relevant committees [and their staffs] to engage on the issue.
So I think somewhat more members of Congress are aware of encryption and how important it is. We need to have stronger encryption, not weaker. And I think more and more people understand that encryption is what allows our banking system to operate, it’s what allows our military to conduct its missions, and to weaken it is just really dumb.
CS: In June, you were part of a bipartisan group of lawmakers that introduced a bill to preempt attempts to weaken encryption at the state level. What was the impetus for that?
TL: In my home state of California … a state legislator introduced a bill that was going to basically regulate encryption for consumer products such as the iPhone. And that just would not have worked. You can’t have different states with different encryption standards [for] consumer products. This really should be an issue that is dealt with at the federal level and I think we need to preempt states from engaging on it because it’s completely unworkable to have different encryption mandates for different states.
CS: The Trump administration in May eliminated the White House cybersecurity coordinator position, a move the administration says cuts down on bureaucracy but which you and other lawmakers have criticized and sought to reverse. What’s at stake in U.S. cybersecurity policy with this position?
TL: My view is we should actually be increasing the capacity and staff at the cyber coordinator’s office, not terminating that position. We should actually be trying to invest more in cybersecurity. And this administration, for whatever bizarre reason, chose to go the other way.
[White House national security adviser] John Bolton has a lot of experience in foreign policy. [It’s] not clear to me [that] he knows a lot about cybersecurity. And so if he wants to take on that challenge, more power to him. But I don’t think he’s particularly well suited to do that. [It’s] not clear to me why he wouldn’t want a cybersecurity coordinator. And I think it was the wrong move by the administration.
CS: When you were studying computer science as an undergraduate at Stanford decades ago, did you ever imagine that this issue would have such national and international importance?
TL: I was very aware of hacking. [At the time], I don’t think I fully understood all of the implications of it at the federal level.
So for example, more than 20 million security clearance forms were stolen from the federal government [in the 2015 Office of Personnel Management data breach]. That is a monumental amount of data that could result in a huge national security catastrophe. All sorts of blackmail can happen from that.
CS: Do you walk the walk by using encrypted communications and other recommended security practices?
TL: On my social media, I use two-factor authentication.
I’ve actually taken the position that whatever I do I should be comfortable with it appearing on the front page of The Washington Post the next day. And if I’m not, I probably shouldn’t do it.
CS: Do you use Signal?
TL: [I use] WhatsApp.
CS: During an April 2016 episode of “60 Minutes,” you highlighted the risk of someone using a flaw in the SS7 telephony protocol to intercept call data. How concerned are you today by that vulnerability?
TL: [It’s] still not fixed. It’s [been] mitigated, not fixed.
The chances of a foreign intelligence service or criminal syndicate doing that to an everyday American? Not high. But they could do it on a CEO or a member of the executive branch in national security affairs. So it still remains a problem.
I think it’s a huge problem, based on public reporting, if it’s true, that the president of the United States just goes and makes calls on his [personal] cell phone.
The chance of someone using the SS7 flaw to access your phone is probably not that high. But there are so many more easy ways for you to get hacked through your phone. One is just logging onto public Wi-Fi. And if you’re at Starbucks and if you see “Starbucks” or “Starbucks_1,” or “Starbucks 1” and you don’t know which one is the right one, and you click the one that’s a hacker sitting 20 feet away, you just lost all of your information.
So I advise people: Just don’t use public Wi-Fi unless you’re very certain of that address. And just spend a little money [to] get you on a mobile hotspot.