Hayes said having an update to CALEA or some other standard as well as financial incentives to break encryption would especially help investigators in ongoing investigations once they have recovered devices. While a U.S. law probably wouldn't apply to other countries or to many encryption app makers outside of the country, it could serve as a starting point for addressing a difficult problem, Hayes and others said.
Senate bill on encryption in the works
The chairman of the Senate Intelligence Committee, Sen. Richard Burr (R-N.C.), is working on encryption legislation, which has not yet been introduced, according to Hill staffers on Thursday. Details were not available.
Burr and U.S. Sen. Dianne Feinstein (D-Calif.) introduced separate legislation on Dec. 8 to require tech companies to report online terrorist activity to law enforcement. That legislation does not currently mandate that tech companies decrypt communications and pertains primarily to social media activities by potential terrorists.
Sen. Mark Warner, D-Va., is also studying ways to deal with encryption used by terrorists, a spokeswoman said.
Tracking encrypted communications prior to an attack poses greater difficulties than trying to break encryption on a recovered terrorist's phone, since intelligence officials need to know which terrorist and which phone to pinpoint beforehand. It's a daunting task, considering the billions of phones in use, and the limitations of tracking technology.
"You won't listen [to] or track someone's encrypted communications unless [you] know they are a target," said Gartner analyst Avivah Litan. "You first have to narrow down who you are listening to and then start eavesdropping."
Litan said of FBI director James Comey and others: "They have a point about how they would like to read these encrypted communications and that tech companies are stopping them, but they don't recognize encryption is a moving target and that the bad guys will find their own private encryption."
Comey has repeatedly said he doesn't want to force tech companies to turn over encryption keys or provide back doors to encrypted data, and has urged companies to comply voluntarily.
In fact, FBI spokesman Christopher Allen said on Thursday in an email to Computerworld, "Just to be clear, the FBI supports strong encryption." He didn't elaborate.
Litan said the focus by Comey and lawmakers should be on better coordination between intelligence agencies inside the U.S. and in other countries, instead of primarily on breaking encryption.
Other tech tools outside encryption
"If intelligence groups can't decrypt messages, there are still other electronic signs to follow," Litan said. "Good intelligence people tell me that there is always other information available to correlate information for attacks. Sure, it's better to listen in, but not having that ability is not a showstopper."