[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]
THE SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TELECOMMUNICATIONS,
TRADE, AND CONSUMER PROTECTION
of the
COMMITTEE ON COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
on
H.R. 850
__________
MAY 25, 1999
__________
Serial No. 106-28
__________
Printed for the use of the Committee on Commerce
U.S. GOVERNMENT PRINTING OFFICE
57-448CC WASHINGTON : 1999
COMMITTEE ON COMMERCE
TOM BLILEY, Virginia, Chairman
Majority members:
W.J. ``BILLY'' TAUZIN, Louisiana
MICHAEL G. OXLEY, Ohio
MICHAEL BILIRAKIS, Florida
JOE BARTON, Texas
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio, Vice Chairman
JAMES C. GREENWOOD, Pennsylvania
CHRISTOPHER COX, California
NATHAN DEAL, Georgia
STEVE LARGENT, Oklahoma
RICHARD BURR, North Carolina
BRIAN P. BILBRAY, California
ED WHITFIELD, Kentucky
GREG GANSKE, Iowa
CHARLIE NORWOOD, Georgia
TOM A. COBURN, Oklahoma
RICK LAZIO, New York
BARBARA CUBIN, Wyoming
JAMES E. ROGAN, California
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES W. ``CHIP'' PICKERING, Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland
Minority members:
JOHN D. DINGELL, Michigan
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RALPH M. HALL, Texas
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
PETER DEUTSCH, Florida
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
RON KLINK, Pennsylvania
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
THOMAS C. SAWYER, Ohio
ALBERT R. WYNN, Maryland
GENE GREEN, Texas
KAREN McCARTHY, Missouri
TED STRICKLAND, Ohio
DIANA DeGETTE, Colorado
THOMAS M. BARRETT, Wisconsin
BILL LUTHER, Minnesota
LOIS CAPPS, California
James E. Derderian, Chief of Staff
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Telecommunications, Trade, and Consumer Protection
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
Majority members:
MICHAEL G. OXLEY, Ohio, Vice Chairman
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
CHRISTOPHER COX, California
NATHAN DEAL, Georgia
STEVE LARGENT, Oklahoma
BARBARA CUBIN, Wyoming
JAMES E. ROGAN, California
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
CHARLES W. ``CHIP'' PICKERING, Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ROBERT L. EHRLICH, Jr., Maryland
TOM BLILEY, Virginia (Ex Officio)
Minority members:
EDWARD J. MARKEY, Massachusetts
RICK BOUCHER, Virginia
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
ALBERT R. WYNN, Maryland
BILL LUTHER, Minnesota
RON KLINK, Pennsylvania
THOMAS C. SAWYER, Ohio
GENE GREEN, Texas
KAREN McCARTHY, Missouri
JOHN D. DINGELL, Michigan (Ex Officio)
C O N T E N T S
__________
Testimony of:
Arnold, Thomas, Vice President and Chief Technology Officer, Cybersource Corporation
Dawson, David D., Chairman and CEO, V-One Corporation
Gillespie, Ed, Executive Director, Americans for Computer Privacy
Holahan, Paddy, Executive Vice President, Marketing, Baltimore Technologies, International Finance Services Centre
Hornstein, Richard, General Counsel, Network Associates, Inc.
Lee, Hon. Ronald D., Associate Deputy Attorney General, Department of Justice
McNamara, Hon. Barbara A., Deputy Director, National Security Agency
Reinsch, Hon. William A., Under Secretary of Commerce for Export Administration, Department of Commerce
Schultz, E. Eugene, Trusted Security Advisor, Global Integrity Corporation
Material submitted for the record by:
Goodlatte, Hon. Bob, a Representative in Congress from the State of Virginia, prepared statement of
Schultz, E. Eugene, Trusted Security Advisor and Research Director, Global Integrity Corporation, letter dated June 1, 1999, to Hon. W.J. Tauzin, enclosing response for the record
THE SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
----------
TUESDAY, MAY 25, 1999
House of Representatives,
Committee on Commerce,
Subcommittee on Telecommunications,
Trade, and Consumer Protection
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2322, Rayburn House Office Building, Hon. W.J. ``Billy''
Tauzin (chairman) presiding.
Members present: Representatives Tauzin, Oxley, Stearns,
Gillmor, Deal, Largent, Cubin, Rogan, Shimkus, Ehrlich, Bliley
(ex officio); Markey, Eshoo, Wynn, Luther, Sawyer, McCarthy,
and Dingell (ex officio).
Staff present: Mike O'Rielly, majority professional staff;
Cliff Riccio, legislative clerk; and Andy Levin, minority
counsel.
Mr. Tauzin. The hearing will please come to order.
Let me welcome you again. We have assembled a very large
but extraordinarily intelligent and informed panel for our
subcommittee as we begin thinking in advance about how, in
fact, to enter the world of or--rather, the world will be more
and more in a digital, highly encrypted age.
We have learned over the past few years that encryption can
play an integral role in the development of the digital
economy. Individual consumers are looking for certainty and
trust when they operate on-line. Our business community wants
to integrate encryption into their products and into their
daily practices. They also want an opportunity to foil the
hacker, the spy, the crook, or competing company before it is
too late. Encryption is becoming the modern day door lock. It
literally is the dead bolt of the next millennium.
Unfortunately, for all the benefits in encryption, there is
a downside. For every legitimate company and person that uses
an encryption product, there is a good chance that product can
be used for illegal purposes as well. As complex, as
mathematically dynamic as they become, encryption products do
not discriminate. They treat each user the same, protect each
bit of information the same. Thus, the encryption product used
to protect the transfer of the new fashion designs from Milan
to New York can also be used by terrorists to protect plans for
the next attack on innocent civilians.
The Clinton administration and previous administrations
before it have treated encryption products guardedly. They see
the potentially harmful effects of encryption products and want
to keep these products from being used without proper caution
or proper approval. To be more accurate, the administration's
encryption policy reflects diverging purposes. On the one hand,
the administration, led by the intelligence community, wants to
contain encryption products from being used abroad more often
and interfering with their ability to conduct intelligence
gathering. On the other hand, the law enforcement community
wants to manipulate the design of encryption products to ensure
they can obtain access to the encrypted material as needed with
proper authorization.
The current policy, based on good and proper intentions, is
a failure. I believe that it is impossible to contain the use
of encryption products. In fact, the only encryption products
that we are containing are American products from being used
internationally.
The world economy is now interdependent. The digital
economy is even more dependent on interacting, communicating
and conducting business globally. Instead of recognizing this
fact, our containment strategy has put ankle-bracelets on
American companies. We expect them to thrive and compete, but
we put a roadblock in their way. I am glad to see we have a
foreign encryption producer here today to talk about
international treatment of encryption and how their business is
going.
The law enforcement community makes a stronger case for
their position, but it, too, does not survive scrutiny. If
they were successful, U.S. encryption products would dominate
the world, and they would contain a vital component that allows
for the decryption of sensitive material on command of a court
order. In their view, the faster acceptable American encryption
products are created and used, the better.
Unfortunately, this position ignores some very simple
facts: the back-door or recoverable mechanisms cannot be forced
on current encryption manufacturers. In some market segments,
recoverable products could be successful; in others, it will
not. In the meantime, the benefits of encryption are delayed or
prevented from reaching the needed user. Our law enforcement
community cannot force foreign producers in fact to build
recoverable products.
I am reminded of an analogy told by a high-technology
company on the subject of encryption. When asked whether they
could build recoverable products, he said this was like you
asking the creators of the atomic bomb to develop a mechanism
to put the world back together if it turns out that it
shouldn't have been detonated, or it is like asking a farmer to
put the egg back together after it has been cooked, eaten and
digested.
So I come from the perspective that there are two truths
about the debate over encryption products: One, we are
unsuccessfully hamstringing U.S. encryption producers and those
that want to incorporate encryption into their products based
on false pretenses; and, two, the only way that current policy
is going to change is for Congress to take action.
The administration likes to play both sides of the issue,
and when it looks as though the political pressure is too hot,
they make slight changes to the policy. They modified their
policy late last year to provide relief for certain market
segments, but what happens if you are not in one of those
targeted segments? The simple answer is, you are out of luck;
and this is no longer acceptable. That is why I am a supporter
and cosponsor of H.R. 850.
H.R. 850 would relax current restrictions to permit export
of encryption of any strength without being recoverable. I
would be remiss if I didn't point out that while H.R. 850 is a
step in the right direction, the bill is missing certain
concepts. The Commerce Committee did a great job, I think, on
the development of an encryption high-tech laboratory to
promote cooperation and the sharing of knowledge between law
enforcement and the encryption-producing community. It is our
hope that this concept will be continued.
In addition, encryption products have the ability to
protect and secure today's communications network, the
telecommunications network and the Internet, in ways that are
necessary, especially as the dependency of these networks on
foreign networks increases. With our jurisdiction over commerce
generally, and our expertise on communications policy
specifically, I hope we will take the necessary time to improve
this bill before us to reflect this aspect of the debate.
I should add, parenthetically, as you know, the Ninth
Circuit has entered into this debate. The Ninth Circuit has
generally declared the export ban on encryption products to be
unconstitutional on the theory that encryption is, in fact, a
part of free speech, that without encrypted products, our free
speech in this country and around the world would not
adequately be protected as the Constitution envisioned.
In that regard, the administration faces the prospect of a
decision on whether to appeal that decision. I will be joining
with a number of members in a letter to the administration
urging them not to appeal the Ninth Circuit decision, rather,
to work with us in this committee and in this Congress to pass
H.R. 850 with, as I said, the work of this committee
perfecting it in the process; and I would urge other members to
consider joining me in that request to the administration to
join us in this legislative effort, rather than to pursue a
long and extended appeal of the Ninth Circuit decision to the
Supreme Court.
I look forward to hearing the witnesses and recognize now
the ranking minority member from Massachusetts, my good friend,
Mr. Markey.
Mr. Markey. Thank you, Mr. Chairman. Thank you so much for
having this hearing today.
This issue is a very difficult one from a public policy
perspective. Policymakers are asked to balance personal
security and freedom with national security and freedom to
enable better privacy protection but to also help law
enforcement fight crime and to simultaneously salute our clear,
economic interests in promoting commercial exporting
opportunities of encrypted products and services. During
committee deliberations on this encryption legislation in the
last session of Congress, I successfully offered an amendment
that tried to strike a balance.
There is no member of this committee who is unsympathetic
to the plight of law enforcement during this time of profound
and rapid technological change. There is no member of this
committee who is unwilling to place certain restrictions on the
most highly sophisticated encryption that would pose national
security risks. The problem is that our export controls today
have not fully kept up with advances in technology or with the
general availability of that technology in commercial products.
Last session I suggested that in headlong pursuit of trying
to help law enforcement officials fight crime we ought not rush
into adopting rules, regulations or instigating government
intrusion into the high-tech marketplace unless we are sure
that the proposed solution solves the problem.
I remain convinced that proposals from the law enforcement
community need additional work and further analysis. I
understand their frustration; and, last session, my amendment
tried to get law enforcement the additional tools they need to
fight crime. I suggested that the high-tech industry should
assist law enforcement and create a national electronic
technologies center, a net center, to serve local, State, and
Federal law enforcement authorities by providing information
and assistance regarding the encryption technologies and
techniques.
I still believe that this initiative is preferable to a
policy that would place for the first time controls on the
domestic use of encryption by American citizens and thereby
mandate how every American citizen protects his or her
electronic security. I pledge to continue to try to work with
the national security and law enforcement communities in trying
to fashion a common-sense encryption policy.
The high-tech industry has been highly organized in its
effort to liberalize and update U.S. policy toward the export
of encryption software and related policies. It has correctly
identified the commercial imperative by opening up
opportunities for U.S. companies to compete overseas in these
critical, knowledge-based industries.
The industry has also been quick to point out that strong
encryption can help thwart crime. Moreover, the high-tech
industry has noted that strong encryption can also avail
customers of greater privacy protection; and the industry has
been eager to assist consumers by creating products that permit
people to safeguard their personal conversations or data files.
For all of these efforts, I wholeheartedly commend the
high-tech industry. I only wish that the industry would be
equally zealous in protecting the privacies of consumers when
its commercial interests are more complicated, whether it is
the Intel Pentium III chip or unique identifiers in Windows
software or E-commerce products yet to come. With respect to
transactional on-line privacy, the industry has been less
attentive to balancing security interests with personal privacy
while consumers are on-line.
A recent survey conducted by the Georgetown Business School
of on-line websites found that upwards of 90 percent of the
sites collected personal information from consumers. However,
for the privacy criteria generally perceived as embodying fair
information practices, such as consumer notice, consumer
choice, access, security and contract information, the raw
numbers from the survey are sobering. Only 9.5 percent of the
entire survey sample contained these basic privacy criteria.
Even at the top 100 most visited websites, only 19 percent have
privacy policies consisting of accepting fair information
practice criteria.
It is one thing to post your privacy policy, but it is an
entirely separate issue as to whether or not that posted policy
is anything more than a grudging acknowledgment that a website
collects and discloses personal information without any
consumer control over such collection of disclosure.
I hope we can make progress on that issue, as well as
making progress on the encryption policy. It is the flip side
of the same coin, and I believe that the industry has the same
obligation to consumers in protecting them against companies
compromising personal information as they do protecting them
from the government compromising their personal information.
From the consumer's perspective, there is no difference; and I
am going to ask the witnesses today to tell me how they stand
on this issue.
I thank you, Mr. Chairman.
Mr. Tauzin. Thank you, Mr. Chairman, Mr. Markey.
We are pleased now to welcome the chairman of the full
committee, the gentleman from Richmond, Virginia, Mr. Bliley.
Since he is the most important member here, we will encrypt his
testimony. We will supply you with it encoded.
Mr. Bliley, for an opening.
Chairman Bliley. Thank you, Mr. Chairman. I want to thank
you for yielding to me and holding this hearing.
The subcommittee meets to consider H.R. 850, a bill to
provide export relief for certain encryption products. This
is not a new issue. The Commerce Committee reported export
relief legislation 2 years ago.
In 1997, we learned firsthand how contentious and important
this issue is to all parties involved. The law enforcement and
intelligence communities argued passionately that the current
policy is workable and necessary for them to do what we expect
from them. On the other hand, the high-tech community, the
companies that are fueling our Nation's economies and producing
dramatic innovation, argues strongly that the current policy is
based on faulty logic and is directly harmful to their ability
to compete internationally. They also point out that, while
they are harmed by U.S. policy, American consumers and the
growth of electronic commerce are harmed just as well.
The Commerce Committee has been a leader in opening the
landscape for electronic commerce. We take seriously our role
in promoting electronic commerce; and, for instance, I have
introduced legislation dealing with the electronic signatures
and the scope of data base protection, both of which the
committee will turn to very soon. I support the effort to
revise our Nation's export policy with regards to encryption to
reflect a current availability of encryption products and the
benefits of stronger products.
The administration's policy of today is unworkable and an
impediment to the U.S. encryption producers and users. We need
the policy to change. It is hard to restrict U.S. companies
from selling 128-bit encryption products when the same product
can be bought from an Israeli, French or Irish company. The
administration has tried to minimize opposition to its policy
by providing limited relief for certain sectors in certain type
of companies.
This policy is partly based on the idea that containing
U.S. encryption products will aid our national security. The
administration has attempted to sell this approach in an
international forum with little success or resulting in vague
promises.
The current piecemeal encryption policy does nothing for
the multiple companies that want to integrate encryption into
their products as an add-on feature. For instance, foreign
software companies selling word processing products are using
the U.S. restrictions as a marketing tool to sell their
products over American companies. This current policy also lets
uncertainty rule the day. We have been in contact with numerous
electronic commerce firms that are trying to fight through the
new rules to figure if they qualify or don't qualify for
licensing exception and thus are able to provide service
consumers want.
With that said, I am always interested in trying to find a
compromise, if possible. If there is room for agreement that
can help law enforcement or protect national security without
codifying the current policy, I want to know about it.
We will move encryption legislation soon in this committee,
and is H.R. 850 the best approach to do this? Should changes be
made to the bill? Should we consider another approach like the
one introduced by Senator McCain in the Senate?
I look forward to hearing from the panelists today on these
important issues; and thank you again, Mr. Chairman, for
yielding me the time.
Mr. Tauzin. I thank you, Mr. Chairman, the leader of the
Virginia high-tech crowd. I read about you guys in The
Washington Post.
I am pleased now----
Chairman Bliley. Don't believe everything you read in the
Post.
Mr. Tauzin. The Chair is pleased now to welcome the ranking
minority member of the full committee, the Honorable John
Dingell from Michigan.
Mr. Dingell. Mr. Chairman, thank you for the recognition;
and, Mr. Chairman, thank you for holding this hearing today. It
is very important. This is not an easy subject. The committee
has grappled with this matter for a number of years.
Unfortunately, we have had little success in finding the right
solution.
As each day goes by, technological advances create a
greater need for a coherent national policy. I hope that, as
the need for that solution becomes more compelling, this
committee will redouble its efforts to find a sensible,
rational middle ground that balances the crucial interests at
stake.
We lead the world in production of computer hardware and
software. Technology is an engine which drives the global
economy and drives the U.S. economy. We should not idly sit by
and let U.S. companies lose in the marketplace because they
cannot deliver the kind of secure products and services
customers demand.
But as we will hear from our witnesses today, I am sure,
the advent of increasingly sophisticated technologies is a
double-edged sword. It can make global commerce and
communications more secure. It can also make national security
and law enforcement less so. We all know too well even in the
post-Cold-War era the wars against international terrorism,
espionage and human rights abuses continue unabated, and
significant threats exist to this country from activities of
people, not its friends, both in the military and espionage
sense, and also from the standpoint of crime, drugs and matters
of that sort.
Mr. Chairman, we have an important duty to see to it that
we protect all of the vital interests of the United States in
foreign commerce and communications. Thus, we have an important
need to address the concerns of the administration with regard
to security, which is very difficult. I am not quite sure how
it can be done or how it will be done, but I hope that we will
work very hard on this particular point. And I am prepared to
work with you to try and craft a sensible, national encryption
policy we can all support.
I yield back the balance of my time.
Mr. Tauzin. I thank the gentleman from Michigan.
And the Chair is now pleased to recognize the vice chairman
of the subcommittee, the gentleman from Ohio, Mr. Oxley.
Mr. Oxley. Thank you, Mr. Chairman, and welcome to our
distinguished witnesses.
Mr. Chairman, I take a back seat to no one when it comes to
matters of international free trade, U.S. export promotion, and
support for our high-tech industries. You will find not a
stronger advocate for U.S. firms seeking to penetrate foreign
markets.
American companies are world leaders in encryption and
other cutting edge technologies. They should be able to export
their products to our trade partners around the globe. In fact,
I would support the legislation before us if it were needed and
took into serious account U.S. national security interests.
There is no doubt in my mind that American firms have the
ability to produce the most powerful, most impenetrable
encryption products in the world.
I do not question the value of this technology for purposes
of protecting electronic commerce, consumer privacy, and
proprietary information. We need this technology, and so do our
trading partners.
We do not, however, need this legislation. It is
unnecessary, given the administration's regular review and
modernization of U.S. encryption policy. More importantly, the
bill as drafted represents a real threat to national
security and public safety in the United States.
I would refer the members to the closed briefing that we
received last year from the various security agencies,
including the FBI and the CIA. I would certainly recommend that
we have a similar briefing before we move on this bill.
Mr. Chairman, there can be no doubt that the power of
encryption technology in criminal hands or the hands of enemies
of the United States can be turned to ill purposes with
devastating consequences for members of a free society. I am
speaking here of terrorists, antigovernment militants, rogue
regimes, organized crime syndicates, drug cartels, child
pornographers, kidnapers, pedophiles.
Not only would this legislation assist those who would use
this technology to conceal their crimes from surveillance by
our intelligence and law enforcement agencies, it would also
undercut international efforts to control the proliferation of
unbreakable encryption.
The enactment of H.R. 850 would make powerful encryption
all the more available to our adversaries. It would undermine
the agreement reached last December to improve multilateral
export controls under the Wassenaar Agreement. The 33
signatories to that agreement represent the bulk of encryption-
producing countries.
Furthermore, this legislation is not necessary. The
administration has provided significant relief from the export
controls where it can safely do so, which I applaud.
Fifty-six-bit encryption products may be exported after a
one-time review. Products above 56 bits may be exported for use
by the subsidiaries of American firms, except those located in
terrorist nations. They may be exported to 45 friendly nations
to be used by banking, financial, medical, insurance, and on-
line companies. Products above 56 bits may also be exported to
other commercial firms if they are recoverable, as in the
industry-developed ``doorbell'' approach.
Mr. Chairman, this is the kind of careful, reasoned
approach to relaxing our export controls that is called for in
a matter of this seriousness. I find it highly ironic that on
the day that we receive the recommendations of the bipartisan
commission report on high-tech transfers to China, which
includes suggestions to strengthen our export system, we are
considering legislation to undermine our multilateral export
control system for encryption. It is unwise, and I fear we will
live to regret it.
I yield back the balance of my time.
Mr. Tauzin. Thank the gentleman.
The Chair is now pleased to recognize the gentleman also
from Ohio, Mr. Sawyer, for an opening statement.
Mr. Sawyer. Thank you, Mr. Chairman, for the recognition
and for having this hearing.
It has been almost 2 years since the subcommittee held its
last hearing on this subject. The full committee passed it at
the end of September in 1997. This bill never came to the
floor, as you well know.
Not much has changed since that time in terms of the United
States' policy and allowing companies to manufacture, use, and
sell stronger encryption products. We continue to limit the
availability of strong encryption, while discouraging
exportation of encryption software.
What really has changed is we have a new chairman of the
Rules Committee. I am not sure what his positions on this kind
of legislation are, but it may make a difference.
I hope the subcommittee and the full committee will once
again have the resolve to address the issues that are raised by
H.R. 850.
Let me just say that I recognize the concerns of the law
enforcement community. I think we need, as several members have
mentioned, to find ways to address those concerns and make sure
they have the tools to do their jobs effectively. But it just
seems to me that for some time the genie has been out of the
bottle. In fact, we have a bottle whose neck is very tightly
sealed, the cork is embedded and very much in place, but there
is no bottom left on the bottle. And that is a reality that we
simply have to be able to address.
We are in a new era, as everybody is fond of saying. We
have simply got to alter our policy to give consumers greater
insurance that their communications and data are as private as
possible and so that we might compete with our international
counterparts, particularly American companies that find
themselves doing business throughout the world, in settings
where they need to be as protected as they like to feel at
home.
Mr. Chairman, let me thank you again for scheduling this
hearing. I look forward to hearing from our witnesses.
Mr. Tauzin. I thank my friend; and the Chair now yields for
an opening statement to the gentleman from Illinois, Mr.
Shimkus.
Mr. Shimkus. Thank you, Mr. Chairman.
I just want to welcome the panel, and I will turn back my
balance of time to get started.
Mr. Tauzin. The Chair will recognize the gentleman from
Maryland, Mr. Ehrlich, for an opening statement.
Mr. Ehrlich. I have no opening statement. I would like to
make a brief comment.
As a new member of the committee, this is certainly one of
the more difficult issues that has been brought to my
attention. I look forward to the comments of the panel, the
impressive panel before us. What makes it very difficult,
people for whom I have great respect in this area have quite
diverse views, to say the least. So I look forward to a very
good debate today.
Thank you, I yield back.
Mr. Tauzin. I thank the gentleman.
I might point out the Chair has presented to me a letter
from the Louisiana Sheriff's Association in favor of H.R. 850.
I don't know how it is in Maryland. The Sheriffs have a good
voice in Louisiana.
The gentleman from Georgia, Mr. Deal.
Mr. Deal. Mr. Chairman, I don't have an opening statement.
Mr. Tauzin. The gentleman from Oklahoma, Mr. Largent.
Mr. Largent. No.
[Additional statements submitted for the record follow:]
Prepared Statement of Hon. Cliff Stearns, a Representative in Congress
from the State of Florida
Mr. Chairman: Thank you for calling this hearing on the important
issue of encryption and the legislation before us sponsored by our
colleague, Mr. Goodlatte.
After being briefed by FBI Director Freeh during the last Congress
before the mark-up of the same legislation, I was quite concerned with
the security implications of allowing unimpeded export of encryption.
With the current atmosphere of widespread espionage being committed
by the Communist government of China, I am even more concerned with the
export of such encryption products. Just imagine the Chinese encrypting
the nuclear secrets, missile technology, or computer codes they have
stolen from us.
I want to be assured that the passage of this legislation will not
lead to dangerous China becoming more dangerous with the ability to
import U.S. encryption products.
Of course under this Administration, the Chinese have probably
already stolen whatever encryption material they could.
I voted in support of the Goodlatte bill last Congress in
Committee, but supported the effort of Mr. Oxley in his amendment to
restrict exportation for reasons of security and law enforcement. I
look forward to the testimony of the witnesses in regard to efforts to
amend this legislation to further protect U.S. national security.
I also look forward to the witness testimony regarding the
compromise plan that was put forward into use by the Department of
Commerce and whether new legislation is truly needed.
Finally, I would like the witnesses to address the economic impacts
that restriction of encryption products has on U.S. businesses and
whether current U.S. policy is simply forcing U.S. encryption producers
to move off shore and sell their products unimpeded.
Thank you Mr. Chairman.
______
Prepared Statement of Hon. Barbara Cubin, a Representative in Congress
from the State of Wyoming
Thank you, Mr. Chairman, for holding this important hearing on H.R.
850, the Security And Freedom through Encryption (SAFE) Act.
I was a cosponsor of H.R. 695, originally introduced by Rep. Bob
Goodlatte (R-VA) in the last Congress. Unfortunately that bill wasn't
passed into law.
However, I have once again joined Congressman Goodlatte in
supporting legislation, this year in the form of H.R. 850, to ensure
the confidentiality of electronic messages and provide for a realistic
and clear national encryption policy.
Among other things, H.R. 850 would somewhat ease U.S. export
controls on encryption products, thereby providing U.S. individuals and
companies with a greater ability to compete in the international
marketplace.
This Administration has an unfortunate reputation for not providing
a level playing field for American businesses to compete with overseas
competitors in a global market.
I will be interested to hear from the witnesses today to learn what
the Administration is doing to provide and maintain a business climate
that encourages the development of information technology and
encryption software and hardware.
If we expect e-commerce and other electronic transfers to continue
to grow by leaps and bounds we must ensure that those transfers are
safe and secure.
Currently, there are no federal restrictions on domestic encryption
use, and H.R. 850 would not change this situation. However, last year
there was a move in the full Commerce Committee to amend the bill to
place certain restrictions on domestic encryption use.
Instead of adopting domestic restrictions, I'm pleased that the
Commerce Committee approved a substitute amendment which would have, in
part, reaffirmed the policy of no domestic restrictions and would have
required the Commerce Department to conduct an expedited study of the
issue of mandating a system for encryption recovery.
Encryption policy is a difficult balancing act. It forces us to
walk a razor thin line between guaranteeing national security and
protecting people's privacy.
I believe H.R. 850 is an appropriate and realistic approach to
solving this vital national encryption issue.
Mr. Chairman, it is my hope that the Committee moves quickly to
pass this important piece of legislation. I yield back the balance of
my time.
______
Prepared Statement of Hon. Anna Eshoo, a Representative in Congress
from the State of California
Thank you, Chairman Tauzin, for calling this hearing on H.R. 850,
the SAFE Act.
I'm pleased that my constituent Tom Arnold representing
CyberSource, is testifying before our Committee today. After working
for NASA at the Ames Research Center in Mountain View, Mr. Arnold went
to the private sector. We look forward to your testimony.
The SAFE Act currently has 252 cosponsors, far more than a majority
of the Members of this House. A majority of the members of this
Committee are cosponsoring this bill. And this Legislation is virtually
the same bill that passed the full Commerce Committee last Congress.
Most if not all of us on the Commerce Committee have heard the
arguments for and against this legislation.
What some may not realize is the development of a cottage industry,
directly linked to the Administration's export control policy. We will
hear today about foreign companies like Siemens, Phillips, and Entrust
who face little or no restrictions on exporting encryption products.
CYBERNETICA, an Estonian data security company, is marketing its
encryption product as having ``No Export Restrictions.''
These companies are flourishing due to our Administration's
encryption policy. More importantly, U.S. companies are suffering.
Consumer demands and technological innovations have driven the
development of encryption technology globally. Commerce Secretary Daley
reported that consumers spent more than $9 billion online last year.
Further, Forrester Research has predicted that E-commerce sales will
reach $108 billion by 2003.
Recent studies also show that the Administration's encryption
policy threatens to cost our economy from $60 to $90 billion dollars
and 200,000 jobs over the next few years.
This legislation ensures that U.S. jobs are not lost to foreign
companies due to our outdated export control policy.
In a global economy that is increasingly not restricted by
boundaries, we no longer can maintain an export control policy
restricted solely to within our borders.
Strong encryption is a key building block of the emerging
information based economy. It is essential to high growth areas of the
New Economy such as E-commerce, online banking, and maintaining the
security of critical information.
Just over two weeks ago, the Ninth Circuit Appeals Court affirmed
an earlier decision that in the name of national defense, the U.S.
government should not restrict the very liberties it is supposed to be
defending, exemplifying the judicial branch's understanding of the
encryption debate.
It is now time for the Legislative Branch to follow suit and pass
the SAFE Act.
I look forward to working with you Mr. Chairman on passing this
bill through our Committee expeditiously.
Mr. Tauzin. Then the Chair is very pleased to welcome our
panel now.
I understand some of you, Ms. McNamara and Mr. Reinsch,
have time delays, so we will try and go through this quickly.
Let me urge you, with a large panel, we have your written
statements in front of us, which we can read and review. If you
would use your 5 minutes wisely, by summarizing, by
conversationally giving us your point of view and hitting the
high points, what you want us to remember about your testimony
today, we would appreciate it. That will give us time to engage
you in a dialog as soon as we can and give you time to make
your appointments this morning.
We will begin by introducing the Honorable Ronald D. Lee,
Associate Deputy Attorney General, United States Department of
Justice. And, Mr. Lee, we welcome your testimony, sir.
Mr. Lee. Thank you, Mr. Chairman. With the Chair's
indulgence, I would ask that Mr. Reinsch precede me.
Mr. Tauzin. If that is--I have no objection.
Mr. Reinsch, do you want to go first? You are on, sir.
Mr. Reinsch. We have a traveling show, Mr. Chairman; and we
usually present it in the same order.
Mr. Tauzin. This is William Reinsch, the Under Secretary of
Commerce for Export Administration, the United States
Department of Commerce.
Mr. Reinsch.
STATEMENT OF HON. WILLIAM A. REINSCH, UNDER SECRETARY OF
COMMERCE FOR EXPORT ADMINISTRATION, DEPARTMENT OF COMMERCE
Mr. Reinsch. Thank you. I wouldn't want the subcommittee to
think that we are incapable of innovation, but I think there is
some flow to our comments that might make more sense if
delivered in the right order.
Let me make an abbreviated version of my statement. I
appreciate you putting the full one in the record.
It is a pleasure to be back, Mr. Chairman, to discuss one
of my favorite subjects. We think we made some progress,
notwithstanding the comments of some of the members of the
committee, on our policy since the last time I appeared. It is
obvious, though, even from this morning's remarks, that
encryption remains a hotly debated issue.
We continue to support a balanced approach which considers
privacy and commerce as well as protecting important law
enforcement and national security equities. We have been
consulting closely with industry and its customers to develop a
policy that provides that balance in a way that also reflects
the evolving realities of the marketplace.
The Internet and other digital media are becoming
increasingly important to the conduct of international
business. My full statement supplies a number of statistics on
that point, and I won't go into that in detail.
It is clear, though, that in addition to the rapid growth
of E-commerce, businesses also maintain their records and other
proprietary information electronically. They conduct day-to-day
communications and business transactions through the Internet
and E-mail. An inevitable by-product of this growth is the need
for strong encryption to provide the necessary secure
infrastructure for digital communications, transactions and
networks; and we support that. That is precisely why developing
a new policy has been difficult--because we don't want to
hinder the legitimate use of encryption, particularly for
electronic commerce.
During the past 3 years, through extensive consultations
with the Congress, people at this table and many others in the
industry, we have concluded, among other things, there is no
one-size-fits-all solution; and we have put out a variety of
revisions to our policy to try to address the many different
aspects of encryption.
Last September 22nd, we published a regulation implementing
our decision to allow the export, under a license exception, of
unlimited strength encryption to banks and financial
institutions located in 46 countries, which allows U.S.
companies new opportunities to sell encryption products to the
world's leading economies.
A week earlier, on September 16th, the Vice President
unveiled an overall update to our policy that addresses a
number of the concerns that were expressed today by opening
large markets and further streamlining exports.
That update permits the export of 128-bit encryption
products and higher with or without key recovery to a number of
industry sectors. Now banks, financial institutions, health
facilities and on-line merchants can secure their sensitive
financial, medical and on-line transactions in an electronic
form. This update also allows U.S. companies to export 128-bit
or greater encryption products, including technology to its
subsidiaries located worldwide, to protect its proprietary
information and to develop new products.
Many of the updates permit the export of encryption to
these end users under a license exception. That is, after a
technical review it could be exported by manufacturers,
resellers and distributors without the need for a license or
other additional review.
Our policy is to approve exports of strong encryption to a
list of countries or a set of end users, rather than permit
exports globally, to help protect national security interests.
However, we do have a general policy of approval through
encryption licensing arrangements, similar to bulk licenses,
which allow unlimited shipments of strong encryption to these
sectors worldwide.
Furthermore, our update allows the export of 128-bit or
greater recovery capable or recoverable encryption products
under encryption licensing arrangements. Such products include
those that are readily available in the marketplace, such as
general purpose routers, firewalls and virtual private
networks. These recoverable products are usually managed by a
network or corporate security administrator.
There has been some talk in the opening statements about
our international efforts. In December, through the hard work
of Ambassador Aaron, the President's special envoy, the
Wassenaar Arrangement members agreed on several changes
relating to encryption controls.
Specific changes to multilateral encryption controls
include removing multilateral controls on all encryption
products at or below 56 bits and certain consumer items
regardless of key length.
Most importantly, the Wassenaar members agreed to remove
encryption software from the General Software Note and replace
it with a new Cryptography Note. Drafted in 1991, when banks,
governments and militaries were the primary users of
encryption, the General Software Note allowed countries to
export mass market encryption software without restriction.
That was created to release general purpose software on
personal computers, but it inadvertently also released
encryption. We believe it was essential to modernize the GSN
and close that loophole. Under the cryptography note, mass
market hardware has been added, and a 64-bit key length or
below has been set as an appropriate threshold. This enables
governments to review the dissemination of 64 bit and above
encryption.
Let me be clear, Mr. Chairman, this does not mean that
encryption products of more than 64 bits cannot be exported. As
I just said, our own policy permits that, as do the policies of
most other Wassenaar members. It does mean there has to be a
national review.
Mr. Chairman, let me just say, with respect to H.R. 850,
briefly, it will come as no surprise to you that the
administration opposes this bill, as we did before; and my full
statement goes into greater detail on that.
Let me just say that we believe the bill in letter and
spirit will destroy the balance we worked so hard to achieve.
It would jeopardize our law enforcement and national security
interests; and we believe that the best way to make progress on
this issue is through further constructive dialog with the
Congress, with the industry, and with its many customers.
Thank you very much.
[The prepared statement of William A. Reinsch follows:]
Prepared Statement of William A. Reinsch, Under Secretary for Export
Administration, Department of Commerce
Thank you, Mr. Chairman, for the opportunity to testify on the
direction of the Administration's encryption policy. We have made a
great deal of progress since my last testimony before this Committee on
this subject.
Even so, encryption remains a hotly debated issue. The
Administration continues to support a balanced approach which considers
privacy and commerce as well as protecting important law enforcement
and national security equities. We have been consulting closely with
industry and its customers to develop a policy that provides that
balance in a way that also reflects the evolving realities of the
marketplace.
The Internet and other digital media are becoming increasingly
important to the conduct of international business. There were 43.2
million Internet hosts worldwide last January compared to only 5.8
million in January 1995. One of the many uses of the Internet which
will have a significant effect on our everyday lives is electronic
commerce. According to a recent study, the value of e-commerce
transactions in 1996 was $12 million. The projected value of e-commerce
in 2000 is $2.16 billion. To cite one example, travel booked on
Microsoft's Website has doubled every year since 1997, going from
500,000 to an estimated 2.2 million this year. Many service industries
which traditionally required face-to-face interaction such as banks,
financial institutions and retail merchants are now providing cyber
service. Customers can now sit at their home computers and access their
banking and investment accounts or buy a winter jacket with a few
strokes of their keyboard.
Furthermore, most businesses maintain their records and other
proprietary information electronically. They now conduct many of their
day-to-day communications and business transactions via the Internet
and E-mail. An inevitable byproduct of this growth of electronic
commerce is the need for strong encryption to provide the necessary
secure infrastructure for digital communications, transactions and
networks. The disturbing increase in computer crime and electronic
espionage has made people and businesses wary of posting their private
and company proprietary information on electronic networks if they
believe the infrastructure may not be secure. A robust secure
infrastructure can help allay these fears, and allow electronic
commerce to continue its explosive growth.
Developing a new encryption policy has been complicated because we
do not want to hinder its legitimate use--particularly for electronic
commerce; yet at the same time we want to protect our vital national
security, foreign policy and law enforcement interests. We have
concluded that the best way to accomplish this is to continue a
balanced approach: to promote the development of strong encryption
products that would allow lawful government access to plaintext under
carefully defined circumstances; to promote the legitimate uses of
strong encryption to protect confidentiality; and continue looking for
additional ways to protect important law enforcement and national
security interests.
During the past three years, we have learned that there are many
ways to assist in lawful access. There is no one-size-fits-all
solution. The plans for recovery encryption products we received from
more than sixty companies showed that a number of different technical
approaches to recovery exist. In licensing exports of encryption
products under individual licenses, we also learned that, while some
products may not meet the strict technical criteria of our regulations,
they are nevertheless consistent with our policy goals.
Additionally, we learned that the use of strong non-recovery
encryption within certain trusted industry sectors is an important
component of our policy in order to protect private consumer
information and allow our US high tech industry to maintain its lead in
the information security market while minimizing risk to national
security and law enforcement equities. Taking into account all that we
have learned and reviewing international market trends and realities,
in 1998 we made several changes to our encryption policy that I will
summarize for you.
On September 22, 1998, we published a regulation implementing our
decision to allow the export, under a license exception, of unlimited
strength encryption to banks and financial institutions located in
countries that are members of the Financial Action Task Force or which
have effective anti-money laundering laws. This regulation also allows
exports, under a license exception, of encryption products that are
specially designed for financial transactions. This policy recognizes
the need to secure and safeguard our financial networks, and that the
banking and financial communities have a history of cooperation with
government authorities when information is required to combat financial
and other crimes.
As I mentioned earlier, we have been looking for ways to make our
policy consistent with both market realities and national security and
law enforcement concerns. For more than a year, the Administration has
been engaged in a dialogue with U.S. industry, law enforcement, and
privacy groups on how our policy might be improved to find technical
solutions, in addition to key recovery, that can assist law enforcement
in its efforts to combat crime. At the same time, we wanted to find
ways to assure continued U.S. technology leadership, promote secure
electronic commerce, and protect important privacy concerns. The
purpose of this dialogue was to find cooperative solutions that could
assist law enforcement while protecting national security, plus
assuring continued U.S. technology leadership and promoting the privacy
and security of U.S. firms and citizens in electronic commerce. We
believed then and now that the best way to make progress on this issue
is through a constructive, cooperative dialogue, rather than seeking
legislative solutions. Through our dialogue, there has been increased
understanding among the parties, and we have made progress.
The result of this dialogue was an update to our encryption policy
which Vice President Gore unveiled last September 16. The regulations
implementing the update were published on December 31. This will not
end the debate over encryption controls, but we believe the regulation
addresses some private sector concerns by opening large markets and
further streamlining exports.
The update reduced controls on exports of 56-bit products and, for
certain industry sectors, on exports of products of unlimited bit
length, whether or not they contain recovery features. In developing
our policy we identified key sectors that can form the basis of a
secure infrastructure for communicating and storing information: banks,
a broad range of financial institutions, insurance companies, on-line
merchants, and health facilities. Many of the updates permit the export
of encryption to these end-users under a license exception. That is,
after the product receives a technical review, it can be exported by
manufacturers, resellers and distributors without the need for a
license or other additional review. Specifically, the new policy allows
for:
exports of 56-bit software and most hardware to any end user
under a license exception;
exports of strong encryption, including technology, to U.S.
companies and their subsidiaries under a license exception to
protect important business proprietary information;
exports of strong encryption to the insurance and medical/
health sectors in 46 countries under a license exception for
use in securing proprietary medical and health information;
exports of strong encryption to secure on-line transactions
between on-line merchants and their customers in 46 countries
under a license exception.
``recovery capable'' or ``recoverable'' encryption products of
any key length, such as the ``Doorbell'' products developed by
a number of companies, can now be approved under a kind of bulk
license called an ``encryption licensing arrangement'' to
recipients located in 46 countries. Such products include
systems that are managed by a network or corporate security
administrator.
I would note that these provisions apply to exports of products
with or without key recovery features. One of the aspects of our policy
update is to permit exports of strong encryption with or without key
recovery to protect electronic commerce while also minimizing the risk
to national security and law enforcement. For example, in some cases we
have limited our approval policy to a list of countries or a set of end
users, rather than permit exports on a global basis, to help protect
national security interests.
We have also expanded our policy to encourage the marketing of a
wider variety of ``recoverable'' products that may not be key recovery
in a narrow sense but which may be helpful to law enforcement acting
pursuant to strict legal authorities. Again, these are typically
systems managed by a network or corporate administrator. We also
further streamlined exports of key recovery products by no longer
requiring a review of foreign key recovery agents and no longer
requiring companies to submit business plans.
This past year, we also made progress on developing a common
international approach to encryption controls through the Wassenaar
Arrangement. Established in 1996 as the successor to COCOM, it is a
multilateral export control arrangement among 33 countries whose
purpose is to prevent destabilizing accumulations of arms and civilian
items with military uses in countries or regions of concern. Wassenaar
provides the basis for many of our export controls.
In December, through the hard work of Ambassador David Aaron, the
President's special envoy on encryption, the Wassenaar Arrangement
members agreed on several changes relating to encryption controls.
These changes go a long way toward increasing international security
and public safety by providing countries with a stronger regulatory
framework for managing the spread of robust encryption.
Specific changes to multilateral encryption controls include
removing multilateral controls on all encryption products at or below
56 bits and certain consumer items regardless of key length, such as
entertainment TV systems, DVD products, and cordless telephone
systems designed for home or office use.
Most importantly, the Wassenaar members agreed to remove encryption
software from Wassenaar's General Software Note and replace it with a
new cryptography note. Drafted in 1991, when banks, government and
militaries were the primary users of encryption, the General Software
Note allowed countries to permit the export of mass market encryption
software without restriction. The GSN was created to release general
purpose software used on personal computers, but it inadvertently
encouraged some signatory countries to permit the unrestricted export
of encryption software. It was essential to modernize the GSN and close
the loophole that permitted the uncontrolled export of encryption with
unlimited key length. Under the new cryptography note, mass market
hardware has been added and a 64-bit key length or below has been set
as an appropriate threshold. This will result in government review of
the dissemination of mass market software of up to 64 bits.
I want to be clear that this does not mean encryption products of
more than 64 bits cannot be exported. Our own policy permits that, as
does the policy of most other Wassenaar members. It does mean, however,
that such exports must be reviewed by governments consistent with their
national export control procedures.
Export control policies without a multilateral approach have little
chance of success. Agreement, by the Wassenaar members, to close the
loophole for mass market encryption products is a strong indication
that other countries are beginning to share our public safety and
national security concerns. Contrary to what many people thought two
years ago, we have found that most major encryption producing countries
are interested in developing a harmonized international approach to
encryption controls.
At the same time, we recognize that this is an evolutionary
process, and we intend to continue our dialogue with industry. Our
policy should continue to adapt to technology and market changes. We
will review our policy again this year with a view toward making
further changes. An important component of our review is input from
industry, which we are receiving through our continuing dialogue.
With respect to H.R. 850, the Administration opposes this
legislation as we did its predecessor in the last Congress. The bill
proposes export liberalization far beyond what the Administration can
entertain and which would be contrary to our international export
control obligations. Despite some cosmetic changes the authors have
made, the bill in letter and spirit would destroy the balance we have
worked so hard to achieve and would jeopardize our law enforcement and
national security interests. I defer to other witnesses to describe the
impact of the bill on their equities, but let me describe two of its
other problems.
First, I want to reiterate that this Administration does not seek
controls or restraints on domestic manufacture or use of encryption. We
continue to believe the best way to make progress on ways to assist law
enforcement is through a constructive dialogue. As a result, we see no
need for the statutory prohibitions contained in the bill. Second, once
again we must take exception to the bill's export control provisions.
In particular, the references to IEEPA as I understand them might have
the effect of precluding controls under current circumstances and in
any future situation where the EAA had expired, and the definition of
general availability, as in the past, would preclude export controls
over most software.
In addition, whether intended or not, we believe the bill as
drafted could inhibit the development of key recovery even as a viable
commercial option for those corporations and end users that want it in
order to guarantee access to their data. The Administration has
repeatedly stated that it does not support mandatory key recovery, but
we endorse and encourage development of voluntary key recovery systems,
and, based on industry input, we see growing demand for them,
especially corporate key recovery, that we do not want to cut off.
The Administration does not seek encryption export control
legislation, nor do we believe such legislation is needed. The current
regulatory structure provides for balanced oversight of export controls
and the flexibility needed so that it can continue to promote our
economic, foreign policy and national security interests while
adjusting to advances in technology. This is the best approach to an
encryption policy that promotes secure electronic commerce, maintains
the U.S. lead in information technology, protects privacy, and protects
public safety and national security interests.
As this Committee knows better than most, public debate over
encryption policy has been spirited. Many in the debate have had
difficulty grasping different views or realizing that there is a middle
ground. Our dialogue with industry has gone a long way toward bridging
that gap and finding common ground. We will continue this policy of
cooperative exchange, which is clearly the best way to pursue our
policy objectives of balancing public safety, national security, and
the competitive interests of US companies.
Mr. Tauzin. Thank you.
Mr. Reinsch, the reason--I will hear from all the
witnesses, but if you have to leave before we get to it, one of
the things that I want you to respond in writing to is, what
will be the administration's position if the Ninth Circuit
decision is upheld on that appeal, and how do you plan to
respond to it? It is going to be a serious question.
Mr. Reinsch. I can do that right now, Mr. Chairman.
Mr. Tauzin. I don't want to interrupt. I want to get
everybody in.
And the other thing we may want more information on is more
detail on why you think the draft of H.R. 850 inhibits the
development of voluntary key recovery systems. We would like to
understand that argument a little better.
Mr. Tauzin. The Chair will now turn back to Mr. Lee for his
testimony.
STATEMENT OF HON. RONALD D. LEE, ASSOCIATE DEPUTY ATTORNEY
GENERAL, DEPARTMENT OF JUSTICE
Mr. Lee. Thank you, Mr. Chairman. I have prepared a written
statement, and I will just try to summarize it here.
The Department of Justice and law enforcement agree with
the comments of several members and the Chair that strong
encryption is coming. It is needed. It is needed to protect the
privacy of American citizens. It is needed to promote the
security of, and the confidence that the public places in, our
information infrastructure.
We would be remiss, however, if we did not also state our
deep concern about the threat to public safety posed by the
widespread use of encryption in the hands of criminals and
terrorists. Law enforcement agencies, Federal, State and local
here in the United States, and their counterparts in foreign
countries, have already begun to encounter the use of
encryption in attempts to conceal criminal activity.
We believe that with the growth of encryption and the
growth of digital media generally, the number and complexity of
these cases will certainly increase as encryption becomes
increasingly a feature of our lives.
We must recognize the very real costs to public safety that
the use of encryption by criminals poses. The net result is
easy to state. Agents frequently will not be able to make
effective use of search warrants, wiretap orders and other
legal processes, authorized by Congress and ordered by the
courts after searching review, that are essential to effective
law enforcement investigations today. It will be harder and
harder to investigate, to find evidence of criminal activity
and to prosecute that activity.
In the light of these challenges, the Department of Justice
supports the carefully balanced approach to export controls
that Secretary Reinsch laid out.
The Attorney General, along with the Director of the
Federal Bureau of Investigation and other government officials,
has been engaging industry leaders in a continuing and
cooperative dialog. This dialog has gone on at several levels;
and it has provided us both with an opportunity to explain our
public safety concerns and, just as importantly, perhaps more
importantly for our learning curve, to learn about innovative
solutions that industry has presented.
Both we and industry have found the discussions to be
candid and productive. We are committed to continuing those
discussions. We believe that the current balanced approach is
most conducive to continuing this dialog and these lines of
communication.
The rapid elimination of export controls as proposed in the
Security and Freedom Through Encryption Act would upset this
balance. We believe that passage of the SAFE Act would cause
the further spread of robust encryption products that would be
used by terrorist organizations and other criminals to conceal
their activities and would frustrate the ability of law
enforcement to conduct effective investigations.
We realize that law enforcement has an obligation to
develop its own resources to deal with this problem, as well as
reaching out to others. We have begun initiatives such as the
funding of a centralized technical resource within the FBI
which will support Federal, State and local law enforcement
personnel to develop a broad range of expertise, technologies
and tools. These items will help us respond directly to the
threat to public safety that the use of strong encryption
poses. This resource will also help law enforcement stay
abreast of current technology.
We look forward to working with Congress, with
Congressman Markey and others in discussing this topic so that
law enforcement may continue its mission of protecting public
safety into the future. We do have to explain, however, that no
matter what technology, no matter what resources are developed,
there is no silver bullet, there is no one solution that the
administration and Congress can point to and say, this offers
law enforcement what it needs. Widespread use of nonrecoverable
encryption will quickly overwhelm any possible silver bullet
that could be developed now or in the future.
In light of that, we need to rely on the balanced approach
that we are pursuing. This approach balances the need for
secure, private communications with the equally important need
to protect the safety of the public against threats from
terrorists and criminals. We believe that our counterparts in
foreign law enforcement share these concerns. We look forward
to working with you on this important issue now and in the
future.
Thank you, Mr. Chairman.
[The prepared statement of Ronald D. Lee follows:]
Prepared Statement of Ronald D. Lee, Associate Deputy Attorney General,
Department of Justice
Mr. Chairman, thank you for the opportunity to testify about the
Department of Justice's views on export controls on encryption, and
particularly the proposed Security and Freedom through Encryption
(SAFE) Act, introduced by Mr. Goodlatte as H.R. 850. As you are aware,
export controls on encryption is a complex and difficult issue that we
are attempting to address with our colleagues throughout the
Administration. In my testimony, I will first outline the basic
perspective and recent initiatives of the Department of Justice on
encryption issues, and will then discuss some specific concerns with
the SAFE Act.
The Department of Justice supports the spread of strong,
recoverable encryption. Law enforcement's responsibilities and concerns
include protecting privacy and commerce over our nation's
communications networks. For example, we prosecute under existing laws
those who violate the privacy of others by illegal eavesdropping,
hacking or theft of confidential information. Over the last few years,
the Department has continually pressed for the protection of
confidential information and the privacy of citizens. Furthermore, we
help protect commerce by enforcing the laws, including those that
protect intellectual property rights, and that combat computer and
communications fraud. (In particular, we help to protect the
confidentiality of business data through enforcement of the recently
enacted Economic Espionage Act.) Our support for robust encryption is a
natural outgrowth of our commitment to protecting privacy for personal
and commercial interests.
But the Department of Justice protects more than just privacy. We
also protect public safety and national security against the threats
posed by terrorists, organized crime, foreign intelligence agents, and
others. Moreover, we have the responsibility for preventing,
investigating, and prosecuting serious criminal and terrorist acts when
they are directed against the United States. We are gravely concerned
that the proliferation and use of non-recoverable encryption by
criminal elements would seriously undermine these duties to protect the
American people, even while we favor the spread of strong encryption
products that permit timely and legal law enforcement access to the
plaintext of encrypted, criminally-related information.
The most easily understood example is electronic surveillance.
Court-authorized wiretaps have proven to be one of the most successful
law enforcement tools in preventing and prosecuting serious crimes,
including drug trafficking and terrorism. We have used legal wiretaps
to bring down entire narcotics trafficking organizations, to rescue
young children kidnaped and held hostage, and to assist in a variety of
matters affecting our public safety and national security. In addition,
as society becomes more dependent on computers, evidence of crimes is
increasingly found in stored computer data, which can be searched and
seized pursuant to court-authorized warrants. But if non-recoverable
encryption proliferates, these critical law enforcement tools would be
nullified. Thus, for example, even if the government satisfies the
rigorous legal and procedural requirements for obtaining a wiretap
order, the wiretap would be worthless if the intercepted communications
of the targeted criminals amount to an unintelligible jumble of noises
or symbols. Or we might legally seize the computer of a terrorist and
be unable to read the data identifying his or her targets, plans and
co-conspirators. The potential harm to public safety, law enforcement,
and to the nation's domestic security could be devastating.
I want to emphasize that this concern is not theoretical, nor is it
exaggerated. Although use of encryption is still not universal, we have
already begun to encounter its harmful effects. For example, in an
investigation of a multi-national child pornography ring, investigators
discovered sophisticated encryption used to protect thousands of images
of child pornography that were exchanged among members. Similarly, in
several major hacker cases, the subjects have encrypted computer files,
thereby concealing evidence of serious crimes. In one such case, the
government was unable to determine the full scope of the hacker's
activity because of the use of encryption. The lessons learned from
these investigations are clear: criminals are beginning to learn that
encryption is a powerful tool for keeping their crimes from coming to
light. Moreover, as encryption proliferates and becomes an ordinary
component of mass market items, and as the strength of encryption
products increases, the threat to public safety will increase
proportionately.
Export controls on encryption products have been in place for years
and exist primarily to protect national security and foreign policy
interests. The nation's intelligence gathering efforts often provide
valuable information to law enforcement agencies relating to criminal
or terrorist acts, and we believe that this capability cannot be lost.
Nonetheless, U.S. law enforcement has much greater concerns about the
use of non-recoverable encryption products by criminal elements within
the United States that prevent timely law enforcement access to the
plaintext of lawfully-seized encrypted data and communications relating
to criminal or terrorist activity.
The Department of Justice, and the law enforcement community as a
whole, supports the use of encryption technology to protect data and
communications from unlawful and unauthorized access, disclosure, and
alteration. Additionally, encryption helps to prevent crime by
protecting a range of valuable information over increasingly widespread
and interconnected computer and information networks. At the same time,
we believe that the widespread use of unbreakable encryption by
criminal elements presents a tremendous threat to both public safety
and national security. Accordingly, the law enforcement community
supports the development and widespread use of strong, recoverable
encryption products and services.
The Department believes that encouraging the use of recoverable
encryption products is an important part of protecting business and
personal data as well as protecting public safety. In addition, this
approach continues to find support among businesses and individuals
that foresee a need to recover information that has been encrypted. For
example, a company might find that one of its employees lost his
encryption key, thus accidentally depriving the business of important
and time-sensitive business data. Similarly, a business may find that a
disgruntled employee has encrypted confidential information and then
absconded with the key. In these cases, a plaintext recovery system
promotes important private sector interests. Indeed, as the Government
implements encryption in our own information technology systems, it
also has a business need for plaintext recovery to assure that data and
information that we are statutorily required to maintain are in fact
available at all times. For these reasons, as well as to protect public
safety, the Department has been affirmatively encouraging the voluntary
development of data recovery products, recognizing that only their
ubiquitous use will provide both protection for data and protection of
public safety.
Because we remain concerned with the impact of encryption on the
ability of law enforcement at all levels of government to protect the
public safety, the Department and the FBI are engaged in continuing
discussions with industry in a number of different fora. These ongoing,
productive discussions seek to find creative solutions, in addition to
key recovery, to the dual needs for strong encryption to protect
privacy and plaintext recovery to protect public safety and business
interests. While we still have work to do, these dialogues have been
useful because we have discovered areas of agreement and consensus, and
have found promising areas for seeking compromise solutions to these
difficult issues. While we do not think that there is one magic
technology or solution to all the needs of industry, consumers, and law
enforcement, we believe that by working with those in industry who
create and market encryption products, we can benefit from the
accumulated expertise of industry to gain a better understanding of
technology trends and develop advanced tools that balance privacy and
security.
We believe that a constructive dialogue on these issues is the best
way to make progress, rather than seeking export control legislation.
Largely as a result of the dialogue the Administration has had with
industry, significant progress was made on export controls. Recent
updates were announced by Vice President Gore on September 16, 1998,
and implemented in an interim rule, which was issued on December 31,
1998. The Department of Justice supports these updates to export
controls, which liberalized controls on products that have a bit length
of 56-bits or less, and permit the export of unlimited-strength
encryption to certain industry sectors, including medical facilities
and banks, financial institutions, and insurance companies in most
jurisdictions. These changes allow these sectors, which possess large
amounts of highly personal information, to use products that will
protect the privacy of their clients. We also expanded our policy to
permit recoverable exports, such as systems managed by network
administrators, to foreign commercial firms. We learned about these
systems through our dialogue with industry, and they are largely
consistent with the needs of law enforcement. In addition, the
Department, in conjunction with the rest of the Administration, intends
to continue our dialogue with industry, and will evaluate the export
control process on an ongoing basis in order to ensure that the balance
of interests remains fair to all concerned.
At the same time, the Department of Justice is also trying to
address the threat to public safety from the widespread use of
encryption by enhancing the ability of the Federal Bureau of
Investigation and other law enforcement entities to obtain the
plaintext of encrypted communications. Among the initiatives is the
funding of a centralized technical resource within the FBI. This
resource, when fully established, will support federal, state, and
local law enforcement in developing a broad range of expertise,
technologies, tools, and techniques to respond directly to the threat
to public safety posed by the widespread use of encryption by criminals
and terrorists. It will also allow law enforcement to stay abreast of
rapid changes in technology. Finally, it will enhance the ability of
law enforcement to fully execute the wiretap orders, search warrants,
and other lawful process issued by courts to obtain evidence in
criminal investigations when encryption is encountered.
The proposed Security and Freedom through Encryption Act raises
several concerns from the perspective of the Department of Justice.
First, we share the deep concern of the National Security Agency that
the proposed SAFE Act would harm national security and public safety
interests through the liberalization of export controls far beyond our
current policy, and contrary to our international export control
obligations. We are similarly concerned that a decontrol of unbreakable
encryption will cause the further spread of robust encryption products
to terrorist organizations and international criminals and frustrate
the ability of law enforcement to combat these problems
internationally.
The second problem is that the Act may impede the development of
products that could assist law enforcement to access plaintext even
when also demanded by the marketplace. The Administration believes that
the development of such products is important for a safe society.
Unfortunately, to the extent that this provision would actually
prohibit government from encouraging development of key management
infrastructures and other similar technologies, the provision could
preclude U.S. government agencies from complying with statutory
requirements and would put public safety and national security at risk.
For example, it might preclude the United States government from
utilizing useful and appropriate incentives to use key recovery
techniques. The government might not be able to require its own
contractors to use key recovery or demand its use in the legally
required storage of records regarding such matters as sales of
controlled substances or firearms.
It is also important to consider that our allies concur that
unrestricted export of encryption poses significant risk to national
security, especially to regions of concern. As recently as December
1998, the thirty-three members of the Wassenaar Arrangement reaffirmed
the importance of export controls on encryption for national security
and public safety purposes and adopted agreements to enable governments
to review exports of hardware and software with a 56-bit key length and
above and mass-market products above 64 bits, consistent with national
export control procedures. Thus, the elimination of U.S. export
controls, as provided by the proposed Act, would severely hamper the
international community's efforts to combat such international public
safety concerns as terrorism, narcotics trafficking, and organized
crime.
In light of these factors, we believe that the Administration's
more cautious balanced approach is the best way to protect our national
interests, including a strong U.S. industry and promoting electronic
commerce, while simultaneously protecting law enforcement and national
security interests. We believe that legislation that eliminates all
export controls on encryption could upset that delicate balance and is
contrary to our national interests.
The recent decision of the United States Court of Appeals for the
Ninth Circuit in Daniel Bernstein v. United States Department of
Justice and United States Department of Commerce has not changed our
view that legislation eliminating export controls is contrary to our
national interests. The Department of Commerce and the Department of
Justice are currently reviewing the Ninth Circuit's decision in Daniel
Bernstein v. United States Department of Justice and United States
Department of Commerce, and we are considering possible avenues for
further review, including seeking a rehearing of the appeal en banc in
the Ninth Circuit. In the interim, the regulations controlling the
export of encryption products remain in full effect.
We as government leaders should embark upon the course of action
that best preserves the balance long ago set by the Framers of the
Constitution, preserving both individual privacy and society's interest
in effective law enforcement. We should promote encryption products
which contain robust cryptography but that also provide for timely and
legal law enforcement plaintext access to encrypted evidence of
criminal activity. We should also find ways to support secure
electronic commerce while minimizing risk to national security and
public safety. This is the Administration's approach. We look forward
to working with this Subcommittee as it enters the markup phase of this
bill.
Mr. Tauzin. Thank you, Mr. Lee.
I want to turn to Mr. Ed Gillespie, the Executive Director
of Americans for Computer Privacy here in Washington, DC. Ed,
for your testimony, sir.
STATEMENT OF ED GILLESPIE, EXECUTIVE DIRECTOR, AMERICANS FOR
COMPUTER PRIVACY
Mr. Gillespie. Thank you, Mr. Chairman. Thank you for this
opportunity to testify in support of H.R. 850, the SAFE act as
sponsored by Representatives Goodlatte and Lofgren and
cosponsored by a bipartisan support of over 250 Members of the
House.
I serve as Executive Director for Americans for Computer
Privacy, a coalition of over 3,500 individuals, 40 trade
associations, and over 100 companies representing financial
services, manufacturing, high-tech and transportation
industries, as well as law enforcement, civil-liberty, taxpayer
and privacy groups. ACP supports policies that allow American
citizens to continue using strong encryption without government
intrusion and advocates the lifting of export restrictions of
U.S.-made encryption products.
We applaud the chairman and ranking member of this
subcommittee and majority of members of the Commerce Committee
who have cosponsored the bill and respectfully urge the
subcommittee to report it without amendments for full committee
consideration.
ACP believes strong encryption is essential to protecting
the Nation's infrastructure and ensuring the integrity----
Is that mine or his?
Mr. Tauzin. It is a very sophisticated--the technologically
sufficient system that we are working on.
Mr. Gillespie. We believe that strong encryption is
essential to also ensuring the privacy of electronic
communications of American citizens, businesses and
organizations; protecting our long-term national security
interests; safeguarding the public; and maintaining U.S.
leadership in the development of information technology
industries.
The United States must have a clear and realistic national
policy to assure that industry is able to develop the products
that will help us to meet our national objectives.
Traffic on the Internet doubles every 100 days. Predictions
of business-to-business Internet commerce for the year 2000
range from $66 billion to $171 billion; and, by 2002,
electronic commerce between businesses is expected to reach
$300 billion.
Consumers worldwide demand to be able to protect their
electronic information and interact securely, and access to
products of strong encryption capability has become
critical to providing them with confidence that they will have
this ability.
Progress was made last year in the development of the
administration's policy as announced by the Vice President in
September and contained in the interim final regulations. ACP
commends the government for the hard work and thoughtful
consideration that went into the development of that policy and
those regulations.
However, the Clinton administration has yet to allow U.S.
encryption manufacturers to compete on a level playing field in
the global marketplace. The administration policy remains
highly problematic and does not represent the clear and
realistic national policy that this issue requires.
Primarily, ACP believes that the export policy shortchanges
our long-term national interest and that it puts at jeopardy
our current global leadership in this vital technology. Strong
high-quality encryption products are already widely available
from foreign makers, which renders our export policy an exercise
in futility. We worry that America will lose this critical
market to foreign makers. When and if it does, it will be too
late to change U.S. policy and too late to preserve our
leadership in this vital arena.
There can be no doubt that U.S. national security
objectives are best served by an information technology world
in which U.S. companies are market leaders in all aspects,
especially encryption. ACP's industrial members have ample
evidence of the rapidly growing market share of foreign
encryption and examples of U.S. businesses losing out to
foreign manufacturers because of our U.S. export regulations.
A 1997 study found that 656 non-American encryption
products are available from 29 foreign countries. These
encryption manufacturers are located as far from the United
States as India and as close to our borders as Mexico. The
products in the study were purchased via routine channels or
directly from the foreign manufacturer or from a distributor.
Strong encryption is also available for sale and for free
on the Internet to anyone in the world with a computer. Here is
just one example of how you can obtain strong encryption with
just a few clicks: You can visit the international Pretty Good
Privacy Site: www.pgpx.com. From that URL, anybody in the world
can develop strong 128-bit encryption within 47 seconds. And
because any citizen in the U.S. can download encryption legally
from the Internet, the Internet makes controlling encryption
exports a very difficult proposition.
ACP strongly believes that our long-term national security
objectives can only be achieved if the United States
realistically acknowledges the inevitability of a world of
ubiquitous, strong encryption. Trying to control the
proliferation of encryption is like trying to control the
proliferation of math. That is what we are talking about here.
Encryption algorithms are nothing more than sophisticated
mathematics. And while the U.S. may realistically hope to
remain the leader in such a field, it cannot realistically
expect to monopolize it.
ACP has advocated that the U.S. Government should work
cooperatively with our Nation's hardware and software
manufacturers to develop the technical tools and know-how to
achieve a policy that effectively responds to society's needs
for law enforcement, national security, critical infrastructure
protection, privacy preservation and economic well-being.
However, Congress must pass the SAFE act and establish a clear
and realistic national policy on encryption. That is the best
way to preserve U.S. leadership in encryption technology upon
which the successful protection of our critical infrastructure
and achievement of national security objectives certainly and
inevitably depends.
Thank you again, Mr. Chairman; and I will look forward to
your questions.
[The prepared statement of Ed Gillespie follows:]
Prepared Statement of Ed Gillespie, Executive Director, Americans for
Computer Privacy
Mr. Chairman and members of the Subcommittee, Thank you for the
opportunity to testify before you on H.R. 850, the SAFE Act, sponsored
by Representatives Goodlatte and Lofgren and cosponsored by a
bipartisan group of over 250 House Members. I serve as Executive
Director of Americans for Computer Privacy (``ACP''), a coalition of
over 3,500 individuals, 40 trade associations and over 100 companies
representing financial services, manufacturing, high-tech, and
transportation industries as well as law enforcement, civil-liberty,
taxpayer and privacy groups. ACP supports policies that allow American
citizens to continue using strong encryption without government
intrusion, and advocates the lifting of export restrictions of U.S.
made encryption products.
ACP strongly endorses enactment of the SAFE Act, and we appreciate
the leadership provided by Representatives Goodlatte and Lofgren and
the majority of members of the Commerce Committee who cosponsored the
bill. We respectfully urge the subcommittee to report it without
amendments for full committee consideration.
As Vice President Gore said in September 1998 when he announced the
current administration policy, developing a national encryption policy
is one of the most difficult issues facing the country. It requires
balancing many competing objectives--all of which are of great
importance to the nation. As ACP has noted, strong encryption is
essential to:
Protecting the nation's infrastructure and assuring the
integrity of information;
Ensuring the privacy of electronic communications of American
citizens, businesses and organizations;
Protecting our national security interests;
Safeguarding the public; and
Maintaining U.S. leadership in the development of information
technology industry.
As we move into the new millennium, information technology will play
an increasingly important role in the way we govern ourselves,
communicate among peoples, conduct commerce, and operate and protect
our national infrastructure. Strong encryption is key to the continued
vitality and growth of all these activities. Accordingly, the United
States needs a clear and realistic national policy to assure that
industry is able to develop the products that will help us to meet our
national objectives.
Traffic on the Internet doubles every 100 days. Predictions of
business-to-business Internet commerce for the year 2000 range from $66
billion to $171 billion, and by 2002, electronic commerce between
businesses is expected to reach $300 billion. During 1997, one leading
manufacturer of computer software and hardware sold $3 million per day
online for a total of $1.1 billion for the year.
More and more individual consumers also are going on-line and
spending. More than 10 million people in North America alone have
purchased something over the Internet and at least 40 million have
obtained product and price information on the Internet only to make the
final purchase off-line. Imagine the boost in volume of e-commerce if
all of these consumers had enough confidence in the security of the
Internet to purchase on-line.
Consumers worldwide are demanding to be able to protect their
electronic information and interact securely worldwide, and access to
products with strong encryption capabilities has become critical to
providing them with confidence that they will have this ability.
Significant progress was made last year in the development of the
Administration's policy announced by the Vice President in September
and contained in the interim final regulations of December 31, 1998.
ACP commends the government for the hard work and thoughtful
consideration that went into the development of that policy and those
regulations. Last year, ACP had several productive meetings with the
Administration's inter-agency task force, including representatives
from law enforcement and the Justice Department. Those meetings were
conducted in good faith on both sides and led to a greater
understanding on both sides of the needs and concerns of the other. The
Clinton Administration incorporated many of our interim recommendations
into its updated export policy, including: export relief for encryption
products that use symmetric algorithms up to and including 56-bits;
products that use asymmetric algorithms up to and including 1024-bits;
and relief for various sectors of the business community.
The Clinton Administration, however, has yet to allow U.S.
encryption manufacturers to compete on a level playing field in the
global marketplace. The Administration policy remains highly
problematic and does not represent the clear and realistic national
policy that this issue requires.
First, the Administration has entered into an agreement with 32
other countries--the Wassenaar Arrangement--containing certain export
controls on encryption. Unfortunately, the Administration's encryption
export regulations impose greater restrictions on American companies
than those called for under the arrangement. As a minimal interim step,
we believe the Administration should at least eliminate all controls on
encryption software and hardware for products up to 64-bits, and should
eliminate all reporting requirements on higher-level encryption
exports. Such actions would make U.S. controls consistent with the
revised Wassenaar Arrangement.
We also believe that the Administration's efforts to develop a
global approach to this issue through the Wassenaar Arrangement are
doomed to failure. We recognize that this is a global problem and if it
were truly possible to achieve universal agreement that was fairly
enforced, industry would no doubt be supportive. But Wassenaar only has
33 members and does not include encryption-producing countries such as
China, India, South Africa, or Israel. Further, the Administration
should recognize that the Wassenaar Arrangement is only as effective as
the implementing regulations adopted by the member countries. Some of
the member nations will promulgate regulations that are less
restrictive than those of the United States, thereby providing those
nations with a competitive advantage over domestic encryption
manufacturers. In short, the Wassenaar Arrangement is a toothless
tiger.
As an example, I would point to a December 6, 1998 New York Times
article that highlights the difficulty the Wassenaar Arrangement has
encountered in attempting to restrict sales of combat aircraft and
tanks to Ethiopia and Uganda; clearly, the problems associated with
Wassenaar would be compounded when attempting to restrict products that
fit on a compact disk or can be sent over the Internet.
Second, the Interim Rule falls short on a number of short-term
points. For example, the Interim Rule does not fulfill the mandate
promised by Vice President Gore on September 16 to allow all 56-bit
encryption products to be eligible for export to all end-users (except
terrorist states). In reality, the Interim Rule does not allow the
export of 56-bit encryption chips, integrated circuits, toolkits, and
executable or linkable modules for export under license exception
except to U.S. subsidiaries.
Further, the Interim Rule is so complex that a number of the
benefits in the new policy are undermined by provisions of the Interim
Rule. For example, the reporting requirements are so onerous to
companies that reporting costs may exceed the price of some products,
much less the profit. It is simply impractical to expect manufacturers
to collect reporting data on mass-market encryption products. My
personal experience is that I never return registration cards on coffee
makers, answering machines, or software products--I expect most people
in this room have similar experiences.
We have made these points in a letter providing our official
comments on the regulations to the Administration. However, the
Administration's new policy, as grateful as we are for this limited
progress, remains flawed even on its own terms.
Beyond this, in the encryption debate in the larger sense, we
continue to have good-faith disagreements with the Administration about
its current policy, which Congress should address in this legislation.
Primarily, ACP believes that the export policy short-changes our
long-term national interest in that it puts at jeopardy our current
global leadership in this vital technology. Strong, high-quality
encryption products already are widely available from foreign makers.
That renders our export policy an exercise in futility. We worry that
America will lose this critical market to foreign makers. When and if
it does, it will be too late to change U.S. policy and too late to
preserve U.S. leadership in this vital arena.
If we do lose that U.S. leadership position, what will that mean?
It will mean that the national security agencies will be confronting
ubiquitous encryption made not by U.S. companies, but by foreign
companies. Where then will the national security agencies go for
technical help on encryption, if the most sophisticated encryption
experts and product-makers reside abroad? It will also mean that the
protection of our critical national infrastructure may depend on
foreign-made encryption--and that's unacceptable.
We must retain leadership in this vital technology if we are to
meet our long-term national security objectives. That is why we must
assess our encryption export policies from a long-term, not a short-
term, perspective.
In the long run, there can be no doubt that U.S. national security
objectives are best served by an IT world in which U.S. companies are
market leaders in all aspects, especially encryption. ACP's industrial
members have ample evidence of the rapidly growing market share of
foreign encryption and examples of U.S. businesses losing out to
foreign manufacturers because of the U.S. export regulations. For
example, a December 1997 study conducted by Trusted Information Systems
found that 656 non-American encryption products are available from 29
foreign countries. These encryption manufacturers are located as far
from the U.S. as China and as close as Mexico. The products in the
study were purchased via routine channels, either directly from the
foreign manufacturer or from a distributor.
RSA Data Security has lost business opportunities with major
foreign conglomerates such as Lloyds TSB PLC, SAP AG, and Siemens AG
because of U.S. export control regulations. U.S. software companies
estimate they have lost millions of potential users of their software
due to the encryption regulations. ACP believes these foreign customers
are purchasing strong, non-American encryption products. These foreign
products are also of high quality and we do not accept the belief that
these foreign entities are forgoing strong encryption just because they
can't get American-made encryption.
Further, foreign encryption manufacturers are marketing their
products by using U.S. encryption regulations against American
companies. For example, Baltimore Technologies, an Irish encryption
manufacturer that President Clinton highlighted during his trip to
Dublin last year, specifically points out the shortcomings of U.S.
encryption products in the marketing of their product, WebSecure. The
opening paragraph of its website states that the export versions of
U.S. browsers ``are limited to 40 bits of encryption, which is not
secure enough for most applications.'' In contrast, WebSecure provides
128-bit encryption for ``real security.'' 1
---------------------------------------------------------------------------
\1\ Located at the following URL: www.baltimore.com/products/
websecure/index.html
---------------------------------------------------------------------------
Strong encryption is also available for sale and for free on the
Internet to anybody in the world with a computer. Here is just one
example of the ease with which a person outside the United States can
obtain strong encryption with a few clicks on their computer: They can
visit the international Pretty Good Privacy site: www.pgpi.com. From
that URL, anybody in the world can download strong, 128-bit encryption
within 47 seconds. And because any citizen in the U.S. can download
encryption legally from the Internet, and anyone in the world with a
computer has access to the Internet, the Internet makes controlling
encryption exports a very difficult proposition.
ACP also believes it is vital to our national interests that our
critical infrastructure is secure and we praise President Clinton for
recognizing this vulnerability in his speech earlier this year. We
wish, however, that the President recognized the importance that strong
encryption produced by U.S. high technology companies plays in
protecting our infrastructure. How does the United States protect its
critical infrastructure? With strong encryption, that's how. And the
current export controls are threatening the health of the very industry
in which the protection of our critical infrastructure relies.
We do not believe we have all the answers to questions about
national security, but ACP strongly believes that our long-term
national security objectives can only be achieved if the United States
realistically acknowledges the inevitability of a world of ubiquitous,
strong encryption. Trying to control the proliferation of encryption is
like trying to control the proliferation of mathematics. For that is
what we are talking about here. Encryption algorithms are nothing but
sophisticated mathematics. And while the United States may
realistically hope to remain the leader in such a field, it cannot
realistically expect to monopolize it.
We are joined in this view by the Center for Strategic and
International Studies (``CSIS''). CSIS recently conducted a study of
our nation's technical vulnerabilities; the study was chaired by
William Webster, the former director of the FBI and Central
Intelligence and former U.S. Circuit Judge. The subsequent report,
entitled Cybercrime . . . Cyberterrorism . . . Cyberwarfare . . .
Averting an Electronic Waterloo, calls for the ``intelligence gathering
communities--law enforcement and foreign intelligence--to examine the
implications of the emerging environment and alter their traditional
sources and means to address the SIW [strategic information warfare]
needs of the twenty-first century. Continued reliance on limited
availability of strong encryption without the development of
alternative sources and means will seriously harm law enforcement and
national security.''
For instance, ACP proposed last year the creation of a ``NET
Center'' (and, since then, ``Tech Center'' has been created) to help
law enforcement officials understand how to deal with encryption and
other technological advances when encountered in a criminal setting. We
have been cooperating with law enforcement agencies on these projects
in an educational sense, and we are pleased with the development of
this forward-thinking strategy.
On the national security side, Senator Bob Kerrey recently
suggested that (1) the President should convene a public-private panel
to examine the implications of this new technological age for our
national security, and (2) the creation of a new national laboratory
for information technology to perform research and to act as a forum
for further discussions on technological breakthroughs. These views may
deserve further exploration, and ACP wants to play a leading role in
crafting industry cooperation.
ACP wishes to emphasize that it recognizes a legitimate
governmental need to obtain access to the plain text of communications
when authorized by proper legal authority. ACP and its members are
responsible citizens of the nation and the globe and have no wish to
facilitate the commission of crime, the spread of terrorism or the
acquisition and delivery of weapons of mass destruction. Similarly, we
are committed to strengthening the nation's infrastructure, enhancing
the privacy of American citizens and ensuring the security of
electronic commerce. We believe that these sometimes competing
objectives can be met, but only if government does not seek to force
solutions on the industry that are not compatible with the development
of technology and market demands.
ACP has advocated that the U.S. Government should work
cooperatively with our nation's hardware and software manufacturers to
develop the technical tools and know-how to achieve a policy that
effectively responds to society's needs for law enforcement, national
security, critical infrastructure protection, privacy preservation, and
economic well-being.
I would also like to point out that earlier this month, the Ninth
Circuit Court of Appeals upheld a district court ruling in Bernstein v.
U.S. Department of Justice which found that the export controls at
issue here are an unconstitutional prior restraint on speech. The
Appeals Court affirmed the lower court's decision, and concluded that
the Government's policy on encryption unconstitutionally burdens speech
because it ``applies directly to scientific expression, vests boundless
discretion in government officials, and lacks adequate procedural
safeguards.''
The Ninth Circuit Court of Appeals also found, ``In this
increasingly electronic age, we are all required in our everyday lives
to rely on modern technology to communicate with one another. This
reliance on electronic communication, however, has brought with it a
dramatic diminution in our ability to communicate privately. Cellular
phones are subject to monitoring, email is easily intercepted, and
transactions over the internet are often less than secure. Something as
commonplace as furnishing our credit card number, social security
number, or bank account number puts each of us at risk. Moreover, when
we employ electronic methods of communication, we often leave
electronic ``fingerprints'' behind, fingerprints that can be traced
back to us. Whether we are surveilled by our government, by criminals,
or by our neighbors, it is fair to say that never has our ability to
shield our affairs from prying eyes been at such a low ebb. The
availability and use of secure encryption may offer an opportunity to
reclaim some portion of the privacy we have lost. Government efforts to
control encryption thus may well implicate not only the First Amendment
rights of cryptographers intent on pushing the boundaries of their
science, but also the constitutional rights of each of us as potential
recipients of encryption's bounty. Viewed from this perspective, the
government's efforts to retard progress in cryptography may implicate
the Fourth Amendment, as well as the right to speak anonymously, see
McIntyre v. Ohio Elections Comm'n, 115 S. Ct. 1511, 1524 (1995), the
right against compelled speech, see Wooley v. Maynard, 430 U.S. 705,
714 (1977), and the right to informational privacy, see Whalen v. Roe,
429 U.S. 589, 599-600 (1977).''
In closing, Secretary of Defense William Cohen gave a speech at
Microsoft earlier this year in which he stated: ``To maintain peace and
stability in this uncertain world, we have mapped out a strategy
defined by three words: Shape, Respond, Prepare.'' ACP and its member
companies are willing to do our part in helping the Government prepare
for an uncertain 21st century, and we look forward to working with the
Government on these projects.
However, Congress must pass the SAFE Act and establish a clear and
realistic national policy on encryption. That is the best way to
preserve U.S. leadership in encryption technology, upon which the
successful protection of our critical infrastructure and achievement of
our national security objectives certainly and inevitably depend.
Mr. Tauzin. Thank you, Mr. Gillespie.
We are now pleased to recognize the Honorable Barbara
McNamara, Deputy Director, National Security Agency. I want to
tell how pleased we are that you grace this hearing. We thought
NSA folks were all in dark suits and dark glasses, and you look
great today. Thanks for being here.
STATEMENT OF HON. BARBARA A. MCNAMARA, DEPUTY DIRECTOR,
NATIONAL SECURITY AGENCY
Ms. McNamara. Thank you very much, I am glad I can lighten
your life. Thank you for the opportunity to appear before you
today. And you do have my statement for the record.
Mr. Tauzin. Yes, ma'am.
Ms. McNamara. NSA plays a critical role in our national
security. We as an agency have two missions. One is to ensure
that the U.S. Government communications are secure and
protected against prosecution by foreign hostile services. For
that mission and that mission alone, we could support and do
support a very strong U.S. industry in order to provide that
service to the U.S. Government.
But we also have another mission, and that other mission is
the one that I would like to speak to you today about. It is a
mission to provide foreign intelligence to the U.S. Government
and policy makers and military commanders. We have a
responsibility and do intercept and analyze the communication
signals of foreign adversaries to produce critically unique and
actionable intelligence reports for our national leaders and
military commanders.
Very often time is of the essence. Intelligence is, first
and foremost, perishable. It is worthless if we cannot get it
to the decisionmakers in time to make a difference.
Signals intelligence proved its worth in World War II. The
United States broke the Japanese naval code and learned of
their plans to invade Midway Island, significantly aided the
U.S. defeat of the Japanese fleet and helped shorten the war.
Today, NSA provides exactly that same service to U.S.
forces and coalition forces operating today in the Balkans. We
have that responsibility to perform that support to our troops
wherever it is that they operate in the world. Demands on NSA
for timely intelligence support have only grown since the
breakup of the Soviet Union and have expanded into national
security areas of terrorism, weapons proliferation, and
narcotics trafficking.
Currently, many of the world's communications are
unencrypted. And let me address Congressman Sawyer's comments
about the genie being out of the bottle. We acknowledge that
there is strong encryption out there. In fact, my colleague
here on my right addressed PGP. It is out there. But it is not
being used broadly, and we know it is not being used broadly
because that is our business. It is out there, it is not being
used broadly and will not be used until a global security
management infrastructure allows it to be used commonly across
international borders.
If not controlled, encryption will spread and be widely
used by foreign adversaries that have traditionally relied upon
unencrypted communications. As a result, much of the crucial
information we are able to provide today could quickly become
unavailable to U.S. decisionmakers. The SAFE Act mandates the
immediate decontrol of most encryption exports which will
greatly complicate our mission because it will take too long to
decrypt a message if, indeed, we can decrypt it at all and
respond to our global mission.
The bill would also prevent us from conducting a meaningful
review of a proposed encryption export. These reviews provide
us with valuable insight into what is being exported, to whom
and for what purpose.
Congressman Oxley and Mr. Reinsch addressed the
liberalization that occurred last year on the part of the
administration, and Mr. Reinsch also addressed the
international agreement.
Let me say in answer to your statement, Mr. Chairman, that
what about--or your question--what about the other sectors that
are not addressed in the liberalization that occurred last
year? We do not automatically deny export of strong products to
anyone. In fact, sectors of nations--we have approved export of
very strong encryption products to areas of the world that are
not part of the sectors that Mr. Reinsch described.
It is not automatic denial. We view them all in an
individual licensed approach. So I would just like to put that
statement on the record.
In summary, the SAFE act will harm national security by
making NSA's job of providing critical actionable intelligence
to our leaders and military commanders difficult, if not
impossible, thus putting our Nation's national security at
considerable risk. The United States cannot have an effective
decisionmaking process or a strong fighting force or a
responsive law enforcement community or a strong counter-
terrorism capability unless the information required to support
them is available in time to make a difference.
Let me close by taking advantage of Mr. Oxley's statement
earlier. I would be more than pleased to talk in more detail in
a classified hearing.
[The prepared statement of Hon. Barbara A. McNamara
follows:]
Prepared Statement of Barbara A. McNamara, Deputy Director, National
Security Agency
Mr. Chairman, thank you for giving me the opportunity today to
discuss the important issue of encryption. I will be discussing the
national security needs for export controls on encryption and why we
oppose legislation that would effectively lift those controls. I will
then address specific concerns NSA has with provisions of the SAFE Act.
However, I would like to begin by briefly introducing the National
Security Agency (NSA) and its mission.
The National Security Agency was founded in 1952 by President
Truman. As a separately organized agency within the Department of
Defense, NSA provides signals intelligence to a variety of users in the
Federal Government and secures information systems for the Department
of Defense and other U.S. Government agencies. NSA was designated a
Combat Support Agency in 1988 by the Secretary of Defense in response
to the Goldwater-Nichols Department of Defense Reorganization Act.
The ability to understand the secret communications of our foreign
adversaries while protecting our own communications--a capability in
which the United States leads the world--gives our nation a unique
advantage. The key to this accomplishment is cryptology, the
fundamental mission and core competency of NSA. Cryptology is the study
of making and deciphering codes, ciphers, and other forms of secret
communications. NSA is charged with two complementary tasks in
cryptology: first, exploiting foreign communications signals and
second, protecting the information critical to U.S. national security.
By ``exploitation,'' I am referring to signals intelligence, or the
process of deriving important intelligence information from foreign
communications signals; by ``protection'' I am referring to providing
security for information systems. Maintaining this global advantage for
the United States requires preservation of a healthy cryptologic
capability in the face of unparalleled technical challenges.
It is the signals intelligence (SIGINT) role that I want to address
today. Our principal responsibility is to ensure a strong national
security environment by providing timely information that is essential
to critical military and policy decision making. NSA intercepts and
analyzes the communications signals of our foreign adversaries, many of
which are guarded by codes and other complex electronic
countermeasures. From these signals, we produce vital intelligence
reports for national decision makers and military commanders. Very
often, time is of the essence. Intelligence is perishable; it is
worthless if we cannot provide it in time to make a difference in
rendering vital decisions.
For example, SIGINT proved its worth in World War II when the
United States broke the Japanese naval code and learned of their plans
to invade Midway Island. This intelligence significantly aided the U.S.
defeat of the Japanese fleet. Subsequent use of SIGINT helped shorten
the war. NSA continues today to provide vital intelligence to the
warfighter and the policy maker in time to make a difference for our
nation's security. Demands on us in this arena have only grown since
the break-up of the Soviet Union and have expanded to address other
national security threats such as terrorism, weapons proliferation, and
narcotic trafficking, to name a few.
Because of these growing serious threats to our national security,
care must be taken to protect our nation's intelligence equities.
Passage of legislation that immediately decontrols the export of strong
encryption will significantly harm NSA's ability to carry out our
mission and will ultimately result in the loss of essential
intelligence reporting. This will greatly complicate our exploitation
of foreign targets and the timely delivery of intelligence to decision
makers because it will take too long to decrypt a message--if indeed we
can decrypt it at all.
Today, many of the world's communications are unencrypted.
Historically, encryption has been used primarily by governments and the
military. It was employed for confidentiality in hardware-based systems
and was often cumbersome to use. As encryption moves to software-based
implementations and the infrastructure develops to provide a host of
encryption-related security services, encryption will spread and be
widely used by other foreign adversaries that have traditionally relied
upon unencrypted communications. The immediate decontrol of encryption
exports would accelerate the use of encryption by many of these
adversaries and as a result, much of the crucial information we are
able to gather today could quickly become unavailable to us. Immediate
encryption decontrol will also deprive us of the opportunity to conduct
a meaningful review of encryption products prior to their export. In
the past, this review process has provided us with valuable insight
into what is being exported, to whom, and for what purpose. Without
this review and the ability to deny an export application, it will be
impossible to control exports of encryption to individuals and
organizations that threaten the United States. For instance, immediate
decontrol will undermine international efforts to prevent terrorist
attacks, and catch terrorists, drug traffickers, and proliferators of
weapons of mass destruction.
Please do not confuse the needs of national security with the needs
of law enforcement. The two sets of interests and methods vary
considerably and must be addressed separately. The law enforcement
community is primarily concerned about the use of non-recoverable
encryption by persons engaged in illegal activity. At NSA, we are
primarily focused on preserving export controls on encryption to
protect national security.
While our mission is to provide intelligence to help protect the
country's security, we also recognize that there must be a balanced
approach to the encryption issue. The interests of industry and privacy
groups, as well as of the Government, must be taken into account.
Encryption is a technology that will allow our citizens to fully
participate in the 21st Century world of electronic commerce. It will
enhance the economic competitiveness of U.S. industry. It will combat
unauthorized access to private information and it will deny adversaries
access to U.S. information wherever it may be in the
world.
To promote this balanced approach, we are engaged in an ongoing and
productive dialogue with industry. The recent Administration update to
the export control regulations addresses many industry concerns and has
significantly advanced the ability of U.S. vendors to participate in
overseas markets. Of equal significance, the Wassenaar nations,
representing most major producers and users of encryption, agreed
unanimously in December 1998 to control strong hardware and software
encryption products. The Wassenaar Agreement clearly shows that other
nations agree that a balanced approach is needed on encryption policy
and export controls so that commercial and national security interests
are addressed. Both are positive developments because they open new
opportunities for U.S. industry while still protecting national
security. These are examples of the kinds of advances possible under
the current regulatory structure, which provides greater flexibility
than a statutory structure to adjust export controls as circumstances
warrant in order to meet the needs of Government and industry. We want
U.S. companies to effectively compete in world markets. In fact, it is
something we strongly support as long as it is done consistently with
national security needs. NSA supports the recent updates to the
Administration's policy. The export provisions were carefully designed
to open up large commercial markets while trying to minimize potential
risk to national security. We believe significant progress was made.
As you review the SAFE Act, it is very important that you
understand the significant effect certain provisions of this bill will
have on national security. If enacted, the bill would effectively
decontrol most commercial computer software encryption and specified
hardware encryption exports to all destinations, even regions of
instability. It would also deprive the Government of the opportunity to
conduct a meaningful review of a proposed export to assure it is
compatible with U.S. national security interests and would also
eliminate the ability to deny an export application if national
security concerns are not adequately addressed.
The bill would permit exports of encryption based on products that
are permitted to be exported for foreign financial institutions. The
criteria for exporting encryption to these institutions should not be
the basis for decontrolling other encryption exports. Allowing
favorable treatment for specific classes of end-users may be
appropriate in cases such as those involving banks and other financial
institutions which are well regulated and have a good record of
providing access to lawful requests for information. Requiring the
blanket approval of exports to all other end-users in a country would
eliminate important national security end-use considerations for these
exports.
In summary, the SAFE Act will harm national security by making
NSA's job of providing vital intelligence to our leaders and military
commanders difficult, if not impossible, thus putting our nation's
security at some considerable risk. Our nation cannot have an effective
decision-making process, a strong fighting force, a responsive law
enforcement community, or a strong counter-terrorism capability unless
the intelligence information required to support them is available in
time to make a difference. The nation needs a balanced encryption
policy that allows U.S. industry to continue to be the world's
technology leader, but that policy must also protect our national
security interests.
Thank you for the opportunity to address the Subcommittee and I
would be happy to answer any questions you may have.
Mr. Tauzin. And we have noted Mr. Oxley's request, and we
will probably give you that opportunity, Mrs. McNamara.
We are pleased now to welcome Mr. Richard Hornstein, the
General Counsel of Network Associates, Inc. of Santa Clara,
California.
Mr. Hornstein.
STATEMENT OF RICHARD HORNSTEIN, GENERAL COUNSEL, NETWORK
ASSOCIATES, INC.
Mr. Hornstein. Good morning.
My name is Richard Hornstein. I am the General Counsel of
Network Associates. We are the world's leading provider of
security products, software products. We are based in Santa
Clara, California. Last year, Network Associates did
approximately $1 billion of revenue. We have 2,700 employees
worldwide, and we have offices located in 30 countries
throughout the world.
I am also here to speak on behalf of the Business Software
Alliance, the BSA. The BSA's members include, among others,
Adobe, Lotus Development and Microsoft.
We would like to thank you, Mr. Chairman, as well as
ranking member Mr. Markey, for your strong support in this and
previous Congresses. We also want to thank the other 19
subcommittee members who are among the approximately 253
cosponsors of the SAFE act.
You may not know what Network Associates is. We were just
recently born about a year ago through a merger of several
companies, but probably you do know our products. Our products
include Virus Scan, an antivirus product; Pretty Good Privacy,
or PGP, an encryption, virtual private network; PKI products;
Gauntlet firewall, that product is used by the NSA; Cybercop,
which is an intrusion detection product.
These products we sell as individual point products, and we
also sell them as an integrated suite. We look to providing to
our customers solutions for their needs, and more and more our
customers are demanding comprehensive solutions for their
corporate needs.
If I can give you an example of how these products work. If
you look upon a corporation as a village and if the village is
going to need around it a castle wall to protect it, that will
be a firewall. They would need soldiers to travel inside around
the castle patrolling, checking I.D., making sure people aren't
going where they are supposed to. That would be intrusion
protection.
When the king needs to travel from his castle, travel
across the countryside and go visit another castle, that will
be either a virtual private network of communication or an
encrypted E-mail message. I mean, this is in simplistic forms,
really, what we are talking about here.
What I am looking at right now is, for us to grow as a
company, we need to grow on a global basis. The time to market
for our products is today. Our customers right now are looking
for answers and solutions for us to provide today.
Foreign companies out there with comparable products are
out there selling to our customers, the customers who buy Virus
Scan today. Checkpoint, an Israeli company, is selling firewall
products on a worldwide basis. They have $150 million of
revenue.
Baltimore Technologies, my counterpart is sitting down
here, which is the UK Irish company, is selling virtual private
networks and encryption products. They are a serious threat to
our viability as an entity.
What I would like to do is give you a couple of examples of
some deals that right now that we are looking at and
questioning whether or not we actually will be able to get
these deals.
One is with a company called DaimlerChrysler. It is a
German company that is a major worldwide automaker. They also
are a major U.S. company through their acquisition of Chrysler
Motors. They are a customer of mine from the past because they
lead license Virus Scan.
There is a seven-figure deal on the table today to license
by a pretty good privacy PGP product. However, in competing on
the bid on this product, on the sale of this product, I am up
against a company called Eudomoako. Eudomoako is a German
software security company. They did $35 million last year in
revenue, and they are going rapidly right now all throughout
Europe.
Right now, DaimlerChrysler, as I understand it in
discussions with my sales folks, is stating that, yes, I can
get your product, but I can't support--under the current rules,
any sort of support that will be necessary for such a deal,
hundreds of thousands of nodes today being sold to this
customer, hundreds of thousands of nodes, would require
technical support across the network. The only people
appropriate to give such support are my engineers back in Santa
Clara. They could not communicate with the German MIS
departments without violating the technical assistance rules,
exposing us to economic penalties and potential criminal
sanctions.
A similar deal is for a company called Robert Bosch. This
is an equipment company based out of Switzerland. Tens of
thousands of nodes, six-figure deal, and I am in jeopardy of
losing them to a company called Ascom, which is a billion-
dollar-revenue Swiss hardware and software security company
which is making inroads in the growing market.
Once these products are sold by our foreign competitors, it
is like plumbing. You can't pull them out of the house. They
are not going to replace me if in 2 or 3 years we liberalize
these rules.
A third example is a company called Orient Overseas
Container Line. This is a Pac Rim company. There, again,
another company of mine that uses Virus Scan. This is, again,
another six-figure deal.
I am up against in that transaction with Checkpoint, an
Israeli company that sells a firewall--world-class firewall
product and a VPN solution; and they are also bundling in the
PKI Search Server, which is a Canadian product.
In speaking with my salesperson, as I understand it, Orient
Overseas is not probably going to buy our product. Why?
Because, in marketing, Checkpoint is looked to be the world
leader. They are an Israeli company, and they are looked to be
a dominant of 50 percent of the Pac Rim's market on firewalls
and VPN products, virtual private networks.
Also, because of their VPN product or at least the network
product has to be registered when such sales are made with the
U.S. Government, the privacy concerns of my foreign customers
are violated, and they don't want to buy my products because
they don't want to have a product that is being registered with any
foreign government.
In closing, I would like to thank you for allowing me to
speak here at this proceeding. I would like to thank you for--
those of you for supporting the SAFE act. I can be available
for any questions at your leisure.
Thank you very much.
[The prepared statement of Richard Hornstein follows:]
Prepared Statement of Richard Hornstein, Vice President of Legal
Affairs, Taxation and Corporate Development, Network Associates On
Behalf Of The Business Software Alliance
introduction
Good Morning. My name is Richard Hornstein, and I am Vice President
of Legal Affairs, Taxation and Corporate Development at Network
Associates, Inc., at its headquarters in Santa Clara, California.
Network Associates, Inc., is the leading independent worldwide supplier
of enterprise-wide network security and management software. The array
of security products offered by Network Associates includes: PGP e-mail
and file (the leading e-mail encryption product providing secure
encrypted communications for over six million users worldwide), the
Gauntlet firewall (one of the leading commercial software firewall
products originally developed for use by the NSA), PGP VPN (a
revolutionary new Internet desktop communication product allowing users
to communicate securely over the Internet distributing audio, video and
text information on a secure encrypted channel across the Internet),
and Cybercop (an intrusion software product which protects the computer
network from internal/external intruders).
I greatly appreciate the opportunity to appear today before this
Committee on behalf of Network Associates and the Business Software
Alliance (BSA). Since 1988, BSA has been the voice of the world's
leading software developers before governments and with consumers in
the international marketplace. BSA promotes the continued growth of the
software industry through its international public policy, education
and enforcement program in 65 countries throughout North America,
Europe, Asia and Latin America. Its members represent the fastest
growing industry in the world. BSA worldwide members include Adobe,
Attachmate, Autodesk, Bentley Systems, Corel Corporation, Lotus
Development, Macromedia, Microsoft, Network Associates, Novell,
Symantec and Visio. Additional members of BSA's Policy Council include
Apple Computer, Compaq, Intel, Intuit and Sybase. BSA websites:
www.bsa.org; www.nopiracy.com.
But we really are here today to speak on behalf of the tens of
millions of users of American software and hardware products. The
American software and hardware industries have succeeded because we
have listened and responded to the needs of computer users worldwide.
We develop and sell products that users want and for which they are
willing to pay.
One of the most important features computer users are demanding is
the ability to protect their electronic information and to interact
securely worldwide. American companies have innovative products which
can meet this demand and compete internationally. But there is one
thing in our way--the continued application of overbroad, unilateral,
export controls by the U.S. Government.
The Security and Freedom through Encryption (SAFE) Act, H.R. 850,
modernizes U.S. export laws regarding software and hardware with
encryption capabilities to permit American companies to compete on a
level international playing field and to provide computer users with
their choice of adequate protection for their confidential information
and critical infrastructures.
For these reasons, BSA strongly supports the SAFE Act. We urge the
Committee to report the SAFE Act unamended and look forward to its
passage by the House this year.
We want to thank both you, Mr. Chairman, as well as Ranking Member
Mr. Markey, for your strong support in this and previous Congresses. We
also want to thank the 19 other Subcommittee members who are among the
253 cosponsors of the SAFE Act.
This morning I want to make four points:
The worldwide standard is 128-bit encryption;
Mass market software and hardware is uncontrollable;
U.S. manufacturers unnecessarily face a significant
competitive disadvantage; and
BSA strongly supports the SAFE Act because without relaxation
of export controls, our critical infrastructures remain at
risk. The inevitable result of the Administration's current
policy will be widespread deployment, not of weak American
software and hardware, but of foreign designed and manufactured
strong encryption software and hardware throughout our
infrastructures both in America and abroad.
widespread deployment of encryption is not only desirable, it is
critical
Secure Networks And Confidential Information In The Internet Age Are
The Key To Privacy And Commerce
American individuals and companies are rapidly becoming networked
together through private local area networks (LANs), wide area networks
(WANs) and public networks such as the Internet. Combined, these
private and public networks are the economic engine driving electronic
commerce, transactions and communications. This engine is being choked
by the lack of availability of strong encryption products.
Traffic on the Internet doubles every 100 days. Predictions of
business-to-business Internet commerce for the year 2000 range from $66
billion to $171 billion, and by 2002, electronic commerce between
businesses is expected to reach $300 billion. During 1997, one leading
manufacturer of computer software and hardware sold $3 million per day
online for a total of $1.1 billion for the year.
More and more individual consumers also are going on line and
spending. Five years from today, we anticipate nearly 60 percent of all
Americans to be using the Internet. More than 10 million people in
North America alone have already purchased something over the Internet,
and at least 40 million have obtained product and price information on
the Internet only to make the final purchase off-line. Altogether last
year, consumers spent nearly $8 billion online. Nearly 1.5 million
Americans join the online population every month, and the number of
worldwide online users is expected to reach 248 million by 2002.
The incredible participation by American consumers in the Internet
phenomenon clearly demonstrates that the need for strong encryption is
no longer merely the purview of our national security agencies
concerned about securing data and communications from interception by
foreign governments. Today, every American even merely dabbling on the
Internet requires access to strong encryption. Imagine the boost in
volume of e-commerce if all of these consumers had enough confidence in
the security of the Internet to purchase on-line. Yet in 1996 the
Computer Security Institute/FBI Computer Crime Survey indicated that
our worldwide corporations will be increasingly under siege: over half
from within the corporation, and nearly half from outside of their
internal networks.
Network users must have confidence that their communications and
data--whether personal letters, financial transactions or sensitive
business information--are secure and private. Electronic commerce is
transforming the marketplace--eliminating geographic boundaries and
opening the world to buyers and sellers. Companies, governments and
individuals now realize that they can no longer protect data and
communications from others by relying on limiting physical access to
computers and maintaining stand-alone centralized mainframes. Instead,
users expect to be able to pick up their e-mail or modify a document
from any computer anywhere in the world simply by using their Internet
browsers. Thus, consumers worldwide are demanding to be able to protect
their electronic information and interact securely worldwide, and
access to products with strong encryption capabilities has become
critical to providing them with confidence that they will have this
ability.
Full Deployment Of Strong Encryption Is Vital For Protecting America's
Critical Infrastructures
Governments also are recognizing that without encryption, the
electronic networks that control such critical functions as airline
flights, health care functions, electrical power and financial markets
remain highly vulnerable. The U.S. General Accounting Office in its
report issued in May of 1996 entitled ``Information Security: Computer
Attacks at Department of Defense Pose Increasing Risks'' found that
computer attacks are an increasing threat, particularly through
connections on the Internet, such attacks are costly and damaging, and
such attacks on Defense and other U.S. computer systems pose a serious
threat to national security.
As the President said on January 22, 1999, before the National
Academy of Sciences, ``[w]e must be ready--ready if our adversaries try
to use computers to disable power grids, banking, communications and
transportation networks, police, fire and health services--or military
assets. More and more, these critical systems are driven by, and linked
together with, computers, making them more vulnerable to disruption.''
The President has been so concerned that he established a
Commission on Critical Infrastructure Protection to provide him with
guidance and issued two Presidential Directives based on the
Commission's recommendations.
In the Report of the President's Commission on Critical
Infrastructure Protection entitled Critical Foundations: Protecting
America's Infrastructures (October 1997), the Commission emphasized
that ``Strong encryption is an essential element for the security of
the information on which critical infrastructures depend.'' In fact
``[p]rotection of the information our critical infrastructures are
increasingly dependent upon is in the national interest and essential
to their evolution and full use. A secure infrastructure requires the
following:
Secure and reliable telecommunications networks.
Effective means for protecting the information systems
attached to those networks . . .
Effective means of protecting data against unauthorized use or
disclosure.
Well-trained users who understand how to protect their systems
and data.''
An earlier blue ribbon National Research Council (NRC) Committee
similarly concluded in its (May 1996) CRISIS Report (``Cryptography's
Role in Securing the Information Society'') that encryption promotes
the national security of the United States by protecting ``nationally
critical information systems and networks against unauthorized
penetration.''
Thus, the NRC Committee found that on balance the advantages of
widespread encryption use outweighed the disadvantages and that the
U.S. Government has ``an important stake in assuring that its important
and sensitive . . . information . . . is protected from foreign
government or other parties whose interests are hostile to those of the
United States.''
In recognition of the risks and threats to information, on January
15, 1999, the National Institute of Standards and Technology (NIST)
established a new draft Federal Information Processing Standard (FIPS
46-3) to require the use of stronger encryption in government systems.
NIST stated that it ``can no longer support the use of the DES for many
applications'' and that all new systems must use the significantly
stronger Triple DES ``to protect sensitive, unclassified data''. Under
the FIPS, all existing systems are now expected to develop a strategy
to transition to Triple DES, with critical systems receiving a
priority.
Information security is critical to the integrity, stability and
health of individuals, corporations and governments. While cryptography
is but one element of security, it is the keystone of secure,
distributed systems. Frankly, there is no substitute for good,
widespread, strong cryptography when attempting to prevent crime and
sabotage through these networks. The security of any network, however,
is only as good as its weakest link. Thus, private businesses who are
responsible for running our critical infrastructures and the millions
of consumers transacting business over these infrastructures--
depositing money in banks and purchasing airline tickets--must have
access to the strongest security. This access cannot be limited to only
American companies, however, as America's infrastructures cannot be
protected if they are networked with foreign infrastructures limited to
weak encryption.
In the long-term, we believe it is in America's best interest to
have America's critical infrastructures and national security be
protected by widespread reliance on strong American encryption products
both here and abroad. The SAFE Act's encryption policy will ensure that
Americans can use and sell any encryption that they want domestically,
prohibit both Federal and State governments from imposing encryption
standards or techniques, and relax export controls on products with
encryption capabilities in a manner that is based on technological and
market realities. Just because law enforcement and national security
interests wish that they could turn back the clock and limit consumers'
access to strong encryption approved by the government, it will not
happen, especially on a worldwide basis. This is especially true for
mass market software and hardware, which by its inherent nature is
uncontrollable.
america's export policy should promote widespread deployment of
american products with encryption capabilities in the worldwide market
Relaxation Of Export Controls On Encryption Products Is Vital For
Ensuring America's Global Competitiveness
American companies do have exciting and innovative products that
can meet the demand for 128-bit encryption and compete internationally.
But unless the current unilateral U.S. export restrictions are changed
to allow the use of strong encryption, American individuals and
businesses will not be active participants in this new networked world
of commerce--let alone continue to be the leaders in its development.
Furthermore, American companies will no longer be providing the world,
and its critical infrastructures, with the answers to their security
problems. Instead foreign companies will. It is unclear how U.S.
national security or law enforcement will be aided or how our critical
infrastructures will be secure when foreign encryption products
dominate the world market.
The computer software and hardware industries are American success
stories, but they are being threatened. America's software and hardware
industries are important contributors to U.S. economic security.
Information technology industries now are directly responsible for over
one-third of real growth of the U.S. economy. Between 1980 and 1992,
the computing and software industry grew at an annual rate of over 28%,
while overall domestic growth was less than 3%. From 1990 through 1996,
the software industry grew at a rate of 12.5%, nearly 2.5 times faster
than the overall U.S. economy.
More than 7 million people work in IT industries. In 1996, the
software industry provided a total of over 619,000 direct jobs and $7.2
billion in tax revenues for the U.S. economy. The software industry is
expected to create an average of 45,700 new jobs each year through
2005. If piracy were to be eliminated in the United States, the number
of new software jobs created would double to an average of 93,000 a
year.
Moreover, the computer software industry has achieved tremendous
success in the international marketplace with global sales of packaged
(i.e., non-custom) software reaching over $118.4 billion in 1996, and
rising to $135.4 billion in 1997. American produced software accounts
for 70% of the world market, with exports of U.S. programs constituting
half of the industry's output.
The incredible growth of the industry and its exporting success
benefits America through the creation of jobs here in the United
States. Many of these jobs are in highly skilled and highly paid areas
such as research and development, manufacturing and production, sales,
marketing, professional services, custom programming, technical support
and administrative functions. In the U.S. software industry, workers
enjoy more than twice the average level of wages across the entire
economy--$57,319 versus $27,845 per person.
All of these revenues and jobs are dependent upon American software
and hardware producers remaining the market leaders around the world,
especially as the major growth markets continue to be outside the
United States. Strong export controls on products with encryption
capabilities are crippling the ability of these companies to compete
with foreign providers and are only ensuring that foreign products are
securing worldwide critical infrastructures, not American products.
Unilateral U.S. Export Controls Harm American Interests
Currently, there are no restrictions on the use of cryptography
within the United States. However, the U.S. Government maintains strict
unilateral export controls on computer products that offer strong
encryption capabilities.
American companies are forced to limit the strength of their
encryption to the 56-bit key length level set late in 1998. The
recently announced regulations will also permit companies to export
stronger encryption on a sector-by-sector, user-by-user basis. However,
this policy ignores the fact that:
The minimum strength now required by new Internet applications
is 128-bit encryption;
The most widely used encryption program, PGP, with over six
million users worldwide, uses the Swiss developed IDEA
encryption algorithm, with a 128-bit key;
American companies cannot export encryption products to a vast
majority of non-U.S. commercial entities. Foreign manufacturers
provide 128-bit encryption alternatives and add-ons--filling
the market void created by U.S. export controls;
Providing sector-by-sector relief is unworkable for mass
market products and does not reflect commercial realities for
sales of custom products;
56-bit encryption has been demonstrated to be vulnerable to
commercial let alone governmental attack. (In the beginning of
this year at the RSA Encryption Conference, a 56-bit DES
encoded message was broken by private companies and individuals
working together in 22 hours and 15 minutes--imagine what a
hostile government with serious resources could do.); and
New developments in technology are introduced everyday that
speed up decryption time. Adi Shamir, an Israeli computer
scientist, recently announced ``Twinkle'', which is a proposed
method for quickly unscrambling computer-generated codes that
have until now been considered secure, at the International
Association for Cryptographic Research's latest meeting in
Prague.
Export controls also have made American companies less competitive
and opened the door for foreign software and hardware developers to
gain significant market share, decreasing our national and economic
security.
Without Export Relief, Foreign Consumers Will Purchase Their Products
From Foreign Suppliers, Keeping U.S. Manufacturers At A
Competitive Disadvantage
As a result of U.S. unilateral export controls, encryption
expertise is being developed off-shore by foreign manufacturers who now
provide hundreds of encryption alternatives and add-ons. The
Administration's export controls are in no way preventing foreigners,
let alone those with criminal intent, from obtaining access to
encryption products. In fact, foreign software and hardware
manufacturers have seized the opportunity to create sophisticated
encryption products and to capture sales.
As long ago as 1995, the General Accounting Office confirmed that
sophisticated encryption software is widely available to foreign users
on foreign Internet sites. In 1996, a Department of Commerce study
again confirmed the widespread availability of foreign manufactured
encryption programs and products. An on-going industry study by Trusted
Information Systems (TIS Study) highlights the ever-increasing
availability of foreign developed and manufactured products as it
discovered there were 656 foreign programs and products available from
29 countries as of December 1997.
Further demonstrating the worldwide availability, use and
sophistication of encryption abroad is the Department of Commerce's
National Institute of Standards and Technology (NIST) efforts to work
with the private sector to develop an Advanced Encryption Standard
(AES). Individuals and companies from eleven different countries
proposed 10 out of the 15 candidate algorithms submitted to NIST:
Australia's LOKI97; Belgium's RIJNDAEL; Canada's CAST-256 and DEAL;
Costa Rica's FROG; France's DFC; Germany's MAGENTA; Japan's E2; Korea's
CRYPTON; and the United Kingdom, Israel and Norway's SERPENT
algorithms. Only 5 out of the 15 candidate algorithms were submitted by
U.S.-based individuals or companies.
If an encryption product is combined with other applications such
as Internet browsers and application servers, U.S. companies will
generally lose both sales. In fact, companies risk losing sales of
entire systems because of inability to provide necessary security
features. This permits foreign manufacturers to gain entry into
companies as well as gain credibility--providing the foreign
manufacturers with further opportunity to take away future sales in the
same and other product lines.
I would like to mention a few specific examples with respect to
foreign availability of encryption products. The Apache Group, based in
the U.K., announced in April 1997 that its Apache Unix Internet Server
software with very strong encryption had a 29% market share of Web
server software. Today the Apache web server serves over half--50%--of
the domains on the Internet.
Companies such as Brokat Informationssysteme, a German company, are
developing products that are more than simply add-ons to American
products. Brokat's modular e-services platform, Twister, which
companies use to offer their customers secure and simple electronic
services via various electronic channels, such as the Internet or
mobile communications networks, is already being used by more than
1,500 companies worldwide. Brokat's sales outside of Germany, including
to the United States, have now increased to be 56 percent of the
company's total sales. The American market research institute Meridien
Research described BROKAT as the leading company worldwide for Internet
banking solutions. Apparently, in just a few years, we have already
begun to lose our dominance of this critical infrastructure to a
German company founded only in 1994.
The merger of two foreign companies, Zergo Holdings (U.K.) and
Baltimore Technologies (Ireland), into a new company called Baltimore
only further illustrates that foreign companies are flourishing solely
because there is no U.S. competition. According to the Gartner Group in
a Research Note dated January 28, 1999, the new company is ``a
competitive participant in providing e-commerce and enterprise
security, with 11 international offices and a global partner network .
. . with customers in 40 countries.''
U.S. Encryption Export Controls Hurt American Companies Without Helping
Law Enforcement Or National Security
U.S. export controls have had the effect of creating an encryption
expertise outside the United States that is gathering momentum.
Unfortunately, every time research and development of an encryption
technique or product moves off-shore, U.S. law enforcement and national
security agencies lose. We believe that continuing down this path will
be ultimately more harmful to our national security and law enforcement
efforts as American companies will no longer be the world leaders in
creating and developing encryption products.
In fact, as long ago as 1996, the NRC Committee concluded that as
demand for products with encryption capabilities grows worldwide,
foreign competition could emerge at levels significant enough to damage
the present U.S. world leadership in information technology products.
The Committee felt it was important to ensure the continued economic
growth and leadership of key U.S. industries and businesses in an
increasingly global economy, including American computer, software and
communications companies. Correspondingly, the Committee called for an
immediate and easy exportability of products meeting general commercial
requirements--which is currently 128-bit level encryption!
To summarize:
Foreign competitors not subject to outdated U.S. export
controls are ready to take sales and customers from U.S.
companies today.
Complex and cumbersome U.S. export controls make American
companies less competitive. They significantly increase the
costs of developing, marketing and selling products with
encryption capabilities, delay the introduction of new products
or features, and encourage foreign customers to purchase from
foreign suppliers due to the uncertainty and delay in obtaining
a comparable American product.
Current export controls do not keep strong encryption out of
the hands of foreign customers; they just keep U.S. products
out of their hands.
In the future, if export controls on encryption are not
relaxed, both American and foreign infrastructures will be
secured by foreign encryption products, creating a significant
problem for American law enforcement and national security
agencies.
the bernstein case
The absurdity of the existing export control regime is further
highlighted by the recent decision of the 9th Circuit Court of Appeals
in Bernstein v. DOJ. In that case, the court held that the existing
restrictions on the export of source code, the language in which
programmers communicate their ideas to one another, are an
unconstitutional prior restraint on first amendment rights of free
speech. So now we have a situation where it is permissible to export
jobs (because one can export source code to teach foreign programmers),
but not American products (because one cannot embody that source code
in a product). We are only further accelerating the placement of
foreign security products throughout the world in all industry
infrastructures.
More generally, Judge Fletcher's opinion raises some very valid,
more general questions and points out how important encryption is to
the mainstream life of Americans rather than merely to obscure
technologists. Judge Fletcher states:
In this increasingly electronic age, we are all required in our
everyday lives to rely on modern technology to communicate with
one another. This reliance on electronic communication,
however, has brought with it a dramatic diminution in our
ability to communicate privately. Cellular phones are subject
to monitoring, email is easily intercepted, and transactions
over the internet are often less than secure. Something as
commonplace as furnishing our credit card number, social
security number, or bank account number puts each of us at
risk. Moreover, when we employ electronic methods of
communication, we often leave electronic ``fingerprints''
behind, fingerprints that can be traced back to us. Whether we
are surveilled by our government, by criminals, or by our
neighbors, it is fair to say that never has our ability to
shield our affairs from prying eyes been at such a low ebb. The
availability and use of secure encryption may offer an
opportunity to reclaim some portion of the privacy we have
lost. Government efforts to control encryption thus may well
implicate not only the First Amendment rights of cryptographers
intent on pushing the boundaries of their science, but also the
constitutional rights of each of us as potential recipients of
encryption's bounty. Viewed from this perspective, the
government's efforts to retard progress in cryptography may
implicate the Fourth Amendment, as well as the right to speak
anonymously, . . . , the right against compelled speech, . . .
, and the right to informational privacy. While we leave for
another day the resolution of these difficult issues, it is
important to point out that Bernstein's is a suit not merely
concerning a small group of scientists laboring in an esoteric
field, but also touches on the public interest broadly defined.
bsa strongly supports the safe act because it provides freedom for
americans to use and sell any encryption domestically and provides
greatly needed export control relief
The SAFE Act Preserves Americans' Domestic Encryption Freedom
The SAFE Act ensures that Americans may use and sell whatever kind
of encryption they want domestically. It ensures that the U.S.
government may not require or provide other incentives for Americans to
use encryption products ``approved'' by the government or meeting
certain standards. Also, the Act does not permit the government to link
electronic signatures to the use of certain types of encryption
products.
The SAFE Act Provides Law Enforcement With Important Safeguards
Importantly, the SAFE Act does permit the Secretary of Commerce to
continue preventing exports to countries of terrorist concern or other
embargoed countries pursuant to the Trading With The Enemy Act or the
International Emergency Economic Powers Act. The bills also contain
safeguards when relaxing export controls for strong encryption
products--the Secretary of Commerce is not required to permit such
exports if there is substantial evidence that the software or hardware
will be diverted or modified for military or terrorist use or re-
exported without requisite U.S. authorization.
The SAFE Act Recognizes That Mass Market Products Are Uncontrollable
And Should Be Exportable
U.S. export controls still ignore the realities of mass-market
software and hardware distribution. Mass-market hardware manufacturers
and software publishers sell products through multiple distribution
channels such as OEMs (i.e., hardware manufacturers that also pre-load
software onto computers), value-added resellers, retail stores and the
emerging channel of on-line distribution. Thus, mass market products
are available to the general public from a variety of sources.
The mass-market distribution model presupposes that hardware
manufacturers and software publishers will take full advantage of these
multiple channels to ship identical or substantially similar products
worldwide (allowing only for differences resulting from localization)
irrespective of specific customer location or characteristics. As mass
market products are uncontrollable, BSA believes U.S. companies should
be able to export the current market standard of 128-bit encryption.
Unfortunately, the Administration has only proposed permitting easy
exports of 56-bit encryption even if foreign products exist in the
marketplace.
Uncontrollable products at 56-bits cannot suddenly become
controllable products at 128-bits. The SAFE Act recognizes as a
fundamental proposition that the United States should not try to
control the export of something that is, by its very nature,
uncontrollable. Trying to control the uncontrollable squanders the
limited resources of companies trying to comply with unrealistic export
controls as well as the resources of the government as it tries to
enforce unenforceable export controls, undermining the credibility of
the entire system of export controls.
The SAFE Act Permits Exports Of Custom Software And Hardware
The SAFE Act ensures that if strong encryption products have been
permitted to be exported to foreign banks, then custom software and
hardware with comparable encryption capabilities should be exportable
to other foreign commercial purchasers in that country. The U.S. should
not control exports of competitive custom products embodying world
encryption standards. Note that the type of software and hardware we
are talking about here is a ``custom'' product (if it were generally
available it would not need an individual license under the bill's
other provisions).
The Administration's Concerns About The SAFE Act Ignore Legal,
Technical And Market Realities.
The Administration Took The First Step Towards Developing A Sensible
Long-Term Encryption Policy, But They Still Have Not Gone Far
Enough.
The BSA members welcome the Administration's efforts to relax
export controls on select products used by select users. We especially
appreciate the Administration's apparent abandonment of its key escrow
policy that would have required all encryption exports (except for 40-
bit and less encryption) to be capable of providing third parties with
immediate access to the plaintext of stored data or communications
without the knowledge of the user. Foreign companies and consumers
simply would not purchase such products as a multitude of foreign
products without key escrow are readily available.
However, the Administration's actions are merely a first step.
Ultimately, any truly successful, sensible encryption policy must be
based on technological and market realities, and should not create
winners and losers in the encryption marketplace on a sector-by-sector
basis. It would recognize that:
The worldwide encryption standard is 128-bit encryption;
Mass market software and hardware is inherently
uncontrollable; and
It is in America's national and economic security interests to
have American designed and manufactured encryption products
deployed worldwide.
We believe it is preferable for Congress to put encryption policy
on a statutory basis rather than continuing to leave it up to
inconsistent Administration regulations--sending a strong message
around the world that encryption is important for a strong defense, for
protecting the privacy of citizens and for preventing crime.
The SAFE Act Is Entirely Consistent With U.S. Obligations Under The
Wassenaar Arrangement
Please do not be fooled by any claims from the Administration that
the Wassenaar Arrangement is the multilateral agreement to restrict
strong encryption that they have been touting as just around the
corner for the past several years.
The Wassenaar Arrangement is a non-binding agreement among 30
countries to report on their sensitive exports that has not been
approved by Congress; therefore, there is nothing requiring Congress to
comply with the Agreement. Also, many countries, such as Israel and
South Africa, who export strong encryption are not signatories to the
Arrangement.
Regardless, the SAFE Act is still consistent with its terms. The
countries agreed to decontrol all 56-bit encryption and 64-bit mass
market software and hardware with encryption and to permit, but not
require, participating countries to restrict exports of encryption
stronger than 64-bits. They also agreed to remove any reporting
requirements--the sole official means for actually monitoring what
countries are doing.
The Administration already permits certain categories of strong
encryption to be exportable under a license exception after a one-time
review. The SAFE Act merely adds strong, mass market encryption
products to these categories by permitting exports of such products
under a license exception after a one-time, 15 day technical review.
We are skeptical that countries will individually control 128-bit
encryption or do anything more than technically comply with the
Arrangement, while still permitting easy exports of strong encryption.
Even France, traditionally the country which placed the greatest
restrictions on its own citizens by limiting them to the easily broken
40-bit level of encryption, has recognized that technology has
progressed. Near the end of 1998, France relaxed controls on the
domestic use of encryption and is now permitting, and in fact
encouraging, the use of 128-bit encryption by its citizens.
The SAFE Act Provides For Continued Export Controls On Encryption
Products
The SAFE Act only relaxes export controls on encryption products
that are ``generally available'' in the commercial marketplace and
custom products if they have been approved for use by foreign banks or
are commercially available from foreign companies. It does not
eliminate export controls on military application encryption products.
Under the SAFE Act, encryption products are ``generally available'' if
they are widely available for sale to the public (i.e., sold over the
Internet, through a telephone transaction or at retail selling points),
are not specifically tailored for specific purchasers or users and do
not require further substantial support by the supplier for
installation except for basic help line services. Thus, the SAFE Act's
definition of ``generally available'' consists of the same elements
required for 56-bit encryption software to qualify for mass market
treatment under the current Department of Commerce's regulations.
The SAFE Act Ensures That Americans Can Manufacture, Buy, Sell Or Use
Any Type Of Encryption Domestically
The SAFE Act explicitly affirms that Americans can sell or use any
encryption domestically. It does nothing to inhibit the development of
key recovery for American consumers or corporations. As I stated
before, consumers are demanding and we are developing and selling them
recoverable products.
It is disingenuous to state that restricting the government from
mandating the use of key recovery type products, except for the
government's own internal uses, and preventing the government from
requiring American citizens to use recoverable encryption if they want
to do business with the government will somehow ``inhibit'' the
development of key recovery. It only ``inhibits'' the government from
using its great powers to effectively force American citizens to use a
government approved type of encryption.
Thus, the SAFE Act importantly provides statutory prohibitions that
prevent the U.S. Government from achieving domestic controls on
encryption through regulation or other governmental powers which it
cannot otherwise achieve legislatively.
The SAFE Act Maintains The Status Quo On The Administration's Powers
Under The International Emergency Economic Powers Act, The
Trading With The Enemy Act, And The Export Administration Act
of 1979
The SAFE Act permits the President to stop exports to terrorist
nations and to impose embargoes on certain countries under the Trading
With The Enemy Act, The International Emergency Economic Powers Act and
The Export Administration Act. It also permits the Secretary of
Commerce to stop the export of specific encryption products to specific
individuals or organizations in specific countries if there is
substantial evidence that such products will be used for military or
terrorist purposes. The SAFE Act, however, does ensure that the
President may not use his authority to further extend encryption
controls beyond those contemplated in the SAFE Act.
The Time For Action Is Now
To keep American vendors on a level international playing field and
American computer users adequately protected, U.S. export controls must
be immediately updated to reflect technological and international
market realities.
Thank you.
Mr. Tauzin. Thank you very much.
We are now pleased to welcome Mr. Tom Arnold, the Vice
President and Chief Technology Officer of CyberSource
Corporation, San Jose, California.
Mr. Arnold, you have got a mike coming the other way.
STATEMENT OF THOMAS ARNOLD, VICE PRESIDENT AND CHIEF TECHNOLOGY
OFFICER, CYBERSOURCE CORPORATION
Mr. Arnold. Good morning, Mr. Chairman and members of the
committee. Thank you very much for the opportunity to speak to
you today.
In general, I think you will hear a slightly different
story from me, not being a provider or a developer necessarily
of encryption products, not being an exporter of encryption
products in the industry.
We are a very small and emerging company right now, and we
specifically provide real-time electronic commerce transaction
processing services to Internet merchants. We are in the very
heart of what is happening in electronic commerce today on the
public Internet.
Specifically, just and very briefly, our services today
include global payment processing, we process in 115 currencies
today; fraud prevention and detection, which is a major issue
for us that I will tell you several things about today; tax
calculation; export compliance rules for our merchants;
territory management; and delivery of both physical and digital
products.
We were founded in 1996 and actually began our existence as
software.net which is now beyond.com as a merchant selling
software.
And I am struck by a very fond reminder that in 1994, when
software.net began, we opened our doors in November 1994
believing that we had the greatest little software store on the
entire public Internet and suddenly realized by February 1995
that our Internet fraud rate was well over 30 percent and
growing rapidly. We were rapidly going out of business.
And we immediately realized that when you open a store in
the public Internet, it is totally global. You are in the best
and the worst of neighborhoods simultaneously. So I am coming
here today also representing the software and information
industry association, and we are very strong supporters of H.R.
850.
Today's CyberSource Corporation, we process transactions
for over 400 merchants on the Internet and have generated over
5.8 million transactions specifically. I don't have the revenue
number for the merchants themselves, but that is the number of
transactions that have actually been processed since the
Internet--Christmas in 1998. So we see an extreme ramp-up
coming up.
My own background spans both technology and law enforcement
fields. I actually began as a patrol officer, working in the
city of San Francisco, and moved my career into law enforcement
computing very quickly, so I do have a background in those
areas as well; and then on to NASA Ames Research Center and
Silicon Graphics and then CyberSource.
Let me open by stating that the environment for electronic
merchants is fraught with issues and challenges; and, like any
community, the Internet population includes its fair share of
criminals, including crackers, frauds, industrial terrorists,
spies and professional and casual hackers.
The Internet is a very convenient and expensive medium for
someone to go into as far as business, but it is absolutely
fraught with risks, including the issues of consumer privacy.
So how do we look at using encryption devices? How does my
company use encryption today?
First, we use it to authenticate, authorize and audit for
transactions coming from a merchant site. These messages help
us identify who is making a request for a transaction to take
place.
Integrity is a major issue. Integrity verifies the fact
that the message has not been tampered with and can also be
related to the fact that a message is not replayed against a
merchant's site. A very common malicious denial of service
attack is to attack messages in flight, replay them against a
merchant site; and in a matter of minutes you have taken the
merchant out of business entirely because this site cannot
handle the traffic that is suddenly hitting his business.
Privacy is the most widely recognized use of encryption and
has been discussed by my colleagues on the panel here today,
and it involves scrambling the communications in order to
conceal business information and the confidentiality of
consumer data, which are the two key points I would like to
stress here, the business information and the consumer data.
Nonrepudiation is another issue that we use for--or another
use for encryption, if you would. And nonrepudiation is a
mechanism by which the sender of an electronic message
requesting something to take place cannot later deny in fact
that they sent us the message and asked us to perform a
transaction.
Finally, there is intellectual property protection. And I
was struck by a news story and I have included it with my
written testimony which I hope will be added to the record.
And, in fact, it was a news story out of the San Jose Mercury
News that I was reading here on the way here describing the
Dark Net and the fact that copies of those, the Star Wars film,
are readily available for download right now off the public
Internet through the dark sites that are out there already.
So protection of intellectual property is extremely
important, and using weaker encryption all the way through
hardened encryption I think are mandatory in this area. For
instance, weaker technologies can be used to protect a software
markets newsletter, where the life of a newsletter itself or
the information that is being protected may only be 24 hours in
time. But much stronger encryption is required to protect and
water-marking is required to protect intellectual property or
material like music or videos that may last for 5 to 10 years.
So what are the types of the things that we have seen out
there in our short lives as a business here in processing
transactions? We have seen this use of competitive and market
information. We have watched as merchants look at other
merchants' information on the Net and try to figure out what is
going on. There is the threat of theft of private sales
information going on, where transaction information from
specifically public companies can be watched and viewed to
determine if they are about to achieve their results. You can
imagine the stock trading implications as a possibility here.
There is theft of products and intellectual property. Then
there is identity theft, which is the theft of consumer
information, which is specifically the method that was used to
attack our little software store when we first started, people
masquerading as another person.
Many of us in this room today, our identities could be
being used right now on the public Internet. Our credit card
information could be being used, and transactions could be
produced as though they were us. And, in essence, on the public
Internet, nobody knows you are a dog.
Attacks by hackers and crackers--and one recent attack
includes a hacker acquiring information to an on-line
transaction where a real consumer had just completed a
transaction requesting a product to be shipped. The hacker then
went back into the system as that consumer and merely changed
the shipping address. The product was shipped by the merchant,
thinking it was going to a changed shipping address, and the
consumer was billed but never received the product.
Okay. These types of attacks are absolutely nothing new.
Twenty-three years ago while I was working as a patrol officer
I responded to petty larceny, burglary and grand theft calls;
and today there is hardly a law enforcement presence that can
effectively address the daunting challenge of the global
Internet.
I was actually speaking to a hacker who was stealing
software, and we were trying to prosecute and locate him. And
they love to flaunt their capabilities out there in the net,
and he made a statement to me that has always stuck with me
and, that is, basically he stated that he was driving a Ferrari
on the Internet superhighway, while the cops were driving
broken-down bicycles.
In a nutshell, merchants need full access to cryptographic
technologies without any mandatory key escrow or key recovery
systems to protect us. I am struck by the level of access that
a lot of hackers have to both public and private systems
specifically, and I am struck by the concept and the amount of
effort that it would take to protect any sort of key escrow or
any sort of recovery system in place related to these business
transactions. It would be absolutely catastrophic if our
private keys were compromised without our knowledge of the
compromise of the keys.
I can imagine the Fort Knox-like facility that would be
required to store this information and the huge infrastructure
required to store the data on the keys for these transactions;
and the reality is, as my colleague on the panel had stated
earlier, the sites are available today from the download of
hardened encryption products.
Let me leave you with one other thought. On the Internet,
the hackers are going a little bit deeper underground as it
stands right now.
Mr. Arnold. There are now ``Dark Nets'' that are showing
up. These are private hacker networks and ``warez'' is a term
that is used as the tools that the hackers use. They have
crypt-analysis tools. They have cryptographic tools. They have
password and network cracking tools that are available there.
As long as you are willing to donate a new tool or a new
technique or some passwords to the site, they will grant you
access to the dark site and will allow you to begin downloading
the products for use for your own nefarious gains.
So let me leave you with a closing remark that--first off,
thank you very much for allowing me to speak to you today. My
written testimony goes into much greater details, and I would
strongly urge the committee and the Congress to pass the SAFE
Act. Thank you.
[The prepared statement of Thomas Arnold follows:]
Prepared Statement of Thomas Arnold, Chief Technical Officer and Vice
President, Engineering, CyberSource Corporation
Good morning, Mr. Chairman and Members of the Committee. Thank you
for the opportunity to speak with you this morning about this important
topic.
My name is Tom Arnold and I am the Chief Technical Officer and Vice
President of CyberSource Corporation based in San Jose, CA. CyberSource
is a developer and provider of real-time e-commerce transaction
processing services. Our products and services offer solutions to
online merchants for global payment processing, fraud prevention, tax
calculation, export compliance, territory management, delivery address
verification and fulfillment management. Founded when electronic
commerce was just beginning to flourish, CyberSource has become a
leading provider of e-commerce solutions for businesses all around the
world.
I am pleased to be testifying this morning on behalf of the
Software & Information Industry Association (SIIA), the result of a
merger between the Software Publishers Association and the Information
Industry Association. SIIA represents 1400 member companies engaged in
every aspect of e-commerce and strongly supports H.R. 850, the Security
and Freedom through Encryption (SAFE) Act.
Let me begin briefly by describing our company's background and my
experience in developing and supporting electronic commerce on the
Internet and cover the primary uses and issues related to the open and
free use of cryptographic technology.
CyberSource Corporation commenced Internet commerce service
operations in March 1996, as a division of Software.Net (now
Beyond.com), a Web site selling software products that could be
downloaded on-line or purchased for traditional physical delivery.
While Software.net was on the cutting edge of an exciting trend, it
faced the challenge of fraud, identity theft, product theft and a host
of similar problems. Within a few months of opening the online store,
the number of fraudulent credit card transactions surged beyond 30% of
Software.net's total transaction volume. It seems online thieves were
stealing individual identities from various Internet sources, then
masquerading as the person and using the credit card associated with
the identity to steal software and other products. The primary problem
was examining the information provided by a consumer and determining
immediately if this person is who they claim to be.
CyberSource has since expanded its offerings to a full suite of
electronic commerce transaction processing services, which today
include on-line payment processing; advanced fraud detection and
screening technologies; export screening; distribution control; sales
and VAT tax systems; and, digital product delivery systems (software,
music and video download technologies).
Today over 400 merchants have chosen to use CyberSource, generating
millions of transactions per month.
My own background spans patrolling the streets as a police officer
to implementing some of the early law enforcement computer systems for
the State of California. I have worked at NASA Ames Research Center,
designed and built the first e-commerce platforms at Silicon Graphics
Corporation, and designed the systems for CyberSource Corporation.
Privacy and Security are Critical Factors to the Success of e-Commerce
Let me open by stating that the environment for electronic
merchants is fraught with issues and challenges. The Internet is first
and foremost a global community and provides a huge opportunity for
merchants to offer the products and services to the broadest possible
community of potential customers. Unfortunately, the Internet
population includes its fair share of criminals, including but not
limited to hackers, crackers, frauds, industrial terrorists, spies, and
even casual hackers.
It is clear that without the ability of companies like mine to
protect the privacy and security of online consumers and merchants, e-
commerce will not flourish. While the Internet is a convenient,
inexpensive and increasingly popular medium, companies and individuals
cannot afford to take advantage of the benefits of the Internet. Simply
put, no amount of price competitiveness, convenience or marketing will
entice an online consumer if they fear that their privacy and security
will be compromised.
To foster the confidence needed to ensure that e-commerce continues
to grow, encryption is vital. In short, cryptographic technology is
used to protect e-commerce transactions in five major functions:
(1) Authentication, authorization and auditing: This is a method for
identifying who is making a request, authorizing access or
capabilities, and tracking what action is taken.
(2) Integrity: This refers to verification that a message is intact;
that the message was not intercepted and tampered with; or,
that the message has not been replayed (a common, malicious
denial of service attack that can put a merchant out of business
in a matter of minutes).
(3) Privacy: This is the most widely recognized use for encryption
technologies. It involves scrambling the nature of the
communication or data so as to conceal business information,
ensure privacy of consumer data, conceal financial or payment
information, and protect product and pricing information.
(4) Non-repudiation: In the virtual, electronic world, this ensures
that any initiated message cannot later be repudiated by the
sender of the message. In essence, by guaranteeing that the
keys used to generate the encrypted message are certified and
remain in the sole control of the sender, and that no keys can
be derived through a recovery process that has been attacked,
the sender cannot repudiate that they initiated the message.
This is a very important concept and is at the heart of
electronic commerce.
(5) Intellectual property protection: This includes a spectrum of
cryptographic technologies that protect downloaded products to
applying digital water-marks. The level and use of hardened
encryption versus weaker encryption is directly related to the
useful life of the product being protected. For instance, a
weaker technology may be used to protect a stock market
newsletter that will be out of date by the next morning, while
hardened encryption and watermarking might be applied to a
piece of music that might have life of five to ten years.
Under the current encryption export policies, we are generally
allowed to license the weaker 56-bit encryption methods for export, and
for certain financial information like a customer's credit card number,
we may be allowed to use strong encryption in limited markets. However,
our inability to use robust protection throughout the e-commerce sales
process unfortunately places our merchants, manufacturers, and
distributors at risk.
Encryption Export Restrictions Place US Companies at Competitive Risk
Competitive information, products, and information about customers
and their transactions are at risk without strong encryption products to
provide security and protection. Foreign competitors, beyond the reach
of US law, have full access to hardened encryption technologies. Here
is a brief list of the risks today:
(1) Consumer information can be acquired by competitors and used to
attack markets.
(2) Transaction information about products being sold and the number
and size of orders being received. This information could be
used, for example, to make stock trades by determining if a
public company is going to achieve its sales goals at the end
of a quarter.
(3) Products and intellectual property.
(4) Consumer identities acquired by a hacker and used to commit fraud.
(5) Products and valuable intellectual property that is acquired and
posted on dark nets. While flying to this hearing, an article
in the local San Jose, California paper stated that pirated
copies of the new Star Wars films were already available on-
line.
(6) A list of ever changing attacks by hackers and crackers. One recent
attack involved hackers acquiring access to an on-line purchase
transaction. This data was used by the hacker to contact the
merchant and have the merchant change the shipping address. By
the time the problem was discovered, the thief was long gone.
There is nothing new in these types of attacks on businesses.
Twenty-three years ago, while working as a patrol officer, I responded
to petty larceny calls, burglaries, and grand theft. Today, there is
hardly a law enforcement presence that can handle the global Internet
environment. I'm reminded of a comment made to me by one hacker
flaunting his accomplishments when he stated that he was driving a
Ferrari on the Internet super highway, while the cops were on broken
down bicycles.
In a nutshell, merchants need full access to cryptographic
technologies without mandatory key escrows or key recovery systems to
protect themselves. Think of these as the deadbolt locks or the alarm
system on our electronic business.
Encryption Protects a Wide Variety of Information
I fully respect the needs of the Justice Department and our law
enforcement agencies to protect US citizens and interests from domestic
and international threats, from criminal activity, and from terrorist
acts. Unfortunately, it is clear that the current encryption policies
restrict only law abiding companies and individuals since cryptographic
and encryption technology is freely available on the Internet.
Additionally our foreign competitors routinely use hardened encryption.
Encryption can be used to protect a wide variety of information,
sensitive data and transactions. While the need for encryption has
greatly increased with the growth of online commerce, computer systems
of all types rely on encryption to provide privacy and protection.
Encryption is used in network operating systems, communications
software and hardware, data storage products, and even in common
products like word processors or spreadsheets. Encryption is an
incredibly useful technology, and high-tech companies and their
customers need to be able to use the most robust tools available to
ensure that their information is secure.
For online companies, encryption restrictions erect a daunting
barrier to the expansion of markets. As e-commerce grows, online
companies are offered a tremendous opportunity yet are denied the
ability to fully take advantage of this shift in the market. More
importantly, however, encryption provides companies a means to protect
their products in ways that can help prevent misuse by even the most
determined of software thieves.
To complicate matters even more, hackers and crackers share their
``warez'' (tools) throughout the public Internet and through ``Dark
Nets'' (private hacker networks--something like a private club where
new members have to share some new ``ware'' to gain entry). Some of the
tools on these sites include: crypt-analysis tools, cryptographic
tools, password cracking tools, network cracking tools, stolen
passwords to sensitive networks and sites, and full technical
information on using the tools. In one case, a major telecommunications
company's own systems were attacked, and used by hackers to host an
illegal ``warez'' site for several months. The hackers were freely
delivering stolen products, credit card numbers, credit card
generators, personal information on people who threaten the hacker
world, and information on breaking into numerous sensitive and critical
computer systems.
The strong encryption key recovery or key escrow schemes being
proposed as middle-ground are inherently insecure and must be strictly
administered. I'm sure members have heard stories about hackers who use
strong encryption to scramble data files on their machines, thereby
thwarting law enforcement investigations. What may not have been
explained is where the hackers obtained the encryption technology and,
further, the level of access to sensitive systems. Between 1993 and
1995, a couple of key hackers being pursued by the FBI had access to:
cellular networks, public telephone taps, and the ability to access
private email accounts and files. In many of these cases, the hackers
used social engineering techniques to get people in sensitive positions
to voluntarily allow access to this information and these capabilities.
It is extremely naive to believe that key recovery systems or key
escrow cannot and will not be compromised, either through insider abuse
or external penetration. I can think of little worse than the
undetected loss of private encryption keys from our systems or any
merchant system. The business impact would be catastrophic. In response
to this type of threat, any government funded and mandatory key
recovery or escrow system would surely have to be secured on the scale
of Fort Knox, or the level of security required to protect our
Country's most valuable assets. Surely it would be hardly cost
effective for the number of electronic wire-tap orders where a key
would be recovered and information monitored. I doubt seriously that
any hacker, criminal or terrorist would use recoverable encryption
technology when strong, unrecoverable encryption is available on the
Internet or Dark Nets.
For this reason, the use of recoverable encryption and key escrow
technologies needs to be voluntary and under the complete supervision
of the user.
In conclusion, I'd like to highlight that the Internet community
offers a great opportunity for merchants. The Internet Christmas
shopping season of 1998 proved the viability of this marketplace,
Christmas 1999 promises to be even better.
As these new opportunities develop, Internet merchants make
substantial investments in new computer systems and technologies to
help them address the growth. The advertising outlays to attract new
customers are also substantial. It may take as much as $128 to get a
single consumer to press the buy button.
The risks for merchants in this growing segment of our economy from
the loss of critical business information and private consumer
information are extremely high. A major manufacturer of computer
hardware estimated their loss from theft that resulted from fraud and
compromise of proprietary consumer information is 7% of their annual
revenues and is growing faster than sales.
Merchants need open access to strong encryption to protect their
investments, technologies, products, and consumer information. As new
payment or merchandising technologies are implemented, hackers and
information mercenaries will develop tools to attack these technologies
for their illicit gain. For these reasons, we fully support the
Security and Freedom Through Encryption Act and urge its prompt
passage.
Thank you.
Mr. Tauzin. Mr. Arnold, thank you very much. Indeed, your
written testimony is very illustrative of all of these problems
on the Internet. Thank you for that.
I might mention to you that you are correct about on the
Internet no one knows whether you are a dog. A newspaper in
Louisiana successfully registered four dogs to vote in
Louisiana. I don't know whether they were blue dogs or yellow
dogs.
Somebody else that I mentioned--remember we took up WIPO? I
think ``Titanic'' had just been downloaded on the Internet
that same week. So we have seen this over and over again. But,
of course, if the critics are right about ``Star Wars,'' it
might not make a whole lot of difference.
Dr. Gene Schultz, trusted security advisor of Global
Integrity Corporation of West Lafayette, Indiana. Dr. Schultz.
STATEMENT OF E. EUGENE SCHULTZ, TRUSTED SECURITY ADVISOR,
GLOBAL INTEGRITY CORPORATION
Mr. Schultz. Good morning. I work for Global Integrity
Corporation, which is a wholly owned subsidiary of SAIC,
Science Applications International Corporation. It is a very
large consultancy. It is international in nature. I am not
here to represent the interest of anybody who makes any
encryption product. I hope they make a lot of money in their
endeavors, but that is not why I am here.
I am here to speak my conscience. You see, I have an
unusual background. I have been in the trenches there, and I
see what is going wrong in computer security. I started and
managed for 4 years the U.S. Department of Energy's incident
response team called CIAC.
After that period of time, I worked out with industry when
I was at SRI consulting down in Menlo Park, California. We
worked with some of the largest corporations, not only in the
United States but in the world.
I have been a witness to over a thousand different
security-related incidents in the computer security area. I
have seen what breaks down. I have seen what goes wrong. I have
worked with law enforcement. I know many people in the law
enforcement community.
And if you read books such as ``At Large'' by David
Freedman, you will see some of the details of what really goes
wrong. What really goes wrong isn't that some bad guy goes out
and uses encryption against you or anything like that. It's
hard enough for this community to deal with the evidence that
is at hand in clear text.
I would like to, therefore, switch the topics just a little
bit to the area of technology itself and tell you that what we
have out here in the area of networking isn't what we had 2 or
3 or 4 or 5 years ago.
What we have in terms of telecommunications networks, in
terms of computer networks, are considerably more complex now
than they were just even a few years ago when encryption or
restrictions certainly were considered a very, very reasonable
thing to have.
You see, today somebody from a major vendor company said
that the network is the computer, and that's really true.
Today's computers aren't these stand-alone computers that sit
on desk tops, and whether or not you have encryption may not
make that much difference because you can control who gets those
computers by locks, keys, guards, and guns.
Today's computers are really meant to interface with
networks. In fact, sometimes they don't work so well if they
are not interfaced with a network. In addition to that, when
you set up a computer now, you are opening up the possibility
that somebody from potentially anywhere in any part of the
world could possibly make a connection to that computer.
Your computer could be connected to people from Hong Kong,
from people from Beijing, people from Melbourne, Australia, and
on down the line. There are no distinct boundaries in networks
anymore.
It used to be that we had a nice little ARPANET and that
split into what was called NSFNET which we call the Internet
and MILNET.
But it's not like that anymore. In fact, networks are
largely in control of people who are Internet service
providers. Metropolitan area networks, they are regional
networks tied together through some massive backbone kind of
structure.
Even the Internet as we know it now is rapidly breaking
down. You see, it is too slow. It doesn't meet our purposes
very well. And vendors are developing new networks that will
supersede and far bypass network. We don't really have control
over this technology as it proliferates.
In addition to that, I don't need to be very smart to
attack a computer off the network. I just need to download a
program from one of the dark sites that Mr. Arnold talked
about, or one of many others, and simply start up a program and
it does things for me.
And so I can be older or younger. It is not true, by the
way, that hackers are all young people. There are many older
and experienced hackers out there. But the state-of-the-art of
attacking networks, it has been proliferating over the last few
years, much above when, again, we were first concerned about
the problem with encryption control.
Network services you get--web services for file transfer
services generally demand no or at least little identification.
And probably the worst threat to corporate America today from
my experience is somebody planting a network capture device
that captures the traffic that goes through the network and
grabs the memo that goes from the CFO to the CEO or the CEO to
the CIO.
And because of that--and people don't realize it. They
think that it is external hackers that are trying to get you.
But the real threat in which encryption technology can protect
you lies from within your own organization itself.
Finally, I would say that networks are radically different
in that now transactions occur over networks in which it is
possible to repudiate transactions. No, I didn't buy this;
don't bill me this. But you keep whatever goods or services
have been shipped to you.
I have seen some pretty bad incidents. I was one of the
principal observers of the break-ins into U.S. military systems
during Operation Desert Storm and Desert Shield. I saw people
from foreign countries break into U.S. computers with impunity.
Had we had a better level of encryption practiced during
that time, we could have virtually stopped the bad guys from
getting information about, for instance, our munitions
movements in the Middle East, about what battleships were
moving overseas, how many troops were going from which Army
base here in the United States over to which destination.
Now we can say, well, yes, that is all within the
government. But the fact is encryption technology was not that
advanced in terms of its actual deployment at that time.
I have seen a company recently that had somebody try to
break in, did break in, to their network, got into a machine,
attempted to initiate a $20 million financial transaction.
Fortunately they failed.
Better cryptology could have addressed that problem and
should have addressed that problem, but it was not in place.
Frankly, that corporation was lucky. I saw another corporation
in which somebody did break into their network. They did
transfer files with impunity. The financial loss is
immeasurable. Many of their pending copyrights were transferred
off to some unknown location.
In this particular case, again, encryption could have made
a big difference. I have seen network capture devices used
against corporations where people have captured virtually
everything out of a major corporate network.
Again, encryption could and should have helped address this
problem also, in the telecommunications arena. Don't think that
the only danger is the Internet. We have lots of PBX to
Internet, PBX to private networks kinds of links.
In those arenas, again, voice goes across in clear text,
voice conversations between a CEO and critical business
partners. We don't use encryption sufficiently because we have
too many barriers on that encryption.
We don't have sufficiently strong encryption. And you can't
fool industry. If they know that somebody is faulty, they are
not going to invest the money in it. We know also that the
industry has to put up with the least common denominator.
They know that the third party business partners are out
there with weaker crypto. They are going to have to lower their
crypto capabilities to this weaker capability if they are going
to maintain encrypted links. Therefore, often they do not.
Finally, something that has not come out, I believe, up to
now. I believe that the U.S. Government is sending a strong
negative message to industry. I think they are saying somehow
that there is something wrong with this technology, that
somehow there is something not very good about it.
It is something that, gee, well, maybe pedophiles,
terrorists, criminals, and all of this are associated with it.
I think that industry is very quick to see that if the
government is not giving it a green light, that it is going to
be slow to deploy it.
What we have, in effect, is a situation where we have an
arid land. We desperately need water, but we are afraid that
the outlaws are going to get the water, so we poison the well.
I think that is what happened. Maybe that worked 5 years ago.
Maybe that worked 10 years ago. But today technology has
changed.
We have to come to grips with the changes in technology. We
are, in fact, worse off now in protecting our critical national
infrastructure than we were 3, 4, 5 years ago. Technology has
advanced that far, but the ability to use encryption has not. I
strongly urge you to pass the SAFE Act.
[The prepared statement of E. Eugene Schultz follows:]
Prepared Statement of E. Eugene Schultz, Trusted Security Advisor and
Research Director, Global Integrity Corporation
New Directions and Opportunities for Cryptography
abstract
This paper addresses the issue of U.S. cryptographic restrictions.
Committees in both the U.S. House of Representatives and Senate are
considering legislation that relaxes these restrictions. The main
reasons for closely guarding cryptography (i.e., protecting U.S.
military and law enforcement interests) have historically been
legitimate. They now, however, constitute considerably less
justification for keeping these restrictions. Networks and the
computing systems that connect to them are now much more complex; they
are thus more subject to a myriad of attacks. Networking itself is an
integral part of the U.S. critical infrastructure. The use of strong
cryptography in securing these networks is now virtually a necessity in
controlling against attacks and misuse such as stealing files from
remote systems, preventing perpetrators from stealing plaintext message
traffic containing valuable information and passwords, and proving that
someone who initiates a financial or other kind of transaction has
indeed done so. Strong cryptography is also equally necessary in the
telecommunications arena, in which valuable data also traverses
telecommunications links. The current U.S. policy on cryptography has
played a major role in the commercial sector's inability and
unwillingness to deploy it where it is needed. The result is
substantially elevated security-related risk within critical sectors
(e.g., financial services and hospitals) within the commercial world.
The fact that the U.S. Government has also sent a distinct, negative
message to the U.S. commercial arena concerning the use of cryptography
is perhaps the most serious of the obstacles the Government has
created. Equally disturbing is that the current U.S. policy will
eventually ensure that the U.S. loses its leadership in the
cryptographic arena. It is thus now time to change the U.S. policy on
cryptography by relaxing current restrictions.
Background
What should the U.S. do about its policy concerning cryptography?
Should, as several key agencies of the Government argue, cryptography
continue to be restricted to the same degree that it has been in the
past, or should it be more freely available, both within the U.S. and
internationally?
Not surprisingly, polarized positions have emerged. Proponents of
restricting cryptography argue that doing so is in the best interests
of national security in addition to law enforcement needs. Hostile
foreign powers and criminals who have access to powerful encryption can
use it in potentially harmful ways--to maintain a secrecy of
communications that U.S. interests cannot tolerate, store evidence in a
form that cannot be deciphered by anyone but themselves (and thus in a
form that is unusable to law enforcement), and so on. Those who
advocate these restrictions also propound that cryptography is
currently not sufficiently cost-effective, useable and manageable to
justify the risk of making it more freely available.
This paper advocates a different position--that whereas U.S.
restrictions on cryptography may have made sense in the past, they are
no longer appropriate as is. They need to be eased.
Changes in Security-Related Threats
The computing world has shifted focus considerably during the last
decade. Whereas a reasonably large proportion of computers was still
standalone one decade ago, now it is rare to see a standalone computer.
The computing as well as the telecommunications world is massively
networked. Networks are extremely difficult to defend from attacks for
several important reasons:
Today's computers are considerably more sophisticated than
they were a decade--even a half decade--ago. Today's computers
are in fact built for networking. Virtually anyone--friend and
foe alike--can obtain one or more of these computers and
utilize network services. Unfortunately, this also means that
virtually anyone can perpetrate attacks over networks.
Networked computers are in most respects a bigger target than
computers that do not connect to one or more networks.
Depending on how a network is configured and a large number of
additional factors, it may be possible for anyone in any part
of the entire world to be able to remotely reach a given
computer, and thus to attack it.
Where networks start and where they end are both nearly
impossible to determine. In general, it is difficult to defend
something that has a well-defined boundary.
The state of the art for attacking computers over networks has
evolved dramatically over the last few years. Many software
programs that allow even the most naive of computer users to
launch powerful attacks over networks are now freely available
over the Internet as well as through other sources.
Networks offer services that typically demand little or no
identification of the people who utilize these services.
Avoiding being identified is usually trivial for network
attackers. Being anonymous over the net emboldens network
attackers.
A perpetrator who has access to one point in a network between
a computer from which someone sends a message or a file and the
computer on which someone receives it can capture traffic that
is sent. By default, all such traffic is in plaintext, meaning
that whoever captures it can read it right away. Privacy over
networks is thus a major concern.
Networks make electronic transactions possible, yet dishonest
people can order goods and services over the net, then deny
ever authorizing the order.
My experience in the world of computer security spans nearly 15
years. During this time I have been faced with many challenges and seen
many eye-opening experiences. One of the most startling sets of
experiences occurred nine years ago when intruders from the Netherlands
broke into U.S. military computers with impunity, stealing information
about weapons systems, U.S. troop movements, ordnance shipments, and
so forth in the midst of Operation Desert Shield and Operation Desert
Storm. The U.S. military community had the cryptography available to
protect the sensitive information that the intruders stole but did not
use it.
Approximately five years ago a small number of perpetrators
installed software programs that captured network traffic that went
through Internet service providers throughout the U.S. The main target
(although not the exclusive target) was passwords--the perpetrators
used the passwords they captured to break into the computer accounts of
tens of thousands of users, mainly in the U.S.A., but also in other
countries. The perpetrators obtained so many passwords that they were
not even able to use a significant proportion of them during the time
span in which the attacks occurred. Encrypting the traffic that went
into and out of the Internet service providers' computers would have
prevented these attacks.
I recently helped a client corporation respond to what was a very
potentially serious attack. The client has a number of networks, one of
which contains computers that initiate and control major financial
transactions. Someone, apparently not a company employee, obtained
access to this network through a connection with one of the
corporation's business partners, then attempted to initiate a multi-
million dollar financial transaction. Fortunately for the corporation,
the attacker did not know quite enough about the procedures for
initiating such transactions and thus failed. Use of cryptography that
strongly assured the identity of the person who initiates these
transactions would have considerably lessened the probability of
success in this scenario.
Another corporation was not so fortunate. A remote attacker broke
into one of a corporation's networks and transferred many proprietary
files to another computer that the attacker had taken over. The exact
amount of financial loss remains unknown, but it is not unreasonable to
think in terms of tens of millions of dollars. Had the stolen files
been encrypted with strong cryptography, they would have been of no
value to the attacker and the people to whom he undoubtedly sold them.
The fear of attacks such as breakins into computing systems often
overshadows concern for other types of attacks. In reality the
potentially most devastating attack in the corporate world is one in
which someone plants a device or software program that captures all the
network traffic that goes by a certain part of the network. The
attacker can capture not only passwords, but also critical data files,
messages sent between corporate officers, and a variety of other
sensitive and valuable information. This information is almost without
exception transmitted in plaintext. Indeed this kind of attack occurred
several years ago at the headquarters of a major manufacturing
corporation. Perpetrators planted a device that captured all incoming
and outgoing network traffic. Luckily, someone discovered the plot to
capture and sell corporate information before the perpetrators were
able to sell it. Again, the use of cryptography to prevent plaintext
traffic from being sent over this network would have deterred the
perpetrators from carrying out this kind of plot in the first place.
Computer networks are not the exclusive targets of attack;
telecommunications links are also vulnerable to being tapped. The
corporate PBX is a particular target. The fact that voice and data
traffic is by default sent in plaintext over many telecommunications
links is once again a cause for major concern. Unbelievably, some
organizations encrypt network traffic but do not encrypt traffic that
moves through telecommunications links, even though these links feed
into the computer networks and vice versa.
Why Restrictions on Cryptography Serve as Obstacles
In today's hearings we will once again be reminded of reasons for
restricting cryptography and why, if and when restrictions are relaxed,
we will have reached what some will call a dramatic, irreversible
point in U.S. ability to maintain control of cryptography. On the
surface, these views make sense, but they do not make as much sense now
as they did two or three years ago. The problem with the logic of these
views today is that (as discussed previously) networks are now so much
bigger, more complex, and more pervasive. Corporate America is now
considerably more reliant on computer networks than it was only a few
years previously. And, with a few notable exceptions (mainly in the
banking and financial services arena), corporate America is not
deploying cryptography to a great extent. Why? Several reasons stand
out among the primary probable causes:
1. Cryptography presents a myriad of practical difficulties,
including the problem of cryptographic key management and the fact that
using cryptography causes slowdowns in system and network performance.
2. The financial cost of using cryptography is still rather
high. For many corporations, the benefits do not currently outweigh the
cost.
3. Strong cryptography is for the most part not available to
corporations, even in the U.S. With magazines and newspapers running
articles about how someone else has broken one, then another
cryptographic algorithm, corporations hesitate to make the financial
investment to widely deploy cryptography that they perceive may be
flawed.
4. Businesses are now truly global in nature more than ever before.
The fact that businesses do not exist in isolation means that a given
U.S.-based corporation is likely to have offices in other countries
(something that generally causes only minor complications in terms of
ability to deploy encryption). More significant, however, is the fact
that many third-party business partners are headquartered in countries
in which U.S. cryptographic restrictions are enforced. The U.S.-based
corporations are thus forced to choose between implementing the
relatively weak cryptographic solutions generally available to these
non-U.S. entities (to create a common encryption link with these
entities) or to not deploy encryption at all. Too often the more
reasonable choice is the latter.
5. Whether or not the U.S. Government realizes this, its policies
on cryptography are sending a distinct, negative message to industry.
On one hand, some U.S. Government agencies and institutes encourage
industry to use encryption, but then others talk about the dangers of
strong encryption and the harmful effects of allowing it to be too
widely disseminated. At the same time elements from within the
Government have publicly voiced concern about the cost and
performance decrements associated with the encryption that is currently
available. The message to industry is that there is something wrong
with encryption, that strong encryption is something that is used by
spies and pedophiles, or that, even if industry uses encryption, it
must understand that the ``best'' encryption is reserved for inner
pockets of the Government. The net effect is that industry's motivation
to deploy encryption has been undermined.
The most unfortunate result is that organizations such as financial
service providers and hospitals that have the greatest need to use
encryption too often do not use it. The U.S. Government has in effect
``poisoned the well'' in a desert to keep outlaws from drinking from
it. Unfortunately, the nearby villagers meanwhile are dying of thirst.
Other countries are developing cryptographic technology and making
it available to the rest of the world anyway. Any country (regardless
of the status of its relationship with the U.S.) can obtain strong
cryptography today independently of what the U.S. makes available.
Worse yet for the U.S., with supportive policies by foreign governments
in which strong cryptographic technology is developing and strong
international demand for strong encryption technology, this technology
will some day in the not-too-distant future exceed the U.S.-based
technology. The unfortunate result for the U.S. is that our ability to
control cryptography (a major goal of those who advocate strong
restrictions) will have passed us by anyway. Our ability to control
cryptography depends to a large extent on our ability to be the leader
in cryptography technology.
Additional Pseudoreasons for Restricting Cryptography
Suppose that, as opponents of easing cryptographic restrictions
often assert, the U.S. relaxes cryptographic controls, then finds that
some adversarial or criminal element is using strong cryptography in a
manner that is significantly harmful to U.S. interests. These opponents
too often, however, fail to consider the available brainpower and
resources within the U.S. available to crack the cryptography.
Overlooking the impressive historical achievements of U.S.
cryptanalysts in what amounts to a proactive concession of defeat--
saying that the U.S. may or will not be able to cope with any fallout
that strong cryptography brings should it become more widely available.
Furthermore, ironically, numerous hostile foreign powers, terrorist
groups, and criminal organizations almost certainly have the ability to
break at least some of the cryptography that the U.S. is trying so hard
to protect.
Opponents of relaxing U.S. cryptographic restrictions additionally
fail to come to grips with another firmly established historical
precedent of which the U.S. is all too aware (e.g., the Walker spy
case). A cryptographic system, no matter how strong, is only as strong
as the weakest link. The weakest link is normally a person--a greedy,
disgruntled, or ideologically motivated person who thoroughly knows the
system. If the U.S. needs to crack a cryptosystem that is not
technically feasible to crack, it can always attempt to crack this
system by courting the people who know about and work with the system.
Conclusion
In conclusion, those who have opposed relaxation of cryptography in
the past have taken a reasonable stand. The major problem today,
however, is that the technology of the past is not the technology of
today. Today's networking technology in particular has introduced many
new, security-related threats, most of which can be addressed by
today's encryption technology. Computer and telecommunications
networking are absolutely essential to the U.S. critical
infrastructure. The sectors within the U.S. that most need to deploy
this technology, unfortunately, either do not deploy it at all or do
not use it to its potential. The result is that we are now worse off
with respect to protecting our critical infrastructure than we were a
few years ago. This trend will become exacerbated if not reversed. Only
one reasonable solution exists--to relax restrictions on cryptography
as soon as possible.
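The remedy Dr. Schultz describes for the attempted multi-million-dollar transfer (cryptography that strongly assures the identity of whoever initiates a transaction) and the repudiation problem he raises earlier both come down to a digital signature checked by the system that executes the transfer. The following is an added worked example, not part of the testimony or of any witness's material: it uses Ed25519 from Go's standard library, and the transaction format, the names ("treasurer", the account identifiers) and the nonce-based replay check are constructed assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is a constructed sample instruction; its field layout is an assumption of this example.
type Transaction struct {
	Originator  string `json:"originator"`   // person or role initiating the transfer
	Beneficiary string `json:"beneficiary"`  // receiving account
	AmountCents int64  `json:"amount_cents"` // amount in cents (no float rounding)
	Nonce       uint64 `json:"nonce"`        // unique per instruction; blocks replay
}

// SignedTransaction is an instruction plus the originator's Ed25519 signature
// over its canonical encoding; only the private-key holder can produce it.
type SignedTransaction struct {
	Tx  Transaction
	Sig []byte
}

var (
	ErrUnknownOriginator = errors.New("originator has no registered public key")
	ErrBadSignature      = errors.New("signature does not verify under the originator's key")
	ErrReplay            = errors.New("nonce already processed for this originator")
)

// canonical returns the exact bytes that are signed and verified; encoding/json
// emits struct fields in declaration order, so equal instructions encode identically.
func canonical(tx Transaction) []byte {
	b, _ := json.Marshal(tx) // cannot fail for this fixed struct of plain fields
	return b
}

// GenerateOriginatorKey creates an originator's key pair; the private half
// stays on the originator's own workstation and never crosses the network.
func GenerateOriginatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignTransaction is the step performed on the legitimate originator's side.
func SignTransaction(priv ed25519.PrivateKey, tx Transaction) SignedTransaction {
	return SignedTransaction{Tx: tx, Sig: ed25519.Sign(priv, canonical(tx))}
}

// Processor stands in for the system that executes transfers; it acts only on
// instructions that verify under a public key registered out of band.
type Processor struct {
	keys map[string]ed25519.PublicKey
	seen map[string]map[uint64]bool // nonces already executed, per originator
}

func NewProcessor() *Processor {
	return &Processor{keys: map[string]ed25519.PublicKey{}, seen: map[string]map[uint64]bool{}}
}

func (p *Processor) Register(name string, pub ed25519.PublicKey) {
	p.keys[name], p.seen[name] = pub, map[uint64]bool{}
}

// Accept checks the signature first, then rejects replays: without the private key an
// attacker on the network can neither forge nor alter an instruction, nor resubmit a captured one.
func (p *Processor) Accept(st SignedTransaction) error {
	pub, ok := p.keys[st.Tx.Originator]
	if !ok {
		return ErrUnknownOriginator
	}
	if !ed25519.Verify(pub, canonical(st.Tx), st.Sig) {
		return ErrBadSignature
	}
	if p.seen[st.Tx.Originator][st.Tx.Nonce] {
		return ErrReplay
	}
	p.seen[st.Tx.Originator][st.Tx.Nonce] = true
	return nil
}

func main() {
	pub, priv := GenerateOriginatorKey()
	proc := NewProcessor()
	proc.Register("treasurer", pub)
	tx := Transaction{Originator: "treasurer", Beneficiary: "acct-sample-001", AmountCents: 2_000_000_000, Nonce: 1}
	genuine := SignTransaction(priv, tx)
	fmt.Println("genuine: ", proc.Accept(genuine)) // nil
	fmt.Println("replayed:", proc.Accept(genuine)) // ErrReplay
	tampered := genuine                            // captured in flight, beneficiary rewritten
	tampered.Tx.Beneficiary = "acct-attacker"
	fmt.Println("tampered:", proc.Accept(tampered)) // ErrBadSignature
	_, attackerPriv := GenerateOriginatorKey() // intruder holds a key, just not the treasurer's
	forged := SignTransaction(attackerPriv, Transaction{Originator: "treasurer", Beneficiary: "acct-attacker", AmountCents: 2_000_000_000, Nonce: 3})
	fmt.Println("forged:  ", proc.Accept(forged)) // ErrBadSignature
}
```

Run it as an ordinary Go program: the printed cases show a genuine instruction accepted, the same instruction refused when resubmitted, and both an altered copy and one signed with a different key refused. The same check disposes of the repudiation point in the statement: only the holder of the registered key could have produced a verifying signature, so a verified instruction is evidence that the originator authorized it, provided the private key was in fact kept private.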
Mr. Tauzin. Thank you very much, Dr. Schultz. Compelling
testimony.
Now, we will hear from a fellow that Mr. Hornstein fears so
much, Mr. Holahan, executive vice president, marketing,
Baltimore Technologies, from Dublin, Ireland. Mr. Holahan.
STATEMENT OF PADDY HOLAHAN, EXECUTIVE VICE PRESIDENT,
MARKETING, BALTIMORE TECHNOLOGIES, INTERNATIONAL FINANCE
SERVICES CENTRE
Mr. Holahan. Good morning, Mr. Chairman and members of the
subcommittee. My name is Paddy Holahan, executive vice
president of marketing for Baltimore Technologies. I am
responsible for the design and marketing of all of Baltimore's
products.
I am testifying today to provide the viewpoint of a leading
information security company that originates from outside the
USA. I would like to put my comments in context by giving you a
brief introduction to Baltimore Technologies.
We are a publicly listed company on the London Stock
Exchange. We develop and market commercial security products
for use in business and e-commerce. Most of these products use
encryption technology.
We have software and hardware development centers in
Ireland, the UK, and Australia and have sales offices in 16
cities worldwide and customers in over 40 countries. Many of
these customers are governments, government bodies, large
corporations of some of the world's leading financial
institutions.
We have business and technology relationships with many
companies including U.S. corporations such as Intel, Cisco,
IBM, Netscape, and Security Dynamics/RSA. While we do not
develop software inside the U.S.A., we are successfully
selling our products and growing our business throughout
America.
We are one of the leading global security companies in the
world. We export the majority of our products from the country
of development. These exports are regulated by national
government of the relevant country, all of which are
signatories to the Wassenaar Arrangement.
Accordingly, Baltimore has unrivaled experience in
operating in the most international of export regulation
environments. Our business objective is to provide the world
with the underlying electronic security infrastructure to
support world commerce.
The underlying framework of world commerce requires a
reasonable regulatory environment that transcends national
boundaries. This framework has to be acceptable to the trade
requirements of international governments and freedom of the
individual. Encryption is now a common requirement for almost
any Internet or e-commerce product.
This is in contrast to a few years ago when encryption was
only necessary for specialist products. It is now clear to
everybody that the regulatory system designed to control
cryptography in the past cannot be sustained into the future.
The next move is highly important, and we will encourage
and support all initiatives to develop the structure that
supports the requirements of industry and of governments.
The SAFE Act will completely alter the nature of the
security market both inside the United States and the rest of
the world. We welcome the use of cryptography for the
development of a safe, secure e-commerce structure within the
United States as proposed within the SAFE Act.
Security and trust are essential parts of commerce, and
cryptography is an essential part of e-commerce. The
prohibition on mandating key escrow will also remove a
potential technological obstacle to the adoption of secure
systems.
The export provisions of the SAFE Act will potentially
revolutionize the worldwide international e-commerce markets.
It will clear the way for full-time encryption of a vast range
of security and general-purpose applications, including Web
browsers, e-mail, and file encryption.
The act will enable the vast majority of non-American
corporations and consumers to conduct business with each other
over the Internet using strong security. However, this
unilateral move comes up soon after 33 leading countries,
including the United States of America, agreed to harmonize a
base level of crypto regulation in the Wassenaar Arrangement.
The SAFE Act may solve a single problem of U.S. export but
may cause other difficulties in selling and using U.S. security
products between other countries, as many U.S. corporations
have development and manufacturing and distribution facilities
throughout the globe.
This is not a U.S.-versus-the-rest-of-the-world issue. The
United States is in a unique position in that it is the largest
single market for development, export, and purchasing of high-
technology products.
I would encourage the committee to consider a more
international approach to the export section of the SAFE Act so
that we recognize the international aspect of industry and of
the Internet. I also wish to refute the widespread perception
that non-U.S. security companies flourish solely because of
inability of U.S. companies to export products with strong
crypto.
As part of my research for this testimony, I was astounded
by some of the claims presented to other subcommittees. It is
vital that this subcommittee is not misled into developing
legislation based on incorrect information. We welcome any
moves to encourage open markets for encryption products
throughout the world.
The current U.S. regulations may appear to give non-
American companies a massively unfair advantage, but in truth
the advantage gained is slight.
U.S. companies dominate in the software and technology
worldwide and will continue to do so. There are tens of
millions of users of Microsoft and Netscape products outside of
America, most of whom have reduced-strength cryptography.
Even though freeware products exist to reinstate the strong
crypto, a tiny percentage of people have done so. We derive a
high percent of our revenues from the financial sector, but
U.S. companies are free to offer strong cryptographic products.
We compete successfully in the same way as any technology
does, by bringing the best products to market first. I do not
know of any significant non-American companies who deliberately
set out to build a business based on the U.S. export situation.
The only situations we encounter of companies deliberately
side stepping U.S. regulations are the international
subsidiaries of American corporations. While U.S. companies are
subject to export restrictions, they have a domestic market
that is the most active and sophisticated in the world,
comprising 260 million people.
Many of Baltimore's products emanated from our Ireland
development center with a domestic market of only 4 million
people. American companies are not losing the technology, nor
will they.
There exist many significant impediments to the development
of security products, and many American companies would cite
the commercialization of various patents as being more
significant. The SAFE Act presents a highly significant
opportunity to change the security landscape within the United
States and beyond. It will impact both U.S. and non-U.S.
security and encryption companies and potentially alter the way
in which e-commerce and the Internet are secured.
I would like to thank you for your invitation to present
here today.
[The prepared statement of Paddy Holahan follows:]
Prepared Statement of Paddy Holahan, Executive Vice President of
Marketing, Baltimore Technologies
introduction
The Subcommittee on Telecommunications, Trade and Consumer
Protection has requested that Baltimore Technologies present testimony
on the SAFE Act.
We would like to thank the committee for the opportunity to present
views and assist the committee with its work. As a leading non-US
originated developer of security and encryption products with sales
throughout the world, including the United States of America, we can
provide a different perspective on the implications of this
legislation. We are not encouraging the members to vote in a particular
direction.
Cryptography is being incorporated into more and more technology
products every day. The general technology boom and the Internet in
particular fuel this explosive increase in use of crypto. It is
apparent to everyone that a regulatory system designed to apply to a
small number of specialist products cannot be sustained into the
future.
Baltimore Technologies is a publicly listed company with
headquarters in Ireland, UK, Australia and the USA. As a leading global
supplier of security products for use in enterprise and e-commerce
systems, we welcome all attempts to encourage worldwide open markets
for cryptographic products. As a global company, we wish to compete on
a level playing field and let the consumer choose the best product and
supplier.
Baltimore Technologies, along with many other non-American
originated companies, has no reservations with the underlying concepts
in the SAFE Act. Indeed, we would welcome the global availability of
products such as browsers, secure email and emerging technologies that
will help generate the environment for world e-commerce.
A large portion of Baltimore's business comes from customers who
are free to choose products from our competitors from the USA, Canada,
Europe. These customers are either American corporations or financial
institutions who can obtain export licenses for US products. We believe
that a very small percentage of our business comes as a direct result
of American export restrictions.
Baltimore has technology and business relationships with many
world-leading technology companies. These relationships are based on
mutual business benefits and not because Baltimore is a non-US company.
In the past three years we have worked with companies such as Intel,
Cisco, IBM, Security Dynamics/RSA, Netscape. These relationships exist
both inside the United States and in other countries where Baltimore
operates.
(A) Comments on SAFE Section 2: Sale and Use of Encryption
As a growing supplier of security and cryptographic products within
the USA, Baltimore Technologies welcomes the provisions of section 2
which ensure that businesses and individuals will continue to have the
right to buy and use security products for legitimate personal or
business use.
The prohibition on mandatory key escrow is also welcomed. Key
recovery has certain legitimate uses in commerce and it remains an
important optional security system for certain industries.
(B) Comments on SAFE Section 3: Exports of Encryption
Baltimore Technologies does not develop products in, nor re-export
products from the USA. As such the provisions in the SAFE Act will not
change the manner in which we do business--but it will completely
change the way US companies compete in the global market.
In considering liberalising cryptography export policy the
committee should consider the following:
1. Passing the SAFE Act will not solve all export problems for US
corporations and will not create the international environment that is
fundamental for world commerce. US companies develop, manufacture and
distribute products from many countries worldwide. The SAFE Act will
enable export from the US, but thereafter companies will have to comply
with the export regulations of other countries. It is fundamental to
the success of world commerce that the SAFE Act is consistent with the
regulatory environment in all key world economies.
2. The US's current export stance impacts the vast majority of
computer users worldwide. For example the overwhelming majority of
Internet access is conducted using US products such as Microsoft
Windows and Internet browsers that remain crippled at 40-bit encryption
outside of the US.
3. This Act will completely revolutionise the Internet and e-
commerce internationally, giving international free access to full
strength secure Internet browsers and email along with a range of other
products.
4. The passage of this Act may encourage other countries to bring
their export regulations in line with the USA. This will create a freer
market for cryptographic products worldwide.
5. Most countries have a cryptography export policy. These policies
vary from country to country, but it is wrong to assume that the US is
currently out of step with the rest of the world. The unique part of
the US export system is the use of restricted key-lengths.
6. It is true that all security and encryption companies are prone
to losing business as a result of export, import and usage restrictions
imposed by national governments. It is important to recognise that US
companies are not unique in this regard. The United States, as the
largest exporter of software and high-technology products in the world,
feels the effects of export restrictions more noticeably than other
countries.
7. The SAFE Act, if passed, may contradict the terms of the
recently agreed Wassenaar Arrangement signed by the governments of 33
leading nations, including the USA. While the Wassenaar Arrangement
imposes unwelcome restrictions on cryptographic products, Baltimore
welcomes the attempts at international consistency and harmonisation.
8. The SAFE Act correctly distinguishes between products that
include cryptographic functionality and pure cryptographic
products. Many technology products now include cryptographic elements in
order to provide security for Internet users. These products provide
functionality that is simply made secure by crypto. For example Web
Browsers and conventional email systems are in widespread use, but they
also include cryptography which can secure communications if necessary.
Pure cryptographic products, on the other hand, can be used in a
more general-purpose manner and can be used to build a wide range of
security systems for almost any use.
other commentary
The US cryptography debate has generated a great deal of interest
and debate, but there is much misunderstanding of the global situation.
1. It is misleading to state that non-American companies are
flourishing because of the current US policy. Surveys are often
presented stating the number of programs available internationally that
include strong crypto (e.g. PGP, Fortify). What these surveys neglect
to mention is that the dollar value of the sales of all these products
is very small when compared with sales of similar products in the US.
The United States dominates the world's software market and will
continue to do so. While there is no argument that some US companies
are obviously limited in their non-US markets for strong-crypto
products, it is not the case that non-US companies are flourishing at
an exaggerated rate.
2. Most countries do have effective export restrictions that
regulate export of cryptographic products. Baltimore Technologies has
to deal with three export administrations in Ireland, the UK and
Australia who regulate encryption product exports in different ways.
3. US Companies operate in the best global environment to develop
and sell high-technology products including cryptography. A US software
development company can operate without any restriction on use of
cryptography. US companies have unregulated access to a market of 260
million people who are the most advanced and wealthy consumers in the
world. Contrast this with the situation of non-US developers who cannot
access the security building blocks provided in operating systems. For
instance, Baltimore Technologies cannot utilise the cryptographic
subsystem offered in Microsoft Windows, the most popular operating
system in the world.
Non-US companies have always been at a distinct disadvantage to
their US counterparts, and have only succeeded by building better
products.
4. Operating in the international market, Baltimore deals with an
array of cryptographic regulations that require us to modify our
products. We, as well as being developers of cryptographic systems,
support competitive cryptographic systems from many other vendors.
5. Baltimore will welcome the global availability of strong-crypto
versions of popular software such as browsers, email programs etc. The
widespread availability of these products will encourage secure e-
commerce and will enable Baltimore and other American and non-American
companies to expand their business of providing security systems based
around these software systems.
6. In our experience, export licenses are generally available to US
companies for a great number of sales that Baltimore bids for
throughout the world. Additionally, many US companies have bought
foreign companies or establish non-American corporations to enable them
to sell to a wider market. American companies are a formidable force in
the global security marketplace.
recommendations
1. The SAFE Act export provisions will let the ``genie out of the
bottle'' in an inconsistent manner to that of other countries. An
international approach to addressing the regulation of cryptography
already exists in the form of the Wassenaar Arrangement.
Baltimore Technologies suggests that the issue of cryptographic
export regulations be addressed on an international basis rather than
in isolation. This is not a matter of the USA versus Rest-of-the-World.
The twin concerns of the government and citizens of the United States
are not dissimilar to those in other countries. US-based security
companies have by-and-large similar experiences to that of non US-based
companies.
2. Baltimore Technologies suggests that the differences in
regulations between general products that include cryptography (e.g.
Browsers) and pure cryptographic products are maintained.
3. As the leading nation in world commerce, the United States of
America has an opportunity to create a global framework for e-commerce
that incorporates the appropriate encryption policy.
Mr. Tauzin. Thank you Mr. Holahan.
Now, Mr. David Dawson, chairman of and CEO of V-One
Corporation of Germantown, Maryland. Mr. Dawson.
STATEMENT OF DAVID D. DAWSON, CHAIRMAN AND CEO, V-ONE
CORPORATION
Mr. Dawson. Thank you, Mr. Chairman. It is a pleasure to be
with you today. V-One is a public company that has been
providing network security solutions for over 7 years, which
sort of makes us an old timer in this space.
Although we got our start providing security solutions to
agencies of the Federal Government, Department of Defense, and
so forth, today our commercial business outstrips our
government business by two to one.
Our products are used by some of the world's largest
companies, largest global corporations, so we have had exposure
to both the public and private sector perspectives on these
issues. We support the efforts of this committee to make
electronic commerce viable and U.S.-developed encryption
products competitive.
We agree that such commerce demands strong encryption
capabilities. We also believe that H.R. 850's goals can be
achieved through current regulations on the export of strong
encryption in a manner that satisfies law enforcement, the
courts, and the concerns of the private sector.
The issue is how to balance the interests of law
enforcement while providing protection under the first and
fourth amendments in an approach that is commercially viable.
Implementation of a mechanism for recovering encryption
keys does not need to compromise these protections. We have
seen techniques attempted and failed because they create undue
administrative burdens and security risks that are clearly
unacceptable to the private sector, such as third party or key
escrow approaches or because they create back door access to
plain text data.
Just because these attempts failed does not mean that the
interests of all parties cannot be served by other solutions.
V-One has developed a technique for recovering encryption keys
that leaves the control of the keys with the company while
providing limited conventional mechanisms for law enforcement
to recover those keys.
This method, called ``Trusted First Party,'' was recently
approved by the Department of Commerce and is shipping today.
If law enforcement wanted to obtain a document from your
organization's file or safe, they would first have to convince
a court that they had probable cause to believe that the
document was being used in the commission of a crime.
If they were successful in convincing the court, the court
could issue an order to have the organization turn over those
documents to the appropriate law enforcement agent. We have
lived by these laws and protections from excessive force and
illegal search and seizure for some time and it would seem that
they have served us well.
In crafting the requirements for industry to manage
encryption, we believe that the Department of Commerce has
merely attempted to apply current laws and protections for
recovering documents to recorded secure electronic commerce.
Properly implemented key recovery simply extends current
laws to the encrypted electronic world. Key recovery, when
under the complete control of the corporate entity, is not in
and of itself a security boon or bane.
In the realm of data communications, we would concur that
it serves no useful purpose to the company. What the Trusted
First Party approach does do is to provide key recovery that
satisfies the concerns of law enforcement in a way that upholds
the private sector's privacy and security.
Recently the U.S. Court of Appeals for the 9th Circuit in
Bernstein v. USDOJ determined that the requirements on Mr.
Bernstein to obtain export approval for his academic research
constituted prior restraint of his freedom of speech. V-One has
eliminated the need for entities using the Trusted First Party
technique to obtain prior approval from the Department of
Commerce.
Because of this approach's approval by the Department of
Commerce, individual case-by-case export approval is not
necessary, thus eliminating the prior restraint issues raised
by the 9th circuit.
In conclusion, our Trusted First Party solution works
within current U.S. encryption law and satisfies, first, the
courts by eliminating the need for government case-by-case
export approval, thus avoiding the prior restraint of freedom
of speech issues cited in the 9th circuit court.
Second, law enforcement, by providing a reliable mechanism
for recovering individual session keys with a valid court order
giving them the same ability they have today with nonelectronic
communications.
And third, the private sector by allowing them to keep
control of their own session encryption keys in a way that
poses no additional security risks and by allowing them to use
strong U.S. encryption technology today. This means that under
the current law, any customer in a nonembargoed country can use
any strength encryption to protect any application without a
case-by-case U.S. Government approval.
And Trusted First Party has proven that this can be done
today with virtually no additional finance or resource
requirements on the customer's part. Therefore, we believe that
current U.S. law relating to encryption exports can meet the
interests of the private sector, law enforcement, and the
courts.
The V-One Trusted First Party technique is a patent pending
solution which requires significant expenditure and development
on the part of V-One. In order to accelerate the acceptance of
U.S.-developed strong encryption solutions without compromising
the needs of law enforcement, we are willing to share this
technology with other U.S. companies.
We appreciate the opportunity to be a constructive part of
this debate on these important issues facing this committee and
our country. Thank you for your time and attention.
[The prepared statement of David D. Dawson follows:]
Prepared Statement of David D. Dawson, Chairman and CEO, V-ONE
Corporation
V-ONE Corporation supports the efforts of H.R. 850 to make
electronic commerce viable and U.S. developed encryption products
competitive. We agree that such commerce demands strong encryption
capabilities. We also believe that H.R. 850's goals can be achieved
through current regulations on the export of strong encryption in a
manner that satisfies law enforcement, the courts and the concerns of
the private sector.
The issue is how to balance the interests of law enforcement while
providing protection under the 1st and 4th Amendments in an approach
that is commercially viable. Implementation of a mechanism for
recovering encryption keys does not need to compromise those rights.
We have seen techniques attempted and failed because they create
undue administrative burdens and security risks that are clearly
unacceptable to the private sector--such as third party or key escrow
approaches--or because they create ``backdoor'' access to plaintext
data. Just because these attempts failed does not mean that the
interests of all parties cannot be served by other solutions.
V-ONE has developed a technique for recovering encryption keys that
leaves control of the keys with the company while providing limited
conventional mechanisms for law enforcement to recover those keys. This
method, called Trusted First Party, was recently approved by the
Department of Commerce and is shipping today.
If law enforcement wanted to obtain a document from your
organization's files (or your safe), they would first have to convince
a court that they had probable cause to believe that the document was
being used in the commission of a crime. If they were successful in
convincing the court, the court could issue an order to have the
organization turn over the documents to the appropriate law enforcement
agent.
We have lived by these laws and protections from excessive force
and illegal search and seizure for some time and it would seem that
they have served us well. In crafting the requirements for industry to
manage encryption, we believe that the Department of Commerce has
merely attempted to apply the current laws and protections for
recovering documents to recorded secure electronic communications.
Properly implemented key recovery simply extends current laws to
the encrypted electronic world. Key recovery--when under the complete
control of a corporate entity--is not in and of itself a security boon
or bane. In the realm of data communications, we would concur that it
serves no useful purpose to the company. What the Trusted First Party
approach does is to provide key recovery that satisfies the concerns of
law enforcement in a way that upholds the private sector's privacy and
security.
Recently, the U.S. Ninth Circuit Court of Appeals in Bernstein vs.
USDOJ determined that the requirement on Mr. Bernstein to obtain export
approval for his academic research constituted a prior restraint of his
freedom of speech. V-ONE has eliminated the need for entities using the
Trusted First Party technique to obtain the prior approval from the
Department of Commerce. Because of this approach's approval by the
Department of Commerce, individual case-by-case export approval is not
necessary, thus eliminating the prior restraint issues raised by the
court.
In conclusion, our Trusted First Party solution works within
current U.S. encryption export law and satisfies:
First, the courts by eliminating the need for government case-by-case
export approval, thus avoiding the prior restraint of freedom
of speech issues cited by the Ninth Circuit Court;
Second, law enforcement by providing a reliable mechanism for
recovering individual session keys with a valid court order,
giving them the same ability they have today with non-
electronic communications; and,
Third, the private sector by allowing them to keep control of their own
session encryption keys in a way that poses no additional
security risks, and, by allowing them to use strong U.S.
encryption technology today.
This means that under current law, any customer in any non-
embargoed country can use any strength encryption to protect any
application without case-by-case U.S. government approval. And, Trusted
First Party has proven that this can be done today with virtually no
additional financial or resource requirements on the customer's part.
Therefore, we believe current U.S. law relating to encryption exports
can meet the interests of the private sector, law enforcement, and the
courts.
The V-ONE Trusted First Party technique is a patent-pending solution,
which required a significant expenditure in development on the part of
V-ONE. We are also keenly aware of the strong encryption export debate
that has ensued. In order to accelerate the acceptance of U.S.
developed strong encryption solutions without compromising the needs of
law enforcement, we are willing to share this technology with other
U.S. companies.
We appreciate the opportunity to be a constructive part of the
debate on this important issue facing this committee and our country.
Thank you for your time and attention.
Mr. Tauzin. Thank you, Mr. Dawson.
The Chair recognizes himself for 5 minutes. Quickly, Mr.
Schultz, what is your take on Mr. Dawson's solution?
Mr. Schultz. I would like to see it.
Mr. Tauzin. Grab a mike. I want to hear Mr. Arnold's take
on it, too.
Mr. Schultz. I would like to see it. The idea sounds good.
I would like to see how it actually works. I would like to see
how the protocols function; and, if it does work, it would seem
to squarely address, I believe, some of the problems that have
been raised today.
Mr. Tauzin. Mr. Arnold.
Mr. Arnold. I am not directly familiar with the solution
itself or its implementation, so I would have to actually take
a look at it and review it. It may hold a great deal of
interest to us.
As it stands right now, I am struck by the fact that there
is such wide availability through 128-bit cryptography out
there that people who would be using this that would be
investigated or, slightly nefarious, would probably not use
key-recovery technology.
So any additional expense as far as managing the key-
recovery technology or managing the resources and systems to do
this would be borne by the people implementing it, basically
legitimate businesses much like ourselves.
Mr. Tauzin. Do me a favor. Take a look at and comment in
writing to us on it. I would like to hear your comments on it,
your take on it. Anyone else that would like to do that, I
would appreciate that, just to see if we can get a balanced
look at what is being proposed.
Mr. Reinsch, I want to turn to you and Ms. McNamara and Mr.
Lee. One of the criticisms you make of the bill is that it
would discourage the growth of voluntary systems. Mr. Lee
pointed out in your testimony that the witness--that businesses
already are using key recovery to meet their own needs. I assume this
is because it is in their interest to do so.
Why would a prohibition as contained in H.R. 850 on
mandatory key recovery inhibit the growth of voluntary key-
recovery systems or the use of Mr. Dawson's concept if
businesses saw it in their interest to use that patented
technology?
What is in the bill that would say that his solution
couldn't work for people who wanted to use it and then
voluntary key recovery is not now available and would continue
to be available if businesses who want that type of a system?
Any one of you.
Mr. Lee. Mr. Chairman, the provision that I was referring
to is the provision in H.R. 850 that states that the government
may not require or condition any approval on the requirement
that the key be built in the hardware or software for any----
Mr. Tauzin. Right. It is a provision that government cannot
mandate key recovery. Why is that provision bad for businesses
who want key recovery, might voluntarily want to adopt one of
these things?
Mr. Lee. I think the point is that the government is
encouraging businesses to take a look, as several of the
panelists have testified here, at the requirement, the business
requirement for key recovery.
One of the points that we would make is that in some cases
the business requirement, that is the requirement of things
that you have to do to make a profit and sell your product and
be out there in the marketplace, includes complying with
government requirements, regulations, and oversight.
In some of those cases it may be necessary to meet that
business requirement for private companies to take a look at
various systems that will enable them to guarantee them that
they have access to plain text when they need it for a business
purpose.
Mr. Tauzin. You are saying the capacity of the government
to mandate it serves as an encouragement of citizens to look at
it. But we know from your testimony that citizens are not
looking at it. Businesses are now developing it. What is wrong
with that?
Mr. Lee. Mr. Chairman, it wasn't my testimony that the
government seeks to mandate key recovery. Independent of key-
recovery technology--the government has requirements that
businesses make available certain records for governments, for
agencies to perform their regulatory functions.
To meet those requirements, industry may need to take a
look at various systems that guarantee that they can make plain
text available. That was the point that I was trying to make.
Mr. Tauzin. I need to move on, but I am going to ask you to
please, any one of you, submit to me in writing a clear
explanation of why you think a prohibition against mandatory
key recovery in the bill operates to discourage voluntary key
recovery for those businesses who like it, who want to use it.
I missed that very badly. I don't understand the argument.
Quickly, I want to hear something more importantly from
you, Ms. McNamara and Mr. Reinsch. Mr. Schultz and Mr. Arnold
made a very compelling case that the national security interests
of this country are threatened today, even our Gulf War
operations were threatened because of the lack of highly
capable encryption technologies being out there, and that
absent policy to encourage the development of extremely capable
encryption technologies, that national security is threatened.
You make the argument that the export and development of
these encryption technologies itself threatens national
security. We are getting it from both sides here. And the
national security argument is very compelling to us in the
Congress, as you might know, particularly on the day that the
Cox Committee report is being released.
But we are hearing it from both sides. We are being told
don't let this encryption stuff go forward because it will
threaten national security. We are hearing national security is
already threatened because of the fact--as well as business
security and privacy and confidentiality all of the other
things you are talking about, Mr. Arnold--are threatened
because of the lack of a good strong encryption policy. Which
is it? Ms. McNamara?
Ms. McNamara. Mr. Chairman, first let me comment on our
concerns about the prohibition of key recovery.
Mr. Tauzin. Please do so.
Ms. McNamara. As we read the language, it would prohibit
the U.S. Government from also specifying that key recovery was
the choice that they wanted to make.
Mr. Tauzin. You mean in terms of its own procurements?
Ms. McNamara. In terms of the U.S. Government's own way of
dealing with U.S. Government communications. Correct. As
currently written, it would prevent the U.S. Government from
specifying that key recovery was an element of choice for them.
Mr. Tauzin. But your concern is that the bill would prevent
the government in its procurement policies from choosing a key
recovery system?
Ms. McNamara. Yes. In fact, the Department of Defense a
year and a half ago--Bill, help me--specified that they would
only use by date certain products that were key recoverable.
Mr. Tauzin. Your concern is this bill would prevent that?
Ms. McNamara. That is absolutely correct. That is our
interpretation. And the government may choose to use that as a
means of recovering data that they require.
Mr. Tauzin. That is a separate argument from saying that
others would not choose voluntary key-recovery systems.
Ms. McNamara. And I am addressing our concern as the agency
of government that is responsible for providing security for
U.S. Government sensitive communications.
Mr. Tauzin. I understand that concern. That one makes
sense. The other doesn't and that is where I am lost.
Ms. McNamara. I wanted to address that from our point of
view. Regarding Dr. Schultz's remarks, I would say that he
reinforced my statement that while encryption is available, it
is not being widely used.
During the Desert Storm/Desert Shield arena, we have
records where we did have strong encryption products available
for use by U.S. Government forces, U.S. military forces
involved in Desert Storm, Desert Shield; and we know that they
weren't being used. People don't use it if they have to elect
to use it.
Mr. Tauzin. Let me touch on that quickly. Mr. Reinsch, you
are saying you are amending government policy by granting
encryption products at 128 bits or higher on request under
waivers and certain circumstances. Mr. Gillespie points out in
47 seconds you can download 128 bit encryption software if you
want to use it.
But if I am a bad guy and I want to use it, I can get it
off the Internet in 47 seconds. What purpose does your policy
serve in hamstringing or handicapping the sale or the use of
encryption products and export faith by America when the bad
guys can already get it in 47 seconds?
Mr. Reinsch. I think there are several answers to that, Mr.
Chairman. First of all, I think the downloading is, from our
point of view, a question of confidence. If you have confidence
in what you download from the Internet without necessarily
knowing its provenance, then fine, you can use that encryption.
Mr. Tauzin. You are saying that it is not a good system?
Mr. Reinsch. I am saying that you don't know that when you
download it. Sometimes it is and sometimes it isn't. And it is
not easy for the customer, in particular, to know with
certainty what he is getting when he obtains encryption through
that device.
Now, if you want to do that, that is fine. We have never
claimed in any of our statements that the effect of our policy
is perfect in the sense that it prevents terrorists, drug
dealers, or whoever from obtaining robust encryption and
utilizing it if that is what they choose to do.
We are trying to influence market developments at the
margin. We are not attempting to deal, because we cannot for
the reasons that you said, with every possible contingency.
Mr. Tauzin. My time is up, but I want you to comment
quickly on one of Mr. Hornstein's arguments that the
regulations of our government, particularly in incapacitating
his executives from communicating with companies overseas in
these contracts to which he is saying he is handicapped, is
harming U.S. companies' abilities to win those contracts. Your
comments, quick.
Mr. Reinsch. Well, Mr. Hornstein and I probably need to
have a private conversation about the particular cases. Let me
just say with respect to the first one, he has correctly stated
the status of the item that he wants to export. He came in for
an advisory opinion, and we told him what he said.
As far as we know they have not actually applied for a
license to export that item, and I don't think that it is fair
to assume that such an application would be denied if he were
to submit one. We try to work with companies to address the
kinds of problems that he is reflecting here, and I am not sure
that we are entirely responsive in his case.
Mr. Tauzin. I think what he said was in the meantime his
people can't communicate without violating your regulations. Is
that true, Mr. Hornstein?
Mr. Hornstein. Yes.
Mr. Tauzin. Is that a real problem?
Mr. Reinsch. What we said in the first case was, in order
to provide technical assistance to his people, in order to
provide that communication, his people would need an export
license. He is correct about this.
If he would come in and ask us for an export license, which
he has not done, and then we were to deny it, he would have a
better point.
Mr. Tauzin. I want to understand how that works a little
bit better, and maybe we will get to that later. The gentleman
from Massachusetts.
Mr. Markey. Thank you. Mr. Holahan, thank you so much for
coming from Dublin. It is no wonder you have such a keen
interest in encryption issues, because without question the
first commercially available encryption technology did come
from Ireland. It was James Joyce's ``Ulysses.''
It was the greatest book ever written, although very few
people have read it; and those that have concluded, finished
reading, the book have no idea what it was that they read.
Mr. Holahan. You do have to decrypt it. Ten pints of
Guinness will decrypt it.
Mr. Markey. The Irish would be good at this. So my question
will be this. For instance, as I said earlier that security and
privacy are the flip sides of the same coin. Obviously,
Americans want both. The people here can help us maybe to
square this all up today.
So when I encrypt my cell phones by subscribing to a
digital technology so that the contents of my conversation are
pure and private, at the same time there is a company who knows
who I called, when I called, from what location I called; and
that is very highly valuable information. It is both.
So the company has my valuable information now. That is why
we have laws and rules over how telephone companies can
disclose our phone calls. They just can't hand this stuff out
to people. It is very private, who we call, when we call, from
where we call.
Similarly, on the Internet making my on-line purchases more
secure, my on-line stock trading encrypted and secure and
encrypting the contents of e-mails and computer files helps to
foster electronic commerce and promote privacy. And that is
good. I don't want people to be able to crack in.
Yet, regardless of whether I send an e-mail or consummate
an on-line transaction, simply knowing which on-line sites I
visit, when I visit those sites, how long I linger on certain
pages is also highly valuable and may be highly personal
information.
Shouldn't companies have an obligation as telephone
companies do today to allow me to protect the confidentiality
of what places and sites I call upon with my computer?
Mr. Schultz, do you believe that I should have a legal
right to block a company from using that information for any
other purpose other than that which I originally attempted?
Mr. Schultz. I am hesitant to plunge into that arena from
the standpoint that the behavior is so firmly established as
far as being able to tell who hit your web site, who hit your
file transfer site, and things like that. To reverse that
around is a radical departure from computing norms.
Mr. Markey. So your concern is that the government could
crack in, but you are not concerned that others could crack in?
Mr. Schultz. In terms of being able to grab the information
and thus reveal information about individuals, right. And if I
actually hit Playboy.com or some other site and there is some
concern now because they are the priest of a church or
something----
Mr. Markey. That is very scary.
Mr. Schultz. But it is well-established behavior.
Mr. Markey. I know, but we have to reverse that. You are
here representing ordinary people. You are saying that they
should be given security. They should be given privacy from the
government.
And yet when I raise the question of companies compromising
or individuals compromising my privacy, my electronic commerce,
you say it is gone, it is lost. Whereas we could pass a law
here to get protection for that as well. Don't you think we
should?
Mr. Schultz. I don't think that you should.
Mr. Markey. You think we should.
Mr. Schultz. I don't think that you should.
Mr. Markey. Why not?
Mr. Schultz. The reason is that when you play in a public
playground, which the Internet and the many other public
networks are----
Mr. Markey. Do you consider the telephone network a public
playground?
Mr. Schultz. Less so.
Mr. Markey. Do you think Americans consider their on-line
commerce, their on-line trading, their children heading out to
web sites to be in any less need of privacy than the telephone
calls their children make or their families make? You think
Americans believe that?
Mr. Schultz. I believe that many Americans believe that it
is a different ball game playing out.
Mr. Markey. You couldn't be more wrong on that. People
don't want as they move over from the telephone to the computer
making the same transactions to have that stuff out into the
public domain so that any company can compromise it.
My problem with you, Dr. Schultz, is that you can't square
up this policy. You can't sit here and testify about how
concerned that we should be that the government could crack
into the privacy of Americans.
By the way, I would trust them more in many instances than
I would trust many of the companies that you are representing
in terms of preserving and protecting the privacy, the
security, the integrity of this information.
I see you here representing corporations, but I don't see
you here representing the American people today. I support your
policy on encryption. I think that I have a right to that
encryption, sir.
But I think I have a right to be protected against your
company, too, reusing my information. Is there anyone here, any
company here, that believes that we should be able to pass a
law to protect against the reuse of the information which is
gathered by your companies for purposes other than that which
the individual, the family intended? Will anyone here testify
to that? Good. Mr. Arnold.
Mr. Arnold. Let me jump into this fray if I may, Mr.
Markey. I think there are several issues on the table with
regards to privacy and subsequent use of the information both
by the company and then unintended use by someone who either
penetrates the system.
One of the major concerns that I think that we have is the
longevity that the data sits in various databases and the
length of time it may be accessed. I think that is one of the
major arguments for the use of hardened encryption to these
systems. It is also to keep private information on individuals,
on customers, on consumers from being seen by people who have
absolutely no need to see it within the organization and
outside the organization.
Mr. Markey. My question is should you give the individual a
right by law to deny the reuse of that information? Should it
remain in the company's purview as to when it is used and
whether it is sold to other people? How do you believe? What do
you think?
Mr. Arnold. I can answer. Personally, I believe that it
should be up to the person to deny subsequent use.
Mr. Markey. Thank you. Does anyone else on the panel agree
with Mr. Arnold? No one else? That is a problem for me.
Essentially, the policy is burglary is okay as long as the
company leaves a note saying, well, we took this information,
and we are giving you notice that we are selling it all.
But you don't have any legal right to block us from
reselling any of this information. We can burgle all of your
private information. All of the information we want to keep
governments from gaining access to, we can burgle and sell for
profit for our company.
I have a problem. Mr. Arnold, at least you believe that the
individual has some right to protection from a company
compromising that which we don't want the government to
compromise.
Mr. Arnold. I would add also that the major thing that a
consumer looks for is the fact that they don't want somebody
masquerading as them on the Internet.
Mr. Markey. Exactly. Mr. Hornstein.
Mr. Hornstein. I am just confused at the comparison. I
understand that we are debating here about encryption and the
exports internationally. But your example, which is just with
the Internet, how is that different from Visa and the paper
process of obtaining information or somebody sending a letter
in the mail with an address or return address on the corner and
then people processing that in a manual system. I don't
understand how those two are brought together in the context of
this discussion.
Mr. Markey. Because you are telling us that everything is
going digital, everything is going on line, all commerce is
going on line and as a result everything is much more
vulnerable.
My question to you is as we move through this era and you
warn us what the government can do as we move into this era,
should we also be apprehensive of what it means for individual
privacy, for children's privacy in our country?
In other words, the point that I am making again, it is the
other side of the same coin, privacy and security, the
government and the private sector. And the question is whether
or not the industry can have it both ways.
They can say it is a serious issue when the government is
going to be able to intrude, but it is not a serious issue if
they are going to compromise the very same. I don't think that
you can have it both ways. I think you have got to be on one
side of the issue or the other. I don't think that you can have
it both ways. And I genuinely--I will be glad to yield.
Mr. Stearns. This might be supporting what you are saying.
If I bought products from L.L. Bean, is L.L. Bean able to make
public my selections; or, for example, can the telephone
company make public all of my calls? No. I think that is the
case that you are making.
Mr. Markey. The telephone cannot.
Mr. Stearns. Can L.L. Bean?
Mr. Markey. Yes.
Mr. Stearns. So then what you have to decide is
differentiate between a company like L.L. Bean can make it
public, but if a phone company can't, the phone company is sort
of quasi-regulated. We have to be consistent.
Mr. Markey. If I may----
Mr. Stearns. Can't MasterCharge and VISA disclose too?
Mr. Markey. Yes, quite briefly, as all of the health care
information goes from being in a file where you walk in and the
doctor and the nurse have your file and have had it and your
children's files since the day they were born.
We are moving into an era where the HMOs and the larger
health care consortiums are now taking all of those files out
of their hands, computerizing it, finding out who has all of
these various ailments and whatever; and now they can market it
to other companies who they would never market it to.
So what happens is that as we move from this era of where
we had privacy keepers, we now have the capacity where the data
mining keepers are able to take it and create information, DNA
about our families. That's what all of these industries are all
about.
They don't want the government to be able to crack in for
their security. My question is should, as the new era unfolds,
should we put a set of protection upon the books because it has
never been possible before. Yes, in limited cases, L.L. Bean or
whatever, but now we are talking about all of your financial
records and all of your health care records for you and your
family.
I think that we should discuss it. I don't think that as
yet the industry has squared up their concern about privacy and
security with the American individuals that also need to be
protected. You haven't done it.
Mr. Tauzin. The gentleman's time has expired. Let me, for
the purposes of the committee, point out that the weekend
retreat we have scheduled in July we will be focused on this
and very similar issues involving the movement to digital in
the Internet.
I would again encourage you all to make sure that you put
aside time for that weekend, 14, 16, 17, sometime around then
to be with us for that retreat. CATO just completed a privacy
session on many of these issues that Mr. Markey has raised. We
are going to be faced with them very shortly as the Internet
becomes a place for telephony.
You know, the AT&T cable merger is designed specifically in
that area, to define a new way of us reaching each other over
the Internet with pictures and audio services. That Internet
telephony is not covered by the prohibition that prevents the
telephone companies from marketing that information. That and
similar issues will be raised at that retreat.
I use the occasion of Mr. Markey's comments and questions
to remind you these issues are going to be before us rapidly.
Make sure that you make time to be with us. We are going to
have some healthy discussions about them at our retreat. The
Chair now recognizes the gentleman from Ohio, the Vice
Chairman, Mr. Oxley.
Mr. Oxley. Thank you, Mr. Chairman. Mr. Dawson had a
response, I think, to Mr. Markey's question.
Mr. Dawson. I was just going to add to what you said. Your
idea of the company being able to use that information, I think
if someone visits my web site, the fact that they visited my
web site as V-One is information that the company has a right
to, not a right to necessarily to share with other entities. I
think that's your point.
I appreciate web sites, when I go to a web site that if I
put some information about myself and it says check this box,
do you care if we provide this information to others. I think
you are correct, that that should be regulated some way to
prevent massive invasion of privacy. I think that is a bit
different issue than the encryption export issue.
Mr. Tauzin. Would the gentleman yield a second? I will give
him--just for 5 minutes. I want to point out that there is in
the marketplace today, however, just as you have developed a
marketplace solution for key recovery, there are marketplace
software solutions being developed.
Novell, I know, has one that will allow you to control
completely your entry into cyberspace, all of your medical,
financial, all of your records, all of your information in a
way that you define your own identity in cyberspace.
There are several other companies. I don't want to cite
just Novell. There are quite a number of others. We are going
to get a look at all of those at the retreat again. We have the
option of either legislating or facilitating the development in
the private sector, some of these technologies. The gentleman
is now recognized.
Mr. Oxley. Thank you, Mr. Chairman. Let me just say we
discussed this last time. Had we had a situation like the World
Trade Center bombing, the Oklahoma City disaster, the Littleton
rampage, and had it been revealed later that the perpetrators
had planned all of this using encrypted communications, what do
you think the public outcry would have been had this
legislation passed?
My guess is that the public outcry would be strong against
your department, Mr. Lee, perhaps against yours, Ms. McNamara,
and perhaps all of us who saw fit to not provide the kind of
protection for the public that is our solemn responsibility.
Does anybody have a different feeling about that? If indeed
that is the case, then doesn't Mr. Dawson's proposal start to
point us in the right direction as to how we can solve the
problems of technology with technology?
I was going to ask Mr. Reinsch, because of the Commerce
Department's biennial review, whether, as I view it, this
legislation is unnecessary. Let me ask Ms. McNamara, based on
your review, is this legislation necessary and if so, why?
Ms. McNamara. Thank you very much for that question. On
behalf of the administration, I would say that the
administration does not believe that export control legislation
with regard to encryption is either necessary or desirable.
We believe that relaxation as we demonstrated last October
and as the Wassenaar Arrangement signaled in December that we
can relax much more quickly under the current regulatory regime
that we have.
Were legislation to be passed each time we wanted to relax,
we would have to come back to Capitol Hill and say, mother may
I, or father may I. In this particular case under the
regulatory process, we have relaxed to a substantial part of
the world's economy recognizing that there were segments of the
world's economy that needed to be afforded protection and that
was with consultation with industry.
Now we excluded some segments of the world's economy from
blanket release of encryption or relaxation of encryption and
encryption products. But we still maintain on a case-by-case
review the possibility of individual licenses being issued for
the export of strong encryption and encryption technology to
other segments that are not covered by the broad relief.
Those individual licenses are being granted today. They
have been granted this year. They have been granted because,
through the technical review afforded under the current
regulatory regime, we have a technical review of products so
that we understand how they are going to be used, by whom they
are going to be used, and what purpose they are going to be
used.
Mr. Oxley. Mr. Lee, do you agree with that?
Mr. Lee. Mr. Oxley, the Department of Justice fully
supports the administration's view that H.R. 850 is not
necessary. Our primary interest and mission, of course, is
domestic, but we fully support the needs of the national
security community, and we are, of course, a customer or
partner with the national security community.
We believe that the existing regulatory regime in which the
Department of Justice and FBI participate is a flexible one
that takes into account all of the needs that have to be
balanced here, the needs of the commercial sector, law
enforcement, national security, and the needs of individual
users.
Mr. Oxley. Would the President veto this legislation, Mr.
Lee?
Mr. Lee. I don't have a view or information about that.
Mr. Oxley. Ms. McNamara?
Ms. McNamara. I don't have a view, sir.
Mr. Oxley. I was hoping to ask Mr. Reinsch that, and he had
to leave. But I would be interested in what the President's
senior advisors may recommend.
Mr. Tauzin. If the gentleman would submit a written
question, he has agreed to answer in writing any questions we
give him.
Mr. Oxley. That would be fine. I would appreciate the
opportunity to do so.
Mr. Hornstein. Can I make one comment on the licensing
program we are talking about here? We have done many, many
licenses for filing with the Commerce Department, and we find
the process is arbitrary. We have identical consumers, foreign,
in different countries who for whatever reason when we actually
did them, we filed for the export license.
One was denied and one was approved. There is no guarantee
when you are out there trying to sell a product to a legitimate
global 1,000 consumers why in one situation they would be
approved and one situation they would be denied.
Mr. Oxley. Mr. Hornstein, you mentioned the product from
Israel?
Mr. Hornstein. The double check point.
Mr. Oxley. That you are competing against? Do the Israelis
have some form of key recovery?
Mr. Hornstein. Do the Israelis have key recovery? No. Let
me go through key recovery, if I could take 1 minute with you.
There is a difference between government key recovery and a
corporate key recovery. We have had the other panelists down
there explaining they had a key recovery product. We have had
key recovery products for years.
Mr. Oxley. The Israelis have no key recovery at all?
Mr. Hornstein. I don't know the answer to that. It depends
upon the consumers, if they want them. We have a corporate key
recovery product.
What it does is if you have an individual who is
communicating within a corporation and if they get hit by a bus
and they cannot go back and find out what was the
communications they have had this very day, the CIO or the MIS
director in that company has a corporate key which will allow
the person to open up all of the communications within that
company.
We have had that as an offering for many years. That is
something that is built in as a customer offering. But if you
are talking about whether an international company will
actually implement that and make a requirement for them to make
a corporate key recovery, that is something on an individual
basis.
But there is an ability for a centralized location in many
of our products to have a key recovery as a--after the
corporation, but it is not held by a trust or third party and
it is not held by a government entity. We have found in
experiences that nobody will buy that internationally.
Mr. Oxley. Ms. McNamara?
Ms. McNamara. Mr. Oxley, first let me say that I don't know
whether Israel has key recovery or not, but I do know they have
an export control regime. The Israeli government has in place a
process to review all products for export. We know that because
we have had those conversations. That is the first part.
The second part is we will always have different answers
through the licensing regime because end use and end users are
what we use to justify the national--to understand and vote on
from a national security perspective, whether or not somebody
should export to a certain end user or particular location.
That is a matter of U.S. Government policy as well.
There are a series of pariah nations that fall into that
category, and the U.S. Government uses that for the enforcement
of our own foreign policy. With regard to the number of
denials, this year, 1999, one, precisely one, license has been
denied.
Mr. Oxley. Thank you. Mr. Schultz?
Mr. Schultz. I would just like to add that I think the
problem is not being adequately scoped. The problem is we are
fighting battles over encryption which now is really considered
fairly weak by international standards, but we are still
drawing the line there.
We need to move our sights up into even stronger encryption
and let go the little battles over the weaker encryption. I
will tell you right now most 128-bit encryption is weak
encryption now.
Second of all, real important, and I will yield, but it is
important to understand that crypto doesn't work unless you
establish a culture of cryptography within your organization,
within your institution, within your industry. That is the
problem with this license-by-license application problem.
It does not let encryption infuse itself in the culture. It
now becomes an ``iffy'' question for corporations, for
industry, whether or not they are going to use it. I therefore
strongly do not favor that.
Mr. Oxley. Mr. Dawson and then we will----
Mr. Tauzin. Yes.
Mr. Dawson. I think Dr. Schultz makes a good point about
establishing a culture of crypto and people won't use it if it
is difficult to use. I want to clarify one thing. The key
recovery mechanism that we are talking about, we have included
free of charge to our customers.
So No. 1, it doesn't create that kind of a burden. And from
an administrative burden, I think it is reasonable if a company
has a security administrator for the corporation, which most
do, that person is also the key recovery agent, should a court
order appear on the doorstep. Beyond that, there is very little
required. I just wanted to clarify that, that this isn't an
onerous hard-to-use burdensome-type of approach.
Mr. Tauzin. Thank you, Mr. Dawson. The Chair is going to
have to excuse Ms. McNamara on her time request as well. Before
you leave, Ms. McNamara, let me ask you to respond in writing.
Our language in the SAFE Act, H.R. 850, says that encryption
products are allowed to be exported when they are generally
available, I think is the term we use in the act in the world
market.
If that is not a workable standard--and it may not be--we
should hear from you on it. I would very much like to hear
from you if there is a better standard. If we are going to pass
an act what should be in the act other than this generally
available standard and whether you could suggest one, and would
you be willing to suggest one. No need to respond now, but
perhaps you could communicate this in writing.
Mr. Largent. Would the gentleman yield? If she is leaving,
I just have a question I would like her to respond to.
Mr. Tauzin. Let me do this. Let me ask each one of you to
do that right now. Anna Eshoo is up next. Anna, if you have a
question for Ms. McNamara, go ahead and ask it now, and we will
get a response in writing.
Ms. Eshoo. Thank you, Mr. Chairman. Since you need to
leave, I want to pursue what the chairman just brought up about
standards and your concern that if the standard is not correct
it opens the flood gate to exporting any and all encryption
products.
My frustration on this issue since January 1993 is that the
administration has really never come up with anything. The
administration has shopped around different ideas and there
have not been takers.
But the responsibility still lies with the administration
and all of its agencies to come up with something and to work
with the Congress. Now, the Congress has a bill on the table, a
bipartisan bill that has, I think, today 253 cosponsors.
So I understand that the agencies have come to the Hill;
they have literally scared the heck out of members that don't
know very much about encryption, saying you are going to have
blood on your hands if there is another World Trade Center
bombing.
There isn't any Member of the Congress that doesn't want
the security of our Nation protected, but we also want our
economic security to continue to expand.
Ms. Eshoo. So I really urge the administration in every
way, shape and form to come up with something. I think that you
need to come back to this committee, as we do our
consideration, to place before us language that would agree to
allow the export of encryption products and to find what is
currently available--what is out there in the business world
that is currently available, you are rejecting today. So you
are going to have to come up with something.
Another question that I want to ask you is, just over 2
weeks ago, the Ninth Circuit Appeals Court affirmed an earlier
decision that in the name of national defense the U.S.
Government should not restrict the very liberties it is
supposed to be defending, which really exemplifies the judicial
branch's understanding of the encryption debate. Would you
comment on that?
Ms. McNamara. I believe the chairman asked that question
earlier, Congresswoman; and I believe Mr. Reinsch agreed to
submit in writing an answer to that question, if I recall.
Ms. Eshoo. But do you have views on it?
Ms. McNamara. The administration----
Ms. Eshoo. I can read the record. I am asking you.
Ms. McNamara. I have my own personal views, and we are----
Ms. Eshoo. Not personal, public views on it.
Ms. McNamara. We--we as part of the administration--are
looking at that decision and deciding what our options are.
Mr. Tauzin. Will the gentlelady yield?
Ms. Eshoo. Yes.
Mr. Tauzin. Just to point out, then I will ask you to yield
to gentleman from Oklahoma, too, that the Chair announced at
the beginning of this session that we will be joining in a
letter to the administration urging them not to appeal that
decision, rather to work with us on appropriate legislation,
and the gentlelady may have an interest in that.
Would the gentlelady now yield to the gentleman from
Oklahoma?
Mr. Largent. Yes. I just have a brief question, so you
can respond in writing. I won't keep you any longer.
I found it interesting when you responded to Mr.
Hornstein's comments about denying certain questions and your
consideration is the end user. And I guess my question that I
want to have you respond in writing is, what is the NSA's view
as an end user of the People's Republic of China and the Red
Army in terms of transferring military, missile, computer
technologies?
So if you could respond to that question, I would
appreciate it, too. You don't need to respond now.
Ms. McNamara. Let me just tell you, I am pleased with the
question. I was expecting a question related to China
particularly, because of the Cox Commission report being
released today; and as part of my homework assignment, I read
the Chinese regulations with regard to the use of computers,
Internet, and encryption and what the impact of that is on--
both in terms of both import and exports. So I will be happy to
answer that question, Congressman.
Mr. Tauzin. The gentlelady's time is extended.
Ms. Eshoo. Thank you, Mr. Chairman.
Thank you, Mr. Arnold, for coming across the country. Mr.
Arnold, I should state for the record, is a constituent.
I am sorry that I wasn't here for everyone's testimony, but
I want to thank you for being here today and working with us on
this. You can tell from my statement to Ms. McNamara that this
is an area, both in terms of encryption and export control,
this is highly frustrating and an area where, in my service in
the Congress, we have made very, very little progress on. So we
have to try to keep pushing the edges of the envelope out.
For Mr. Lee, currently, the 128-bit encryption is generally
available, we know, from many domestic companies for sale
within our own country and from a number of companies for sale
abroad. Does the Department of Justice oppose raising the
allowable exportable limit to 128 bits; and, if so, why?
Mr. Lee. Congresswoman, as you are aware, the
administration in the recent export regulation updates
permitted the export of 128-bit encryption to a number of very
important sectors, and those include U.S. companies for their
internal use, and they include the use of on-line merchants for
use in securing transactions with their customers abroad and
other sectors. So the Department of Justice fully supports the
spread of 128-bit encryption when we believe it is consistent
with the public safety needs of our Nation.
We would be pleased to participate, and we are in ongoing
regulatory reviews that look at to what extent encryption can
be made available, very strong encryption to other users, other
sectors abroad, consistent with public safety and law
enforcement needs.
Ms. Eshoo. How do you define public safety in this area,
just briefly?
Mr. Lee. We define----
Ms. Eshoo. You are responding to it in your response to me.
Mr. Lee. Yes, ma'am. We use public safety to refer to our
mission and our responsibilities to enforce the laws of the
United States. That accounts for any number of statutes. It is
a very broad reach.
Ms. Eshoo. Very broad. It is just--it really is quite
instructive to me how the element of fear, which is one of the
most powerful emotions on the scale for human beings that has
been used very effectively in this whole debate, and I don't
know how we can, Mr. Chairman, move that one aside, to set it
aside and have the discussion about the technologies.
My sense is that both within security agencies, the law
enforcement agencies, that they are having an enormously
difficult time keeping up with the technologies and being able
to handle the codes and break them in the work that they do,
very legitimately, in law enforcement. And, as a result of
that, the national emergency brake has been pulled up and said,
no, no, no, wait a minute, we have to slow this down, we have
to keep a lid on it, because we can't keep up with you.
I can't help but sense, after all of the hearings I have
been in, and I have gone from one committee to the other to
hear the presentations that both national security and law
enforcement have made, and I can't help but come to that
conclusion.
Did you have a comment that you wanted to make?
Mr. Gillespie. I did, Congresswoman. Thank you very much. I
think you raise a very valid point.
And we saw here today even and we have seen it in the past,
is that administration has shifted the nuance of their argument
quite a bit. You know, they used to come up here and say, we
have to stop this. We have to have these export restrictions.
Because, if we don't, this strong encryption is going to become
very widely available. And, of course, they can't counter the
fact that there are now over 650 products on the market from
over 29 different countries.
And so, if you noticed today, the nature of the arrangement
changed to be, well, yes, it is widely available, but nobody is
using it yet, and we ought to stop them before they start using
it. Of course, it is widely available because of the consumer
command.
I think in terms of the point that you made about the
national security aspect, there is some new thinking going in
the national security community. I would commend to the
committee's attention a report released by the Center for
Strategic International Studies. The report was chaired by
Judge William Webster, who is a former director of the FBI and
the CIA, and a former U.S. circuit judge. That report is called
Cybercrime, Cyberterrorism, Cyberwarfare, Averting Electronic
Waterloo.
And if I may just read one quote from the report released
by Judge Webster, he notes here that it calls for the
intelligence-gathering communities, law enforcement and foreign
intelligence to examine the implications of the emerging
environment and alter their traditional sources and means to
address the strategic information warfare needs of the 21st
century. Continued reliance on limited availability of strong
encryption within the development of alternative sources and
means will seriously harm law enforcement and national
security.
That is not industry saying that.
If I may make one other point, Congresswoman and Mr.
Chairman, there has been a lot of discussion today about the
Cox report. And if the committee is amenable, perhaps
Congressman Cox's own OpEd in the San Jose Mercury News from
March 27th in which he says some have inferred from his report
this should mean clamping down on commercial exports. To the
contrary, the committee found--his committee found the current
export licensing processes riddled with errors and plagued with
delays. It often does very little to protect our national
security, while frequently doing a great deal to damage
America's competitiveness in world markets. He says, I disagree
with the Clinton-Gore administration that the current
prohibition on American businesses export encryption software
is necessary for our national security.
So I think, in terms of the implications of the Cox report,
perhaps we ought to have the chairman's words speak for--rather
than some others representing and inferring from it.
Ms. Eshoo. Mr. Chairman, just--thank you for that, Mr.
Gillespie.
I just have a quick question to Mr. Arnold. While I have
this going through my mind, I think that we should have a
review of that report presented by someone that helped to write
it when we have our retreat, because I think it fits into that.
For Mr. Arnold, you covered briefly in your opening
remarks, but I would like you to expand a little bit on what
effect you see the administration's current encryption policy
having on emerging E-commerce? It is a huge area in our
country. It is a great interest not only of the chairman of
this full committee but all of its members. Maybe you can tell
us what you have found with your international customers. Are
they demanding stronger encryption products than you are
currently allowed to offer? Just throwing you a softball,
because I think I know the answer. I think it is important to
have it in the record.
Mr. Arnold. I think they are demanding, there is no
question about that. And, given the current policy, we had an
encryption--we had a permit issued to us 2 years ago for a
product that we had to the merchant sites to allow the
merchants to communicate securely with us, and we made
application of a new product going out.
The application went out in the January timeframe, and the
product was launched in the March timeframe, and only as of
late last week we were told we have another 60 days to wait
before we are reviewed. We have not even seen an office action
or even a question back to what we are doing.
And I think there is a great deal of confusion when we look
at Internet commerce and electronic commerce here. Because
looking at individual uses and what is the user who, you know,
is getting it out there, there is hundreds of merchants out
there, and what we are protecting is private information of the
company, delivery information potentially that is going out
there, that they are using to communicate with the delivery
source.
We are protecting, of course, the financial information on
the credit card; and we are protecting the information on the
consumer themselves, is what is actually happening there.
But the individual end users are wide and varied. There are
hundreds of them. And for the products that they themselves are
selling, there is tons of those products as well that they are
selling out there. So, you know, that has been probably one of
the major issues for us going forward, is just trying to
educate and to allow people to understand what this marketplace
is that is expanding on the Internet.
On the other side of it, I would suggest to you that the
criminal and nefarious acts that are going on, on average, run
about 12 percent of the total transactions per day. And trying
to gain some visibility within the law enforcement community
over the past several years has been extremely hard to do and
to educate on this.
And I really applaud the administration recently on setting
up the Internet Fraud Council through the FBI. I think that is
an absolutely excellent first start. I think the piracy work
that the FBI is beginning to step in and do is absolutely
excellent. But they are just barely touching the surface of
what is actually going on out there.
Ms. Eshoo. Thank you.
Mr. Tauzin. Thank the gentlelady.
I might point out, before I yield to my friend from
Illinois, that our sessions have indicated several things; and
maybe you all can think about that in terms of responding for
us.
One is that, FBI, the reason we put the language in the
bill regarding the establishment of a lab at the FBI was the
concerns we heard from the FBI. While they can use the NSA
labs, they can't necessarily use the NSA personnel in a case to
try to catch the criminal and can't necessarily use the people
as witnesses to try the criminal because that would compromise
NSA facilities and personnel. There is some real problems there
that we are going to invite a lot of you to think about and
help us resolve.
The gentleman from Illinois, Mr. Shimkus.
Mr. Shimkus. Thank you, Mr. Chairman.
As a cosponsor of this legislation, I found the debate and
discussion very interesting. I also found it interesting of the
continued comments about there is no need for this legislation.
And I would submit, Mr. Chairman, that because of our movement
on legislation last year that maybe the administration has, as
I said, moved to at least relax some of their export controls.
And whether you don't get the end result by passing laws, the
movement of the legislative process does make some--you know,
starts opening up the competitive market field. So the question
what comes first, the chicken or the egg in this case, and I
think our legislation which we tried to move last year.
Mr. Lee, in reference--since you are the only
administration person left, I guess I have to direct this
toward you. The administration's current policy doesn't require
encryption product exported to certain market segments to be
recoverable, that is, new relaxed plan. Doesn't this undermine
your claim that all encryption products should be recoverable?
Mr. Lee. I think what I have testified both in this forum
and other fora is that law enforcement has needs that, in order
to continue to protect public safety, need to be met. There is
a balance here. We participated in and fully supported the
balance that was struck with the updates last fall.
We recognize, as with all encryption, as many of the
members have stated, that there is an upside and a downside. It
seems to us that the needs for strong encryption in those
sectors, which we supported, really outweighed the possible
harm to the public safety, but it would be remiss of me not to
say on this record that there is a possibility that that strong
encryption out there can be used for nefarious purposes by
criminal elements.
So, again, there is a balance. We are trying to participate
in that balance, but the ultimate goal is, when there is lawful
authority for an interception or to seize stored data that
happens to be encrypted, the ultimate goal would be that we be
able to obtain the plain text of that information.
Mr. Shimkus. When we relax export controls, you are, in
essence, shut out of some communications, use in these market
segments, am I correct?
Mr. Lee. When you say ``you,'' are you directing that at
me?
Mr. Shimkus. The administration, the Department of
Commerce. When we decide, when we make a decision--I mean, it
is really just follow-up to what you just said. We can't be--if
we are going to allow and ease export controls, you can't
assure me that that possibility now--there is a possibility out
there that you can't have access to some information?
Mr. Lee. I think you have put your finger on the central
dilemma with any effort to relax export controls. That is
correct.
Mr. Shimkus. And let me move to Mr. Holahan.
I was interested in your statement, and I think we have
this perception, you probably said it in your opening comments,
but I would like you to elaborate. And I am a cosponsor of the
legislation, and I like our high-tech industry. I want it to be
competitive.
But just elaborate on, you say that Baltimore Technologies
refutes suggestions often made that non-American companies
flourish solely because of the current export policy.
Mr. Holahan. Yes.
Mr. Shimkus. If you mentioned it before, I apologize----
Mr. Holahan. No problem. That was actually a comment taken
from the testimony before the Committee on the Judiciary. That
phrase was used, ``flourish solely,'' because--just to give
some examples, and this probably applies to Checkpoint software
from Israel. We actually do sell our products inside the United
States, and we were the first people to offer a job of
cryptography, not because we could do it, we just did it. And
we sold it to, at the time, the leading security company,
Security Dynamics; and they licensed it.
So we set inside the U.S., based on just our technical
merits, not because we have got some advantage outside. So if
it is a question of us not on a level playing field, why would
we actually succeed in here?
We also--the major people that buy security, you know, the
criminals don't come to us and buy security. Criminals will
steal the security software if they want to. The people that
buy security from us are people like banks, okay?
Banks--if a bank comes up with a requirement for security,
they will go to U.S. corporations, to Baltimore Technologies.
They will go everywhere. And they can get an export license for
the U.S., and we regularly compete against American
corporations and win deals purely based on technical merits.
I would like to add that actual crypto is available
everywhere, but the industry, you know--crypto is available
everywhere, including the United States, but people are not
even using it. The reason they are not using, because the
software companies don't exist.
What we do is not just write crypto, we actually use crypto
from the U.S., from the UK, from Canada, from France and
Ireland. And what we do is build products on top of it to
encourage people, as Dr. Schultz said, to actually use the
crypto. Because crypto has been around for 25 years, but no one
needed to use it. So it has been incorporated into the software
products.
And that is--our job is not writing crypto. A very small
percentage of our business is based on crypto, as is here is
something that generates keys for you. The vast majority of our
business is in the management systems which--actually, what we
call cryptoagnostic. We don't care what crypto you use--U.S.,
recovered key crypto, IBM crypto, Intel crypto. We don't care
what it is, because our value is in the management of crypto
which is, in general, encouraging them to use, and that is why
we succeed inside the U.S. So flourish solely, absolutely
refute that, yes.
Mr. Shimkus. So you probably have multiple product lines
then, in essence.
Mr. Holahan. Yes.
Mr. Shimkus. And there is a separate one for U.S. import?
Mr. Holahan. Unfortunately, yes.
Mr. Shimkus. Yes, sir.
Mr. Gillespie. Mr. Chairman, I was going to point out that
the fact is perhaps Baltimore does not flourish solely because
of the encryption laws. But there are a number of companies who
aren't flourishing because of the encryption laws.
And, in fact, if you go on to the Siemens website, you will
see where they market specifically directed at the export
restrictions; and it says, here is where you can purchase the
strong encryption products that American companies are not
allowed to sell you. And that is the kind of marketing that is
taking place across Europe.
I should also point out, because the Wassenaar Arrangement
isn't brought up here, it was brought up by Mr. Holahan and
others, the fact is that the Wassenaar Arrangement sets a
floor, not a ceiling, in terms of crypto policy. And, frankly,
our administration is below the floor that it set in the
Wassenaar Arrangement, because Wassenaar allows for 64 bit, and
we are still operating at 56 bit. So it would be nice if they
would bring our policy up consistent with the floor at least in
the Wassenaar.
Mr. Shimkus. And that is one of my questions I would have
asked the Commerce guy. When do they perceive moving up to that
level of 64?
Mr. Hornstein. I don't know.
Mr. Tauzin. A good question. Submit it in writing. We will
do that for you.
Mr. Gillespie. If I might, Mr. Shimkus, in terms of
Wassenaar, there were a number of points I would like to have
cleared up about that, I think, for the record.
It should also be noted that H.R. 850, the SAFE Act, is
completely consistent with Wassenaar's. It was inferred that
maybe it wasn't. Somehow, it would violate the Wassenaar
Arrangement. It does not at all. In fact, it allows for the
very kind of review process that Wassenaar calls for.
It contains, among other things, a provision that gives the
Secretary of Commerce a one-time, 15-day technical review of
all crypto products prior to export. Second, it allows the
President to stop exports to terrorist nations and to impose
embargoes. And, third, it provides the Secretary of Commerce
with the ability to stop the export of specific encryption
products to specific individuals or organizations in specific
countries if there is substantial evidence that such products
will be used for military or terrorist purposes.
So the bill itself is completely consistent with Wassenaar.
I think that ought to be on the record here today.
Thank you.
Mr. Shimkus. Mr. Holahan, did you want to follow up?
Mr. Holahan. Just in terms of companies marketing
themselves as being able to sidestep U.S. regulations, it is
actually different from the companies actually flourishing.
Someone like Siemens, they don't flourish because U.S. export
restrictions--I can't speak for them. But an awful lot of
people would say, we have got, you know, strong crypto outside
of the States. You can actually get a freeware and shareware.
Shareware and freeware companies don't flourish because of
that. They may offer it.
But the question is, if used, people want it in American
software products. The desktops of the world are populated by
U.S. software products, and people do want it in the American
products. Being able to offer it for free or a small amount of
money will not cause us to flourish because of that. We have to
offer something better than that. So the commercial argument is
different from the actual technical argument.
Mr. Shimkus. We understand marketing.
Mr. Holahan. Okay. So don't confuse the idea of having 650
products with actually some kind of a business market being out
there, which is massively beyond belief, and we are all out
there making tons of money just because we can develop crypto.
Anyone can do that. That doesn't matter.
Mr. Shimkus. Does anyone else also want to add--I was also
interested on the comments by Mr. Gillespie, the Wassenaar by
Mr. Holahan. Anyone else want to add on the agreement?
Mr. Holahan. Just on the Wassenaar, my term was it may
violate the Wassenaar Arrangement. My point is that I would
like to encourage--to perhaps look at if it sort of wouldn't
violate----
Mr. Tauzin. Would the gentleman yield? Where? Where might
it violate Wassenaar?
Mr. Holahan. Because if--my understanding of the act is
that the Department of Commerce can regulate it. So if--for
instance, there is no actual requirement to notify export of
crypto above 64 bit or whatever it is that might do it or
outside the 33 countries of Wassenaar.
I think there could be a few points whereby this might, you
know, literally open the floodgates, rather than be contained,
potentially. It depends on what way it is implemented.
Mr. Hornstein. Can I point out Wassenaar is only for 33
countries? I mean, Israel is not a Wassenaar member, and they
are not subject to the regulations of other countries, India
and so on. So a lot of our serious competitors out there in the
world are not subject to this regulation at all.
Mr. Shimkus. It has been a good panel, Mr. Chairman. I
yield back the balance of my time.
Mr. Tauzin. Thank the gentleman.
Mr. Hornstein, before we wrap, in regards to your comments
about the handicaps to some of the contracting you are trying
to engage in. Once the Commerce Department does, in fact, give
you an export license, does Commerce Department regulations
prevent you from servicing after the sale in any way or inhibit
you from servicing after the sale?
Mr. Hornstein. No. As Under Secretary Reinsch said, once
you do get a license, then you would be able to support that.
Mr. Tauzin. So there is no problem with servicing the
contract once you get your export license and you do your sale.
Your problem is in communicating prior to the award of the
contract?
Mr. Hornstein. Can I walk through a quick process with you?
Mr. Tauzin. Quickly do that for me.
Mr. Hornstein. No problem. You develop a product, and then
you have to go for a review. Your engineers are developing it.
They have got to keep the export people involved so we can
actually go through, and it takes 90 to 120 days to get this
product reviewed by Commerce.
Mr. Tauzin. By Commerce.
Mr. Hornstein. It goes out, and then you try to sell the
product. Now you have a review. It is potentially--it may be
exportable, it may not be, may be restricted or regulated. I
now go out there. I have--most of the transactions I do are
small deals, $25,000, $50,000. I am a billion dollar software
company. Can you imagine 30 or 40 percent?
Mr. Tauzin. Everyone takes that review.
Mr. Hornstein. If I actually had to go through that sort of
a process for a mass--I am selling mass market products. These
are products that come off the store shelf and turnkey, and my
consumers can use them for non-nefarious purposes.
Mr. Tauzin. You don't have a general waiver on them. You
have to go contract by contract?
Mr. Hornstein. Correct, contract by contract.
Mr. Tauzin. While your product is being reviewed, you are
in the process of negotiating with the company who wants to buy
it who is also negotiating with these foreign suppliers as
well, right--well, maybe?
Mr. Hornstein. I wouldn't file a license before I have a
sale. Many times customers come to me and want the products
that day, and there are other competitors out there. It takes
90 days or whatever period of time to get clearance from the
Commerce Department.
Mr. Tauzin. So even if you were able to clear all of these
hurdles within the timeframes, your competitors have no such
hurdles?
Mr. Hornstein. Exactly.
Mr. Tauzin. They can sell that day to the purchaser?
Mr. Hornstein. Baltimore, based out of Ireland and the UK,
has no restrictions whatsoever.
Mr. Tauzin. Mr. Holahan, do you do that? Can you sell on
a----
Mr. Holahan. The way we regulate what is under Wassenaar
and the European Union and the national legislation, that we
actually allowed certain products to be exported on a
notification basis.
Mr. Tauzin. So you just notify them and then export?
Mr. Holahan. Correct.
Mr. Tauzin. You have no review process? You don't have to
wait for anyone to say it is okay?
Mr. Holahan. There is a continuing review process.
Mr. Tauzin. Nobody has to tell you it is okay?
Mr. Holahan. Okay.
Mr. Tauzin. You can just notify and sell?
Mr. Holahan. Correct.
Mr. Tauzin. He has to go through an okay process.
Mr. Holahan. Actually, I contest that, because Network
Associates have bought two non-U.S. companies who are quite
capable of exporting. My understanding, correct me----
Mr. Hornstein. I can't export anything. All of my engineers
are in the United States.
Mr. Holahan. Do you have PGP engineers in Europe?
Mr. Hornstein. No, PGP is in United States.
Mr. Holahan. In Holland, no?
Mr. Hornstein. No. I just have my sales people out there.
Mr. Holahan. My understanding is that PGP is available
internationally, downloaded free of charge, and that is outside
the U.S.; is that right?
Mr. Hornstein. That is correct.
Mr. Tauzin. But his engineers are here, and you can't
communicate before the sale; is that the problem?
Mr. Hornstein. Correct.
Mr. Holahan. Actually, I would contest. I think the term in
the contract is render technical assistance in the development
of products. I think you can actually market products outside
the States. You can say, this product does this, this, this,
and this. You can't get an engineer to help someone that is
outside of the States. So, as far as we see, U.S. companies are
able to market the products. If someone wants to build a
product, they can't render engineering assistance----
Mr. Hornstein. I can market, but most of my marketing is
done by my borrowers who are international people. And for me
to give them a demonstration version is another violation of
the U.S. laws.
Mr. Tauzin. I think we have the picture.
Mr. Holahan. I am not arguing for those certain things. I
am not trying to stop him from competing. But I think a
demonstration of a product is actually allowed under the
current legislation----
Mr. Hornstein. As long as it is under my control and a
controlled environment. I don't install it. My customers----
Mr. Tauzin. There are a type of restrictions on which you
can or cannot do?
Mr. Holahan. I would agree with that.
Mr. Tauzin. Right.
Mr. Dawson, do you want to add something before we wrap?
Mr. Dawson. Quickly. By way of a quick walk-through, there
is no prior approval required with the approach that we have
implemented under the current resolution.
Mr. Tauzin. Because Commerce has approved it?
Mr. Dawson. Commerce has approved this, and there is no--
our customers have no preapproval. It is preapproved for any
customer, and they simply have to register themselves on our
website, not with the U.S. Department of Commerce. So that is
within the current regulations, et cetera. So I think it works,
and I think it works without----
Mr. Tauzin. But only people using your product?
Mr. Dawson. Only people that are using that technique.
Mr. Tauzin. That technique. That is correct.
Mr. Schultz.
Mr. Schultz. If I can, just for 1 more second. Just with
respect to law enforcement, I would like to give some
encouragement in that area. If we relax our current encryption
restrictions, there will be ways of getting keys even if the
crypto is stronger.
Look at the Walker spy case, right? People reveal keys. We
must always keep in mind the role of people in any technology.
That is very important. That means one person in an
organization that is using crypto for criminal purposes may be
aware of that key and reveal the key. We must never lose the
fact that we always have a very strong potential form of
control.
And, second of all, with respect to crypto, we have heard
somebody from the NSA tell us that, yeah, they monitor what
goes on out there. And now some special vigilante organization
that is very scary starts encrypted traffic lot using strong
encryption. That is a heads-up. There are signs, there are
telltales that the law enforcement community will get from the
use of stronger encryption that will enable them----
Mr. Tauzin. Mr. Schultz, that makes my point; and that is
it is not sufficient for FBI purposes that NSA have that
capability. FBI has to have its own capability, and that is the
reason why the lab language, and perhaps we need to talk more
about that. If we are going to successfully pass a bill that
relaxes these export restrictions and, in fact, encourages
stronger and stronger encryption products, which I support, we
are going to have to make sure that there is strong cooperation
between the industry and the manufacturers and the product
developers and the FBI in terms of a lab that gives them
capability to serve this country's needs in terms of catching
the bad guys when they are out there using those products.
Mr. Hornstein.
Mr. Hornstein. Can I just give a couple of examples?
Network Associates in the past couple of years has worked
very closely with the FBI. In the last year, I had 12 different
meetings and conversations with different agencies.
Mr. Tauzin. That is what I am talking about.
Mr. Hornstein. For instance, you have heard of the Melissa
virus potentially.
Mr. Tauzin. Of course.
Mr. Hornstein. The moment the Melissa virus was discovered,
Network Associates worked very, very closely with the FBI, not
only detecting and cleaning and decrypting the virus but we
also worked with the FBI in assisting them on backtracking and
locating the person who was out of I think it was New Jersey.
And we worked very closely with them, the Remote Explorer virus.
Mr. Tauzin. I think the FBI gave some credit to the
industry for its assistance.
Again, thank you for that. That is exactly what we are
going to be looking for if we can develop successful
legislation.
Mr. Hornstein. I guess my point is, for a company like
Network Associates, which is trying to grow a security company,
we are a global company, not a local company; and for us to
remain viable and to be able to provide support to the FBI, we
need to build and grow as a business. If our business isn't
growing, we will lose our engineers.
Mr. Tauzin. This has been an excellent discussion. I will
just reaffirm, Mr. Markey and I have always been able to
appreciate and enjoy James Joyce. What I can't appreciate and
enjoy is that 7 million word Tax Code, and if any one of you
can decipher that book, I would be happy.
Let me thank you very much. It has been very enlightening.
We may call upon some of you again as we move toward our
retreat. We want to understand a great deal more of some of--
you raised some extraordinary problem areas for us in your
testimony, with Mr. Arnold and Mr. Schultz, that I want to
pursue further. We may want to come back to you with some
additional questions.
And, all of you, your written record is a part of the
record by unanimous consent. All members' written records are a
part of the record. And the Chair will grant 30 days for anyone
to submit additional and other information for the record.
Mr. Gillespie, you have the article from Mr. Cox that will
be made a part of the record, as well as my letter from the
Louisiana Sheriff's Association. Without objection, so ordered.
[The information referred to follows:]
[March 27, 1999--San Jose Mercury News]
China: Export of technology would be liberating force
By Christopher Cox
American policy toward the People's Republic of China should
proceed from this central premise: It is our sincere hope for the
Chinese people that they will no longer live under a communist
government.
To this end, America's--and California's--world leadership in high-tech
enterprise promises far more than economic benefits. The export of
these products to the Chinese people can be a great democratizing and
liberating force.
In January, the People's Republic sentenced Lin Hai, a 30-year-old
software executive and Web page designer, to prison for supposedly
``inciting subversion of state power.'' His so-called ``crime''
consisted of exchanging e-mail addresses with an anti-communist group
in America. But if Lin Hai had been able to keep the contents of his
computer messages away from the prying eyes of the Ministry of State
Security--using strong encryption in commercially available software--
he would be a free man today.
That is why America's companies, the leaders in encryption
technology, must be able to export their products to China and around
the world. Strong encryption is--as Beijing's communist leadership is
well aware--a massive threat to totalitarian regimes and their
government-maintained monopoly on information, because it permits
individuals to communicate privately without fear of government
eavesdropping or interception.
In this and the previous Congress, I have sponsored the Security
and Freedom through Encryption Act, together with a broad coalition of
Republican and Democratic lawmakers. I disagree with the Clinton-Gore
administration that the current prohibition on American businesses
exporting encryption software is necessary for our national security.
Yet the Clinton-Gore administration would go beyond the current
prohibition, endorsing not just restrictions on encryption exports, but
also requiring every encryption program sold--even within the United
States--to have a secret key to permit eavesdropping by law enforcement
officials or foreign governments.
The Clinton-Gore administration seems to place a higher priority on
stopping the export of encryption software to the Chinese people than
on preventing the theft of our nuclear weapons technology by the
People's Liberation Army.
This is exactly backward. Rather than control commercially
available computers, software and technology, we should safeguard our
most critical military secrets.
Transfer of technology
For the past nine months, I've chaired a congressional select
committee investigating the transfer of militarily sensitive technology
to the People's Republic of China. The committee's classified report,
unanimously approved by all five Republicans and four Democrats, found
overwhelming evidence that such transfers--including theft through
espionage--have caused serious harm to U.S. national security, and
continue to this day.
But some have inferred that this should mean clamping down on
commercial exports. To the contrary: The committee found that the
current export-licensing process is riddled with, and plagued by
delays. It often does very little to protect our national security--
while frequently doing a great deal to damage America's competitiveness
in world markets.
The committee has therefore recommended streamlining export rules.
The United States should provide a new ``fast track'' for most items,
while focusing greater resources and expertise on the limited targets
that we know from our intelligence are the subject of specific
collection efforts by the People's Republic of China and others.
Trade in innovative technologies, goods and services can help
undermine inefficient state-run industries and bring hope of a better
life to the Chinese people.
In areas like transportation, telecommunications and financial
services, it is the means by which communist China--whose economy is
smaller on a per capita basis than Guatemala's--can become a developed
nation.
In fields such as medicine, biotechnology and farming, U.S. trade
offers hope for the desperately poor millions who are still China's
majority that they will be able to eat and survive.
Encouraging exports to China that promote individual freedom and
well-being is in the United States' national security interest. For
this reason, in addition to allowing the export of encryption software,
U.S. policy should focus on unleashing the Internet as an engine of
freedom in China. Among the 1.2 billion people in the People's Republic
of China, only one in a thousand is an Internet user. But Internet use
is growing at a rate that threatens the Communist Party's grip on
China.
As Chinese journalist Sang Ye has observed: ``New ways of thinking,
of communicating, of organizing people and information--the Net takes
aim squarely at things that since Mao's earliest days have been the
state's exclusive domain.''
Today, China's communist dictatorship is working hard to re-route
its citizens away from the information superhighway and onto the state-
controlled ``Intranet.'' This new Intranet allows communication only
among approved users who share communist-approved content. The Ministry
of Post and Telecommunications supervises and approves all networks,
and it screens virtually all news and even financial information that
citizens may receive from foreign sources. While the Chinese Communist
Party argues, on the Internet home page of the People's Daily, that the
open flow of communications would be destabilizing, Americans know from
our own experience that technology is best used as a means to an end: a
promise of greater freedom. The United States should move aggressively
to frustrate the Chinese government's censorship of the Internet by
condemning it as a barrier to free trade, an impediment to joining the
World Trade Organization, and a violation of the several human rights
covenants it has signed. And we should encourage the construction of an
expanded Internet architecture that frustrates censorship and control
by repressive states.
At the same time, the United States should work with all nations
for the establishment of the Internet as a global free-trade zone,
which not only will make it increasingly difficult for governments
including China's to choke off access but also will pressure them
further to reduce protectionist trade barriers.
Finally, we should recognize that while our currently limited trade
with China's protectionist government may be better than nothing, the
object of U.S. policy must be a liberalization of trade that is
fundamentally at odds with the nation's communist system.
Truly free trade
Despite America's free-trade policy, we still sell less to the
billion-plus People's Republic of China than to the 22 million people
of Taiwan. Instead of business ventures being approved one at a time by
the Communist Party's Politburo, truly free trade means a billion
Chinese interacting independently with a quarter-billion Americans.
A policy toward the People's Republic of China that frustrates this
objective is both shortsighted and cruel.
The recent public attention to espionage raises proper concerns
about our lack of security, but it should not distract us from our
objective of freedom for China's people--a result that American
technology exports can help bring about.
Today, we have the worst of both worlds: Military technology that
the communist government can use to hold the Chinese people in terror
is being stolen, while commercial technology that can liberate the
Chinese people is delayed in the export-licensing bureaucracy.
It's time to focus not on whether to engage--we should all be
agreed on that--but rather on the terms of engagement. We should have
no illusions about with whom we are dealing. We should have no doubt
about where our policy is taking us. Freedom--not engagement and
possibly marriage to a communist dictatorship--is what our policy
toward China should be seeking to achieve.
U.S. Rep. Christopher Cox, R-Newport Beach, is chair of the House
Select Committee on U.S. National Security and Military/Commercial
Concerns with the People's Republic of China. He wrote this article for
the San Jose Mercury News Sunday Perspective section.
______
Louisiana Sheriffs' Association
May 17, 1999
The Honorable John C. Cooksey
U.S. House of Representatives
434 Cannon House Office Building
Washington, D.C. 20515
Dear Congressman Cooksey: I am writing today to call your attention
to H.R. 850, the SAFE Act, which will be heard tomorrow in the
International Economic Policy & Trade subcommittee of the International
Relations Committee. This legislation deals with issues that are of
some concern to the sheriffs in Louisiana and law enforcement in
general. I hope that you will work to prevent any weakening amendments
and report this bill favorably to the full House of Representatives.
Our association passed the enclosed resolution last year in
opposition to a proposal that would have ``escrowed'' encryption keys
for use by the government. This resolution speaks to the concerns and
problems that such a proposal would create. This year we are seeking to
guarantee the security of encryption by preventing the government from
taking such steps as ``escrowing'' encryption keys. That is why we need
H.R. 850 passed favorably without any amendments.
Please review the enclosed resolution and support H.R. 850 in the
subcommittee hearing tomorrow. Should you have any questions regarding
this issue, please contact me at the number above.
Sincerely,
A.R. ``Trey'' Hodgkins, III
Manager of Governmental Relations
RESOLUTION
WHEREAS, In today's digital age, individuals, private organizations
and government agencies store and transmit ever-increasing amounts of
confidential information within and over computer and
telecommunications networks; and
WHEREAS, This activity necessitates that individuals, organizations
and agencies need to protect their confidential information with the
strongest available computer encryption technology to deter access or
theft of this information; and
WHEREAS, Without powerful encryption security in Louisiana's
information networks, the computer and telecommunications systems that
control such critical law enforcement functions as communication and
emergency response, as well as the vital services providing air traffic
control, financial systems, the power grid and the public telephone
system would become vulnerable to attack from high tech terrorists; and
WHEREAS, The confidential nature of a number of law enforcement
functions, including investigative evidence keeping, witness
information and prison and corrections records keeping would also be
vulnerable to unauthorized access without these powerful encryption
systems; and
WHEREAS, Legislation proposed by the Federal Bureau of
Investigation would require all users of encryption to deposit a key
with a ``key escrow'' agent that would be available to FBI access; and
WHEREAS, This FBI access would create and maintain a dangerous and
unnecessary vulnerability to Louisiana's information and computer
infrastructure while failing to offer any increased level of protection
these systems require; and
WHEREAS, While the FBI's efforts toward recovering information
about criminal access to high security encryption are well intentioned,
the ``key escrow'' plan poses too many severe threats to public safety,
confidentiality and legitimate computer users that far outweigh the
isolated benefits it may provide; and
WHEREAS, Americans for Computer Privacy is a broad-based national
coalition of groups representing law enforcement, industry, taxpayers,
financial institutions, civil liberties and online commerce dedicated
to ensuring that all Americans are permitted to protect their privacy
with the strongest possible encryption without mandatory government
access to information; now, therefore, be it
RESOLVED, That the Louisiana Sheriffs' Association, at its meeting
on May 20, 1998 registers its opposition to any compromise to the
security and privacy that strong encryption affords the ability of law
enforcement to provide public safety, and, be it further
RESOLVED, That the Louisiana Sheriffs' Association wishes to become
an active member of the Americans for Computer Privacy coalition and
will devote any available resources to passage of pro-computer privacy
legislation and opposing any ``key escrow'' mandates; and
RESOLVED, That the Louisiana Sheriffs' Association wishes that a
copy of this resolution be sent to each member of the Louisiana
Congressional Delegation.
CERTIFICATION
This is to certify that the above and foregoing is a resolution
adopted by the Executive Board of the Louisiana Sheriffs' Association
on May 20, 1998.
DATE 5-20-98
R.B. ``Bucky'' Rives, Jr.
Executive Director
Mr. Tauzin. The hearing stands adjourned. Thank you very
much.
[Whereupon, at 12:50 p.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
Prepared Statement of Hon. Bob Goodlatte, a Representative in Congress
from the State of Virginia
Mr. Chairman, I would like to thank you for holding today's
important hearing on legislation I have introduced--H.R. 850, the
Security and Freedom through Encryption (SAFE) Act of 1999--to
encourage the use of strong encryption.
This much-needed, bipartisan legislation, which currently has 255
cosponsors, including a majority of the Republican and Democratic
leadership, three-fifths of the members of the Commerce Committee, and
over two-thirds of the members of this Subcommittee, accomplishes
several important goals. First, it aids law enforcement by preventing
piracy and white-collar crime on the Internet. Several studies over the
past few years have demonstrated that the theft of proprietary business
information costs American industry hundreds of billions of dollars
each year. The use of strong encryption to protect financial
transactions and information would prevent this theft from occurring.
With the speed of transactions and communications on the Internet, law
enforcement cannot stop thieves and criminal hackers by waiting to
react until after the fact.
Only by allowing the use of strong encryption, not only
domestically but internationally as well, can we hope to make the
Internet a safe and secure environment. As the National Research
Council's Committee on National Cryptography Policy concluded, ``If
cryptography can protect the trade secrets and proprietary information
of businesses and thereby reduce economic espionage (which it can), it
also supports in a most important manner the job of law enforcement. If
cryptography can help protect nationally critical information systems
and networks against unauthorized penetration (which it can), it also
supports the national security of the United States.''
Second, if the Global Information Infrastructure is to reach its
true potential, citizens and companies alike must have the confidence
that their communications and transactions will be secure. The SAFE
Act, by allowing all Americans to use the highest technology and
strongest security available, will provide them with that confidence.
Third, with the availability of strong encryption overseas and on
the Internet, our export controls only serve to tie the hands of
American business. Due in large part to these export controls, foreign
companies are winning an increasing number of contracts by telling
prospective clients that American encryption products are weak and
inferior, which is robbing our economy of jobs and revenue. In fact,
one noted study found that failure to address the current export
restrictions by the year 2000 will cost American industry $60 billion
and 200,000 jobs. Under the current system, America is surrendering our
dominance of the global marketplace.
The SAFE Act remedies this situation by allowing the export of
generally available American-made encryption products after a 15-day,
one-time technical review. Additionally, the bill allows custom-
designed encryption products to be exported, after the same review
period, if they are commercially available overseas and will not be
used for military or terrorist purposes.
Removing these export barriers will free U.S. industry to remain
the leader in software, hardware, and Internet development. And by
allowing our computer industry to market the highest technology with
the strongest security features available, America will lead the way
into the 21st century Information Age.
This bipartisan legislation enjoys the support of members and
organizations across the entire spectrum of ideological and political
beliefs. The SAFE Act enjoys this support not only because it is a
common-sense approach to solving a serious problem, but also because
ordinary Americans' privacy and security is being assaulted by this
Administration.
Amazingly enough, the Administration wants to mandate a back door
into peoples' computer systems in order to access their private
communications. In fact, the Administration has stated that if people
do not ``voluntarily'' create this back door, it may seek legislation
forcing them to give the government access to their information, by
mandating a ``key recovery'' system requiring people to give the keys
to decode their communications to a government-approved third party.
This is the technological equivalent of mandating that the government
be given a key to every home in America.
The Administration is proposing an Industrial Age solution to an
Information Age problem. The SAFE Act, on the other hand, prevents the
Administration from placing roadblocks on the information superhighway
by prohibiting the government from mandating a back door into the
computer systems of private citizens and businesses. Additionally, the
SAFE Act ensures that all Americans have the right to choose any
security system to protect their confidential information.
With the millions of communications, transmissions, and
transactions that occur on the Internet every day, American citizens
and businesses must have the confidence that their private information
and communications are safe and secure. That is precisely what the SAFE
Act will ensure. I urge each of my colleagues to support this
bipartisan legislation, and thank you for holding today's hearing.
______
Global Integrity
West Lafayette, IN 47906-1182
June 1, 1999
The Honorable W.J. Tauzin
Chair
Committee on Commerce
U.S. House of Representatives
316 Ford Building
Washington, DC 20515
Dear Representative Tauzin: In response to your request for
additional information at the Committee on Commerce hearing on H.R. 850
last Tuesday, I am pleased to submit this letter.
Your first question was whether the cryptographic product
(SmartGate) described at the hearing by Mr. David Dawson of V-ONE
corporation provides a solution for the concerns associated with
relaxation of current U.S. encryption export restrictions. After
visiting the V-ONE web site and reading the descriptions of V-ONE's
SecureGate product, I learned that this product provides encryption for
pager devices using Triple-DES (a reasonably strong encryption
algorithm). It was certainly generous of Mr. Dawson to offer to share
the code used to implement this product. On the other hand, SecureGate
is a rather specialized product that does not address many of the
issues discussed at last week's hearing. This product does not, for
example, encrypt network links to web servers, nor does it help in
securing telecommunications links. As such, SecureGate does not provide
a sufficiently general solution--the kind of solution, unfortunately,
that would be needed to address the many issues related to U.S.
encryption export controls.
Your second question was whether prohibitions against mandatory key
recovery would discourage voluntary key recovery. It seems to me that
the critical issue here is not the relationship between the two, but
rather the particular party that would be in charge of voluntary
recovery. If the U.S. Government establishes the role of voluntary key
recovery agent and postures itself accordingly, I am confident that the
result would be firm resistance even to voluntary key recovery. The
fiasco with the Clipper Chip and Capstone should by now have taught us
that not only U.S. commercial entities, but also especially foreign
organizations are less than enthusiastic about the U.S. Government
serving in the role of key recovery agent. In short, few organizations
trust the Government and its potential intentions sufficiently. If, on
the other hand, commercial entities continue to provide key recovery
services on a widespread basis, I am confident that the negative
reaction towards voluntary key recovery will in general soften over
time.
The only possible link between prohibition of mandatory key
recovery and the popularity of voluntary key recovery might result from
the inference that somehow since the U.S. Government prohibits
mandatory key recovery, something must be wrong with key recovery in
general (regardless of whether it is mandatory or voluntary). I do not,
however, believe that such an inference is sufficiently logical to be
held widely among those who are considering key recovery solutions.
Thank you for allowing me to serve the Commerce Committee. I look
forward to the possibility of working with you and the others on this
Committee in the future should your needs so dictate. I am in
particular eager to explain the concept of an ``encryption culture''
and to show its bearing on H.R. 850.
Sincerely yours,
E. Eugene Schultz, Ph.D., CISSP
Trusted Security Advisor and Research Director