[Congressional Record Volume 143, Number 83 (Monday, June 16, 1997)]
[Senate]
[Pages S5699-S5700]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. McCAIN (for himself, Mr. Kerrey, and Mr. Hollings):

  S. 909. A bill to encourage and facilitate the creation of secure 
public networks for communication, commerce, education, medicine, and 
government; to the Committee on Commerce, Science, and Transportation.


                       Secure Public Networks Act

  Mr. KERREY. Mr. President, earlier, I sent to the desk a bill that I 
introduced on behalf of myself, Senator McCain of Arizona, Senator John 
Kerry of Massachusetts, and Senator Fritz Hollings of South Carolina. 
The bill is called the Secure Public Networks Act of 1997, and it 
establishes as a priority that we are going to try with our law to 
develop a mechanism whereby, in collaboration with the private sector, 
the U.S. Government can work to secure these public networks upon which 
our commerce depends, our Government operations depend, and 
increasingly our national security depends.
  Secure public networks are essential to the protection of personal 
privacy and the promotion of commerce on the Internet and other 
communications networks. Without trust in the system, the Internet will 
never reach its full potential as a new form of communications in 
commerce.
  I believe there is an urgent need to enact legislation this year 
which can promote the creation and use of new networks, provide the 
security American citizens require in their communications and balance 
America's compelling interest in commerce and public safety.
  Congress has been gridlocked for more than a year in the debate about 
the Nation's export policy for encryption products. Our Nation's policy 
on encryption is only a single piece of the puzzle, however. We need to 
ensure that the whole system of our public communications networks 
provides the security required.
  There are three large interests, as I see it, at stake in this entire 
debate. One of the reasons there is an urgency to develop new 
legislation and enact new legislation that the President will be able 
to sign this year is that unless these networks are secure, we risk all 
three.
  The first is in the area of commerce. The increasing amount of 
business that is being done on the network and the failure to be able 
to establish security on an international basis risks the full 
development potential of commercial networks.
  The second is in the area of Government operations itself. Not only 
are there concerns in the private sector but on the Government side, 
from the Internal Revenue Service even to the operations of schools, 
that we need to have a secure public network. Obviously, if we are 
going to develop fully the electronic filing system--and for 
colleagues' reference, less than 1 percent error rate occurs in 
electronic filing, where nearly a 25-percent filing rate occurs in 
paper filing, there is a potential for saving money.
  In addition to that, there is an increasing amount of education that 
is occurring on the network, once again offering a tremendous amount of 
savings for individuals who look for ways to leverage intellectual 
property and increase the efficiency of education. You need look no 
further than what is going on now in the area of education on the 
network, but it needs to be secure.

[[Page S5700]]

  In the area of law enforcement, again, there is an offensive and 
defensive capability, and I am addressing at this instance the 
defensive capability, our ability to be able to communicate, for 
national security reasons, and our ability to be able to communicate 
for law enforcement reasons and know those communications are secure is 
the first order of business of the Secure Public Networks Act of 1997.
  Our commercial interests, Mr. President, lie in maintaining American 
companies' leading position as producers of software and in the 
promotion of commerce on-line on the Internet. I do not believe we can 
fully achieve either of these objectives if the current law remains 
unchanged.
  Second, the American people should be able to have secure access to 
their Government, as I indicated before, not just with the IRS, but 
also a whole range of other services, including the Government job of 
educating our people. There is a tremendous requirement in every single 
operation of Government for the consumer of those services to know that 
their communication is secure, that there is no manipulation of the 
data, no transference of that data.
  And as I said, again, thirdly, there is a public safety interest in 
meeting the needs of law enforcement and national defense. Here a 
secure public network can provide both defensive and offensive 
security.
  Mr. President, the greatest threat to our citizens' privacy is very 
often described by some advocates of change as being the Government. 
They are afraid of the Government interfering with their privacy. But I 
urge my colleagues to consider what the marketplace sees out there, 
which is that increasingly it is the private-sector interests that are 
the greatest threat to the privacy of citizens.
  For example, the FBI reported last month that a hacker collected 
100,000 credit card numbers from an Internet provider and then 
attempted to sell these numbers for cash. This is a private-sector 
individual out there, obviously very skilled. These hackers and 
crackers are skilled way beyond my capacity to understand what they are 
doing, except to know that they have the ability to come in and steal 
information that has great value, to manipulate that data and do not 
just a little bit of mischief but put our commercial and our national 
security interests at risk.
  There was a story in the New York Times last week, Mr. President, 
that detailed the trauma and the horror faced in 1994 by a Texas woman 
who received a letter full of threatening sexual comments from an 
inmate in a Texas prison. She asked the question, ``How did this inmate 
get access to the information?'' and was surprised to discover that her 
personal life had become available as a result of a private-sector 
company's use of Texas inmates to do input into their data bases.
  There was another example in this same article about a 1993 employee 
at a car dealership in New Jersey using their company's access to 
credit information to open false accounts in their customers' names and 
charging up thousands of dollars of merchandise with the fraudulent 
cards.
  Another example, in 1995, a convicted child rapist, working in a 
Boston hospital, used a former fellow employee's password to access 
information on the hospital's patients. He found the phone numbers of 
young patients in the area, and then made obscene phone calls to girls 
as young as 8 years old.
  There are many other examples that one could give. The point that I 
am trying to make, Mr. President, is, as this debate unfolds, one of 
the things you will hear immediately is that this legislation is an 
attempt by Government to gain access over the privacy of individuals. 
That is simply not true. There is protection after protection after 
protection in this legislation guarding against that.
  This is an attempt to tighten up the security so that we know that a 
private individual, as I indicated here earlier with three or four 
examples, does not have the opportunity to either come in and intercept 
your communication or go into your data base and retrieve information 
that they will use against you or manipulate a data base so as to 
engage in fraudulent transactions that could cost not only the 
companies but could cost the individual substantial amounts of money.
  To provide privacy protection and help prevent abuse of public 
networks, the Secure Public Networks Act makes it illegal for a person 
to use encryption to commit a crime; to exceed lawful authority in 
decrypting data or communications; to break the encryption code of 
another for the purpose of violating privacy, security, and property 
rights; to steal intellectual property on a public communications 
network; and to misuse key recovery information.

  This act fully protects and strengthens the privacy rights of the 
individual without damaging the interest of public safety. Law 
enforcement will be granted access to key recovery information only if 
they have authority based on existing statute, rule or law. Audits will 
be performed by the Department of Justice which will ensure this 
process is not circumvented or abused, and I would expect these audits 
to be available to the appropriate congressional oversight committees.
  Both the Government and the private sector need to work together to 
create the infrastructure and technology that will give the users total 
confidence in the security of commercial transactions and personal 
communications. As the largest purchaser of computer software and 
hardware, the Federal Government can create important incentives to 
help the market fulfill this need.
  The idea here, Mr. President, is to say that the Federal law can 
provide incentives for market-based solutions. It will be for the most 
part the market that solves these problems and determines what kind of 
technology will be used in the solution of these problems. The Secure 
Public Networks Act of 1997, however, provides a framework and some 
standardization to make certain that we expedite that happening.
  This act also sets up a voluntary registration system for public key 
certificate authorities and key recovery agents which help build 
confidence in the secure public network. Since the Internet is 
international and online commerce will be worldwide, the United States 
alone cannot develop a secure public network on the scale necessary to 
address this technology. Our legislation therefore, Mr. President, 
calls on the President to continue consultations and negotiations with 
foreign countries to ensure secure public networks are built on a 
global scale.
  The Secure Public Networks Act creates an advisory panel with 
industry representatives to assist the Government in adapting policies 
to meet changing technology and changing commercial situations. This 
panel will also advise the Secretary of Commerce on the commercial 
situation American companies face overseas and recommend changes in 
U.S. policy to assist industry.
  The act also calls for additional Federal research to facilitate the 
creation of secure public networks and the cooperation and coordination 
of departments and agencies on both Federal and State levels to ensure 
the development of secure public networks.
  Mr. President, I believe the Secure Public Networks Act of 1997 will 
move our Nation closer to secure computer and telecommunications 
networks and help resolve the debate on encryption as well. The 
alternative to the rule of law in this dynamic area is chaos and 
anarchy, a condition which will prevent Internet-type networks from 
reaching their full potential and which will hurt the interests of 
industry, the interests of the public, and the interests of law 
enforcement and national security. Congress' duty to make laws to 
strengthen these networks is clear. I suggest we set a public goal of 
getting a bill to the President by October 1. I believe if we set a 
goal of this kind and stick to it, we will enable not only the market 
to develop, but it will enable us to provide the security needed for us 
to be able to move Government operations into the new paradigm of 
network activity.
                                 ______