[Congressional Record Volume 143, Number 93 (Friday, June 27, 1997)]
[Senate]
[Pages S6724-S6726]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                        ENCRYPTION POLICY REFORM

  Mr. LOTT. Mr. President, I rise today to thank the junior Senator 
from Montana for his leadership on the important issue. Senator Burns 
has led a valiant effort to address an area that I believe is in great 
need of reform. He has championed the cause of allowing citizens to 
protect their information through readily available strong information 
security technology. In the 104th Congress, he introduced legislation 
that set the stage for our reform efforts in this Congress. Again, last 
week, Senator Burns offered a compromise version of his original bill 
before the Commerce Committee, but unfortunately this measure did not 
pass. I hope that now we can go through a process to bring all parties 
together, industry and Government, to try to relieve some of the 
problems created by current law. We did not accomplish everything that 
I wanted in Committee, but I am confident that there is still time to 
improve this legislation. I want to congratulate Senator Burns and 
others on the committee like Senator Ashcroft and Senator Dorgan who 
have taken the time to understand the technology and to attempt to 
effectively guide us through these difficult issues.
  Mr. President, the demand for strong information security will not 
abate. Individuals, industry, and governments need the best information 
security technology to protect their information. The Administration's 
policy and the McCain-Kerrey bill allow export of 56-bit encryption, 
with key recovery requirements. How secure is 56-bit encryption? That 
question was answered the day before the Senate Commerce Committee 
acted. Responding to a challenge, a secret message encoded with 56-bit 
encryption was decoded in a brute force supercomputing effort known as 
the ``Deschall Effort.'' The message that was decoded said ``Strong 
cryptography makes the world a safer place.''
  Now that 56-bit encryption has been cracked by individuals working 
together over the Internet, information protected by that technology is 
vulnerable. The need to allow stronger security to protect information 
is more acute than ever.
  Mr. BURNS. Mr. President, I appreciate the comments of the majority 
leader. I too was opposed to the legislation approved by the committee 
last week, but know that we still have the opportunity to pass a 
meaningful bill that will allow American industry to compete with the 
rest of the world in the global information marketplace. I believe that 
we can pass a bill that will not compromise our national security or 
law enforcement interests. As I sat through the markup last week, it 
occurred to me that we had allowed the issue of encryption to be framed 
as the

[[Page S6725]]

issue of child pornography or gambling. I want to be sure that all 
parties understand that the reform of encryption security standards is 
not related to these issues.
  I have often said that encryption is simply like putting a stamp on 
an envelope rather than sending a postcard because you don't want 
others to read your mail. Encryption is simply about people protecting 
their private information, about companies and governments protecting 
their information, from medical records to tax returns to intellectual 
property from unauthorized access. Hackers, espionage agents, and those 
just wanting to cause mischief must be restrained from access to 
private information over the Internet.
  When used correctly, encryption can enable citizens in remote 
locations to have access to the same information, the same technology, 
the same quality of health care, that citizens of our largest cities 
have. Perhaps most importantly, it is about ensuring that American 
companies have the tools they need to continue to develop and provide 
the leading technology in the global marketplace. Without this 
leadership, our national security and sovereignty will surely be 
threatened.
  Mr. DORGAN. Mr President, I would like to make a few comments to 
associate myself with the comments of the majority leader and the 
Senator from Montana. These two gentlemen have demonstrated great 
leadership on this issue, and I especially admire their dedication to 
educate our colleagues about this important issue. I believe that at 
the bottom line, if we allow this critical technology to be stifled in 
the United States I believe our national interests will be severely 
undermined. We must do our best to allow U.S. companies to compete in 
the world marketplace, and do so without in any way undercutting our 
national security interests.
  I believe that the bill that was reported last week out of the 
Commerce Committee does not achieve those objectives. In fact, I fear 
that bill may be nothing more than an attempt to ensure that no bill 
passes in Congress this year. This would be a victory for the 
administration, which has rigorously resisted changes to their outdated 
and obsolete policies. I must say that I try to support the 
administration on many issues, but on this issue, I have found that 
their arguments and policies simply do not withstand scrutiny.
  And, Mr. President, I was an original sponsor of the Burns bill and I 
worked very hard with the Senator to help shape the consensus position 
that was rejected by the committee. I would like to take a few moments 
to set the record straight about the true differences between the 
McCain-Kerrey bill and the Burns' approach.

  The bill that passed the committee certainly represents a victory for 
those within the administration opposed to any relaxation of export 
controls in this area. In fact, it may be a perfect bill from their 
standpoint. It allows them to begin the process of domestic control 
while actually freezing exports to a weak enough level of encryption 
technology that was actually decoded by amateurs the very day before. 
And it is very unclear to me exactly where the McCain-Kerrey reaches a 
compromise position.
  The Burns' bill however, merely allows that we would allow export of 
56-bit encryption immediately, but we would establish a process for 
understanding the level of encryption that is generally available 
throughout the world. That review process would include panels and 
advisory boards consisting of government and industry representatives 
equipped to determine the security strength of particular software that 
is available in the world market. Our belief was that it was in the 
national interest for American software companies to maintain 
leadership in this area. The very notion that we would let foreign 
companies get a head start on new technology while forcing American 
companies to come to a government entity to plead for the right to 
catch up was troubling enough to both Senator Burns and myself. But, we 
agreed to this compromise because we thought it represented the 
appropriate middle ground.
  As the majority leader reminded us, we did not accomplish what many 
of us had hoped that we would while in Committee, but we will continue 
to work within the process to improve the legislation. I remain 
committed to encryption reform and will do everything possible to try 
to educate my colleagues about this issue.
  Mr. ASHCROFT. Mr. President, I would like to add my comments on this 
important issue. For over 2 years, I have participated in Commerce 
Committee hearings to learn more about on encryption and the technology 
issues that it encompasses. Last week, I voted for Senator Burns' 
substitute and was disappointed when it was not approved by the 
committee.
  I am concerned about the tone of the discussion at last week's 
markup. It appeared to me that many on the committee are seeking ways 
to outlaw the Internet. We are all troubled by any type of child 
pornography or gambling on the Internet. These are not areas where any 
member of Congress, any software or hardware vendor, or any member of 
the general public I know, argues for anything less than the strictest 
legal provisions. These matters are distasteful and wrong, but even if 
we eliminated the Internet, we would not eliminate these offensive 
concerns.
  As I said during the markup, we all know that cameras are used in 
child pornography, but we don't talk of outlawing photography. And, we 
also know that rental vehicles are often used in terrorist activities, 
but we don't make it illegal to rent a car or truck.
  Mr. President, it appears to me that at the most fundamental level, 
this debate is about the relationship of our citizens to our 
Government. We all must take steps to insure that the rights of our 
citizens are not violated. Our citizens should be able to communicate 
privately, without the Government listening in--that is one of our most 
basic rights.
  We have to be careful to ensure our law enforcement can have just the 
necessary amount of access and then only in a manner consistent with 
our Constitution.
  I am persuaded that a number of the new provisions in the McCain-
Kerrey bill are not necessary.
  I believe that many of the provisions will not even succeed at 
achieving the end they seek. For example, a false choice has been 
offered indicating that if the U.S. continues to enforce the export 
policy on encryption that is currently in place, 40 bit and with 
special permission up to 56-bit, then law enforcement could apprehend 
terrorists, stop illegal gamblers and arrest pornographers. However, 
this argument assumes that these criminals cannot find stronger 
encryption elsewhere than in the United States. As has been shown 
several times, this assumption is false. Robust encryption is 
available. Germany, Japan, and the United Kingdom all have companies, 
such as Siemens, Nippon and Brokat, that have developed and promote 128 
bit encryption. Last week even the supporters of the administration's 
approach, as expressed in the current legislation, admitted that 
criminals who want the robust encryption can find access and use strong 
encryption in their current dealings. This issue is a red herring.
  Moreover, the administration announced Wednesday that they will allow 
the export of 128-bit encryption for bank transaction use involving 
bank software in an apparent admission of the vulnerability of the 56-
bit strength. Also, the administration has continued to tell us during 
the hearings on encryption and in private meetings with the FBI and 
NSA, that 128-bit use outside the United States would end in terrible 
consequences, and now 128-bit use outside the U.S. is being advocated. 
We should remember that the Burns compromise only wanted to export 128-
bit with key recovery for trusted parties. The administration now 
advocates 128-bit length encryption without any key recovery device, a 
position that goes beyond the Burn's compromise, which they opposed. My 
point, Mr. President is that this debate must change. We cannot 
continue to focus on the key length since these standards become 
obsolete on a daily basis. We need to focus on allowing trustworthy 
parties to use robust encryption, not necessarily to sell as encryption 
but to use in their transactions and in the development of software and 
hardware.

[[Page S6726]]

  No nationwide key recovery system, or a new licensing requirement for 
certificate authorities should be brought to the floor without thorough 
examination, analysis and understanding. We must further study the 
impact of these provisions well before this bill is brought to the 
Senate floor.
  Mr. LOTT. Mr. President, I too would like to work with my colleagues 
to improve the McCain-Kerrey bill before it is brought to the floor. I 
would like to ask my good friend from Missouri to pay special attention 
to this bill while it is under consideration by the Judiciary 
Committee. I know that I can count on him to work hard to improve this 
important legislation.
  Mr. ASHCROFT. Mr President: I want to indicate my willingness to 
continue to work on this issue. As the majority leader well knows, I am 
privileged to serve on the Senate Judiciary Committee where we will 
address this issue after the July recess. I pledge to work with members 
on that Committee and with other interested Senators and the leader to 
try to move a bill in that committee that will capture the essence of 
Burns substitute.
  Mr. LOTT. It remains my hope that we can work with Chairman McCain 
and other members of the Committee to produce a bill that more of us 
can support. We need to recognize that American industry will have 
increased difficulty of competing in the international marketplace 
unless we provide some real reform. It is as if we erected a 30-foot 
wall between the United States and the rest of the world. The problem 
is that in today marketplace, American industry only has a 10-foot 
ladder while their foreign competition has a 35-foot ladder. Foreign 
firms are able to climb the wall while our American industry faces an 
insurmountable obstacle. This is both short-sighted and wrong.
  If we follow our current path, we will rue the day when we allowed 
our policies drive world leadership of the important information 
security business to shift to Germany, Russia, Japan or China. I fully 
intend to work toward a legislative solution that will help solve the 
problem while protecting American security interests. We need to create 
the mechanisms that will allow American companies to have the same 
sized ladders that the rest of the world can use.
  Mr. President, we all appreciate the legitimate law enforcement and 
national security issues involved in this debate. Our national security 
and law enforcement agencies need to work with industry to ensure that 
our interests are protected. I remain convinced that we can do this in 
a way that insures that our national security and sovereignty remains 
protected.

                          ____________________