[Congressional Record Volume 144, Number 141 (Friday, October 9, 1998)]
[Senate]
[Pages S12151-S12152]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




          56 BIT ENCRYPTION IS A GOOD START, BUT IS NOT ENOUGH

  Mr. LOTT. Mr. President, the White House recently announced that it 
would allow some relaxation of its encryption export controls to allow 
the sale of strong encryption products to companies in the finance, 
insurance, and health sectors and to certain companies engaged in 
electronic commerce. While the specific details have yet to be 
articulated in revised regulations, it appears that the Administration 
is finally heeding Congress' calls to modernize its export control 
regulations. While this action is a step in the right direction, I 
believe the Administration is still moving too slowly and 
incrementally. Even with these proposed changes, there are still a 
number of other businesses and consumers who will not be able to 
utilize strong American-made encryption products. Since export 
restrictions will remain in place, foreign suppliers will continue to 
develop and sell strong encryption products in the international 
marketplace without real competition from U.S. providers. Putting $60 
billion and over 200,000 American jobs in jeopardy over the next few 
years.
  Unfortunately, the Administration continues to pursue an outmoded 
policy that supports the broad use of 56-bit encryption for the vast 
majority of computer users. As my colleagues are aware, the government-
approved 56-bit Data Encryption Standard was recently cracked last July 
in just 56 hours. This is particularly alarming because it was 
accomplished using a single computer instead of the thousands that were 
linked together just a few months ago to achieve the same result in 39 
days.

[[Page S12152]]

  Fortunately, this code-breaking effort was undertaken by contest 
participants as part of an international challenge instead of by 
hackers or thieves preying on a vulnerable, unsuspecting target. It is 
truly scary to see how easy it is for someone's medical, financial, or 
personal records to be accessed and read by unauthorized persons. 
Ironically, the decoded message read, ``It's time for those 128-, 192-, 
and 256-bit keys.''
  This feat proves what many in Congress have been stating for some 
time, that 56-bit encryption can no longer protect individual or 
corporate computer files from unauthorized access. Yet, 56- bit 
encryption continues to be recognized as the government standard and 
U.S. companies can only sell advanced encryption software and hardware 
to a finite community abroad. Let us be clear; the Administration's 
export regime affects American citizens everywhere. Whether you 
communicate via the Internet, or work in the technology business, you 
are likely to be adversely affected by the Administration's current 
encryption policy. A policy that does not allow the sale of strong 
encryption to energy suppliers, telecommunication providers, the 
transportation industry, human rights organizations and the vast 
majority of legitimate and responsible business entities and consumers 
throughout the globe. Ultimately, this approach promotes the use and 
development of weak encryption. While I welcome the White House's 
recent announcement to relax some export controls, the Administration's 
proposal simply does not go far enough.
  Mr. President, it is encouraging that the Minority Leader has 
actively engaged himself on the encryption issue. In a floor speech 
last July, Senator Daschle agreed that America's encryption policy 
needs to strike a balance between privacy protections and national 
security and law enforcement interests. The Minority Leader recognizes 
that the development and use of strong encryption products promote 
international commerce and Internet use as well as ensure privacy and 
aid national security. Senator Daschle is also equally alarmed that, 
``maintaining existing encryption policies will cost the U.S. economy 
as much as $96 billion over the next 5 years . . .'' I agree with 
Senator Daschle's comments that the Administration needs to articulate 
and advance an encryption agreement that is ``good for consumers, good 
for business, and good for law enforcement and national security.'' 
Similarly, we agree that it is time to move beyond endless discussion 
and debate and on to a balanced and complete solution.
  Mr. President, with every passing month, consumers across the globe 
turn to foreign suppliers for their advanced encryption needs. If a 
solution that reverses this trend is not found soon, then America's 
computer industry will fall so far behind its foreign competitors that 
U.S. suppliers will lose forever their technology market share to 
European, Asian, and other foreign manufacturers. Congress and the 
Administration cannot allow this happen.
  As Senator Daschle pointed out, the computer industry and privacy 
groups are serious about reaching a compromise on encryption. In May, 
for example, Americans for Computer Privacy (ACP), a technology policy 
group, submitted a seven-point proposal to the Administration which 
would provide U.S. manufactures the ability to sell the kind of 
encryption technology that is already widely available abroad. In July, 
an industry consortium announced the ``Private Doorbells'' proposal to 
assist law enforcement. This proposal was a reasonable attempt to find 
an alternative to the White House`s call for a national key escrow 
framework. Fortunately, the Administration finally appears to recognize 
that a third party key recovery system is technically unworkable and 
unnecessary.
  I believe Congress is still interested in modernizing the Nation's 
encryption policy based on current realities. As Senator Daschle 
observed, several cryptography bills have been offered during this 
session. Clearly though, they are not all created equal. Some of these 
legislative proposals would turn back the clock by putting controls on 
domestic encryption where no such controls currently exist. Others 
would completely sacrifice constitutional protections by allowing law 
enforcement to read personal computer files without a court order and 
without the target ever knowing their files had been accessed. There 
are also proposals that would require an expensive, technically 
unworkable key escrow system. Finally, some members advocate linking 
encryption with other technology issues which could in the end result 
in no legislation being passed at all.
  The encryption debate cannot be resolved by settling on a specific 
bit-length, giving particular industry sectors export relief while 
denying others the same, or by sanctioning one technical solution over 
another. Moreover, this debate will not be resolved by building secret 
backdoors, frontdoors or any doorways into encryption software.
  Mr. President, I look forward to working further with Senator 
Daschle, my colleagues from both sides of the aisle, the 
Administration, and the computer industry to help close the gaps that 
still exist. As the Minority Leader recognizes, this is not about 
politics or partisanship. This is an urgent matter that requires us all 
to work together to forge an appropriate solution. One that balances 
the needs of industry, consumers, and the law enforcement and 
intelligence communities. In the end, we must have a consensus solution 
that brings America encryption policy into the 21st Century.

                          ____________________