[House Report 106-117]
[From the U.S. Government Publishing Office]
106th Congress Rept. 106-117
HOUSE OF REPRESENTATIVES
1st Session Part 4
_______________________________________________________________________
PROTECTION OF NATIONAL SECURITY
AND PUBLIC SAFETY ACT
__________
R E P O R T
OF THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ON
H.R. 850
together with
ADDITIONAL AND SUPPLEMENTAL VIEWS
[Including cost estimate of the Congressional Budget Office]
July 23, 1999.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
__________
U.S. GOVERNMENT PRINTING OFFICE
58-132 WASHINGTON : 1999
C O N T E N T S
----------
Page
Purpose and Background........................................... 4
Legislative History.............................................. 9
Section-by-Section Analysis...................................... 9
Section 1--Short Title....................................... 9
Section 2--Exports of Encryption............................. 9
Section 3--License Exception For Certain Encryption Products. 9
Section 4--One-time Product Review........................... 10
Section 5--Eligibility Levels................................ 10
Section 6--Encryption Licenses Required...................... 10
Section 7--Waiver Authority.................................. 10
Section 8--Encryption Industry and Information Security Board 10
Section 9--Market Share Survey............................... 10
Section 10--Definitions...................................... 11
Committee Position............................................... 11
Fiscal Data...................................................... 11
Congressional Budget Office Estimate......................... 11
Congressional Budget Office Cost Estimate.................... 11
Committee Cost Estimate...................................... 12
Oversight Findings............................................... 12
Constitutional Authority Statement............................... 13
Statement of Federal Mandates.................................... 13
Record Vote...................................................... 13
Additional views of Congressman J.C. Watts, Jr................... 15
Supplemental views of Congressman Patrick J. Kennedy............. 16
(iii)
106th Congress Rept. 106-117
HOUSE OF REPRESENTATIVES
1st Session Part 4
======================================================================
PROTECTION OF NATIONAL SECURITY AND PUBLIC SAFETY ACT
_______
July 23, 1999.--Ordered to be printed
_______
Mr. Spence, from the Committee on Armed Services, submitted the
following
R E P O R T
together with
ADDITIONAL AND SUPPLEMENTAL VIEWS
[To accompany H.R. 850]
[Including cost estimate of the Congressional Budget Office]
The Committee on Armed Services, to whom was referred the
bill (H.R. 850) to amend title 18, United States Code, to
affirm the rights of United States persons to use and sell
encryption and to relax export controls on encryption, having
considered the same, report favorably thereon with amendments
and recommend that the bill as amended do pass.
The amendments are as follows:
Strike out all after the enacting clause and insert in lieu
thereof the following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Protection of National Security and
Public Safety Act''.
SEC. 2. EXPORTS OF ENCRYPTION.
(a) Authority to Control Exports.--The President shall control the
export of all dual-use encryption products.
(b) Authority to Deny Export for National Security Reasons.--
Notwithstanding any provision of this Act, the President may deny the
export of any encryption product on the basis that its export is
contrary to the national security interests of the United States.
(c) Decisions Not Subject to Judicial Review.--Any decision made by
the President or his designee with respect to the export of encryption
products under this Act shall not be subject to judicial review.
SEC. 3. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.
Encryption products with encryption strength equal to or less than
the level identified in section 5 shall be eligible for export under a
license exception if--
(1) such encryption product is submitted for a 1-time
technical review;
(2) such encryption product does not require licensing under
otherwise applicable regulations;
(3) such encryption product is not intended for a country,
end user, or end use that is by regulation ineligible to
receive such product, and the encryption product is otherwise
qualified for export; and
(4) the exporter, at the time of submission of the product
for technical review, provides the names and addresses of its
distribution chain partners.
SEC. 4. ONE-TIME PRODUCT REVIEW.
The President shall specify the information that must be submitted
for the 1-time review referred to in section 3.
SEC. 5. ELIGIBILITY LEVELS.
(a) Initial Eligibility Level.--Not later than 180 days after the
date of the enactment of this Act, the President shall notify the
Congress of the maximum level of encryption strength that may be
exported from the United States under license exception pursuant to
section 3 without harm to the national security interests of the United
States. Such level shall not become effective until 30 days after such
notification.
(b) Periodic Review of Eligibility Level.--The President shall, at
the end of each successive 180-day period after the notice provided to
the Congress under subsection (a), notify the Congress of the maximum
level of encryption strength, which may not be lower than that in
effect under this section during that 180-day period, that may be
exported from the United States under a license exception pursuant to
section 3 without harm to the national security interests of the United
States. Such level shall not become effective until 30 days after such
notification.
SEC. 6. ENCRYPTION LICENSES REQUIRED.
(a) United States Products Exceeding Certain Bit Length.--An export
license is required for the export of any encryption product designed
or manufactured within the United States with an encryption strength
exceeding the maximum level eligible for a license exception under
section 3.
(b) Requirements for Export License Application.--To apply for an
export license, the applicant shall submit--
(1) the product for technical review;
(2) a certification identifying--
(A) the intended end use of the product; and
(B) the expected end user of the product;
(3) in instances where the export is to a distribution chain
partner--
(A) proof that the distribution chain partner has
contractually agreed to abide by all laws and
regulations of the United States concerning the export
and reexport of encryption products designed or
manufactured within the United States; and
(B) the name and address of the distribution chain
partner; and
(4) any other information required by the President.
(c) Post-Export Reporting.--
(1) Unauthorized use.--Any exporter of encryption products
that are designed or manufactured within the United States
shall submit a report to the Secretary at any time the exporter
has reason to believe that any such product exported pursuant
to this section is being diverted to a use or user not approved
at the time of export.
(2) Distribution chain partners.--All exporters of encryption
products that are designed and manufactured within the United
States, and all distribution chain partners of such exporters,
shall submit to the Secretary a report which shall specify--
(A) the particular product sold;
(B) the name and address of the end user of the
product; and
(C) the intended use of the product sold.
SEC. 7. WAIVER AUTHORITY.
(a) In General.--The President may by Executive order waive the
applicability of any provision of section 3 to a person or entity if
the President determines thatthe waiver is necessary to protect the
national security interests of the United States. The President shall,
not later than 15 days after making such determination, submit a report
to the committees referred to in subsection (c) that includes the
factual basis upon which such determination was made. The report may be
in classified format.
(b) Waivers for Certain Classes of End Users.--The President may by
Executive order waive the licensing requirements of section 6 for
specific classes of end users identified as being eligible for receipt
of encryption commodities and software under license exception in
section 740.17 of title 15, Code of Federal Regulations, as in effect
on July 17, 1999. The President shall, not later than 15 days after
issuing such a waiver, submit a report to the committees referred to in
subsection (c) that includes the factual basis upon which such waiver
was made. The report may be in classified format.
(c) Committees.--The committees referred to in subsections (a) and
(b) are the Committee on International Relations, the Committee on
Armed Services, and the Permanent Select Committee on Intelligence of
the House of Representatives, and the Committee on Foreign Relations,
the Committee on Armed Services, and the Select Committee on
Intelligence of the Senate.
SEC. 8. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.
(a) Encryption Industry and Information Security Board Established.--
There is hereby established an Encryption Industry and Information
Security Board. The Board shall undertake an advisory role for the
President on the matter of foreign availability of encryption products.
(b) Membership.--(1) The Board shall be composed of 12 members, as
follows:
(A) The Secretary, or the Secretary's designee.
(B) The Attorney General, or his or her designee.
(C) The Secretary of Defense, or his or her designee.
(D) The Director of Central Intelligence, or his or her
designee.
(E) The Director of the Federal Bureau of Investigation, or
his or her designee.
(F) The Special Assistant to the President for National
Security Affairs, or his or her designee, who shall chair the
Board.
(G) Six representatives from the private sector who have
expertise in the development, operation, marketing, law, or
public policy relating to information security or technology.
Members under this subparagraph shall each serve for 5-year
terms.
(2) The six private sector representatives described in paragraph
(1)(G) shall be appointed as follows:
(A) Two by the Speaker of the House of Representatives.
(B) One by the Minority Leader of the House of
Representatives.
(C) Two by the Majority Leader of the Senate.
(D) One by the Minority Leader of the Senate.
(c) Meetings.--The Board shall meet at such times and in such
places as the Secretary may prescribe, but not less frequently than
every four months.
(d) Findings and Recommendations.--The chair of the Board shall
convey the findings and recommendations of the Board to the President
and to the Congress within 30 days after each meeting of the Board. The
recommendations of the Board are not binding upon the President.
(e) Limitation.--The Board shall have no authority to review any
export determination made pursuant to this Act.
(f) Termination.--This section shall cease to be effective 10 years
after the date of the enactment of this Act.
SEC. 9. MARKET SHARE SURVEY.
The Secretary shall, at least once every 6 months, conduct a market
share survey of foreign markets for encryption products. The Secretary
shall publish the results of the survey in the Federal Register. The
publication shall include an assessment of the market share of each
foreign encryption product in each market surveyed and a description of
the general characteristics of each encryption product.
SEC. 10. DEFINITIONS.
In this Act:
(1) Encryption.--The term ``encryption'' means the
transformation or scrambling of data, for the purpose of
protecting such data, from plaintext to an unreadable or
incomprehensible format, regardless of the techniques used for
such transformation or scrambling and regardless of the medium
in which such data occur or can be found.
(2) Export and exporter.--The term ``export'' includes
reexport, the term ``exporter'' includes ``reexporter''.
(3) Secretary.--The term ``Secretary'' means the Secretary of
Commerce.
Amend the title so as to read:
A bill to protect national security and public safety
through the balanced use of export controls on encryption
products.
PURPOSE AND BACKGROUND
H.R. 850 is similar to a bill (H.R. 695) with the same name
and chief sponsor introduced in the 105th Congress. It would
decontrol the export of encryption software products, and
computers that contain encryption software, considered to be
``generally available.''
The committee recognizes that the impetus for the bill
stems from the explosive growth of the Internet and the rise in
electronic commerce in recent years, which has led to increased
concerns over information security. A growing number of
individuals and businesses now have access to the Internet and
the capability to transmit volumes of personal and proprietary
data from one user to another nearly instantaneously. As
technology advances, the risk that the secure transmission of
this information may be compromised by computer ``hackers'' is
increasing. This risk has resulted in calls for greater
encryption capabilities.
Encryption is a means of scrambling or encoding electronic
data so that its contents are protected from unauthorized
interception or disclosure. Many software application programs
already feature encryption capabilities to afford users a
degree of privacy and security when conducting electronic
transactions. For example, Netscape Communications
Corporation's World Wide Web browser can transmit information
in a secure, encrypted mode that allows individuals to order
products and services by credit card over the internet with a
reasonable expectation that any personal information
transmitted will be protected.
The domestic use of encryption products is presently
unrestricted, since their use by law-abiding citizens and
companies can increase public confidence in the security of
electronic transactions. However, in the hands of terrorists or
criminals, the capability to scramble communications or encode
information may hinder efforts to thwart planned terrorist acts
or apprehend international drug smugglers. Therefore, the
export of encryption capabilities is controlled for important
national security and foreign policy reasons.
In particular, the committee notes that the U.S. military
has made information warfare a key element of U.S. military
strategy. It is a tenet of this element of U.S. strategy that
the United States must be able to protect its own
communications from interception while exploiting the
weaknesses in the information systems and communications of
potential adversaries. Much of the U.S. military's battlefield
advantage relies on information dominance and the ability to
decipher the communications of the enemy. Capabilities that
make it more difficult for the United States to detect the
plans and activities of hostile military forces could
significantly degrade the technological advantage presently
held by U.S. combat forces.
The Institute for National Strategic Studies at the
National Defense University has identified seven areas of
information warfare that could play decisive roles in combat,
including electronic warfare, cyber warfare, command and
control warfare, intelligence-based warfare, and so-called
``hacker'' warfare. The Institute's 1996 Strategic Assessment
study noted the growing importance of information warfare and
the desirability for U.S. exploitation of a potential
adversary's vulnerabilities. The study declared that ``if the
United States could override an enemy's military computers, it
might achieve an advantage comparable to neutralizing the
enemy's command apparatus.'' In addition, it noted the value of
attacking an adversary's commercial computer systems, i.e.,
banking, power, telecommunications, and safety systems. The
ability to ``wreak havoc'' on these systems, the study noted,
``would be a powerful new instrument of power.'' However, as
technology advances, the proliferation of increasingly
sophisticated and difficult to decipher encryption capabilities
overseas may make it more difficult for the United States to
maintain its military superiority and achieve tactical
battlefield advantages.
The capabilities and security of encryption products
generally depend on the length of the encryption algorithm or
electronic ``key'' required to decrypt the data, as measured by
the number of data ``bits'' in the key. Generally speaking, the
longer the key (or number of key bits) the more secure the
encryption program and the more difficult it is to ``break the
code.'' Until January 1997, U.S. policy allowed the
unrestricted export of encryption software with keys up to 40
bits in length. As a result of growing concerns over the
ability to protect the integrity and contents of personal and
proprietary data, and in response to industry demands to market
more capable encryption software overseas, export controls on
U.S.-origin encryption products were relaxed in 1996 and again
in 1998. This has led to concerns that U.S. export control
policy is weighted more heavily toward privacy and economic
concerns rather than national security considerations.
Because of their national security implications, the United
States has traditionally considered encryption products to be
sensitive ``munitions'' items and their export has been
controlled by the State Department. However, in October 1996,
the Clinton Administration decided to transfer jurisdiction
over the export of commercial encryption products from the
State Department to the Commerce Department, which is
responsible for export controls on ``dual use'' items with
military and civilian application. In addition, the
Administration agreed to allow the export of encryption
products with keys of up to 56 bits in length, beginning in
January 1997, provided that the exporting companies develop a
``key recovery'' plan over the next two years that would allow
access to the decryption keys by government law-enforcement
agents or intelligence officials, if necessary, in order to
decode scrambled information. The Administration's key recovery
plan was criticized by industry as unworkable and a
disincentive for foreign customers to purchase American
encryption products. However, U.S. companies appeared to be
complying with the key recovery requirements necessary to
obtain U.S. government export approval, as the number of export
licenses granted for encryption software increased.
In announcing the liberalized export control policy, Vice
President Gore stated that it would ``support the growth of
electronic commerce, increase the security of the global
information (sic.), and sustain the economic competitiveness of
U.S. encryption product manufacturers * * * .'' However, an
Administration talking points paper on the decision noted that
``this export liberalization poses risks to public safety and
national security. The Administration is willing to tolerate
that risk, for a limited period, in order to accelerate the
development of a global key management infrastructure.'' In
addition, in a letter to Congress in November 1996, President
Clinton acknowledged that ``the export of encryption products
transferred to Department of Commerce control could
harmnational security and foreign policy interests of the United States
even where comparable products are or appear to be available from
foreign sources.''
The purported availability of comparable encryption
products from foreign sources remains a major argument used by
industry to support further liberalization of export controls.
According to a recently-released study conducted by George
Washington University's Cyberspace Policy Institute (CPI), more
than 800 encryption products are now available overseas in 35
countries--a 22 percent increase in the past year and a half.
However, the national security community has argued that many
of these products do not perform as advertised or are not
effectively utilized. In addition, as the CPI study notes, only
20 percent of these products contain ``strong'' encryption. In
testimony before the committee on July 1, 1999, Deputy
Secretary of Defense John Hamre stated, ``The foreign
availability argument is seductive, but flawed.'' Strong
encryption ``is not, in fact, ubiquitously available
overseas,'' he stated, adding that ``we see no advantage in
accelerating the general availability of such products to those
who would wish us ill.'' Deputy Attorney General Jamie Gorelick
testified in September 1996 that the availability of encryption
software over the internet ``does not undermine the utility of
controls on exports of software or hardware products. The
simple fact is that the majority of businesses and individuals
with a serious need for strong encryption do not and will not
rely on encryption downloaded from the internet.'' Lifting U.S.
export controls, she argued, would ``[damage] our own national
security interests'' and may not provide the expected benefits
to industry if the removal of U.S. export controls leads to the
introduction by other countries of import restrictions.
In spite of these national security concerns, controls over
the export of U.S.-origin encryption products continued to be
liberalized. In June 1997, Netscape Communications Corporation
and Microsoft Corporation received permission to export
encryption products up to 128 bits in length for use
exclusively for banking and financial transactions. On
September 16, 1998, the Administration announced a further
relaxation of export controls on encryption. As part of this
liberalization, the export of encryption products with key
lengths up to 56 bits was completely decontrolled. Moreover,
strong encryption products of any key length are now allowed to
be exported, license-free, to several sectors of industry in 44
countries. These include subsidiaries of U.S. firms; insurance
companies; health and medical organizations; and on-line
merchants. The Administration also abandoned its insistence on
development of a mandatory key recovery infrastructure.
H.R. 850, and companion legislation in the Senate,
represent a further attempt to significantly liberalize U.S.
encryption policy. In particular, H.R. 850 would:
(1) prohibit the government from requiring the use of
key-recoverable encryption systems;
(2) prohibit the government from controlling the
export or re-export of commercially-available
encryption-capable software or computers using such
software;
(3) grant the Commerce Department exclusive authority
to control exports of all hardware, software, and
technology for information security, except that
designed for military use; and
(4) direct the Secretary of Commerce to allow the
export or re-export of encryption-capable software for
non-military end-uses in any country, or computers
using such software based on considerations of foreign
availability.
By prohibiting the government from requiring the use of key
recovery-capable encryption products, section 2 of H.R. 850
would seriously impact the ability of the Department of Defense
to effectively monitor the thousands of business and contract
actions taken each day by the Department. In addition, this
section would undermine government efforts to foster the
voluntary development by industry of a key management
infrastructure.
The committee notes that section 3 of H.R. 850 carries the
most serious implications for U.S. national security. This
section removes virtually all controls on the exportability of
encryption products and greatly increases the likelihood that
strong encryption products will be used by international
terrorists to hide their plans. The committee notes that
encryption is already being used by terrorists, and believes
that the United States should not facilitate the spread of even
stronger, unbreakable encryption capabilities to individuals or
entities that seek to harm Americans. H.R. 850, as introduced,
would do just that.
In his testimony before the committee on July 1, 1999,
Deputy Secretary of Defense John Hamre stated, ``I can
unequivocally tell you Osama bin Laden (the accused mastermind
of the U.S. Embassy bombings in Kenya and Tanzania) and other
bad guys in the world are not only using information technology
but encrypted information technology.'' Testifying before the
committee on July 13, 1999, FBI Director Louis Freeh noted that
Ramzi Yousef, convicted conspirator in the World Trade Center
bombing, used encrypted computer files to mask his plans to
blow up 11 U.S. airliners. It took ``months and months'' to
decrypt that information. Director Freeh noted that ``if those
were plans that were imminent and we were in the possession of
that [encrypted] information, we would not have been able to
solve that.''
The committee also notes that section 3 of H.R. 850 would
remove all controls on the export of high-performance computers
(so-called ``supercomputers'') if those computers contain
encryption products or software that are ``generally
available.'' In the committee's view, this is one of the most
significant and potentially dangerous flaws in H.R. 850. In
light of the evidence that U.S. supercomputers were
inappropriately transferred to entities of concern in Russia
and China, and the recommendations to tighten export controls
on high-performance computers contained in the report of the
Congressionally-mandated Select Committee on U.S. National
Security and Military/Commercial Concerns With the People's
Republic of China (the ``Cox Committee''), the removal of
export restrictions on such machines would have significant
consequences for U.S. national security. Further, this section
would also supersede section 1211 of the National Defense
Authorization Act for Fiscal Year 1998 (Public Law 105-85),
which is designed to prevent the inadvertent export of
supercomputers to questionable end users in countries of
proliferation concern.
In summary, the committee concludes that H.R. 850, as
introduced, would harm U.S. national security interests.
According to Deputy Secretary of Defense Hamre, H.R. 850
``would seriously weaken our national security.'' In a March
24, 1999 letter to House Judiciary Committee Chairman Henry
Hyde, Secretary Hamre stated, ``The passage oflegislation that
immediately decontrols the export of strong encryption will result in
the loss or delay of essential intelligence reporting because it may
take too long to decrypt the information--if indeed we can decrypt it
at all * * *. H.R. 850 threatens our ability to do just that.'' In a
May 24, 1999 letter to Chairman Spence, Secretary Hamre concluded that
``H.R. 850 is anything but safe legislation.'' In his testimony before
the committee on July 1, 1999, Secretary Hamre declared that the
``unregulated release of the strongest encryption is going to do one
thing: put more troops' lives at risk. Period.'' In her testimony
before the committee on July 1, 1999, National Security Agency (NSA)
Deputy Director McNamara testified that it will ``greatly complicate
our exploitation of foreign targets'' and make NSA's job ``difficult,
if not impossible.'' She argued that ``the immediate decontrol of
encryption exports as proposed in the SAFE Act * * * [would] put
national security at serious risk.''
The committee notes that the Administration has also
criticized the move to decontrol the export of encryption
products on law-enforcement grounds. For example, in a July 16,
1999 letter to Chairman Spence, the President of the
International Association of Chiefs of Police stated that H.R.
850 ``would pose an enormous danger to both law enforcement and
to society as a whole.''
In response to these concerns, the committee agreed to
amend H.R. 850 by deleting all after the enacting clause and
substituting language that would grant the President authority
to control exports of all dual-use encryption technology. The
amendment also would allow for export without a license
(referred to as a ``license exception'') for the export of
encryption products with a strength at or below the maximum
threshold established by the President. Export of these
products would only occur under a ``license exception'' after a
one-time government review. The President would also be able to
waive an export under license exception for national security
reasons. The amendment would also direct the President to
notify Congress on a semi-annual basis of the appropriate
threshold for the strength of encryption products that may be
exported without harm to U.S. national security. The Congress
would have a 30-day period to review the appropriateness of the
notified level.
The amendment would establish licensing criteria for the
export of encryption items with a strength that exceeds the
maximum threshold established by the President for license
exception. It would also be consistent with current
Administration policy that allows the export of strong
encryption to certain industry sectors, such as financial and
medical institutions. In addition, the amendment would
establish an encryption industry and information security board
to review and advise the President on the foreign availability
of encryption products.
LEGISLATIVE HISTORY
H.R. 850, the ``Security and Freedom through Encryption
(SAFE) Act,'' was introduced by Representative Bob Goodlatte
(R-VA) on February 25, 1999. The bill was reported April 27,
1999 by the House Committee on Judiciary (H. Report 106-117,
Part I), and was reported (amended) on July 2, 1999 by the
House Committee on Commerce (H. Rept. 106-117, Part II). The
bill was also referred to the Committee on International
Relations, the Permanent Select Committee on Intelligence, and
the Committee on Armed Services.
On July 1, 1999 the Committee on Armed Services held a
hearing on H.R. 850. Testimony was taken from Deputy Secretary
of Defense John Hamre and Deputy Director of the National
Security Agency Barbara McNamara. The focus of the hearing was
to assess the bill's impact on U.S. national security.
On July 13, 1999, a second full committee hearing was held.
Testimony was received from Attorney General Janet Reno, FBI
Director Louis Freeh, Under Secretary of Commerce for Export
Administration William Reinsch, and industry witnesses
regarding the legislation's impact on national security, law
enforcement, and public safety.
On July 21, 1999, the committee held a mark-up session to
consider H.R. 850. The committee adopted an amendment in the
nature of a substitute by a record vote of 47 to 6. The amended
version of the bill was reported favorably by a voice vote. The
record vote result can be found at the end of this report.
SECTION-BY-SECTION ANALYSIS
The following is a section-by-section analysis of the
amendment in the nature of a substitute adopted by the
committee.
Section 1--Short title
This section would cite the Act as the ``Protection of
National Security and Public Safety Act.''
Section 2--Exports of encryption
This section would grant the President authority to control
the export of all dual-use encryption products and would allow
the President to deny the export of any encryption product if
such export would be contrary to the national security
interest. It would also ensure that any Presidential decision
with respect to the export of encryption products is not
subject to judicial review.
Section 3--License exception for certain encryption products
This section would allow an encryption product of a
strength less than or equal to the threshold established by the
President in section 5 to be exported without a license
(``license exception'') if certain conditions are met,
including submission of the product for a one-time technical
review.
Section 4--One-time product review
This section would require the President to specify the
information that must be submitted for the one-time product
review.
Section 5--Eligibility levels
This section would require the President to establish,
within 180 days of enactment, the maximum level of encryption
strength that may be exported under license exception without
harm to U.S. national security interests. It would also require
the President to review this threshold level every six months.
In both cases, the level would not take effect until 30 days
after the Congress is notified. In effect, this section would
grant the President the flexibility to adjust the export
licensing threshold as the level of technology advances,
consistent with U.S. national security requirements.
Section 6--Encryption licenses required
This section would require an export license for an
encryption product with a strength that exceeds the threshold
level established by the President in section 5. It would
require an exporter seeking an export license to submit the
encryption product for technical review and to provide a
certification identifying the intended end use and end user of
the product. In instances where the export is to a distribution
chain partner, it would require submission of the name and
address of the partner, along with proof that the partner has
contractually agreed to abide by all U.S. export and re-export
laws and regulations. This section would also require exporters
to notify the Secretary of Commerce if they have reason to
believe that their encryption product is being used in an
unapproved manner or by an unapproved end user. This section
would also require distribution chain partners to submit a
report on the intended end use and end user of the product.
Section 7--Waiver authority
This section would allow the President to waive the license
exception requirements in section 3 for national security
reasons. It would also allow the President to exempt certain
industry sectors from the licensing requirements in section 6
after notifying Congress. This would be consistent with current
Administration policy which allows the unlicensed export of
strong encryption products to certain sectors of industry, such
as financial and medical institutions.
Section 8--Encryption industry and information security board
This section would establish an advisory board to review
and advise the President on the foreign availability of
encryption products. The board would be composed of six
government officials and six members from the private sector.
The findings of the board would be conveyed to the President
and the Congress.
Section 9--Market share survey
This section would require the Secretary of Commerce to
conduct, at least once every six months, a market share survey
of foreign markets for encryption products.
Section 10--Definitions
This section would define terms used in this Act.
committee position
On July 21, 1999, the Committee on Armed Services, a quorum
being present, approved H.R. 850 as amended, by a voice vote.
fiscal data
Pursuant to clause 3(d)(2)(A) of rule XIII of the Rules of
the House of Representatives, the committee attempted to
ascertain annual outlays resulting from the bill during fiscal
year 2000 and the four following fiscal years. The results of
such efforts are reflected in the cost estimate prepared by the
Director of the Congressional Budget Office under section 402
of the Congressional Budget Act of 1974, which is included in
this report pursuant to clause 3(c)(3) of rule XIII of the
Rules of the House.
Congressional Budget Office Estimate
In compliance with clause 3(c)(3) of rule XIII of the Rules
of the House of Representatives, the cost estimate prepared by
the Congressional Budget Office and submitted pursuant to
section 402(a) of the Congressional Budget Act of 1974 is as
follows:
July 22, 1999.
Hon. Floyd Spence,
Chairman, Committee on Armed Services,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 850, the
Protection of National Security and Public Safety Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Mark Hadley.
Sincerely,
Dan L. Crippen, Director.
congressional budget office cost estimate
Protection of National Security and Public Safety Act
H.R. 850 would clarify the President's authority to control
the export of encryption products. The effectiveness or
strength of contemporary encryption products is measured by the
number of bits that make up the key for the encryption
algorithm. (The term ``key'' refers to the mathematical code
used to translate encrypted information back into its original,
unencrypted format.) Under current policy, domestic producers
may export encryption products with key lengths of up to 56
bits and stronger products for specified industries.
Under the bill, the President would determine the maximum
strength of encryption products that may be exported (with
review and potential updates of that maximum every 180 days).
In addition, the bill would allow the President to deny the
export of any encryption product if the export of such product
is contrary to the national security interest of the United
States. H.R. 850 would establish a board to advise the
President on the export of encryption products. Finally, the
bill would require the Department of Commerce to conduct a
market share survey of foreign markets for encryption products
every six months.
Based on information from the Department of Commerce, CBO
estimates that implementing H.R. 850 would cost about $1
million a year, subject to appropriation of the necessary
mounts. H.R. 850 would not affect direct spending or receipts;
therefore, pay-as-you-go procedures would not apply. H.R. 850
contains no intergovernmental or private-sector mandates as
defined in the Unfunded Mandates Reform Act and would impose no
costs on state, local, or tribal governments.
CBO has completed numerous other estimates of bills
affecting the export of encryption products, including three
versions of H.R. 850. Differences between this estimate and our
previous estimates reflect differences between the bills. On
April 21, 1999, CBO transmitted a cost estimate for H.R. 850 as
ordered reported by the House Committee on the Judiciary on
March 24, 1999. On July 1, 1999, CBO transmitted an estimate
for H.R. 850 as ordered reported by the House Committee on
Commerce on June 23, 1999. On July 16, 1999, CBO transmitted an
estimate of H.R. 850 as ordered reported by the House Committee
on International Relations on July 13, 1999. And on July 9,
1999, CBO transmitted an estimate for S. 798, the Promote
Reliable Online Transactions to Encourage Commerce and Trade
(PROTECT) Act of 1999, as ordered reported by the Senate
Committee on Commerce, Science, and Transportation on June 23,
1999. CBO estimated that the versions reported by the Judiciary
Committee and the International Relations Committee would each
cost between $3 million and $5 million over the 2000-2004
period and that the House Commerce Committee's version of H.R.
850 and the Senate bill (S. 798) would each increase costs by
at least $25 million over the same period.
The CBO staff contact is Mark Hadley. This estimate was
approved by Robert A. Sunshine, Deputy Assistant Director for
Budget Analysis.
Committee cost estimate
Pursuant to clause 3(d) of rule XIII of the Rules of the
House of Representatives, the committee generally concurs with
the estimate contained in the report of the Congressional
Budget Office.
oversight findings
With respect to clause 3(c)(1) of rule XIII of the Rules of
the House of Representatives, this legislation results from
hearings and other oversight activities conducted by the
committee pursuant to clause 2(b)(1) of rule X.
With respect to clause 3(c)(2) of rule XIII of the Rules of
the House of Representatives and section 308(a)(1) of the
Congressional Budget Act of 1974, this legislation does not
include any new spending or credit authority, nor does it
provide for any increase or decrease in tax revenues or
expenditures. The fiscal features of this legislation are
addressed in the estimate prepared by the Director of the
Congressional Budget Office under section 402 of the
Congressional Budget Act of 1974.
With respect to clause 3(c)(4) of rule XIII of the Rules of
the House of Representatives, the committee has not received a
report from the Committee on Government Reform and Oversight
pertaining to the subject matter of H.R. 850.
constitutional authority statement
Pursuant to clause 3(d)(1) of rule XIII of the Rules of the
House of Representatives, the committee finds the authority for
this legislation in Article I, section 8 of the United States
Constitution.
statement of federal mandates
Pursuant to section 423 of Public Law 104-4, this
legislation contains no federal mandates with respect to state,
local, and tribal governments, nor with respect to the private
sector. Similarly, the bill provides no unfunded federal
intergovernmental mandates.
record vote
In accordance with clause 3(b) of rule XIII of the Rules of
the House of Representatives, a record vote was taken with
respect to the committee's consideration of H.R. 850. The
record of this vote can be found on the following page.
The committee ordered H.R. 850, as amended, reported to the
House with a favorable recommendation by a voice vote, a quorum
being present.
ADDITIONAL VIEWS
Mr. Chairman, I submit the following additional comments
for inclusion to the committee report for H.R. 850 and thank
you for your considerations.
As an original co-sponsor of the Security and Freedom
Through Encryption Act (SAFE) I demonstrated my support for an
open market. It is my belief that we can and should be the
world's leader in the development and marketing of
technologies, and as a member of Congress we have a
responsibility to protect the security of the American people.
The amended version of H.R. 850 is the first step to take a
serious look at what is required to release technologies and
protect National Security. I look forward to continued
discussions on this issue and the establishment of a
performance threshold for encryption that will serve both the
private and public sector.
J.C. Watts, Jr.
SUPPLEMENTAL VIEWS
As a Member of the House Armed Services Committee, I am the
first to stand in support of our national security. But now is
the time to legislate a balanced encryption policy in the
United States.
Over the course of the 106th Congress, I have met with and
talked to numerous experts in the computer and security field.
The experts I spoke with represented various views on export
controls to encode, or encrypt, electronic communications. Now
is the time for Congress to make a decision for a well thought
out encryption policy for this great country of ours.
It is my belief, that current U.S. regulations limit the
export of encryption and unfairly handicap American high-
technology companies. Even though we are the leaders in
information technology, it is vital that we maintain our
strategic information dominance. What is imperative is that our
law enforcement and national security agencies must do more to
develop alternative means for achieving their missions while
focusing on strong encryption.
The provisions of the SAFE Act would remove most license
requirements for exports of recoverable products. It would
remove existing barriers to secure e-commerce and business-to-
business transactions. The SAFE Act, however, would not absolve
the computer industry of its obligations, to law enforcement,
or to the intelligence community.
We all acknowledge that the United States leads the world
in the production of computer hardware and software, and
technology is the engine driving the global economy. We as a
country, should not sit idly by and let U.S. companies lose
their edge in the world market because they can't deliver the
kind of secure products and services that customers demand.
H.R. 850 ensures that safety and security become the
cornerstones of the information superhighway. If U.S.
encryption continues to be restricted, foreign products may
soon dominate the worldwide market, hindering our ability to
gather intelligence against terrorists and criminals.
I would also like to state for the record that for reasons
stated above, I would not have voted for the Weldon, Sisisky,
and Andrews Substitute Amendment, had I been present.
Patrick J. Kennedy.
�