H.R. 695, THE SECURITY AND FREEDOM THROUGH ENCRYPTION ACT
House of Representatives,
Committee on National Security,
Washington, DC, Wednesday, July 30, 1997.
The committee met, pursuant to notice, at 10:05 a.m., in room 2118, Rayburn House Office Building, Hon. Floyd D. Spence (chairman of the committee) presiding.
OPENING STATEMENT OF HON. FLOYD D. SPENCE, A REPRESENTATIVE FROM SOUTH CAROLINA, CHAIRMAN, COMMITTEE ON NATIONAL SECURITY
The CHAIRMAN. The meeting will please be in order.
On June 26, the committee received sequential referral of H.R. 695, the Security and Freedom Through Encryption Act, a bill intended to liberalize the use and export of encryption-related technologies.
Encryption technology consists mostly of computer programs that translate electronic communications into a form for secure communications transmission. Encryption capability is essential for a number of uses, including the secure transmission of military message traffic, commercial banking wire transfers, and individual credit card purchases on the Internet.
However, law-abiding citizens, banks, and the Department of Defense are not the only users of encryption software. Encryption software can also be used by drug dealers, terrorists, and countries with interests counter to our own. The unchecked proliferation of sophisticated encryption technology will certainly complicate the ability of the United States military forces to operate effectively on tomorrow's battlefield.
As a result, it may always be necessary for United States law enforcement and national security officials to at least have the capability to decipher encrypted communications when deemed necessary in the national interest.
For these reasons, the immediate task before the committee is to evaluate the implications that decontrol of encryption technology could have on national security. While there are legitimate arguments for developing an encryption technology policy that recognizes the explosive growth in telecommunications over the past few years, we have, I believe, a higher obligation to understand the national security implications of any such policy. Since the legislation before us today has been referred to four other committees to ensure that it receives broad scrutiny in the House, our principal charge is to consider this bill and its implications from the national security perspective.
It is my intention, working in concert with Mr. Dellums and interested members on both sides of the aisle, as well as the administration, to use the weeks ahead to better understand these issues in order to arrive at a set of recommendations that we can report to the House in early September.
While I have not reached any final conclusion myself, I do have concerns with changes being proposed by H.R. 695 that could have serious national security implications. It is my hope that some of these concerns will be discussed today so that members might have a fuller appreciation of the importance of these issues.
Our first panel today consists of administration witnesses who will address their concerns with H.R. 695 and encryption decontrol: Mr. William Reinsch, Under Secretary of Commerce for Export Administration, and Mr. William Crowell, Deputy Director of the National Security Agency.
Our second panel will consist of witnesses from industry who will provide different perspectives on the legislation and the broader issue of encryption decontrol: Mr. Thomas Parenty, Director of Data and Communications Security at Sybase, Inc., representing the Business Software Alliance in support of H.R. 695; and Mr. Stephen Walker, President and CEO of Trusted Information Systems, Inc., which specializes in research, product development, and consulting in the fields of computer and communications security.
The CHAIRMAN. Before proceeding, I would like to first recognize the committee's distinguished ranking member, Mr. Dellums, for any comments he would like to make.
STATEMENT OF HON. RONALD V. DELLUMS, A REPRESENTATIVE FROM CALIFORNIA, RANKING MEMBER, COMMITTEE ON NATIONAL SECURITY
Mr. DELLUMS. Thank you very much.
Mr. Chairman and members of the committee, today promises to be an intriguing and intellectually challenging exercise for this committee. I join with you in welcoming our distinguished witnesses here this morning. You have already identified the opening panel. We also will be joined by Mr. Thomas Parenty and Stephen T. Walker, as you indicated, who will represent industry.
I would just like to point out that Mr. Parenty comes from a very enlightened and very informed part of the country, the 9th Congressional District in the State of California, and I would like to personally welcome the gentleman and look forward to his testimony.
Mr. Chairman, I note that today's hearing will be challenging because it wraps up in one subject an extremely complicated technical issue that touches on several significantly important public policy issues. This committee, of course, will focus on the traditional national security interests at stake. For example, what will the release of encryption software do to make more effective or less effective the ability of our intelligence and military services to perform their missions and at what increases in the risk to personnel in the field? In this vein, Deputy Director Crowell will be very helpful to this committee and inform our insights in that regard.
In addition, though, are the related issues of the promotion of trust in the means of electronic commerce and the confidence that people will have that their financial affairs remain private. If a healthy economic base is a critical component of a comprehensive national security strategy, and I believe that it is, then we must assure ourselves that we will not needlessly imperil the development of such an economy.
In addition, our citizens reasonably believe that the Constitution protects their privacy from unwarranted government intrusion. This, too, is a critical issue of national security and must be weighed in the balance if we are to craft an intelligent policy to monitor and control, to the degree necessary, the proliferation of such technology.
Mr. Chairman, I would be the first to confess that the complexity of the technical issues here can and, I believe, will be numbing. Thus, it becomes even more tempting for this committee just to go along with the actions of the previous committees of jurisdiction rather than to delve into these matters and try to reformulate policy in a better balanced fashion. I hope that today's witnesses can provide us with the information needed to avoid the easy route and take up the more difficult task of producing a U.S. Government policy on encryption software that makes the best balance between security, commerce, and privacy. That, indeed, is our challenge, and I would like to hope that at the end of the day that becomes an achievable goal.
With those remarks, Mr. Chairman, I would yield back the balance of my time.
The CHAIRMAN. The Chair thanks the gentleman.
Without objection, the statements of our witnesses will be submitted for the record. Mr. Secretary, you can lead off as you would like.
STATEMENT OF WILLIAM REINSCH, UNDER SECRETARY FOR EXPORT ADMINISTRATION, DEPARTMENT OF COMMERCE
Secretary REINSCH. Thank you very much, Mr. Chairman. Let me deliver an abbreviated version of my statement since the entire thing will be submitted.
As members know, the President has decided on an encryption policy, and we are well on our way to implementing it. It is intended to balance the competing interests in this issue: privacy, electronic commerce, law enforcement, and national security.
Making strong commercial encryption widely available is in the best interest of the United States. We believe it is inevitable as powerful computers and advanced telecommunications rapidly lead to the creation of broad electronic networks which will form the basis for communication and commerce in the future. The ability to encrypt electronic messages and data will be essential for electronic commerce and for the full development of information technology. Businesses and individuals need encrypted products to protect sensitive commercial information from fraud and industrial espionage and to preserve privacy, and their demand for those products will further facilitate the spread of strong encryption. We need to shape our export control policies to allow American companies to take advantage of their strengths in information technology in their pursuit of global markets.
At the same time, though, this inevitable increased use of encryption carries with it serious risks for public safety and our national security. Any policy on encryption must address these risks as well if it is to be in the national interest. The President's policy is intended to provide that balance, and it does so by working in close consultation with the private sector and by attempting to work with the market rather than against it.
Our policy is based on trying to promote key recovery in the marketplace, and by key recovery, I refer to a range of technologies, some in existence, some under development, some still being conceived, that are designed to permit the plaintext recovery of encrypted data or communications. And I think Mr. Crowell in his comments may have some more to say about that particular technology.
In order to facilitate that development, we have taken a number of steps, only several of which I would like to mention in the interest of time, and the rest are in my statement. And then I would like to use my remaining time to make a comment on the bill that is pending before you.
On December 30, we published new regulations that set forth several procedures to support the development of a key management infrastructure. The most important of those is the creation of a license exemption which allows recoverable encryption products of any strength and any key length to be exported freely after a single review by Commerce, Justice, and the Department of Defense.
At the same time, to encourage the further development of those kinds of products (that is, products that contain key recovery features), we have also created a special 2-year liberalization period of export controls during which companies may export 56-bit DES or equivalent products, provided they submit plans and show that they are working to develop the key management infrastructure that the administration envisions. And I believe that both of the witnesses in the second panel will be able to speak to their experiences with this part of our policy.
Perhaps the best gauge of industry response to our efforts has been the flow of applications since we changed our policy at the 1st of the year. In the first 7 months, we have received over 1,000 license applications for exports valued over $500 million. Thirty-three companies have submitted commitment plans which lay out how they will build and market key recovery products, and we know that others have them in preparation. These companies include some of the largest software and hardware manufacturers in the country. We have approved 29 of these plans, and we expect to approve more shortly. None have been rejected.
One issue that is repeatedly raised in the encryption debate is that of foreign availability. We often hear that encryption products are widely available overseas, that other countries do not control their export, and that American firms are suffering grievous losses. We have been hearing these predictions since at least 1990, but to date, they do not seem to have come true. Commerce and NSA studied the foreign availability of encryption in 1995, and at that time we did not find that claims of widespread foreign availability of encryption products were accurate. While the pace of change and the market for information technology is rapid and there is, without question, a growing number of strong encryption products in existence, we do not yet see widespread foreign use of these encryption products.
Precise figures are difficult to come by, and the estimates which one sees in the press tend to reflect more the estimator's desires than actual market share. What we do know is that only a few countries produce encryption products at this time. Some, like Switzerland, produce only specialized products for a small segment of the market. Others, like Japan, produce primarily hardware products. These countries have export controls on encryption, and we are engaged in regular discussions with them, primarily through Ambassador David Aaron, our Ambassador to the OECD, whom the President has appointed our Special Ambassador for Cryptography, who is undertaking a comprehensive effort to develop with our trading partners a multilateral approach to this problem.
We believe assertions, therefore, of foreign availability are premature, but we agree, nevertheless, that it is something that we have to monitor closely as we implement our policy. And it is also clear that if we cannot come to some consensus with our trading partners on this issue, over the long term the assertions of the business community about foreign availability and use will turn out to be accurate.
Now, we have stated on numerous occasions we do not support mandatory key escrow or mandatory key recovery. We do, however, support legislation that is intended to achieve the following objectives:
Expressly confirm the freedom of domestic users to choose any type or strength of encryption; explicitly state that participation in a key management infrastructure is voluntary; set forth legal conditions for the release of recovery information to law enforcement officials pursuant to lawful authority and provide liability protection for key recovery agents who have properly released such information; criminalize the misuse of keys and the use of encryption to further a crime; and offer, on a voluntary basis, firms that are in the business of providing public cryptography keys the opportunity to obtain government recognition, allowing them to market the trustworthiness implied by government approval.
In that regard, I want to tell the committee that H.R. 695, which is pending before you, would not be helpful, and the administration does not support it. The bill proposes export liberalization far beyond what the administration can entertain and which we believe would be contrary to our international export control obligations and detrimental to our national security.
In particular, as drafted, and I emphasized "as drafted," Mr. Chairman, because I am not entirely sure it was the intent of the author to do this. The bill as drafted would decontrol all software, including that software which is controlled for national security purposes for other reasons, such as software which is used to operate five-axis machine tools and proprietary software for the design of individual particular semiconductor chips.
Further, the bill as drafted would decontrol virtually all computers, certainly any computers, for example, that contain a Pentium chip, including those computers which the Congress, via an amendment offered by the chairman and the ranking member, placed under additional controls by a large vote on June 20. This bill as drafted would undo that action and would also decontrol many other computers as well.
As I said, I am not sure that is the intent of the authors of the bill, but that would be the effect. And I think, intended or not, it is clearly an effect that goes way beyond the issue of encryption and would, in fact, have a significant adverse effect on national security.
Now, in our view, S. 909, the Secure Public Networks Act, is the best vehicle for creating the legal framework the United States needs for electronic commerce. S. 909 contains many elements we support, and its explicit recognition of the need to balance competing objectives will let industry, the law enforcement community, and other interested parties work together to reach a consensus. In that regard, Mr. Chairman, I would like to insert in the record a letter from the President that was sent to the Senate Republican leader, Senator Lott, with respect to S. 909.
The CHAIRMAN. Without objection.
Secretary REINSCH. Thank you.
[The letter can be found in the appendix on page 98.]
Secretary REINSCH. We need legislation this year to assure the confidence necessary for electronic commerce to move forward and to preserve our leadership in information technology, and we look forward to working with the Congress and with this committee to reach a consensus on this issue.
Thank you.
[The prepared statement of Secretary Reinsch can be found in the appendix on page 50.]
The CHAIRMAN. Mr. Crowell.
STATEMENT OF WILLIAM P. CROWELL, DEPUTY DIRECTOR, NATIONAL SECURITY AGENCY
Mr. CROWELL. Thank you, Mr. Chairman, and thank you for inviting me to testify today to this committee on the implications of H.R. 695 for national security.
For decades, NSA has been the core of the Nation's cryptologic expertise. We provide vital intelligence to national leaders and military commanders, and we provide cryptographic safeguards that allow our leaders to communicate securely with each other.
Since NSA has both a foreign signals intelligence mission and an information security mission, encryption and policies related to it are of direct concern to us.
On the national security issue, there is no doubt but that the passage of H.R. 695 would negatively impact NSA's missions. H.R. 695 would decontrol the export of commercial software encryption and some hardware encryption products. While NSA did agree to a liberalization of export controls earlier this year, the immediate decontrol of strong encryption products without restriction would make our signals intelligence mission much more difficult and ultimately result in the loss of intelligence.
Immediate relaxation of export controls will likely result in the spread of strong encryption globally and the use of encryption at multiple levels within a communications network. This would greatly complicate our exploitation of foreign targets, including military targets.
Today we obtain a significant amount of intelligence from unencrypted communications. Some of these contain information on high-priority national security and foreign policy issues. The decontrol of encryption exports as proposed by H.R. 695 would have the likely result of rendering much of this vital information unavailable to us. The bill would also deprive us of the opportunity to review encryption products prior to their export.
In the past, this review process has provided us with valuable insight into what is being exported, to whom, and for what purpose. Without this review, it would be impossible to control exports of encryption to pariah states.
H.R. 695 would undermine international efforts to catch terrorists, spies, and drug traffickers. Quite simply, such efforts save American lives and protect our society. The Secretary of Defense, Secretary Cohen, and Attorney General Reno sent you letters last week that very clearly state their support for encryption policies that support these national security and public safety issues, and if you will, Mr. Chairman, I have copies of those letters to submit for the record.
The CHAIRMAN. Without objection.
[The letters can be found in the appendix on page 99 and 104.]
Mr. CROWELL. H.R. 695 will do irreparable harm to national security and public safety while doing nothing to achieve the administration's goal of getting strong encryption used widely and increasing the public trust in the use of networks. Despite the availability of domestic and foreign products that contain encryption, encryption is not being used widely in the United States or abroad. Unfortunately, many people are caught up in counting the number of encryption products that are available instead of focusing on the fact that these products are not being used widely.
The solution to this encryption debate is a balanced national policy which takes into consideration the many interests at stake. H.R. 695 is not the answer. It does nothing to encourage the development of the national or the international framework that would facilitate the wide and trusted use of encryption, but it does harm national security.
Late last year, the administration changed export policies to allow companies to obtain export licenses for strong encryption for banking and financial applications or when the key or the underlying information is recoverable. This opened major markets for U.S. exports to further electronic commerce. It is unclear to me what additional markets H.R. 695 is intended to enhance.
A balanced encryption policy, a policy that addresses how we protect the Nation's public safety and national security, and how we get strong encryption to be used widely requires more than just encryption hardware or software. It also requires encryption support services called key management infrastructures and key recovery.
Key management infrastructures provide the trust that binds cryptography to real applications. They provide essential support services to encryption users by helping with the generation, certification, distribution, and revocation of keys. Until these trusted infrastructures are developed, the promise of encryption and electronic commerce will remain largely unfulfilled. H.R. 695 does nothing to address this issue, despite Mr. Goodlatte's public statement in support of key management and key recovery.
I would like to quote from Mr. Goodlatte's statement at the 8th of May House International Relations Subcommittee hearing.
You're absolutely right, Mr. Crowell, that we have to promote the use of key management and key recovery, because if anyone sets up a heavily encrypted communications system and loses their key or hasn't the ability to communicate with some aspect of their communications system, they have created an enormous problem for themselves, risking huge economic loss by doing so.
In electronic transactions, encryption is of little use, no matter how strong or how widely available it is, if you don't know who you are communicating with, who you are doing business with, whether the information is authentic, or whether the other person can protect the information that you are entrusting them with to the same degree you can, or even how to get in touch with the person in the first place and authenticate their address and their signature. These are the services that key management infrastructures do for encryption, and without them, people won't trust and use encryption widely.
The more important your information, the more damaging it will be to lose it. People will find that they will need the ability to recover their information when they have encrypted it, but do not have the key.
Yesterday, I was talking to a renowned author, someone that this committee would all know if I mentioned his name, and he had lost the password to one of his latest works, and he was in great distress.
Key recovery is a value-added service offered as a part of key management infrastructures. It is like an insurance policy. If you lose your key, you can recover it easily from the loss. This insurance policy is invaluable to an individual or to a company who loses their key to a critical encrypted file, and it also provides the mechanism by which we can protect law enforcement interests to conduct court-ordered wiretaps.
In summary, Mr. Chairman, H.R. 695 will harm national security interests. It will make NSA's job of providing vital intelligence to our leaders much more difficult. And America needs a balanced encryption policy, one that addresses how we get strong encryption to be used widely, and how we also protect the Nation's public safety and national security.
This is a tough public policy issue, one of the toughest I think we have faced in a great while. It demands more serious treatment than it has received in the past, more leadership, more structure to the debate. This issue is really about how to achieve balance in public policy and how to achieve trust in the networks that are becoming so pervasive in our lives.
Thank you very much, Mr. Chairman.
[The prepared statement of Mr. Crowell can be found in the appendix on page 54.]
The CHAIRMAN. Thank you both.
Mr. Dellums.
Mr. DELLUMS. Mr. Chairman, on this side, we have, in anticipation of this hearing, prepared several questions that I would like to pose to this panel for the purposes of establishing a beginning point for, as I think Mr. Crowell pointed out, a very significant and important public policy discussion.
What military applications do commercial encryption products have that would be useful to potential adversaries, Mr. Crowell?
Mr. CROWELL. The encryption that we are seeing in the commercial marketplace today provides for, if used properly and with proper infrastructure, provides for incredible protection. If used in the military application, just as an example (and, by the way, that has a strong possibility as we begin to encourage this more and more), they provide an incredible degree of protection. I will give you an example.
If a product of 56-bit strength, which you recently saw was addressed by an attack on the Internet, was used by a military organization, it took the Internet participants 78,000 computers in 96 days to break one message. If NSA were to use its capabilities, the time would not be significantly shorter.
If you were to use a 65-bit encryption, that time for recovery of one message would increase to about 6,000 to 7,000 years. And if it were 128-bit cryptography, it would increase to 8.6 trillion times the age of the universe to recover one message.
So the advantage to military forces in using this kind of encryption is significant.
Mr. DELLUMS. Well, you anticipated my second question because my question was: As the length of the encryption code increases from 40 to 56 to 128 and beyond, how does this complicate the ability of the military or our intelligence agencies to perform their national security mission?
Mr. CROWELL. Essentially, every bit that is added to the key length doubles the difficulty of recovering the information, whether it is for intelligence purposes or for your own purposes and recovering your own information.
Mr. DELLUMS. Doubles for each
Mr. CROWELL. For each bit. So if it takes 78,000 computers 96 days to recover 56 bits, 57 bits takes twice that length of time, 58 four times, and so on.
Mr. DELLUMS. Thank you.
My third question is: What has been the historic position of the United States Government to control the dissemination of these technologies? And I would direct this to Mr. Reinsch.
Secretary REINSCH. These technologies have historically been subject to strict export controls, both under COCOM and also currently under the Wassenaar arrangement. What has changed, I think, Mr. Dellums, is the development of the Internet and the widespread availability of these technologies to private citizens. Historically, even up through the 1950's, 1960's, and 1970's, these technologies were primarily the province of the military and diplomats and were used for those purposes. The development of the mathematics or the creation, shall we say, of the mathematics that permitted the development of public-private key encryption was an event that occurred, when?
Mr. CROWELL. 1978, I think.
Secretary REINSCH. OK, 1978, and the development since then of very fast computers, along with this mathematics, as well as the development of the Internet, is what now makes this an issue because it is now widely available.
Mr. DELLUMS. Mr. Crowell, in your opening remarks, you touched upon this issue that I will raise in my question, and I would appreciate it if you would amplify. How would the various encryption-related legislative initiatives currently under consideration affect U.S. warfighting and intelligence capabilities?
Mr. CROWELL. Well, H.R. 695, as I testified, would have the effect of immediately decontrolling strong encryption, both software and hardware, and, therefore, would amplify and accelerate the impact on national security.
The other pending legislation, to include the Senate bill, the McCain-Kerrey bill
Mr. DELLUMS. S. 901?
Mr. CROWELL. S. 909 has a much more measured approach to the decontrol of exports outside of certain specific sectors like banking, financial institutions, and all of the areas which the administration has already liberalized.
Mr. DELLUMS. How will the administration's efforts to establish a key escrow system affect the military and intelligence-gathering aspects of the availability of encryption software?
Mr. CROWELL. Well, the principal role of key recovery in the administration's policy is to provide a means for promoting in the United States and in markets abroad an approach to the use of encryption that protects the interest of law enforcement organizations and counterintelligence and counterterrorism and other organizations who would conduct lawful kinds of access.
The impact of key recovery on our national security mission is not significant. It is more in order to protect the law enforcement interest.
We have a very tough job ahead of us with regard to making sure that we are able to keep up with this technology in the national security area.
Mr. DELLUMS. To what degree will this policy be effective with less than universal participation and with low levels of participation?
Mr. CROWELL. I think, as Mr. Reinsch pointed out, if there were lack of participation, it would severely undermine the administration's approach, and I think that is one of the reasons that we have emphasized the need for a consistent approach in this country in order to gain the support of our allies in protecting their interests, as well as our own interest.
I think we will find in any kind of reasonable discussion, as our Ambassador, Ambassador Aaron, has found, that all nations of the world have a concern about the impact of strong encryption on their national security and domestic interests. They just don't agree on how to approach it.
Mr. DELLUMS. I just have one last question, I will say to my colleagues, in establishing the record on this matter.
How does the availability of encryption technology that is produced out of the United States affect the decision-making choices regarding the control of U.S.-origin technology? The B part of that, is it the case that the cat is already out of the box and that efforts to control this technology will indeed be futile? And that takes me back to a hearing, Mr. Chairman, when we talked about high-end computers. But I would like to get the response to that.
Secretary REINSCH. Yes, I remember that hearing, Mr. Dellums.
Mr. DELLUMS. It is interesting the players are in fascinating positions on this particular matter.
Secretary REINSCH. I am not unaware of some of the ironies in my remarks. And I am tempted to talk about the computers, too, but I will spare the committee that particular sermon, although we have a different view of that technology.
In this case, I think the answer is, as I said, that there are lots of products in existence that are foreign produced, that are not American or American derived, that are strong encryption and that would create problems for us from an intelligence point of view and also from a law enforcement point of view.
We believe at the present time that those products are not widely used, notwithstanding the fact that they exist, and they are not widely used, we believe, for three reasons.
One is that the key management infrastructure necessary to make them usable, as Mr. Crowell discussed, really does not exist in any significant way yet.
Second, we believe they are not widely interoperable, which is a significant obstacle to communicating back and forth. If you don't have an interoperable system, it is difficult to communicate with someone who has a different system.
And, third, they lack--because the system doesn't exist, the infrastructure doesn't exist, trust is missing. As Mr. Crowell tried to indicate in his remarks, to have secure communications involves not only encryption, it involves having confidence that your message is going to its intended recipient and not someone else. If I am sending a message to Ms. Harman, for example, I need to have confidence that my message is going to her and only to her, that it is not going to be intercepted by some third party, for example, masquerading as her, or some third party who is a hacker who is simply tapping into the system who is obtaining, for example, were it a financial transaction, my credit card information or something like that.
That kind of trust and confidence is something that is not embodied solely in the fact that the message is encrypted. And there are other techniques, like digital signature and other means, of verifying the parties to the transaction that make the system operational. In the absence of those other features, which are slow-growing, we do not see the encryption being widely used. It does, however, exist. And to amplify on Mr. Crowell's point, if we cannot bring the other producing or manufacturing countries, shall we say, into, you know, pursuing a policy that is similar to the one that we have designed, then we are going to have a serious problem because we have not opted for import controls, we have not opted for domestic use restrictions. The result is that foreign products can be imported into this country and can be used in this country if there are foreign producers out there making those products and if the systems exist within which they can be used and those countries don't restrict their export in the same fashion as others, then we will have a problem.
What we have discovered is that most countries are going through the same internal debate that we are. Most of them are behind us, which is not unusual in a sector like this where the Americans are in the lead. Some countries, such as Germany, are having a very public debate about this. Some are not. Some countries, such as France, have adopted already a more restrictive policy than ours. Some other countries have proposed a more restrictive policy than ours. Some are waiting to see which way the wind is blowing.
Mr. CROWELL. And if I could add, Mr. Dellums, just to punctuate that last point, I was handed this morning, as I was traveling to the committee hearing, an article that has been translated from a Japanese newspaper that indicates that a major, very major Japanese manufacturer of cryptographic products is considering shifting its crypto-chip development and production business to the United States because of the uncertainty about Japanese policy in this area.
So it is a very interesting twist on this whole debate that we are not the only ones that find this issue very difficult to resolve.
Mr. DELLUMS. Thank you very much.
Mr. Chairman, thank you for your generosity, and I appreciate the committee's indulgence.
Mr. WELDON (presiding). Thank you, Mr. Dellums.
Gentlemen, thank you for being here today. I have a number of very specific questions that I want to raise because I think this issue has not gotten the attention and focus on the Hill that it deserves.
I chair the Research and Development Subcommittee for this committee and chaired a 5-hour hearing on information superiority in the 21st century back on March 20 of this year. I only wish that the 24 members of this committee who have cosponsored this bill would have sat through those 5 hours of hearings and heard some of the defense implications of what this bill may, in fact, do to us.
I am one who is very supportive of the movement into the 21st century in terms of technology. In fact, I am working--I have been working for the last 2 years on developing the first smart region in the country linking the four States of New Jersey, Delaware, Pennsylvania, and Maryland into one massive high-speed system, with the capability of storing 1 petabyte of data and transmitting up to 10 terabytes instantaneously between several hubs and a number of subhubs throughout the four-State region. And in that process, I have been working with all the major players who are involved with this debate today.
But I can tell you that while I am aware of the criticisms of the administration in terms of the current policy relative to encryption technology and to the information age and believe that there needs to be change, I do not think that this bill moves us in the right direction. In fact, I think it takes us in exactly the opposite direction without proper consideration of security implications.
And I would say very emphatically that I would encourage the members of this committee, as I am going to do to each of them personally, that they need to look at the implications of this bill in detail.
Now, what has been amazing to me is that, as more information has gotten out about this bill, members are now starting to remove their names from the list of cosponsors. Members have not paid enough attention to this issue, and members need to pay attention to what will happen if, in fact, we remove all of the limitations on encryption technology.
As I heard in the testimony from Duane Andrews--and Duane Andrews was chairman of the Defense Science Board--when they issued the report on information warfare last summer--Duane Andrews, by the way, is now executive vice president of SAIC Corporation, arguably one of the leading corporations in the world in terms of consulting on information technologies and applications. If members would read the report of the Defense Science Board, they will come to the same conclusion that I have come to, that information warfare is going to be one of the greatest threats of this Nation in the 21st century. This committee has tended to focus on weapons systems and missiles and guns, but I think the area of weapons of mass destruction, terrorism, and information warfare are going to be the concerns of this country in the free world in the 21st century.
The Defense Science Board report, as a matter of fact--and members can get a copy of this document if they so choose--recommended that we spend an additional $3 billion over the next 5 years on protecting our information systems.
Now, in a tough budget environment like we are in, the Defense Science Board, chaired now by the executive vice president of SAIC Corp., recommended that we increase funding by $3 billion because of our concerns in protecting the information systems that control our smart weapons and that control the systems relative to our intelligence and defense establishments. I cannot imagine what the cost would be if we totally remove the limitations on encryption technology.
At our hearing back on March 20, we heard testimony from DOD that in one year alone, last year, there were over 10,000 hits on our defense systems. Over 10,000 hits on our defense systems. But because of encryption capabilities, all of those hits were, in fact, unsuccessful.
I heard testimony that one bank in New York had an illegal electronic transfer take place that involved well over--well, close to--I don't want to give the exact amount--close to $100 million that actually was done by a foreign operation.
So the control of data and the control of information and managing systems in this country is of vital concern to us. And while I think, as I said at the outset, we have to make change, I think this bill goes too far much too quickly, and it seems to me that someone has placed this on a fast track.
Now, we have heard--and I know we will hear later on today--that both the International Affairs Committee and the Judiciary Committee has, in fact, reported this bill out. I would note for the record that both chairmen of those committees expressed reservations as the bill passed through their committees. But I can tell you that as one member of this committee and chairman of the Research Committee, I plan to make it my personal effort to educate members of this committee and the Congress to the implications of moving this fast in terms of removing controls on encryption technology.
What is interesting to me is that, arguably, one of the most sophisticated companies in the world in terms of encryption technology, IBM, the manufacturer of Cryptolope and Databolt, two of the most sophisticated encryption technologies, is not supportive of this bill. They are not one of the companies that says that this Congress should move on this bill, yet they are, in fact, the major manufacturer of both Cryptolope and Databolt. That tells me something.
And so I think this committee, more than anything else--and I say this to my friend, the ranking member, and to all of my colleagues on both sides of the aisle--we had better look hard and fast because we are going to have to pay the price if we move too quickly in removing the controls on encryption technology that are so important to us as we move into the 21st century.
Now, those are the opening statements I wanted to make. I do have some specific questions which I will ask and will also ask our second panel.
A major component of the argument for the free export of encryption is the strength of foreign encryption and the necessity of a level playing field for our corporations. At this time, however, there are only limited assessments of the strength of foreign cryptography, although policy is under way to address this issue. It is my understanding that foreign encryption is still no match for the American-made product, and I think you have said that today.
Is it correct to say, then, that deregulation of encryption exportation would substantially improve the encryption capabilities of foreign and possibly rogue nations and individuals?
Secretary REINSCH. Yes.
Mr. WELDON. Mr. Crowell.
Mr. CROWELL. I certainly agree with that. It would make available to them considerable capability in the products as well as continue to increase the amount of information they would have about how to build good products.
Mr. WELDON. This next question applies to a number of members of our committee who, in fact, have seen fit to cosponsor the bill that is partly the subject of this hearing, and it is kind of ironic to me because many of these same members were railing about the sale of Cray computers to Russia, which just occurred in the last year, and totally criticizing the administration over giving a Russian academic institute the ability to use one of our super computing systems for offensive systems and capabilities in Russia.
My question is: Given the outcry over the exportation of super computer technology, what kind of message are we sending to industry when we restrict super computing hardware for fear that it might be used for the design of weapons, and in the same stroke completely deregulate the exportation of software that would provide the highest level of encryption for military purposes? What kind of signal are we sending?
Secretary REINSCH. Well, I think that--oh, I love these questions. [Laughter.]
I think, clearly, Mr. Chairman, you are sending confusing signals, and I think that is something that has distressed us. I think at the same time the reason the signals are confused is that we need to have a better, clearer, more extended dialogue about the nature of these technologies.
As you know from my previous testimony on the other subject, I do think that when something is out there and is available, we need to recognize that and not be unrealistic in our ability to control it. I think there is a difference between the status globally of relatively low-level high-performance computers and very high-level strong encryption in terms of its availability and use. But I think that sometimes you see--and the Congress is not unique in this respect, but neither is it different--a tendency to not really appreciate the rapid pace of change in these areas and not to appreciate the dilemmas that the dissemination of technology provide, and an effort simply to propose solutions that, you know, will stop the change, whether that is realistic or not.
If I may, one of the points you made in your comments I thought was very well taken about the attacks on the Defense Department computer system, for example, which suggests something of the dilemma that we all have in the encryption area. We need strong encryption. One of Mr. Crowell's agency's mandates is to provide and to secure encryption and the integrity of America's own transmissions and America's own communications. And it is the existence of these products and our ability to use them and ability to develop the infrastructure to use them that enables the Pentagon and other agencies to withstand those attacks.
So we don't want to do things that retard the growth of strong products, and we don't want to do things that hurt this industry. At the same time, we need to, you know, try to in this case control the export of it so that we are not faced with a lot of adversaries with the same capabilities.
Mr. HUNTER. Would my friend yield on that question?
Mr. WELDON. I would be happy to yield.
Mr. HUNTER. I thank the chairman.
I can tell you, as one of the people who did a lot of the work on the Cray--or on the transfers of super computers to the Soviet Union and China, I am not a member of this cosponsor cabal here on this bill. And I find--just looking over the initial information you have provided, I think that this thing is terrible, and I don't think that the--I know Mr. Dellums, who is another member, and the chairman of the full committee were our leaders on the transfer of super computers, and I don't think there is any mixed message there. They were both strongly against that, and neither one of them have cosponsored Mr. Goodlatte's bill. If anything, I am concerned that the liberalization that did take place in the administration, which the Administration said did involve some risks of national security--that is the liberalization that was announced by Vice President Gore--went too far. So, it went too far and this bill certainly goes far beyond the pale.
So, I thank you for having the hearings here, Mr. Chairman. Let me make this clear as a guy who has really worked hard on the super computer transfers. I still think they were a terrible mistake. I think we sent a mixed message. I think the chairman and Mr. Dellums' amendment was right on target and I hope we can knock some sense into the folks who are going to be working the other side of the conference to be with us on that one.
But I am certainly not in favor of this.
Mr. WELDON. Thank you, Mr. Hunter.
Let me just say before I turn to my colleagues for questions. I guess I did not want to come out as apparently negative on this bill, but it offends me that I think a lot of my colleagues have been sold a bill of goods. I do not know whether it is by one company or by one group but one company in its zest to perhaps raise its profits, has not given members perhaps both sides on the issue. And that is what I want to make sure and my colleagues on this committee know that is what I always strive for--the argument on both sides.
And as I talk to my colleagues, they are not aware at all of the implications of this piece of legislation from the security standpoint. And what I really want to get to the bottom of is why it is apparently being put on the fast-track by someone in this Congress to rush it through without giving members equal and ample time to look at the impact that it would have on our defensive capabilities.
And, as I said at the outset, I am not totally happy with the current way we are regulating this industry and I think at every possible opportunity we should, in fact, provide deregulation, but to do that in a vacuum and totally remove all controls and give our adversaries the capability to harm this country's security in the future in a way that we could not deal with, I think is just unexplainable.
And, so, I can just say for the record--I might as well put the supporters of the bill on notice--that I will be using my influence to educate members as to the severe concerns that I have about this bill. And I hope that my colleagues on this committee will join me because this bill is not just about free trade, it is not just about a new level in terms of information and the ability of Americans to have their civil liberties protected--all of us want that--but it is also about fundamental security and not giving rogue nations and rogue States the capability to encrypt technology that, in fact, may in the end be used against our soldiers. And that is, in fact, what could happen, I think, if we remove all the limitations that currently exist.
So, with that, I will now move to our other members. Mr. Skelton?
Mr. SKELTON. Thank you.
I find, Mr. Chairman, that my colleague from California, Mr. Dellums, has covered the waterfront quite well in his questioning. However, there are two bottom line questions I would like to ask you, gentlemen.
I assume both of you are opposed to this piece of legislation, H.R. 695?
Mr. CROWELL. That is correct.
Secretary REINSCH. That is correct, Mr. Skelton.
Mr. SKELTON. Can you tell me--this is going to call for an intellectual self-evaluation--can you tell me what differences, if any, each of you has or represents regarding this whole issue of encryption, Mr. Reinsch, between the other?
Secretary REINSCH. Between us--
Mr. SKELTON. Mr. Crowell and his National Security Agency?
Mr. CROWELL. Between the two of us?
Secretary REINSCH. Between the two of us, sir?
Mr. SKELTON. You bet, between the two of you.
Secretary REINSCH. I do not think you could put a piece of paper between us on this issue.
We spend a lot of time together, a lot of it at witness tables but we have approached the issue from different perspectives, Mr. Skelton.
Mr. SKELTON. That is the reason I asked the question.
Secretary REINSCH. But I think Mr. Crowell's bottom line is correct, we have ended up in accord. My perspective, my portfolio, of course, is more commercial and I have a deep and abiding concern about the need to sell to, well to, yes. [Laughter.]
To ensure the economic strength of this particular sector and the jobs that go along with it. But my responsibility in the export control business is to preserve national security and we intend to do that in this area. And I share Mr. Crowell's view that our national security will be jeopardized if this bill were passed.
Mr. SKELTON. Would that be the position of your Secretary and of your director, respectively?
Secretary REINSCH. In my case I have discussed this matter with my Secretary and he is in the same place.
Mr. SKELTON. All right, Mr. Crowell?
Mr. CROWELL. In my case, General Minihan has been extremely clear on his position on this and I would agree, sir.
Mr. SKELTON. I sure thank you.
Mr. WELDON. I thank the gentleman.
Mr. Pickett from Virginia.
Mr. Reyes.
Mr. REYES. Thank you, Mr. Chairman.
I have read with a degree of interest, having spent 26.5 years in law enforcement, the letter from the Attorney General and I am more than anything curious to know how we got to this stage without the concerns that are expressed both here this morning in the hearing and also by the Attorney General and virtually every member of the departments that she supervises.
Is there a perspective or a background on that?
Secretary REINSCH. Well, I would say, Mr. Reyes, that those concerns have, I think, been well expressed to the committees. The judiciary committee marked up this bill, addressed those issues, held at least two hearings on the subject. I participated in one of them at which the Justice Department was represented extensively. We have had private meetings with members of that committee on the subject.
When the international relations committee marked up the bill, one of the things that occurred during the markup was that several members of the committee, Mr. Hamilton and Mr. Bereuter in particular, invited several representatives of the administration including a representative from the FBI and a representative from the DEA, as well as myself and as well as the representative from the NSA, to come to the table and address specifically the concerns of the law enforcement community about the legislation. Those concerns were articulated by those representatives.
The letters that you have were made available to the members of the committee. Mr. Gilman offered an amendment that would have provided for a national security waiver from the export de-control requirements of the bill and the waiver was rejected notwithstanding the testimony by those witnesses.
Mr. CROWELL. Could I just add, Mr. Reyes, that over the last 3 1/2 years that I have been involved in this debate there have been countless interactions between the law enforcement community, the national security community, and the industrial sector that is interested in this bill. And in each case we have challenged them to help us technically to find solutions that would help us balance public interests with their own. And we do not have any suggestions or proposals on the table that would do that; only suggestions that we release our authority to protect the public and allow them to export.
Secretary REINSCH. I think you will also find, if I may, Mr. Reyes, that other members with backgrounds like yours are, by and large, not cosponsors of this bill.
Mr. REYES. And I did double-check to make sure I was not. [Laughter.]
But one of the things that I guess comes clear--and I just want to kind of reaffirm my own observation--is that the bottom line profit, is that what I am looking at here? Because I am reading a letter from the Business Software Alliance and they are citing a number of different issues--intellectual property rights, security, taxation, consumer protection, privacy, and so on and so forth--in citing their support for this bill.
But what I think I deduce here is the bottom line is profit, is it the motivation?
Mr. CROWELL. I personally would like to make sure that we are very fair if we are going to be asked to address their interests and say that, no, they have, in fact, an interest in trying to protect their customers' interest as well for security and networks and being able to protect all of the things that are in that list.
The issue is not whether or not those are legitimate interests, the issue is whether or not we can balance those interests with the public interest.
Secretary REINSCH. I would say also that a good number of companies, both hardware and software, have come to us and expressed a desire to work out a common approach to this problem and those discussions are going on. We have not reached a result and I do not have anything to tell the committee about that today but, in fact, there is a dialog that has been going on for a long time. It does not yet, unfortunately, involve every company but it involves many of them including many of the large ones.
And I, personally, am optimistic that we will get to a point where we can have a common approach that a very large percentage of both industry and the administration and, I hope, the Congress will be able to sign onto, but we are not there today.
Mr. REYES. OK. Thank you, Mr. Chairman.
Mr. WELDON. Thank you, Mr. Reyes.
Mr. Snyder.
Mr. SNYDER. Thank you, Mr. Chairman.
Continuing with what you were discussing there, you do not have alternative legislation that you all are pushing at this point, is that a fair statement?
Secretary REINSCH. What I have said was that we would favor what is known as the McCain/Kerrey bill, which is S. 909, which the Senate Commerce Committee has reported. We have not introduced a bill of our own, frankly, on the advice of Members, both here and in the other body, that it would not have been the most useful thing to do at the time.
Mr. SNYDER. Now, do you see that there is a need for legislation at this point, as you have talked about coming up with a common approach, or do you think that something needs to be done but this is just the wrong route to go or are you content to stay where we are at right now?
Secretary REINSCH. Well, we believe legislation is both important and necessary perhaps for a different reason than the industry. We believe that it is necessary in order to facilitate the development of secure public networks, the development of the kind of key management infrastructure that Mr. Crowell talked about. And maybe I should defer to him on that point.
Mr. CROWELL. I think that we believe that the proper legislation would give foundation to the essential elements of trust that are needed in the use of encryption in public networks. The American public needs to know that that foundation is there, that it is backed by solid reorganizations and rules and that there is a way of reviewing how well we are meeting the obligations of putting trust into the system.
There are all kinds of issues that are involved. There are liability issues, there are issues of what happens if you carry on encrypted communication with what you think is your bank and it is not your bank, who pays, who is responsible? There are international issues. How will we reach international agreement on a framework that will allow for interoperability? The list of issues is a very long one and one that I think is part of that debate that I said has not taken place yet. Instead, we have centered this on export controls.
Mr. SNYDER. As you all look ahead from the national security perspective, is this one of these issues that we could foresee that you will come up with what you describe as a common approach and we will pass some legislation that will be appropriate differing from the one that is on the table right now and that that will take care of us for a considerable length of time or do you foresee with the changing technology that every 3 and 5 years from now, for years ahead, we will be having to revisit this issue to have our laws stay ahead of the technology and the efforts to penetrate our systems here?
Secretary REINSCH. I would hope, Mr. Snyder, that it would be the former and not the latter in this case. That if we can arrive at a solution that embodies the elements that we have discussed that that would be a long-term solution that would not have to be revisited.
Now, in a fast-moving sector like this, we can never rule out some technological innovation that none of us have thought of yet that could force rethinking. But we are looking at a long-term fix. We think that we are going to get there. We are optimistic that we are going to get there. We are having the discussions that I suggested. We would hope that the Congress would not preempt us by passing something else in the short run.
Mr. SNYDER. I was going to say, since you are talking about something, since it is your opinion that we will not be revisiting this every year or two or three as technology changes then we ought to do it right the first time.
Secretary REINSCH. Yes, sir.
Mr. SNYDER. Thank you, Mr. Chairman.
Mr. WELDON. Thank you for your questions.
We will now go to Mr. Taylor.
Mr. TAYLOR. I have got to go to Transportation.
Mr. WELDON. Thank you for being here, we appreciate your involvement.
Mr. ABERCROMBIE. I have his proxy, Mr. Chairman, do not worry about that.
Mr. WELDON. And I will get beat up by the rest of the Members if I do that, Neil.
Ms. Harman.
Ms. HARMAN. Thank you, Mr. Chairman.
I am happy to welcome the witnesses and I just want to tell you I have double-checked again, I am not a Member of the gang of 24. [Laughter.]
But nor was I a supporter of Mr. Hunter's effort or I guess it was the chairman and Mr. Dellums' effort to come up with some kind of a compromise proposal to further limit or to roll back limits on computer exports. I think this is a tough issue and I totally agree with Mr. Crowell that balance is the requirement.
Since this is the national security committee, I would like to ask a few questions specifically focused on the national security aspects of this bill.
First of all, I think, as you both know, Joint Vision 2010 and other administration documents stress the importance of information dominance in future conflicts. Many of those involved in the revolution in military affairs make the same point. Information dominance means being able to acquire and protect information necessary for successful operations, while simultaneously denying such information to an adversary.
You indicate that liberalized encryption exports may endanger America's information superiority and my question is, what specific assessments have been conducted to analyze and determine the extent of this risk and how much of what you suggest is based on detailed assessments and how much is an educated guess? That is my first question.
The second question is, you made some, both of you, I think especially Mr. Reinsch, talked about the fact that all these threats of foreign competition have not materialized and you listed the factors why. But I would just like to ask in more detail about that. Presumably you have looked at the dynamics of the international encryption market. What is the current U.S. market share worldwide? Who are the major foreign competitors? What is the quality of foreign products? And how is market share changing and how fast?
Mr. CROWELL. First of all, on your question, Ms. Harman, regarding whether our perspective on all this is assessment versus guess. I think, as you know from your visits out to our agency, we have worked quite diligently on two aspects of this problem: One, assessing the threat that it poses for us and the second is making sure that should widespread availability and use become fact, how would we deal with it?
I can address the first, I cannot address the second for reasons of classification. But we have done detailed assessments of our current capability and what they cost and what the availability would do to us and what the increased cost and time would be to be able to make up the difference. I can tell you that there is significant risk that we will reduce our capabilities, increase the cost and reduce the timeliness or increase the amount of time it takes us to do our job.
Ms. HARMAN. Mr. Reinsch, do you have any additional comment on my first question?
Secretary REINSCH. No. I only have a comment on the second question.
Ms. HARMAN. OK.
Secretary REINSCH. On the second question, let me give you some numbers if I may. In 1996, the total worldwide software market, not encrypted specifically, but software market was $109 billion. Of that $109 billion, $50.4 billion was inside the United States. So, by far, the largest market is the domestic one and not the international one.
Looking, nevertheless, at the global market, we have consistently estimated that the U.S. producers have 75 percent of the global market share. Nine of the top 10 firms are U.S.-based, as are 45 out of the top 50. And I did not bring the names along but I can supply that if you are interested.
In terms of other producers, there are many other countries where software is manufactured, in a number of cases, by contract with American companies. So, the capacity is elsewhere but the arrangements are from here. India is a very good example of that.
The countries that we are dealing with primarily as sort of other producers we like to develop an understanding with are inside Europe: the United Kingdom, France, Germany, Netherlands and Sweden, also, Japan and Canada. In addition, however, we have also had discussions with Finland, South Africa, Israel, Australia, Singapore, Brazil, and I think several others. Those are, I think, pretty much the universe of producers but the ones I named first are the most important.
Ms. HARMAN. The final piece of my second question was, how is market share changing and how fast?
Secretary REINSCH. In terms of--you might ask this question of the next panel as well--in terms of U.S. market share of all encryption--let me say, by the way, I have been talking about the software market, essentially.
If you want to look only at software which is encryption software and that is its only feature that market is much, much smaller. We would estimate it at only around 3 percent of the total. In fact, though, a lot of general purpose software contains encryption capability. So, it is really more appropriate to look at the larger number.
We have found over the years that the U.S. share has been consistently in the 75 percent range. My guess is that for reasons that have nothing to do with this issue, that share will decline somewhat over time, it usually does. But we are the market leader and will remain the market leader, I think, for some time to come.
Now, the industry has said that this issue means that $60 billion are at stake. They have used that figure. As near as I can tell that figure is derived by subtracting the U.S. market from the global market, because that difference is $59 billion. To say that $60 billion is at stake is to assume that if the Government does the wrong thing on encryption, 100 percent of the foreign market will be lost which, I think, is a gross exaggeration.
Ms. HARMAN. Thank you, Mr. Chairman.
Mr. WELDON. Thank you, Ms. Harman.
Mr. Redmond.
Mr. REDMOND. Thank you, Mr. Chairman.
I am Bill Redmond from New Mexico and this is my first appearance at this committee and I just want to thank the chairman for giving me the opportunity to speak.
I am from New Mexico, Los Alamos, and I sleep within 1,000 feet of where Fat Man and Little Boy were assembled when I sleep at home.
And as I drive past my house to get out of my neighborhood there is a museum, and inside the museum there is a replica of both those bombs. And, so, I am keenly aware of the need for national security.
There is also another phenomenon in the State of New Mexico that precipitated our victory in World War II that many people are not aware of and that is the Navajo code talkers that we used in the South Pacific.
We were able to have decisive victories in the South Pacific because none of the Japanese could speak Navajo and that is--we are basically dealing with the same thing here where we have information that is sensitive and we have to communicate it among ourselves but we do not want the information to fall into the hands of people who would use that information against us and the Navajos provided that security for us and, so, where I stand on this issue is anything that jeopardizes the security of this Nation in any way, there is no way that I could support it.
The issues that you raised earlier, for instance, problems with banking and the transfer of information in the private sector, those in my estimation, those reasons for jeopardizing national security, I think, are very minor. I do not think that at any point we should risk the security just so that we can have a freer transmission of information in the free market place.
And the other thing we need to realize is that there is always going to be a threshold of technological development and if we are disseminating the technology we have that just raises the threshold that our scientists have to cross the next time that there is a problem. And every time we export what we have learned through our research we have to work harder to get another leg up on the ladder. And I think that that is more funding for research so that what we have already developed does not come back.
The human mind has a propensity to always be developing something else that is going to come back and get us and I think that the dissemination of the encryption codes is one of those things. So, I need to continue to research it but I would just discourage, you know, number one, doing anything no matter how minor it is that will jeopardize the national security.
Thank you.
Mr. WELDON. Thank you, Mr. Redmond.
And your presence is welcome. You will make an outstanding contribution here, we thank you.
Mr. REDMOND. Thank you.
Mr. WELDON. Mr. Hunter, the distinguished chairman of the acquisition subcommittee.
Mr. HUNTER. Thank you, Mr. Chairman.
Mr. WELDON. And bashful member.
Mr. HUNTER. And bashful member. This distinguished chairman does not know much about this encryption. Tell me a little bit about this key recovery system because that seems to be a part of the plan by the administration to allow some transfer, some sales and, yet, keep the blueprints at home where we can get this stuff back if we have to.
How does that thing work?
Mr. CROWELL. We have used the term, key recovery, and very often are criticized for it, because what our policy really means is not necessarily recovery of the keys, although that is certainly one way to recover the underlying information, but essentially some technical means of being able to get at the information in unencrypted form.
We believe that customers of encryption need that and we know that that is necessary in the case of law enforcement. So, what we have tried to do is encourage a wide range of technical solutions from industry that would meet that objective and we have put very few requirements on them with regard to how they do that. Only that it be able to provide that service to the customers and that it provide that service for use by law enforcement.
And, I would like to emphasize that we have said that that would be a voluntary system, market-driven, as Mr. Reinsch said in his earlier testimony.
Mr. HUNTER. OK. But is that not--up until recently the U.S. policy allowed the unrestricted export of encryption software with keys up to 40 bytes in length. That was the limit.
Mr. CROWELL. That is correct.
Mr. HUNTER. It is now higher than that and I thought that one of the conditions on the higher number being exported was some type of a key recovery system. But now you say, well, it is voluntary.
Mr. CROWELL. That is correct, sir.
Mr. HUNTER. Well, it is not voluntary if it is a condition.
Secretary REINSCH. Well, let me clarify, if I may. The restriction in our policy was that it set up a quid pro quo, Mr. Hunter, that we would liberalize the exports to 56 bytes if the company in question made a commitment and submitted a plan to verify its commitment to build key recovery products. Those products at the time we initiated this policy, by and large, did not exist. What we wanted to do was give companies an incentive to produce them so they would be the predominant form of product in the marketplace and we provided a 2-year window for that purpose.
Now, the window closes at the end of 1998 and after that point what we foresee being exported are key recovery products. So, the liberalization in question is an incentive to get where we want to be in the marketplace.
Mr. HUNTER. OK. What is the total, the general amount of money we are talking about with respect to the market? The encryption software market that the companies want to be able to exploit and feel that it is available for the American economy? How much money are we talking about?
Secretary REINSCH. If you are talking about--it is hard to break it down--if you are talking about the total software market--and we usually do because there is a lot of software including your standard word processing software, Lotus Notes, your standard spreadsheet software which contains encryption capabilities, although that is not the primary reason why people buy it, it is, nevertheless, in there--if you are talking about that larger market last year it was $109 billion and continues to grow.
Now, we estimate that the market for encryption-specific software is approximately 3 percent of that.
Mr. HUNTER. OK. So, you are talking about $3.5 or $4 billion annually?
Secretary REINSCH. That would be, for encryption-specific software, yes.
Mr. HUNTER. Now, is the claim made that the entire market, the $109 billion market is at risk if we do not make some accommodations with respect to the encryption technology?
Secretary REINSCH. I believe the software manufacturers have argued that the foreign part of that market, $60 billion, is at risk if we do not do what you suggest.
Mr. HUNTER. I see. So, in other words, other companies will be making software that does have the more liberal or the more effective encryption or the more liberal encryption restrictions.
Secretary REINSCH. That is their argument.
Mr. HUNTER. Thereby, they will market this as being more secure than the American product.
Secretary REINSCH. And we will be displaced there and, presumably to some extent in the domestic market, is the argument.
Mr. HUNTER. But you are quite confident that the key recovery system or working with the companies to come up in a creative way with a safeguard system, key recovery system, if you will, takes care of that problem?
Secretary REINSCH. Well, we would like--it takes care of that problem so if our trading partners are prepared to go down the same road. And we think they will be because they have the same national security law enforcement problems that we do. And, so, they have exactly the same interest in developing a system where they can recover encrypted messages within their societies.
And if we are all going down the same road, then it is going to be competition neutral from the standpoint of our industry.
Mr. HUNTER. Are you engaged with them right now on this issue?
Secretary REINSCH. Yes, sir.
Mr. HUNTER. OK.
Thank you, Mr. Chairman.
Mr. WELDON. Thank you, Mr. Hunter.
Finally, the distinguished member from Hawaii, Mr. Abercrombie.
Mr. ABERCROMBIE. Thank you very much, Mr. Chairman.
Mr. Chairman, preliminarily, my guess is considering the amount of effort that has already been made with me by those who would have this legislation passed, I have no objection to being romanced legislatively speaking but I am not usually the object of that kind of attention, to that same degree in any event. So, it must be clear to them from previous, I will not say, pronouncements, exactly, Mr. Chairman, but from the position that I have taken with respect to the transfer of technology in other instances that I would oppose what is being done here.
Mr. Chairman, I think we have got an uphill fight here. But I think it is one that is necessary to undertake and I think it is important for us to get the message out to the American people as to what is involved here.
I feel that the legislation likely to be dealt with in the Congress is such that we could very well find ourselves using arguments or being subject to arguments and this is the question then that I would like to pose to the two gentlemen.
Am I correct that that part of the discussion that is taking place now will involve the idea of how encryption works or does not work domestically with respect to law enforcement and that that will take place in a context which ordinarily I would be attracted to, that is, civil libertarian issues, civil liberties, I should say civil liberty issues, which naturally have as their foundation reverence for and reference to the Constitution of the United States, as opposed to utilizing the same kinds of arguments, if you will, that would apply if this encryption capacity and the key information variables were applied in an overseas context, in a foreign context in which the Constitution of the United States is not applicable, either domestically or in the military application overseas.
So, that the arguments, as I see them, that may be made as to what we might or might not do here domestically, cannot possibly apply in those contexts where the Constitution of the United States does not apply. Is that relevant?
Secretary REINSCH. Well, let me make two points.
Yes, it is. And it is a very apt question, Mr. Abercrombie. Let me make two points, if I may.
First of all, your point about the domestic context of the discussion is correct and well taken.
Mr. ABERCROMBIE. And it should be discussed, right?
Secretary REINSCH. And that is correct or I certainly agree with that. And a key set of participants in the discussion between the administration and the private sector are organizations like the Center for Democracy and Technology and the people who can generally be classified as the privacy people or the civil liberties people and they are a significant part of the discussion. In fact, I had a lengthy meeting with them only last Friday to discuss both this bill and the Senate bill that I referred to.
You are correct that the situation with respect to foreign countries does not raise exactly the same issues. From a law enforcement perspective, however, there are longstanding procedures and precedents that relate to the exchange of information that are relevant to criminal cases between countries. And we work through our judicial process and they work through their judicial process to exchange information. If we, for example, believe that evidence exists in France or wherever that would be material to a case here, there is an existing procedure for obtaining that information.
What we will attempt to do is to apply those kinds of procedures to this kind of information consistent with the way we have done it in the past.
Mr. ABERCROMBIE. But how that information is acquired in those nations could be significantly different than how that information is allowed to be acquired in the United States.
Secretary REINSCH. Well, it would be--that is right. It would be consistent with the legal procedures of the other countries.
Mr. ABERCROMBIE. Such as they might be or not be.
Secretary REINSCH. Well, the countries that I have been talking about--the United Kingdom, France, Germany, The Netherlands, Sweden--have procedures that I think are not that different from ours.
I can understand situations where you may be going with this where we would be dealing with countries that do not have those procedures. Those are not the countries we are talking to right now.
Mr. ABERCROMBIE. I understand. Let me reverse that then. Having said that, and understand, Mr. Chairman, my point really is here is that I think arguments about civil liberties and all that are a separate issue entirely from what we need to be dealing with here, and I think only serve to confuse the issue with respect to national security interests.
I am a civil libertarian; you are, I understand. Mr. Dellums is. Mr. Hunter is. And I know that for a fact. And, so, I do not propose to be side-tracked in that as we consider this legislation.
Mr. CROWELL. Mr. Abercrombie, it is useful, I think, to look back and see how we got to where we are today. The administration was trying to quietly work on three major areas of concern with regard to public policy.
The first was international agreement so that we could have a global approach to the use of encryption for electronic commerce. The second was a concern for a domestic policy that, in particular, protected law enforcement and centered around some technical means of doing that, key recovery happened to have been a way. And the third was export controls and its interrelationship with and impact on national security and how national security would deal with that.
Unfortunately, legislation, H.R. 695, had the effect of concentrating all of the discussion on only one of those aspects and we are trying now to build back into all three.
Mr. ABERCROMBIE. May I, Mr. Chairman, conclude my section with thank you very much for that because that leads me to my other proposition I wanted to take up under the time allotted to me.
Mr. Chairman, I want to make absolutely sure before I make this point as to what I am quoting. In our material, we have here bill 695, with the introduction from some of the folks who are supporters of it and so on, a bill short title, et cetera. In that is a section-by-section analysis of H.R. 695, is that the committee staff's interpretation or is that what comes officially from those who put this forward? Do you know, offhand?
Mr. WELDON. If the gentleman would yield?
Mr. ABERCROMBIE. Yes.
Mr. WELDON. That is, in fact, the committee staff's summary.
Mr. ABERCROMBIE. OK. Then I wanted to ask you, both, if this is the correct interpretation because if it is I think this gives us the foundation, platform, Mr. Chairman, for engaging our colleagues and the American people in a conversation as to the meaning of this.
Under section 3, exports of encryption, the summary I have before me says the following and I would like your assessment as to whether this is a correct summation. This section would amend the expired Export Administration Act, EAA, of 1979, by adding a subsection that would--and this is the crucial part for me--grant the Secretary of Commerce exclusive authority to control exports of all computer hardware, software, and encryption technology except that which is specifically designed for military use.
Is that a correct summation in your estimation?
Secretary REINSCH. It is a correct statement for the first two lines of that section of the bill. It also happens to be a correct statement of the status quo. It is the rest of the section that causes us the problems.
Mr. ABERCROMBIE. On the validated licenses, et cetera?
Secretary REINSCH. Well, on the decontrol requirements that are contained in the section and, in fact, even the paragraph that that particular statement is referring to contains a parenthetical later on that would effectively remove from the Secretary the very authority that the first part of the sentence grants him.
Mr. ABERCROMBIE. OK. What about this. This section would also direct the Secretary of Commerce to authorize the export or re-export of software with encryption capabilities for nonmilitary use unless there is substantial evidence it will be diverted or misused for military or terrorist purposes.
Secretary REINSCH. Well, that is a very interesting provision, Mr. Abercrombie. That is a correct statement of what that provision says. But if you look at section 3 in total you would never reach that provision because the software in question would have been decontrolled by a previous provision in that section.
Mr. ABERCROMBIE. That is what I was thinking. Mr. Chairman, I appreciate that, thank you.
Mr. Chairman, I think one of the problems we are going to have here is that when you are explaining you are losing. That is a political rule that I am familiar with. And this requires inordinate explanation, convolution of talmudic proportion in my estimation and we know where that has led over the years.
Secretary REINSCH. We are trying very hard to be clear, Mr. Abercrombie.
Mr. ABERCROMBIE. Yes. No, no, I am not--it shows the difficulty that is involved here.
Secretary REINSCH. That is true.
Mr. ABERCROMBIE. I am talking about goodwill here. I am not citing this with any conspiratorial connotations at all, believe me. It shows how difficult it is but for precisely that reason, to have this even the implication that it is going to be that easy to figure out what is designed for military use, Mr. Chairman. That which is a nonmilitary use based on substantial evidence it will not be diverted or misused, is an incredible burden, if you will, to place on the Secretary of Commerce, if you put the best connotation on it. If you put the worst connotation on it, it is a clear dereliction of our duty as a national security committee to allow the Secretary of Commerce to make those kinds of decisions.
So, Mr. Chairman, I think rather than--I hope that this dialog--and by the way, may I say parenthetically on that that our two witnesses here have helped enormously in getting to the position I would like to take which is rather than--get into a confrontation with those who favor this legislation from those of us who do not favor the legislation, where, you know, all good is on our side and all evil is on the other side, that we just say that all ignorance is on the other side and all wisdom is on our side and take it from there from the point of view of trying to indicate that the national security interests of this country and, I think, by extension those who are concerned about freedom everywhere in the world, should not be compromised by commercial interests.
And where those interests are primarily commercial, I think that needs to be pointed out. I can understand it. I do not want to dispute with someone about it but I do not want to be put in the position, I do not think we should take, stand for, intellectually stand for the position that this is all out there anyway, other people are going to do it if we do not. I am perfectly aware of the argument that the intellectual conception, perception, understanding of these issues is not something you hide in a box. There are no secrets here any more than fission and fusion could be kept a secret. I understand that.
But the commercial application or the technological application of these concepts and precepts and the fruit of the human intellect in this is not something that I think we should accept as simply being able to be given away and that there is nothing we can do about it. On the contrary, I think that it is our obligation to do everything we can to prevent that.
Thank you, Mr. Chairman.
Thanks to the panel. I think they have done a terrific job of enlightening us today.
Mr. WELDON. Thank you, Mr. Abercrombie. I know that the distinguished ranking member wants to make a statement and we have two more questioners, Mr. Blagojevich and Mr. Pappas, and I would suggest, do you want to try to get that done before we break for the vote? There are two votes here. I would like the members to come back because I would like to have the same intensity or perhaps even enhanced intensity of questioning of our next panel and have you all here for that questioning.
So, I would like to encourage all of our colleagues and to encourage our colleagues from the full committee, which I will do on this vote, to come over here for the second part of this hearing where we can have a full enlightened airing of this issue.
Mr. Dellums.
Mr. DELLUMS. Thank you very much, Mr. Chairman.
First, I would like to ask the ranking member on behalf of myself and members on this side of the aisle, welcome, Mr. Redmond to this committee. We look forward to working with you and to say to you that I listened very carefully to your comments and, as a long-time member of both this committee and the House, hopefully my comments will be reassuring to you that I have not met one Member of the Congress, certainly of this committee, who is interested in undermining the national security of the United States. But from time to time, we have a very vigorous debate on what are, indeed, national security issues and what, indeed, is undermining or not. That is what the political process is all about.
I would like to say to my distinguished colleague from Hawaii sometimes explaining is both challenging and educative and I think that an important part of a responsibility of a public official is to be educative. In that regard, I would like to remind my colleagues that I mentioned that this today would be both intriguing and intellectually challenging. It is, indeed.
And the two witnesses have demonstrated that and I appreciate Mr. Crowell picking up on the comment that I made at the end when I said I hope today's witnesses can provide us with the information needed to avoid the easy route and take up the more difficult task of producing a U.S. Government policy on encryption software that makes the best balance between security, commerce, and privacy.
There are security issues here that need to be addressed and they are complex. There are certainly issues that affect our economy, issues of commerce that are extremely complex. Both of our witnesses have raised these issues. Mr. Crowell has laid out a list and a short list of examples of how complex these issues of commerce are in this regard.
There are also privacy issues and I would like to say to the gentleman from Hawaii, I do not agree with the gentleman that issues of privacy are not national security issues. I think the Framers of the Constitution were visionary when they laid out the fourth amendment that would protect the American citizens from unwarranted Government intrusion upon their lives and in this period of extraordinary technological advances the Government can be the ultimate hacker.
And, in that regard, it is important for us to look at these questions very carefully and I think to achieve a balance here is very, very important. And even though we are on a committee that calls itself national security, I have always been one member that believes that national security issues go far beyond this committee and embrace certainly the functions of other committees and I cannot compartmentalize my brain. I think as we address this issue we need to look at all three of these issues and balance these matters. Often that is ultimately the challenge. And I thank the witnesses for their contribution here, Mr. Chairman.
Mr. WELDON. Thank you, Mr. Dellums.
The chairman misspoke, we actually have three members for questioning. The first, upon return, will be Mr. McHale, the second will be Mr. Blagojevich, and the third will be Mr. Pappas. And I would encourage you all to come back.
We will stand in recess until this series of votes, which is two, it should be about 15 minutes, is over.
[Recess.]
Mr. WELDON. The committee will come to order.
As we left before the recess, we had three Members who were in line to ask questions. I know that one of them will not be coming back. Mr. Blagojevich had indicated to me, he wanted to come back--I do not see him yet--as did Mr. Pappas.
So I will make a few comments and ask any other colleagues who might want to make comments, and I would ask, would each of you be able to stay for the second panel, so that if we have questions come up, that you could provide for us kind of a counter, if we need that, during the second panel? Is that possible? That would be helpful to us.
Secretary REINSCH. Yes, Mr. Chairman, I can.
Mr. WELDON. That would be very helpful to us.
Mr. CROWELL. Yes, Mr. Chairman.
Mr. WELDON. Thank you.
We are both supposed to be in the conference, Mr. Dellums and I and Mr. Hunter, and we are going to have to leave, also. So we will try to expedite it, but we think it would be important to have you here.
Secretary REINSCH. We appreciate your interest.
Mr. WELDON. I might just say at the outset that this bothers me because, when I went over on the floor with a list of cosponsors, I went up to five Members who had cosponsored the bill, each of whom had the wrong understanding of what this bill did, and I plan to ask that question of our industry friends when they appear here. The title of the bill is the security through encryption measure. I said, "Is it your impression that this bill tightens up export controls on encryption or loosens them?," and one Member, who is a very well-known security leader in the Congress said, "Oh, it tightens up the controls." I said, "Are you sure?"
So I am going to ask that question of our industry colleagues to see if that is, in fact, their interpretation of this piece of legislation because what has clearly been said here today in the statements that are going to come up is that 250 Members have cosponsored this bill. Do 250 Members understand the defense implications of this bill, is the question, and if they do not, then they have been done a disservice, and I am offended by that. As someone who believes that there needs to be change, I am offended by Members being given, rightly or wrongly or deliberately or not deliberately, the wrong information about why they should or should not cosponsor a particular bill, and of the Members that I talked to, all of whom are involved in security issues, every one of them did not have that impression.
Secretary REINSCH. May I make a comment, Mr. Chairman, about that?
Mr. WELDON. Yes.
Secretary REINSCH. Let me say, without getting into something I know nothing about which would be why individual Members make decisions, there has been a lot of misunderstanding about this issue on many sides, and I want to clarify something I said earlier in that regard, namely that I would not want to leave the committee with the impression that we believe the author's, the author of the bill, intent was to go as far in decontrolling as I said, but I do stand by my interpretation of what the bill would actually do. I think there is no question about that. I suspect it is beyond what was intended.
I would say also, if I may, Mr. Chairman, that there has been a good bit of misunderstanding of the administration's policy on this issue, and a lot of people have characterized it as mandatory key escrow or mandatory third-party key escrow, a whole bunch of things, which, in fact, it is not. I hope in the second panel, you might also get into a discussion so that it is clear that everyone understands what, in fact, we have proposed because it is not what we have been accused of proposing from time to time.
Thank you.
Mr. WELDON. Thank you for that clarification. I think you made your point well, as Mr. Dellums has just said.
Let me ask you a question as a followup to what one of the Members said to me in my questioning on the floor, just 5 minutes ago. He said, "Well, no, Curt, I was told that this bill does not prevent any sales of encryption technology abroad. It does not in any way remove that or impose any export controls. What it does is allow," I think he said, "like a quid pro quo system, where an American company in our industry could respond to what other foreign software manufacturers or others were doing." Is that, in fact, correct?
Secretary REINSCH. Well, it is correct in the sense that by removing all restrictions here, it would permit American companies to respond.
Mr. WELDON. Only when there is a foreign company?
Secretary REINSCH. No, no.
Mr. WELDON. Well, clearly, that is what this Member was told.
Secretary REINSCH. Well, that would be inaccurate.
Mr. WELDON. This Member was told--and I need to get it so on the record, and I am going to ask the industry folks, because this Member, I am going to go back to personally and ask him to read the statement.
This Member, who is a member of this committee, was told that it only applied where a foreign operation did something in the encryption area and then we could have a like response in that particular case, and that is the only case where exports were relaxed.
Secretary REINSCH. That would not be correct, Mr. Chairman.
Mr. WELDON. This really offends me personally, especially when you have a bill that has worked its way through two committees. Maybe Members have gotten misimpressions on their own. Maybe it is because they have not had a chance to hear all the sides of the argument, but I can tell you that I think before this bill moves through this House, we had better have a clear airing of what this bill does and does not do and not leave Members to think, ''Well, I think it does this,'' or, ''I was told it does that,'' or, ''It may do this,'' or as one Member said, ''Oh, no, I support it because, as the title says, it provides more security through tighter controls of encryption from this country being able to go abroad to foreign nations.''
Well, clearly, from what my understanding is of what is being said today, that is not the case.
Mr. Dellums, do you have any additional comments you would like to make before we move on?
Mr. DELLUMS. Just one comment. When I mentioned the privacy issues, one privacy issue that related, an international issue that further complicated the process, it is the issue of human rights organizations operating in foreign countries where the governments are repressive governments. So it also raises that issue, you know, the encryption issue. You do not necessarily have to respond to that, but it seems to me that that further complicates the process and bodes for some kind of effort to be balanced in our approach with these matters.
I would suggest, Mr. Chairman, since my other colleagues are not here and you have asked the two witnesses to stay for a few moments that we proceed because you and I do have to--
Mr. WELDON. I agree with the gentleman, and we do have to run to the conference.
So we thank you for your testimony. We look forward to working with you. We would like you to be here to respond, and Mr. Hunter has suggested, if you would not mind, to stay at the table.
Let me say also, at the end, do not misinterpret my statement as being an endorsement of the administration's current policy, and I think I made that point clear. I am not endorsing an administration policy. I think there needs to be change made. I think we need to provide flexibility, but it needs to be a controlled process that is done very thoughtfully in cooperation with our security interest. I do not think this bill does that, but we thank you both for being here. You did an excellent job in responding to our questions.
Mr. WELDON. With that, we will assemble our second panel and welcome Tom Parenty, director of Data and Communications Security for Sybase, Inc., and Stephen Walker, president and CEO of Trusted Information Systems, Inc.
Thank you both for being here. We have read your statements and your background and bio. We will, without objection--Mr. Blagojevich--I am sorry--you will be the first to ask questions in the next round. We asked the other panelists to stay here.
We thank you for being here, and we look forward to your testimony. Hopefully, you did not take any of my concerns personally. This is a professional hearing, but we do have serious security concerns. This is not a new issue for me. As I said before, information warfare comes under the jurisdiction technology-wise of my subcommittee. I have worked this issue for 4 years. I am very concerned.
In our defense authorization bill, we plussed up by $88 million over what the President asked for, funds to assist our private sector in dealing with information security issues, partly as a response to Duane Andrews' Defense Science Board report. I do have serious reservations about this bill. I told Mr. Goodlatte that during the last vote, but I welcome your comments and welcome your insights because perhaps we are missing the point or perhaps we need to be educated on why we are, in fact--why I am moving in the wrong direction.
So welcome, and, Mr. Parenty, we will start with you.
STATEMENT OF THOMAS PARENTY, DIRECTOR, DATA AND COMMUNICATIONS SECURITY, SYBASE, INC., ON BEHALF OF THE BUSINESS SOFTWARE ALLIANCE
Mr. PARENTY. Thank you, Mr. Chairman, for the opportunity to address your committee this morning--I should say this afternoon--and also I appreciate the concern and diligence that this committee is applying to this issue.
I am speaking here on behalf of the Business Software Alliance, which is an association of major software vendors in the United States, including, among other companies, Lotus, Microsoft, Novell, as well as my own company, Sybase. Speaking as a representative of the software industry, I can say that there is complete and absolute support for H.R. 695 in the U.S. software industry.
I am also here speaking as a former employee of the National Security Agency, someone who was very proud of his service there and was called upon to advise the director of NSA at that time on internal NSA security issues and also provided advice to other compartmented programs run by other agencies.
Most recently, I have been acting in an advisory capacity to the President's Commission on critical infrastructure protection, and it is from that national security perspective that I also believe that H.R. 695 has very definite and marked benefits for our national security.
What I would like to do is spend a couple of moments to talk about the real-world national security implications of the administration's policy as it is currently being executed and compare those with some of the consequences that could happen with the passage of H.R. 695.
In particular, one very real consequence of the administration's policy right now is that it is hindering and delaying the incorporation of strong cryptographic features into U.S. software products that are used as the basis, the foundation, and the backbone for all of the critical infrastructures upon which our Nation depends, whether you are talking about banking, health care, telecommunications, transportation, State and local government. All of them rely upon U.S. software to function reliably, safely, and securely.
The administration's current policy, whether intended or not, is having the effect of discouraging the incorporation of strong security into our products to provide a safer infrastructure for America, and that is a bad thing.
Second, the policy is prompting--no, I would say forcing the rest of the world to look outside of the United States for software with encryption capabilities that are strong enough for protecting their legitimate business and personal needs.
Here, I would like to digress for a moment that just this past week, I was talking with the New Zealand Ministry of Health that is building a national infrastructure for the managing of health care and medical information for the entire country of New Zealand. Because of the sensitivity of that data, they have a requirement for 128-bit keys and no kind of third-party key recovery because of recognizing the vulnerabilities associated with the kind of government-directed key recovery plans that have been talked about.
Now, when looking at S. 909 with its domestic key recovery provisions, I am discouraged to know that if S. 909 were enacted into law, it would effectively mean that the U.S. Government does not value the confidentiality and integrity of U.S. citizens' medical records, as much as the New Zealand cares about its citizens.
The New Zealand Ministry of Health has identified two companies, one in Switzerland and one in England, that they are going to purchase the products to build their health care system if they cannot get those products from the United States.
In making these statements, I have to qualify them by saying that the conversations that I have had privately with Deputy Director Crowell and Under Secretary Reinsch are very encouraging, and I think there is a great deal of commonality in our thought. It is, however, not the way in which the policy is being implemented today.
The one thing that the administration's policy is not capable of doing is to keep strong cryptography out of terrorist, criminals, and enemies of our state, just as it is possible for the New Zealand government to go to Switzerland or England or any number of other places to get security products that satisfy their legitimate business needs, so it is possible for criminals and countries-in-interest hostile to the United States to get those products as well. That is something that I find very disturbing, but it is something that is beyond the control of the U.S. Government.
Mr. HUNTER. Excuse me.
Mr. Chairman, I know this is extraordinary, but the point you just made is a real key point to this, to, I am sure, your point of view and with respect to the administration's point of view. I think on that point, we ought to just ask if there is any dissent from the administration on the point that if the bad guys do not get this stuff from American-made services, they are going to get it from somebody else, the other-guys-have-it theory. Do you accept that, gentlemen? Were you listening to that statement? Because that is a real key statement.
Mr. CROWELL. Cryptography is, as we said earlier, widely available. It is not widely used. One of the reasons is that there is no infrastructure to support it. So, if a bad guy gets it, he can carry on a very limited conversation with other bad guys by simply exchanging public keys among them, but if he goes into the regular marketplace to use his electronic credit card or to deal with a bank or to do any of the other kinds of things that will be a part of electronic commerce in the future, they will have to use systems that would be supported by key management infrastructures and, if the policy succeeded, have key recovery associated with them and be available to warranted law enforcement access. That is the concept behind the administration policy, and it would have some effect, but not total effect. It would not prevent people from using encryption privately among themselves.
Mr. PARENTY. In looking, on the other hand, at some of the consequences of H.R. 695 in terms of beneficial effects that it would have with respect to our national security, it is that it would eliminate and remove current restrictions on the incorporation of cryptography into U.S. software products, which would mean that U.S. software products will be more secure than they are now and more secure faster. So that, as they provide the infrastructure for, again, all of the electronic-based system upon which America depends, from air traffic control, to power grids from major metropolitan cities, to health care, the foundation for those systems will be stronger, and that is--
Mr. WELDON. Are you saying there are limitations on those systems now?
Mr. PARENTY. What I am saying is that the current export controls are hindering the development of those security features into U.S. products.
Mr. WELDON. You are not saying there are limitations now.
Mr. PARENTY. No, I am not saying that.
Mr. WELDON. OK, thank you.
Mr. PARENTY. Not at all.
No, I am saying in a very practical sense, because the development cost is so much higher, because of the regulations we have to deal with, the security protection mechanisms are not being incorporated at the rate that our country needs.
Now, another consequence of the SAFE legislation would be the broader use of American software products with cryptography throughout the world. It is the case that there is a long history of cooperation between the U.S. software industry and the National Security Agency to provide NSA with detailed information, designed functional specifications, source code of how we implement cryptography so as to assist NSA in their mission.
It is my belief that in a world full of encryption, specifically encryption used by interests hostile to the United States, it is better for them to be using U.S. software products than it would be foreign, and it is something that while I would agree with the gentleman to my right that, currently deployed today, there is not widespread use of encryption, I think the gentleman to my right would also agree that that is going to change dramatically in the near future, and I think we would all agree that it is in our Nation's best interest that the software used to encrypt data worldwide is U.S. So that is another benefit that would accrue from H.R. 695.
Mr. HUNTER. On that point, why isn't it in our interest to promote these key recovery systems that the administration is working with industry on?
Mr. PARENTY. OK. Actually, I am very glad that you mentioned that because, with respect to key recovery, I think that it is important to distinguish between industry-driven key recovery, which is designed to meet jointly the needs of the users of cryptography, as well as address law enforcement concerns, and contrast that with a Government-mandated, global, top-down key recovery infrastructure.
In terms of what the software industry is doing anyway, because there is a need for it, it is to provide means for the legitimate users of encryption, to have spare copies of their keys in case, in the instance of a company, the employee who encrypted the information is not available. That is a very good and useful thing, and that is something that the U.S. computer industry will do regardless of what the administration says because it is the right thing to do.
Mr. HUNTER. Then I have a question for the administration. Is that right that these guys are going to have the spare keys, anyway, in case your Chevy gets locked up while you are at a speaking engagement and you cannot get into it?
Mr. CROWELL. We are industry-driven, too. We use products in the U.S. Government. We are going to be using a lot of encryption products to protect public interest and public records.
Mr. HUNTER. He is saying basically that they are making the spare keys, anyway, so there is no need for you folks to engage industry in the key recovery systems.
Mr. CROWELL. No, we believe that there is a need to incentivize that process, both domestically and internationally.
Bill, do you want to add?
Secretary REINSCH. I was just going to say, Mr. Hunter, that I think that what Mr. Parenty said is not a correct characterization of our policy. It is not a top-down--I do not know if he said the word mandatory, but it is not the kind of key management structure that he envisions.
We envision a structure that is not that different from the structure that he envisions, and we see the market going in the same way that he sees the market going.
What we would like to do with our policy is give the market a push to make sure it goes in that direction.
Mr. CROWELL. And just to go further and illustrate that, the policy encourages the use of certificate authorities within a particular company, industry, or a group of industries, their choice. It is strictly a market kind of thing.
What it does is provides the mechanisms for liability protection should they comply with law enforcement, lawful, warranted access. So what we are saying is if Visa or MasterCard wanted to use encryption for their next electronic MasterCard, they would build their own key management infrastructure from the bottom up, not from the top down, and not mandated by the U.S. Government, but voluntary with the proper incentives in terms of liability protections and so on.
Secretary REINSCH. But that would meet our needs. That would meet our law enforcement needs.
Mr. WELDON. Do you agree with that?
Mr. PARENTY. I agree with actually what both of the gentlemen have just said. My difference is that the way in which the process is actually working right now, it does not work that way.
Mr. WELDON. So you want us to remove all limitations because the process does not work that way. You are not talking about a gradual move or a tweaking of the system, like I would want to support. You think that a bill that removes all limitations, worldwide, is the way to solve the problem. Is that correct?
Mr. PARENTY. That is not correct.
Mr. WELDON. OK. Tell me what you do support.
Mr. PARENTY. OK. I am in support of H.R. 695 because I believe that it is an excellent starting point for developing a comprehensive encryption policy that covers both domestic and international needs. It is not my intention by any extent to say that I would like the U.S. Government to basically throw up its hands and say there is nothing we can do, let's forget about it, the world will take care of itself.
Mr. WELDON. But isn't the perception of the industry that this bill would remove controls over selling encryption technology abroad?
Mr. PARENTY. It would remove many of those concerns.
Mr. WELDON. Isn't that the perception?
Mr. PARENTY. In terms of the perception in the industry or the world at large, that I cannot speak to.
It is my understanding of the bill that this would be a substantial improvement over the current state of affairs and would similarly be a substantial improvement over S. 909.
Mr. WELDON. For the record, I will put into the record some of the statements that have been used to cosponsor this bill, and that is exactly what has been said, that this, in fact, will remove limitations on selling encryption technology abroad.
Mr. Dellums, did you want to--
Mr. DELLUMS. I just wanted to make a procedural point. I think this exchange is very useful, but in the spirit of fairness, I think we ought to just allow the two present witnesses to have the opportunity to lay their case on the table and then we could have at it.
Mr. WELDON. OK, good point.
Mr. PARENTY. Thank you, Mr. Dellums.
Actually, because of the insightful questions from members of the committee, I confess, actually, that my case is made. So I would say it is very nice that there is a cooperative effort, even when this is a very sensitive subject.
Mr. HUNTER. Yes; I would say to my friend, I am just trying to understand this instead of just listen to it, and on those key points, it is good to have the back-and-forth because it is hard to see the difference.
Mr. DELLUMS. I appreciate that. I think this is a very challenging issue, and if that is useful and everybody sees it as fair and appropriate, let's have at it.
Mr. PARENTY. Thank you. My statement is complete.
[The prepared statement of Mr. Parenty can be found in the appendix on page 63.]
Mr. WELDON. Thank you.
Mr. Walker.
STATEMENT OF STEPHEN T. WALKER, PRESIDENT AND CEO, TRUSTED INFORMATION SYSTEMS, INC.
Mr. WALKER. Thank you. I appreciate the opportunity to be here, also, and I find myself in an interesting and somewhat difficult position of understanding, I think quite well, the positions of both of the protagonists here and actually having a difficult situation because I am trying to propose a middle-ground solution here that probably will get them both angry at me, but that is OK.
I do not support H.R. 695, and I represent that there is an amount of industry that does not support it. I will try to talk about that in a minute, but I also do not completely support the administration's position in this area, and I would like to try to explain that.
Before I do, I spent 20 years with the Defense Department at NSA--we all seem to be from NSA except Mr. Reinsch--and at the Defense Advanced Research Projects Agency and at the Office of the Secretary of Defense. I was the director of Information Systems in C3I in the early 1980's, and I understand the Government's position in this area. For the last 14 years, I have been running my own company which started with myself. Actually, Mr. Parenty was an employee of TIS twice in his career. We are now a 300-person company selling information security products around the world. So we understand industry's position here, too.
I had the opportunity for 5 years to be on the Computer System Security and Privacy Advisory Board during the time of the Clipper debate, the Clipper disaster, and part of the problem we are having here today goes back to those days. Maybe people do not remember that, but I know a lot of the civil libertarians and a lot of the industry folks do remember it.
Clipper was a proposal by the administration back in 1993 to allow strong encryption to be available, but the Government kept the keys. The Government had databases of keys. They were split in two so no one place could run away with them. There was put forth as a solution to this problem back in 1993 and summarily rejected.
Following that, in late 1993 and early 1994, there were bills before Congress--I testified twice in those days--that were essentially similar to 695 in saying that, hey, we should get rid of export controls altogether.
Those were defeated. They were turned into a study of the availability of cryptography, which has already been referred to here today.
I was involved in that process both as a member of the advisory board and as a citizen trying to figure out is there a middle-ground solution here that might work, and my company began in 1994 to look at alternatives that might happen. We realized then, as many people have come to realize, encryption really is a two-edged sword. You desperately need it to protect your sensitive information from being stolen by the adversaries out there in the world, but if you lose the keys, just like if you lock your car keys in your car, the lock is just as effective in keeping you out as it is keeping others out.
So we began to realize and we have discovered a number of companies around the world that have realized that some form of systematic way to recover your own keys is essential to the use of cryptography, never mind export control or any of the rest of this.
So I began talking to my friends at NSA and the FBI in late 1994 and early 1995 saying if this were to become widespread, if industry user-controlled key recovery systems became widespread, this would go a long way to satisfying law enforcement and national security interest in obtaining keys when they have legal authority to do that.
I was very pleased that in August of 1995, the administration announced an interim policy that said you can export up to 64-bit encryption as long as there is a key recovery system. My company began building products going after that, and we obtained our first approval in early 1996. We got approval about a year ago for a Royal Dutch Shell in the Netherlands to run a worldwide system where they have their own key recovery capability in the Netherlands, no connection with the United States whatsoever. The U.S. Government gave export approval to that.
In October of 1996, as has been stated, the U.S. administration said you can export any encryption, any key length, as long as there is a key recovery system with it, and that is today the current policy. We have been seeking approval for export of a number of products along these lines and, in fact, have approval to run a Microsoft-compatible crypto-engine that runs triple data or 128-bit encryption that can be shipped essentially anywhere in the world. We got approval for that in March under the new rules.
Mr. HUNTER. Excuse me for one second, Mr. Walker.
Mr. WALKER. Yes.
Mr. HUNTER. You are saying that the present law is that you can have any length encryption as long as you have with it a key recovery system.
Mr. WALKER. As long as the user has the capability to recover their keys.
Mr. HUNTER. Gentlemen, do you disagree with that, that that is a precise statement of current law? I am just trying to get a fix on our differences here.
Secretary REINSCH. That is essentially correct. We do not permit the export to the pariah states.
Mr. WALKER. I am sorry. There are seven or eight countries that you cannot ship anything to.
Secretary REINSCH. You cannot ship it to Iran or--
Mr. HUNTER. OK.
Secretary REINSCH. If it contains a key recovery feature, we will permit it at any bit length.
Mr. HUNTER. Mr. Parenty, how does the bill change that law?
Mr. PARENTY. OK. In the first case, it is my understanding from the reading of Commerce regulations today that, while the Commerce Department in some cases, as has been the case with Royal Dutch Shell, say that a corporation or entity can hold their keys themselves, that the default rule is that the keys must be available to some third party approved of by the U.S. Government.
The technological challenge of being able to provide an infrastructure that would ensure key availability to some third party out of the organization that is the primary user of encryption is, from a technical perspective, much more difficult, much more expensive, and is something that is a very distinct impediment to the use of U.S. software products abroad, and it is Sybase's own experience that when we applied for an application under the new rules in the beginning of March to develop a key recovery mechanism that would allow an organization, a company, a bank, whatever, to hold their own keys, that after time passed, the Commerce Department did, in fact, say, yes, we have approved you. However, in the ensuing time, there were follow-on letters of clarification that made it very unclear to me as somebody trying to build a product that satisfies Government requirements what I would need to do for my products to actually be exported.
It is now the end of July, and I still do not have an answer from a question that was proposed at the beginning of March. It is something that I fault not under Under Secretary Reinsch, but rather that the current administration process does not work--
Mr. HUNTER. So the bill and your understanding takes away the key recovery system requirement.
Mr. PARENTY. It takes away the key recovery system requirement. However, in practice, as I said before, U.S. industry--
Mr. HUNTER. Everybody keeps a spare key.
Mr. PARENTY. Exactly.
Mr. HUNTER. OK. Mr. Walker has been dying to talk to that. Go ahead, sir.
Mr. WALKER. There are two approaches that we have received approval for here. One is for companies to operate their own key recovery center in the United States and outside of the United States. Another one is for third-party companies, companies that are in the business of escrowing software or medical records or whatever to be able to provide a key recovery capability to which companies who do not want to run their own, but rather would out-source that to some third party can operate. We have received approval both for third-party key recovery centers--I disagree with Tom in that that is not fundamentally difficult.
There are companies now in the United States, and we have shipped to five countries in Europe, key recovery centers that can be operated either by the company itself or by a company as a third party that other companies can subscribe to.
It is not difficult to build a key recovery center that scales. My concern, and the difficulty I have with the administration's bill or with the Kerrey bill, is that the administration has chosen to link the public key infrastructure, which is an essential part of making all of this happen.
They have chosen to link those together so that you have to have a public key infrastructure that the Government approves that combines key recovery in order to get export approval.
My point here today, if we are running out of time, is I do not see the necessity--I believe it is ill-advised--to link those two together. There are very significant private sector and Government initiatives to build public key infrastructures. It is a very difficult job. That is the thing that is difficult to make scale and reliable. Key recovery on the part of the user, whether it is a third party or yourself, is not that difficult to do, and we are building products. There are 60 companies in the Key Recovery Alliance that was formed by IBM and ourselves and others last October that are meeting on an almost daily basis to work out inter-operability standards for key recovery systems, and there is no need to link key recovery mechanisms to this public key infrastructure.
So the problem I have with the Senate bill is that it is an attempt--and I do not know whether it is law enforcement or whoever is trying to insist on this--to link the public key infrastructure with key recovery. It is my belief that that linkage is giving the people who remember Clipper and Government key escrow the justification for saying, ''Oh, but the Government is really just trying to get what it tried to get with Clipper in a public key infrastructure,'' and it is that, that smacks of domestic control that I think is the situation that a lot of people in industry, a lot of civil libertarians are complaining about.
If the administration would back away from that linkage to public key infrastructure and, in fact, proceed with what today we are getting approval to do, I think a lot of the objections to this would go away, and that is the essence of the points that I wanted to make today.
[The prepared statement of Mr. Walker can be found in the appendix on page 81.]
Mr. WELDON. Well, thank you, Mr. Walker, and thank you, Mr. Parenty, both for your statements and your comments. We appreciate it. You have helped shed some new light on this issue.
Mr. Walker, then what you are saying is that you do not support the Goodlatte bill, but think there is a need for some kind of reform, and you have outlined one of the key positions.
Mr. WALKER. Yes.
Mr. WELDON. Having been in this job now for 11 years, we get extremes all the time, on both sides of an issue, and that is really what has, I guess today, sparked my--I will not say outrage, but my concern over this piece of legislation.
While I share the concerns that you have from my own--and I mentioned a 4-State project that I had been working on for 2 years--to establish an infrastructure network involving all of our hospitals, universities, businesses, K-to-12 schools, and Government processing centers in 4 States. We have now reached a point that no other region has in this country working with the large--
Mr. WALKER. We are actually working with our local high school under that program that you have said.
Mr. WELDON. Right, and so I support this.
What we want to do as we bring this up is to provide encryption capability in that system so that, in fact, we can demonstrate that civilian systems can have proper protection built in relative to patient records and student records and information that has trademark and patent classification for companies, but I think my perception of the bill is that you basically want to remove all export controls. Am I oversimplifying that in your opinion?
Mr. WALKER. No. In my opinion, the bill--I mean, I testified here, as Tom and the others did, a few months ago on this--
Mr. WELDON. Right.
Mr. WALKER [continuing]. And Mr. Goodlatte was there. He basically said, no, no, no, we are just trying to get a level playing field. So if triple DES is available in Finland, then a U.S. company should be able to sell triple DES, too. Well, call it what you want. That is doing away with export controls.
As a digression, we have talked about this, the survey of worldwide cryptography. My company has been doing this for 4 years, and it is the basis on which the Government's survey was done in 1995. I actually have the latest statistics, which I will leave for the record, if you like.
Mr. WELDON. Without objection, we will enter those into the record.
[The information referred to can be found in the appendix on page 126.]
Mr. WALKER. The point is that cryptography is available around the world. There are 7- or 800-different products that are available around the world from several hundred companies. So the effect of what Mr. Goodlatte was saying is that, I mean, triple DES is available, 128-bit encryption is available. That means, in order to get a level playing field that U.S. companies should be able to export those same products.
The difficulty here, and I agree with Mr. Crowell on this, there are a lot of products out there, but they are simple ad hoc products. They are not integrated into Microsoft Office Suite or Novell Office Suite or whatever. They are not integrated into the products that you and I and people around the world are using today.
So the fact that they are there would, under 695, be justification for the United States just randomly exporting all of these things, and I do not think that that is correct.
The National Research Council last year concluded what is probably the most comprehensive study that may ever be done on encryption, let alone has been done, and their recommendation was that export controls on cryptography should be progressively relaxed, but not eliminated, and they had comments in the report. I commend all of you. It is the Crisis Report that was issued just about a year ago, and there are very good recommendations in there. There are comments about key recovery and concerns about it, saying we need to try this and understand it, do not just plunge into it, but their comment, too, was progressively relax export controls, do not eliminate them.
I think the current U.S. position on this, they have allowed as an interim basis for DES to be exportable for 2 years. Well, I do not know how you put the genie back in the bottle or the cow back in the barn or whatever the term you want to use. Once this is out, I am afraid DES is exportable.
I understand their position is that on January 1, 1999, that goes away, but there is going to be a lot of trouble with that.
I think we have DES exportable throughout the world now without key recovery, and we are going to have that. I think that satisfies a lot of the people who say I do not want key recovery because, in fact, somebody is going to steal my stuff.
On the other hand, the New Zealand medical records that Tom was talking about or your program that you are doing, suppose somebody makes a mistake and the key is lost and you have got critical information that you cannot get back. You do not want somebody else to have the ability to recover those keys, but you certainly want the ability to do it yourself.
If you are willing to do that, under the current rules that are in place now for which we are getting export, you can, in fact, have triple DES exportability in this country or in any other country if you are dealing with people in Europe or in the Pacific Rim or whatever, and you have the ability to recover your own keys, either yourself or through a third party that you have chosen.
I actually think we have the system here working now that will accomplish what we are trying to do. The difficulty, again, is the administration has tried to link this with a public key infrastructure, which has caused all the Clipper 47 things to come out again, and all the heat and rhetoric.
The reality of it is we are very close to a solution to this.
Mr. WELDON. Excellent statement, and I will make sure that members of this committee look at that very statement because I think you have hit at the crux of the problem and the fact that we should not be pulled to either extreme in terms of where we go because this is an evolving technology that is going to keep changing very dramatically over the next decade or so.
I want to get back to the point that really bothers me about this bill, and that is, as a Member of Congress, we are all pulled in a thousand different directions every day, and we rely on advice and input from people who are knowledgeable.
I talked to five Members on the last vote who are cosponsors of the bill, and I asked them. Perhaps they understood this because of the title of the bill, which is Security and Freedom Through Encryption Act. I said, very simply, ''In your opinion, the bill that you have cosponsored, does it tighten the export limitations on encryption, or does it remove them?,'' and they said, ''Oh, no, it tightens them. That is why I cosponsored it.'' Is that really what the bill does, Mr. Parenty? Are they right? Are those Members right if they said that?
Mr. PARENTY. The bill does not tighten export controls on cryptography. That is not its intent. Its intent is, rather, to, on the one hand, allow U.S. vendors to provide products that meet a worldwide market that are becoming increasingly available overseas.
Mr. WELDON. So--I am sorry. Go ahead.
Mr. PARENTY. And also to remove current impediments, the practical impediments--not regulatory--practical impediments to the incorporation of strong cryptography into U.S. products that are used by U.S. companies and Government agencies.
Mr. WELDON. The reason why I asked that question is that many of the Members who cosponsored the bill are conservatives who, in fact, were leading the fight against the administration, not taking aggressively enough action on the sale of the Cray computers to Russia.
My point is that these same Members who were leading--and I was not one of them. I was more relaxed in that effort, but these same Members believe that this bill that you are advocating would, information act, more severely tighten and restrict, and from what you have just said, that is not what the bill does.
Mr. WALKER. That is correct.
Mr. WELDON. Thank you, for the record, on that.
Let me add this point. Mr. Parenty, if we take the scenario that is being proposed under the Goodlatte bill for software and encryption, should we take a parallel action with computers and relax the ability? If a company manufactures a very high-speed, high-capable system, say, in China, then we should be able to sell that same system overseas. Do you agree with that?
Mr. PARENTY. Actually, I think that the issues are sufficiently complex that I would rather separate export controls with respect to encryption from those relating to high-end computer systems. I think the issue itself is sufficiently complex just dealing with encryption that the world becomes far too muddied to bring auxiliary issues in as well.
Mr. WELDON. You cannot just say you do not want to talk about it. I mean, this is an issue that we have to deal with. In terms of information technology, there is a request by this Congress and many of the cosponsors of the bill that you are advocating who want us to put tighter controls on the sale of hardware systems and on the sale of super capable systems. Should we do that or not? Yes or no?
Mr. PARENTY. I think that the rules that we apply towards the export of high-end computers in terms of restricting their use for specific military applications or for specifically hostile or pariah countries is actually a good thing.
In terms of the prohibition of export of high-end computers in general, it is a very evolving technology, and at every moment that you put alliance, saying we will not export anything above this, in a very short time, that rule, that prohibition becomes obsolete.
Mr. WELDON. So, then, should we remove the export controls? That would solve the problem.
Mr. PARENTY. That would be my personal opinion, but I am not expressing that opinion as a representative of a particular software association or group of vendors.
Mr. WELDON. How about the Cray sale? Would you think that that was correct that we allow that sale to go forward or that we should have stopped it?
Mr. PARENTY. If you really want to pursue the high-end computer line of discussion, that would be perfectly fine.
Mr. WELDON. The Cray sale. I am just asking one question.
Mr. PARENTY. I actually think that that was the right thing.
Mr. WELDON. The right thing, OK. All right.
My point is that when Members of Congress are asked to cosponsor a bill, they need to be given not the title of the bill and base their support on what the title of the bill is, ''Oh, cosponsor this. It is security through encryption,'' thinking one thing is happening when, in fact, when you talk to the Member personally, not their staffer, not their consultant to the Member or not somebody in their district, but to the Member, they have the completely opposite opinion, and that is what I think, in a very short assessment I have done with five Members, who are all on this committee. That is what they thought.
Mr. PARENTY. I think it is unfortunate if there are misunderstandings with respect to the effect and intent of a particular piece of legislation. However, with regards to H.R. 695, the one facet or aspect of it that would improve national security is specifically in that it would facilitate the incorporation of strong cryptographic features, and that is a good thing.
In the discussions that I have had with Members and their staff, that has not been mentioned as one of the benefits of the bill. So, just as there have been misunderstandings on one side with respect to the bill, some of the positive consequences of this bill have not been highlighted either.
Mr. WELDON. I do not know how you could make that statement when the bill sailed through two committees on as fast a track as I have ever seen a piece of legislation in this city, moved through the Justice International Affairs Committee. I think the proponents of the bill have had ample time and have very successfully made their case.
The question is not that there is disagreement over the need for change. It is whether or not this change will take us too far. That is my concern.
Mr. Dellums.
Mr. DELLUMS. Thank you very much, Mr. Chairman. As you and other members are aware, the General Issues Panel of the conference with the Senate on fiscal year 1998 authorization bill is convening, and in my role as ranking member, it is imperative that I go there.
I just want to ask one question of Mr. Crowell and then make a very brief observation.
Given the comments that have been made by our two distinguished panelists, Messrs. Parenty and Walker, does key recovery help you with your NSA mission? I think that is an important answer to get on the record.
Mr. CROWELL. Key recovery, per se, does not help the National Security Agency do its foreign intelligence mission, but NSA is a national agency concerned with both aspects of national security, including protection.
The Defense Department today uses primarily open commercial networks in order to do its job, and so we will benefit in national security by the user of encryption.
We believe that there is a need for strong infrastructure to support that or we will actually embark on weaker structures, and encryption will not enhance our national security, but will weaken it because we will count on it providing security when, in fact, it will not. So that is one aspect.
The second thing is that we have a statutory obligation that we, in this case, all of Government--to maintain control of and return to the public, public records when they are no longer classified or when they should be made available to the archives or to the public in general.
The use of strong encryption without key recovery by the Government would be tantamount to violating our statutory responsibilities in that regard because it would hand every Government employee the equivalent of an electronic shredder, just by losing the key. They would lose the opportunity to recover those records and make them available to the public.
We pointed that out countless times to Representative Goodlatte, and I believe on the record, he has said that, yes, that is an area that should be addressed, but he, in fact, has not addressed it in his bill.
Mr. DELLUMS. Thank you.
Mr. Chairman, before I leave, I would like to say to Messrs. Parenty and Walker that I am sorry, but duties require that I leave. I have tried to listen with rapt attention to date to a very complex set of issues, and I have the belief that there have been a number of very fundamental assertions made here, and I have the feeling that if we close the door, that among all four of the panelists, there would be an extraordinarily high level of agreement on those fundamental assertions, probably well above the ninetieth percentile. It would seem to me that what we are about here are the tactical differences that have to be addressed. My hope, Mr. Chairman, is that this is a beginning point for us and that, in that regard, we move with reason and deliberation.
I would certainly like to thank the witnesses and my distinguished constituent for his journey to Washington and your contribution to these proceedings.
Thank you.
Mr. WELDON. Thank you, Mr. Dellums, for being here, and I will join you shortly.
I will now turn for as much time as he would like to our member who was originally going to be able to ask questions, Mr. Blagojevich, for as much time as you would like to have.
Mr. BLAGOJEVICH. I will be brief. I was just hanging around because I thought you needed me to ask a question.
Let me just address this question to the members of the administration. What role would a key recovery system play in combatting, if you can speak generally, terrorism, drug-smuggling, the proliferation of weapons and so forth?
Mr. CROWELL. After a great deal of discussion and debate within the administration, we came to believe, and I think have been supported by many of the people that we have talked to in the legislature and in industry, that the use of encryption will really spread widely primarily in the commercial end of business; that is, in credit cards and in doing business over the Internet, in doing your banking and so on.
In fact, the current state of products is such that the widespread use, trusted use, of encryption for carrying on nefarious deeds is an added burden and not easy to do and not necessarily safe to do. Just because you are encrypted does not mean you know who you are talking to.
Therefore, we believe that most encryption will be something, if it has key recovery, that lawful warrants will be able to recover information about terrorist activities or about criminal activities and so on when they are in the public sector.
Would we lose a lot of access? Absolutely. If my colleague, Director Louie Freeh, were here, he would tell you that he would be losing some capability to deal with criminal aspects, but he thinks that overall, this answer is better than no answer and he supports it.
Mr. BLAGOJEVICH. Yes.
Mr. WALKER. I would like to comment on that, too. Our motivation in getting involved in key recovery back in the 1994-1995 time frame was not to help the director of the FBI or the director of NSA with terrorists or criminals. We have got a different situation here.
Right now, or the rules as they were in those days, no one could get cryptography because only 40-bit could be exported and nobody wanted products that were only 40 bits.
Our motivation in this was to, if you will, enfranchise the honest business people to allow them to have strong encryption in a way that did not harm the interest of law enforcement or national security. Criminals and terrorists can do whatever they want, and they will do whatever they want. They may use key recovery systems and get caught. They may not. I cannot help that problem, but the situation we had was a tragedy in that honest people could not get cryptography because it was not available, because it was not exportable. So we were struggling to find a way to enfranchise the honest people in a way that did not harm the interests of the Government in this country or in any other country, and that has really been the motivation for the establishment of the key recovery mechanisms that we are talking about, and I think that is a fundamental point that does not come out very often.
Mr. BLAGOJEVICH. Anybody else?
[No response.]
Mr. BLAGOJEVICH. Thank you.
Mr. WELDON. Thank you, Mr. Blagojevich.
Mr. Snyder.
Mr. SNYDER. Thank you, Mr. Chairman.
Picking up on what Mr. Dellums was talking about, about the four of you getting in a room and sorting through all of this, it seems to me, one of the problems with that is that not everybody is at this table right now. I mean, there are still a lot of players out there, I would think.
It seemed to me, Mr. Parenty, you commented on the fact that you were encouraged by some of the things you had heard the administration say and the administration talk about how they sense there is a lot of common ground out there and Mr. Walker talked about a solution not being very far away.
It seems, Mr. Parenty, would you not be better off by slowing down this bill a little bit and not attaching your wagon to this particular horse? Once these folks start jumping off this ship, that ship is not going to go anywhere. That is just a way of encouraging you to perhaps--I mean, it does seem to me that you all are trying to address the problems from all the perspectives of both security and Government, but also the economic concerns of private business; that it might be better done in a context of you all sorting it out amongst all your players out there in the community and not trying to do it in committee rooms. That is just a comment.
Thank you, Mr. Chairman.
Mr. WELDON. Thank you.
I want to thank our panelists for coming in. Let me just say at the outset, one of the problems this committee has had is that when the bill was originally introduced, it was not originally referred to this committee. I do not see how anyone could expect a bill that would have this kind of an impact on national security issues not be referred to the National Security Committee, and I understand there are even some attempts not to have this committee involved.
Let me just say, there are 53 members of this committee who represent the broad spectrum of conservatives to liberals. If that, in fact, were the case or if there is a case made to move this bill without this committee being involved, that would be the surest mistake for this particular piece of legislation.
This committee has been involved in this issue, will be involved in this issue, and will have input to this legislation. I will assure you of that.
You have given us some very reasoned insights into the pros and cons of the issue and this bill. We are now laying out a strategy, even though we unfortunately have only been given 1 month to come up with an appropriate response, but we will prevail. We will come up with an appropriate response, and we will do the networking necessary to make sure that when we address this issue on the floor of the House, if that time comes, it is done in a reasoned manner and is not a rush to judgment that just benefit the profit-makers or, in fact, nothing happens just to benefit those who have maintained the status quo of an industrial age, but rather, to find the middle ground.
Thank you all for being here today.
The committee stands adjourned.
[Whereupon, at 1:10 p.m., the committee was adjourned.]
"The Official Committee record contains additional material here."