The United States Needs a Clear and Realistic Encryption Policy

Statement of Edward Gillespie

Executive Director,

Americans for Computer Privacy

March 4, 1999

Mr. Chairman and members of the Subcommittee,

Thank you for the opportunity to testify before you on H.R. 850, the SAFE Act, sponsored by Representatives Goodlatte and Lofgren and over 200 members of the House. I serve as Executive Director of Americans for Computer Privacy (ACP), a broad coalition of 40 trade associations, over 100 companies and over 3,000 individuals. The coalition includes the financial services, manufacturing, high-tech, and transportation industries as well as law enforcement, civil-liberty, taxpayer and privacy groups. ACP supports policies that allow American citizens continued use of strong encryption without government intrusion, and advocates lifting export restrictions on U.S.-made encryption products.

ACP strongly endorses enactment of the SAFE Act, and we appreciate the leadership provided by Representatives Goodlatte and Lofgren very much. We urge your subcommittee to report it promptly for full committee consideration.

As Vice President Gore said in September 1998 when he announced the current administration policy, developing a national encryption policy is one of the most difficult issues facing the country. It requires balancing many competing objectives - all of which are of great importance to the nation.

As ACP noted in our policy paper of May 8, 1998, strong encryption is essential to:

• Protecting the nation's infrastructure and assuring the integrity of information;

• Ensuring the privacy of electronic communications of American citizens and organizations;

• Protecting our national security interests;

• Safeguarding the public; and

• Maintaining U.S. leadership in the development of information technology industry.

As we move into the new millennium, information technology will play an increasingly important role in the way we govern, communicate, conduct commerce, and operate and protect our national infrastructure. Strong encryption is key to the continued vitality and growth of all of these activities. Accordingly, the United States needs a clear and realistic national policy to assure that industry is able to develop the products that will help us to meet our national objectives.

Significant progress was made last year with the Administration's policy announced by the Vice President in September and contained in the interim final regulations of December 31, 1998. ACP commends the government for the hard work and thoughtful consideration that went into the development of that policy and those regulations. Last year, ACP had several productive meetings with the Administration's inter-agency task force, including representatives from law enforcement and the Justice Department. Those meetings were conducted in good faith on both sides and led to a greater understanding on both sides of the needs and concerns of the other. The Clinton Administration incorporated many of our interim recommendations into its updated export policy, including: export relief for encryption products that use symmetric algorithms up to and including 56-bits; products that use asymmetric algorithms up to and including 1024-bits; and relief for various sectors of the business community.

The Clinton Administration, however, has yet to allow U.S. encryption manufacturers to compete on a level playing field in the global marketplace. The Administration policy remains highly problematic and does not represent the clear and realistic national policy that this issue requires.

First, the Administration has entered into an agreement with 32 other countries - the Wassenaar Arrangement - containing certain export controls on encryption. Unfortunately, the Administration's encryption export regulations impose greater restrictions on American companies than those called for under the arrangement. As a first step, we believe the Administration should at least eliminate all controls on encryption software and hardware for products up to 64-bits, and should eliminate all reporting requirements on higher-level encryption exports. Such actions would make U.S. controls consistent with the revised Wassenaar Arrangement.

We also believe that the Administration's efforts to develop a global approach to this issue through the Wassenaar Arrangement are doomed to failure. We recognize that this is a global problem and if it were truly possible to achieve universal agreement that was fairly enforced, industry would no doubt be supportive. But Wassenaar only has 33 members and does not include encryption-producing countries such as China, India, South Africa, or Israel. Further, the Administration should recognize that the Wassenaar Arrangement is only as effective as the implementing regulations adopted by the member countries. Some of the member nations will promulgate regulations that are less restrictive than those of the United States, thereby providing those nations with a competitive advantage over domestic encryption manufacturers. In short, the Wassenaar Arrangement is a toothless tiger.

Second, the Interim Rule falls short on a number of short-term points. For example, the Interim Rule does not fulfill the mandate promised by Vice President Gore on September 16 to allow all 56-bit encryption products to be eligible for export to all end-users (except terrorist states). In reality, the Interim Rule does not allow the export of 56-bit encryption chips, integrated circuits, toolkits, and executable or linkable modules for export under license exception except to U.S. subsidiaries.

Further, the Interim Rule is so complex that a number of the benefits in the new policy are undermined by provisions of the Interim Rule. For example, the reporting requirements are so onerous to companies that reporting costs may exceed the price of some products, much less the profit. In the same vein, the Government has shown little understanding of mass-market distribution techniques. It makes no sense that the Government does not expect manufacturers to be able to control mass-market encryption products using 56-bit encryption, but does expect manufacturers to be able to control mass-market encryption products using algorithms higher than 56-bits. Furthermore, it is simply impractical to expect manufacturers to collect reporting data on mass-market encryption products. My personal experience is that I never return registration cards on coffee makers, answering machines, or software products - I expect most people in this room have similar experiences.

And so the Administration's new policy, as grateful as we are for this limited progress, remains flawed even on its own terms.

Beyond this, in the encryption debate in the larger sense, we continue to have good-faith disagreements with the Administration about its current policy, which only Congress and this legislation can address.

Primarily, ACP believes that our current export policy short-changes our long-term national interest in that it puts at jeopardy our current global leadership in this vital technology. Strong, high-quality encryption products are now widely available from foreign makers. That renders our export policy an exercise in futility. We worry that America will lose this critical market to foreign makers. When and if it does, it will be too late to change U.S. policy and too late to preserve U.S. leadership in this vital arena.

If we do lose that U.S. leadership position, what will that mean? It will mean that the national security agencies will be confronting ubiquitous encryption made not by U.S. companies, but by foreign companies. Where then will the national security agencies go for technical help on encryption, if the most sophisticated encryption experts and product-makers reside abroad? It could put us in the untenable position of protecting our critical national infrastructure with foreign-made encryption.

We must retain leadership in this vital technology if we are to meet our long-term national security objectives. That is why we must assess our encryption export policies from a long-term, not a short-term, perspective.

In the long run, there can be no doubt that U.S. national security objectives are best served by an IT world in which U.S. companies are market leaders in all aspects, especially encryption. ACP's industrial members have ample evidence of the rapidly growing market share of foreign encryption and examples of U.S. businesses losing out to foreign manufacturers because of the U.S. export regulations. For example, a December 1997 study conducted by Trusted Information Systems found that 656 non-American encryption products are available from 29 foreign countries. These encryption manufacturers are located as far from the U.S. as China and as close as Mexico. The products in the study were purchased via routine channels, either directly from the foreign manufacturer or from a distributor.

RSA Data Security has lost business opportunities with major foreign conglomerates such as Lloyds TSB PLC, SAP AG, and Siemens AG because of U.S. export control regulations. U.S. software companies estimate they have lost millions of potential users of their software due to the encryption regulations. It is naïve to believe these foreign customers and entities are forgoing strong encryption to protect their proprietary information because it is not available from U.S. manufacturers, rather than purchasing strong, non-American encryption.

Further, foreign encryption manufacturers are marketing their products by using U.S. encryption regulations against American companies. For example, Baltimore Technologies, an Irish encryption manufacturer that President Clinton visited during his trip to Europe last year, specifically points out the shortcomings of U.S. encryption products in their marketing of their product, WebSecure. The opening paragraph of their website states that the export versions of U.S. browsers "are limited to 40 bits of encryption, which is not secure enough for most applications." In contrast, WebSecure provides 128-bit encryption for "real security."(1)

Strong encryption is also available for sale and for free on the Internet to anybody in the world with a computer. Here is just one example of the ease with which a person outside the United States can obtain strong encryption with a few clicks on their computer. One, they can visit the international Pretty Good Privacy site: www.pgpi.com. From that URL, anybody in the world can download strong, 128-bit encryption within 47 seconds. And because any citizen in the U.S. can download encryption legally from the Internet, and anyone in the world has access to those same web sites, the Internet makes controlling encryption exports a very difficult proposition.

ACP also believes it is vital to our national interests that our critical infrastructure is secure and we praise President Clinton for recognizing this vulnerability in his speech earlier this year. We wish, however, that the President recognized the importance of the role of strong encryption produced by U.S. high technology companies.

We do not believe we have all the answers to questions about national security, but ACP strongly believes based on our knowledge of the technology and global markets that our long term national security objectives can only be achieved if the United States realistically acknowledges the inevitability of a world of ubiquitous, strong encryption. Trying to control the proliferation of encryption is like trying to control the proliferation of mathematics. For that is what we are talking about here. Encryption algorithms are nothing but sophisticated mathematics. And while the United States may realistically hope to remain the leader in such a field, it cannot realistically expect to monopolize it.

We are joined in this view by the Center for Strategic and International Studies ("CSIS"). CSIS recently conducted a study of our nation's technical vulnerabilities; the study was chaired by William Webster, the former director of the FBI and Central Intelligence and former U.S. Circuit Judge. The subsequent report, entitled Cybercrime… Cyberterrorism… Cyberwarfare… Averting an Electronic Waterloo, calls for the "intelligence gathering communities - law enforcement and foreign intelligence - to examine the implications of the emerging environment and alter their traditional sources and means to address the SIW needs of the twenty-first century. Continued reliance on limited availability of strong encryption without the development of alternative sources and means will seriously harm law enforcement and national security."

For instance, ACP proposed last year the creation of a "NET Center" (and, since then, "Tech Center" has been created) to help law enforcement officials understand how to deal with encryption and other technological advances when encountered in a criminal setting. We have been cooperating on these projects, and we are pleased with the development of this forward-thinking strategy.

On the national security side, Senator Bob Kerrey recently suggested that (1) the President should convene a public-private panel to examine the implications of this new technological age for our national security, and (2) the creation of a new national laboratory for information technology to perform research and to act as a forum for further discussions on technological breakthroughs. These views may deserve further exploration, and ACP wants to play a leading role in crafting industry cooperation.

ACP wishes to emphasize that it recognizes a legitimate governmental need to obtain access to the plain text of communications when authorized by proper legal authority. ACP and its members are responsible citizens of the nation and the globe and have no wish to facilitate the commission of crime, the spread of terrorism or the acquisition and delivery of weapons of mass destruction. Similarly, we are committed to strengthening the nation's infrastructure, enhancing the privacy of American citizens and ensuring the security of electronic commerce. We believe that these sometimes competing objectives can be met, but only if government does not seek to force solutions on the industry that are not compatible with the development of technology and market demands.

ACP has advocated that the U.S. Government should work cooperatively with our nation's hardware and software manufacturers to develop the technical tools and know-how to achieve a policy that effectively responds to society's needs for law enforcement, national security, critical infrastructure protection, privacy preservation, and economic well-being.

In closing, Secretary of Defense William Cohen gave a speech at Microsoft two weeks ago in which he stated: "To maintain peace and stability in this uncertain world, we have mapped out a strategy defined by three words: Shape, Respond, Prepare." ACP and its member companies are willing to do our part in helping the Government prepare for an uncertain 21st century, and we look forward to working with the Government on these projects. But Congress needs to pass the SAFE Act and establish a clear and realistic national policy on encryption. That is the best way to preserve U.S. leadership in encryption technology, upon which the successful protection of our critical infrastructure and achievement of our national security objectives certainly and inevitably depend.

(1) Located at the following URL: www.baltimore.com/products/secure_web/mn_secure_web.html