[H.A.S.C. No. 106–16]
U.S. ENCRYPTION POLICY
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
JULY 1, 13, 1999
HOUSE COMMITTEE ON ARMED SERVICES
One Hundred Sixth Congress
FLOYD D. SPENCE, South Carolina, Chairman
BOB STUMP, Arizona
DUNCAN HUNTER, California
JOHN R. KASICH, Ohio
HERBERT H. BATEMAN, Virginia
JAMES V. HANSEN, Utah
CURT WELDON, Pennsylvania
JOEL HEFLEY, Colorado
JIM SAXTON, New Jersey
STEVE BUYER, Indiana
TILLIE K. FOWLER, Florida
JOHN M. McHUGH, New York
JAMES TALENT, Missouri
TERRY EVERETT, Alabama
ROSCOE G. BARTLETT, Maryland
HOWARD "BUCK" McKEON, California
J.C. WATTS, Jr., Oklahoma
MAC THORNBERRY, Texas
JOHN N. HOSTETTLER, Indiana
SAXBY CHAMBLISS, Georgia
VAN HILLEARY, Tennessee
WALTER B. JONES, Jr., North Carolina
LINDSEY GRAHAM, South Carolina
JIM RYUN, Kansas
BOB RILEY, Alabama
JIM GIBBONS, Nevada
MARY BONO, California
JOSEPH PITTS, Pennsylvania
ROBIN HAYES, North Carolina
STEVEN KUYKENDALL, California
DONALD SHERWOOD, Pennsylvania
IKE SKELTON, Missouri
NORMAN SISISKY, Virginia
JOHN M. SPRATT, Jr., South Carolina
SOLOMON P. ORTIZ, Texas
OWEN PICKETT, Virginia
LANE EVANS, Illinois
GENE TAYLOR, Mississippi
NEIL ABERCROMBIE, Hawaii
MARTIN T. MEEHAN, Massachusetts
ROBERT A. UNDERWOOD, Guam
PATRICK J. KENNEDY, Rhode Island
ROD R. BLAGOJEVICH, Illinois
SILVESTRE REYES, Texas
VIC SNYDER, Arkansas
JIM TURNER, Texas
ADAM SMITH, Washington
LORETTA SANCHEZ, California
JAMES H. MALONEY, Connecticut
MIKE McINTYRE, North Carolina
CIRO D. RODRIGUEZ, Texas
CYNTHIA A. McKINNEY, Georgia
ELLEN O. TAUSCHER, California
ROBERT BRADY, Pennsylvania
ROBERT E. ANDREWS, New Jersey
BARON P. HILL, Indiana
MIKE THOMPSON, California
JOHN B. LARSON, Connecticut
Andrew K. Ellis, Staff Director
Peter Berry, Professional Staff Member
Ashley Godwin, Staff Assistant
CONTENTS
CHRONOLOGICAL LIST OF HEARINGS
Thursday, July 1, 1999, H.R. 850, A Bill to Amend Title 18, United States Code, to Affirm the Rights of United States Persons to Use and Sell Encryption and to Relax Export Controls on Encryption
Tuesday, July 13, 1999, H.R. 850, The Security and Freedom Through Encryption (SAFE) Act
Thursday, July 1, 1999
Tuesday, July 13, 1999
THURSDAY, JULY 1, 1999
H.R. 850, A BILL TO AMEND TITLE 18, UNITED STATES CODE, TO AFFIRM THE RIGHTS OF UNITED STATES PERSONS TO USE AND SELL ENCRYPTION AND TO RELAX EXPORT CONTROLS ON ENCRYPTION
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Skelton, Hon. Ike, a Representative from Missouri, Ranking Member, Committee on Armed Services
Spence, Hon. Floyd D., a Representative from South Carolina, Chairman, Committee on Armed Services
Hamre, Dr. John J., Deputy Secretary of Defense
McNamara, Barbara A., Deputy Director, National Security Agency
Hamre, Dr. John J.
McNamara, Barbara A.
Skelton, Hon. Ike
Spence, Hon. Floyd D.
DOCUMENTS SUBMITTED FOR THE RECORD:
Letter submitted to Hon. Floyd D. Spence from Dr. John Hamre
QUESTIONS AND ANSWERS SUBMITTED FOR THE RECORD:
H.R. 850, THE SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Skelton, Hon. Ike, a Representative from Missouri, Ranking Member, Committee on Armed Services
Spence, Hon. Floyd D., a Representative from South Carolina, Chairman, Committee on Armed Services
Bowcock, Matthew, Executive Vice President of Corporate Development, Baltimore Technologies
Freeh, Louis J., Director, Federal Bureau of Investigation
Kaufman, Elizabeth, Senior Director and General Manager for Security, CISCO Systems, Inc.
Reinsch, William A., Under Secretary for Export Administration, Department of Commerce
Reno, Hon. Janet, United States Attorney General
Freeh, Louis J.
Reinsch, William A.
Reno, Hon. Janet
Spence, Hon. Floyd D.
DOCUMENTS SUBMITTED FOR THE RECORD:
[There were no documents submitted.]
QUESTIONS AND ANSWERS SUBMITTED FOR THE RECORD:
[There were no questions and answers submitted.]
H.R. 850, A BILL TO AMEND TITLE 18, UNITED STATES CODE, TO AFFIRM THE RIGHTS OF UNITED STATES PERSONS TO USE AND SELL ENCRYPTION AND TO RELAX EXPORT CONTROLS ON ENCRYPTION
House of Representatives,
Committee on Armed Services,
Washington, DC, Thursday, July 1, 1999.
The committee met, pursuant to call, at 9:45 a.m., in room 2118 Rayburn House Office Building, Hon. Floyd D. Spence (chairman of the committee) presiding.
OPENING STATEMENT OF HON. FLOYD D. SPENCE, A REPRESENTATIVE FROM SOUTH CAROLINA, CHAIRMAN, COMMITTEE ON ARMED SERVICES
The CHAIRMAN. The meeting will please be in order.
The committee meets this morning to renew its consideration of encryption and the impact on our national security of pending legislation that proposes to remove controls on the export of encryption products.
The issue of encryption, the encoding or scrambling of electronic data to protect its contents from unwanted disclosure, is technical and complex but its importance to our national security cannot be overemphasized.
The committee has a bill, H.R. 850, the Security and Freedom Through Encryption or so-called SAFE Act on sequential referral until July 23. Due to serious national security implications of H.R. 850, I plan to hold a markup session during the legislative week of July 19th.
As many of my colleagues know, H.R. 850 is similar to legislation proposed two years ago, legislation which the committee amended in order to retain some export control on encryption software. The committee alternative was adopted two years ago on a strong bipartisan vote of 45-to-1.
This little-noticed element of H.R. 850 would essentially gut the tightened restrictions Congress mandated two years ago on the export of supercomputers to potentially dangerous end users like China.
In the context of the recent Cox committee report and growing concerns over the transfer of sophisticated United States technologies to countries of proliferation concern, H.R. 850's decontrol of encryption and some computer exports makes no sense to me.
But let me be also clear about what this debate is and is not about. This is not a debate over the right of American citizens to use strong encryption products here at home to conduct financial transfers or transactions or to send secure communications over the Internet with confidence. With the growth in electronic commerce and communications, the need for information security is well recognized. However, I believe that removing controls on the export of strong encryption products will significantly weaken the ability of our country to protect its citizens against terrorists, drug dealers, and other criminals in the future. It would be tragically ironic in my opinion for the Congress to make it easier for terrorists to conceal their planning at the same time we are working to enhance the security of all Americans against terrorist threats through initiatives such as improved embassy security and by devoting additional resources to counterterrorism.
Unfortunately, the unchecked proliferation of sophisticated American encryption technology will only complicate the ability of our military forces to fight and win future battles.
We all realize that as technology continues to advance, preventing its spread and its use against us becomes more challenging. Despite this challenge, however, I strongly believe that our government should not, as a matter of policy, do anything to make it easier for a terrorist to harm Americans, drug dealers to ply their deadly trade, or an enemy on the battlefield to gain technical advantage over our forces that might result in higher casualties or a protracted conflict.
This is what the national security debate over encryption is all about. In my view, H.R. 850, the inappropriately named SAFE Act, will in fact increase the risk to Americans. Accordingly, we are fortunate to have before us this morning two Department of Defense witnesses who are uniquely qualified to address the serious national security implications of H.R. 850. They are the Honorable John Hamre, Deputy Secretary of Defense, and Ms. Barbara McNamara, Deputy Director of the National Security Agency. I welcome both of you to the committee.
Before we proceed, though, I would like to recognize the Ranking Democrat from Missouri, Mr. Skelton, for any opening remarks he would like to make.
[The prepared statement of Mr. Spence can be found in the appendix.]
STATEMENT OF HON. IKE SKELTON, A REPRESENTATIVE FROM MISSOURI, RANKING MEMBER, COMMITTEE ON ARMED SERVICES
Mr. SKELTON. Mr. Chairman, thank you very much. It is a pleasure for me to join you in welcoming our two distinguished witnesses, the Honorable John Hamre, Deputy Secretary of Defense, and Barbara McNamara, Deputy Director for the National Security Agency, to our hearing. I look forward to the testimony today.
Today we are again confronted with the challenge of addressing an extremely complicated technical issue with significant personal, commercial, and national security implications.
While we will focus our attention today on national security concerns, I am reminded that there are many other pressing aspects to this issue that will affect each of us. There is an increasing reliance by individuals, institutions, and businesses, on electronic networks to conduct their activities. It is not just a local, State, or national issue, it impacts on how we as individuals and how we as a Nation interact in the global arena.
Mr. Chairman, while we extol the merits of technological progress, the growth of electronic commerce, and the importance of retaining American technological advantage, we here on this committee must respond to the challenges posed by the rapidly changing new technologies in the protection of national security interests. We increasingly rely on the vulnerable commercial information systems and electronic networks where the desired security and privacy is not assured. What we do here in this committee on this bill will make a difference. We have the opportunity to influence the confidence that we as a Nation will have in our ability to exploit the advantages of the new technology, while at the same time maintain the technological lead we now enjoy, provide for the public safety, and accommodate our national security requirements.
Mr. Chairman, I know that this is a very complex and complicated issue, but I am committed to seek the right balance of the measures needed to meet all of our critical needs. The testimony of the witnesses here today provides us with one part of this issue. Thank you.
[The prepared statement of Mr. Skelton can be found in the appendix.]
The CHAIRMAN. Thank you, Mr. Skelton.
As you probably already know, we are having difficulties with our communications system this morning, so if you kind of speak in the mike, we will try to go on through it. Without objection, the full text of your prepared remarks will be submitted for the record. You can proceed as you would like. Dr. Hamre.
STATEMENT OF DR. JOHN J. HAMRE, DEPUTY SECRETARY OF DEFENSE
Secretary HAMRE. Mr. Chairman, thank you very much. We are genuinely honored to be invited to be here. This is an enormously important subject. I would like to begin by thanking this committee for having had the courage and the foresight last year to have addressed the national security implications of this issue. Had it not been for this committee, we would have had a steamroller that would have taken away one of the most important tools that law enforcement has in America and that we in the national security arena have to protect this country. And we are counting on you again. We cannot simply for the sake of the convenience of marketing interests set aside the national security of this country.
We just concluded an 11-week air campaign. There are a lot of things that we need to study from that campaign. One of the dimensions which we cannot go into in this hearing was that we were significantly affected by the lack of our ability to get communications on our opponent, and frankly we had some of our communications that were compromised during this. We feel very directly the need for strong encryption to be able to protect our military operations. We also have a requirement to be able to do everything we can to find out what the bad guys are going to try to do to us.
Every one of those soldiers and airmen and Marines and sailors that has been fighting for this country is in exactly the same shoes that you are in now, but you are in a much larger role. The ability to protect and defend this country over the next 10 years sits in your hands as you look at this issue. It is that important.
Now, we in the Defense Department feel both sides of this problem. We need to protect ourselves in cyberspace. We have had hearings in front of you and we have told you how important it is for us to be able to protect ourselves in cyberspace, and encryption is a very important dimension to that. We have to be able to encrypt our communications.
At the same time, we need to know who is operating inside our networks. We need to have a key recovery system so that we know whoever we are talking to we can identify who they are and confirm their identity. We are not imposing it on anybody. I think there is this backdrop fear that a lot of Members of Congress have that this is simply something that we put down everybody's throats in America. That is not the case. This Administration is not pushing that.
One of the most objectionable parts of this bill is the prohibition on the Department of Defense from being able to put in place the ability to identify who we are talking to in an encrypted environment. Now I will tell you what that means. That means that if we have a spy in one of our laboratories, we wouldn't be able to monitor them if this legislation passes. So the very sort of thing that everybody is outraged about and decries, you would absolutely open the door and let it happen without any ability for us to do anything about it if you pass this bill. It is that important.
Now, get to warfighting. I am telling you the world that is out there increasingly is an electronic world. We have got to do everything we can to protect our troops and our soldiers and sailors when they go in harm's way, and that means using all the resources that are available to the Department to be able to do that. We cannot afford to have troops go into combat not knowing as much as we can possibly give them, information in advance. And just simply unregulated release of the strongest encryption is going to do one thing: put more troops' lives at risk. Period. And that is why this is so important.
So far, everybody that has held hearings on this subject has only looked at issues of privacy. I honor that. That is why we go to war. The Constitution insists that that is one of the rights for all Americans and we will fight for that.
But at the same time, we have got to protect this country, and there are a lot more bad guys out there than we think. And you mentioned them in your statement, Mr. Chairman. It is not just the terrorists in the world. It is the organized militaries in the world that want to do harm to us every day. It is the pedophiles and the smut peddlers. It is the drug dealers. They are all increasingly using these tools, and if you want your security agencies to be able to protect this country, you can't strip away from us some of the tools we are going to need. And that is what this bill would do.
Now, I think there is a lot of misinformation that is being peddled in this town about encryption and the Administration's position. The Administration is not prohibiting the export of strong encryption. As you know, right now you can export the strongest encryption to anybody in the finance sector, anybody in insurance, in health care, any U.S. corporation that has overseas subsidiaries and its trading partners. They all can get the strongest encryption today. That is not being restricted.
If you listen to a lot of the lobbyists you get the impression that the American software industry is absolutely hobbled and can't do a darned thing and that is not true. A significant part of this market is wide open and the Administration is willing to relax it even further. And we are working very much in deliberations and I think you will see something in a matter of weeks, further relaxation.
I was once asked in a hearing, aren't you just trying to hold back the rising tide, an inevitable tide of progress, technical progress? And the answer to that is yes. But I am trying to keep it from becoming a tidal wave. You have got to give us a chance to stay ahead of this rising tide so that we can manage it and we can give you genuine security and protection for this country.
But if you were to drop everything tomorrow, which is what H.R. 850 would do, it would be a tidal wave that would crush your national security and law enforcement agencies that are protecting this country.
Now, we are absolutely open to working with anybody. We are not mindless about this because we need this protection ourselves. We have got to have encryption for ourselves. But we have got to balance it. And this committee is the one that has to insist that that happens. If it isn't going to happen by this committee, it is lost. We have got to stand up, we have got to make sure that when it comes to fighting the bad guys here in the United States and fighting the bad guys overseas, you don't strip away what we need to be able to do our job and we can do it in lawful means.
There is not a darned thing that we are proposing that is not fully protected through the constitutional procedures that are developed to protect all of our privacy and we all want that. We will fight for that. But we can't simply hobble your defense establishment and your law enforcement establishments just because we think we have got an inevitable tide of technology. We have to manage it, and that is what we are asking to be able to do, Mr. Chairman.
And I would be glad to answer any questions, but I think you need to hear first from Ms. McNamara who is our expert.
The CHAIRMAN. Thank you for your usual good job.
[The prepared statement of Dr. Hamre can be found in the appendix.]
The CHAIRMAN. Ms. McNamara.
STATEMENT OF BARBARA McNAMARA, DEPUTY DIRECTOR, NATIONAL SECURITY AGENCY
Ms. MCNAMARA. Good morning, Mr. Chairman, and thank you for this opportunity. Let me say that I had to refrain from applauding after your opening remarks because I don't think I can say it any better than you have said it.
We really do need to appeal to this committee for your help in stopping the SAFE Act from passing. Why am I here? And I think I need to explain our role in this. The NSA secures information systems for the Department of Defense and other U.S. Government agencies and provides information derived from foreign signals that we decode to a variety of users in the Federal Government. It is this foreign intelligence role that I want to address today.
NSA intercepts and analyzes the communications of foreign adversaries to produce critically unique and actionable intelligence reports. Very often, time is of the essence. Intelligence is perishable. It is worthless if we cannot get it to the important intelligence—sorry—if we can't get it to the policymakers and the military operators in time to make a difference.
As you said, Mr. Chairman, with our ability to read the encoded messages of Japan and Germany during World War II, and we learned their plans and intentions, we actually were able to help save lives and the war ended sooner than otherwise would have been expected.
That same crucial support was provided during Desert Storm and Desert Shield and it is being provided today in Kosovo, and in the past, in the recent past, elsewhere in the Balkans.
We live in a dynamic and unpredictable world. And in that world intelligence is, in fact, the Nation's security over the horizon capability. We give warning. Demands on NSA for timely intelligence have only grown since the breakup of the Soviet Union and have expanded into other areas of terrorism, weapons proliferation, and narcotic trafficking—national security areas that have no geographical or national boundaries.
Today, many of the world's communications are unencrypted, despite what you hear to the contrary. Historically, encryption has been used primarily by governments and the military. As encryption moves to software-based implementations and the infrastructure develops to provide a host of encryption-related security services, like authentication to which Dr. Hamre referred, encryption will spread and will be used widely by foreign adversaries that have traditionally relied upon unencrypted communications.
The immediate decontrol of encryption exports as proposed in the SAFE Act would place encryption in the hands of many of these adversaries and, as a result, much of the crucial information we are able to provide today could quickly become unavailable to those who would need it and rely upon it to guide their actions and decisions and thus put national security at serious risk.
As you consider the SAFE Act, it is very important that you understand the significant effect certain provisions of this bill will have on national security. If passed, the SAFE Act would immediately decontrol the export of strong unbreakable encryption. It would deprive us of the opportunity to conduct a meaningful review of a proposed encryption export to assure its compatibility with national security interests. Historically, this review process has provided us with valuable insight into what is being exported, to whom, and for what purpose.
Without this review and the ability to deny an export application if necessary, it will be impossible to control exports of encryption to countless bad guys.
For instance, immediate decontrol would undermine international efforts to prevent terrorist attacks, to catch terrorists, drug traffickers and proliferators of weapons of mass destruction. Immediate decontrol of encryption exports will likely result in the global spread of strong encryption among our adversaries and the use of encryption at multiple levels within communications networks.
This will greatly complicate our ability to exploit foreign targets and provide the delivery of timely and usable intelligence because it will take too long to decrypt a message if, indeed, we can decrypt it at all. And if we are to provide timely support to our deployed military forces, we must be able to do better than that.
As the Chairman so articulately described, the SAFE Act would eliminate all controls on the export of computers. Encryption, gentlemen, raises as many national security concerns as satellites and supercomputers; if not more, because of its widespread applicability.
I apologize, ma'am, I didn't see you come in.
You will hear others say that the genie is out of the bottle. Encryption is available overseas so why try to control it from this country? It is true that strong encryption is available overseas, but it is not yet widespread. We are employing export controls not to prevent U.S. industry from competing successfully in the international marketplace, but rather to prevent the proliferation of robust encryption to hostile forces. We support the availability and the use of strong encryption to secure electronic commerce, and that can be done today; to protect banking and financial transactions, and that is being done today; and to ensure confidentiality in corporate communications, and that is being done today. In fact, we allow U.S. companies to export unlimited strength encryption to most locations for these and other purposes, as Dr. Hamre said, under current relaxation.
However, we cannot allow the same free flow of encryption to those entities that would harm our Nation's security. Through export controls, we shape the environment in which we must conduct our code making, our signals intelligence, our foreign intelligence mission, by focusing our attention on end use and end users. Can we stop some foreign adversary from getting strong encryption if he really wants it? No, we cannot. But we can use individual solutions to solve those individual problems and use export controls to keep robust encryption out of the hands of most of our foreign adversaries.
Without some control on its export, encryption will become ubiquitous and we will be severely hampered in our ability to support our military forces, policymakers, and the law enforcement community with timely intelligence reports.
In summary, the SAFE Act will harm national security by making our job of providing critical, actionable intelligence to our leaders and military commanders difficult, if not impossible, thus putting our Nation's security at considerable risk. The United States cannot have an effective decision-making process or a strong fighting force or a responsive law enforcement community or a strong counterterrorism capability unless the information required to support them is available in time to make a difference. The Nation needs a balanced encryption policy that allows U.S. industry to continue to be the world's leader, but that also protects the security of our Nation.
Mr. Chairman, since this is an open hearing, I cannot discuss in complete detail the negative impact of the SAFE Act, but would offer a classified hearing if that would be acceptable and you would be willing to do that. And I will close now and thank you for your time and attention and be happy to take your questions.
The CHAIRMAN. Thank you very much.
[The prepared statement of Ms. McNamara can be found in the appendix.]
The CHAIRMAN. Mr. Skelton.
Secretary HAMRE. Sir, what I said was if H.R. 850 were to pass, one of the most objectionable features of that is a prohibition on the government from having a key recovery system. In other words, I would not be able to have in the Department of Defense an ability to know who of my employees is talking to who. I wouldn't be able to reconstruct that. And so all of a sudden, the bad guy who is inside our midst who wants to send his stolen secrets back to headquarters could do it and we wouldn't have the ability to control that or monitor it.
So I decry these people that want to spy on America, especially our own people who want to be traitors to this country. But we need to do something to be able to protect, and that provision would prevent us from ever doing it. So anything that you found objectionable, that I find objectionable with somebody selling out on this country, you are basically giving them the keys to do it if you pass this bill.
Mr. SKELTON. Thank you. I have another question. What is to prevent the bad guys, whoever they may be, from getting the encryption from the lawful sources who have it such as commercial interests? What is to prevent them from getting it from them? You say in your testimony—
Secretary HAMRE. Yes, sir.
Mr. SKELTON. —that commercial interests, financial interests and the like, can have encryption—
Secretary HAMRE. Yes, sir.
Mr. SKELTON. —that is exportable. And what is to prevent the unsavory souls from getting it from them?
Secretary HAMRE. Sir, bad guys today can get strong encryption products where we have relaxed the controls in areas, where we find other ways that we can still get access when we need to get access in a lawful manner. Now, it isn't 100 percent. We are managing a security risk here. I mean, we would love to have it otherwise. This technology doesn't let us have perfect security and we are trying to find ways in which we can manage it. The areas in which we have relaxed the export of strong encryption has been in areas where we feel we can tolerate; there isn't a significant security risk in those areas. They also represent the bulk of the market, by the way. So it is in the areas that we know there is a considerable risk of the bad guys talking to each other and communicating to each other in ways that we can't get at it. That is the part we are trying to regulate. That is what we are trying to control.
Let me ask Ms. McNamara to respond as well.
Ms. MCNAMARA. Yes, sir, Mr. Skelton. There isn't anything that will prevent every bad guy from getting access if they want to break the law. But we have solutions to individual problems. We just don't have a global solution, if encryption became globally used as this bill would—as the SAFE Act would permit and foster.
In the case of the export of strong encryption to the financial sector, that in particular is application-specific. And so it would not necessarily be imminently usable or useful by people—
Mr. SKELTON. By someone else?
Ms. MCNAMARA. By someone else, exactly.
Mr. SKELTON. How many times have you heard the argument that the cat is already out of the bag, the foreign competitor is already producing and selling what we are currently trying to restrict? What are our policies to be in light of that? Or is that true?
Secretary HAMRE. It is not entirely true. It is true in some small dimension, but it is not really true and it is an overstatement. There are 33 countries that have signed up in the Wassenaar Agreement and they are regulating encryption products to the same standard that we are. We are frankly a little too tight and we will loosen up to meet the Wassenaar standards. That is the bulk of the industry and they are being regulated internationally. The cat is not out of the bag.
Is there an encryption package that is out there that somebody, a couple of bad guys could download and use to talk to each other? Yes, there is. But that doesn't mean that the case is closed against us. We have other ways that we can take care of that problem. And it isn't a broad-scale environment that we can't get through. That is what we are trying to prevent.
Mr. SKELTON. Thank you, Mr. Chairman.
The CHAIRMAN. Mr. Hunter.
Mr. HUNTER. Thank you, Mr. Chairman. Dr. Hamre and Ms. McNamara, thank you for being with us. And I agree totally with your position. I just wish, Dr. Hamre, that you were working the supercomputer issue also.
Secretary HAMRE. Well, I am doing that, too, and I will talk to you about that if you ask.
Mr. HUNTER. This is one place where it seems like the Administration is a lot tougher than it has been with other species of exports. And I would like to see you—maybe we could have some discussions in the future with respect to supercomputers and how we could make that policy work.
But a question for you on this: Why is industry so intent on having the unregulated export of this encryption technology without this key recovery system? Why should it make a difference to them? Because I understand that is what you want to have is a key recovery system.
Secretary HAMRE. We want to have it on a voluntary basis. We are not trying to impose key recovery on anybody else. But I don't want to have to have a law passed that says we can't have it for us. That is what is so objectionable about H.R. 850. But I think there is a very strong interest in America for encryption and wanting to have protection. And we agree with that. We are not opposed to that. We also believe that there is a natural interest in the business community to want to know what their employees are doing. And again, by totally lawful means.
But I used to be the Comptroller. We got out at Columbus, Ohio, where we have a payment center. We have disbursed about $43 million an hour. I am certainly not going to give a bad actor out there some encryption where he can send a check to his own personal bank account and I can't reconstruct that. It is voluntary. I want it for us. I am not trying to impose it on anybody else.
Mr. HUNTER. Understanding that, though, the proponents of 850 came last year with this bill, they really worked this thing, there is an enormous commercial interest in being what you would call—and I think I would agree—is a strongly unreasonable position. I am just trying to understand why they are so tenacious and why that is so important to them.
You have laid out a path that they can take that will allow reasonable export and you have pointed out that this is multilateral; we have other nations that are working with us on the control. Usually these folks don't come to this town and spend big money unless they have something that is extremely important to them. Why should they be so tenacious in this area? What is it that they object to so strongly?
Secretary HAMRE. Sir, my personal characterization of that would be unfair. I think you need to ask them about that.
Mr. HUNTER. Well, go ahead. We like to hear unfair characterizations.
Secretary HAMRE. To give a fair representation, there are some out there who are cyber-libertarians, but that is a different bunch. I mean, the business interests I think are worried that we are not going to move fast enough to accommodate the change in the marketplace and we need to prove to them we can.
Mr. HUNTER. Just a last question. COCOM dissolved with the demise of the Soviet Union. We have gone through a number of areas where we need—supercomputers included—where we need to have perhaps a reestablishment of that multilateral control mechanism. What do you think?
Secretary HAMRE. Sir, we in the Defense Department would like to have as strong an instrument as possible so that we, with other governments, can regulate the movement of goods and commodities that have potentially damaging national security implications.
Mr. HUNTER. Do you think we should reconstitute COCOM?
Secretary HAMRE. COCOM collapsed because none of the participants wanted to abide by it any longer. What you have with Wassenaar is the next best thing. This has been one area during the last 12 months where we have been asking to buy time because it is—we are buying time here. During that period, we have been working with our counterparts in Wassenaar to get stronger enforcement of export controls so that we are not punishing American companies, and I honestly don't think that they are being punished because of it. And we are all working together here and there is not a single product that can't be exported with an appropriate license review, even the strongest things to the bad guys. We still want to look at it. Other than that, the market is wide open for where the bulk of the market is right now.
Mr. HUNTER. I think I may be a little more conservative on this issue than you are.
Secretary HAMRE. Yes, sir, you may be. And I would be happy to talk about supercomputers if there is time later on.
Mr. HUNTER. Thank you.
The CHAIRMAN. Mr. Ortiz.
Mr. ORTIZ. Thank you, Mr. Chairman. Maybe you can help me. What percentage of the global market for encryption product is currently captured by the United States industry? Do we have any idea?
Secretary HAMRE. Mr. Ortiz, I will have to try to get an answer back for you. I don't know the answer to that. I think the way to look at it is in value terms, not in numbers of programs. There are lots of programs that people are trying to sell. But the bulk of the market is still very much dominated by the United States. By the way, we want it to be that way. We want American companies to dominate the world, not just because we deserve it and we are better than anybody else, but it is good for national security. I will have to get you an answer.
[The information referred to can be found in the appendix.]
Mr. ORTIZ. Just one more question. If this legislation passes, what do you expect will happen within the next 5 to 10 years? What kind of serious problems will we be facing?
Secretary HAMRE. I will defer to Ms. McNamara to describe with greater precision. My view is that almost immediately we would see very, very strong encryption products fall into the hands of foreign governments, foreign militaries, many of whom we have to meet on the battlefield. And so almost right away we are going to lose one of the huge advantages that the United States has when it goes to war, and that is the ability to stay ahead of the other guy because we are able to know more about him. And that is what would happen almost immediately.
Ms. MCNAMARA. I would second that, and I would add that in those areas, nonmilitary areas, we would see the export of strong encryption, but there is not yet an infrastructure that will allow it to be used globally. The reason—and as I acknowledged during my remarks, there is strong encryption out there in places. We are not seeing it used broadly today because there is no management infrastructure which will allow the global exchange of keys to allow it to be used. It is being used in industries, it is being used in multinational corporations, it is being used in sectors.
Mr. ORTIZ. Thank you very much.
The CHAIRMAN. Mr. Bateman.
Mr. BATEMAN. Thank you, Mr. Chairman. It will become apparent very quickly that I know little or nothing about the technical aspects of this subject. That does not mean I am not interested in them and concerned about them. And I can assure you that I sense it is beyond my ability to fathom on a technical level, I put great credence in the people who are looking after the interests of this country which I think are most important. And that means I am going to follow the advice and the guidance of those who are seeking to protect our national security interests, even if there is some jeopardy of our economic interests.
Now, I have read the memorandum that is in front of us. I have listened to your statements. I want to read a part of this memorandum and have you all try to explain to this very lay mind why we have not already given away the store as it relates to this issue.
I read from the memorandum that says: In spite of these national security concerns, controls over the export of U.S. origin encryption products continue to be liberalized. In June, 1997, Netscape Communications Corporation and Microsoft Corporation received permission to export encryption products up to 128 bits in length for use exclusively in banking and financial transactions.
Well, if they can market it to someone who says they are going to use it for banking and financial transactions, what prevents a drug billionaire from setting up a banking and financial corporation, getting the stuff, and then using it for reasons having little or nothing to do with the front that has been created? Are we not already inviting difficulties?
There is more of this, but the last and most significant remaining item is: The Administration also abandoned its insistence on development of a key recovery infrastructure.
If we have abandoned insistence on that, what is there left to argue about in terms of whether or not we are going to allow encryption or how much encryption we are going to allow? Can you all clarify that for me?
Secretary HAMRE. Ms. McNamara can do a great deal better than I. But I think the example of banking is a great example. We talked a lot about this a year ago when we were looking at the liberalization and the reason we agreed to do it in the banking sector, this is a fairly highly regulated industry and there are other ways for us to get lawful access to transactions to be able to find out something if we feel that there are reasons, that there are drug dealers that are laundering drug money, et cetera. There are other ways to get at that without having to have the ability to break a code.
That is exactly why we thought we could liberalize it, because we thought about this very carefully, and there are other areas where we cannot do that because there is not such a strongly regulated environment that lets us get lawful access to the information. I think that is a very good example of why we could tolerate it in that area and it doesn't constitute a major security risk.
Now, on the issue of key recovery, key recovery is anathema to an awful lot of Americans and it is because it has this specter that America's government is going to be listening in on every conversation or looking at every e-mail message we send back and forth. First of all, that is a terrible mischaracterization of the situation, because there is absolutely nothing that we are going to ever do that is not done through absolutely lawful means worked out that we do to protect everybody's privacy in this country.
Frankly, you do a lot better job protecting Americans for privacy when it comes from the government than do you from the private sector. I mean right now, the private sector is selling your personal phone records to anybody that wants to buy them and there is only one party that can't buy them, and that is the United States Government, for your privacy. That is the kind of irony we have in this situation. But it is the Fourth Amendment to the United States Constitution. And if you call us to go off and fight and protect and defend this Constitution we will do it. And that is part of it. It is part of the encumbrance that we gladfully accept because this is a great country.
Now, key recovery, there is a difference from mandating key recovery on everybody else and preventing us as a Department from buying key recovery for ourselves. We have to have it for ourselves. I am not going to try to impose it on anybody else, but, for crying out loud, don't keep it from us. We have to have it just for our own network security.
Mr. BATEMAN. Perhaps I am not properly understanding this sentence. It says: The Administration also abandoned its insistence on development of a key recovery infrastructure.
Are you telling me that we have retained that which we need to retain and that there is no problem with a policy decision to abandon development of a key recovery system?
Secretary HAMRE. Sir, I think what whoever authored the memo was saying that we abandoned any requirement on a national level to have a nationwide key recovery system. That is true because that is just not acceptable to Americans. But we have not abandoned the goal to try to have voluntary key recovery for the government where the government wants it and needs it, and that is us.
Ms. MCNAMARA. I would second that, Mr. Bateman. I think perhaps in the writing of the memorandum the word ''mandatory'' may have been eliminated or forgotten. But what we abandoned was a requirement for mandatory key recovery in the U.S. and that gets at—it was unacceptable for a whole host of reasons but we absolutely need to have it on a voluntary basis.
If I may add to the Secretary's answer about finance, we have long, as a government, given preferential treatment to the banking industry for the use of strong encryption because we always recognized that as a crucial element of our ability to have a strong government and a strong financial world, and that continues in the relaxation policy to the banking sector and the financial sector because they are heavily regulated industries.
If a bad guy were to gain access to what you cited as having been approved for export, and we needed to for whatever reasons, because it was a national security issue and we needed to be able to provide foreign intelligence about that bad guy, we would know how that product works. Because as I said in my testimony, a component of the licensing regime is a technical review of products even for those that are being exported as approved, so we would understand how that product works and the best minds in this Nation would be put to work on solving the problem, as long as it was an individual problem, and we would not expect to see them take—be able to take maximum advantage of a product that was released for the banking sector.
Mr. BATEMAN. I would be more comfortable with less liberalization, as long as you have a procedure in place where the government cannot go around snooping on anybody and everybody's communication without some necessity for showing good and proper cause for being able to do so, that it affects the national security interest of the Nation. If that safeguard is in place, I would be much more, much more restrictive on encryption than I even hear from the witness table.
Also, I see this memorandum references to a Senate bill that has been reported out of the committee. Are you as concerned about the Senate bill as you are the House bill?
Secretary HAMRE. Yes.
Ms. MCNAMARA. Yes.
The CHAIRMAN. Thank you, we will break for the vote and then come back.
The CHAIRMAN. The meeting will please be in order. I understand Dr. Hamre has to leave before too much longer and we want to try to go ahead and get to the Members to have the opportunity to ask him some questions. Mr. Kennedy.
Mr. KENNEDY. Thank you, Mr. Chairman. Let me begin by saying that it is always a pleasure to have you, Dr. Hamre. Ms. McNamara, I want to thank both of you for the tremendous work that you do on behalf of our government and national security. At the outset, I just want to say how much we appreciate on this committee all of those who dedicate themselves to protecting this great country of ours.
I am interested in this issue because I think it is a cutting edge issue. I have been in some of those closed door briefings to fully appreciate the enormity in your task to try to determine what our intelligence, how our intelligence is so crucial to deploying our resources accurately. I really appreciate the fact that you are concerned about being overwhelmed by what encryption, letting go of encryption will do to your efforts in terms of trying to keep track of the various and myriad arrays of intelligence data that you need to keep track of in order to be able to keep a handle on things.
The way that I feel we are operating to try to choose a kind of a metaphor is that we are trying to hold back a tide here that is busting loose. And that is technology now bursting onto the scene like we knew it would and like we have heard it is for the last several years that I have been in this committee and you have been telling us about this impending problem. The fact of the matter is the problem is here, it is now, and that tidal wave is right at our ears.
The question is how are we going to address this. It seems to me, and I have studied this issue and talked to many people in the field, that the United States when it comes to this technology needs to definitely partner with the high tech community. The reason I say this is it certainly seems to me when you said that it is important that over the next few months, Dr. Hamre, we intend to show the tech community how we are going to try to keep pace, we intend to keep pace.
I remember you saying it because I jotted down notes. Everybody that I heard, and I travel quite extensively and meet with these tech people, I am constantly amazed at how quickly things are changing. Things that are here today are gone tomorrow and outdated. The notion that we could even presume to keep pace within our current bureaucratic system, and I appreciate your spirit in which you said that. And in the next few months we intend to show that. If you just hear that language, that language itself doesn't keep pace with the ever changing technology, changes that are happening in the high tech arena.
What I am trying to say is when we have a number of closed door briefings on X program or Y program, I am always amazed at how quickly it ends up in the commercial market. It is like we come up with it; and before long, we are selling it. I am saying to myself, how come we are selling it? It took us so long through the R&D process to come up with this, once we have arrived at the technology we are deploying it. Of course, for us for procurement reasons, we procure it and then we need to sell it for us to maintain a low per unit cost in whatever we are purchasing. So we end up selling it worldwide.
So this notion that we are somehow giving away the store doesn't rest well with me because the fact of the matter is I think from all of my experience here with all of the R&D programs that we come up with, we are always a few years just ahead of the curve, in this case probably a few months to a year ahead of the curve; but we are never that far ahead of the curve. By and large, our commercial interests, the commercial interests of the world to keep track with us are always there banging on our door. Whatever we come up with is immediately out there. Then we have to begin that whole long R&D process all over again to maintain that cutting edge.
What I am trying to say is in this tech area, I think that we need to co-opt, if you will, American high technology because we are the leaders in the world. The fact of the matter is if we are going to intend to be the leaders in the world for our national security purposes, it seems to me we want to work with them and make sure that this stuff is going to be sold anyway, why not make sure they are on our side. If the product is being sold all over the world, why not make sure it is our product, domestic companies that have some allegiance and some interest in this country because they know about and appreciate the values of this great country of ours.
I would ask you in a general sense given that kind of horse-out-of-barn-trying-to-shut-the-door-now, and given the fact that even with the treaty that you acknowledge, even France and the UK, I understand, are backing out or changing their encryption laws. Basically, what we are seeing is the devolution of that notion that there is going to be a consensus. There is no uniform encryption now of standards. It is starting to even eat away at our allies, and France and the UK are starting to give some relaxation to their key escrow encryption. But with that, let me just ask you whether you don't think that with all of these comparable foreign design manufactured encryption that is being sold internationally, don't you think it is important for us to keep hold of our—the world marketplace that the U.S. companies have so that we can somehow co-opt this bronco that has gotten out of the barn and let's ride this thing as opposed to think that we are going to help protect ourselves by just shutting the barn door after this horse is out.
I might add, finally, if you could comment on—we are operating here it seems to me in sort of a flat earth environment here with respect to this technology and we are in a round world. With that, what are you doing to get up to speed to deal with the ways around encryption now that we know we are facing the onslaught of encryption? What are we doing to address the human intelligence angles and other areas where we can begin to continue to monitor these areas that we know are vulnerable?
So, with that I would like to thank you both for your presence today.
Secretary HAMRE. Thank you very much, sir. First, I don't think anybody is trying to close the door on a barn when the horse has run out. I think the analogy, as I mentioned earlier, is one of trying to live with the rising tide and not have it become a tidal wave.
We know this is changing. Nobody is going to stop that. Nobody is going to reverse that and nobody is proposing that. It is a matter of how fast can we move ourselves and regulate the environment where it is truly dangerous so it doesn't get into a truly dangerous area before we can get there and have some solution to the problem. So we are really trying to manage a problem, not prevent a problem. You can't prevent the spread of this technology, first of all.
Second, I think this gets to a reason why it has to be done and it is best done in a regulatory environment not in a statutory environment. The very problem we are wrestling with some super computers was ''super computer'' was defined in law two years ago as being a 2,000 MTOP machine. This fall it is going to be a laptop that meets the 2,000 MTOP machine. Which means you can't really do it in a statutory environment. You need to do it in a regulatory environment.
The problem is that you don't trust us. You are skeptical that we, the Administration, are going to be on the one hand moving fast enough for some people and on the other hand protecting security. So that is a backdrop of everybody's resistance right now. We are going to have to reestablish a pattern of confidence and trust with each other. We are trying just as hard as you are to protect national security. We are not more for national security and you are less just because you feel that you are trying to push us on this technology issue. We are all trying to work on these issues together, but it is best to do it on a regulatory environment and we have to reestablish in you confidence in us. I think that is an important part. That is what we are going to demonstrate with some of the changes that we are making.
You said about France and the UK, they have been pretty good models about how we should all evolve. The UK when Prime Minister Blair said, I am going to promulgate new regulations in the laws for encryption, he brought everybody in and he said, you companies are going to watch out for national security interests at the same time.
That is exactly the model that we are trying to establish around the world. I think that—what France is doing—France is actually very strong on these issues. The UK is very strong on these issues. They are trying to do exactly what we are trying to do, to create a regulated environment where everything is done through lawful means, but we can stay ahead of the bad guys in the areas where there is the greatest risk and not hurt commercial interests in the process.
I actually think that is exactly what our policy is. That is what we are trying to do. It turns out that we need to move fast because this technology moves fast and that is exactly where we are trying to be at, sir.
Mr. KENNEDY. If I could just follow up briefly. The notion I have here is if we are going to bring the tech folks into the room, the only way they are going to be of use to us is if they have market share and they stay ahead of the technology. But they can't stay ahead of the technology and have market share if we are hamstringing them at the outset. In other words, for them to be effective for us, we can't micro-manage them or else it is belying the purpose of us partnering with them because they won't have the ability to help us when we need them to help us, and that is to give us the best scientists who are working on this to help us find ways that we can cope with these new technological advances.
Secretary HAMRE. Again, sir, I don't mean to be disputatious, but I don't believe we are hamstringing them like the lobbyists are telling you we are. I think that is overstatement.
Ms. MCNAMARA. May I comment? First of all, we agree that national security wants and needs U.S. industry to dominate the marketplace. We are unequivocal on that point. So you and I, none of us is in disagreement in that regard.
A licensing regime allows us to manage what we are confronted with overseas and fosters an environment for U.S. industry to talk to U.S. Government on the development of their products. The licensing regime and regulatory regime fosters that type of environment. Absent that, there is no rationale or reason why U.S. Government and U.S. industry would, as a natural act, have those conversations. So the licensing regime would do it.
If you eliminate it, export controls which the SAFE Act does, thus doing away with the licensing regime because there would be nothing to license, there would be no environment that would—there would be no environment or any means to foster that environment. Yes, that could be voluntary. I am not saying that industry wouldn't come as a voluntary act in some cases. But the regulatory regime fosters that environment.
With regard to the change in the UK, the French and the UK are both signatories of the Wassenaar Agreement which gives them an umbrella document against which to form their own export control regimes. Those regimes are following what the U.S. regime is today. The change that you read about, about the UK, was their abandonment of the requirement for mandatory key recovery. Key recovery is an enforcement issue. It is not a national security issue. We need to separate those two. Key recovery is an information assurance aspect. It is not a national security aspect. So they haven't backed off at all except to follow suit as the U.S. Government has, and that is to abandon the mandatory requirement for key recovery. In terms of their export control processes, they are exactly in track at the moment with the U.S.
Mr. KENNEDY. Thank you. Thank you, Mr. Chairman.
The CHAIRMAN. Mr. Weldon.
Mr. WELDON. Thank you, Mr. Chairman. I appreciate both of our witnesses coming in today and the conversation I had with Dr. Hamre at length over this issue. Last year I offered the amendment in this committee that passed 45 to 1 to maintain the security concerns that you have told us about. I only wish the debate on this bill in the Congress weren't so much being heavily driven by the absolute desire of both parties to curry favor with Silicon Valley for campaign donations. That is offensive to me because while it may benefit my political campaign financially, in the end on this committee our concern should be national security.
All of us in this country want to see our companies prosper and be able to lead the world market. There are none of us that want us to be isolationist and hurt our companies. I think for any of us to think that there are some Members who want to hurt American industry is trivial at best and certainly totally false. But the question is we have an obligation as committee members to listen to people like John Hamre and Ms. McNamara, who I have the highest respect for.
John, you know this, I said this publicly, you are one of the stars of this Administration. I don't often give many stars to this Administration, but you certainly are one of them for your work, and I respect your integrity. We need to listen to what you say not because you want to hurt industry but because you want to make sure that our security concerns are being met. I want to tell you, and I know I am going to offend some industry people in the room and that is the way it goes, I am not going to shed crocodile tears for companies that back in 1992, 1993, 1994, led the effort, and in some cases illegally, to transfer sensitive technology abroad and then come back to us and complain that our export controls aren't loose enough to allow them to maintain their market share.
They were so aggressive in the early 1990s and in some cases got approvals, one of which I have some documents, Mr. Chairman, which I would like to submit for the record. One is a letter dated July 5, 1995, to Ron Brown thanking him for giving approval to the export process for an encryption algorithm to China. During our China committee hearings, that is all we heard about. And while that whole Cox Committee report is being spun to be China's espionage, the bulk of our problem in the 1990s was the total relaxation of the controls that we had and the ability of the Defense Department to play a legitimate role in monitoring technology that was being made available.
I disagree with Ms. McNamara on the Wassenaar process as many of my colleagues do. I think it has not been the success that perhaps we would have had in our COCOM. I would like to see the Administration take a more direct leadership role in bringing the nations of the world together to see if we can't put into place a stronger mechanism of cooperation to stop this auctioning off to the higher bidder of who can gain the most market share simply because of their ability to influence their government's export policies.
Mr. KENNEDY. Could you yield?
Mr. WELDON. Not yet, I want to finish my comment first.
I would just ask for the record, Dr. Hamre, if you would, in fact, agree to a letter that you sent me dated May 24, for those who were saying that we are hurting our export policies. This is the quote that I am reading from if you could just confirm this. I would like to put the entire letter, Mr. Chairman, into the record if that is okay with you.
[The information referred to can be found in the appendix.]
The CHAIRMAN. Without objection.
Mr. WELDON. You said last year we actively worked inside the regulatory process to update our export policies opening approximately 70 percent of the world's economies to U.S. encryption products.
Is that correct?
Secretary HAMRE. Yes, sir, and it will get even wider here.
Mr. WELDON. 70 percent?
Secretary HAMRE. Yes, sir.
Mr. WELDON. So to characterize this as an attempt to try to limit the effort, I think is certainly false on the surface and utterly ridiculous, in fact, in depth. Let me also say, Mr. Chairman, I think as we look at this issue we need to look at the backdrop that occurred in the past several years in allowing certain companies to get access to sell their encrypted products abroad.
In particular, I am very concerned about the 1996 decision to allow RSA Data Security to reach an agreement with the People's Republic of China in terms of sharing encryption technology for use on government networks. I think that is going to come back to bite us as a country because we, in fact, have helped China develop the most capable encryption because of the capabilities that we give them.
This gets back to the heart of the issue of making sure that the Pentagon and the intelligence community and the NSA have a role in the process of what we are selling. I am not saying that we should have a veto authority, but they should have a role in that process. They should be able to share with Members of Congress and the Administration the very real concerns of security and the implications that could come back to cost us significant amounts of dollars.
Dr. Hamre, do you have any idea as to what the cost would be, first of all, for establishing a counter-encryption effort if, in fact, we had to do that? That is one question.
Number two, can you confirm an article that was in today's Christian Science Monitor that quotes the author from a recent Rand Corporation report, Tom Regan, as saying that Osama bin Laden is, in fact, using information technology to facilitate his terrorist activities, and wouldn't it be logical then to assume that if Osama bin Laden is using information technology that perhaps there would be some attempt to use encryption technology to mask these activities from national security agencies and officials? I don't know whether you saw the article today or not, but it ran in this morning's Christian Science Monitor.
Finally, as a question, maybe we ought to look at the fact of perhaps if this policy were to be changed, and we totally removed the ability of monitoring or stopping encryption exports, maybe we ought to look at the idea of perhaps having those companies that are involved in selling their encrypted technology to an individual or entity that we then find out who is involved in a criminal act, to hold them liable and hold them accountable for the use of that highly capable encrypted technology to pay the price for the damage they have done because of a criminal activity that could not have occurred perhaps without the support of this highly capable encryption. Dr. Hamre.
Secretary HAMRE. Mr. Weldon, first, let me thank you for the leadership that you provided last year when this was crucial. If it hadn't been for you, this would have just rolled right over the national security, and I thank you for that.
On the first question about the dollars for counterintelligence if this were to disappear, it would be an enormous number. I don't have one right now, but I will try to give you a reasoned assessment. We still have to do better on counterintelligence in this country even if we were not to pass the Goodlatte bill. We are just not protecting ourselves well enough across the board. We are going to have to spend more on counterintelligence, period. This would just swamp us if all of a sudden we had to find ways to get around this problem. But I will give you a more reasoned answer.
Sir, I did not see the article in the Christian Science Monitor and I am somewhat constrained obviously in an open setting to talk about this openly, but I can unequivocally tell you Osama bin Laden and other bad guys in the world are not only using information technology but encrypted information technology.
Mr. WELDON. For the record, if you could go maybe in a classified setting for us in more detail because Members need to get into this issue in-depth and that can only take place in a classified setting and not the public where the rhetoric overtakes the substance of what is involved with this issue.
Secretary HAMRE. I will, sir.
Mr. WELDON. I see all of my industry friends shaking their heads back there because they don't want to see it happen, but I can tell you as a Member of Congress, we will demand that take place.
Please focus on the third point.
Secretary HAMRE. On the issue of liability, it seems to me everyone has a requirement. It is not terribly different than someone else uses a product to commit a crime. I don't know how we could accept that. Now, I can't get into—you are not talking about issues that only Members of Congress can resolve when you start talking about assessing liabilities and passing laws and that sort of thing. What I do is I welcome very much the attention that you are placing on the responsibility of every American, not just your law enforcement and national security people, to worry about the protection and security of this country, and I thank you for that.
Mr. WELDON. If my Chairman will allow me, and you may not want to answer, but if this were to pass, could we look at perhaps passing some kind of a liability or penalty on those companies whose encrypted products are sold and we find that that encrypted product has, in fact, been used in the course of illegal activity by a foreign national or a terrorist group.
Secretary HAMRE. Sir, the reason that I was ducking your question, and I was ducking your question, is because if I were to give you that answer it would come across as an official position of the Department of Defense.
Mr. WELDON. How about a personal answer.
Secretary HAMRE. Personally, I would pass it in a heartbeat.
The CHAIRMAN. Mr. Andrews.
Mr. ANDREWS. Thank you very much, Mr. Chairman. I thank the witnesses for their testimony this morning.
This appears to be an issue where there appears to be broad consensus or even unanimity about the right propositions or answers, but almost no understanding of the facts.
And I think what you have done this morning is to lay out some very important factual questions that must be answered before the Congress can take action on the legislation that is before us.
It is interesting that the hearing room is almost about half empty, half full, depending on your point of view today. You don't see any television cameras here. If we will put out a release saying that we were having a hearing this morning on whether we were going to be able to stop an international terrorist group from hacking into the launch codes for nuclear weapons and redirecting the nuclear weapons at the continental United States, our weapons, if someone had the ability to do that whether we would have the ability to break in and stop them from doing that we would have to shut the room off because the place would be overflowing with people.
It is not an exaggeration to say that is what this hearing is about. It is about whether someone gets that kind of capacity, whether we are in a position to stop them from using it. It is also true that if we are ever going to have a hearing about the loss of tens of thousands of American jobs because we were artificially cutting off exports of our companies and that we were going to pass a law that would lead to the loss of tens of thousands of jobs, we would have the room filled with angry constituents, I am sure.
I think there is unanimity. No one in either party on either side of this debate wants to cripple the defense capability of the country or the law enforcement capability of the country. On the other hand, no one on your side of the debate wants to deprive American employers of opportunities that are rightfully theirs. You can start with that proposition, we are all trying to go to the same place.
I think the key factually to this whole debate is found on page 8 of your statement where you address the argument of the proponents of this bill, that the elimination of encryption export controls wouldn't really make any difference because these products are already out there being broadly sold and distributed by our international competitors. So their argument sort of is that eliminating the export controls won't do us any harm because these products are all out there anyway. I think that you raise what is the key point when you say that the foreign availability argument is seductive but flawed.
We know that not all products reported as available overseas are actually available. We also know that some of the products in the foreign market are poorly implemented. Others have non-existing user support or may not be widely used. The key importance of that fact is that if these encryption products are not broadly available on the international market, we would then not be asking our companies to give up a competitive edge. The question becomes relatively easier. I think that we in the Congress need to talk about a method for answering the question that you have raised both on a classified and unclassified basis. Because for products that are clearly available in the international market now anyway, it makes great sense for us to cut back on the bureaucratic process of gaining an export opportunity. If something is already out there, we are foolish to deprive our own companies of the ability to traffic in that marketplace.
But where it is unclear that it is out there, that is when the hard question comes in. When it is clear that it isn't out there yet, then it seems to me to be a compelling argument that we ought to create some licensing process, some meaningful security review that before our companies are given the chance to put the product out there that we have thought through all of the security ramifications of putting it out there.
I think that we have to divide the world into three components: Products that are clearly out there where there is no security loss to permitting free competition by our people; products that are clearly not out there, where I think it makes great sense to have a thorough vetting review process, where, as Mr. Weldon just said, there is a significant role, not a veto role, but a significant role for national security agencies; and then products that are in between where it is not clear, there ought to be some fact-finding system that helps us understand that.
I am quite convinced that the bill in front of us does not do that, does not create that discrimination among cases. I think that it very clearly raises the risks that in order to rush to commercial opportunity, we may be stumbling onto a security risk that we don't want to do.
I want to ask you a question based on that analysis, and that is are the intelligence data available, or the technological data available to conduct such a review that I just outlined for you? Is the Department prepared, either on a classified basis or unclassified basis, to tell us and the public, if appropriate, which encrypted products are really viable for use around the world and which are not?
Secretary HAMRE. Let me defer to Ms. McNamara to give you a technical answer, but let me make a pledge to you. We will come back to work with you in any form or venue. Some of it will have to be classified to give you exactly our assessment of that question. And we will be honest. We are not going to try to skew it and try to win talking points for a debate on the floor of the House. Where there is a very strong product out there and the foreigners are marketing it and it is hurting our companies, we will admit to that and we will agree to that. We are not trying to hurt our companies. We also think that American companies ought to be honest about the market that is hugely available that they are misleading you to pretend that it is not available to them, and it is. We will be glad to sit down and go through that, but let me defer to Ms. McNamara.
Ms. MCNAMARA. Mr. Andrews, thank you. We actually did such a study in 1996. We have not done one since. The results were classified. It was a tremendous undertaking. It is tremendously manpower-intensive after one gathers up products around the world. So it has been done in the past, it could be done in the future, and it is not something that is done easily, lightly, or in short order. I think that it took us one full year to, first of all, round up all of the products and we do spot checks now. But anything that would come from our agency would have to be a classified answer.
Now, some of the industries do annual reports on availability, but it doesn't get at the issue all the time that you actually raised. Does it, do they actually function the way they do, is there accuracy in packaging?
Mr. ANDREWS. I would go back to the Chairman's statement of June 9 which Dr. Hamre makes reference to in his statement. I think the Chairman of the committee is exactly right in suggesting that it is our job on the week of the 19th of July in this markup to try to strike the balance that we just talked about here. I think the underlying legislation strikes the wrong balance. Our goal should be to institutionalize a process where the review that you undertook in 1996 goes on on an ongoing basis and, most importantly, where you reach a conclusion that there is a potential security risk to the country that there are consequences to that decision, that it is not just a decision that you reach.
So I would associate myself with the Chairman's June 9 remarks and I would offer my interest in cooperating with the Chairman and with the Administration to try to strike the proper balance when this bill comes before us next month, or this month.
Thank you, Mr. Chairman.
The CHAIRMAN. We are going to break for this vote. I understand, Dr. Hamre, you have to leave while we are—.
Secretary HAMRE. I apologize. I am supposed to be at the White House at 11:30. If I might take my leave, I will come back at any time, either at a hearing or to brief anybody. I would be honored to.
The CHAIRMAN. Well, we appreciate you being here today and we will call on you again in the future. But we will break now for this vote and be right back.
The CHAIRMAN. The meeting will please be in order. Mr. Taylor.
Mr. TAYLOR. Thank you, Mr. Chairman. I am going to be very, very brief. I want to thank Ms. McNamara for expressing her concerns about this. I was recently given a copy of a letter dated October 27, 1993, signed by a number of members of the California delegation, Republicans and Democrats, including some real surprises. And the quote on it is to Secretary Christopher and it is arguing against the State Department's recently imposed category 22 MTCR sanctions against China. It is written on behalf of Hughes Corporation.
And, of course, the great quote in there is: ''You will find that Hughes' satellites are guarded around the clock by U.S. Government and Hughes personnel during their time in China, and the Chinese have no opportunity to touch or even view the embedded MTCR technology; therefore no technology transfer is possible at this time.''
I think our Nation, having been burned at least once in trying to commercialize things that have a military applicability, needs to be extremely cautious in the future; and I commend Ms. McNamara and I commend Dr. Hamre for expressing their concerns today and I hope this committee is listening.
Ms. MCNAMARA. Thank you for your support, Mr. Taylor.
The CHAIRMAN. Mr. Smith.
Mr. SMITH. Thank you, Mr. Chairman. I guess I should preface my remarks by saying when Congressman Weldon referred to the 45-to-1 vote last year, I was the one. So I have a different viewpoint on this.
And I also want to say—I am sorry Mr. Weldon is not here. I do not in any way question his motives on this. I do not believe he is arbitrarily trying to shut down the industry or blindly supporting national security. I just wish he wouldn't be so quick to question the motives of everybody else and say that we are willing to sell national security out for a few campaign checks from Silicon Valley. I don't think those sort of statements help debates like this in the least bit and for my part, they are not accurate. There are legitimate differences of opinion on this issue that should be aired and should be presented. And my difference of opinion starts with a couple of points.
One, it was asked earlier, Why does the industry care about this? It is not a hard question to answer. They care about this because encryption is very, very important to a large number of products.
They care about it because the best encryption is going to sell. As e-commerce expands, as a variety of different technologies expand, having the ability to encode that data, whether it is a credit card or financial information or anything, is going to be a critical part of a product; and the person that has that best product is going to get a tremendous advantage.
And I guess the analogy in all of this for me is because it is so important, trying to control it is going to be difficult. I mean, you can think of prohibition, gun control. The bottom line is people really, really want alcohol and in our country really really want guns, so passing laws to prevent them is going to be difficult. And I think everyone would agree with that. I want to make sure that the committee members understand how important encryption is to these products and how, if you have the best encryption in your product, you are likely to get the sale and if you don't, you are likely to come in second place. And second place in the information technology business means that you don't sell anything. So it is very important and that is why it is important for people to be able to export it.
And I guess the first question I have, and I have several, is there is a report out now that says—let me get the numbers right—there are 805 foreign cryptography products being sold from 35 countries out there. This stuff is becoming widespread and at least 167 of those are top of the line. And it is also important in this debate to get the top of the line. When Mr. Weldon said that we will allow exportation of a lot of products, we do; 56-bit encryption which can be broken in, gosh, I don't know what it is down to now—a while ago it was 4 or 5 days, it is probably down to 4 or 5 hours now—how quickly you could break that 56-bit code so the person with the 128-bit, that is what they are looking for, is going to be able to sell that product.
And the Wassenaar Agreement is not binding in any way. I mean, it is not like if somebody were to export tomorrow, we would have any way to punish them. There is already evidence that a lot of this exportation is happening so it seems like the product is out there a lot more widely.
And one more final point before I turn over to answer the question. We mentioned the Christian Science Monitor article about bin Laden having access to IT technology. We agree with two things on that: Number one, I am certain that he does; and number two, I am certain it is very, very important and very dangerous. No question about it. But he has that technology within the existing export regime.
If this export regime we had was working so well, if this was, you know, what we needed to do to prevent bad guys from getting access to technology, what is he doing with it? And the answer to that question is because the technology is so widespread.
And I think there is one other attitude that has permeated this hearing that is wrong, and that is that somehow only people in the U.S. can come up with the best product. There is no way somebody in India or Argentina could develop this technology on their own, which is ludicrous. The nature of technology is that incredible leap-ahead advancements have been done in the most obscure places. Just some very, very bright guy with a lot of time working on equipment has developed incredible software and incredible new technology products and it will continue to be that way. And I just don't think at the outset that we are fully explaining in this hearing the degree to which that technology is in fact out there.
Ms. MCNAMARA. I can't argue with your numbers, Mr. Smith, because I just don't know whether those numbers are 100 percent accurate or not. There are a lot of countries, as I said. There are 33 signatories to Wassenaar, each of those signatories is a producing nation of encryption. So in terms of the overall products, I can't tell you that.
In terms of strong encryption, yes, there is strong encryption out there. A lot of it is U.S., and a lot of it has been approved through the licensing regime. I think I need to correct the fact that there is top-of-the-line U.S. encryption that has been approved for license in very large areas of the world.
Mr. SMITH. I agree with you on that.
Ms. MCNAMARA. We are not approving only 56-bit encryption. There is 128-bit encryption that has been approved for the finance sector, the health sector, the insurance sector, the banking sector, U.S. corporations and their international subsidiaries for the purposes of e-commerce and the like.
So I think the statement that it is only 56-bit encryption that is being approved by the Administration is dated.
Mr. SMITH. Some of it is. Some of it is only 56-bit.
Mr. SMITH. What are you prohibiting from being exported?
Ms. MCNAMARA. We are prohibiting for end use and end users so that we can shape the environment to be able to sustain our capability to prosecute in foreign intelligence—by foreign intelligence means, foreign militaries and foreign governments for the most part. And that is not prohibited either, let me say. There is no prohibition.
When I say that we are looking at it, it is through the process of individual licenses based on the end use and end user. All of those other sectors that I described are not individual licenses. They are in some cases license exception, which means for the most part they are license exception. They have to be looked at—a product has to be looked at, one, by the government, and anybody else who designs that product or a similar product is allowed to export. So for the record, there is a lot of very strong top-of-the-line U.S.-designed encryption out there recognizing the market and the use.
Mr. SMITH. And I think that is good. What I question is the limitations we place on it because of the availability of this data elsewhere that is out there. And I want to say, I mean I completely share the national security concerns. I know encryption technology is of national security importance. What I question is our ability to keep up with it. And I think there is a lot more out there than we are admitting and that we are hearing.
And on the bin Laden point, that is sort of what this is all about. We do this to prevent people like bin Laden from beginning access to encryption technology, that is the definitive argument. And yet here we have an article that says he has it. How does that not argue that the policy is failing?
Ms. MCNAMARA. Well, as both Dr. Hamre and I said, you are never going to prevent an individual from breaking the law. Individuals speed through school zones all the time, but our response is not raising the speed limit in a school zone. And our response to the fact that an individual like bin Laden does have access to high-tech, high-end technology should not be the rationale for eliminating, in their entirety, export controls. And that is what the SAFE Act does.
Mr. SMITH. Two quick points. First of all, there is no downside to limiting the speed in a school zone. You are not costing your economic advantage. And particularly if you add that on to a comment that has been made a couple of times that U.S. domination of encryption technology is critical to national security. You have made that point several times and I couldn't agree more. And there is a substantial downside to placing restrictions on our companies and limiting their ability to develop it and that we will slowly lose that U.S. domination. And I will let this go.
There are other people who I am sure want to testify, but early on you said, without encryption controls, strong encryption would become ubiquitous. That was your argument. I guess what I would say is what technology has told us in terms of how quickly it has advanced is that with or without encryption controls, encryption will become ubiquitous in a very short time frame. The degree to which other countries are leaping ahead on technology, other countries that either don't belong to the Wassenaar Agreement or countries like Canada that I believe does belong to the Wassenaar Agreement and still exports 128-bit encryption technology are out there. Soon it will be ubiquitous. We will have the ubiquity that we fear without the leadership that we need to deal with it. That is my argument.
Ms. MCNAMARA. And I would only add to that, sir, that Canada is a signatory to Wassenaar. They do export 128-bit encryption, but so do we for specific end use and end users.
Mr. SMITH. Canada doesn't have that limit, though.
Ms. MCNAMARA. They do in terms of—the product that you are talking about was exported by Canada to their signatory—their signature to Wassenaar—prior to the Wassenaar Agreement, and since then they have put controls on. I am just explaining the facts as I understand them. And so there is a lot of disinformation out there. There are lots of generic statements being made. In fact and in practice they are not true. And I don't know how else to comment on that.
In terms of what we are denying, we are not denying; what we are saying is the licensing process allows U.S. Government to review products that industry is manufacturing and proposing for sale. The elimination of export controls would essentially eliminate or does eliminate any need for regulatory review of those products. When those products are reviewed and we understand the end use and the end user, and the national security implications of such, we work with the companies and many, many products are exported because there is no national security issue at risk.
Mr. SMITH. Thank you.
The CHAIRMAN. Thank you. Mr. Abercrombie.
Mr. ABERCROMBIE. Thank you very much, Mr. Chairman. Ms. McNamara, thank you for being here today. I am especially pleased that you are, because to the degree and extent your testimony has not been read by other members who couldn't make it today, I am certainly going to try to make it my obligation on this committee to see to it that everybody does.
Ms. MCNAMARA. Thank you very much, sir.
Mr. ABERCROMBIE. I want to take issue with just one of your statements in here, but not for the purpose of engaging in an argument with you about it but to try to make a point which I hope will complement what you had to say.
On the end of page 2 in your last paragraph there, ''the interests of industry and private groups as well as the government must be taken into account'', the sentence before that: ''While our mission is to provide intelligence to help protect the country's security, we also recognize there must be a balanced approach to the encryption issue.''
I take the balanced approach to mean what you just discussed previously; that if there is no national security interest, obviously you don't want to do it. But we don't mean balanced here in terms of letting industry badger you or anybody else into trying to sell something that you believe is against the national security interest?
Ms. MCNAMARA. Your first characterization is correct, sir. I meant balanced if there is no national security interest, then we are pleased to see U.S. industry populate the marketplace.
Mr. ABERCROMBIE. But this bill then as it is written right now, I guess, is trying to be sold to us on the grounds that it somehow strikes a balance. It doesn't do anything of the kind as far as I am concerned. It tips the balance way to the other side and eliminates the national security side of it at all.
Now, my good friend, Mr. Weldon over here, has made a case about trying to modify this bill and I believe he said in the course of his comments that he wanted this to be voluntary or he was not trying to give a veto, give a veto power to the National Security Agency or the Department of Defense. But I feel very strongly that you should have a veto power, because there is going to be no balance.
The question was asked of Dr. Hamre and you, what was involved in these companies? Can you see this from down there? Do you have an idea what I am holding in my hand here?
Ms. MCNAMARA. I noticed what you raised when the question was originally asked.
Mr. ABERCROMBIE. This has a picture of George Washington on it. They may change the size of the George Washington and so on over time and the design, but it still comes to the same thing. It is for money. And we spend $270-plus billion in this country every year on our defense and this committee has votes on literally life-and-death issues over people. And I could care less about somebody trying to make a buck off of the defense of this country and the lives of the people that are involved in it and that is what the bottom line is here.
Now, I think that you should have, and I think the National Security Agency within the Department of Defense should have veto power over anything with respect to encryption that it believes endangers the national security interests of this country. That puts a tremendous burden on you, but you may see an amendment to that effect come forward from this committee depending on what else evolves out of these hearings. And I just wanted to alert you that some of us feel very, very strongly. Do I sound like I am speaking strongly on this? I think so.
Ms. MCNAMARA. I find you very believable, sir.
Mr. ABERCROMBIE. Thank you. Let me just very quickly move to page 3. I won't take that as an encouragement so you can't get yelled at after. You said if—let me go backwards. If we take for conversation's sake here on page 3 in the middle of the page: ''If enacted, the bill would effectively decontrol most commercial computer software encryption and specified hardware encryption exports to all destinations, even regions of instability. It would also deprive the government of the opportunity to conduct a meaningful review of proposed exports to ensure its compatibility with national security interests.''
If we were able to put another amendment which would address specifically the signals intelligence role of the National Security Agency—and there I refer you back to your first page of your testimony—you say, It is the signals intelligence role that I want to address today. If we could craft an amendment that would specifically address that aspect, I am operating now on the premise for conversation's sake that we are not able to beat these companies who will give us all of this pious crap about what other countries will sell and all the rest of it and this is available generally and all the rest, but by the way—I am sure that is what we are going to hear. How they get up in the morning and take a look in the mirror and justify it is beyond me.
But if we are able to deal with an amendment that deals specifically with that, could that be done? Could we craft such an amendment that would address the specific issue or issues surrounding signals intelligence? Because I take it from your testimony you consider that the most crucial and fundamental aspect of the national security interests you represent.
Ms. MCNAMARA. From my vantage point, sir, I am speaking now from the National Security Agency, the impact of the export—the elimination of export controls on encryption impacts directly the signals intelligence mission of this Nation, and we have that mission for the Department of Defense and for the United States Government.
So in terms of the export control process, the elimination of export controls directly affects that mission.
Now, there are other aspects of this bill that we also have concerns about as Dr. Hamre talked, because it also denies the U.S. Government agencies the opportunity to use key recovery for their own purposes.
Mr. ABERCROMBIE. Yes.
Ms. MCNAMARA. And the National Security Agency has a second—another mission. I can't call it second because they don't like to think of themselves that way. And that mission is the information systems security advice and service and equipment for United States classified systems. And we feel very strongly as well about the aspect of the bill that deals with the prohibition of key recovery for government's own use.
Mr. ABERCROMBIE. Okay. Then with respect to the question of signals intelligence and key recovery, does the Department of Defense and/or the National Security Agency have language or could we request of you language that you think would address those questions in a manner, legislatively speaking, that would cover your concerns?
Ms. MCNAMARA. We would try and work with you on that. I don't have language to give you. We don't have language to give you. But we would happily work—.
Mr. ABERCROMBIE. You understand the reason for my question. I am not trying to put you on the spot so much as I don't want to come up with something where I am dreaming it up as we go along because I am outraged by the fraud of this bill. That doesn't get us anywhere. It gets us back on the rhetorical side of things. We will hear plenty of that back and forth anyway.
But if you have these concerns, I think it will be very useful if, in conjunction with the committee or with myself or with anybody else who is concerned this way, that we develop an amendment or amendments which would address specifically the questions—the two central questions that you have raised here today; because in the context of the bill as it is written, then, we would have to come up with an alternative that would address those questions and meet the concerns of those members of the committee which feel that that is legitimate and needs to be covered.
Ms. MCNAMARA. We will happily work with you.
The CHAIRMAN. Point well made, Mr. Abercrombie. Mr. Snyder.
Mr. SNYDER. I have no questions.
The CHAIRMAN. Well, it looks like that is about it, then. Ms. McNamara, we apologize for keeping you so long but we appreciate your contribution. It is important, as Mr. Abercrombie just said, that people understand the national security implications of this legislation. We are going to be looking into it further. We will probably take some other action and have a markup on it and then we will see where to go from there. But we couldn't do these things without your expertise in these matters and we appreciate it.
Ms. MCNAMARA. Thank you very much, Mr. Chairman, and members of the committee for your time. Speaking for Dr. Hamre and myself, we absolutely welcome your help and your support in taking on this bill and giving us the opportunity to be heard and to provide you with the information that we hope will be helpful to you in your deliberations. Thank you very much.
The CHAIRMAN. Again, thank you for your contribution. If there is no further business, the meeting will be adjourned.
[Whereupon, at 12:09 p.m., the committee was adjourned.]
A P P E N D I X
July 1, 1999
[This information can be viewed in the hard copy.]
DOCUMENTS SUBMITTED FOR THE RECORD
July 1, 1999
[This information can be viewed in the hard copy.]
QUESTIONS AND ANSWERS SUBMITTED FOR THE RECORD
July 1, 1999
QUESTIONS SUBMITTED BY MR. ORTIZ
Mr. ORTIZ. ''Thank you, Mr. Chairman. Maybe you can help me. What percentage of the global market for encryption product is currently captured by the United States industry? Do we have any idea?''
Secretary HAMRE. U.S. industry clearly dominates the world market with respect to encryption products. It not only has unregulated access to a domestic market of approximately 260 million savvy consumers, but it also has streamlined export access to roughly 70% of the world market in sectors such as: banks, securities firms, and their customers; subsidiaries of U.S. companies operating abroad; insurance firms and their customers; medical and health firms and their customers; and e-commerce applications to on-line merchants and their customers. U.S. industry is also allowed to export, in streamlined fashion, key recovery products to any end user and recoverable (e.g., network administrator controlled) products to most foreign commercial firms to protect their sensitive company data.
The Department hesitates to provide, at this time, percentages for U.S. industry's share of the global market. There have been numerous studies on the "foreign availability" of encryption products. Determining the "foreign availability" of encryption products is somewhat complex because a balanced policy on this issue requires a more nuanced metric than that of a linear count. Not all products reported available are actually available for sale and acquisition. In some cases, the advertised strength of a product's encryption is not the actual strength. Certain factors determine or undermine the usability of a product, even if a product is available, e.g., the requirement for a key management infrastructure, the lack of user support, a poorly implemented encryption algorithm, and availability of the product in only one country or market versus global availability. The government is currently assessing the extent and detailed composition of the global market to determine as accurately and scientifically as possible U.S. industry's share of the encryption market.
QUESTION SUBMITTED BY MR. KUYKENDALL
Mr. KUYKENDALL. As sophisticated encryption devices become more readily available to enemy forces or terrorists, either through enactment of this legislation or through foreign markets, what additional resources—personnel, technology, equipment, research and development—will be needed by the Department of Defense for national security purposes to protect our own systems and provide intelligence support?
Secretary HAMRE. [This information is classified and retained in the committee files.]
H.R. 850, THE SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
House of Representatives,
Committee on Armed Services,
Washington, DC, Tuesday, July 13, 1999.
The committee met, pursuant to call, at 10:37 a.m., in room 2118, Rayburn House Office Building, Hon. Floyd D. Spence (chairman of the committee) presiding.
OPENING STATEMENT OF HON. FLOYD D. SPENCE, A REPRESENTATIVE FROM SOUTH CAROLINA, CHAIRMAN, COMMITTEE ON ARMED SERVICES
The CHAIRMAN. The committee will please be in order. The committee meets this morning to continue its examination of the encryption issue and to receive the testimony on legislation that proposes to remove our control on the export of United States encryption products.
H.R. 850, the so-called SAFE Act, is before the committee on sequential referral until July 23. As I announced last week, it is my intent to schedule a markup of this bill next week. Prior to markup, the committee will also receive a detailed classified briefing in closed session from the National Security Agency concerning the serious national security implications of the unmonitored and unregulated export of encryption products. I urge my colleagues to take advantage of the opportunity presented by that briefing next week.
Two weeks ago, the committee heard testimony from the Deputy Secretary of Defense and the Director of NSA regarding the national security problems that H.R. 850 would create for our government's efforts to battle international terrorism and to combat a range of other crimes directed against Americans. There does not seem to be too much debate among those who have lived with this issue over the fact that strong encryption in the hands of terrorists, drug dealers, and other bad actors will make it harder for our government to protect American lives.
The national security impact of unregulated encryption exports ought to be, in my opinion, the central element in any debate over whether or not we should allow highly capable encryption products to be freely exported.
As I indicated two weeks ago, it would be both tragically ironic and unconscionable for Congress to make it easier for an adversary to do harm to Americans, and at the same time we are working as a government to improve security for Americans all over the world through numerous counterterrorism and other initiatives.
Beyond the so-called criminal element, which we will hear more about today, H.R. 850 will also put at risk the safety of our men and women in the armed services. Secretary Hamre was straightforward in his testimony earlier this month when he said, and I quote, "unregulated release of the strongest encryption is going to do one thing: Put more troops' lives at risk, period," end quote.
Our witnesses this morning are here to help us better understand the serious national security implications of H.R. 850, and accordingly, we are pleased to have with us today the Honorable Janet Reno, Attorney General of the United States; the Honorable Louis Freeh, Director of the Federal Bureau of Investigation; and the Honorable William Reinsch, Under Secretary of Commerce for Export Administration.
After taking testimony from our Administration witnesses, the committee will hear next from a panel of outside witnesses representing industry. They will be Matthew Bowcock, Executive Vice President of Corporate Development of Baltimore Technologies, and Elizabeth Kaufman, Senior Director and General Manager for Security at Cisco Systems. Let me thank all of our witnesses this morning for being with us.
Before turning to our panel of witnesses, however, I would like to recognize the committee's Ranking Democrat, Mr. Skelton, for any remarks he would like to make.
[The prepared statement of Mr. Spence can be found in the appendix.]
STATEMENT OF HON. IKE SKELTON, A REPRESENTATIVE FROM MISSOURI, RANKING MEMBER, COMMITTEE ON ARMED SERVICES
Mr. SKELTON. Mr. Chairman, thank you. It is a pleasure for me to join you in welcoming our distinguished witnesses on this encryption export policy hearing today.
I understand, Attorney General, this is your very first venture before the Armed Services Committee. We welcome you.
Director Freeh, it is good to see you, and we welcome you, sir.
And Secretary Reinsch, thank you for joining us.
Today is a very, very important hearing that we are embarking upon. The subject we are addressing is very complex, it is highly technical, yet it touches every part of our national being. It impacts on all of us individually and in a variety of ways. While this committee has a primary interest in protecting our national security interest, we cannot ignore the potential effects of what we do on our personal and private concerns and the commercial infrastructure activities of our wonderful Nation.
In our initial hearing on the first of July, I then expressed my belief that what we do in this committee on H.R. 850 will make a difference. We have the opportunity to influence the confidence of our Nation as well as the ability to exploit the advantages of our new technology while at the same time maintaining the technological lead we enjoy, provide for the public safety, and accommodate our national security requirements, remaining committed to the task of seeking the right balance, the right balance needed to meet all of our critical needs. We can do it. Actually we must do it and be responsible for us to arrive at a narrowly focused series of solutions that consider all of the environments of our Nation.
Mr. Chairman, I hope the witnesses here today will be able to provide us with additional information we need that will assist us in understanding the multifaceted technical, sometimes difficult-to-understand issue. We thank them for being with us. Mr. Chairman, thank you for calling this hearing.
The CHAIRMAN. Thank you, Mr. Skelton.
Without objection, the prepared remarks of all of you will be submitted for the record.
You may proceed as you would like. Ms. Reno, the floor is yours.
STATEMENT OF HON. JANET RENO, UNITED STATES ATTORNEY GENERAL
Attorney General RENO. Mr. Chairman, Congressman Skelton, members of the committee, it is indeed an honor to be here for the first time, and I thank you for the privilege of testifying.
Encryption provides many important benefits to society and protects the security and privacy of citizens from intrusions by criminals into their personal documents, files, and communications. Our citizens expect that a ledger book in a person's home or a personal telephone conversation will remain private. Both the Constitution and Congress fully support this expectation of privacy, but both also recognize that the good of society requires narrow exceptions to this normal expectation of privacy. If law enforcement agencies follow detailed procedures set forth by Congress and present probable cause to a court, they can be given the authority to obtain the ledger with a search warrant or intercept the telephone call with a wiretap order. The widespread use of encryption, however, will effectively eliminate these exceptions and prevent law enforcement, even with a search warrant or a court order obtained under procedures established by Congress and the courts, from obtaining information which may be critical to protecting public safety.
Congress must recognize the needs of law enforcement soon, or it will become far more difficult for the FBI, DEA and other Federal and State and local law enforcement agencies faced with the rising threat from the criminal use of commercially available encryption to protect the public from crimes such as terrorism, narcotics trafficking, economic fraud, and child pornography. In fact, we have already seen cases where child pornographers have encrypted child pornography, depriving the law enforcement of critical evidence, including the possibility of identifying abused children and getting them the help they need.
Terrorists are now actually using encryption, which means in the future we may wiretap a conversation in which the terrorists discuss the location of a bomb soon to go off, but we will be unable to prevent the terrorist act when we cannot understand the conversation. Narcotics traffickers and computer hackers are now using encryption technology, thus defeating efforts to collect evidence.
As a prosecutor in Miami, Florida, for 15 years, I can tell you the ability to wiretap pursuant to court order and the constitutional procedures authorized by Congress is absolutely essential to maintaining our efforts against the traffickers. The issue that Congress and the Administration must consider is whether law enforcement should have the ability to obtain usable evidence in these and other types of cases, and whether if so—and if so how, criminals will be caught. It is because of my concern for public safety—.
The CHAIRMAN. Ms. Reno, I think your microphone is not working. Could you use Director Freeh's?
Second, to deal with the threat of dangerous criminals using encryption, law enforcement needs enhanced tools to obtain usable evidence and the legal authority and practicability to use those tools if we are to maintain our current ability to protect public safety. Today, for example, we have the ability to use search warrants and wiretaps with the permission of the court and under its strict supervision.
These tools, wiretaps, and search warrants, as I have said, have proved absolutely essential in obtaining evidence in fighting crime, but encryption can turn a warrant or order into a practical nullity. We will obtain only meaningless encrypted information that cannot be used as evidence. Therefore, in order to maintain our ability to use court-authorized tools, we are enhancing the technical ability of the Federal Bureau of Investigation and other law enforcement entities to obtain the plaintext of encrypted communication and stored data.
We will very much need Congressional support both in terms of additional funding and authorizations for developing and deploying technical capabilities that will allow us to obtain the plaintext, the unscrambled version. However, we must also recognize that technical abilities do not offer a silver bullet. The widespread use of nonrecoverable encryption by criminals would quickly overwhelm any possible law enforcement technical response.
The bill under consideration by the committee, the proposed Security and Freedom Through Encryption Act, the SAFE Act, raises several concerns from the perspective of the Department of Justice. First, we share the deep concern of the National Security Agency that the immediate decontrol of all export controls through the SAFE Act is not in the national interest. Second, we are concerned that the act may retard the development of products that could assist law enforcement in obtaining access to plaintext. In my view, any legislation should support public safety, not impair it. The proposed SAFE Act does not include any provision aimed at improving law enforcement's ability to perform its public safety mission in an encrypted world.
In conclusion, unless Congress recognizes the need of law enforcement soon, the widespread use of commercially available encryption that does not preserve the ability of law enforcement to obtain the plaintext of messages under appropriate legal authority will soon greatly impair law enforcement's ability to protect public safety, and it is not just law enforcement at the Federal level. It is law enforcement as well at the State and local level.
The National District Attorneys Association has written to the Speaker describing their deep concerns about the need for addressing law enforcement concerns as deal with the encryption effort. We will still investigate no matter what happens, and we will prove criminal cases, but when the criminals use encryption, it will be much harder, and we will be much less likely to succeed. As a result, criminals will escape justice, and our attempt to make the world a safer place for law-abiding Americans will have been far less successful. That, to me, is an unacceptable result, which should not happen.
Thank you, Mr. Chairman.
The CHAIRMAN. Thank you, ma'am, very much.
[The prepared statement of Attorney General Reno can be found in the appendix.]
The CHAIRMAN. Director Freeh.
STATEMENT OF LOUIS J. FREEH, DIRECTOR, FEDERAL BUREAU OF INVESTIGATION
Mr. FREEH. Thank you, Mr. Chairman, Mr. Skelton, members of the committee. Let me just add my own appreciation to you for holding this hearing. It is a very important hearing, and I know the committee has taken testimony and done some extensive research into this matter.
If I might, just for a few minutes, I would like to talk about this issue as a public safety issue. We have a tendency to divide it between national security, and, of course, your particular jurisdiction is focused now in this legislation on the export controls of national security. We would like to just blend that in with the domestic side, home defense, if you will, because public safety is the issue that cross-cuts both the national security and the domestic law enforcement piece. So if we can think of this issue as a public safety issue, we can avoid, I think, some of the artificial dichotomies.
I would like to start with the Fourth Amendment, if I will. December 1791, the Framers decided that a balance had to be struck. Mr. Skelton, you mentioned balance in your opening statement. I think that is the theme of what we are asking for with respect to this legislation.
The Framers looked at the law enforcement powers, enormous powers that the State was about to be given, and it decided to strike a very reasonable and historically unprecedented balance between the freedom that people would have to have in their homes, papers, effects, and lives, that balanced prudently against the need for the constable to breach those rights when not the police, but when a neutral detached magistrate made a finding, and according to our common law and statutory law, a probable cause finding, that someone had committed a crime or is about to commit a crime and particular evidence of that crime could be found. And that balance has served law enforcement and the Constitution well for over 200 years.
Whenever we make an application to a court for an order to conduct electronic surveillance or to conduct a search warrant, whether it be an electronic search or otherwise, we have to make our case to a neutral detached magistrate, and that judge has to decide that there is sufficient probable cause to believe that a crime is about to be committed, has been committed, or evidence of that crime can be found in a specific location. The protection of the Fourth Amendment is then breached, but breached not by the police, not by the Department of Justice, but by a judge. And that is the Framers' balance set up over 200 years ago.
The technology of encryption, if it is misapplied, and we certainly know it will be misapplied by organized criminals, by spies, by terrorists, will radically upset that balance, an unprecedented turnaround in that balance, unless some provision is made for the law enforcement authorities to get through this technology.
Now, what is this technology? This technology on 128-bit, which is a classification of strength for encryption, a fairly high and robust strength, for us to understand the plaintext, what's being said in the use of 128-bit encryption, it would take a 250-computer network 26 trillion times the age of the universe to break down one message bit. Neither me nor anybody in the government nor anybody in industry, as far as we know, has the technical ability to break that down.
Now, encryption, we all say simultaneously, is a tremendous technology, an important technology, and one which we wholeheartedly support, particularly those of us in law enforcement. We want our companies, our government, and the people that we protect to have that protection in their papers, effects, trade secrets, all the things that need to be protected. What we are asking for, however, is that a reservation be made similar to the one that the Framers set forth that will give us the ability to go to a Federal judge, not to do this on our own, but to go to a Federal judge in our case and get the authority to find evidence of a crime that otherwise will be denied to us.
The impact of commercially available, nonplaintext-retrievable encryption proliferating all over the country will be devastating to law enforcement. The bill which you are considering in its current form will harm law enforcement, will harm public safety, will harm national security, and lives will be lost if the practical impact of this legislation results in the denial of the technique of court-authorized law enforcement surveillance to those of us represented here.
Now, one argument we hear all the time, well, the government only does a small amount of electronic surveillance. We do. In 1998, the total number of court orders signed by Federal, State, and local judges, 1,329; not 13,000, not 130,000, 1,329. The majority of those cases, you would be interested to hear, I think, 763, are not Federal orders. These are State and local orders signed by your district attorneys applying to courts and State and local magistrates around the country. Five hundred sixty-six are federal orders. Seventy-two percent of all those orders are related to drugs, to law enforcement efforts against narcotics.
I was up in New York yesterday. I spent some time with four of the seven prosecutors in New York City. New York City is unique. We have seven prosecutors, five State district attorneys, and two U.S. Attorneys. Just some numbers which I think you would be interested in hearing, 270 of those 1,329 orders were State and local orders in New York City. Thirty-five percent of all of the 1998 State and local orders came out of New York City, and the district attorneys who I spoke to reminded me that that was the technique, as in the Federal Government, that we reserve for the most difficult targets, for organized crime, for terrorists, for spies, and in their cases predominantly for drug dealers.
In New York City, as you know, over the last 8 years, the homicide reduction has gone from 2,200 homicides 8 years ago to 633 last year. The district attorneys credit, at least with respect to the organized drug gangs in New York City, the technique of electronic surveillance as being the most important.
I not only speak this morning for the Federal Bureau of Investigation, and, as I said, the Federal Government does the minority share of court-applied electronic surveillance orders, I speak for the International Association of Chiefs of Police, which represent 17,000 police chiefs, your police chiefs; District Attorneys Association, which unanimously supported this position; the Sheriffs Association; all 50 State attorneys general and everybody on the National Security and Intelligence Community. Your men and women who are responsible for public safety both on national security and home defense are telling you that the current statute as proposed will harm and damage our ability to protect people and will result ultimately in the loss of lives unless some reservation is made to protect what is our most important technique.
The other argument we hear all the time is, well, the government is trying to increase its powers. That is not accurate. There is no attempt or suggestion or argument that we have made, and myself in six years, that would in any way enhance our power or authority. We ask for no new powers or authority. We ask to maintain the balance of the Fourth Amendment to give us a chance to protect the people who we are responsible for protecting with the technique which is the most important in terms of counterdrugs, organized crime, terrorists, and national security.
You know, if the organized crime individuals could get together as a summit, and they could align themselves with terrorists, with spies, the technique—of all the techniques that the Federal Government uses to enforce the law criminally and to protect national security, if they had their choice of eliminating or harming or compromising one technique, you could bet that the technique they would pick would be electronic surveillance, because that is the one, the only one, that is used successfully in our most difficult cases.
Now, I can give you a litany of cases where this particular technique has been critical and singular in preserving and saving lives as well as solving cases. And I don't think I need the time to do that for you this morning. I would like to address in a few minutes some of the arguments that you hear from industry about why this can't be done and why this is such a difficult issue.
It is a difficult issue. It is complex. You have to make a choice between commercial interests and public safety, national security and law enforcement interests. I submit to you it is not an either/or choice; that what we are looking for is a balance, an even playing field, no new powers, no new authorizations, but please don't compromise for us the technique which has been most important in protecting the country.
One argument we hear from industry, well, it is too late, they tell us. This stuff is all over the Internet, and you can download it, so why are we wasting our time trying to put the genie back in the bottle? Well, I have a lot to say about that. Encryption right now is like an electric car. You can make one, you can drive one, but you probably wouldn't take it on the highway because it would be very difficult to service, take care of, and no one is driving one, so you would look a little bit like an anomaly.
That is where we are right now with encryption, but the legislation you are looking at will quickly, quickly move us forward, I think, over the edge, because what it will do is immediately dismantle not just the export controls, but any incentive industry has to come forward with what we want, which is a voluntary consensus approach to try to solve this problem.
Seventy percent of the cocaine coming into the United States comes over the Mexican border, but I haven't heard anybody say, well, it is too late, there is nothing we can do about this, we just have to accommodate ourselves to the problem. I don't think we need to do that. I don't think we can afford to do it as a country.
The oil industry says, we don't want to be regulated here. This is an area that industry can solve on our own, and we will work with law enforcement and talk to them. And to their credit, they do speak to us. The Attorney General and I have met with all the major CEOs. You have a panel this afternoon which includes companies who are working responsibly to solve this problem. Thirteen companies are making products that have the capacity, in response to a court order, to deliver up plaintext so we can do our job. There is no argument, by the way, in industry that this is too expensive or it can't technically be done. We have not heard that argument because it is not accurate.
Will industry be harmed by this? I don't think so. I don't think the software industry of the United States is in dire threat of losing its profit-making ability if they make an accommodation which is not only responsible, but one that maintains the balance that we have enjoyed for many, many years working very cooperatively with companies.
Other countries, by the way, are working very hard to solve this problem, too. It is not just an American problem. Prime Minister Blair several weeks ago brought in all the CEOs in U.K. to 10 Downing Street and said, look, this is a national security problem which has to be solved, and I want you to work with my government to solve it. Minister Straw is working on legislation now which will go to Parliament very quickly, which will give the police the even playing field that they need to do their job. And we are asking for the same thing here in the United States.
With respect to privacy, we hear and we speak to the privacy interests, which are very legitimate, but there is nothing about what we are asking for that intervenes or compromises that privacy. We would like the same authority that your colleagues gave us in 1791. That is all we are asking for. There is nothing at risk with respect to privacy except the privacy of a drug dealer, a spy, a pedophile, an organized criminal whose activities have come to the attention of a Federal, State, or local judge to the extent that that judge has found probable cause and a warrant has been issued to hear those conversations.
I will finish up in just one minute here, please.
The problem is not just relegated to communications. We talk about electronic surveillance, but we also deal with the issue of stored data, stored data done electronically, again with encryption. When Ramzi Yousef left an apartment in Manila several years ago in a hurry because he thought the police were after them, and they were, he left behind a laptop computer. The laptop computer included in its cells among other things a plan to blow up 11 U.S. airliners on a single day in the Western Pacific. Part of that plan was on the laptop computer. There were several files in his computer which were encrypted which took months and months for the best minds in the country to get access to, and if those were plans that were imminent, and we were in the possession of that information, we would not have been able to solve that. The issue goes both to stored data and to communications.
I know you probably have a lot of questions that you would like to follow up on. We are happy to do that.
I will say just in closing that industry has been responsive to this. There is not one of the CEOs that we met with, and the Attorney General and I met with six of them, who don't recognize this as a significant public safety problem, but their response doesn't solve our problem. One of them told me, well, Director, you have got to get bigger computers. Well, I don't have a computer that will give me what I need in a particular case if I have to wait 26 trillion times the age of the universe and nobody else was.
If you were a Federal judge or a State or local judge for a moment, and you found evidence that someone was committing a crime, and you gave the sheriff or the police officer or the agent a warrant, and you said, okay, go and get that evidence, you have identified it, I am satisfied with the legal standard, it is in this specific place, and the constable came back to you and said, I can't get it, Judge; I can't execute the warrant, and you said, why, and he said, well, I don't know how to open the safe, I don't think you would take that as a reasonable response.
I don't think the people that we protect will take as a reasonable response, well, we don't have the technical ability to find out where your child is, God forbid; where the tons of cocaine are coming into the United States; who is going to steal what secret and commit what espionage; who is going to blow up 11 U.S. airliners. I don't think you want the response, and I don't think the people you protect want the response, that it is too late, we can't do anything about it, it is too complicated, and we don't want to harm the profit-making ability of American business. Well, I don't either, but I think a balance has to be struck between profits, commercial opportunities, and public safety.
The industry would like not to be regulated. Well, you know, we regulate door openers in the United States, garage door openers, because you have made a decision that the use of the airwaves is important enough for public safety and public usage that some accommodation has to be paid for safety and security.
That is what we are asking for here, and again, I really ask for your consideration and your judgment and your experience when you look at this bill. This bill will harm law enforcement. It will make it very hard for us to protect people, and I submit to you if you have all your State, local, Federal agencies telling you that, if you have all of your Intelligence Community telling you that, you have a letter from Bill Cohen, you have a letter from General McCaffrey, this is a serious matter, and one that I applaud you for having a hearing on and spending the time that you spend. Thank you.
The CHAIRMAN. Thank you very much, Mr. Freeh.
[The prepared statement of Mr. Freeh can be found in the appendix.]
The CHAIRMAN. Mr. Secretary, you have been here before. Welcome again, and proceed as you would like.
STATEMENT OF WILLIAM A. REINSCH, UNDER SECRETARY FOR EXPORT ADMINISTRATION, DEPARTMENT OF COMMERCE
Secretary REINSCH. Thank you very much, Mr. Chairman. It is always a pleasure to be here. It is particularly a pleasure to be here on a matter where we agree. I am not always quite that lucky with some of my other topics, but I do want to pick up on Director Freeh's last comment and say you are also going to hear the same message from the Department of Commerce that you have heard from the Department of Justice and the FBI.
What I would like to do, if I may, is abbreviate my testimony, since I think you have heard a lot of it before, make a brief statement that is general, and then talk a little bit about our international activities which might be of interest to members of the committee, and then make a specific comment on the bill that is before you.
As both my colleagues pointed out in their testimony, the Administration continues to support a balanced approach which considers privacy in commerce as well as protecting important law enforcement and national security equities. We have been consulting closely with industry and industry's customers in order to develop a policy that provides that balance in a way that also reflects the evolving realities of the marketplace. As Director Freeh has said, that has not been easy. We do not want to hinder the legitimate use of encryption, particularly for electronic commerce. We want to promote secure electronic commerce, and that inevitably involves the use of encryption. At the same time we want to protect our vital national security, foreign policy, and law enforcement interests.
During the past three years, we have learned there are many ways to assist in lawful access, and that there is no one-size-fits-all solution. We have proposed over that time a number of policy revisions that are described in detail in my full statement, and I won't repeat those for you now. We have, in the process of making those changes, provided a means for making strong encryption available to destinations that we believe are consistent with our national security priorities.
It is simply not correct to say that the government does not let robust encryption out of the country. We let it out of the country on quite a wide variety of circumstances, but all of them tailored to be consistent with the priorities that all of us have reflected today.
We have, pursuant to the Vice President's commitment of last September, also under way a further policy review right now, again taking a look at the market and comparing it to what we are permitting to leave the country, and we expect to have an announcement about that shortly.
We have also been very active, Mr. Chairman, internationally, based on the theory that this is not an area where unilateral action by the United States can solve the problem. In December, through the hard work of Ambassador David Aaron, the President's special envoy on encryption, the Wassenaar Arrangement members agreed on several changes related to encryption controls. Most important was their decision to remove encryption software from the general software note and replace it with a new cryptography note.
Drafted in 1991 when banks, governments, and militaries were the primary users of encryption, the general software note allowed countries to export mass marketing encryption software without restriction. That note was created to release general-purpose software used on personal computers. It inadvertently released encryption. We believe that it was essential to modernize the note and close the loophole that permitted the uncontrolled export of encryption with unlimited key length.
Under the new cryptography note that Wassenaar Arrangement members agreed to, mass market hardware has been included along with software, and a 64-bit key length or below has been set as an appropriate threshold. This will enable governments to review the dissemination of 64-bit and above encryption.
Now, finally, Mr. Chairman, with respect to the bill before you, H.R. 850, the Administration opposes this bill, as we did its predecessor in the last Congress. The bill proposes export liberalization far beyond what the Administration can entertain and which would be contrary to our international export control obligations. Despite some cosmetic changes that the authors have made, the bill in letter and spirit would destroy the balance we have worked so hard to achieve and which my colleagues have described, and it would jeopardize our law enforcement and national security interests.
I want to reiterate that this Administration does not seek controls or restraints on domestic manufacture or use of encryption. We continue to believe the best way to make progress on ways to assist law enforcement is through the constructive dialogue that the Attorney General and Director Freeh described. As a result, we see no need for the statutory prohibitions that are contained in this bill.
Second, once again we must take exception to the bill's export control provisions. In particular, the references to IEEPA, as we understand them, would preclude controls under current circumstances and potentially in future situations where the Export Administration Act had expired. As well, Mr. Chairman, the definition of ''general availability'' as in the past would effectively preclude export controls over most software.
In addition, whether intended or not, we believe the bill as drafted could inhibit the development of key recovery even as a viable commercial option for those corporations and end users that want it in order to guarantee access to their data. The Administration has repeatedly stated that it does not support mandatory key recovery, but we do endorse and encourage development of voluntary key recovery systems, and based on industry input, we see growing demand for them, especially corporate key recovery, that we do not want to cut off, and we believe the provisions of this bill would be a significant deterrent to the growth of key recovery.
The Administration does not seek encryption export control legislation, nor do we believe such legislation is needed. The current regulatory structure provides for balanced oversight of export controls and the flexibility needed to adjust our economic—adjust it to our economic foreign policy and national security interests in light of advances in technology. This is the best approach to an encryption policy that promotes secure electronic commerce, maintains the U.S. lead in information technology, which is very important for our national security, protects privacy, and also protects our broader public safety and national security interests.
Thank you, Mr. Chairman.
[The prepared statement of Secretary Reinsch can be found in the appendix.]
The CHAIRMAN. Thank you very much, all three of you. I will reserve my questions until later on and give others the opportunity to proceed.
Mr. SKELTON. I have two questions. First is for Secretary Reinsch. One of the most significant differences between the Administration's present encryption policy and the policy that would be set forth in H.R. 850, and for either Attorney General Reno or Director Freeh or both, could you give me some examples of law enforcement degradation should H.R. 850 pass, examples that we can explain to folks at home that ask about the decision?
Secretary Reinsch, could you answer my first question?
Secretary REINSCH. I didn't hear. I am sorry.
Mr. SKELTON. I have two questions. First is what are the most significant differences between the Administration's present encryption policy and the policy set forth in H.R. 850, 25 words or less?
Secretary REINSCH. The main difference is H.R. 850, we believe, would decontrol—remove export controls on virtually all encryption software. We do not support that. We have a more conservative policy in that regard.
Mr. SKELTON. Now, for the examples, either Attorney General Reno or Director Freeh or both of you, give us examples of how H.R. 850 would hamper law enforcement—.
Mr. SKELTON. Examples that we can explain to people who ask us about—.
Mr. FREEH. Everyone seems to be in agreement that we are going to have a voluntary solution to this problem, industry working not only with the Federal Government, but all the governments to solve it. One of the things that the current statute as drafted would undercut quite dramatically is the incentive that industry has to make a product that has a plaintext feature available to a court order in terms of responding to a request for evidence. The legislation prohibits encryption and key recovery abilities and does not allow corporations who want to develop it, as the Secretary mentioned, to actually develop those products. What it does, it actually hinders and takes away the incentive from the industry who want to make products that have recoverable features and deal with us. Ultimately that would lead to a situation where, if the products proliferated enough, we would not have any plaintext features because nobody would be making them because there is no reason to make them.
Attorney General RENO. To answer your questions about specific examples, right now there are assistant district attorneys and assistant United States attorneys who are investigating drug traffickers. We are beginning to run into encryption now, and as it goes along, if we do not have that capacity for law enforcement to get a court order to authorize the interception of that communication, we are going to be more and more limited in our ability to deal with traffickers. I know from my experience that very few drug traffickers are caught in significant cases without the ability to intercept electronically their communications.
Mr. SKELTON. Thank you very much.
The CHAIRMAN. Thank you.
Mr. BATEMAN. Mr. Chairman, I think my principal area of concern here is not with any disagreement with policy position that any of the witnesses take. I am in agreement with them. I am interested in having them expound briefly at least on whether or not we are going to get the bad results that we want to avoid through foreign companies providing encryption capabilities if we restrict that on American industry. Can you shed some light on that argument that is made and which I don't have the technical competence to evaluate?
Mr. FREEH. Yes, I would be happy to, sir. The argument that everybody will buy foreign encryption products and not American encryption products, I think, is a misnomer for the following reasons. Foreign encryption products which are currently available, and some of them can be downloaded on the Internet, those are not, I would submit to you, as reliable as the manufacturers promote them to be for a lot of reasons, some of which I would be happy to go into with you in a closed session. I also think when people buy software products, whether you are buying them in the United States or someplace around the world, you don't factor into that purchase decision, I don't believe, embedded security features in a particular product because when you buy telephone service here, nobody sits down before they choose their carrier and says, now, what will happen if a judge finds probable cause in using my phone to commit a crime? Maybe I want to pick another phone company or another carrier.
I think when people are buying software, leaving aside encryption for a moment, they are looking for spreadsheets. They are making decisions about products which, at least in the overwhelming number of cases, come down to the proficiency and the strength and the versatility of American products. I don't think the American software industry is going to lose its edge or ability to make profits because people are going to be worried about an embedded security feature which can only be activated by the act of a judge under very strict conditions.
I also think that the foreign countries have the same problem that we have. We talked about the U.K. Mr. Reinsch talked about the Wassenaar group. This is not just the law enforcement and national security unanimity in the United States. All of our colleagues overseas and their governments and their Parliaments have the same concern. So what will happen and hasn't happened yet because these products have not proliferated is every country is going to take steps to protect its own public safety, and this is going to have to be done by Wassenaar treaties and arrangements. But I don't think American companies are going to lose their edge. I think they are going to be the leaders, and many, many countries around the world and many companies are looking to see what the American companies and what the American Congress does to deal with this problem. So I think we have the opportunity here to show the leadership.
Mr. BATEMAN. Thank you very much.
The CHAIRMAN. Thank you.
Welcome to all our witnesses. My colleague Mr. Bateman asked a very basic question, because that is what I hear all the time. If they can buy it on the foreign market, then what difference does it make? Certainly you explained it, not entirely because you did relate to a little bit that we would have to tell you the rest of the story in a closed hearing, but—and I happen to agree with you. If I am going to err, it is going to be on the side of public safety and, of course, our national security. But basically what we are really talking about is stalling for some length of time.
What is our long-range plans as it relates to this? How much longer can we go? And having asked that question—go ahead and answer that first.
Mr. FREEH. From a law enforcement point of view, I can't give you what I believe would be an accurately predicted answer. I know that in the last four years in our computer cases, the cases where our technicians deal with computers, we have gone from 2 percent to 20 percent of the cases that have some encryption features and some password features that are causing us problems. I know the Drug Enforcement Administration has shut down court-authorized wiretaps in California because they could not deal with the level of encryption being used. But it is not accurate, nor would I say that this is a problem which is now disabling law enforcement, but the problem is once this stuff begins to proliferate to the ISPs, to the networks, and you can walk into Radio Shack and for $50 bucks buy an encrypted phone so when you conduct your kidnapping, nobody can hear what you are saying, even if they have a court order, then the window slams shut real fast and hits everybody on the head. Whether that is in the next 5 years or 10 years, I hope it doesn't happen, but looking at the statistics in terms of the incidents where we see this, it is happening much more quickly than we thought.
Mr. SISISKY. It is true that American companies can sell encryption overseas; am I correct in that?
Mr. FREEH. Yes, sir.
Mr. SISISKY. They can sell to financial institutions.
Mr. FREEH. Insurance companies.
Mr. SISISKY. And businesses that are associated in the United States, so it isn't that they are without the ability to sell encryption.
Mr. FREEH. Absolutely not. As the Secretary mentioned, there is a huge amount of stuff which is sold according to the current export control regime.
Mr. SISISKY. Thank you.
The CHAIRMAN. Mr. Buyer.
Mr. BUYER. Thank you, Mr. Chairman.
I would like to give one opening comment. I no longer serve on the Judiciary Committee. I left the committee immediately after the impeachment trial, but after many of us here in Congress had an opportunity to review the Cox report and to also then receive our classified brief about the China espionage, campaign finance scheme, how it appeared to us to be synergistically intertwined, I now understand more some of the legitimate constructive criticisms contained in the LaBella memo.
I went back—after receiving the classified brief, I went back and reread, Attorney General, a letter that the Majority members of the Judiciary Committee had sent to you regarding independent counsel, and then I went back and read your response to that letter. Of course, it is interesting to read it after passage of time and more information has come out, so I want to be careful in my own personal opinions and critique.
But I do want to take this moment to pay high compliments to the Director of the FBI, because at a time when it was very difficult and not everybody had a lot of information, you stepped forward at a time when it was very difficult; you made recommendations to the Attorney General for which her own reasons differed with you, but, Mr. Freeh, this is the first time I have had an opportunity to look back on this record and compliment you for standing up for law enforcement and calling it as you see it.
Mr. BUYER. Not everyone will completely understand what I am saying here today, but you understand what I am saying. We don't have to detail it. I just want to compliment you for what you did.
Attorney General RENO. I would compliment him, too.
Mr. BUYER. Thank you, but I can't spread the compliment completely around the table, as you well know, Ms. Attorney General.
Attorney General RENO. I understand you, and I disagree and would be happy to talk to you about it at any time.
Mr. BUYER. Right. But I don't want to take up this forum, nor our dialogue here, with that.
Attorney General RENO. Well, I am always available to do so, sir.
Mr. BUYER. Thank you, ma'am.
My question to the Director of the FBI, often we hear from our own companies and corporations that if we don't have this ability to market these products in the United States, we lose our prestige, our market share, our position; it is U.S. jobs, and, oh, by the way, foreign encryption is comparable with our encryption, and there is such a proliferation anyway, it is already being used. We hear that. That is what they come tell us. Then we get to hear from your input.
So now here is my direct question to you, it is based on your knowledge and your ongoing investigations: How much is encryption being utilized out there by the international crime syndicates, the drug cartels, the major criminal organizations that have far-reaching impacts into our society that many people don't understand?
Mr. FREEH. That is a great question. Thank you.
It is being used in a very small percentage of the cases, but these particular cases are the ones that represent the largest drug traffickers. For example, the Cali cartel has hired—you may know this—but has on payroll software engineers. One of the things they do is they write code and procure encrypted channels so they can arrange to bring tons of cocaine into the United States, drop it off at the Virgin Islands or San Juan using GPS, and being confident that both the command and control discussions bringing that stuff to the United States and the conversations bringing the money back will not be intercepted.
So that may be a very small percentage of the drug cases that we do as a government, but this is the organization that makes not only $8 billion a year in profits, but affects every American, every street, every community and the whole issue of public safety.
So the number of cases are small. The incidents are fairly numerically low at this point, but they represent the most difficult targets.
The people who know about this stuff and are using it are not the kidnappers, not the small entrepreneurs, but the drug cartels, the organized crime groups, people who know how to organize themselves. Some of the fundamentalist groups, I could talk about this at a different session, use communications which are designed to avoid the surveillance. And encryption is, of course, a tool that is known to them and available to them.
Mr. BUYER. Thank you.
The CHAIRMAN. Mr. Meehan.
Mr. MEEHAN. Thank you, Mr. Chairman.
I would like to thank the panelists. I guess in response to my friend, Mr. Buyer, I want to congratulate the FBI Director, as well as the Attorney General, for the competent way they have handled the messes in the campaign finance system that we have, and particularly the Justice Department for the investigations and convictions in many cases around the country. And I guess I would point out, and I am sure that they would agree, that the Congress ought to pass campaign finance reform as well. Maybe that would be a good idea.
In any event, I think it is clear that the decisions that we make in this legislation will have a tremendous impact on domestic law enforcement, our national security, as well as our national security strategy, and I would like to take a moment to address some of the perceptions that deregulated encryption would empower a new, unstoppable crime wave, and then ask each of you in turn to sort of respond to these perceptions.
Advocates of encryption regulation claim that if there were no limits, encryption-using criminals would run roughshod over the U.S. law enforcement. Former Deputy Secretary of the National Security Agency William Crowell once testified that unregulated encryption would undermine international efforts to catch terrorist spies and people engaged in drug trafficking.
On July 1st of this year, the current National Security Agency Deputy Director Barbara McNamara said that H.R. 850 would complicate the exploitation of foreign targets and would make the NSA's job difficult, if not impossible. She went on to argue that the immediate decontrol of encryption exports as proposed would put national security at serious risk. In fact, in 1997, in testimony before a Senate subcommittee, Director Freeh said that if we are unable to access and decrypt in real time, with a court warrant in hand, conversations with people who would commit crimes, we would be hard-pressed to defend the country in many respects.
Now, the opponents argue that the—have alleged that while fears of encryption used by criminals may be founded, there are three reasons why the arguments used by law enforcement officials don't always ring true.
Third, encryption regulators, it is often said, unfairly put the interests of law enforcement above the interests of business and individuals. Law enforcement and intelligence agencies should be expected, they say, to respond to private sector innovations with innovations of their own rather than additional regulations.
And I was wondering if each of the members of the panel could respond to sort of this perception.
Mr. FREEH. Thank you, Mr. Meehan. Sure.
With respect to, you know, national security being a narrow concern, I would say in the context of using techniques that depend on not just electronic surveillance, but the plain-text comprehension of what is being obtained, it is a fairly narrow number of cases, but, of course, these are the cases that most directly affect the national security of the United States. The Aldrich Ames case. He was told, you remember, by his Russian handlers to use encryption with respect to his communications, commercially available encryption; nothing that was being done in the KGB laboratory.
So it is a narrow range of cases, but if somebody is planning to blow up the World Trade Tower or two embassies in East Africa, although it may be a technique, a singular technique, which is necessary to apply in those cases, it is one that is obviously critical, and there is no parity for it.
The argument that we have the ability to decrypt is just not accurate. The 128-bit strength would take, and I can't even calculate it, but 26 trillion times the age of the universe for me to figure out what the building is that is going to be blown up at 2:00 tomorrow, if the building which is a part of that is denied to me in plain-text. So we don't have that ability.
Mr. Gates told me, he says, well, you have got to get bigger computers. Well, he knows there is no computer and there is no brute force that is going to break down 128-bit or 68-bit strength encryption when I don't know—need to know it. I don't need to know it 26 times the universe later. I need to know about it 2:00 this afternoon so I can take some measures to prevent it.
With respect to the regulators, or the people who are arguing for this, putting the interests of law enforcement over the companies, I plead guilty to that. I will put the interests of public safety any day over the profits of a corporation, and I think anybody in this country who is responsible will put saving lives and public safety above the profits of an industry that makes billions and billions of dollars, because we think it is an important decision to make.
Mr. MEEHAN. Thank you.
Attorney General RENO. I think the Director has made most of the points, but I—as Mr. Buyer has pointed out, we disagree sometimes. Where you have to balance interests, there will be a balancing. And I think every day of the year both Director Freeh and I take into consideration privacy interests and business interests and pay focused attention to that.
But there are situations where the law enforcement interests in balancing will be more important, and he and I are in emphatic agreement that there the public safety of the United States must prevail.
I think, however, having talked, as the Director points out, to industry and to representatives of industry, there is a real feeling that if we can work together, we can solve so many of these problems without interfering with the development of technology and with due regard to the interests of law enforcement. That is the reason the technical support center that the Bureau is building is so critically important, because it provides an opportunity for the private sector and the public sector to work together in solution.
It may be one way of providing plain-text in this situation; it may be another situation, and if we work together we can solve the problem.
To answer the longer-range question, I think the Department fully supports the current policy of a balanced, but steady update of export control. I think there will always be some provision to ensure that we do not export to terrorist countries, but I think we can, if we work through these issues, achieve the ultimate result, and that is what they made very clear when they met with the Director and myself. They put the national security and the public safety of this country as one of their uppermost objectives, and I think that they have in recent days indicated a real willingness to come together to see if we can't work these issues out.
Mr. MEEHAN. Thank you.
This is a fast-moving technology, as you well know, Mr. Meehan, and I wouldn't want to rule out things that haven't been invented yet. But in my experience so far, clearly encryption technology is outrunning decryption capabilities at a significant pace, and I don't see anything on the horizon right now within the spectrum of technologies that we know about that will change that.
I think the premise of your question was quite correct. This is an area where legitimate equities collide, and that is unfortunate. We try to balance them, but they collide nevertheless.
I can tell you personally that I think there are real national security and law enforcement costs to the policy that is articulated by the bill that is before you. There is no question in my mind of that.
I also think that at some point in time there will be commercial damage if we pursue a policy of strict control.
Now, I agree with the Director that we haven't reached that point, and the real question is the one I think that Mr. Sisisky asked, which is how much time are we talking about, and what can we do in the interim? Because if we can fully and completely and successfully multilateralize our policy, then commercial damage is de minimis. That is an issue that we are engaged in.
Otherwise, it is a question of timing and the extent to which policy reviews that we undertake keep up with the marketplace.
That latter point is important because as we discover products that either can be exported without national security or law enforcement risk or products which, in fact, help law enforcement in its tasks, and there are some, then it is in our interest to flood the market with those and to promote them to the extent that we possibly can.
That is what our policy is about now. That is what the dialogue that the two people to my right have had with industry in the past, to try to identify products that are law-enforcement-helpful.
As we identify those, we want to export them, because it is in our collective interest to do so.
The CHAIRMAN. Thank you.
For the benefit of those that are wondering what all of those lights and bells mean, it is not an air raid. We just have a 30-minute recess.
With that, we will recognize the gentleman from Maryland, Mr. Roscoe Bartlett.
Mr. BARTLETT. Thank you very much, Mr. Chairman.
Thank you, members of the panel. Your unanimity makes our job easier.
Mr. Secretary, to what extent can 64-bit encryption now be exported?
Secretary REINSCH. Well, our policy has been to generally decontrol 56 bits and below. We haven't drawn a 64-bit line yet.
With respect to above 56-bit exports, we don't make a distinction between 64, 128 or any other number that you want to pick as long as it is higher than 56.
We permit its export generally to subsidiaries of American companies, banks and financial institutions, health care organizations and on-line merchants.
With respect to what we refer to as recoverable encryption, which I can define for you if you like, we permit its export at any bit length broadly under certain defined circumstances that we construct in negotiation with the exporter.
Mr. BARTLETT. Mr. Freeh, you indicated to us the near impossibility of decrypting 128-bit encryption. How difficult is the task of decrypting 56-bit encryption as compared to 128?
Mr. FREEH. In terms of real time, it would take us hundreds and hundreds of days if we could be successful in mustering all of the gray power computers and networking them. That is still an uncertainty that we are not confident about exploiting. We would look at certainly 64-bits as nonbreakable by any kind of brute force, which is using standard as well as innovative encryption techniques. We could not do it in real time. It would take hundreds and hundreds of days, if not years, in many cases to get anyplace where we would need to be.
Secretary REINSCH. May I add a comment to that, Mr. Bartlett?
Mr. BARTLETT. Yes, sir.
Secretary REINSCH. I think the issue with decryption by brute force is twofold. Even if you get the time down to hours, and there has been a contest done in the private sector that was able to achieve a 56-bit decryption in a matter of hours, I think the law enforcement problem is also a problem of quantity. You know, you can get that time down for a single message when you know where that message is and you know it is in English and you know approximately how long it is, and then it still takes you hours to do it. Their problem is not quite so convenient. They don't know when a message of importance is coming along. They are dealing with thousands of messages, not all of them in English. That poses a whole separate set of difficulties. So when you read these statements that, well, it only takes so long to decrypt, from a law enforcement point of view it is much more complicated than that.
Mr. BARTLETT. What you are saying then is that unless you have the key, 56-bit encryption is a problem?
Mr. FREEH. A key or the owner, network user, has the ability to give us a plain-text in response to a court order. We don't necessarily do it by key technology. In fact, what we have said before is we don't relegate this to one particular technique. We certainly would rely on the companies and the users to come up with the abilities to retrieve text in response to court orders.
Mr. BARTLETT. You indicated that encryption technology is now running well ahead of decryption technology. Is that because there has been more interest in encryption than there has been in decryption, or is it because of a fundamental difference in the difficulty between encryption and decryption?
In other words, the question I am asking is, are we likely to catch up with encryption, or will encryption always be running ahead; will it always be a problem we will have to focus on controlling?
Mr. FREEH. Well, again, I am not a technical expert in this area, but based upon what I know about our capabilities, industry's capabilities, including the people who make and write these codes, decryption will always be well behind encryption because it is much easier technically and algorithmetically, if that is the right word, to encrypt something than decrypt it. So I think the technology will always be well behind unless some 20-year-old engineer comes up with a solution, which is probably what is going to happen, and we would very much like to speak to him or her when that occurs.
Mr. BARTLETT. That being true, Mr. Secretary, it would follow then that to protect national security and the public interest, that we are going to have to be very vigilant in control of distribution of this technology?
Secretary REINSCH. Yes, sir. We believe we are.
Secretary REINSCH. Yes, sir.
Mr. BARTLETT. Thank you very much.
The CHAIRMAN. The gentleman from Texas, Mr. Reyes.
Mr. REYES. Thank you, Mr. Chairman.
I want to thank the panel. I appreciate all the information in an area that is highly complex and technical.
And even though I have had an opportunity to try to listen to both sides of the issue, before I ask a question on this I was just informed that Rafael Resendez-Ramirez has just given himself up, and that is germane because in my previous career, and from my district, he had been in custody and had been turned loose. I was just wondering, maybe you have a comment on that?
Mr. FREEH. Just that we knew about it. It was the result of a lot of good work by FBI, State and local investigators and we—.
Mr. REYES. Any particular circumstances in terms of—I mean, this is unusual in that he is—.
Mr. REYES. Do you know where he gave himself up?
Mr. FREEH. Yes, at the INS checkpoint in El Paso.
Mr. REYES. Thank you. Chalk one up for El Paso.
In the context of this, I have a couple of questions that—this is an area where we deal in intellectual property, and one of the things that I have found—I was recently in Bangalore, India, and that is one of the world-renowned centers for intellectual property and technology.
My question to the panel is this: In dealing with this kind of issue and because we are constantly hearing about the shortage of available expertise in this country and the necessity for the H1Bs and those kinds of issues, how is it that we feel that we have a lock, a very strong lock, on encryption technology in this country versus what is available overseas and how do we know that, in the context of the encryption technology that we are familiar with, there isn't something out there that is better and that prevents, I guess, our industry from being competitive worldwide?
I don't know if you understand my question, but I am trying to find out where we sit worldwide on this thing, when we are being told on the one hand that we don't have enough people in this very technical field and that it is an intellectual property field and we are having to import them into this country and yet at the same time we are trying to protect ourselves from exporting the technology. Can you help me with that?
Secretary REINSCH. Well, there is a lot of skill in this country in the development of these products. There are a lot of skilled people elsewhere. This is a sector, particularly in software, that has the advantage of being sort of a low-capital-intensive sector. You don't need a lot of expensive, large machinery. What you need is some smart people who know how to write the code.
We don't have a monopoly on smart, and these people exist in many other countries, and in some cases the Indians have shown a great facility for software code generally, not encryption code in particular. There is a lot of contract work done there on the part of American companies.
Where we do lead the world, I think, more than elsewhere, is in the market. That is, by far, the largest piece of demand for software generally, and encryption software specifically, it is in the United States. So we do have a role as a market driver, if you will, in terms of the kinds of products that we are interested in, the kinds of products that we are demanding.
Whether there are foreign products that are better, that is sort of a qualitative term that I think I am not the best person to comment on. There are certainly products that advertise themselves as being better, and I think that it is fair to say there are products out there that are technically comparable to products that are available from American sources.
One of the unusual characteristics of this sector is that it is hard to tell what the quality of a product is simply by observing it for the layperson. If you are buying a car, you go kick the tires, you drive it around, you check the doors. You know, you can do a number of things to come to your own conclusion.
Software is software. You know, it is a diskette and there you are. You put it in, and a little padlock opens up or the key turns or something, and you think it works but you don't really know, without a lot of difficulty.
So there is not always in the marketplace a sifting process between products that are good and products that are not good because the average customer may not be able to tell.
Mr. REYES. But can I assume that in the context of quality we have our experts that are buying up whatever is available worldwide to evaluate it and to try to come up with keys or counters or those kinds of things?
Secretary REINSCH. Yes, sir. That goes on. The people that do that are not primarily the ones that are at this table right now, though.
Attorney General RENO. And I would point out, in addition to the market, you have a law enforcement effort in this country that is much more sophisticated than most law enforcement efforts. So Director Freeh has done so much in terms of preparing the Bureau for the use of cyber-tools and against cyber-criminals, but State and local law enforcement need the same expertise.
And I think one of the things that has been so important, Mr. Chairman, is that we properly utilize the military know-how in this area properly to develop a capacity in law enforcement that will share with State and local law enforcement equipment, expertise, so that we don't duplicate it but that we use it as wisely as possible.
I think that is where the demand is created and the need that we have to address for H1Bs, but I have another idea. We used to send people to ROTC in return for—they would do service after college in return for part of their education being paid for. And I would suggest to you that we consider a cyber-corps that gets us through this transition so we don't have to rely on all the 17-, 18- and 19-year-olds, and we will be prepared in law enforcement and in other areas for the utilization of these tools to the maximum benefit of this Nation.
The CHAIRMAN. Thank you.
Mr. REYES. Thank you, Mr. Chairman.
The CHAIRMAN. The gentleman from Alabama, Mr. Riley.
Mr. RILEY. Thank you, Mr. Chairman.
I thank the panel for being here.
Attorney General Reno, let me publicly say again how much I appreciate everything that you have done for our Center for Domestic Preparedness in Fort McClellan, Alabama. I want to re-extend my invitation for you to visit. It is a truly unique place, and I hope you can, if your schedule allows, come within a few years.
I guess I have one problem with everything, and I am probably one of the more computer illiterate people sitting on this panel. But the one thing that begins to bother me is, are we beginning to create a disincentive for our own skilled people, as the Secretary mentioned a moment ago, to develop these new technologies? If this is a program that, as Mr. Sisisky said, is well-developed over the next year or so, is it inevitable that we are going to handicap our own development of additional products or of additional technology if we tell the companies that develop this that there is no economic incentive for them to go ahead and do it because they will be regulated, when the rest of the world, with the skilled people that you mentioned a moment ago, are out there developing it every day? It almost seems like we are telling the rest of the world, we will give you time to play catch-up and then have to compete on an equal footing with American users. There is something about that, if this is inevitable, why should we go ahead and economically disadvantage our own companies today if we know that within a year or six months or next week someone else will have something that is commercially available?
Mr. FREEH. Yes. I guess two things. The encryption component of the software industry is a tiny, tiny component. You are talking about technology, innovation and leadership. I don't think there is any possibility in the world, as far as I know, that some type of—not regulation, you mentioned regulation—not some regulation but some incentive-building, voluntary, good corporate citizenship, public safety protecting protocols and things that are done to preserve a law enforcement technique that I think we would all agree saves lives. That is a tiny part of this industry, of this network that dominates the world, as the Secretary says, and by everybody's estimation will continue to dominate the world.
We are not talking about regulation. We are talking about preserving something.
There are many, many companies, 13, I think, that make recoverable products where you can get a plain-text statement in support of a subpoena or a court order, and you are going to hear from one of them today. Those companies have not been adversely affected, and I would say that the large software companies that have testified in different hearings who you have seen, know and have gotten briefings from, the leadership and the dominance that they enjoy in the world, and it is an absolute dominance reflected not only in their profits but by, in the estimate of every other company and country around the world, is not threatened by some type of good public citizenship and a tiny component of what their industry is and will continue to be. They just don't like regulation.
Mr. FREEH. Sure.
Mr. RILEY. The reason we have the ability today is because someone thought they had an economic incentive to develop it. Once we take that economic incentive away, do we allow other countries in the world to go ahead and develop products that will be commercially available and we, again, create a disincentive for our own companies to be able to do exactly the same thing?
Mr. FREEH. No, I am very concerned about that. But I think that we address that. Let me just give you one quick analogy.
If you have an American encryption product that has a plain-text capacity, everybody who uses that product, every lawful person who uses that product in the United States and anybody who lawfully uses that product overseas, knows that for the United States Government or the government of the country where that product is being used, for them to get access to that plain-text they have to go through a very difficult, in this case in the United States, scrutinized regime to get a Federal court order, a very large, complicated process.
So when the American product is at issue, whether it is used in the United States or outside the United States, because they would have to come to the United States and the maker to get the keys or the plain-text feature, this is going to be done through lawful means, through government regulation, through oversight, as opposed to a foreign product made in a foreign country, who I would submit in many cases, and we can go into this in a different session, the access, the keys to that product, can be gotten very, very easily and not through any lawful process, not through anything except a regime which nobody in this room or this country would support or contemplate.
So the American product that has those features is going to be a much more trustworthy product, not just for American people using it overseas.
Mr. RILEY. Do you have any idea what time period we are talking about before the rest of the world does have that unique ability to catch up? We are not talking about third-world countries. We are talking about some of the Asian countries where they would have essentially the same type of capabilities we would. Are we talking about six months, a year, a year and a half?
Mr. FREEH. In terms of the capability of the product, the strength of the encryption, I think that is prolific. I think many, many countries have that.
In terms of the capacity to get plain-text by other than some lawful access or feature made and maintained and available by the maker or the user, I don't think they are going to have that capacity. We are not going to have it here in the United States.
Mr. RILEY. Thank you, Mr. Chairman.
The CHAIRMAN. Thank you.
The gentleman from Arkansas, Mr. Snyder.
Mr. SNYDER. Thank you, Mr. Chairman. Thank you for having this series of hearings on this bill. I think it has been very good.
We appreciate you all being here today and taking time to be with us.
I want to ask Director Freeh, I got a little concerned when you started talking about the murder rate in New York City. It has seemed to me, as somebody who was in the State Senate for six years before coming here, that when we start discussing causation and crime control we have to be very, very careful. I am not sure we always understand what causes crime. I am not always sure we understand what diminishes crime. And to start selecting out one specific factor I think that, you know, we politicians are notorious to do that. We tend to select the bills that we cosponsored as being the key to the reduction of the crime rate, and I am not sure I think that our current encryption policy is the key to dropping crime rates throughout the country.
I wanted to ask, Mr. Director, you made mention about the balance between public safety and the commercial interests, but if you could just amplify on that a little bit. It seems to me that that may not be completely fair to the commercial interests. We mentioned that—the kidnapping portion of it. My guess is that some folks around the world are interested in encryption technology to keep their people from being kidnapped, to keep people from listening in.
I mean, that is a big problem, as you know, internationally, in some countries. Isn't it fair to say that a lot of the interest in the private sector for encryption technology is a public safety purpose?
Mr. FREEH. Well, surely, and I said that, which is why the people at this table are the strongest proponents of robust, unbreakable encryption because of the public safety benefits that it has. But if you are using an encryption product to protect your home and your papers and your children, which you may well do, if that product does not have a plain-text feature and somehow the product doesn't work and you lose, God forbid, a family member or a child, when you call me, when you dial 911, what you are going to say is I need everything you have to bring the solution to this case and the rescue of this person. And if the technique that I have to employ is electronic surveillance and the people who are responsible for this crime are using a product that has no plain-text feature or access, I can't help you, and I can't do what you want me to do.
In terms of the first part of your question, 72 percent of all of the electronic surveillance orders in the country relate to drug crimes. Anybody who knows law enforcement in terms of the operational aspects of it, whether they be in public safety or outside, will tell you that most of the violence, particularly in the big cities, is narcotics-related, narcotics driven. So when the district attorneys in New York, all five of them, say that this is the technique most important in terms of fighting drug gangs and drug cartels, they believe, and I agree with them, that this is the portion of their work that affects more lives and saves more lives.
Mr. SNYDER. Maybe I will just make a follow-up on that.
It has seemed to me that most of the violent deaths, however, do not occur necessarily at the—I mean, most of the violent deaths are at that street level, are they not? That has certainly been our experience—.
Mr. FREEH. Absolutely.
Mr. SNYDER. —at Little Rock.
Mr. FREEH. But who is responsible for the narcotics products and the violence related to drug trafficking except the people who are sitting offshore who have hired, as I mentioned, software engineers to help encrypt their communications? So, sure, most of the people, most of the victims, are not the drug lords.
But, Mr. Secretary, I just wanted to ask you, there have been several comments made about, as we are trying to look ahead, where we are going to be down the line. Would you just give your impression of where you see us in this discussion 5 years from now, 10 years from now, 20 years from now, in terms of developing technology and where we want the law to be?
Secretary REINSCH. I think, frankly, the pace is moving faster than that. I don't think we are talking about 5 or 10 years. I think we are talking about 3 to 5 at the most.
Our policy really is premised on our ability to get our friends and allies, who are largely the other encryption producers in the world, not exclusively but almost exclusively, marching in the same direction and doing the same things.
What we have discovered in the cases—those countries have to go through the same internal debate that we have been going through. Their justice departments or interior ministries tend to have the same view as my colleagues. Their economics ministries tend to have a different view and, you know, they fight it out. They tend to end up pretty much where we have ended up, which is encouraging, but we need to move quickly.
If we cannot successfully multilateralize what we have been trying to do here, then I think there is a risk that we are simply going to be overrun by products from elsewhere, and the commercial concerns that I think you will hear from at least one member of the next panel, which we don't believe have occurred yet, will become a serious issue. And I think it is in the time frame, and I think it is shorter than five years, significantly.
Mr. SNYDER. Thank you all for being here. I appreciate you.
Thank you, Mr. Chairman.
The CHAIRMAN. Thank you very much.
The gentleman from New Jersey, Mr. Andrews.
Mr. ANDREWS. Thank you, Mr. Chairman. I also thank you for your continuing interest in this very vital issue, and I thank the witnesses. I think it speaks volumes about the importance of this matter, that these three witnesses have given us this much time this morning given the other priorities they have, and I appreciate that.
There seems to be a consensus, if not unanimity, that with respect to encryption technology that is already broadly available in international markets we should liberalize export controls, and with respect to technology that is not available at all or not broadly available we shouldn't.
There would be those who disagree with that, but that seems to be a common-sense proposition.
That proposition has implicit in it, a factual proposition that we can tell the difference, that we have some body of knowledge about which encryption technologies are broadly, commercially available overseas and which are not.
My question is: Do we? Who in the government—there are all sorts of claims being thrown around in these hearings about encryption technology that is widely available in the international market, and I am suspicious of those claims.
What I want to know is whether anywhere in our law enforcement establishment or the commerce establishment we in fact have a reliable database of what is out there and what isn't? Mr. Secretary, if you would like to answer.
Secretary REINSCH. Well, the magic word there, Mr. Andrews, is reliable. There are private sector organizations that keep track of this. They are not, I wouldn't say, entirely objective in their orientation. Most of the data is drawn from a survey that used to be kept as a public service by a company that has subsequently been subsumed into a different company, no longer keeps track of all available products which I think most parties regarded as an accurate and relatively complete list, but that hasn't been updated since 1997.
We keep track of this issue as a statutory responsibility, and one of the things that we will likely be doing over the next X number of months is conducting another in a series of foreign availability studies on this subject. We last did one several years ago. We will do it again.
But I would also say that part of the equation that I think needs to be mentioned, in addition to what you said, is there is a difference in this case between widespread availability and widespread use.
Secretary REINSCH. As the Director pointed out, these products are often features in Lotus Notes or software that is sold primarily for a different purpose. We don't find widespread use of encryption right now, and that is one of the things that allows us to say the problems that some of the members of the Committee have raised are a little bit farther off, but the products are out there, no question about it.
Mr. ANDREWS. My own conclusion, based upon your testimony today and the prior panel at last month's hearing, is that we should err on the side of national security and law enforcement. But we need—when I say err on the side, if there is a doubt as to whether an encryption technology is broadly available we should assume that it isn't and license it carefully and control its export carefully. But in cases where there is broad availability and use, I certainly think no one wants to hamstring our industry.
I would be interested in any of the panelists' thoughts on how we might devise an agency or a process within the Federal Government that could answer that factual question, who would have no vested interest in the outcome, no commercial interest in the outcome, but tell us that if a terrorist could just as easily buy a product off the shelf and easily use it in Europe or Asia, it doesn't make sense to have a lot of export licensing. But if that is an overstatement, that is not really true, we ought to know it and in my judgment we should err on the side of controlling it from further export. How might we set up such a process?
Secretary REINSCH. Well, I can make two suggestions, Mr. Andrews.
First of all, we do that now through the normal export licensing process. Things have to come into us, either for a license, if it is subject to control, or even if it is not it comes in for a technical review, we examine the product and that allows us to draw some conclusions about it and consider some aspects of it, including the ones that you have raised. That is an interagency process that includes representatives from the Department of Justice but also the Department of Defense, the NSA in particular, and some other agencies as well. I think that works pretty well.
Another way that has been proposed, and we have not yet found a formulation that is satisfactory but I offer it up for you, it particularly exists in the counterpart Senate bill, Senator McCain's bill, is the creation of an advisory board that would review those kinds of questions. Thus far the proposals we have seen have had representation that I would say is unbalanced, but the concept is one that would bring a lot of expertise to the table that isn't inside the Federal Government.
Mr. ANDREWS. I appreciate that.
The other point that I would make, and I appreciate the eloquence with which it was stated by the witnesses this morning, I don't think anybody disagrees with the proposition that sooner or later everyone is going to have everything. The issue is when, how soon, and what can we do about it in the meantime? I think we do need to have a process here where our best and brightest people in law enforcement, in national security and in intelligence have the chance to outsmart this technology before it gets into the hands of those who would use it to harm us.
This is not an absolute, total ban for all time. That is probably impossible. That would be like passing a law repealing the tide tables along the Atlantic Ocean, and we understand that. But I do think it is possible and I think it is necessary for us to set up a process where your brightest men and women have the opportunity to outsmart those you are trying to protect us against. And I look forward to working with the Administration and altering this legislation in that regard.
I yield back.
Mr. HUNTER [Presiding.] Mr. Smith.
Mr. SMITH. Thank you. I really appreciate all of you coming this morning and giving so much of your time on a very important issue.
Let me say, right off the bat, I do not disagree about the importance of encryption. There is no question that the ability to access information is critical to law enforcement and national security, and the fact that encryption has developed to this extent, it has many challenges to people like yourself. I understand that and totally and completely agree with you. The stuff is very, very difficult to break and getting more difficult on a daily basis.
I guess where I disagree is in the arguments about how available the information is, first of all; and, second of all, how important it is that we are hindering our own companies in the development of that technology.
Right now, as the economy becomes more and more global, the Internet becomes more and more of a factor, there is just a whole lot of very smart people who are not in the U.S. anymore. It is not just us. We are not the only ones that can develop new products. They are all over the globe, even as we sit here right now trying to develop better and better products.
There is no doubt that it will happen faster and faster and become more widely available. I think we underestimate that to a very large degree.
I know we have sort of gone back and forth on that as much as possible.
The two points I want to get into is sort of the key recovery argument, because I think something you said, Director Freeh, that I didn't quite agree with was, you know, key recovery is not really going to be that big a deal in an encryption product. You know, it is not necessarily what folks are going to be looking for because most people aren't going to be that concerned about whether or not it gets broken.
I guess I disagree with that, and the scenario I think of is, pick a country, Japan, Denmark, Greece, wherever, and they are looking at a U.S. firm and a German firm and they are looking at an encryption product and they know that the U.S. firm is going to give access to that product to the FBI. And we know here in the U.S. that we have the Fourth Amendment and we have a warrant process and we have this—you know, we don't just turn it over to you, and we know that. I doubt seriously whether or not foreign countries have any faith whatsoever in that process that we have here in this country, and I would be stunned if those countries did not reflexively pick the product from another country that they know didn't have that key sitting in the FBI's pocket. It just seems like a no brainer to me.
In fact, I don't know if you have seen the study, but the industry has done a study, it is somewhere on my table here, on encryption, how available it is, Cyberspace Policy Institute, and they have already found situations where other companies—and in this case wrongly, because U.S. products don't have key recovery—but because they know that it is our policy to try to develop key recovery, they have made the argument, well, you know, that U.S. product, the FBI is going to be able to get to it, and we have already lost sales on this issue. I am wondering if you could touch on that key recovery because that seems to be the plan.
At the end of all of this, you seem to be saying in 6 months, a year, 5 years, 10 years, whatever, I think everybody agrees that this is coming and it is coming to the point where we can't control it. So what you are trying to do, as a stopgap against that, is develop this key recovery system, and I just don't see that working from all the evidence that we have laid out there. I am wondering if you could comment on that.
Mr. FREEH. Sure. What I meant to say with respect to key recovery—not that it is not important, it is certainly a technique and a partial solution to what our overall problem is. What I meant to say is that is not the only protocol for a solution. The electronic reality of a key, whether the key be with the ISP or the manufacturer or on deposit with some third party, what we are saying is we don't propose that as a one-shoe-fits-all solution. We look at other varieties of plain-text retrieval, things that companies and manufacturers and users will want and in many cases have incorporated in their own networks so the head of an investment bank knows that their intellectual property and business decisions and trade secrets are protected from employees who might try to steal them.
To go back to the first part of your question, I would just respectfully disagree with that. I think that if I was a foreign consumer and I had my choice between an American encryption product and one made in a foreign country and I knew that to get the plain-text feature activated in that American product I would have to see something happen where my government and its law enforcement officials, whatever their system of justice was, would still have to come back to the United States and get it, that is a much more protective system to me than the foreign product which is made without any publicly-described access feature. But I know the police and the security service in that country and I know them very well because we work with them, and in some cases against them. That product is not going to be available in that country unless the security service or the police have that key under none of the protections, none of the regime and none of the lawfulness that we have set up here in the country.
So if I was a foreign customer I would pick the American product because it would be much more difficult for the police to break that product.
Mr. SMITH. I guess I missed something there, maybe just for a moment. You threw in a choice there that I am not quite aware of. I am assuming these other countries are selling a product that has no plain-text, no key recovery feature. How is the purchaser of that—I mean, that doesn't make any sense.
Mr. FREEH. Well, again, I understand your assumption, and I would be happy to discuss that.
Mr. SMITH. You are assuming that, whoever sells it, there is going to be some recovery feature that they are going to maintain?
Mr. FREEH. No one who buys a product, particularly in many of the countries which we can discuss separately, should have any belief or confidence that that product is not accessible to the security service in that country. That is what I am saying. I would be happy to go into it with you in a closed session.
Mr. SMITH. I am not sure we can get quite to that point. I am not sure that we are going to get every country to buy off of the key recovery, and that is going to be the problem. But I understand where you are coming from.
Just quickly on the other point, you know, we have heard that, basically, the only argument for lifting our encryption limitations is basically, you know, dishonorable greed, if you will. The folks in Silicon Valley and elsewhere simply want to make piles and piles of more money at the expense of our national security. And I think that argument is flawed in two directions.
Number one, it is a matter of the importance of technology to the economy, not just to a few executives at software companies, but to our entire infrastructure. E-commerce, the Internet, all of that is becoming the leader, the driving force in our economy that is going to determine how strong our economy is, how high unemployment is, whether or not my constituents or anybody else's constituents here are able to get jobs. Us continuing to be the leaders in the IT economy is about the most important issue to people's economic security as anything out there. So I think we make a mistake if we say, oh, it is just a couple of companies. What do we care if they are making money?
The way the new economy works, second place is often no different than last place. If you have the second-best product on the market, you are dead; and the reason is because choice is so widely available. It used to be if you had the second-best product, well, you could carve out a market that the first-best product probably couldn't get to and you could survive. That is not the case anymore. If you don't have the best, you are probably going to disappear. So it does hamper our own entire economy, not just a few executives.
The final point has been made by all of you, and that is having the best encryption products in the world made here is in our national security interest. I think everyone grants that point. I think they underestimate a degree to which that could change. I think there is a little bit of American arrogance out there that we are always going to lead, the rest of the world is never going to catch up with us so we can sort of afford to play around a little bit and not have that happen.
So it is not just, well, we have to err on the side of national security. That is what we always say. I would say making sure we have the strongest encryption products developed here is erring on the side of national security; and, second, the cost of erring against a strong IT economy is far greater than people are stating.
Mr. FREEH. No, I certainly agree with that, and I think we do here. Nobody here is criticizing industry because they want to make profits and be a leader.
Mr. SMITH. Some people here are. You may have missed that.
You know, oil companies, the car manufacturers, are treated differently in the United States of America than they are in any other country in the world, because of our concerns for public safety, environmental security. So we do things differently with our corporations here, as a government, as a Congress, than we do anyplace else.
What we are saying is the software industry, particularly related to this public safety aspect of their business, a tiny aspect of their business, should not get an exception to that.
Mr. SMITH. That is true.
One final point, and that is you can't ship a car over the Internet so it makes it a little bit easier to have those restrictions than it does when you are talking about technology, but I think that is a fair point.
Thank you, Mr. Chairman.
Mr. HUNTER. I thank the gentleman.
Mr. Freeh, this is an opportunity to—I am the chairman of the Military Procurement Subcommittee that oversees nuclear installations, and this is an opportunity, rather than waiting for another forum, to ask you a question concerning the laboratory situation, which I am sure you have talked about extensively in other committees and subcommittees.
We have had a number of witnesses in with respect to the prime suspect of the nuclear theft investigation. That was Mr. Wen Ho Lee. And in the previous testimony a meeting with you is referenced to the effect that, in September of 1997, after Mr. Lee had been under scrutiny for some period of time and he had been left in place in an attempt to expand and perhaps develop some further evidence, you had a meeting with laboratory officials and DOE officials and said, listen, there is no, and I quote, ''investigative reason to keep this guy in place, get him out of there.'' And yet some 14 months transpired after that meeting before he in fact was removed.
Everybody has had a chance to comment on that, except you, before our subcommittee. So what happened?
Mr. FREEH. Well, I have had a chance to comment on it, as you know, in several sessions, in fact, mostly closed sessions. And I would be happy to speak to you about it and answer your question directly.
The reason I am reluctant to do it here and in open session, I have not done that before. We have a pending criminal case here, investigation-wise, and I don't know how that case is going to end up, but I would not want to say anything here on the record that would interfere with either the potential for going forward with that case or, if a charging decision is made by a grand jury, to affect the success of the prosecution. Anything I say would be directly related to that case in the discovery, in pretrial motions, and I would rather not do that, but I would be happy to meet with you separately, and I can answer your question most directly.
Mr. HUNTER. Okay. If you can do that, we would appreciate it. As you know, most of the other participants in that conversation have testified in open session.
Mr. FREEH. Yes, but they are not in the law enforcement business.
Mr. HUNTER. Yes, I understand. Okay, if you could let us know about that, I would be happy to meet with you separately.
Attorney General Reno, thank you for being with us. We appreciate your being with us today on this issue.
We are also working on a joint project, that is to try to keep folks from drowning as they cross the All-American Canal at the Mexican border. I know that is a concern of yours, a concern of mine also. We have got a few recommendations to make we will ship off to your office.
Secretary Reinsch, thank you for being with us in this case. I think we are on the same side.
Just one question on the issue at hand, and that is, as I understand it, and pardon me for being out of this hearing during most of the hearing, but the key recovery system is kind of a condition that we like, is that right?
Mr. FREEH. It is clearly a workable condition. We know the 13 companies make key recoverable products. It is not the only solution. We want to be much more broad and flexible about that, but we know that that is a technological answer, particularly when it is voluntarily being manufactured and used by companies without requirement by the government that solves part of our problem.
Mr. HUNTER. So let me ask you this: If a company has or a user or a consumer of this encryption technology has benign intentions, that is, they don't intend to terrorize people or rob banks or do bad things, should they be worried about us having a key recovery system?
Mr. FREEH. They should not be worried at all, because what stands between them and any activity by this department or this FBI is a Federal, State or local judge, meeting the same conditions met every time we ask for a search warrant.
Mr. HUNTER. And we are selling, or we have sold, as I take it from reading the briefing, we have sold a lot of encryption technology with the key recovery system, and it hasn't seemed to deter consumers from buying our systems.
Mr. FREEH. Every major bank, and I met with several of the CEOs yesterday in New York, use this system and they use it securely but also protectively in case they have an employee who is going to steal something from them.
Mr. HUNTER. So could you speak to the legitimacy of the argument that if we insist on a key recovery system the rest of the world will pass us by because the consumers don't want that?
Mr. FREEH. Well, there is a two-part answer. First of all, I would like not to have to insist on it. I would like to solve this issue by not requiring manufacturers to make these products but giving them the incentives to make them.
I think every other country that we could possibly think of and all of my counterparts and all of the Attorney General's counterparts in those countries are going to want and ultimately have some type of relief in order to do their jobs.
What we would like to do is see it done on a voluntary basis without regulation, but it is going to require what the 13 companies who are making these kinds of products have elected to do and some government incentives which you can be very helpful in establishing.
Mr. HUNTER. But doesn't that solve—if the key recovery system is acceptable to the consumer, doesn't that solve the problem of liberalization of encryption with a greater and greater capability?
Mr. FREEH. Yes.
Mr. HUNTER. If the key recovery system is accepted on a system, then you don't care how many bits are involved in that system.
Mr. FREEH. Right. Absolutely.
Mr. HUNTER. So you can have a system that totally outperforms foreign built systems, for example.
Mr. FREEH. Yes.
Mr. HUNTER. And yet have protection for American security interests?
Mr. FREEH. Yes, sir.
Mr. HUNTER. I don't understand why that is—for those that oppose—that want to continue the liberalization, I don't understand why they feel it is mission impossible to go with a key recovery system along with continued sophisticated development and marketing. Attorney General Reno, do you have any comments or Secretary Reinsch? What is the stopper here—what comes to mind when you review that possibility?
Secretary REINSCH. Well, I think I would say two things, Mr. Hunter. One is the reason we are pursuing a market-oriented policy, and one that we are trying to maintain consistent with the movement of the marketplace is because we recognize that the technology is sufficiently out there that we probably can't, from a regulatory perspective, prevent every bad guy either in the country or abroad from acquiring encryption outside our purview if they are determined to do so.
So our approach is not to try to be a hundred percent but to try to get the market to seize on the kinds of products that Director Freeh has talked about and try to make that standard, if you will, so that as many people as possible that buy those products—.
Mr. HUNTER. Wasn't the key recovery system at one time an Administration requirement for sale of encryption above a certain level?
Secretary REINSCH. Well, for liberalization, it was—for liberalization of exports, yes. We have never required use. We have never imposed any domestic requirements for use. What we had said prior to last September was that for export without bit length limit, it had to be key recovery. What we discovered in our dialogue with industry is what the Attorney General and Director Freeh commented on earlier and that is there are some other products that are not what you would call key recovery that also meet their needs. We don't want to discourage those either.
Mr. HUNTER. But you think we can accommodate—by using key recovery and other products, we can accommodate two things. One, our national security interests and two, the consumer market.
Secretary REINSCH. Well, we can accommodate my colleague's problems. Without going into a lot of detail, accommodating the National Security Agency's problems are a little bit more complicated than that.
Mr. HUNTER. Okay. Thank you. Mr. Talent?
Mr. TALENT. Thank you, Mr. Chairman. I have no questions, but I would like to yield to the gentleman from Pennsylvania, Mr. Weldon.
Mr. HUNTER. The gentleman is recognized.
Mr. WELDON. I thank my colleague.
Let me also welcome all three of you here for this hearing and apologize for not being able to hear your testimony. I will read your statements.
I am familiar with the issue. Last year I worked closely with Dr. Hamre and offered the amendment that passed in this committee 45-1 that basically expressed our concerns relative to the security implications of the Goodlatte bill, and I have already met with Dr. Hamre in working on a possible amendment that I would offer jointly, perhaps with Mr. Skelton or Mr. Andrews and others in this committee when we mark up the legislation. So I am on your side on the issue.
I think it is an important one. I think there have been some actions in the past that unfortunately have exacerbated the problem. Mr. Chairman, I would like to ask unanimous consent that we insert in the record a letter from Ron Brown to the—or to Ron Brown from I believe it was an executive from Motorola back in 1995 congratulating Ron Brown for his efforts in allowing a very capable encrypted software to be sold abroad.
[The information referred to was not provided for the record.]
Mr. WELDON. I think those kinds of issues in the past have not helped us in this effort, but I will be supportive of the position that each of you have taken today.
But I do have a separate question that I would like to ask, and this is an opportunity that I won't have again. It is also a security issue. Attorney General Reno, I have been in support of across the board efforts to strengthen the position of our law enforcement agencies, the FBI and the Justice Department on a wide range of issues. For seven months last year, I had the honor of serving on the select committee looking at exports to China from the U.S. commonly known as the Cox Committee. I saw much of the evidence that has not yet been made available to the public that has been gathered by the CIA, the FBI, and other agencies, and I sat through countless numbers of hearings and countless proceedings where the issue of whether or not our security has been jeopardized was raised.
As you well know, the votes in the Cox Committee were unanimous. Despite some of my colleagues on the other side trying to distance themselves from the report or portions of it, there were no 8-1 votes. There were no 7-2 votes. Every word in our final series of findings was gone over and every Member had to agree before it was passed. And so the document was passed at 9-0 with no dissensions and no abstentions and there were no dissenting views expressed by Members of either side to our findings.
And our findings were severe. The security of this country has been severely harmed by the transfer of technology to China, severely harmed. And it is not just as Bill Richardson has characterized it, a problem with our lives. That's a relatively—I won't say a minor problem, but that is only one small portion of what we looked at. Because we looked at high performance computers, we looked at encrypted software, we looked at machine tooling, we looked at space launch capability, we looked at missile technology. We looked at not just proliferation of this to China but then China to other rogue nations like Iran, Iraq, Syria, Libya, North Korea.
And it is—it was very troubling to me—I am now in my 13th year in the Congress—to see what I saw, hear what I heard, and to have dedicated career employees in the intelligence service come forward and in many cases risking their careers. In fact, one key official is on administrative leave right now, simply because he spoke up. In fact, Chairman Burton's committee two weeks ago held a hearing when five of these current federal employees came in and testified about efforts to harass them in their job simply because they were doing their job, in their opinion, in a professional way.
There are many unanswered questions. The Cox Committee only looked at whether or not our security was harmed, but it was impossible for us not to look at linkages that were there. That was an impossible situation. In fact, I have put two charts on the Internet that were provided with the assistance of current federal intelligence employees which established the linkages, the linkages between the front companies, the linkages between the financial holding companies and banks, some of which are based in Hong Kong, Macao, and Singapore, and the agencies of the Central Military Commission, the People's Liberation Army.
And I provided, in an unclassified manner, 26 separate public documents that provide direct linkages, direct linkages between board members, between key leaders of these entities, between officers of the Central Military Commission, the PLA. There is no doubt in my mind that those linkages are there. That is only in the public realm, and I have only seen a small portion of the excellent work that the FBI and the CIA did in this area. And, in my personal opinion, it is far more extensive than what we have been able to see publicly, and even far more than what I was able to see as a member of the Cox Committee.
I don't think this is ever going to ever be cleared up, General Reno, and I am not saying everyone but a select group of Members of Congress are allowed to see the unredacted Charles LaBella memo. Now, I know in talking to Henry Hyde and in talking to David Schippers that they saw a very limited 30-page portion of the LaBella memo, but to my knowledge, no one has seen the entire unredacted LaBella memo, which was sent to Director Freeh who then put his cover memo on it to you.
If there is nothing to hide, then there should not be a problem with the Administration allowing a select group of Members of this body representing the people of this country to answer the fundamental question as to why we did not proceed with a follow-on in terms of the linkages between the holding companies, the financial entities, and the agencies of the Central Military Commission.
My question to you is what is it going to take for you to allow selected Members of Congress, and I don't care who they are, whether they are Intelligence Committee members or whomever, to view the entire 97-page unredacted LaBella memorandum.
Attorney General RENO. We have tried working with Chairman Hatch, Senator Leahy, Congressman Burton, and others to provide you with everything that we could under the law, and we did it that day. If you have other versions of the law that would permit us to give you more, we would be happy to review it.
Mr. WELDON. If the Congress were to issue a contempt citation, would that be the initiative that would allow the release of the unredacted 97-page LaBella memorandum?
Attorney General RENO. My recollection was that the committee had cited me for contempt.
Mr. WELDON. The full Congress has not yet, just the Government Reform Committee has.
Attorney General RENO. What I was suggesting is that you change the law. A contempt citation would not change the law.
Mr. WELDON. General Reno, I just want to add for the record, and again as the ardent supporter of the issue that you are here for, opposing—the only one on your side of this issue is basically the government.
Every industry group out in this room is totally opposed to your position. So the reason that I am doing this is because of the security concern both internally and externally for our Nation. And time and again, I am willing to join with my colleagues on the other side of the aisle in going to the wall to protect our national security. I am very unhappy with what I saw as one member of the Cox Committee who is totally involved in all the deliberations. I am absolutely outraged that the American people are not able to get to the bottom of why these decisions were made.
If they were innocent decisions being made, I have no problem with that, but I can tell you there is a question in my mind based on what I have seen beyond the public documentation of the Cox Committee, work done by the CIA and the FBI and work done by the Defense Intelligence Agency and testimony of key professional employees who lead me to believe that there is additional information that the American people should have access to and that there certainly needs to be a follow-up in terms of why these decisions were made to allow the transfer of so much technology, not just the espionage by the Chinese.
That is a smoke screen to cover up the real issue. In fact, I am going to support normal trading status with China because if we are dumb enough to give the technology to China, it is our fault, not the Chinese. The problem is why were these decisions made and were they made in linkages with other events that would have occurred that we need to fully explore.
We are talking about a case of harm to our security that we haven't seen even beyond the Rosenbergs. And I, as the chairman of the Research Subcommittee, have to oversee $38 billion a year for new technologies to deal with these threats; and we don't have that kind of money. So to me it is a very personal issue as to why these decisions were made in a period of time.
Attorney General RENO. You are asking about a number of decisions that I—you have not been specific about. I would be happy to appear before you to testify as to anything that I could testify to under the law. Under grand—if it involves grand jury information, that is another matter, and I can't violate the law. I don't think you would want me to.
Mr. WELDON. No, I wouldn't want you to do that.
Attorney General RENO. And I will try though I have—I think there might be other people that you would want to hear from because I wouldn't have specific information concerning why something was done, but I am always happy to try to be as responsive as I can with the knowledge that I am consistent with the law.
Mr. WELDON. I appreciate that answer and I certainly wouldn't want you to violate the law and if you come back, I think it should be in a closed session so we could get into some of the—.
Attorney General RENO. What I would suggest you do, if you could give me the questions so that I could properly prepare, and it would be much more helpful.
Mr. WELDON. The reason I asked about the LaBella memo is that it is my perception and perhaps it is totally off base and it wouldn't be the first time, it is my perception that a very dedicated professional working for another very dedicated professional used his best professional judgment in assessing a lot more information that I, as one member of the Cox Committee, had access to and in his recommendation there was justification that would allow a decision be made to trigger the Independent Counsel Act.
And for that reason I think in the end access to that 97-page memorandum by as small of a number of Members as—and maybe—I am not a lawyer. I am one of the few Members or one of the half of the Congress that are not lawyers, but I can tell you our security has been harmed. It has been harmed in a way that we have not seen in this century, and it has been harmed by actions that occurred that people can't fully explain. And if a dedicated professional makes a recommendation to another dedicated professional who makes a recommendation to a third dedicated professional who disagrees with the first two, all I am saying is I think we have a right as Americans to understand the thought process that was used by the first individual in making that recommendation who had access to far more data and information than I did as a member of the Cox Committee.
But I appreciate your answer and your willingness and offer to work with us.
Attorney General RENO. Thank you.
The CHAIRMAN. Thank you very much. And it is time for another panel, I think. Before we go, I want to thank you all for being here and apologize for keeping you too late. Mr. Reinsch, I understand you consented to stay until they got through the panel. I appreciate that.
Mr. FREEH. We very much appreciate your leadership here, Mr. Chairman, Mr. Skelton. Thank you very much for your time and consideration.
The CHAIRMAN. You all have been good witnesses. We appreciate it. You have helped us a whole lot in our work. We hope we will be able to do something about this that will strike this balance we are talking about.
Again, thank you for coming.
Now, if we will change for the other panel. Mr. Bowcock and Ms. Kaufman, if you can take your chair.
Attorney General RENO. Thank you, Mr. Chairman.
Around this place, we have ladies first so, Ms. Kaufman, if you want to proceed and then—whichever way you would like.
STATEMENT OF MATTHEW BOWCOCK, EXECUTIVE VICE PRESIDENT OF CORPORATE DEVELOPMENT, BALTIMORE TECHNOLOGIES
Mr. BOWCOCK. She suggested I go first.
Thank you. Good afternoon, Mr. Chairman, and members of the committee. My name is Matthew Bowcock and I am the Executive Vice President of Corporate Development for Baltimore Technologies. I am testifying today to provide the viewpoint of a leading information security company that originates from outside the U.S.A.
I would like to put my comments in context by giving a brief introduction to Baltimore Technologies. Baltimore Technologies is a publicly listed company on the London Stock Exchange. We develop and market commercial security products for use in business and electronic commerce. Most of these products use encryption technology. We have software and hardware development centers in Ireland, the U.K., and Australia, and we have sales offices in 16 cities worldwide and customers in 40 countries. Many of these customers are governments, government bodies, and some of the world's leading financial institutions, and we have business and technology relationships with many companies including many U.S. corporations such as Intel, Cisco, IBM, Netscape, Security Dynamics and the subsidiary RSA Data Security. While we do not develop software inside the U.S.A., we are successfully selling our products and growing our business throughout America; and we are one of the leading global security companies.
We export the majority of our products from the country of development. These exports are regulated by the national government of the relevant country all of which are signatories to the Wassenaar Arrangement. Accordingly, Baltimore has unrivalled experience of operating in the most international of export regulated environments. Our business objective is to provide the world with the underlying electronic security infrastructure to support world electronic commerce. The underlying framework of world commerce requires a reasonable regulatory environment that transcends national boundaries. This framework has to be acceptable to the twin requirements of national and international governments and the freedom of the individual.
Encryption is now a common requirement for almost any Internet or electronic commerce product. This is in contrast to just a few years ago when encryption was only necessary for specialist products. It is now clear to everyone that the regulatory systems that were designed to control cryptography in the past cannot be sustained into the future. The next move is highly important, and Baltimore will encourage and support all initiatives to develop a structure that supports the requirements of both industries and governments.
The SAFE Act would completely alter the nature of the security market both inside the U.S.A. and in the rest of the world. We welcome the use of cryptography for the development of a secure e-commerce structure within the United States as proposed by the SAFE Act. Security and trust are essential components of commerce and cryptography is an essential component of e-commerce. The prohibition on mandating key escrow will also remove a potential technological obstacle to the adoption of secure systems. And in light of this morning's discussion, I expect you may want to ask further on that.
This act would enable the vast majority of non-American businesses and consumers to conduct business with each other over the Internet using strong security. However, this unilateral move comes soon after 33 leading countries, including the United States of America, agreed to harmonize a base level of crypto regulation in the Wassenaar Arrangement. The SAFE Act may solve a single problem of U.S. export but may cause other difficulties in advertising, in selling and using U.S. security products between other countries as many U.S. companies have development, manufacturing, and distribution facilities throughout the globe.
This is not a U.S. versus the rest of the world issue. The U.S. has a unique position in that it is the largest single market for development, export, and purchasing of high technology products. I would encourage the committee to consider a more international approach to the export section of the SAFE Act so that we recognize the international aspects of the industry and of the Internet.
I would also wish to refute the widespread perception that non-U.S. security companies flourish solely because of perceived inability of U.S. companies to export products with strong crypto. As part of our research for this testimony, we were astounded by some of the claims presented as testimony to some subcommittees. It is vital that this committee is not misled into developing legislation based upon incorrect information.
Baltimore Technologies derives a high percentage of its revenues from the financial sector where U.S. companies are free to offer strong cryptographic products. We compete successfully in the same way as any technology company does by bringing the best products to market first. I do not know of any significant non-American companies who have deliberately set out to build a business based on the U.S. export situation. The only situations we encounter of companies deliberately sidestepping U.S. regulations are the international subsidiaries of U.S. corporations.
While U.S. companies are subject to export restrictions, they have a domestic market that is the most active and sophisticated in the world comprising 260 million people. Many of Baltimore's products emanated from our Ireland development center with a domestic market of fewer than four million people. In many ways we are envious of American companies which can access a vast domestic market in which to develop and sell advanced security products. U.S. companies are not losing the technology race nor will they. There exist many significant impediments to the development of security products, and many American companies would cite the commercialization of various patents as being much more significant.
Thank you again for your invitation to present here.
The CHAIRMAN. Thank you.
[The prepared statement of Mr. Bowcock can be found in the appendix.]
The CHAIRMAN. Ms. Kaufman.
STATEMENT OF ELIZABETH KAUFMAN, SENIOR DIRECTOR AND GENERAL MANAGER FOR SECURITY, CISCO SYSTEMS, INC.
Ms. KAUFMAN. Mr. Chairman, distinguished members of the committee, I want to thank you for the opportunity to speak to you today about the SAFE Act. Following up on the testimony of this morning, I am going to focus my testimony on our overall objectives for cryptographic technologies, our perception of the market, and also to describe to the committee an alternative to key recovery that we have been working on with our partners for several years and also in partnership with law enforcement.
Before I start my prepared testimony, I would just like to reiterate with Baltimore, we seem to have a mutual envy society. They envy our domestic market. We envy the fact that Baltimore and their competitors have been shipping actually under a loophole in the Wassenaar Arrangement. In fact, they are not controlled as we are controlled in terms of their access to exporting cryptography. So even were they a U.S. company, they would not have the same controls that we have today.
Cisco Systems is the worldwide leader in networking for the Internet, and we sell products in about 115 countries around the world. We are also the leading U.S. provider of firewall and virtual private network gateways which are cryptographic products deployed to secure networks usually for internal security purposes or business to business transactions. Many of our general purpose products include cryptographic features including our routers, our cable modems, and many of our campus switches.
Many of our colleagues and industry have raised the issue of lost revenues for U.S. businesses, but Cisco Systems is not fundamentally interested in cryptography because of the dollars we may lose on cryptography sales. In fact, we believe that data encryption is one of the fundamental enablers for the next generation of network growth. We have found that the early opened deployment of our domestic Internet in the United States is the exception and not the rule. Both overseas and here, strong encryption that enables trust and secured data transfer is, in fact, a precondition to the continued strong growth of networking and e-commerce. In contrast to Director Freeh's remark earlier, more and more of our customers' large purchasing decisions actually take into consideration not only the presence but the strength of security features. And we are increasingly beginning to lose some of those deals, especially overseas to locally viable, not necessarily equal, but viable competitors.
We began our efforts to resolve the current policy stalemate on encryption because we and our customers and our industry partners need encryption technology to ensure the continued success of our business. We believe that overly restrictive controls on this technology will stall the networking market or create marketing advantage for foreign competitors.
Our concern is that there are three potential outcomes if we do not have export relief. The first is that the networking market as a whole may stall since businesses cannot deploy security sufficient to support their needs.
The second, and I will say I think this is the most likely scenario, is what we call the pecked to death by chickens scenario where we see U.S. market leadership eroded by different local competitors in each foreign market and bearing in mind that many of our foreign customers would prefer to buy their own domestic product just as U.S. companies would prefer to buy U.S. product. So we don't look necessarily for people who match us feature to feature. We look for people who are locally credible in their own markets.
The third and I think the least likely scenario is what we call the jaws scenario which would involve U.S. leadership being knocked out by a single powerful competitor which would most likely be the result of some type of merger or acquisition and many people point to, for example, a major foreign networking company buying one of the leading foreign security companies as the necessary step for this to occur. We do not believe that this is the most likely scenario.
Much of the policy stalemate has arisen from an inability and we heard much of this morning, an inability of industry, law enforcement, and intelligence community to reach a reasonable understanding of where customer and government interests are at odds and where they intersect. And we have spent several years building that understanding with the leader of the 13-company coalition that Director Freeh alluded to this morning. And we have brought forward a solution that we call the private doorbell that has been well reviewed both by law enforcement and by intelligence.
The private doorbell solution is classified currently as recoverable. It is not a key recovery product but a plain text access product. It is a recoverable technology under the EAR and it is something that we have worked on at length with law enforcement.
Our analysis has led us to reject available key recovery technologies for our particular products. Our markets, in fact, resist them very strongly and major companies, including U.S. companies, actually threatened to throw our products into the ocean were we to incorporate key recovery technology into them.
I think that the discussion of whether or not the market is interested in key recovery has overlooked an important fact, however, which is although our customers do not like key recovery technology, they are law abiding and their requirement to us was that we find an alternative, one that they felt did not compromise the strength of our products that allowed them to comply with a lawful warrant. So we entered this debate several years ago with a requirement from law enforcement that matched exactly the requirement we had from our customers which is to provide a mechanism that did not compromise their security but did allow them to comply with a lawful warrant.
Private doorbell is an alternative to key recovery. It enables our customers to deploy any algorithm of any strength but still comply instantly with a warrant for plain text data. It is a management function that allows the administrator who controls one end point of an encrypted connection to expose data to authorized parties in a selective way, and it is present today in every standards-compliant encryption gateway from any vendor. It is part of the Internet standard. We have been shipping this feature for over four years long before the SAFE Act and long before any key recovery legislation.
The value proposition for law enforcement is that it maintains the status quo. Our customers can employ strong encryption. They don't have to worry about trap doors or weakened cryptography. It is standards compliant and although we would prefer them to use purely our product, it is also something that allows them to deploy a multivendor network. Law enforcement has supported us in this initiative. This technology cannot offer the Intelligence Committee an encryption-free world; and frankly, if we felt that the situation was either U.S. encryption or no encryption worldwide, we would be having a very different discussion today.
And I believe that several years ago in reality, although people have pointed to foreign availability, those products were so immature that it wasn't practical to suppose until very recently that any large customer would really deploy such an immature product in spite of the cryptography. What we are seeing today is that foreign products are increasingly offering comparable levels of stability. They may not have all of the features.
We believe our products are still the best. But these products are adequate to the needs of people who require strong cryptography. And for the first time, we are truly beginning to lose deals not everywhere and not to everyone but for example to Israeli companies, to Finnish companies, and to some companies based out of the U.K. The E.U.'s trend towards a license-free zone to crypto makes us more concerned that we will be losing deals to some of these local competitors.
So for the intelligence community, we can't offer them a world without encryption but as these products gain market share, if they gain market share, they will extend the homefield advantage for our intelligence; and they will also defend against the possible broad deployment of foreign encryption technology that may be actively hostile to U.S. interests.
The intelligence community has suggested that private doorbell products are equivalent to key recovery. We formed a coalition, actually now 14 U.S. companies, in support of this initiative called the Alliance for Network Security. Our purpose is to advance our understanding with the government and to build on the license approvals that we have. We and our colleagues in ANS share the conviction that the resolution of this debate should be industry-led and market-driven but must satisfy national security and law enforcement requirements.
We also support passage of H.R. 850, the SAFE Act. The provisions of the SAFE Act would remove most license requirements for exports of recoverable products, such as private doorbell products especially for business-to-business transactions. We do understand that it would not absolve us or our partners of our obligations to our customers to law enforcement and to national security. We do not want to dodge these obligations, but we want to continue to lead the greatest technical revolution in recent history at the same time strengthening our partnership with our customers and with our government. And in addition, Mr. Sisisky mentioned that the need for a long-range plan, that is the substance of our discussions primarily with law enforcement, and we want to be there and help you develop a long range plan as we move beyond stalling deployment and deal with a world where there is widespread cryptography.
Thank you very much.
The CHAIRMAN. Thank you, both of you.
[The prepared statement of Ms. Kaufman can be found in the appendix.]
The CHAIRMAN. Ms. Kaufman, that is just what we are here about, trying to look at this thing and have some kind of balance involved. You said that you supported the SAFE Act, H.R. 850, but does this include your proposal that you have discussed acceptable to law enforcement and our national security interest, too?
Ms. KAUFMAN. H.R. 850 would include significant relief for our products specifically which are recoverable but not key recovery products, that we support that. Law enforcement has been very supportive although we heard this morning not of the SAFE Act in its entirety but certainly of the relief for recoverable products, such as the private doorbell products.
The CHAIRMAN. Mr. Bowcock, you have heard the other side so to speak, the other witnesses this morning and you are familiar with their positions, national security concerns from the Department of Defense, the law enforcement from the national level down to the local levels, all levels, their concerns. Are these concerns justified?
Mr. BOWCOCK. Absolutely. And I think that it should be understood that almost all major developed countries share concerns about the proliferation of encryption. That is why I made the observation that this debate is not unique to the U.S. It is exactly the same discussion that is taking place in the U.K. and in Australia and other countries.
I think one thing—could I just make a point of clarification, Mr. Chairman, in terms of some of the debate that I have listened to this morning. I think one issue that is not being clearly brought out is we have questions of key recovery, whether or not the objective is covert surveillance. This is very, very fundamental because there are a number of ways in which key recovery, data recovery, however else you describe it, can be provided. One way, of course, is through secret trap doors which are known perhaps only to national agencies. And, of course, any commercial company that is in a situation whereby information becomes disclosed that is available but is not commercially stated is jeopardizing its commercial viability in the future.
So all commercial companies are going to reject that wherever they possibly can, depending on the political environment they are operating in. But there are other ways in which key recovery features are provided in products, and we recommend to customers that it is good business practice to operate key recovery if your employees are issuing purchase orders and on Friday you file one of them and you have no idea what the obligations of the company are on Monday because all the data is encrypted, and you have no way of accessing that. That is very bad business practice. So we recommend, in most applications, that key recovery is employed.
The question then becomes can that data be made available and under what sort of legislative regime and can that data, if it is only available with, say, the employer or that key be used then for covert surveillance, for example, of that employee. So I would suggest that the debate is a little more complex than perhaps I have seen this morning in terms of key recovery or non-key recovery. It is a question of whether the features are covert and whether the capacity to be able to intercept is covert and who holds it.
The CHAIRMAN. The court order part, the key would be held, in fact, by the court. Is that different from what you are talking about?
Mr. BOWCOCK. That is a scheme which people have sometimes referred to as mandatory trusted third party or key escrow. I think that is largely being discredited in most countries around the world because commercial organizations are simply not prepared to accept that in a sense there is a back door key to their home that is kept always by the law enforcement agencies.
Instead, the option that is being put forward in a number of places where an organization is employing cryptography, an organization this is—and they employ key recovery for their own business practices, that should be made available to law enforcement agencies on a confidential basis whenever required. The problem with that scheme, of course, is it doesn't then allow covert surveillance when encryption is used from individual to individual, such as e-mail between two people involved in say child pornography or drug trafficking because they are certainly not going to use a scheme which is being provided by a commercial company.
The CHAIRMAN. The way it was explained, the law enforcement agency wouldn't hold the key. The court would have the key. That is a separate agency.
Ms. KAUFMAN. Maybe I could give an example that would clarify. Most key recovery schemes are one technical mechanism with a cryptographic product so that you can get the data back if you are not one of the original owners of that data. So, for example, it is as if you had a house key that you stored with the court or with law enforcement and then you yourself possessed a key to your house. The objection to that, especially in the context of the Internet, is that we have learned through experience that if there is an extra key, someone and probably a 12-year-old on summer vacation will find some mechanism to get a hold of that extra key and exploit it. So our customers who would like to provide access to the data object to the technical mechanism because they feel it makes them vulnerable.
Now, an alternative, for example, the mechanism that we have adopted does not involve keys because our customers objected to the vulnerability. So, an example, the way our products work, which is a little different technically than Mr. Bowcock's, would be if you wanted to send him a message and you wanted to encrypt it for his eyes only, in our system you would hand that message unencrypted to Mr. Skelton here.
He is a gateway in this example, I beg your pardon, sir, and he would hand it to me, encrypted so his job is to encrypt it. My job is to unencrypt it and pass it on in the clear to Mr. Bowcock. So the opportunity is very similar to the status quo for law enforcement today where if they received a warrant, they could place a tap between the two of us or, Mr. Chairman, between you and Mr. Skelton and they would be able to intercept the data and there is no question of a key. Our keys are still secret. What we provide is an alternative way to get at the data. And so what we are trying to do is eliminate the possibility of a 12-year-old or somebody with an interest in sabotaging our communication. We are trying to eliminate their access to the data but still provide law enforcement a way to request that data of you and give you a way to comply.
The CHAIRMAN. That is the procedure you think that law enforcement and the National Security Agencies are in favor of?
Ms. KAUFMAN. Law enforcement is strongly in favor of it. National Security Agencies feel it is equivalent to key recovery so they would prefer no encryption but if they have to have encryption, they have told us they consider this comparable.
Mr. SKELTON. Your example, Ms. Kaufman, is rather interesting because I am just doing my best to conquer e-mail. I think all of us are looking for that special balance between what you and your company seeks, national security, and law enforcement and my question is, why do we require, why is it necessary to have legislation? By the time legislation is passed, technology may leapfrog far ahead. Would we not be better off just having a regulatory process which can be changed more quickly and in charge of this type of technology? Why is legislation necessary?
Ms. KAUFMAN. I guess I would answer by saying we don't believe that any amount of legislation is going to replace the need for a strong working partnership between industry and law enforcement and regardless of the fate of the SAFE Act in H.R. 850, we know that we will continue working with Director Freeh and his staff and with the intelligence agencies as the technology continues to develop.
We have a position on the legislation. It is here and obviously it has an impact for our business. We also feel that the market is moving a great deal faster perhaps than many people would wish, but we don't believe that—regardless of even if the SAFE Act were to go through unmodified, we would still have a great deal of work to do together to ensure that our own capabilities continue to develop and that we were educating law enforcement and listening to their concerns as we move forward.
Mr. SKELTON. Thank you very much, Mr. Chairman.
Mr. TALENT. I am going to get one thing straight in terms of your views. What is a key issue here is whether, no matter what we do, the people who we are concerned about will be able to get the encryption technology they want on the foreign market any time soon because we don't control what foreign companies do in this Congress. So, Ms. Kaufman, you kind of got there when you were talking about the fact that you are beginning to lose significant deals because of the current restrictions. I understood you to testify to that effect; is that correct?
In your opinion as people are familiar with this field, if we continue the current policy without change, however we change it, are American companies going to significantly lose business? Number one, and number two, are people abroad going to get the encryption technology that our law enforcement officials are afraid of from foreign competitors?
Ms. KAUFMAN. Thank you, Congressman. I am going to answer that two ways. What I would say first is that the continued growth of the networking industry requires that there be stronger security for the infrastructure.
And I think my company was as guilty of this as anyone. Until 1995, no one who connected to the Internet was permitted by contract to do any business on that network so the initial boom in the networking business was driven by exploration, people being very curious, and because it was government subsidized, there was not a compelling business interest to protect the data across the infrastructure.
If you ask me will I lose a large infrastructure deal to a competitor who has adequate comparable equipment and stronger security, we have already lost several of those deals and what we believe is it is the thin edge of the wedge, we believe that this is the early adopters and as more people start to take security seriously, that we will start to lose more and more deals.
Mr. TALENT. Weren't your two statements inconsistent? I don't ask this to be adversarial. I have learned more from your testimony than I think the first panel provided us all morning long. That is why I am asking you. On the one hand you said no, you are not going to lose significant dollars.
On the other hand, if I understood you properly, you just said this is the leading edge and it is coming. Is it your 5-year framework, you think in 5 to 10 years you will begin—
Ms. KAUFMAN. I am sorry, let me clarify. We sell networks. Cryptography, as Director Freeh said quite accurately, is a very, very small component.
Mr. TALENT. That is what I am getting at. The question is how important is this cryptography in the minds of your customers no matter how much it costs them?
Ms. KAUFMAN. It is increasingly vital.
Mr. TALENT. It is like the person who insists when they get into a mini-van and choose which one to buy, the key feature is how many cup holders it has. It may not cost the company very much, but when you talk to people who manufacture automobiles, and it is things like that that trigger consumer decisions.
Ms. KAUFMAN. I would compare this to air bags which it is becoming standard best practices and now that there are credible, we don't like to think comparable, but credible competitors who offer better/best practices for security, we are at risk not just of losing the $2 million, for example. It is the total deal. And that is our interest. It is not that small feature component. We agree that that market is quite small. And it may never be large, but it is the infrastructure that we build.
Mr. TALENT. So your customers are significantly—it is a decision that is a factor that affects their decision to buy whether they feel that the network they are purchasing is adequately secure?
Ms. KAUFMAN. Yes, increasingly.
Mr. TALENT. And this cryptography key is an important—this encryption technology is the vital aspect of that. Is that fair to say then?
Ms. KAUFMAN. Yes.
Mr. TALENT. Now, Mr. Bowcock, your statements about the difference between covert and overt were very enlightening to me because we are not talking, I take it—a lot of—the legitimate companies we are talking about, they are happy to respond to a warrant.
I am not simply concerned about your customers who don't want to respond to a legitimate law enforcement request. Those are the people that I don't want to get this stuff so I don't want you to set it up, but they are concerned with law enforcement having an effective key which it could use covertly even if it is only law enforcement that has the key. Now, I don't understand why an honest company would be—because I am going to be naive here. I don't understand why an honest company would be concerned about the FBI and only the FBI having the key to their encryption technology.
Mr. BOWCOCK. I think there is another important issue that did not come out in this morning's debate and that is the difference between domestic interception, domestic products which, of course, are not in any way regulated by export, and international products and access to those. Now, clearly a company which is in—a company which is in, say, Japan which is acquiring a product and has a choice of one from Germany and one from the U.S. and they believe the one from Germany, whatever reason, whatever Director Freeh may have stated this morning, they believe the one from Germany does not give the ability for someone to give covert access and they know the one from the U.S. does because it is U.S. policy to encourage that, it becomes a question of national sovereignty and their sense of comfort about that.
It would be an extremely difficult sell regardless which country you originated from to convince them that the country that the technology originated from should have access when that government in question doesn't. That is why I believe that hidden trap doors are ones that originate from a particular country and only give access to the data to the law enforcement agency of that country of origin will not receive any commercial acceptance.
Mr. TALENT. You see why it is exactly the hidden trap door that the law enforcement people want because they are not that concerned about the legitimate companies. They are for embezzlement and all that sort of stuff. They are concerned about the terrorists who are not going to respond to a warrant. Is there some way of accommodating giving them a hidden trap door while meeting the needs of your legitimate customers?
Mr. BOWCOCK. I think it is true to say there is, as I think was stated this morning by the attorney general, there is no silver bullet. There is no simple solution to this that resolves everything. The way things are moving in the U.K. is they have decided to focus more on the powers of gathering evidence so that they are able to seek from any valid—any commercial organization that does have either the plain text or the key, access to that key, and it should become an offense to be able to inform other people that that key has been sought or to refuse it if you actually have access to the data.
Now, you could argue, of course, that any drug trafficker is simply going to take no notice; but it is worth reminding people there are many situations in which people have actually been prosecuted for much lesser offenses. I think there was a fairly well-known U.S. gangster in the 1930s who ended up in prison deliberately for tax evasion despite the fact he probably was responsible for much more serious offenses. So, on occasion, it may be better to have something than nothing as a means of effecting access to some data. But I suspect that access to covert surveillance capabilities, again to always run into the question of are these disclosed or are they not and if they are, they are immediately going to reduce the acceptability and competitiveness of the product regardless of where they are from. And if they are not disclosed, I think there is a real risk to the commercialization of that being disclosed, and therefore to them losing their position in the market.
Mr. TALENT. One more question if I may, Mr. Chairman. Ms. Kaufman, your private doorbell does not solve this problem of giving the law enforcement agencies the covert ability to crack the encryption code without the user knowing it; does it?
Ms. KAUFMAN. No, it does not. It gives them a place they know they can go where there will always be plain text, but it does not give them a mechanism if they receive a lump of encrypted data to break that data. There is no easy way around that.
Mr. TALENT. In fairness to the law enforcement people, that does not solve the problem with the terrorists because they are not going to cooperate so they get some computer data or some encrypted message and they know it relates to possibly blowing up the U.N., your private doorbell is not going to enable them to crack that code.
Ms. KAUFMAN. Not with an educated target, no. But the requirement they have stated to us is to maintain the status quo. And as we understand it, people are capable of shredding paper, burning paper, anything you might look for. And the status quo was can you execute a warrant for data if the data is there and they have been very supportive of this.
Mr. TALENT. You two both feel strongly that the terrorists will be able to get the higher level encryption technology on the foreign market regardless of what we do either now or in a very short period of time?
Ms. KAUFMAN. We know that they can today. There is a significant level of expertise. I think that actually better—we heard the analogy of an electric car this morning. I think possibly a diesel engine is a better analogy of something that began as very unwieldy, very unpopular in California but is increasingly something that is comparable to existing products. And I think that what we are finding is that today, right now, the terrorists who would have access to this technology require some special expertise. They can get the technology very, very easily, but to configure it correctly and to understand what it does requires some knowledge. So it isn't access; it is expertise. As that expertise becomes more broadly available, they have no access issues so what we expect is more and more people with lower and lower levels of expertise will use it commonly.
Mr. BOWCOCK. Just to reiterate that. The majority of our business comes from the financial sector in which there is complete deregulation in terms of 128-bit exports. Therefore, we compete head-to-head in the majority of the short lists, in the majority of business that we bid for, if there are three companies on it, the other two are American. Therefore, I would say, at a guess, 70 plus percent of our business we compete head-to-head purely on features and sometimes we win, sometimes we don't which I think is a direct statement of the state of development of technology.
Now, I should point out that of course we live under regulatory regime the same way as the U.S. companies do. You can argue about whether the interpretations are different or whether or not one country, Ireland, Australia, U.K., incorporates the exact same processes. But we also lose business to small start-up companies which are outside the Wassenaar Arrangement, and therefore what we are keen to do is to make sure that within the context of law enforcement requirements, there is an organized affair and open market globally so we would encourage deregulation but on an organized basis globally.
Mr. TALENT. Mr. Chairman, I thank you for your indulgence.
The CHAIRMAN. Mr. Hunter.
Mr. HUNTER. Thank you, Mr. Chairman. I want to apologize to this panel as I had to the other panel for having to go in and out of the room as you were testifying. But I gleaned, I think, the essence of your position via Mr. Talent's questions.
Ms. KAUFMAN. Yes.
Mr. HUNTER. Mr. Bowcock, you said essentially you thought it is going to become increasingly difficult to make sales to foreign countries where the government of the manufacturing location, that is, the United States in this case, has the key to the encryption, but the host government of the purchasing company doesn't have it. Is that the essence of one of your points?
Mr. BOWCOCK. That is correct, yes.
Mr. HUNTER. How about some kind of a system where there is a sharing, if you will, where the law enforcement apparatus in the consumer nation likewise at a very high level with the United States has the ability to recover the key?
Mr. BOWCOCK. We certainly have had situations whereby we have received export approval in a way that probably an American company wouldn't have done because the originating country's law enforcement agency is comfortable—the law enforcement agency of the country where the key recovery is going to operate would cooperate in any attempt at interception.
Mr. HUNTER. So you do—you have made some deals that on an ad hoc basis have reflected that?
Mr. BOWCOCK. Exactly. That sort of situation certainly has occurred in which—however, one of the slight difficulties of that is that if the question is something such as—in which there is clearly a shared common interest such as drug trafficking or certain forms of terrorism, there is no political content to it, then clearly there is a level of comfort from the originating country where they would be able to access and intercept data from that country but there, of course, can be divergence in terms of the political interests of the two countries concerned; and therefore they don't always have a sense—a guarantee that their interests would align.
Mr. HUNTER. If you go back to most of the consumers in the financial world and if you take the, say, the COCOM nations, NATO plus Japan, former COCOM participants, it would seem to me the financial community in those nations should have no problem if you have a key recovery system that they understand is there for law enforcement, extreme law enforcement measures that might be necessary and that it is shared with the host nation. I would think that the benign users in the financial world wouldn't have any problem at all with that.
Mr. BOWCOCK. No, and I think the Wassenaar Arrangement was the start of that sort of harmonization which we would hope would continue in terms of there being some sort of harmonization. The difficulty of course is that, as has been evidenced today, this is a fairly complex issue and it often takes quite a lot of time before the debates in particular countries reach a level of maturity whereby there is a consensus. I believe some of the consensus that is being reached in the U.K. is not all that different to the consensus that is being reached in a number of other countries about what the only practical mechanisms are. So over time we would expect to see that sort of harmonization and would consider that very desirable.
Mr. HUNTER. If you take the non-benign user, user with criminal intent, and he has a choice today between the key recovered system that is one where he may be in jeopardy, he may be exposed, and a non-key recovered system, what is the—I would think that he would be willing to sacrifice a modicum of effectiveness in return for having the absolute lock, if you will, especially when he is the guy who has a real interest in law enforcement folks not knowing what he is doing. Is that true?
Mr. BOWCOCK. I think it is true and it is also worth remembering that the majority of these technologies originate from a relatively small group of developed countries and, therefore, if there is a degree of harmonization that is likely to address the majority of products that are available in the world, if not all.
Mr. HUNTER. But I guess what I am saying when you say a small number, if you are a terrorist operation and you are shopping for an encryption—for a system that has got encryption technology, you are not going to say, well, it looks like most of the products on the shelf are encrypted key recoverable and therefore I am going to go with one. You are going to say, tell me which one out of 30 isn't key recoverable and is absolute security for me and I am going to buy that one. Right? You are going to shop for the one that isn't for the exception.
Mr. BOWCOCK. I think you are absolutely correct; and with the open knowledge that is available across the Internet, it is inevitable people will be able to select based upon that—probably choose products on exactly that basis.
Mr. BOWCOCK. We are in a situation whereby there is massive change taking place as the result of the communication technology. We are talking today about threats to the way society has been organized and regulated in the past in a number of well-ordered and fairly civilized societies.
Now, the changes that are taking place are so fundamental, that I would venture to suggest there are countries all over the world the governments of which the very existence are threatened by the fact that if the information is suddenly free and available to all sorts of people, there are professionals, there are commercial trade organizations that are very threatened by all the changes taking place at the moment. A good example, for example there are taxation regimes all over the world which are going to have to change dramatically. This is only one example of all the changes. The best that we can hope to do is at least control and follow the tide even if we can't actually stop it.
Mr. HUNTER. So you think there is still a value in the harmonization even though there would still be exceptions which the non-benign user can shop for and obviously will focus on?
Mr. BOWCOCK. Except law enforcement requirements are quite fundamental to this whole question and therefore we will do whatever we can to cooperate with those within the context of what our customers are seeking and therefore there is a very valid reason to try and provide as great of access as is reasonable in the context of a time of enormous change.
Mr. HUNTER. Last question and maybe you can both answer this to the point of the bill that is before us.
This is a liberalization of the encryption technology export obviously. It obviously removes some leverage from the administration. Any time Congress pulls a couple of aces out of the deck of an administration which is undertaking to negotiate on a multilateral basis, they are weakened and they are unable generally to accomplish as much as they could otherwise.
If there is potential for putting together these multilateral agreements that end up with some harmonization that you have spoken of which does protect security interests, is it in the interest of this Congress to cut the legs out from under the Administration by going with the liberalization act unilaterally, if you will, and unicamerally?
Ms. KAUFMAN. I will take that question first. I would like to actually respond to your prior line of questioning briefly, if I may, to say that I think for different kinds of technology, the success of key recovery for benign customers has varied. And in the markets where we sell product, we find that very large companies, such as IBM or smaller ones have completely withdrawn their support for specific key recovery technologies.
IBM actually has complained that not even the U.S. Government is willing to assume the additional risk by purchasing and installing key recovery products. And that is not to say that there are not other mechanisms. And earlier in my testimony, I identified some alternatives to key recovery that meet the needs of law enforcement. But we do find that benign customers are so concerned about the additional level of threat to their networks and our knowledge of what is going on in the infrastructure leads us to support them in that concern, the threat to our infrastructure and to our legitimate businesses is very real and there is an increasing condition of constant attack, particularly against financial institutions and government networks today.
Mr. HUNTER. So you don't think we will be able to keep this encryption key recovery as close to our chest as we have our nuclear secrets at Los Alamos?
Ms. KAUFMAN. I can't comment on that, sir, for other reasons than your prior panel, but I do think that if the current industry has taught us one lesson, it is that mechanisms that are intended for use by one party are often used by another. We find that constantly we historically install many administrative back doors into our gear to enable us in troubleshooting and with 80 percent of the Internet running on it, I can tell you every 12-year-old on summer vacation makes a routine practice to trying to find ways to misuse those mechanisms, and our customers are very sensitive to that.
Mr. HUNTER. Let me respond to that for a second. We have—throughout the spectrum of business activity, we have lots of exposures that are met. I mean, when people sign non-disclosure agreements and later disclosed, when confidences that are—contractual confidences are exposed, there is—there are consequences from that. And we have a legal system that allows you at least in part to redress those problems. So understanding that IBM and all of the components of the industrial base or constituents of the industrial base are, by nature, very nervous about people knowing what they are doing and about confidentiality, nonetheless, that is a problem that we have dealt with in the past in other areas.
If you have a multilateral system where you have on a very high level you have this—these key recovery systems and IBM knows going in that no matter who they buy from in the western world, there is going to be some species of key recovery system that is required, don't you think at that point they will bite the bullet and say, okay, we don't like it, but we have triple checked with the Department of Justice and nobody sees this? They claim it is as safe as our nuclear secrets at Los Alamos, it really is safe and that they will go ahead and proceed?
Ms. KAUFMAN. I think this goes to your original question.
Mr. HUNTER. In other words, should we let paranoia, if it is paranoia and it is not founded, let that drive the market and drive our policy?
Ms. KAUFMAN. I think there are two parts to answer that question. The first is we are increasingly asking people to bet their businesses on the electronic infrastructure that we build.
And our customers have asked us to find a way to enable them to be law abiding without introducing additional risk into their decision to bet their business on this new infrastructure. And there are ways to do that, we believe, that are significantly safer than key recovery.
In terms of the harmonization, I think we are somewhat overstating the strength of Wassenaar since there are countries participating in Wassenaar that range from Finland to France, and the U.S. is more restrictive than some but not all. Wassenaar really prescribes lists. It is not an international licensing policy, and we have seen that there is considerable variation in terms of interpretation or how people use those lists to their own marketing advantage.
Further, our concern is that some of our major competitors, for example, Israel, which is an emerging international center of expertise for cryptography, is not a Wassenaar country and so the question is how effective is it if it is not highly harmonized, even within the participating nations and some of the key technology contributors Israel, India is another one, do not participate in Wassenaar and have a vested strategic interest in proliferating their own versions of this technology worldwide.
Mr. BOWCOCK. I would agree in terms of the comments about Wassenaar. It certainly is patchy in terms of the way it is implemented but just to go back to the specific question in terms of should you be removing a couple of aces from the Administration as I think you described it. It is certainly not our place as an overseas company to in any way suggest how the committee should—suggest how the committee should vote.
However, just to reiterate our position, because we are operating globally, we would like to see reduced export requirements in general because our customers seek it and it would give us a freer, more open market in which to compete, and we have no fear of the competition. We certainly don't feel we get any benefit that is worth speaking of from the fact that U.S. companies are going to face U.S. export restrictions which are certainly among the most restrictive, but in most of our markets it is not an issue. So we encourage the reduction. However, we would like to see that done on the basis of agreement being as widespread as possible between the major countries from which technology originates so that it is genuinely an open market, a level playing field and the interests of the collaborating countries in law enforcement can be taken into account in a cooperative way.
Mr. HUNTER. Thank you very much. Thank you, Mr. Chairman, for the indulgence.
The CHAIRMAN. Thank you. And thank you both for your testimony. I have gotten a lot from it. I have learned a few words and things. But we represent both sides in this undertaking, concerns of both sides. We represent the business concerns, of course. We represent people concerned about the impact on national security and law enforcement.
Incidentally, the law enforcement impact and national security impact impacts on business too. And that freedom we talk about and all the rest of these things, that we have to try to bring about some kind of balance in this legislation that is before us. That is our job today. If we get too deep in the inquiry, it is because of our concern for trying to arrive at some kind of a balance in this thing. Thank you again for your input. It will help us tremendously in our work.
We apologize for keeping you so long. Thank you very much. The committee will be adjourned.
[Whereupon, at 1:47 p.m., the committee was adjourned.]
A P P E N D I X
July 13, 1999
[This information can be viewed in the hard copy.]