
Document: The Security Freedom Through Encryption Safe Act (docx)

This document was scanned with OCR; its content may be inaccurate.

Title: The Security Freedom Through Encryption Safe Act
Type: Report
Format:
Pages: 92
Size: 10.48 MB


ENCRYPTION (SAFE) ACT

HEARING BEFORE THE


CONTENTS

Testimony of:

Arnold, Thomas, Vice President and Chief Technology Officer, Cybersource Corporation

teen, Đayd Do, Chairman and CEO, V-One Corporation

Gillespie, Ed, Executive Director, Americans for Computer Privacy

Vlg Vay Hacc Vice cident, Martell alors ck: Iolouies International Fioance Serueer Cenle

Hornstein, Richard, General Counsel, Network Associates, Inc.

Lee, Hon. Ronald D., Associate Deputy Attorney General, Department of Justice

McNamara, Barbara A., Deputy Director, National Security Agency

Reinsch, Hon. William A., Under Secretary of Commerce for Export Administration, Department of Commerce

Schultz, E. Eugene, Trusted Security Advisor, Global Integrity Corporation

Material submitted for the record by:

Goodlatte, Hon. Bob, a Representative in Congress from the State of Virginia, prepared statement of

Schultz, E. Eugene, Trusted Security Advisor and Research Director, Global Integrity Corporation, letter dated tne 1, 1600, to Hon. W.J. Tauzin, enclosing response for the record


THE SECURITY AND FREEDOM THROUGH

ENCRYPTION (SAFE) ACT

SUED) Pen homnesadine Tato, Oxley, Shar,

Gillmor, Deal, Largent, Cubin, Rogan, Shimkus, Ehrlich, Bliley (ex

go lpi open, obi NE Dy cy

sical ere

Staff present: Mike O’Rielly, majority professional staff; Cliff

ne meat, Mane OG, pala peste a eta rsa As Loti oe

Ta, ae ta ane ES ÔN ST)

a a wel agen cae pee coe a Soa en aes pare at eae foe a oe eg a oe eae Seas eee HE Sat A aa, few sua thnk onsen ean pane are tact ae, ag i cpereton oan Seat conus a oking Be cae ont when Oy

ng CN, TÚ eee SES nl eke pos ee aly race, ey

Bn a oper a al ber ie oy, foe ee

E210 11222200 deere (ean ante ap en aa ace E0 hi Tu an Deore DO Âei

na anes ar eee a

fe Url apres ool ae an ee uy) gun a ey, een, acne pause ae, aay eo ae gts en rm gene, i he corp Dy a fo ese epee beens elas eae fe ae Nor ce cae ee HH

TH Giiợ ¿xu2963008 piers antics Bard

if iS a es ese ane


tially harmful effects of encryption products and want to keep these products from being used without proper caution or proper approval. To be more accurate, the administration's encryption policy reflects diverging purposes. On the one hand, the administration, led by the intelligence community, wants to contain encryption products from being used abroad more often and interfering with their ability to conduct intelligence gathering. On the other hand, the law enforcement community wants to manipulate the design of encryption products to ensure they can obtain access to the encrypted material as needed with proper authorization.

The current policy, based on good and proper intentions, is a failure. I believe that it is impossible to contain the use of encryption products. In fact, the only encryption products that we are containing are American products from being used internationally.

The world economy is now interdependent. The digital economy is even more dependent on interacting, communicating and conducting business globally. Instead of recognizing this fact, our containment strategy has put ankle-bracelets on American companies. We expect them to thrive and compete, but we put a roadblock in their way. I am glad to see we have a foreign encryption producer here today to talk about international treatment of encryption and how their business is going.

The law enforcement community makes a stronger case for their position, but it, too, does not survive scrutiny. If there was success RUS! encryption products would dominate the world, and they would contain a vital component that allows for the decryption of sensitive material on command of court order. In their view, the faster acceptable American encryption products are created and used, the better.

Unfortunately, this position ignores some very simple facts: the back-door or recoverable mechanisms cannot be forced on current encryption manufacturers. In some market segments, recoverable products could be successful; in others, it will not. In the meantime, the benefits of encryption are delayed or prevented from reaching the needed user. Our law enforcement community cannot force foreign producers in fact to build recoverable products.

I am reminded of an analogy told by a high-technology company on the subject of encryption. When asked whether they could build a recoverable product, he said this was like you asking the creators of the atomic bomb to develop a mechanism to put the world back together if it turns out that it shouldn't have been detonated, or it is like asking a farmer to put the egg back together after it has been cooked, eaten and digested.

So I come from the perspective that there are two truths about the debate over encryption products: One, we are unsuccessfully hamstringing U.S. encryption producers and those that want to integrate encryption into their products based on false pretenses; and two, the only way that current policy is going to change is for Congress to take action.

The administration likes to play both sides of the issue, and when it looks as though the political pressure is too hot, they initiate slight changes to the policy. They modified their policy late last year to provide relief for certain market segments, but what happens if you are not in one of those targeted segments? The simple answer is, you are out of luck; and this is no longer acceptable.

That is why I am a supporter and cosponsor of H.R. 850. H.R. 850 would relax current restrictions to permit export of encryption of any strength without being recoverable. I would be remiss if I didn't point out that while H.R. 850 is a step in the right direction, the bill is missing certain concepts. The Commerce Committee did a great job, I think, on the development of an encryption high-tech laboratory to promote cooperation and the sharing of knowledge between law enforcement and the encryption-producing community. It is our hope that this concept will be continued.

In addition, encryption products have the ability to protect and secure today's communications network, the telecommunications network and the Internet, in ways that are necessary, especially as the dependency of these networks on foreign networks increases. With our jurisdiction over commerce generally, and our expertise on communications policy specifically, I hope we will take the necessary time to improve this bill before us to reflect this aspect of the debate.

I should add, parenthetically, as you know, the Ninth Circuit has entered into this debate. The Ninth Circuit has generally declared the export ban on encryption products to be unconstitutional on the theory that encryption is, in fact, a part of free speech, that without encrypted products free speech in this country and around the world would not adequately be protected as the Constitution

In that regard, the administration faces the prospect of a decision on whether to appeal that decision. I will be joining with a number of members in a letter to the administration urging them not to appeal the Ninth Circuit decision, rather, to work with us in this committee and in this Congress to pass H.R. 850 with, as I said, with the work of this committee perfecting it in the process; and I would urge other members to consider joining me in that request to the administration to join us in this legislative effort, rather than to pursue a long and extended appeal of the Ninth Circuit decision to the Supreme Court.

I look forward to hearing the witnesses and recognize now the ranking minority member from Massachusetts, my good friend, Mr. Markey.

Mr. MARKEY. Thank you, Mr. Chairman. Thank you so much for having this hearing today. This issue is a very difficult one from a public policy perspective. Policymakers are asked to balance personal security and freedom with national security and freedom, to enable better privacy protection but to also help law enforcement fight crime, and to simultaneously salute our clear, economic interests in promoting commercial exporting opportunities of encrypted products and services.

During committee deliberations on this encryption legislation in the last session of Congress, I successfully offered an amendment that tried to strike a balance. There is no member of this committee who is unsympathetic to the plight of law enforcement during this time of profound and rapid technological change. There is no member of this committee who is unwilling to place certain restrictions on the most highly sophisticated encryption that would pose national security risks. The problem is that our export controls today have not fully kept up with advances in technology or with the general availability of that technology in commercial products.

Last session I suggested that in headlong pursuit of trying to help law enforcement fight crime we ought not rush to adopting rules, regulations or instigating government intrusion in the high-tech marketplace unless we are sure that the proposed solution solves the problem. I remain convinced that proposals from the law enforcement community need additional work and further analysis. I understand their frustration; and, last session, my amendment tried to get law enforcement the additional tools they need to fight crime. I suggested that the high-tech industry should assist law enforcement and create a national electronic technologies center, a net center, to serve local, State, and Federal law enforcement authorities by providing information and assistance regarding the encryption technologies and techniques.

I still believe that this initiative is preferable to a policy that would place for the first time controls on the domestic use of encryption by American citizens and thereby mandate how every American citizen protects his or her electronic security. I pledge to continue to try to work with the national security and law enforcement communities in trying to fashion common-sense encryption policy.

The high-tech industry has been highly organized in its effort to liberalize and update U.S. policy toward the export of encryption software and related polio. It has correctly identified the commercial imperative by opening up opportunities for U.S. companies to compete overseas in these critical, knowledge-based industries. The industry has also been quick to point out that strong encryption can help thwart crime. Moreover, the high-tech industry has noted that strong encryption can also avail customers of greater privacy protection; and the industry has been eager to assist consumers by creating products that permit people to safeguard their personal conversations or data files. For all of these efforts, I wholeheartedly commend the high-tech industry.

I only wish that the industry would be equally zealous in protecting the privacies of consumers when its commercial interests are more complicated: whether it is the Intel Pentium III chip or unique identifiers in Windows software or E-commerce products yet to come. With respect to transactional on-line privacy, the industry has been less attentive to balancing security interests with personal privacy while consumers are on-line.

A recent survey conducted by the Georgetown Business School of on-line websites found that upwards of 90 percent of the sites collected personal information from consumers. However, for the privacy criteria generally perceived as embodying fair information practices, such as consumer notice, consumer choice, access, security and contract information, the raw numbers from the survey are sobering. Only 9.5 percent of the entire survey sample contained these basic privacy criteria. Even at the top 100 most visited websites, only 19 percent have privacy policies consisting of accepting fair information practice criteria.

It is one thing to post your privacy policy, but it is an entirely separate issue as to whether or not that posted policy is anything more than a grudging acknowledgment that a website collects and discloses personal information without any consumer control over such collection or disclosure.

I hope we can make progress on that issue, as well as making progress on the encryption policy. It is the flip side of the same coin, and I believe that the industry has the same obligation to consumers in protecting them against companies compromising personal information as they do protecting them from the government compromising their personal information. From the consumer's perspective, there is no difference; and I am going to ask the witnesses today to tell me how they stand on this issue. I thank you, Mr. Chairman.

Mr. TAUZIN. Thank you, Mr. Chairman, Mr. Markey. We are pleased now to welcome the chairman of the full committee, the gentleman from Richmond, Virginia, Mr. Bliley. Since he is the most important member here, we will encrypt his testimony. We will supply you with it encoded. Mr. Bliley, for an opening

Chairman BLILEY. Thank you, Mr. Chairman. I want to thank you for yielding to me and holding this hearing. The subcommittee meets to consider H.R. 850, a bill to provide export relief for certain encryption production. This is not a new issue. The Commerce Committee reported export relief legislation 2 years ago. In 1997, we learned firsthand how contentious and important this is to all parties involved. The law enforcement and intelligence communities argued passionately that the current policy is workable and necessary for them to do what we expect from them.

On the other hand, the high-tech community, the companies that are fueling our Nation's economies and producing dramatic innovation, argues strongly that the current policy is based on faulty logic and is directly harmful to their ability to compete internationally. They also point out that, while they are harmed by U.S. policy, American consumers and the growth of electronic commerce are harmed just as well.

The Commerce Committee has been a leader in opening the landscape for electronic commerce. We take seriously our role in promoting electronic commerce; and, for instance, I have introduced legislation dealing with the electronic signatures and the scope of data base protection, both of which the committee will turn to very soon. I support the effort to revise our Nation's export policy with regards to encryption to reflect a current availability of encryption products and the benefits of stronger products.

The administration's policy of today is unworkable and an impediment to the U.S. encryption producers and users. We need the policy to change. It is hard to restrict U.S. companies from selling Taacbit encryption products when the same product can be bought from an Israeli, French or Irish company. The administration has tried to minimize opposition to its policy by providing limited relief for certain sectors in certain type of companies. This policy is partly based on the idea that containing U.S. encryption products will aid our national security. The administration has attempted to sell this approach in an international forum with little success or resulting in vague promises.

The current piecemeal encryption policy does nothing for the multiple companies that want to integrate encryption into their products as an add-on feature. For instance, foreign software companies selling word processing products are using the U.S. restrictions as a marketing tool to sell their products over American companies. This current policy also lets uncertainty rule the day. We have been in contact with numerous electronic commerce firms that are trying to fight through the new rules to figure if they qualify or don't qualify for licensing exception and thus are able to provide service consumers want.

With that said, I am always interested in trying to find a compromise, if possible. If there is room for agreement that can help law enforcement or protect national security without codifying the current policy, I want to know about it.

We will move encryption legislation soon in this committee, and is H.R. 850 the best approach to do this? Should changes be made to the bill? Should we consider another approach like the one introduced by Senator McCain in the Senate? I look forward to hearing from the panelists today on these important issues; and thank you again, Mr. Chairman, for yielding me the time.

Mr. TAUZIN. I thank you, Mr. Chairman, the leader of the Virginia high-tech crowd, as I read about you in The Washington Post. I am pleased now—

Chairman BLILEY. Don't believe everything you read in the Post.

Mr. TAUZIN. The Chair is pleased now to welcome the ranking minority member of the full committee, the Honorable John Dingell from Michigan.

Mr. DINGELL. Mr. Chairman, thank you for the recognition; and, Mr. Chairman, thank you for holding this hearing today. It is very important. This is not an easy subject. The committee has grappled with this matter for a number of years. Unfortunately, we have had little success in finding the right solution.

As each day goes by, technological advances create a greater need for a coherent national policy. I hope that, as the need for that solution becomes more compelling, this committee will redouble its efforts to find a sensible, rational middle ground that balances the crucial interests at stake.

We lead the world in production of computer hardware and software. Technology is an engine which drives the global economy and drives the U.S. economy. We should not idly sit by and let U.S. companies lose in the marketplace because they cannot deliver the kind of secure products and services customers demand. But as we will hear from our witnesses today, I am sure, the advent of increasingly sophisticated technologies is a double-edged sword. It can make global commerce and communications more secure; it can also make national security and law enforcement less so. We all know too well even in the post-Cold War era the wars against international terrorism, espionage and human rights abuses continue unabated, and significant threats exist to this country from activities of people, not its friends, both in the military and espionage sense, and also from the standpoint of crime, drugs and matters of that sort.

Mr. Chairman, we have an important duty to see to it that we protect all of the vital interests of the United States in foreign commerce and communications. Thus, we have an important need to address the concerns of the administration with regard to security, which is very difficult. I am not quite sure how it can be done or how it will be done, but I hope that we will work very hard on this particular point. And I am prepared to work with you to try and craft a sensible, national encryption policy we can all support. I yield back the balance of my time.

Mr. TAUZIN. I thank the gentleman from Michigan. And the Chair is now pleased to recognize the vice chairman of the subcommittee, the gentleman from Ohio, Mr. Oxley.

Mr. OXLEY. Thank you, Mr. Chairman, and welcome to our distinguished witnesses. Mr. Chairman, I take a back seat to no one when it comes to matters of international free trade, U.S. export promotion, and support for our high-tech industries. You will find not a stronger advocate for U.S. firms seeking to penetrate foreign markets.

American companies are world leaders in encryption and other cutting edge technologies. They should be able to export their products to our trade partners around the globe. In fact, I would support the legislation before us if it were needed and took into serious account U.S. national security interests.

There is no doubt in my mind that American firms have the ability to produce the most powerful, most impenetrable encryption products in the world. I do not question the value of this technology for purposes of protecting electronic commerce, consumer privacy, and proprietary information. We need this technology, and so do our trading partners. We do not, however, need this legislation. It is unnecessary, given the administration's regular review and modernization of U.S. encryption policy. More importantly, the bill, as drafted, represents a real threat to national security and public safety in the United States.

I would refer the members to the closed briefing that we received last year from the various security agencies, including the FBI and the CIA. I would certainly recommend that we have a similar briefing before we move on this bill.

Mr. Chairman, there can be no doubt that the power of encryption technology in criminal hands or the hands of enemies of the United States can be turned to ill purposes with devastating consequences for members of a free society. I am speaking here of terrorists, antigovernment militants, rogue regimes, organized crime syndicates, drug cartels, child pornographers, kidnapers, pedophiles.

Not only would this legislation assist those who would use this technology to conceal their crimes from surveillance by our intelligence and law enforcement agencies, it would also undercut international efforts to control the proliferation of unbreakable encryption. The enactment of H.R. 850 would make powerful encryption all the more available to our adversaries. It would undermine the agreement reached last December to improve multilateral export controls under the Wassenaar Agreement. The 33 signatories to that agreement represent the bulk of encryption-producing countries.

Furthermore, this legislation is not necessary. The administration has provided significant relief from the export controls where it can safely do so, which I applaud. Fifty-six-bit encryption products may be exported after a one-time review. Products above 56 bits may be exported for use by the subsidiaries of American firms, except those located in terrorist nations. They may be exported to 48 friendly nations to be used by banking, financial, medical, insurance, and on-line companies. Products above 56 bits may also be exported to other commercial firms if they are recoverable, as in the industry-developed "doorbell" approach.

Mr. Chairman, this is the kind of careful, reasoned approach to relaxing our export controls that is called for in a matter of this seriousness. I find it highly ironic that on the day that we receive the recommendations of the bipartisan commission report on high-tech transfers to China, which includes suggestions to strengthen our export system, we are considering legislation to undermine our multilateral export control system for encryption. It is unwise, and I fear we will live to regret it. I yield back the balance of my time.

Mr. TAUZIN. I thank the gentleman. The Chair is now pleased to recognize the gentleman also from Ohio, Mr. Sawyer, for an opening statement.

Mr. SAWYER. Thank you, Mr. Chairman, for the recognition and for having this hearing; it has been almost © years since the subcommittee held its last hearing on this subject. The full committee passed it at the end of September in 1997. This bill never came to the floor, as you well

Not much has changed since that time in terms of the United States' policy and allowing companies to manufacture, use, and sell stronger encryption products. We continue to limit the availability of strong encryption, while discouraging exportation of encryption software.

What really has changed is we have a new chairman of the Rules Committee. I am not sure what his positions on this kind of legislation are, but it may make a difference. I hope the subcommittee and the full committee will once again have the resolve to address the issues that are raised by H.R. 850.

Let me just say that I recognize the concerns of the law enforcement community. I think we need, as several members have mentioned, to find ways to address those concerns and make sure they have the tools to do their jobs effectively. But it just seems to me that for some time the genie has been out of the bottle. In fact, we have a bottle whose neck is very tightly sealed, the cork is embedded and very much in place, but there is no bottom left on the bottle. And that is a reality that we simply have to be able to address.

We are in a new era, as everybody is fond of saying. We have simply got to alter our policy to give consumers greater insurance that their communications and data are as private as possible and so that we might compete with our international counterparts, particularly American companies that find themselves doing business throughout the world, in settings where they need to be as protected as they like to feel at home.

Mr. Chairman, let me thank you again for scheduling this hearing. I look forward to hearing from our witnesses.

Mr. TAUZIN. I thank my friend; and the Chair now yields for an opening statement to the gentleman from Illinois, Mr. Shimkus.

Mr. SHIMKUS. Thank you, Mr. Chairman. I just want to welcome the panel, and I will turn back my balance of time to get started.

Mr. TAUZIN. The Chair will recognize the gentleman from Maryland, Mr. Ehrlich, for an opening statement.

Mr. EHRLICH. I have no opening statement. I would like to make a brief comment. As a new member of the committee, this is certainly one of the more difficult issues that has been brought to my attention. I look forward to the comments of the panel, the impressive panel before us. What makes it very difficult, people for whom I have great respect in this area have quite diverse views, to say the least. So I look forward to a very good debate today. Thank you. I yield back.

Mr. TAUZIN. I thank the gentleman. I might point out the Chair has presented to me a letter from the Louisiana Sheriffs Association in favor of H.R. 850. I don't know how it is in Maryland. The Sheriffs have a good vote in Lous

The gentleman from Georgia, Mr. Deal.

Mr. DEAL. Mr. Chairman, I don't have an opening statement.

Mr. TAUZIN. The gentleman from Oklahoma, Mr. Largent.

PREPARED STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA

Me, Sharan: tan onan ng be gran eo cai saat! crete te Hh, et

We cemnale ouaate tenant set teed a

ae PS rl Cree hPa

also look forward to the witness testimony regarding the compromise plan that

TT Siig set ccna ad eters

Sa


Thank you, Mr. Chairman.

PREPARED STATEMENT OF HON. BARBARA CUBIN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF WYOMING

None cee gi eG Bente Bell ing i ota Pe a pai a eal na ups a sư

Sp ete EGE nde dbo ng To CN

Instead of adopting domestic restrictions, I'm pleased that the Commerce Commit

PREPARED STATEMENT OF HON. ANNA ESHOO, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA

Thank you, Chairman Tauzin, for calling this hearing on H.R. 850, the SAFE Act. I'm pleased that my constituent Tom Arnold, representing Cybersource, is testifying before our Committee today. After working for NASA sẻ thơ me lanh (Glan tn Mountain View, Mr. Arnold went to the private sector. We look forward

The SAFE Act currently has 252 cosponsors, far more than a majority of the Members of this House. A majority of the members of the Committee are cosponsoring this bill. And this legislation is virtually the same bill that passed the full Commerce Committee last Congress.

Most if not all of us on the Commerce Committee have heard the arguments for and against this legislation lnk the Adeioseteation apart conto piy Wo, wl bear today shot fo

What some may not realize is the development of a cottage industry, directly es companic ike Serena, hip, ard Entrust who face little or no restrictions on exporting encryption products. ‘GYDURNBTICR’ un Hetonian data security company, is marketing its encryption product as having "No Bap Rosca PSY oe More importantly, U.S. companies EBanger dembinds and technological innovations have driven the development of nve suffering eee senemyption technology globally. Commerce Secretary Daley reported that consumers spent more than 80 billion online last year. Further, Forrester Research has predicted that E-commerce sales will reach $105 billion by 2008.


Recent studies also show that the administration's encryption policy threatens to cost our economy from $60 to $09 billion dollars and 900,000 jobs over the next few

te Esra eg oda em Ban s= SAmE SEh sẻ De ID GhẾt? ae lo elaw sù sat nạn tn SA Aq

đo BI VU ve Mẹ dam tớ eniep 0 VẤ trưng oak Can pela

Mr. TAUZIN. Then the Chair is very pleased to welcome our panel. I understand some of you, Ms. McNamara and Mr. Reinsch, have time delays, so we will try and go through this quickly. Let me fue Jour with a large panel, we have your written statements ta HOR Waal, which we can read and review. If you would use your E minutes wisely, by summarizing, by conversationally giving us your point of view, hitting the high points, what you want us to remember after your testimony iting, we would appreciate it. That will give us time to engage you in a dialog as soon as we can and give you time to make your appointments this morning.

We will begin by introducing the Honorable Ronald D. Lee, Associate Deputy Attorney General, United States Department of Justice. And Mr. Lee, we welcome your testimony, sir.

Mr. LEE. Thank you, Mr. Chairman. With the Chair's indulgence, I would ask that Mr. Reinsch precede me.

Mr. TAUZIN. If that inet have ne objection. Mr. Reinsch, do you want to go first? You are on, sir.

Mr. REINSCH. We have a traveling show, Mr. Chairman; and we usually present it in the same order.

Mr. TAUZIN. This is William Reinsch, the Under Secretary of Commerce for Export Administration, the United States Department of Commerce. Mr. Reinsch.

STATEMENT OF HON. WILLIAM A. REINSCH, UNDER SECRETARY OF COMMERCE FOR EXPORT ADMINISTRATION, DEPARTMENT OF COMMERCE

Mr. REINSCH. Thank you. I wouldn't want the subcommittee to think that we are incapable of innovation, but I think there is some flow to our comments that might make more sense if delivered in the right order.

Let me make an abbreviated version of my statement. I appreciate you putting the full one in the record.

It is a pleasure to be back, Mr. Chairman, to discuss one of my favorite subjects. We think we made some progress, notwithstanding the comments of some of the members of the committee, on our policy since the last time I appeared. It is obvious, though, even from this morning's remarks, that encryption remains a hotly debated issue.


We continue to support a balanced approach which considers privacy and commerce as well as protecting important law enforcement and national security equities. We have been consulting closely with industry and its customers to develop a policy that provides that balance in a way that also reflects the evolving realities of the marketplace.

The Internet and other digital media are becoming increasingly important to the conduct of international business. My full statement supplies a number of statistics on that point, and I won't go into that in detail. It is clear, though, that in addition to the rapid growth of E-commerce, businesses also maintain their records and other proprietary information electronically. They conduct day-to-day communications and business transactions through the Internet and E-mail.

An inevitable by-product of this growth is the need for strong encryption to provide the necessary secure infrastructure for digital communications, transactions and networks, and we support that.

That is precisely why developing a new policy has been difficult — because we don't want to hinder the legitimate use of encryption, particularly for electronic commerce. During the past 3 years, through extensive consultations with the Congress, people at this table and many others in the industry, we have concluded, among other things, there is no one-size-fits-all solution; and we have put out a variety of revisions to our policy to address the many different aspects of encryption.

Last September 22nd, we published a regulation implementing our decision to allow the export, under a license exception, of unlimited strength encryption to banks and financial institutions located in 46 countries, which allows U.S. companies new opportunities to sell encryption products to the world's leading economies.

A week earlier, on September 16th, the Vice President unveiled an overall update to our policy that addresses a number of the concerns that were expressed today by opening large markets and further streamlining exports. That update permits the export of LG 126-bit encryption products and higher with or without key recovery to a number of industry sectors. Now banks, financial institutions, health facilities and on-line merchants can secure their sensitive financial, medical and on-line transactions in an electronic form. This update also allows U.S. companies to export 128-bit or greater encryption products, including technology, to its subsidiaries located worldwide, to protect its proprietary information and to develop new products.

Many of the updates permit the export of encryption to these end users under a license exception. That is, after a technical review could be exported by manufacturers, resellers and distributors without the need for a license or other additional review.

Our policy is to approve exports of strong encryption to a list of countries or a set of end users, rather than permit exports globally, to help protect national security interests. However, we do have a general policy of approval through encryption licensing arrangements, similar to bulk licenses, which allow unlimited shipments of strong encryption to these sectors worldwide.

Furthermore, our update allows the export of 128-bit or greater recovery capable or recoverable encryption products under encryption licensing arrangements. Such products include those that are readily available in the marketplace, such as general purpose routers, firewalls and virtual private networks. These recoverable products are usually managed by a network or corporate security administrator.

There has been some talk in the opening statements about our international efforts. In December, through the hard work of Ambassador Aaron, the President's special envoy, the Wassenaar Arrangement members agreed on several changes relating to encryption controls.

Specific changes to multilateral encryption controls include removing multilateral controls on all encryption products at or below 56 bits and certain consumer items regardless of key length.

Most importantly, the Wassenaar members agreed to remove encryption software from the General Software Note and replace it with a new Cryptography Note. Drafted in 1991, when banks, governments and militaries were the primary users of encryption, the General Software Note allowed countries to export mass market encryption software without restriction. That was created to release general purpose software on personal computers, but it inadvertently also released encryption. We believe it was essential to modernize the GSN and close that loophole. Under the cryptography note, mass market hardware has been added, and a 64-bit key length or below has been set as an appropriate threshold. This enables governments to review the dissemination of 64 bit and above encryption.

Let me be clear, Mr. Chairman, this does not mean that encryption products of more than 64 bits cannot be exported. As I just said, our own policy permits that, as do the policies of most other Wassenaar members. It does mean there has to be a national

Mr. Chairman, let me just say, with respect to H.R. 850, briefly, it will come as no surprise to you that the administration opposes this bill, as we did before; and my full statement goes into greater detail on that.

Let me just say that we believe the bill in letter and spirit will destroy the balance we worked so hard to achieve. It would jeopardize our law enforcement and national security interests, and we believe that the best way to make progress on this issue is through further constructive dialog with the Congress, with the industry, and with its many customers. Thank you very much.

[The prepared statement of William A. Reinsch follows:]

PREPARED STATEMENT OF WILLIAM A. REINSCH, UNDER SECRETARY FOR EXPORT ADMINISTRATION, DEPARTMENT OF COMMERCE

Thank you, Mr. Chairman, for the opportunity to testify on the direction of the Administration's encryption policy. We have made a great deal of progress since my last testimony before this Committee on this subject. Encryption remains a hotly debated issue. The Administration continues to support a balanced approach which considers privacy and commerce as well as protecting important law enforcement and national security equities. We have been that balance in a way that also reflects the evolving realities of the market place

last January compared to only 5.8 million in January 1995 One of the many uses đun vn HC s enilem eee! on tut evengey ves sone Sommeres According tg a recent study, the value of e-eommerce transaction in {G03 was $19 millon, The projected valse of ecommerce ip 3000 is $2 18 bilo,

‘To cts one example travel bosked on Xermeate Website vs Soublea every Sear

‘Since 1907, going from 300,000 to a estimated 27 yllon this feae Many service Industries which traditionally nequired face-to-face interaction sush aa banks nan

al jastitytions and retail snerchants are now providing ther service Castamers

an now sit a their home compsters and aeeest their henking and investment c- outs ey a wine wlth ew steps ofthe le toàn ‘ehermore, most businesses mainvain thelr records ard other proprietary infor ation electronically They now conduct many of their day today’ commmurications Hal aint hàn hon va thề Bạt mài An mộ nhi byprct

TH Soke Theatr bing incase i, te Seture inshucture for tigtal communication onanctions and et im and sete ewpenage oe

‘ade peaple und businesses wary of posting ther private and company proprietary Information on electronic networks sf they seleve tie infigutructure may nae be se 8g À minh are nhhatruere sm hp nh thet fears, and low electronic

Developing a new encryption policy has been complicated because we do not want to hinder its legitimate use, particularly for electronic commerce; yet at the same time we want to protect our vital national security, foreign policy and law enforcement interests. We have concluded that the best way to accomplish this is to continue a balanced approach: to promote the development of strong encryption products that would allow lawful government access to plaintext under carefully defined circumstances; to promote the legitimate uses of strong encryption to protect confidentiality; and continue looking for additional ways to protect important law enforcement and national security interests.

During the past three years, we have learned that there are many ways to assist in lawful access. There is no one-size-fits-all solution. The plans for recovery encryption products we received from more than sixty companies showed that a number of different technical approaches to recovery exist. In licensing exports of encryption products under individual licenses, we also learned that, while some products may not meet the strict technical criteria of our regulations, they are nevertheless consistent with our policy goals. Additionally, we learned that the use of strong non-recovery encryption within certain trusted industry sectors is an important component of our policy in order to protect private consumer information and allow our U.S. high tech industry to maintain its lead in the information security market while minimizing risk to national security and law enforcement equities. Taking into account all that we have learned and reviewing international market trends and realities, in 1998 we made several changes to our encryption policy that I will summarize for you.

On September 22, 1998, we published a regulation implementing our decision to allow the export, under a license exception, of unlimited strength encryption to banks and financial institutions located in countries that are members of the Financial Action Task Force or which have effective anti-money laundering laws. This regulation also allows exports, under a license exception, of encryption products that are specially designed for financial transactions. This policy recognizes the need to secure and safeguard our financial networks, and that the banking and financial

“Scmmunities haee 2 hist af ooperntion wich government authorities whet Infor

‘hatlon is required to combat eaneis ad other fries ‘Re mentioned earlier, we have been lokting for wy to make our policy consist sot wd that sete ad national sega sa lw enrcenent cones Indust lave enforcement, ai privacy groupe on how eur policy tight be improved to-find technica! solutions, in addition to ew recovery, that cat wosst fave enlotce:

‘Bont in Tế mg lệ combat Sime” A ine Sane ine, we wanted Bn to find protect important privacy concerns The pispose of tive đi ogae wat to find Siti vinh hột ma uy ây cnbinoerk le pptectng tials Suits, plus assuring continued US technology leadership ad promoting the pr acy ed security of OS Heme and eituens'tn electronic commerce, We believed {ed ad ow th in ben nyt erage on tls sue e heh # on Structive, cooperative dislogue, rather than seeking lislative solutions Throtgh gar lic ane has es inzeasad uederstanding sang paves, ane have made ptogress,

‘The zs of thi dale was an update to our encryption policy which Vice Potslat Gort siveled Mt saplantar"46 ne fopulguene upolementng the up ifs published on Decale) This wil notond the dobate over sncgpae Controls bt we hee the regulation adatesses some private sector soncetta Ey Bane age Wh la ta furl nha hien 'ike Spdate reduced evtrls om cxpurts of 363 products and, for certain indus

{Bla eco features, Tet devooping our policy ve jaentied hey sectors th can

form the basis ofa secure infrastructae foF communicating and storing tnformation

Sas op tog gga ion, nam oon pe

to thete endmers under g License exeepiion ‘That đe th be exported hy manuhetirerA soelEe aml distributors ‘het ened fora Reena other ational seve: Spey the ne poy Ts, after the produc: reserves a

‘sports of S6-it software and most hardware to any end user under a iene ex

‘experts Thy mượn ‘Reense exception to prove ipartant buskness proprietary of strong encryption, including technology, to US companies and their

exports of strong encryption to the insurance and medicaVheatth sectors in 45 Thi unl fice excoption fr tae in securing prpdelety meleal ani ‘at natin, : _ :

Ther Soke uci developl by à nu g companies oi “gà be a tent’ to recipients In located in 46 countries Such products tnade systems

Tite aundged ty norwore or cnrpornte secu alas

1 would la tht the profslns apply to exports of profuts vith or without key tere featten One of the tapes four oley uate it pera exports

TH nhu mà ng the nh tạ tinal aceunty ana aw enfreement Fr exam Hin se caves" have limited our approval pay to lat of counties OF 8

độ tu thơ than permit xpos on lal bai, to hap pot Đế

"We have also expazded our policy t> encourage the marketing of a wider vari

or trecoverablo® praduets that nay hot be key recovery tn arvow see bu whe

‘Ray be heii sow eercamentavting pursuant ttt legal muahorties Age, {ee are lel sytem nage bự 4 network ‘or comordte aaminsstratn We tee further breaaned exports key recovery products by longer requeDs & Evie a veg hey too ent and no lnger regi companies bint

“MTs past Tce bette Fs Ms egies ori «oe eae Te te tesco COCON, Hos multe eet cent arrangement Year, we alvo made progress om developing a common international a

mong if coantres whose purpous ise prevent dewtbtingsceumslatgae ors

Sand eltan itame with mibtafy uses sh couninies or regions of eoncers Wassonsa®

Thi the bass for many Ta December, through de hard Work of Ambassador David Aaron, the Presidents of cur expert actos ancl envay miên tho Waspesuar Asrangenent tauen sofeed ft sạn fal change slaty aneypion cote Wau sankey go a Tond way ar

hưng na to pie sey roiling oie wa +

‘Nigngerfeglatory Sumework fo tantging the sped of buat encryption

Speke changes to multintera! enerspton controls include remove rouiteteral

contin sn i enerspon dua nơ bu BS bit snd certain conener aris

‘Spares of key lens mát me chim imment TẾ main DVÙ phe nha

SN telephone syste dengoed ‘or hame o oes use hại mod te Wagueiaar members aged wo remove encryption software trom Wanmenaars General Sefware Note and fplace it wath a new epiograpy fore Drated in 1961 ehen bases, goverment and pillars were the priiay thes of enctspton the General Sahtare Note alnred souriies to permit the o€-

Đi Han hai chen sinh without sini Tin CD vài chi

fneouraed some signatory counerjes to permit the tnnestrcted eeport encrrpti

Sofware Te "was evsentil to modernice the ĐỀN and’ clowe the Tphole ts Pere

TY the unconied expart of enerytin wit untmted ey langeh Under te

An HH no anche ia teh 0

ie capt eid, One uel Pome ee Pte

es eer eee oe eee ee gga Sin pcs eka must ent hf Sa vị Slee ASS as titi ae Soe can Secrets seed at acca daraan Gero ene

TT eee igs ia nana eS

Pe Eee Se es ahs a eae a ot

iS BORE rime & ure cả túc noi nhe ae

eli eis ete each tre oan ee a dire ie, area rca ae tae laa ie REI ng idan aig hati antec nec men ae ae

Sh sien ues eco a NHƯ Eevee rere mg TH er Speer ee ares ee se ne tae

EEE + di VAT mee ak Piece

về CÓ SH Su dae alae ao ian se oes se

Mr. TAUZIN. Thank you.

Mr. Reinsch, the reason—I will hear from all the witnesses, but if you have to leave before we get to it, one of the things that I want you to respond in writing to is, what will be the administration's position if the Ninth Circuit decision is upheld on that appeal, and how do you plan to respond to it? It is going to be a serious question.

Mr. REINSCH. I can do that right now, Mr. Chairman.

Mr. TAUZIN. I don't want to interrupt, I want to get everybody

And the other thing we may want more information on is more detail on why you think the draft of H.R. 850 inhibits the development of voluntary key recovery systems. We would like to understand that argument a little better.

Mr. TAUZIN. The Chair will now turn back to Mr. Lee for his testimony.

STATEMENT OF HON. RONALD D. LEE, ASSOCIATE DEPUTY ATTORNEY GENERAL, DEPARTMENT OF JUSTICE

Mr. LEE. Thank you, Mr. Chairman. I have prepared a written statement, and I will just try to summarize it here.

The Department of Justice and law enforcement agree with the comments of several members and the Chair that strong encryption is coming. It is needed. It is needed to protect the privacy of American citizens. It is needed to promote the security of, and the confidence that the public places in, our information infrastructure.

We would be remiss, however, if we did not also state our deep concern about the threat to public safety posed by the widespread use of encryption in the hands of criminals and terrorists. Law enforcement agencies, Federal, State and local here in the United States, and their counterparts in foreign countries, have already begun to encounter the use of encryption in attempts to conceal criminal activity.

We believe that with the growth of encryption and the growth of digital media generally, the number and complexity of these cases will certainly increase as encryption becomes increasingly a feature of our lives. We must recognize the very real costs to public safety that the use of encryption by criminals poses.

The net result is easy to state. Agents frequently will not be able to make effective use of search warrants, wiretap orders and other legal processes, authorized by Congress and ordered by the courts after searching review, that are essential to effective law enforcement investigations today. It will be harder and harder to investigate, to find evidence of criminal activity and to prosecute that activity.

In the light of these challenges, the Department of Justice supports the carefully balanced approach to export controls that Secretary Reinsch laid out.

The Attorney General, along with the Director of the Federal Bureau of Investigation and other government officials, has been engaging industry leaders in a continuing and cooperative dialog. This dialog has gone on at several levels; and it has provided us both with an opportunity to explain our public safety concerns and, just as importantly, perhaps more importantly for our learning curve, to learn about innovative solutions that industry has presented. Both we and industry have found the discussions to be candid and productive. We are committed to continuing those discussions.

We believe that the current balanced approach is most conducive to continuing this dialog and these lines of communication.

The rapid elimination of export controls as proposed in the Security and Freedom Through Encryption Act would upset this balance. We believe that passage of the SAFE Act would cause the further spread of robust encryption products that would be used by terrorist organizations and other criminals to conceal their activities and would frustrate the ability of law enforcement to conduct effective investigations.

We realize that law enforcement has an obligation to develop its own resources to deal with this problem, as well as reaching out to others. We have begun initiatives such as the funding of a centralized technical resource within the FBI which will support Federal, State and local law enforcement personnel to develop a broad range of expertise, technologies and tools. These items will help us respond directly to the threat of public safety that the use of strong encryption poses. This resource will also help law enforcement stay abreast of current technology.

We look forward with working with Congress, with Congressman Markey and others in discussing this topic so that law enforcement may continue its mission of protecting public safety into the future.

We do have to explain, however, that no matter what technology, no matter what resources are developed, there is no silver bullet, there is no one solution that the administration and Congress can point to and say, this offers law enforcement what it needs. Widespread use of nonrecoverable encryption will quickly overwhelm any possible silver bullet that could be developed now or in the future.

In light of that, we need to rely on the balanced approach that we are pursuing. This approach balances the need for secure, private communications with the equally important need to protect the safety of the public against threats from terrorists and criminals. We believe that our counterparts in foreign law enforcement share these concerns. We look forward to working with you on this important issue now and in the future. Thank you, Mr. Chairman.

[The prepared statement of Ronald D. Lee follows:]

PREPARED STATEMENT OF RONALD D. LEE, ASSOCIATE DEPUTY ATTORNEY GENERAL, DEPARTMENT OF JUSTICE

Ree renee ites net nh In Soe ae nữ HE AC com

for preventing, investigating, and prosecuting serious criminal and terrorist acts when they are directed against the United States. We are gravely concerned that the proliferation and use of non-recoverable encryption by criminal elements would seriously undermine these duties to protect the American people, even while we favor the spread of strong encryption products that permit timely and legal law enforcement access to the plaintext of encrypted, criminally related information.

The most easily understood example is electronic surveillance. Court-authorized wiretaps have proven to be one of the most successful law enforcement tools in preventing and prosecuting serious crimes, including drug trafficking and terrorism,

Ni nhan TH giun bị bong dows elie sate walling eran mien atfecing sur publi salty and national soci: in edison, ab Sos) itecomes more cependent on compiater, evidence of erames ss increasingly found 12

Ed computer data, which can he searched md seizes pursuant to co-author: ined warrants But if non reqaverable encryption proliferates, unese cecal faw on forcement tools movie be ried The, for example, even if Une government sate {isthe ngon BE ta procedal ruirement fr obtaining 9 sta reer the wiretap would be wortiess i the {ntareepted communications of the targeted Enininats-emowat to'an unintelligble jute of nolaes or ayabola, Gr we angle le

fi ie Te Compas a's tera and, sole fend the ent identi fis or her targets, plans and co-conspisatore, The potential hari to puble eats, Thy enforcement, Sed ts Une nation’s domestie secuely eould be devastating Ente emphasis iat the concer sot theologian AL TÀI ghe Wor example, im an nvexignion of mulisnsonal cid per poerapky ting, iivestigniars dicoovered sophisticated encryption used co protect Uses of aes of hd poonography tae were exchanged amon Phere

Similarly, in several major hacker cases, the subjects have encrypted computer files, thereby concealing evidence of serious crimes. In one such case, the government was unable to determine the full scope of the hacker's activity because of the use of encryption. The lessons learned from these investigations are clear: criminals are beginning to learn that encryption is a powerful tool for keeping their crimes from coming to light. Moreover, as encryption proliferates and becomes an ordinary component of mass market items, and as the strength of encryption products increases, the threat to public safety will increase proportionately.

Export controls on encryption products have been in place for years and exist primarily to protect national security and foreign policy interests. The nation's intelligence gathering efforts often provide valuable information to law enforcement

‘agencies relating to criminal or terrorist acts, and we elieve that this eapabat fnnot be lot Nonechless, US law enforcement has toueh greater concerns about noel chờ mùng mi by tinal semenen within, the Unie states thar prevent timely inw énforesment access tothe plaints of law {hllySeized enerypted data and communieations relating to eriminal ot terrorist ae

“The Department of Justee, and the law enforcement community a6 a whol, su potta the toe of encryption technology to protec data snd comaubicadota sân Gh Few ne mat sevens, diclmure and alteration Adtonall, encrypion aly widespread’ and intefaounected computer and information networks At the sine me, we believe that the widespreud use of unusable eheeyption by ere seVimacis pcos temas Set foi pbc sale tata ee

‘Wilecpreed use of steng, recwereble eneryptign products and services "the Department belisves that encouraging the use of recoveratle enetyption prod ucts irae important part of protecling business ad personal data as well 42 pro tecting public tery in sealtion, ths sppruseh continues to find support among bsnl and iia nt freee eed Tho tiprnnton th has hergpiion Key, thus gecentally depriving Une basitess of important and tim cach: SER hasines dala mi abainnr nạp find that a dprtled emponce as rented Seiden formation nn thon shaded wt be yay Sane the Goverasment iniplemente\encryion in our own information technology s¥ateins,

Re lise a bustntes need for plaintext recovery to assure Gree deta at iors” ton that we are statutory Fequired te mana are mp fet avilable atoll tunes For thse reasons, ag well'ab te protect public sects, the Department has bear af Frinatively encouraging the volubtary dlvelopment af data fecavery products, ree

malzing that only thelr ubiquitous use will provide both protection for data asi pro _¬ Tecan we remain concerned with the tmmpact of encryption on the ability of law cnforgement st al levels of government to protect te pubic aalety, the Department

ng the PBI are engaged in cautiuulug discussions with industey ina number oF Aitforent fora These onsoing, prodelive dlagussions seek to find erative solutions,

Tà edaltion to key recovery, tthe sical needs for sương eneryglion t protsct Be

‘acy and plaintext recovery to prosect public sefly and Business Toterests While

‘he stil have work todo, these Galogies have bees useful because we have discov rad areas of agreement and consenats, and have found promising afoas fo seeking smpromine spiations to these difeuteisques While we do not think that there 1s tine mage technelgy or soeion tal the needs of industry consumers, aad law ‘omeement we believe that by torking with those i» industry who creste ang mar Eee eneryptin products, we ram benglt đam the accumtalated capertice of fadctry gain a eto nderstartng of ecbonogy sát and deveing avant at Baffnce privacy and security Vie believe that a sonstractive dialogue on these fsuee is the best way to make pragrest, rather than teeing export contrellegisiatin, Largely ns a result of the Aisiogue' the Adwunietration hae hed wilh industey, siguifcent prowross was made

bm ekport coabrols Recent updates were announced by Vige President Gore on Sep {emer 16,1098, and implemented in an interim rule, which was eesed om Decor

er, Md "Me Department of dusioe support te updates 0 expore conta Shiels iberalized controls om products that have a Bit lenges af bis ar ese, ana pemmit the export af unlined strength encryption to ceria industey sector im Eloding wnedientTaclties and banks, naneiel iestiutions, and Insurance compas Intuit jariadietions, These changes alow these sectors, which: ossest large

"mounts af highly personal information, io use praduets that will protect the pevaey

oF their vient, We aloo expanded sr potiey te permit recoverndte expociay Much st fystes tnaneged’ hy network edness, fale omomercia rm We

Iy consistent swith the nevde af law enforcement In adaltion, she Department i fosjetion with Ww eat of he Administration, intends to continue cạn die

‘her to ensure that te Balance of intereat remains fae ty all concerned ‘Ade aie time, te Departinent of sic alo ving (odes the threat the Bederal Bureau of Investigation and other law enforcement entities to obtain the plaintext of tnerypted ramfnnnieations Amory te sniiatives i the funding

3 pentallsed tachniSl veauoree within the EBL" Chis reauuree, when filly eetab: lise wil support federal state ‘and local law enforcement in developing bread range of expettian, technologion, coals, and teshmiques to respond ively to Use

HN to publiecafoty posed by the widespread ae of energpaton by criminals ad terrorists TP with algo allow Igw eaforecmant to stay’ abrestt of rapid charges fs fecchnology Finally, it will enbance tho abitty of low enforeement to Tally execute the witelap ordert;seateh svarranta, and other lawful process sued by courts So tbiain evidence in criminal meectivations when exenyptign fs encountered "The proposed Security end Freedom through Rueryption Act raises soveral con cor hah he perspec at he Ueoaree f Sasten Bese saree deep

‘atonal security and public ealety tncereats dnrous Ure iberaliztion of export com Etols Tar Beyond our current polie ang contrary to our international export contr

đà hàn Ất an Sir conc that cu of ibeskable meron

$i Seaton einfsis nd sua tt SH nể Lạy niimtehen to eombat

"ho asend problem ie that the Act may impede the development of produits that could seiet aw enforcement ta uesoes plalneext even when also demanded by the

‘marketplace The Admintstracin believls that the development of such produste Is Important for a sale society Unioreuratels, to the extent that this prowsion would actly prohibit gorernmen from pocguraing dvslopmnt of key managment trnment agencies from complying with statutory reguirementa ang would put pubic Safety and! national security st risk, For example, ie might prechade the Unites Sine fevomone rom eng seul ad Soprprinte nels to tae Key ew ASS Key nedovery or demand ts ase he legally required storage af records megan {hig such'maters ae slen f controted substsnece o freatms,

Se Ie GS BOR ee aed 0 Aes sek

EU fe ee is Cs

Mr. TAUZIN. Thank you, Mr. Lee.

I want to turn to Mr. Ed Gillespie, the Executive Director of Americans for Computer Privacy here in Washington, DC. Ed, for your testimony, sir.

STATEMENT OF ED GILLESPIE, EXECUTIVE DIRECTOR, AMERICANS FOR COMPUTER PRIVACY

Mr. GILLESPIE. Thank you, Mr. Chairman. Thank you for this opportunity to testify in support of H.R. 850, the SAFE act as sponsored by Representatives Goodlatte and Lofgren and cosponsored by a bipartisan support of over 250 Members of the House.

I serve as Executive Director for Americans for Computer Privacy, a coalition of over 3,500 individuals, 40 trade associations, and over 100 companies representing financial services, manufacturing, high-tech and transportation industries, as well as law enforcement, civil-liberty, taxpayer and privacy groups. ACP supports policies that allow American citizens to continue using strong encryption without government intrusion and advocates the lifting of export restrictions of U.S.-made encryption products.

We applaud the chairman and ranking member of this subcommittee and majority of members of the Commerce Committee who have cosponsored the bill and respectfully urge the subcommittee to report it without amendments for full committee consideration.

ACP believes strong encryption is essential to protecting the Nation's infrastructure and ensuring the integrity—

Is that mine or his?

Mr. TAUZIN. It is a very sophisticated—the technologically sufficient system that we are working on.

Mr. GILLESPIE. We believe that strong encryption is essential to also ensuring the privacy of electronic communications of American citizens, businesses and organizations; protecting our long-term national security interests; safeguarding the public; and maintaining U.S. leadership in the development of information technology industries.

The United States must have a clear and realistic national policy to assure that industry is able to develop the products that will help us to meet our national objectives. Traffic on the Internet doubles every 100 days. Predictions of business-to-business Internet commerce for the year 2000 range from $66 billion to $171 billion; and, by 2002, electronic commerce between businesses is expected to reach $300 billion.

Consumers worldwide demand to be able to protect their electronic information and interact securely, and access to products of strong encryption capability has become critical to providing them with confidence that they will have this ability.

Progress was made last year in the development of the administration's policy as announced by the Vice President in September and contained in the interim final regulations. ACP commends the government for the hard work and thoughtful consideration that went into the development of that policy and those regulations.

However, the Clinton administration has yet to allow U.S. encryption manufacturers to compete on a level playing field in the global marketplace. The administration policy remains highly problematic and does not represent the clear and realistic national policy.

Primarily, ACP believes that the export policy shortchanges our Nation's long-term national interest and that it puts at jeopardy our current global leadership in this vital technology. Strong, high quality encryption products are already widely available from foreign makers; that renders our export policy an exercise in futility. We worry that America will lose this critical market to foreign makers. When and if it does, it will be too late to change U.S. policy and too late to preserve our leadership in this vital arena.

There can be no doubt that U.S. national security objectives are best served by an information technology world in which U.S. companies are market leaders in all aspects, especially encryption. ACP's industrial members have ample evidence of the growing market share of foreign encryption and examples of U.S. businesses losing out to foreign manufacturers because of our U.S. export regulations.

A 1997 study found that 656 non-American encryption products are available from 29 foreign countries. These encryption manufacturers are located as far from the United States as India and as close to our borders as Mexico. The products in the study were purchased via routine channels or directly from the foreign manufacturer or from a distributor.

Strong encryption is also available for sale and for free on the Internet to anyone in the world with a computer. Here is just one example of how you can obtain strong encryption with just a few clicks: You can visit the international Pretty Good Privacy Site: www.pgpi.com. From that URL, anybody in the world can develop strong 128-bit encryption within 47 seconds. And because any citizen in the U.S. can download encryption legally from the Internet, the Internet makes controlling encryption exports a very difficult proposition.

ACP strongly believes that our long-term national security objectives can only be achieved if the United States realistically acknowledges the inevitability of a world of ubiquitous, strong encryption. Trying to control the proliferation of encryption is like trying to control the proliferation of math. That is what we are talking here. Encryption algorithms are nothing more than sophisticated mathematics. And while the U.S. may realistically hope to remain the leader in such a field, it cannot realistically expect to monopolize it.

ACP has advocated that the U.S. Government should work cooperatively with our Nation's hardware and software manufacturers to develop the technical tools and know-how to achieve a policy that effectively responds to society's needs for law enforcement, national security, critical infrastructure protection, privacy preservation and economic well-being. However, Congress must pass the SAFE act and establish a clear and realistic national policy on encryption. That is the best way to preserve U.S. leadership in encryption technology upon which the successful protection of our critical infrastructure and achievement of national security objectives certainly and inevitably depends.

Thank you again, Mr. Chairman; and I will look forward to your questions.

[The prepared statement of Ed Gillespie follows:]

PREPARED STATEMENT OF ED GILLESPIE, EXECUTIVE DIRECTOR, AMERICANS FOR COMPUTER PRIVACY

Sich Pema đheitricieteiitRoedootteetioe VUE

SH csc oe SAP Aged yes ar Ses ae Ca anes eas Ula tc roe

‘Safeguarding the public, and

conduct commerce, and operate and protect our national infrastructure. Strong encryption is key to the continued vitality and growth of all these activities. Accordingly, the United States needs a clear and realistic national policy to ensure that industry is able to develop the products that will help us to meet our national objectives.

Traffic on the Internet doubles every 100 days. Predictions of business-to-business Internet commerce for the year 2000 range from $65 billion to $171 billion and by 2002 electronic commerce between businesses is expected to reach $300 billion. During 1997 one leading manufacturer of computer software and hardware sold $3 million per day online for a total of $1.1 billion for the year. More and more individual consumers also are going online and spending. More than 10 million people in North America alone have purchased something over the Internet and at least 40 million have obtained product and price information on the Internet only to make the final purchase offline. Imagine the boost in volume of e-commerce if all of these consumers had enough confidence in the security of the Internet to purchase on-line.

Consumers worldwide are demanding to be able to protect their electronic information and interact securely worldwide, and access to products with strong encryption capabilities has become critical to providing them with confidence that they will have this ability.

Significant progress was made last year in the development of the Administration's policy announced by the Vice President in September and contained in the interim final regulations of December 31, 1998. ACP commends the government for the hard work and thoughtful consideration that went into the development of that policy and those regulations. Last year, ACP had several productive meetings with the Administration's interagency task force, including representatives from law enforcement and the Justice Department. Those meetings were conducted in good faith

tu both sides tnd led to & greater uiderstanding of both sider of the needs and ones of the her The Chintan Administeaion incorporated ipany of our wert Eccommendations nig its updsted export policy, including: export velit for Sncryotin products that use ayinmatelguritins, upp an, including 2b bi prodicts that use agyinmetsie algorithms up to and indudieg 103i ảnd vole? Rirvarigus sectors of the business community “re Cincon Aduisatratien, owen, has et to allow US encryption mama turers to compete {tation poli remains highly problematic ané does not represent the elear and 7 on level playing field Inthe globel marketblace” The Admit ISIE Salil oly hat Bị ae satu get, the Adminstration has encered Lato an agreement with 32 other countries — đỆP No Tham, Ararginentscontinig certain export nos on encryption Ca Hinetione sn American compantes Whar these called for under the arvangetment Ae minimal interim step, we believe the Administation should st least eainato all Sonttals on aneryption software std haraivare for products up fo @tchits, and should imninate ail reporting requirements om higher levnl encryption exports Suet ae ons would male U'S."controls consisent with the neviea! Wastenasr Armnge

‘ie also believe that the Administration’ efforts to develop a plobel approach to {his insue dhroush the Warsenate Acrangement are doamed t ifore We recognize {Eas eal Bible ad i ere truly posible fo aches waver ante spent thar ‘he aly enforced iadustty "would ng dab be: suppor ak Wssensar only has 98 tmemabers and does not inelude enerypten-preaueing coun: tien wich an China, India, Sout Aften, oF Letael Purther, the Administration

should recognize that the Wassenaar Arrangement is only as effective as the implementing regulations adopted by the member countries. Some of the member nations will promulgate regulations that are less restrictive than those of the United States, thereby providing those nations with a competitive advantage over domestic encryption manufacturers. In short, the Wassenaar Arrangement is toothless.

Se "AE au example, { would point to « Dagember 6, 1998 New York Times artile that dighllghis the aiealty the Waasenaar Aeransement has encountered in attempUpg

0 ok ii sale o cotbat airtesh and tanks to Etsiopis and Uganda, cleary thể problems seeneited with Wassenaar sald he compounded hẹn ateptim to r Elder products that Gt gn a eompncr disk or can he sent over the Tatereet Tecan the Interim Rule fell short & shumaber of shoct term points For exam- plete Tog Rule doce at oe th date promis hy Vile Pretend Gare all ondhusers except terrorist states) In ually, the Interim Mufo docs not allow the

gor of 98 qnerption chip, integrated cireuits, toolkits, and exeutable or

nạn nản chat men edipE tp š binh aly aie udertined by provisions of te Inter Rate or example, the Teperung Further th interiy tle comple aa nubs the beets the now

Fequirements are to onerous to companies that reporting costs may exceed the price

of fain procs, ul log the prof ei amply imprncteal 40 expect mantic Sere LP NeSE potting data oh maser encryption profuc My personal

‘perience that Vneee return registration cards on Cole ager, anetefine me

ng Na net expect mos poole iv tte Teaa have slnlar Sper

"We have made these poins ino eter provid our oa comment on the reg ulttons ts Sie Saingceation” However ie hatsnitraton's new poy ar grote

ZS ap forthe iated progresy vena fawed even on itso tvs yond ise ia the cay ng we continue to have geinth sigreeents wit the’ Aumnietation Shoat ie’ carrent policy, which

tional torée that it put at Joopsray uf eusrent labal leadership ih this vital

{stn Son haute ons prt enh ne idly stale Vy ra rối try tha hien vi Tee TẠP niền¡ Tam T Torsieh makers: Whe and if IEE vl bole to thange US plcy and too Int to prserve US henge

fe do ne at US eaderahp postin, what wt that moan? twill exp that une fauloal se agencies wil be conitnting’chgultous nerypton de ot

ty W'S: companies, but by foreiga companies Where then will :he hationel securty Agencies po for teeholeal help on enerypiion, If the most sophisticated encrsption ex

E20 huctrue side abso yw abe mean thatthe protec o gr

Ech mallonl Ineasnuctare ay depend on freigninade the hơn" ga Sats

We must retain leadership in this vital technology if we are to meet our long-term

tial seteity objeedies Tati why we st Soma ol energtior cepdE PO-

‘Bis pm ong orgs not arte’ perpestive in the long Fan, ere can, be no doube that US national security ebjestives ere

ost sted By an IT 'waridinish US, companies ave tartt ede a So

FPanidly owing market share of foreign enerygtion and examples of U.S businesses

ng 4n reign spanutaccurers eca oe the US expat regulations For ex

‘aple, 2 Decomibet 10 study conducted by Trusted Infrmatigg Spot found that đột non-American encrypion product ate avaiable Lam 29 fori austen

These encryption manufacturers are located as far from the U.S. as China and as

ace ps etic "the redcts tn the study were purchgoed tia reuse chancel, ef: thee alteatiy in Ue Dretnn mánuhenuưế e tư a distor Wak Bach Sarl hee Tae bats opporties with tajor frei eonglom erty such ap iors BEG) SAP AG ond Sonne Ay eenae oS port

‘Sti Teplaepe US, sftearo companies extn te have et lisa {intial user oftheir sore due to the merygion relations ACE believes these foreign uetomers are purchasing srongnop-American everson products These foreign products are io of Muh qullty'and we do nov accept the Gl thấu thec fin Eis aze forging ston enctption fst because they cant fot Aurea

Hurther foreign encryption manufacturers are marketing thele produets by ual

US" encription roulstions ayant American companies, For example, Baltimore

CD an ieh enaeyptlon monfacsrer that President Cinton ghia

‘luring he ip to Dublin lot ve speieaiy points out he shorten of US

th De preducts tthe mel of thee produc, WebSoeure The, opting faspzaph dfsvebale states tat the export versione of U8 brewers “ae lin Tnhh nen euch is tol betes shough tor tno applications coglnct, WebBocure provides 12S: encyplia for real secur" inthe worl wth's computer: Here ts juet one example af the ase with eh ni ca BE alas svalleie fade and far te on the Yatoret to anybody fern ostade the Usted Siew con eats sisone enexgpion with few ck om

Bisir "computer ‘hey can visit ghe international Pretty” Good Privacy site

sev gp fon rom hat URL ng lúa vi can dàn sưng tt Sneryplon vàn 4p son Ai erduse any" elise fw O'S, can đan ae ncrypion ingly fom the tncrnet, and anyone sn the world with a somputer ha

[zrnied ave flowing URL: wor alimorecom/praust/wabnecusindex Mel

isa a ia a irs ane UM warp aa

ficult proposition SREP Testes ena co eur patna lien tt sự HA net

iy a prany gitar tary es gat te ete aaa Ral ting th al FUR ey dan hk Ue ec ar

VD a ihe anonere to qutions abut national seri, sgh Mien eli aman unis eae aa

Se AGE cig lary at ane aaa cae es oP Sai te Ue, ite rence comme i a

erates, wale a eee oad eee Te ne ee eee ae Ôn TP nhi ịt mummgl suudee coats ESS thee he Gn ng ng nh nh th nh PL a ee eet BH nh ben

Độ ng eo et Lâu hoard ea ee Wie SEN ere elena Caco ees od eee Se eee, ean rece ee ees cae, ee nen lính he, Di BRP ere nee ee ng Trị th bệ er eg te Se

ae te ee gona aa cme ean Soe DH cc Hig il eee Seperated

Ma Seems we ey of NET Center (an, see anes Des GP Eee ee a ecto aT Gazi a eet

ee Cte ee ees Ge a eee eee dtl 1 r1 tae, ee ciara er aaa

Spire cau eal eat REE TLE senator Bb Kev ely uae that) he

Aen mame ni bạt LỆ vị

Ea emphases hu It roogne a kg girtmeHial need po

sn EE Sie rent tes nein eats eres eed a TEESE ot Raine ge rune ote ie at aa Pe are Ae oe HE a ee et ee eee fet ete pei eninge 6n on

đe delay ol eet anata aeleas Pan SAS arent tint cat parse Simms Siesta he cece Sern a ig a ME ONE De etal hase an hate nad IEEE, cei SSPAC 5 Goreammt shold or sopsnddnh with ut

Sroremenl ers

SES foe th i pe ca eee eae ee

Mr. Tauzin. Thank you, Mr. Gillespie.

We are now pleased to recognize the Honorable Barbara McNamara, Deputy Director, National Security Agency. I want to tell how pleased we are that you grace this hearing. We thought NSA folks were all in dark suits and dark glasses, and you look great today. Thanks for being here.

STATEMENT OF HON. BARBARA A. MCNAMARA, DEPUTY DIRECTOR, NATIONAL SECURITY AGENCY

Ms. McNamara. Thank you very much. I am glad I can lighten your life. Thank you for the opportunity to appear before you today. And you do have my statement for the record.

Mr. Tauzin. Yes, ma'am.

Ms. McNamara. NSA plays a critical role in our national security. We as an agency have two missions. One is to ensure that the U.S. Government communications are secure and protected against prosecution by foreign hostile services. For that mission and that mission alone, we could support and do support a very strong U.S. industry in order to provide that service to the U.S. Government. But we also have another mission, and that other mission is the one that I would like to speak to you today about. It is a mission to provide foreign intelligence to the U.S. Government and policymakers and military commanders. We have a responsibility and do intercept and analyze the communication signals of foreign adversaries to produce critically unique and actionable intelligence reports for our national leaders and military commanders.

Very often time is of the essence. Intelligence is, first and foremost, perishable. It is worthless if we cannot get it to the decision makers in time to make a difference.

Signals intelligence proved its worth in World War II. The United States broke the Japanese naval code and learned of their plans to invade Midway Island, significantly aided the U.S. defeat of the Japanese fleet and helped shorten the war.

Today NSA provides exactly that same service to U.S. forces and coalition forces operating today in the Balkans. We have that responsibility to perform that support to our troops wherever it is that they operate in the world. Demands on NSA for timely intelligence support have only grown since the breakup of the Soviet Union and have expanded into national security areas of terrorism, weapons proliferation, and narcotics trafficking.

Currently, many of the world's communications are unencrypted. And let me address Congressman Sawyer's comments about the genie being out of the bottle. We acknowledge that there is strong encryption out there. In fact, my colleague here on my right discussed PGP. It is out there. But it is not being used broadly, and we know it is not being used broadly because that is our business. It is out there, it is not being used broadly and will not be used until a global security management infrastructure allows it to be used commonly across international borders.

If not controlled, encryption will spread and be widely used by foreign adversaries that have traditionally relied upon unencrypted communications. As a result, much of the crucial information we are able to provide today could quickly become unavailable to U.S. decisionmakers. The SAFE Act mandates the immediate decontrol of most encryption exports, which will greatly complicate our mission because it will take too long to decrypt a message if, indeed, we can decrypt it at all and respond to our global mission.

The bill would also prevent us from conducting meaningful review of a proposed encryption export. These reviews provide us with valuable insight into what is being exported, to whom and for what purpose.

Congressman Oxley and Mr. Reinsch addressed the liberalization that occurred last year on the part of the administration, and Mr. Reinsch also addressed the international agreement. Let me say in answer to your statement, Mr. Chairman, that what about, or your question—what about the other sectors that are not addressed in the liberalization that occurred last year? We do not automatically deny export of strong products to anyone. In fact, sectors of nations—we have approved export of very strong encryption products to areas of the world that are not part of the sectors that Mr. Reinsch described. It is not automatic denial. We view them all in an individual licensed approach. So I would just like to put that statement on the record.

In summary, the SAFE Act will harm national security by making NSA's job of providing critical actionable intelligence to our leaders and military commanders difficult, if not impossible, thus putting our Nation's national security at considerable risk. The United States cannot have an effective decisionmaking process or a strong fighting force or a responsive law enforcement community or a strong counterterrorism capability unless the information required to support them is available in time to make a difference.

Let me close by taking advantage of Mr. Oxley's statement earlier. I would be more than pleased to talk in more detail in a classified hearing.

[The prepared statement of Hon. Barbara A. McNamara follows:]

PREPARED STATEMENT OF BARBARA A. MCNAMARA, DEPUTY DIRECTOR, NATIONAL SECURITY AGENCY

Mr Chairman, thank you for giving me the opportunity teday va discuss the is gotint nie af enenaion fm eave ntinah scary ae oe {fase contra T wil Shen address specie concerts NSA han vìth provisions of the

SP Ác đu uc totbegn by bratiy uiroduring the National Sex ity Agency (NSA) aa Tes asain “Tue National Secomty Areney was founded in 1052 by President Truman AS a separately organized agency nithin the Hepartient of Defence, NSA provides Sig balslinteligence to variety of users in the Federal Government and secures infor

‘lution systems forthe Dapaetmmont of Defence sp eter Us Gavernmen agencies NSA"sad designated 1 Combat Suppart Ageney in 19as by the Secretary of Defense

a fesponse to the Goldseater Nichols Department of Defoe Hengyanization Act ‘The abuts to understand she secret communiations of ghar fers averaavies swhife protecting one wom commbntestons=a eapamity in which the United States Tends thể kheL ciếc our nation a unique advantage The key to this atomplish rent is crsptslogy, the fundamental mission td, gore competent of NSA, điên Thận Túáy ng ng anh deogbentg cade, ciphers and other forme

oe Tee cmmrsentns NSA" ie ghi th two ctpleientacy eke ie

Shearman ‘critical to {0.5 Nang sau hy by Tàn ĩ aig efor

fo signaie intelligence, or the process ‘om Toreign communications digaals by "protection" t am referrie to previding so deweing important inteliigense taformation Sanh thrinformation systems” Maietaining ths global advantage Tor the, United

‘Stetes requires preservation of @ Realthy crsptologte tapabi ly in She faey of apa algled fechneal shallenges, fs the signals intelligence (SIGINT) role that I want to adress today Our pri cipal responelbity is to snsure a stronn: national scearty environment by providing Lely information thar jestential to erie military and Poigy secison making NSA Toterecpts and gnalyees the communiestions signs of sur feign adversaries, pany ef which are guarded by suey and etter complex clactronie countermeasures From thean signals, we progite ita intelligence reparts (or national decsion sa

‘rz and military coinmatiors Vary often, time te othe eesence Intelligence i per {Ehable, fs worthless Wo cannot provide ft mn time to malke a sifference in Fe chống vai đồn loạn Poexamgle, SIGINT proved its worth in World War IL when the United States broke the Japanese aval code and learned af their plans to invade Midway land,

‘Thoe intellignace significantly aided the US defeat of the Jopaneae lect Subse

“on use of SIGINT helped Shorten the war, NSA contines tees to provide wel {igence ke the warighter and the policy aaker in tine to Make a difference for fur nation's seeuly Demands on us this areas have only qrown sinee the break

Up ofthe Soviet Union and have expanded to ddress her atonal security threats

‘leh as teeroriom, weapons proitration, and nareate trafieking, to name alow Fecauce of these growing Serious threats so ourcnationsl security care Toast be taken roth urination leluwnre eqalien Pạsguet tui Chap mm

độ hang mật càn tiêm vi vật lately rent the bạn ental ta igeneo reporting This sl preatiy complicate Sur expestation af foreign targets

Ie ne allay Di te trán To eo Ba ttee che c edetd ee can deerype ita hua nề bepnge it SIHÌe lạc lon (4g nh” mang, ef the word communieations ane unencrypted Uistrially, cpersption haw been ised primarily by governments nhi the mà than, TL vàn ei ploved for confidentiality in hatdorare-nasnl systems and was oft cumbersome to {ise As encryption moves i seftare-based plmontalions and the infasaractare develops to provider fet of encryption lated security services, netrypuon ‘Wil spread and bo widely used by other trcign adversaries that have tradi onaly re 8S upon snoneryped communications he immediate desonteat of encrptie ex ports Would accelerate the yee of encryption by many of these advoteariee and te R*fesull, such of the eeucial information we are sble to gather tndny could quekly Seeomeiunavatlable fo Gs finmediste encrypiion deeonteo! will also deprive us ofthe

opportsnity to conduct @ meaningful review of encryption products prior to thee ox Đặt Inthe past this review prossay hur provided us with valaste Insight ints Đặc lạ being exported, to sehen and for whet purpose Without the review aed

Tế BÀ tờ de) an oxport application, it wil be lnpossle to contol exports of

‘chergption ¢9 individuals and oiarseatane thal chreaten tne United States Por in gui tamdgdiare decontrcl wil cncermine intersacional efforts ty proven terrore: Sttorks, nd eaten forronets, druy taller, and proltorators of Weapons of mass

để im least do not confuse the needs of national security with the moods of law enforee- ment The two sets of interests and methods vary considerably end must be sở

‘rensad separately The inv enforcoment communits te primary concerned about {he use of on-resoverabie encryption by persons engaged in ileal activity At NSA, dea prmprly foced on presente export contre ehc pienL balee a

‘While uur mission ie t9 provide intelligence to help protect the country’s socurity, sie also recngnize that there must be s balanced approach ta the enersption issue

‘ie interent of eduery and provsey groupe, as well oof the Goverment, ast participate in ihe 2iat Century world of glebonie commerce” it wil enhance the Economie compottveness of US industry It wil combat unouibortaed access to Br Vote Information and i will deny adversaries from geining access to US informa:

Ua wherewor st maybe dhe word

iors thie alenced Sopronh, we are enzaged in am ongoing and predictive late addrences men industey conserna and has sigmieantiy advanced the abi

Uy of US vendors to parcicpale in oveeseas markets OF eiual significance, the Wassersar hatons, presenting most major producers and ‘ysors of encryption, Sureedunauhinousiy {a December 1098 to tantra strong hardware sn software Sen products, The Wasgenaay Agisoment clearly chows that offer nations eres that & balanced approach is needed on encryption policy and eapere conuols {hat commrca! and item aecity sneestn ar aalgrensed, Bath are piv tecing tional sect ese are Clamps sf the Kinde of advanens sale tinder’ the current topwlasary sructure, whieh provides greater Heaiblity"then 3

“tetutony structure to adj expore controls as Sircamstances warrant in order to ineet the needs of Government end industry” We want US companies to effectively ompese in world markets In fae, itis something we strongly support ay long at {Rime comsiatentiy with natin eects needs, NSA suppers ibe Teen oe

to open up longe commercial stark while trying Lo mine potential Yak 05 a onal seciriy! We beiews ignifcant progress wan mace,

‘elroy the SARE AR ICS SES pretant st you understand the sgn cant feet certain provisions of tgs bil wil have on national security f enaeted, the bil would efldively decontral must commercial computer sullware encrypted

‘and cpecliod hardware seeryptan exports to all destinatsonn, even vegions of insta”

MS TC vanld leo doprive the Government of she oppurtunity fa conducts mean Ingiai review of 8 proposed expert to assure its comparbie with U.S, national sec

‘interests and ‘would also iminate the ability to-deny an export applestion 1 Dilional security concerns are nat adesuately nddveased

‘The bil sould pera exports of enetypton based on products that are pormitted uy reign Bhai Snstttsne hee â eoihe die ni {8 thal stot be the base tây dựờn rung oder ncryion exe Briate in eases sch a those involving banks na sther facial sntittions which

TP mù related ad have a od roar of pedi secs to Ital reqvet for Spuatty ould ltiate injortant anal sete eee snare Tsurmmary, the SAFE Act will harm national security by making NSA’s jb of providing wis italigene to our ears and olitary comaiandars dice, i ot Rhpossible, thas putting our nation security af some considerable risk Out nation fannot have aa ellsctive decision-making process, strong fyhting force, respon lve law enforcement community ora stone eounter-terotisa capability unlose the {telligenee information requived to support them ie avallablo im He to ake a Gt ference The nation needg t belaneed encryption policy that allows U.S industry to untae to be Une works eehnlogy lender, bul Uist poley must also provee wut

Thank you for the opportunity to address the Subcommittee and I would be happy to answer any questions you may have.

Mr. Tauzin. And we have noted Mr. Oxley's request, and we will probably give you that opportunity, Mrs. McNamara.

We are pleased now to welcome Mr. Richard Hornstein, the General Counsel of Network Associates, Inc. of Santa Clara, California.

Mr. Hornstein.

STATEMENT OF RICHARD HORNSTEIN, GENERAL COUNSEL, NETWORK ASSOCIATES, INC.

Mr. Hornstein. Good morning.

My name is Richard Hornstein. I am the General Counsel of Network Associates. We are the world's leading provider of security products, software products. We are based in Santa Clara, California. Last year, Network Associates did approximately $1 billion of revenue. We have 2,700 employees worldwide, and we have offices located in 30 countries throughout the world.

I am also here to speak on behalf of the Business Software Alliance, the BSA. The BSA's members include, among others, Adobe, Lotus Development and Microsoft.

We would like to thank you, Mr. Chairman, as well as ranking member Mr. Markey, for your strong support in this and previous Congresses. We also want to thank the other 19 subcommittee members who are among the approximately 253 cosponsors of the SAFE Act.

You may not know what Network Associates is. We were just recently born about a year ago through a merger of several companies, but probably you do know our products. Our products include Virus Scan, an antivirus product; Pretty Good Privacy, or PGP, an encryption, virtual private network; PKI products; Gauntlet firewall, that product is used by the NSA; Cybercop, which is an intrusion detection product.

These products we sell as individual point products, and we also sell them as an integrated suite. We look to providing to our customers solutions for their needs, and more and more our customers are demanding comprehensive solutions for their corporate needs.

I can give you an example of how these products work. If you look upon a corporation as a village and if the village is going to need around it a castle wall to protect it, that will be a firewall. They would need soldiers to travel inside around the castle patrolling, checking I.D., making sure people aren't going where they are supposed to. That would be intrusion protection. When the king needs to travel from his castle, travel across the countryside and go visit another castle, that will be either a virtual private network of communication or an encrypted E-mail message. I mean, this is in simplistic forms, really, what we are talking about here.

What I am looking at right now is, for us to grow as a company we need to grow on a global basis. The time to market for our products is today. Our customers right now are looking for answers and solutions for us to provide today. Foreign companies out there with comparable products are out there selling to our customers, the customers who buy Virus Scan today. Checkpoint, an Israeli company, is selling firewall products on a worldwide basis. They have $150 million of revenue.

Baltimore Technologies, my counterpart is sitting down here, which is the UK Irish company, is selling virtual private networks and encryption products. They are a serious threat to our viability as an entity.

What I would like to do is give you a couple of examples of some deals that right now that we are looking at and questioning whether or not we actually will be able to get these deals.

One is with a company called DaimlerChrysler. It is a German company that is a major worldwide automaker. They also are a major U.S. company through their acquisition of Chrysler Motors. They are a customer of mine from the past because they lead Ii There is a seven-figure deal on the table today to license my Pretty Good Privacy PGP product. However, in competing on the bid on this product, on the sale of this product, I am up against a company called Eudomoako. Eudomoako is a German software security company. They did $35 million last year in revenue, and they are going rapidly right now all throughout Europe.

Right now, DaimlerChrysler, as I understand it in discussions with my sales folks, is stating that, yes, I can get your product, but I can't support—under the current rules, any sort of support that will be necessary for such a deal, hundreds of thousands of nodes today being sold to this customer, hundreds of thousands of nodes, would require technical support across the network. The only people appropriate to give such support are my engineers back in Santa Clara. They could not communicate with the German MIS departments without violating the technical assistance rules, exposing us to economic penalties and potential criminal sanctions.

A similar deal is for a company called Robert Bosch. This is an equipment company based out of Switzerland. Tens of thousands of nodes, six-figure deal, and I am in jeopardy of losing them to a company called Ascom, which is a billion dollar revenue Swiss hardware and software security company which is making inroads in the growing market.

Once these products are sold by our foreign competitors, it is like plumbing. You can't pull them out of the house. They are not going to replace me if in 2 or 3 years we liberalize these rules.

A third example is a company called Orient Overseas Container Line. This is a Pac Rim company. There, again, another company of mine that uses Virus Scan. This is, again, another six-figure deal. I am up against in that transaction with Checkpoint, an Israeli company that sells a firewall—world-class firewall product and a VPN solution; and they are also bundling in the PKI Search Server, which is a Canadian product.

In speaking with my salesperson, as I understand it, Orient Overseas is not probably going to buy our product. Why? Because, in marketing, Checkpoint is looked to be the world leader. They are an Israeli company, and they are looked to be a dominant of 50 percent of the Pac Rim's market on firewalls and VPN products, virtual private networks.

Also, because of their VPN product or at least the network product has to be registered when such sales are made with the U.S. Government, the privacy concerns of my foreign customers are violated, and they don't want to buy my products because they don't want to have a product that is being registered with any foreign government.

In closing, I would like to thank you for allowing me to speak here at this proceeding. I would like to thank you for—those of you for supporting the SAFE Act. I can be available for any questions at your leisure.

Thank you very much.

[The prepared statement of Richard Hornstein follows:]

PREPARED STATEMENT OF RICHARD HORNSTEIN, VICE PRESIDENT OF LEGAL AFFAIRS, TAXATION AND CORPORATE DEVELOPMENT, NETWORK ASSOCIATES, ON BEHALF OF

Good morning. My name is Richard Hornstein, and I am Vice President of Legal Affairs, Taxation and Corporate Development at Network Associates, Inc.,

đe săn Cư Cai Netware Anon Ie, i the lean tment software The array of security preducts olfered by Network Associaton i Clea, PGP mai An He đc fend email enti prac pring cerare Suerypued communicitions Tor over si tlllin aoare worldwide), the Gaumtet ire

‘rail fone of the leading eommoreat software Grewall products dekpinaly developed Tbr use by the NSA’, PUP VPN (e revolutionary new Interuet desktop communes: Nom product allowing users to communicate wcurely over the Ingernat dstabating Sti video and tent iformation on a sbeure enerypted channel neross the tater feb) d Cybareop can intrusion software product Which protects the computor et

aif Network Associates and the Business Software Alliance (BSA). Since 1988, BSA has been the voice of the world's leading software developers before governments and with consumers in the international marketplace. BSA promotes the continued growth of the software industry through its international public policy, education and enforcement programs in 8 countries throughout North America, Europe, Asia and Latin America. Its members represent the fastest growing industry in the world. BSA worldwide members include Adobe, Attachmate, Autodesk, Bentley Systems, Corel Corporation, Lotus Development, Macromedia, Microsoft, Network Associates, Novell, Symantec and Visio. Additional members of BSA's Policy Council include Apple Computer, Compaq, Intel, Intuit and Sybase. BSA wets But we really are here today to speak on behalf of the tens of millions of users

of Amerlan soltware and hardware praducts, The American sofware and hardware tháng have scene hysatn we have listened and responded tthe need

which they are willing to pay. One of the most important features computer users are demanding is the ability to protect their electronic information and to interact securely worldwide. American companies have innovative products which can meet this demand and compete internationally. But there is one thing in our way: the continued application of

‘overbroad, unilateral, ‘ve Security and Beto through Encption (SAFE) Act, TR, 60, mernies export controle by the US Guvernment

US export laws regarding softrare-snd hardware with encryption capabilites to jermie-Atberiean companies to compete on a fevel invernationel playing fad and to provide computer users wilt ther eheice of adequate protection đi nh ưmabion and erie Inbastrmehumes for thelr contiden

For these reasons, BSA strongly supports the SAFE Act. We urge the Committee

ty report he SAFE Act wsamended nn fk forward te cs passage by the Howse

We want to thank both you, Mr. Chairman, as well as Ranking Member Mr. Markey for your strong support in this and previous Congresses. We also want to thank the 19 other Subcommittee members who are among the 289 cosponsors of the Act.

This morning I want to make four points:

* The worldwide standard is 128-bit encryption;

* Mass market software and hardware is uncontrollable;

* U.S. manufacturers face unnecessarily a significant competitive disadvantage; and

1 BSA strongly supports the SADE Act hectune witknut relaxation of export cote role our ensinl infrastructures rematch at rise The inevitable result of the Ad imneseauoncurenegeliey ibe aikepreaaldepuraent ol of weal: Aer ian snare sử Tan ai, bute vig designing an shure se encryption software and hardware thoughout our infrastructures bot n Amer fen snd abroad Ssupe Networks And Confidential Informotion In The Intornet Age Are The Key To ‘Privacy And Commorce American individusle ard companies sie rapidly becoming networed together

through private local area networks (LANs), wide area networks (WANs) and public networks such as the Internet. Combined, these private and public networks are the

TH thản để ceive comes, truaacione and commit Teale onthe Inteenet Souiles every 100 days, Prodieuons of busitese-o-musiness Internet commerce for tho vear 2000 rane from $65 bilo to $111 bilson, ae by

iO, eleczonie commerce between Imuninesses is expected to reach $900 bile During S900 one leading manufacturer of computer sofware and haréseare sod $3

‘ili per day online fi a total of $11 bilion for the year More and tore nid! consumers aloo are going’ of Line and spending Five

am from todas, we antvepote nearly 60 gencent of al Americans to be Using the TẤN ph More tham 10 milion people im Nonth America alone have alread’ pus chan] camething seer the Internet ad at least 40 million have ebtaired product Lind price taformation on the Ineernot only t male the final purchase et ie Alo- ether last year, consumers spent nearly 88 bilion online Newly 1.5 miion Amor

ng lun hte ailive population every month, and the number of worldwide online Tan r expected to seath 248 milion by 2008, "The incteaible puctcipation by American consumers in the Internet phenomenon, clastiy demmatraces {at tha need for ston eneryption is no longer merely the burview af our national secusity agencies concerned abut soeting Gata ad com- Eesti far ntereption by fregn government Today every Aruna ev Erootin solume of e-commerce ital of these consumers had ettugh confidence in fhe secs of the ineemat to purchase omiline Vet fm 1006 the Compater Security Ingrithta® Bt Computer ‘Crime Survey fuiestod that gar worldwide corporations

‘wl be increasingly under siege: over hall from within the Corporation, and nearly alt Bon ouisde at thei internal networks, "Network ears mast have sunfidence that their communications and dats—~abeth-

ex pero felony inal ramactons oe saaive business ination ay ve Stopaphl: boundaries and opening the world to buyers and seller, Companies, Bo Emmente am inaivisoats now realize that they ean no longer protect data and com SEunicatine ru, ators fy teyingom imine physeal aces to computers and isimtaiaing stand-alone cebtratized mainframes Instead, users expect ta be abe 29 BẾP p thấm email oe modify « dacament fom any computer anywhere in the Storld temps by using thelr Interae! browsers, Ths, consumers worldwade are de Thonding f0"be able fo prowel the electron Lnformnation an! lnherkel securely

‘Nellie and, Sues to prota with dương enerplon capabies has become

‘tsa! to broviig them wth confidence that they al have this abiley

Ful Deptoment OF Strang Berson Ie Vitel Ror Protacting Amerizc's Cra Governments also sre recognizing that without eneryption, the electronic net works that control such creat fntions a8 sihine fighke health, gaze Ramexone

‘lectsical powar and flanneial markets remain hughly Vuinefable The US" Gener

‘Reanunting Olfice im its report nsuea in May of 1698 entitled "lnfurmation Srrurty: Gere etn Dupe of ire Pons Ines eh oan that ca Fiternet such attscks are costly and damaging and such attacks on Defense and cher US" computer systems pose a sevious hờn to national secu,


As the President said on January 22, 1999, before the National Academy of Sciences, "we must be ready—ready if our adversaries try to use computers to disable power grids, banking, communications and transportation networks, police, fire and health services, or military assets. More and more, these critical systems are driven by, and linked together with, computers, making them more vulnerable to disruption." The President has been so concerned that he established a Commission on Critical Infrastructure Protection to provide him with guidance and issued two Presidential Directives based on the Commission's recommendations. In the Report of the President's Commission on Critical Infrastructure Protection entitled Critical Foundations: Protecting America's Infrastructures (October 198), the Commission emphasized that "Strong encryption is an essential element for the security of the information on which critical infrastructures depend." In fact, "protection of the information our critical infrastructures are increasingly dependent upon is in the national interest and essential to their evolution and full use. A secure infrastructure requires the following:

* Secure and reliable telecommunications networks.

* Effective means for protecting the information systems attached to those networks.

* Effective means of protecting data against unauthorized use or disclosure.

* Well-trained users who understand how to protect their systems and data."

An earlier blue ribbon National Research Council (NRC) Committee similarly concluded in its (May 1986) CRISIS Report, Cryptography's Role in Securing the Information Society, that encryption promotes the national security of the United States by protecting "nationally critical information systems and networks against unauthorized penetration." Thus, the NRC Committee found that on balance the advantages of widespread encryption use outweighed the disadvantages and that the U.S. Government has an important stake in assuring that its important and sensitive information is protected from foreign governments or other parties whose interests are hostile to those of the United States.

In recognition of the risks and threats to information, on January 16, 1990, the National Institute of Standards and Technology (NIST) established a new draft Federal Information Processing Standard (FIPS 46-2) to require the use of stronger encryption in government systems. NIST stated that it "can no longer support the use of the DES for many applications" and that all new systems must use the significantly stronger Triple DES "to protect sensitive, unclassified data." Under the FIPS, all existing systems are now expected to develop a strategy to transition to Triple DES, with critical systems receiving a priority.

Information security is critical to the integrity, stability and health of individuals, corporations and governments. While cryptography is but one element of security, it is the keystone of secure, distributed systems. Frankly, there is no substitute for good, widespread, strong cryptography when attempting to prevent crime and "bo đc themanh these networks. The security of any network, however, is only as good as its weakest link. Thus, private businesses who are responsible for running our critical infrastructures and the millions of consumers transacting business over these infrastructures, depositing money in banks and purchasing airline tickets, must have access to the strongest security. This access cannot be limited to only American companies, however, as America's infrastructures cannot be protected if they are networked with foreign infrastructures limited to weak encryption.

In the long-term, we believe it is in America's best interest to have America's critical infrastructures and national security be protected by widespread reliance on strong American encryption products both here and abroad. The SAFE Act's encryption policy will ensure that Americans can use and sell any encryption that they want domestically, prohibit both Federal and State governments from imposing encryption standards or techniques, and relax export controls on products with encryption capabilities in a manner that is based on technological and market realities. Just because law enforcement and national security interests wish that they could turn back the clock and limit consumers' access to strong encryption approved by the government, it will not happen, especially on a worldwide basis. This is especially true for mass market software and hardware, which by its inherent nature


don t 1250k hen nd ‘pete inlenatonaly ‘But unless the core American indiviivels and businesses will’boe be active, participants in thie ne

its eritical infrastructures, with the answers to their security problems Instead for-

Teen 1080 and 1802, the computing and software industry grew ab an annul ra

ie Sires SE iar Ut ae, so Phgr

đế are seounttg worldwide cnitical infrastructures, not American products

Unilateral U.S. Export Controls Harm American Interests

Currently, there are no restrictions on the use of cryptography within the United States. However, the U.S. Government maintains strict unilateral export controls on computer products that offer strong encryption capabilities. American companies are forced to limit the strength of their encryption to the 56- ste vt el Se ati ts Thu necnsy niaounced em tông vả also rem compote oveuprt stron chon in om stony scion sen yer

However, this policy ignores the fact that:

* The minimum strength now required by new Internet applications is 128-bit;

* The most widely used encryption program, PGP, with over six million users ninh the Swiss developed IDEA encryption algorithm, wt 9 He

* American companies cannot export encryption products to a vast majority of non-U.S. commercial entities. Foreign manufacturers provide 128-bit encryption alternatives and add-ons filling the market void created by U.S. export controls;

* Providing sector-by-sector relief is unworkable for mass market products and does not reflect commercial realities for uses of encryption products;

* 56-bit encryption has been demonstrated to be vulnerable to commercial, let alone governmental, attack. In the beginning of this year at the RSA Encryption Conference, a 56-bit DES encoded message was broken by private companies and individuals working together in 29 hours and 18 minutes. Imagine what a hostile government with serious resources could do;

* New developments in technology are introduced everyday that speed up decryption time: Adi Shamir, an Israeli computer scientist, recently announced "Twinkle," which is a proposed method for quickly unscrambling computer-generated codes that have until now been considered secure, af the Tnterasto

Export controls also have made American companies less competitive and opened the door for foreign software and hardware developers to gain significant market share, decreasing our national and economic security.

Whew Boor al, Fri Conse Wil Purcaae Thar Produce Prom Fu rae a Sey Canis Seria 04 SE, tạ

ahh Saar IES eel a et sree bere oe eles ce eee ae tọa hư non te AE XU

SETS Spot’ ete altel Saag peau nd cas Hang ngy as 195, the General Acoulog Ofc conned at sphncated sola te the Sena Are Peoria de Salt eae oad Omen conten al wetted

Fer pane mar eee ean Sil De

‘Beppe wale oop ae glen ie mine wl ph eee Tae cals i pts Rec ali

Ko Ong ni seem pacity my Armagh ean tÀPen dưng men Ba] Bega see Us eres See aor 1 ed Greg sac ad

te Re de TUe Đi” Tethis such ng re German company, are vl

Sse rece tet coe a ee ie eet en orem Rabe ii Ue eee ane eee ar

n an

Ses cee een ie a rental Pg ings (UK) and Baltimore Teh

1 ri rẻ no lui

Posted: 24/02/2014, 04:20
