Since 1992, when AT&T announced its plan to sell a small, portable telephone device that would provide users with low-cost but robust voice encryption, the issue of encryption 'that is, the use of mathematical algorithms to protect the confidentiality of data -- has been vociferously debated in the United States. Some people -- legitimately concerned about privacy, commerce, and computer security -- have advocated the unfettered proliferation of strong encryption products, and disapprove of the Administration's attempt to promote cryptographic methods that allow for law enforcement access to plain text. They have argued that government should simply stay out of the encryption issue entirely. Government controls on the export of strong cryptography have come in for particular criticism. In the din of the debate and in some legislative proposals, however, the significant impact that unbreakable encryption would have on domestic law enforcement and national security has often been ignored or understated.
First, let me make clear that we believe that the availability and use of strong cryptography are critical if the "Global Information Infrastructure" (GII) is to fulfill its promise. Communications and data must be protected -- both in transit and in storage - if the GII is to be used for personal communications, financial transactions, medical care, the development of new intellectual property, and myriad other applications. Indeed, people sometimes lose sight of the fact that law enforcement is responsible, in part, for protecting privacy and promoting commerce over our nation's communications networks. We protect communications privacy, for instance, by prosecuting those who would violate the communications privacy of others, and we help promote commerce by enforcing laws that protect intellectual property rights, by combatting computer and communications fraud, and by helping to protect the confidentiality of business data. Our support for robust encryption stems from this commitment to protecting privacy and commerce.
At the same time, however, we must be mindful of our other principal responsibilities: protecting public safety and national security against the threats posed by terrorists, organized crime, foreign intelligence agents, and others, and to prosecute serious crime when it does occur. Thus, notwithstanding the significant benefits of encryption, we are gravely concerned that the proliferation and use of unbreakable encryption would seriously undermine our ability to perform these critical missions.
Court-authorized wiretaps have proven to be one of the most successful law enforcement tools in preventing and prosecuting serious crimes, including terrorism. In addition, as society becomes more dependent on computers, evidence (and the fruits) of crimes are increasingly found in stored computer data, which can be searched and seized pursuant to court-authorized warrants. But if unbreakable encryption proliferates, these critical law enforcement tools would be nullified. Thus, for example, even if the government satisfies the rigorous legal and procedural requirements for obtaining a wiretap order (which can be obtained only in limited circumstances), the wiretap would essentially be worthless if the intercepted communications of the targeted criminals amount to an unintelligible jumble of noises or symbols. The potential harm to law enforcement -- and to the nation's domestic security -- could be devastating.
Our concern is neither theoretical nor overstated. We have already begun to encounter the harmful effects of encryption in recent investigations.
- In the Aldrich Ames spy case, Ames was instructed by his Soviet handlers to encrypt computer file information to be passed to them.
- Ramzi Yousef, recently convicted of conspiring to blow up 10 U.S.owned airliners in the Far East, and his co-conspirators apparently stored information about their terrorist plot in an encrypted computer file in Manila. (Yousef is also one of the alleged masterminds of the World Trade Center bombing.)
- In a child pornography case, one of the subjects used encryption in transmitting obscene and pornographic images of children over the Internet.
- In a major international drug-trafficking case, the subject of a court ordered wiretap used a telephone encryption device, significantly hindering the surveillance.
- Some of the anti-government militia groups are now promoting the use of encryption as a means of thwarting law enforcement investigations.
- In several major hacker cases, the subjects have encrypted computer files, thereby concealing evidence of serious crimes.These are just a few examples of recent cases involving encryption. As encryption proliferates and becomes an ordinary component of mass market items, and as the strength of encryption products increases to the point of denying law enforcement access to intercepted communications or stored electronic evidence, the threat to public safety will increase exponentially.
Same people argue that individuals should have a right to absolute privacy from governmental intrusion, regardless of the costs to public order and safety, and that any new technology that enhances absolute privacy should go unrestricted. But our society has never recognized an absolute right to privacy. Rather, the Fourth Amendment strikes a careful balance, permitting government invasion of privacy (including searches of someone's personal communications and papers) to prevent, solve, and prosecute crimes, but only when the government demonstrates "probable cause" and, absent exigent circumstances, obtains a warrant from a neutral and detached magistrate. Unbreakable encryption would upset this delicate constitutional balance, which is one of the bedrock principles of our legal system, by effectively nullifying a court's issuance of a search warrant or wiretap order. The notion that advances in technology should dictate public policy is backwards. Technology should serve society, not rule it; technology should promote public safety, not defeat it.
Similarly, some industry and privacy advocates claim that strong encryption such as 56-bit DES should be exportable without restriction because, even if this leads to a massive proliferation of DES products both at home and abroad, U.S. law enforcement and intelligence agencies can be given the resources necessary to decrypt DES-encrypted communications. Essentially, they argue that expensive, fast computers can be used to decipher encrypted communications by "brute force" -- which essentially means trying every possible "key" (a sequence of symbols that determines the transformation from plain text to cipher- text, and vice versa) until the right one is found. For several reasons, this argument -that "brute force attacks" and additional resources will resolve the encryption debate -- does not withstand scrutiny.
First, estimates regarding the amount of time needed to decrypt an encrypted message by brute force are purely theoretical and do not consider the realities associated with brute force attacks. For example, such attacks assume that the nature of the underlying plain text is known in advance (e.g., one knows from the outset that the text consists of words in English). In fact, the "plain text" may be a foreign language, a graphic display, or some other form of data completely unknown to the person trying to decipher it.
Moreover, according to the National Security Agency's own estimates, the average time needed to decrypt a single message by means of a brute force cryptoanalytic attack on 56-bit DES would be approximately one year and eighty-seven days using a thirty-million-dollar Cray supercomputer. Of course, law enforcement would not be confronted with only one message to decrypt. During 1995, for example, federal and state courts authorized more than a thousand electronic surveillance court orders, resulting in over two million intercepted communications. Given such numbers, brute force attacks are not a feasible solution.
Additionally, law enforcement agencies at the federal, state, and local level are finding that searches in routine, non-wiretap cases now commonly result in the seizure of electronically stored information. Because storage devices have increased in capacity and decreased in price, the quantity of data seized in "ordinary" cases continues to increase dramatically. If all of these communications and stored files were DES-encrypted, brute force attacks would not provide a meaningful and timely solution, especially since some cases, such as kidnappings, may require immediate decryption to prevent death or serious bodily harm. Thus, even if hundreds of such supercomputers were built (an expensive undertaking, to say the least), the approximately 17.000 federal, state, and local law enforcement agencies could not be given timely access to necessary decryption services.
Finally, many proponents of strong encryption advocate its proliferation precisely because it cannot be decrypted by the government. Thus, even if the government could acquire the ability to quickly decrypt DES-encrypted communications and information. many of the brute force advocates would push for even greater key lengths, on the ground that 56 bit DES no longer provided acceptable security. But greater key lengths would, of course, increase the difficulty and cost of decrypting encrypted data even more.
Our goal, then, must be to encourage the use of strong encryption to protect privacy and commerce, but in a way that preserves law enforcement's ability to protect public safety and national security against terrorism and other criminal threats. A consensus is now emerging throughout much of the world that the way to achieve this balance is through the use of a "key recovery" or "trusted third party" system. Under this system, a key for a given encryption product would be deposited with a trusted third party or "escrow" agent, which could be a private party or a governmental entity. (Some entities, such as large corporations, might be able to hold their own keys, provided that certain procedural protections were established to preserve the integrity of a law enforcement investigation.) The government would then be able, upon presenting a certification from the relevant law enforcement official, to obtain the keys from the escrow agent in order to decrypt information obtained pursuant to legal authorization.
Again, it is critical to keep in mind that, under a key recovery system, the government would not be able to access arbitrarily the encrypted communications of the average law-abiding citizen or business, because access to encrypted data could be obtained only as part of a legally authorized investigation. The same constitutional and statutory protections that preserve every American's privacy interests today would prevent unauthorized intrusions in a key recovery regime. Thus, under a key recovery system, there would be no increase in the government's authority to search or surveill private communications. At the same time, though, individuals and companies would gain the benefit of strong cryptography to protect against non- governmental intrusions into their privacy.
Beyond the interest in effective law enforcement, many businesses are beginning to recognize their own need for some method of escrowing keys. A private company, for example, might find that one of its employees had improperly taken and encrypted confidential information in the company's files and then absconded with the company's only copy of the keys. In such a situation, the company's only means of retrieving the information might be to obtain the keys from the escrow agent. And recent hacker cases, such as the one involving an intrusion into Citibank's computers by hackers in St. Petersburg, Russia, have further demonstrated to many businesses the general need for a cop on the "information superhighway." A key recovery system would provide businesses with the encryption they need to protect their own communications and stored data while preserving law enforcement's ability to track down and prosecute criminals who use encryption in an effort to conceal evidence of their illegal activities.
Key recovery thus holds great promise for providing the security and confidentiality businesses and individuals want and need, while preserving the government's ability to protect public safety and national security. Because there are no restrictions on the use of encryption domestically, however, there is presently no way to require the manufacture and use of key recovery products. The Administration therefore has been pursuing a policy to promote the voluntary manufacture and use of key recovery products, and the development of a key management infrastructure ("KMI"), in the hope that market forces will make such products a de facto industry standard.
We also have been engaged in ongoing discussions on this subject with foreign governments, which are now anxious to join us in developing international standards to address this issue on a global scale. In fact, an experts working group of the Organization for Economic Cooperation and Development (OECD) is meeting on September 26 and 27 to consider draft principles that would acknowledge the need for encryption products and services that allow for lawful government access to protect public safety and national security. We believe that key recovery encryption will become the worldwide standard for users of the GII if we continue our international leadership in this area.
If key recovery encryption does become the worldwide standard, U.S. businesses will be able to compete abroad effectively, retaining and even expanding their market share. At the same time, law enforcement agencies will have a legally authorized means of decrypting encoded data. This approach would therefore effectively serve the interests of all Americans.The argument is sometimes made that key recovery encryption is not the solution, because criminals will simply use non- key recovery encryption to communicate among themselves and to hide evidence of their crimes. But we believe that if strong key recovery encryption products that will not interoperate -- at least in the long term -- with non-key recovery products are made available both overseas and domestically and become part of a global KMI, such products will become the worldwide standard. Under those circumstances. even criminals will be compelled to use key recovery products, because even criminals need to communicate with legitimate organizations such as banks, both nationally and internationally.
Let me turn now to H.R. 3011. We believe that the central provision of the bill, Section 3 -- which would effectively eliminate all export controls on strong encryption would undermine public safety and national security by encouraging the proliferation of unbreakable encryption. We therefore strongly oppose the bill.
We have heard, of course, the off-repeated argument that the "genie is already out of the bottle" -- that strong cryptography is already widely available overseas and over the Internet and that attempts to limit its spread are futile, and serve only to handicap U.S. manufacturers seeking to sell their encryption products overseas. We disagree. Deputy Director Crowell will address this argument more fully in his testimony, but let me just mention four points briefly.
First, although strong encryption products can be found overseas, these products are not ubiquitous, in part because the export of strong cryptography is controlled by both the U.S. and other countries. It is worth noting in this regard that export of encryption over the Internet, like any other means of export, is restricted under U.S. law. Although it is difficult completely to prevent encryption products from being sent abroad over the Internet, we believe that the legal restrictions have significantly limited the use of the Internet as a means of evading export controls.
Second. the products that are available overseas are not widely used because there is not vet an infrastructure to support the distribution of keys among users and to provide interoperability among the different products. Third, the quality of encryption products offered abroad varies greatly, with some encryption products not providing the level of protection advertised.
Finally, the availability of encryption over the Internet does not undermine the utility of controls on exports of software or hardware products. The simple fact is that the vast majority of businesses and individuals with a serious need for strong encryption do not and will not rely on encryption downloaded from the Internet. For these reasons, export controls therefore continue to serve an important function.
A few other factors are important to consider regarding export controls. First, our allies strongly concur that unrestricted export of encryption would severely hamper law enforcement objectives. Indeed, when the U.S. let it be known at a December 1995 meeting of the OECD that it was considering allowing the export of some stronger, non-escrowed encryption, many of our allies expressed dismay at the prospect of such an action. They feared that it would flood the global market with unbreakable cryptography, increasing its use by criminal organizations and terrorists throughout Europe and the world. It follows that the elimination of U.S. export controls, as provided by H.R. 3011, would have an even more devastating impact on international law enforcement. It would be a terrible irony if this government -- which prides itself on its leadership in fighting international crime -- were to enact a law that would jeopardize public safety and weaken law enforcement agencies worldwide.
Second, critics of export controls have mistakenly assumed that the lifting of export controls would result in unrestricted access to markets abroad by U.S. companies. But this assumption ignores the likely reaction of foreign governments to the elimination of U.S. export controls. To date, most other countries have not needed to restrict imports or domestic use of encryption largely because export controls in the U.S. -- the world leader in computer technology -- and other countries have made such restrictions unnecessary. But given other countries' legitimate concerns about the potential worldwide proliferation of unbreakable cryptography, we believe that many of those countries would respond to any lifting of U.S. export controls by imposing import controls, or by restricting use of strong encryption by their citizens. France, Russia and Israel, for example, have already established domestic restrictions on the import, manufacture, sale and use of encryption products. And the European Union is moving towards the adoption of a key-recovery-based key management infrastructure similar to that proposed by the Administration. In the long run, then, U.S. companies might not be any
better off if U.S. export controls were lifted, but we would have undermined our leadership role in fighting international crime and damaged our own national security interests in the meantime.
Third, it is important to keep in mind that the State Department has shown considerable flexibility in administering export controls. For instance, it has permitted U.S. banks and other entities to export strong encryption products for their own use abroad, and has permitted the export of strong encryption as long as such encryption allows for legitimate government access.
Finally, as Vice President Gore announced in July, the Administration is considering various measures to liberalize export controls for certain commercial encryption products, in order to promote the competitiveness of U.S. manufacturers during the transition to a global KM!. In addition, the Administration is considering transferring jurisdiction over commercial encryption products from the Department of State to the Department of Commerce, a step which also would ease the burden on industry by providing for faster and more transparent decisions on applications for export licenses. We expect that a final decision will be made on these steps shortly.
In light of these factors, we believe it would be profoundly unwise simply to lift export controls on encryption. National security should not be sacrificed for the sake of uncertain commercial benefits, especially when there is the possibility of satisfying both security and commercial needs simultaneously through global adoption of a key recovery system. There is only one responsible course of action that we as government leaders should embark upon: to promote socially- responsible encryption products, which contain robust cryptography but that also provide for timely law enforcement access and decryption. This is the Administration's policy, and we look forward to working with this Committee as we continue to develop and implement our approach.
I would now be pleased to answer any questions you may have.