1997 Congressional Hearings
Intelligence and Security


Testimony of Daniel E. Geer, Jr., Sc.D.

U.S. House of Representatives
Committee on Science
Subcommittee on Technology
Washington, DC
11 February 1997

Thanks to the Subcommittee on Technology for the invitation to be here today and thank you all for choosing to spend your time with us. Every member of this panel is a trusted subject matter expert of considerable standing. Our worlds and yours do not ordinarily cross, but they should. They will have to. What is happening in the electronic world is, to quote The Economist, more defining than the telephone and but one notch short of the printing press. Without rancor or hyperbole, there is really very little time remaining for Congress to itself choose whether to lead, follow or get out of the way. Where it is crucial that government lead is in setting the rules of the game.

We hope to educate you today, but we know that in your line of work there is no time to study subjects not germane to this term's legislative agenda; we panelists, therefore, have the burden of proof to say something relevant. I am reminded of what I know as the four verities of government:

The trade press gets it wrong when it tries to talk about security as just a question of picking the right vendor. The lay press gets it wrong when it talks about exciting personalities and not about important ideas. Those of you in this room today have an inkling that something is up or you would not be here. Congratulations; you're right.

In one way or another, I have tried to make and sell computer security products for over a decade. Until the last year, I found that I could only sell to two kinds of organizations: Those that had already been hurt and those that had to answer to some higher authority and soon. Almost without exception, until 1996 no one talked about security in other than defensive terms. 1996 was the last year for that kind of thinking.

The wholesale conversion of the commercial world into an electronic market is upon us. If I'm wrong by a year or two, that is all that I'm wrong about. Since the start of 1996, my phone rings incessantly with both public and private organizations wanting to know how to be part of this electronic revolution without embarrassing themselves. There are only three requirements for an electronic business, or an electronic government for that matter.

Requirement number one is network access; that's easy -- it's universally available and the price is dropping fast; half the users on the Internet have been there less than a year and there is nowhere on this planet where an electronic business cannot be located, technically speaking.

Requirement number two is something to sell; that's easy, too -- how long did it take the VCR to go from "Are there any movies for this thing?" to one video store for every 10 square miles? The market for ideas has never been greater and as governments everywhere will learn, with the Internet out there, it is no longer possible to ban a book or even an idea. The Internet is Radio Free Europe on steroids.

Requirement number three is some way to have trust in the transactions -- that is, per se, why we're here today. Security technology is the single essential enabling technology other than the network itself. Those who get it right and agree on how to do trust management will dominate the next century.

I am here to convince you that security technology and security issues are worth the investment of your time and your brain cells. I want you to become educated consumers of security claims. In one of the Sherlock Holmes stories, Holmes, holding a scalpel in his hand, says "Watson, isn't it interesting how the instruments of healing are so indistinguishable from those of crime?" Security technology is like that precisely; there is a very subtle difference between the good and the evil here and there are already frank charlatans and charismatic quacks aplenty.

Let me assume for a moment that you of the Congress want the electronic markets to be as much dominated by enterprises within your sphere of control as the physical markets of today are, i.e., that you want the United States to continue to enjoy its economic position in a world of free trade and location-does-not-matter. Let me also assume that you are fond of entrepreneurial efforts as a way of taking advantage of change. Here is what you must do.

You must not hinder the use of security technology. This means you must explicitly forbid domestic use controls on cryptographic technology. If you do not do this, you will have chosen to export jobs rather than products.

You must make enough rules that there can be recourse when electronic commerce goes awry. Today, the rules of liability for purely electronic businesses are without case law precedent or agreed-upon governance. If you do not do this, the insurance industry will do it for you and, again, you will export jobs rather than products.

That is only two things and they are simple things. Do not let anyone make it more complex or argue that we need to go slow or that we first have to let foreign governments or domestic law enforcement catch up. By the time that happens, you will definitely be somewhere between "follow" and "get out of the way." I, we, beg you to invest some study time on this and talk to people like us. No leading company in electronic commerce is more than three years old; the companies you see every day are likely to be as in the dark as government is. The smarts are out there and, if you act informedly now, you can do the right thing before the calculus of sunk investment and private interest dominates the conversation.

Thank you.