WAKE-UP CALL ON ENCRYPTION (Senate - April 02, 1998)

[Page: S3114]

Mr. LEAHY. Mr. President, it is time the Administration woke up to the critical need for a common sense encryption policy in this country. I have been sounding the alarm bells about this issue for several years now, and have introduced encryption legislation, with Senator Burns and others, in the last Congress and again in this one, to balance the important privacy, economic, national security and law enforcement interests at stake. The volume of those alarm bells should be raised to emergency sirens.

Because of the sorry state of our current encryption policies and, specifically, our export controls on encryption, we are seeing increasing numbers of high-tech jobs and expertise driven overseas. Recently, a large computer security company, Network Associates, announced that it will make strong encryption software developed in the United States available through a Swiss company. Encryption technology invented with American ingenuity, will now be manufactured and distributed in Europe, and imported back into this country. All those good, high-tech jobs associated with Network Associates' encryption product are now in Europe, not in Silicon Valley, not in Vermont, not in any American town, because of our outdated export controls on encryption.

Network Associates is not the first American company to face the dilemma of how to supply its customers, both domestic and foreign, with the strong encryption they are demanding and also comply with current export restrictions on encryption. Other companies, including Sun Microsystems, are cooperating with foreign companies to manufacture and distribute overseas strong encryption software originally developed here at home.

I have said before, and repeat here again, that driving encryption expertise overseas is a threat to our national security, driving high-tech jobs overseas is a threat to our economic security, and stifling the widespread, integrated use of strong encryption is a threat to our public safety. That is why I have called in legislation for relaxation of our export controls on encryption.

Over the past month, we have learned of two serious breaches of computer security that threaten our critical infrastructures. Both incidents were apparently caused by teenagers using their home computers to trespass into the computer systems of the Department of Defense, the telephone network, the computer system for an airport control tower, and into the computer database of a pharmacy containing private medical records. One of these adolescent explorations in cyberspace disrupted telephone service in Rutland, Massachusetts and shut down the control tower at a small airport.

The conduct of these teenagers is now the subject of criminal investigation, due in large part to the great strides we have made in updating our criminal laws to protect critical computer networks and the information on those networks. I am proud to have sponsored these computer crime laws in the last two Congresses. But targeting cybercrime with criminal laws and tough enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted.

We should keep in mind the adage that `the best defense is a good offense.' Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems. A recent report by the FBI and Computer Security Institute released shows that the number of computer crimes and information security breaches continues to rise, resulting in over $136 million in losses in the last year alone.

The lesson of the recent computer breaches by the teenagers is that all the physical barriers we might put in place can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we do business. A well-focused cyber-attack on the computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense or public safety.

We have been aware of the vulnerabilities of our computer networks for almost a decade. In 1988, I chaired hearings of the Subcommittee on Technology and the Law on the risks of high-tech terrorism. It became clear to me that merely `hardening' our physical space from potential attack is not enough. We must also `harden' our critical infrastructures to ensure our security and our safety.

That is where encryption technology comes in. Encryption is one important tool in our arsenal to protect the security of our computer information and networks. Both former Senator Sam Nunn and former Deputy Attorney General Jamie Gorelick, who serve as co-chairs of the Advisory Committee to the President's Commission on Critical Infrastructure Protection, testified at a hearing last month that `encryption is essential for infrastructure protection.'

Yet, even computer security experts agree that U.S. encryption policy has `acted as a deterrent to better security.' As long ago as 1988, at my High-Tech Terrorism hearing, Jim Woolsey, who later became the director of the Central Intelligence Agency, testified about the need to do a better job of using encryption to protect our computer networks.

I have long advocated the use of strong encryption by individuals, government agencies and private companies to protect their valuable computer information. Indeed, a major thrust of the encryption legislation I have introduced is to encourage--and not stand in the way of--the widespread use of encryption. This would be a plus for both our law enforcement and national security agencies.

Unfortunately, we still have a long way to go to update our country's encryption policy to reflect that this technology is a significant crime and terrorism prevention tool. I am particularly concerned by the testimony of former Senator Sam Nunn last month that the `continuing federal government-private sector deadlock over encryption and export policies' may pose an obstacle to the cooperation needed to protect our country's critical infrastructures.

At the heart of the encryption debate is the power this technology gives computer users to choose who may access their communications and stored records, to the exclusion of all others. For the same reason that encryption is a powerful privacy enhancing tool, it also poses challenges for law enforcement. Law enforcement agencies want access even when we do not choose to give it.

The FBI has made clear that law enforcement wants immediate access to the plaintext of encrypted communications and stored data, and, absent industry capitulation, will seek legislation to this effect. Indeed, while much of this debate has focused on relaxation of export controls, the FBI has upped the ante. Recognizing that the encryption genie is out of the bottle, the FBI has indicated it may seek import restrictions and domestic controls on encryption.

The FBI has told me in response to written questions that: `[I]f the current voluntary efforts are not successful,. . . it is the responsibility of the FBI. . . to seek alternative approaches to alleviate the problems caused by encryption. This would include legislative remedies which effectively address law enforcement concerns regarding the import of robust encryption products, as well as encryption products manufactured for use in the U.S.'

The Administration has not disavowed this position. In a recent letter to the Minority Leader, the Administration expressed a preference for a `good faith dialogue' and `cooperative solutions' over `seeking to legislate domestic controls,' but has clearly not ruled out the latter approach.

Even as our law enforcement and intelligence agencies try to slow down the widespread use of strong encryption, technology continues to move forward. Ironically, foot-dragging by the Administration on export controls and threats by the FBI to call for domestic encryption controls, have only motivated computer scientists to find alternative means to protect the privacy of online communications that may, in fact, pose more of a challenge to law enforcement.

Indeed, the terms of the current encryption debate may soon become moot. The New York Times reported a few weeks ago that Ronald Rivest of MIT has developed a new method for protecting the confidentiality of electronic messages that does not use encryption. Instead, this method breaks a message into separate packets, each marked with a special authentication header, and then `hides' those packets in a stream of other packets. Eavesdroppers would not know which packets were the `wheat' part of the message and which packets were the irrelevant `chafe'. As Mr. Rivest noted in his article announcing this technique, `attempts by law enforcement to regulate confidentiality by regulating encryption must fail, as confidentiality can be obtained effectively without encryption and even sometimes without the desire for confidentiality by the two communicants.'

I know that others of my colleagues, including Senators Burns, Daschle, Ashcroft, Kerrey, and McCain, share my appreciation of importance of this encryption issue for our economy, our national security and our privacy. This is not a partisan issue. This is not a black-and-white issue of being either for law enforcement and national security or for Internet freedom. Characterizing the debate in these simplistic terms is neither productive nor accurate.

Delays in resolving the encryption debate hurt most the very public safety and national security interests that are posed as obstacles to resolving this issue. I look forward to working with these colleagues on sensible solutions in legislation, which will not be subject to change at the whim of agency beauracrats.

Every American, not just those in the software and high-tech industries and not just those in law enforcement agencies, has a stake in the outcome of this debate. We have a legislative stalemate right now that needs to be resolved, and I plan to work closely with my colleagues on a solution in this congressional session.

I commend Senator Ashcroft for holding an encryption hearing last month and providing a forum to discuss the important privacy and constitutional interests at stake in the encryption debate. How we resolve this debate today will have important repercussions for the exercise of our constitutional rights tomorrow. Do you agree with me that every American, not just those in the high-tech industries and not just those in law enforcement agencies, has a stake in the outcome of this debate?

[Page: S3115]

Mr. ASHCROFT. Yes, I do. The testimony presented at the hearing made clear that how we resolve the law enforcement issues at the heart of the encryption debate may affect the exercise and protections of important First, Fourth and Fifth amendment rights. While we must ensure law enforcement the appropriate amount of access we cannot do so at the expense of important constitutional liberties. As I mentioned at the hearing, the FBI has argued that a system of mandatory access to private communications--or a system in which the federal government strongly `persuades' individuals to hand over their rights to the FBI--would make it easier for law enforcement to do its job. Of course it would, but it would also make things easier on law enforcement if we simply repealed the Fourth Amendment.

Mr. LEAHY. These constitutional issues are vital ones for Congress to consider. I understand that efforts are underway for industry stakeholders to reach some accommodation with the Administration. I encourage constructive dialogue between the Administration and industry and, in fact, have been urging a dialogue between law enforcement and industry for over a year. But Congress will continue to exercise necessary oversight to ensure that the privacy and other constitutional rights of Americans are protected.

Mr. ASHCROFT. As the Chairman of the Judiciary Subcommittee on the Constitution, Federalism and Property Rights, you can be assured that the subcommittee will stand ready to provide oversight to ensure that no constitutional right of any American is compromised. Several very important rights were addressed by the witnesses during the hearing, and the constitutional concerns of law-abiding citizens must be respected. Importantly, in the ongoing dialogue between industry and federal law enforcement we must make sure that the interests of the citizens of the U.S. are represented and their constitutional rights respected. We must ensure that everyone in the negotiations--including the administration--views the constitutional rights of law abiding citizens as non-negotiable absolutes, not as bargaining chits.

Mr. LEAHY. I have been concerned about companies, such as Sun Microsystems and Network Associates, using foreign companies to manufacture and distribute strong encryption, which was developed in the United States but may not be exported under U.S. regulations. These instances are just the latest examples that delays in

resolving the encryption debate is driving overseas cryptographic expertise and high-tech jobs, to the detriment of our economy and our national security. Do you share these concerns?

Mr. ASHCROFT. Yes, I certainly share those concerns. The impact to our national security is clear and under the current Administration policy the United States is sending some of our greatest talent and products to foreign shores, enabling foreign competitors, both to industry and to our national security, to gain a strong foothold. In just the past few weeks, Network Associates, our largest independent maker of computer security software, decided to allow its Dutch subsidiary to begin selling strong encryption that does not provide a back door for law enforcement surveillance. This move by Network Associates was necessitated by our current wrong-headed export provisions. We have to re-examine these policies. Simply put, strong encryption means a strong economy. Mandatory access, by contrast, means weaker encryption and a less secure, and therefore less valuable, network. This recent example of the export of a manufacturing enterprise and the accompanying intellectual capital is only one example of a bad policy weakening our economy.

Mr. LEAHY. In my view, encryption legislation should promote the following goals:

First, legislation should ensure the right of Americans to choose how to protect the privacy and security of their communications and information;

Second, legislation should bar a government-mandated key escrow encryption system;

Third, legislation should establish both procedures and standards for access by law enforcement to decryption keys or decryption assistance for both encrypted communications and stored electronic information and only permit such access upon court order authorization, with appropriate notice and other procedural safeguards;

Fourth, legislation should establish both procedures and standards for access by foreign governments and foreign law enforcement agencies to the plaintext of encrypted communications and stored electronic information of United States persons;

Fifth, legislation should modify the current export regime for encryption to promote the global competitiveness of American companies;

Sixth, legislation should not link the use of certificate authorities with key recovery agents or, in other words, link the use of encryption for confidentiality purposes with use of encryption for authenticity and integrity purposes;

Seventh, legislation should, consistent with these goals of promoting privacy and the global competitiveness of our high-tech industries, help our law enforcement agencies and national security agencies deal with the challenges posed by the use of encryption; and

Eighth, legislation should protect the security and privacy of information provided by Americans to the government by ensuring that encryption products used by the government interoperate with commercial encryption products.

Do you agree with these goals?

[Page: S3116]

Mr. ASHCROFT. Yes, I agree with these goals and will look to these same items as a reference point for the drafting, introducing and passage of encryption reform legislation.

Mr. LEAHY. Would the Senator agree to work with me on encryption legislation that achieves these goals and that we could bring to the floor this Congress?

Mr. ASHCROFT. Yes. I believe it is critical for us to address this issue and soon. I also believe that we should work together to produce a piece of legislation that demonstrates our position on encryption policy.