Page 1 TOP OF DOC
??–???
1999
[H.A.S.C. No. 106–16]
U.S. ENCRYPTION POLICY
HEARING
BEFORE THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
HEARINGS HELD
JULY 1, 13, 1999
HOUSE COMMITTEE ON ARMED SERVICES
Page 2 PREV PAGE TOP OF DOC
One Hundred Sixth Congress
FLOYD D. SPENCE, South Carolina, Chairman
BOB STUMP, Arizona
DUNCAN HUNTER, California
JOHN R. KASICH, Ohio
HERBERT H. BATEMAN, Virginia
JAMES V. HANSEN, Utah
CURT WELDON, Pennsylvania
JOEL HEFLEY, Colorado
JIM SAXTON, New Jersey
STEVE BUYER, Indiana
TILLIE K. FOWLER, Florida
JOHN M. McHUGH, New York
JAMES TALENT, Missouri
TERRY EVERETT, Alabama
ROSCOE G. BARTLETT, Maryland
HOWARD ''BUCK'' McKEON, California
J.C. WATTS, Jr., Oklahoma
MAC THORNBERRY, Texas
JOHN N. HOSTETTLER, Indiana
SAXBY CHAMBLISS, Georgia
VAN HILLEARY, Tennessee
Page 3 PREV PAGE TOP OF DOC
JOE SCARBOROUGH, Florida
WALTER B. JONES, Jr., North Carolina
LINDSEY GRAHAM, South Carolina
JIM RYUN, Kansas
BOB RILEY, Alabama
JIM GIBBONS, Nevada
MARY BONO, California
JOSEPH PITTS, Pennsylvania
ROBIN HAYES, North Carolina
STEVEN KUYKENDALL, California
DONALD SHERWOOD, Pennsylvania
IKE SKELTON, Missouri
NORMAN SISISKY, Virginia
JOHN M. SPRATT, Jr., South Carolina
SOLOMON P. ORTIZ, Texas
OWEN PICKETT, Virginia
LANE EVANS, Illinois
GENE TAYLOR, Mississippi
NEIL ABERCROMBIE, Hawaii
MARTIN T. MEEHAN, Massachusetts
ROBERT A. UNDERWOOD, Guam
PATRICK J. KENNEDY, Rhode Island
ROD R. BLAGOJEVICH, Illinois
SILVESTRE REYES, Texas
Page 4 PREV PAGE TOP OF DOC
TOM ALLEN, Maine
VIC SNYDER, Arkansas
JIM TURNER, Texas
ADAM SMITH, Washington
LORETTA SANCHEZ, California
JAMES H. MALONEY, Connecticut
MIKE McINTYRE, North Carolina
CIRO D. RODRIGUEZ, Texas
CYNTHIA A. McKINNEY, Georgia
ELLEN O. TAUSCHER, California
ROBERT BRADY, Pennsylvania
ROBERT E. ANDREWS, New Jersey
BARON P. HILL, Indiana
MIKE THOMPSON, California
JOHN B. LARSON, Connecticut
Andrew K. Ellis, Staff Director
Peter Berry, Professional Staff Member
Ashley Godwin, Staff Assistant
(ii)
C O N T E N T S
CHRONOLOGICAL LIST OF HEARINGS
Page 5 PREV PAGE TOP OF DOC
1999
HEARINGS:
Thursday, July 1, 1999, H.R. 850, A Bill to Amend Title 18, United States Code, to Affirm the Rights of United States Persons to Use and Sell Encryption and to Relax Export Controls on Encryption
Tuesday, July 13, 1999, H.R. 850, The Security and Freedom Through Encryption (SAFE) Act
APPENDIXES:
Thursday, July 1, 1999
Tuesday, July 13, 1999
THURSDAY, JULY 1, 1999
H.R. 850, A BILL TO AMEND TITLE 18, UNITED STATES CODE, TO AFFIRM THE RIGHTS OF UNITED STATES PERSONS TO USE AND SELL ENCRYPTION AND TO RELAX EXPORT CONTROLS ON ENCRYPTION
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Skelton, Hon. Ike, a Representative from Missouri, Ranking Member, Committee on Armed Services
Page 6 PREV PAGE TOP OF DOC
Spence, Hon. Floyd D., a Representative from South Carolina, Chairman, Committee on Armed Services
WITNESSES
Hamre, Dr. John, J., Deputy Secretary of Defense
McNamara, Barbara A., Deputy Director, National Security Agency
APPENDIX
PREPARED STATEMENTS:
Hamre, Dr. John, J.
McNamara, Barbara A.
Skelton, Hon. Ike
Spence, Hon. Floyd D.
DOCUMENTS SUBMITTED FOR THE RECORD:
Letter submitted to Hon. Floyd D. Spence from Dr. John Hamre
QUESTIONS AND ANSWERS SUBMITTED FOR THE RECORD:
Mr. Kuykendall
Mr. Ortiz
Page 7 PREV PAGE TOP OF DOC
TUESDAY, JULY 13, 1999
H.R. 850, THE SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Skelton, Hon. Ike, a Representative from Missouri, Ranking Member, Committee on Armed Services
Spence, Hon. Floyd D., a Representative from South Carolina, Chairman, Committee on Armed Services
WITNESSES
Bowcock, Matthew, Executive Vice President of Corporate Development, Baltimore Technologies
Freeh, Louis J., Director, Federal Bureau of Investigation
Kaufman, Elizabeth, Senior Director and General Manager for Security, CISCO Systems, Inc.
Reinsch, William A., Under Secretary for Export Administration, Department of Commerce
Reno, Hon. Janet, United States Attorney General
Page 8 PREV PAGE TOP OF DOC
APPENDIX
PREPARED STATEMENTS:
Bowcock, Matthew
Freeh, Louis J.
Kaufman, Elizabeth
Reinsch, William A.
Reno, Hon. Janet
Spence, Hon. Floyd D.
DOCUMENTS SUBMITTED FOR THE RECORD:
[There were no documents submitted.]
QUESTIONS AND ANSWERS SUBMITTED FOR THE RECORD:
[There were no questions and answers submitted.]
H.R. 850, A BILL TO AMEND TITLE 18, UNITED STATES CODE, TO AFFIRM THE RIGHTS OF UNITED STATES PERSONS TO USE AND SELL ENCRYPTION AND TO RELAX EXPORT CONTROLS ON ENCRYPTION
House of Representatives,
Committee on Armed Services,
Washington, DC, Thursday, July 1, 1999.
The committee met, pursuant to call, at 9:45 a.m., in room 2118 Rayburn House Office Building, Hon. Floyd D. Spence (chairman of the committee) presiding.
Page 9 PREV PAGE TOP OF DOC
OPENING STATEMENT OF HON. FLOYD D. SPENCE, A REPRESENTATIVE FROM SOUTH CAROLINA, CHAIRMAN, COMMITTEE ON ARMED SERVICES
The CHAIRMAN. The meeting will please be in order.
The committee meets this morning to renew its consideration of encryption and the impact on our national security of pending legislation that proposes to remove controls on the export of encryption products.
The issue of encryption, the encoding or scrambling of electronic data to protect its contents from unwanted disclosure, is technical and complex but its importance to our national security cannot be overemphasized.
The committee has a bill, H.R. 850, the Security and Freedom Through Encryption or so-called SAFE Act on sequential referral until July 23. Due to serious national security implications of H.R. 850, I plan to hold a markup session during the legislative week of July 19th.
As many of my colleagues know, H.R. 850 is similar to legislation proposed two years ago, legislation which the committee amended in order to retain some export control on encryption software. The committee alternative was adopted two years ago on a strong bipartisan vote of 45-to-1.
Page 10 PREV PAGE TOP OF DOC
I continue to believe that the unrestricted export of sophisticated encryption products, which is exactly what H.R. 850 does and would allow, carries serious national security risks for our Nation. In fact, not only does H.R. 850 decontrol the export of encryption software, it also lifts controls on the export of all computers that contain encryption software.
This little-noticed element of H.R. 850 would essentially gut the tightened restrictions Congress mandated two years ago on the export of supercomputers to potentially dangerous end users like China.
In the context of the recent Cox committee report and growing concerns over the transfer of sophisticated United States technologies to country of proliferation concern, H.R. 850's decontrol of encryption and some computer exports makes no sense to me.
But let me be also clear about what this debate is and is not about. This is not a debate over the right of American citizens to use strong encryption products here at home to conduct financial transfers or transactions or to send secure communications over the Internet with confidence. With the growth in electronic commerce and communications, the need for information security is well recognized. However, I believe that removing controls on the export of strong encryption products will significantly weaken the ability of our country to protect its citizens against terrorists, drug dealers, and other criminals in the future. It would be tragically ironic in my opinion for the Congress to make it easier for terrorists to conceal their planning at the same time we are working to enhance the security of all Americans against terrorist threats through initiatives such as improved embassy security and by devoting additional resources to counterterrorism.
Page 11 PREV PAGE TOP OF DOC
From a strictly military perspective, a significant part of America's tactical advantage on the battlefield rests not only on our ability to ensure the security of our own military communications. The allied victory in World War II was in no small measure made possible by our success in breaking the codes used by Germany and Japan.
Unfortunately, the unchecked proliferation of sophisticated American encryption technology will only complicate the ability of our military forces to fight and win future battles.
We all realize that as technology continues to advance, preventing its spread and its use against us becomes more challenging. Despite this challenge, however, I strongly believe that our government should not, as a matter of policy, do anything to make it easier for a terrorist to harm Americans, drug dealers to ply their deadly trade, or an enemy on the battlefield to gain technical advantage over our forces that might result in higher casualties or a protracted conflict.
This is what the national security debate over encryption is all about. In my view, H.R. 850, the inappropriately named SAFE Act, will in fact increase the risk to Americans. Accordingly, we are fortunate to have before us this morning two Department of Defense witnesses who are uniquely qualified to address the serious national security implications of H.R. 850. They are the Honorable John Hamre, Deputy Secretary of Defense, and Ms. Barbara McNamara, Deputy Director of the National Security Agency. I welcome both of you to the committee.
Before we proceed, though, I would like to recognize the Ranking Democrat from Missouri, Mr. Skelton, for any opening remarks he would like to make.
Page 12 PREV PAGE TOP OF DOC
[The prepared statement of Mr. Spence can be found in the appendix.]
STATEMENT OF HON. IKE SKELTON, A REPRESENTATIVE FROM MISSOURI, RANKING MEMBER, COMMITTEE ON ARMED SERVICES
Mr. SKELTON. Mr. Chairman, thank you very much. It is a pleasure for me to join you in welcoming our two distinguished witnesses, the Honorable John Hamre, Deputy Secretary of Defense, and Barbara McNamara, Deputy Director for the National Security Agency, to our hearing. I look forward to the testimony today.
Today we are again confronted with the challenge of addressing an extremely complicated technical issue with significant personal, commercial, and national security implications.
While we will focus our attention today on national security concerns, I am reminded that there are many other pressing aspects to this issue that will affect each of us. There is an increasing reliance by individuals, institutions, and businesses, on electronic networks to conduct their activities. It is not just a local, State, or national issue, it impacts on how we as individuals and how we as a Nation interact in the global arena.
Mr. Chairman, while we extol the merits of technological progress, the growth of electronic commerce, and the importance of retaining American technological advantage, we here on this committee must respond to the challenges posed by the rapidly changing new technologies in the protection of national security interests. We increasingly rely on the vulnerable commercial information systems and electronic networks where the desired security and privacy is not assured. What we do here in this committee on this bill will make a difference. We have the opportunity to influence the confidence that we as a Nation will have in our ability to exploit the advantages of the new technology, while at the same time maintain the technological lead we now enjoy, provide for the public safety, and accommodate our national security requirements.
Page 13 PREV PAGE TOP OF DOC
Mr. Chairman, I know that this is a very complex and complicated issue, but I am committed to seek the right balance of the measures needed to meet all of our critical needs. The testimony of the witnesses here today provides us with one part of this issue. Thank you.
[The prepared statement of Mr. Skelton can be found in the appendix.]
The CHAIRMAN. Thank you, Mr. Skelton.
As you probably already know, we are having difficulties with our communications system this morning, so if you kind of speak in the mike, we will try to go on through it. Without objection, the full text of your prepared remarks will be submitted for the record. You can proceed as you would like. Dr. Hamre.
STATEMENT OF DR. JOHN J. HAMRE, DEPUTY SECRETARY OF DEFENSE
Secretary HAMRE. Mr. Chairman, thank you very much. We are genuinely honored to be invited to be here. This is an enormously important subject. I would like to begin by thanking this committee for having had the courage and the foresight last year to have addressed the national security implications of this issue. Had it not been for this committee, we would have had a steamroller that would have taken away one of the most important tools that law enforcement has in America and that we in the national security arena have to protect this country. And we are counting on you again. We cannot simply for the sake of the convenience of marketing interests set aside the national security of this country.
Page 14 PREV PAGE TOP OF DOC
We just concluded an 11-week air campaign. There are a lot of things that we need to study from that campaign. One of the dimensions which we cannot go into in this hearing was that we were significantly affected by the lack of our ability to get communications on our opponent, and frankly we had some of our communications that were compromised during this. We feel very directly the need for strong encryption to be able to protect our military operations. We also have a requirement to be able to do everything we can to find out what the bad guys are going to try to do to us.
Every one of those soldiers and airmen and Marines and sailors that has been fighting for this country is in exactly the same shoes that you are in now, but you are in a much larger role. The ability to protect and defend this country over the next 10 years sits in your hands as you look at this issue. It is that important.
Now, we in the Defense Department feel both sides of this problem. We need to protect ourselves in cyberspace. We have had hearings in front of you and we have told you how important it is for us to be able to protect ourselves in cyberspace, and encryption is a very important dimension to that. We have to be able to encrypt our communications.
At the same time, we need to know who is operating inside our networks. We need to have a key recovery system so that we know whoever we are talking to we can identify who they are and confirm their identity. We are not imposing it on anybody. I think there is this backdrop fear that a lot of Members of Congress have that this is simply something that we put down everybody's throats in America. That is not the case. This Administration is not pushing that.
Page 15 PREV PAGE TOP OF DOC
One of the most objectionable parts of this bill is the prohibition on the Department of Defense from being able to put in place the ability to identify who we are talking to in an encrypted environment. Now I will tell you what that means. That means that if we have a spy in one of our laboratories, we wouldn't be able to monitor them if this legislation passes. So the very sort of thing that everybody is outraged about and decries, you would absolutely open the door and let it happen without any ability for us to do anything about it if you pass this bill. It is that important.
Now, get to warfighting. I am telling you the world that is out there increasingly is an electronic world. We have got to do everything we can to protect our troops and our soldiers and sailors when they go in harm's way, and that means using all the resources that are available to the Department to be able to do that. We cannot afford to have troops go into combat not knowing as much as we can possibly give them, information in advance. And just simply unregulated release of the strongest encryption is going to do one thing: put more troops' lives at risk. Period. And that is why this is so important.
So far, everybody that has held hearings on this subject has only looked at issues of privacy. I honor that. That is why we go to war. The Constitution insists that that is one of the rights for all Americans and we will fight for that.
But at the same time, we have got to protect this country, and there are a lot more bad guys out there than we think. And you mentioned them in your statement, Mr. Chairman. It is not just the terrorists in the world. It is the organized militaries in the world that want to do harm to us every day. It is the pedophiles and the smut peddlers. It is the drug dealers. They are all increasingly using these tools, and if you want your security agencies to be able to protect this country, you can't strip away from us some of the tools we are going to need. And that is what this bill would do.
Page 16 PREV PAGE TOP OF DOC
Now, I think there is a lot of misinformation that is being peddled in this town about encryption and the Administration's position. The Administration is not prohibiting the export of strong encryption. As you know, right now you can export the strongest encryption to anybody in the finance sector, anybody in insurance, in health care, any U.S. corporation that has overseas subsidiaries and its trading partners. They all can get the strongest encryption today. That is not being restricted.
If you listen to a lot of the lobbyists you get the impression that the American software industry is absolutely hobbled and can't do a darned thing and that is not true. A significant part of this market is wide open and the Administration is willing to relax it even further. And we are working very much in deliberations and I think you will see something in a matter of weeks, further relaxation.
I was once asked in a hearing, aren't you just trying to hold back the rising tide, an inevitable tide of progress, technical progress? And the answer to that is yes. But I am trying to keep it from becoming a tidal wave. You have got to give us a chance to stay ahead of this rising tide so that we can manage it and we can give you genuine security and protection for this country.
But if you were to drop everything tomorrow, which is what H.R. 850 would do, it would be a tidal wave that would crush your national security and law enforcement agencies that are protecting this country.
Now, we are absolutely open to working with anybody. We are not mindless about this because we need this protection ourselves. We have got to have encryption for ourselves. But we have got to balance it. And this committee is the one that has to insist that that happens. If it isn't going to happen by this committee, it is lost. We have got to stand up, we have got to make sure that when it comes to fighting the bad guys here in the United States and fighting the bad guys overseas, you don't strip away what we need to be able to do our job and we can do it in lawful means.
Page 17 PREV PAGE TOP OF DOC
There is not a darned thing that we are proposing that is not fully protected through the constitutional procedures that are developed to protect all of our privacy and we all want that. We will fight for that. But we can't simply hobble your defense establishment and your law enforcement establishments just because we think we have got an inevitable tide of technology. We have to manage it, and that is what we are asking to be able to do Mr. Chairman.
And I would be glad to answer any questions, but I think you need to hear first from Ms. McNamara who is our expert.
The CHAIRMAN. Thank you for your usual good job.
[The prepared statement of Dr. Hamre can be found in the appendix.]
The CHAIRMAN. Ms. McNamara.
STATEMENT OF BARBARA McNAMARA, DEPUTY DIRECTOR, NATIONAL SECURITY AGENCY
Ms. MCNAMARA. Good morning, Mr. Chairman, and thank you for this opportunity. Let me say that I had to refrain from applauding after your opening remarks because I don't think I can say it any better than you have said it.
We really do need to appeal to this committee for your help in stopping the SAFE Act from passing. Why am I here? And I think I need to explain our role in this. The NSA secures information systems for the Department of Defense and other U.S. Government agencies and provides information derived from foreign signals that we decode to a variety of users in the Federal Government. It is this foreign intelligence role that I want to address today.
Page 18 PREV PAGE TOP OF DOC
NSA intercepts and analyzes the communications of foreign adversaries to produce critically unique and actionable intelligence reports. Very often, time is of the essence. Intelligence is perishable. It is worthless if we cannot get it to the important intelligence—sorry—if we can't get it to the policymakers and the military operators in time to make a difference.
As you said, Mr. Chairman, with our ability to read the encoded messages of Japan and Germany during World War II, and we learned their plans and intentions, we actually were able to help save lives and the war ended sooner than otherwise would have been expected.
That same crucial support was provided during Desert Storm and Desert Shield and it is being provided today in Kosovo, and in the past, in the recent past, elsewhere in the Balkans.
We live in a dynamic and unpredictable world. And in that world intelligence is, in fact, the Nation's security over the horizon capability. We give warning. Demands on NSA for timely intelligence have only grown since the breakup of the Soviet Union and have expanded into other areas of terrorism, weapons proliferation, and narcotic trafficking—national security areas that have no geographical or national boundaries.
Today, many of the world's communications are unencrypted, despite what you hear to the contrary. Historically, encryption has been used primarily by governments and the military. As encryption moves to software-based implementations and the infrastructure develops to provide a host of encryption-related security services, like authentication to which Dr. Hamre referred, encryption will spread and will be used widely by foreign adversaries that have traditionally relied upon unencrypted communications.
Page 19 PREV PAGE TOP OF DOC
The immediate decontrol of encryption exports as proposed in the SAFE Act would place encryption in the hands of many of these adversaries and, as a result, much of the crucial information we are able to provide today could quickly become unavailable to those who would need it and rely upon it to guide their actions and decisions and thus put national security at serious risk.
As you consider the SAFE Act, it is very important that you understand the significant effect certain provisions of this bill will have on national security. If passed, the SAFE Act would immediately decontrol the export of strong unbreakable encryption. It would deprive us of the opportunity to conduct a meaningful review of a proposed encryption export to assure its compatibility with national security interests. Historically, this review process has provided us with valuable insight into what is being exported, to whom, and for what purpose.
Without this review and the ability to deny an export application if necessary, it will be impossible to control exports of encryption to countless bad guys.
For instance, immediate decontrol would undermine international efforts to prevent terrorist attacks, to catch terrorists, drug traffickers and proliferators of weapons of mass destruction. Immediate decontrol of encryption exports will likely result in the global spread of strong encryption among our adversaries and the use of encryption as multiple levels within communications networks.
This will greatly complicate our ability to exploit foreign targets and provide the delivery of timely and usable intelligence because it will take too long to decrypt a message if, indeed, we can decrypt it at all. And if we are to provide timely support to our deployed military forces, we must be able to do better than that.
Page 20 PREV PAGE TOP OF DOC
As the Chairman so articulately described, the SAFE Act would eliminate all controls on the export of computers. Encryption, gentlemen, raises as many national security concerns as satellites and supercomputers; if not more, because of its widespread applicability.
I apologize, ma'am, I didn't see you come in.
You will hear others say that the genie is out of the bottle. Encryption is available overseas so why try to control it from this country? It is true that strong encryption is available overseas, but it is not yet widespread. We are employing export controls not to prevent U.S. industry from competing successfully in the international marketplace, but rather to prevent the proliferation of robust encryption to hostile forces. We support the availability and the use of strong encryption to secure electronic commerce, and that can be done today; to protect banking and financial transactions, and that is being done today; and to ensure confidentiality in corporate communications, and that is being done today. In fact, we allow U.S. companies to export unlimited strength encryption to most locations for these and other purposes, as Dr. Hamre said, under current relaxation.
However, we cannot allow the same free flow of encryption to those entities that would harm our Nation's security. Through export controls, we shape the environment in which we must conduct our code making, our signals intelligence, our foreign intelligence mission, by focusing our attention on end use and end users. Can we stop some foreign adversary from getting strong encryption if he really wants it? No, we cannot. But we can use individual solutions to solve those individual problems and use export controls to keep robust encryption out of the hands of most of our foreign adversaries.
Page 21 PREV PAGE TOP OF DOC
Without some control on its export, encryption will become ubiquitous and we will be severely hampered in our ability to support our military forces, policymakers, and the law enforcement community with timely intelligence reports.
In summary, the SAFE Act will harm national security by making our job of providing critical, actionable intelligence to our leaders and military commanders difficult, if not impossible, thus putting our Nation's security at considerable risk. The United States cannot have an effective decision-making process or a strong fighting force or a responsive law enforcement community or a strong counterterrorism capability unless the information required to support them is available in time to make a difference. The Nation needs a balanced encryption policy that allows U.S. industry to continue to be the world's leader, but that also protects the security of our Nation.
Mr. Chairman, since this is an open hearing, I cannot discuss in complete detail the negative impact of the SAFE Act, but would offer a classified hearing if that would be acceptable and you would be willing to do that. And I will close now and thank you for your time and attention and be happy to take your questions.
The CHAIRMAN. Thank you very much.
[The prepared statement of Ms. McNamara can be found in the appendix.]
The CHAIRMAN. Mr. Skelton.
Page 22 PREV PAGE TOP OF DOC
Mr. SKELTON. Thank you, Mr. Chairman. Dr. Hamre, what do you mean when you say we could not monitor a spy within our national laboratories?
Secretary HAMRE. Sir, what I said was if H.R. 850 were to pass, one of the most objectionable features of that is a prohibition on the government from having a key recovery system. In other words, I would not be able to have in the Department of Defense an ability to know who of my employees is talking to who. I wouldn't be able to reconstruct that. And so all of a sudden, the bad guy who is inside our midst who wants to send his stolen secrets back to headquarters could do it and we wouldn't have the ability to control that or monitor it.
So I decry these people that want to spy on America, especially our own people who want to be traitors to this country. But we need to do something to be able to protect, and that provision would prevent us from ever doing it. So anything that you found objectionable, that I find objectionable with somebody selling out on this country, you are basically giving them the keys to do it if you pass this bill.
Mr. SKELTON. Thank you. I have another question. What is to prevent the bad guys, whoever they may be, from getting the encryption from the lawful sources who have it such as commercial interests? What is to prevent them from getting it from them? You say in your testimony—.
Secretary HAMRE. Yes, sir.
Mr. SKELTON. —that commercial interests, financial interests and the like, can have encryption—.
Page 23 PREV PAGE TOP OF DOC
Secretary HAMRE. Yes, sir.
Mr. SKELTON. —that is exportable. And what is to prevent the unsavory souls from getting it from them?
Secretary HAMRE. Sir, bad guys today can get strong encryption products where we have relaxed the controls in areas, where we find other ways that we can still get access when we need to get access in a lawful manner. Now, it isn't 100 percent. We are managing a security risk here. I mean, we would love to have it otherwise. This technology doesn't let us have perfect security and we are trying to find ways in which we can manage it. The areas in which we have relaxed the export of strong encryption has been in areas where we feel we can tolerate; there isn't a significant security risk in those areas. They also represent the bulk of the market, by the way. So it is in the areas that we know there is a considerable risk of the bad guys talking to each other and communicating to each other in ways that we can't get at it. That is the part we are trying to regulate. That is what we are trying to control.
Let me ask Ms. McNamara to respond as well.
Ms. MCNAMARA. Yes, sir, Mr. Skelton. There isn't anything that will prevent every bad guy from getting access if they want to break the law. But we have solutions to individual problems. We just don't have a global solution, if encryption became globally used as this bill would—as the SAFE Act would permit and foster.
In the case of the export of strong encryption to the financial sector, that in particular is application-specific. And so it would not necessarily be imminently usable or useful by people—.
Page 24 PREV PAGE TOP OF DOC
Mr. SKELTON. By someone else?
Ms. MCNAMARA. By someone else, exactly.
Mr. SKELTON. How many times have you heard the argument that the cat is already out of the bag, the foreign competitor is already producing and selling what we are currently trying to restrict? What are our policies to be in light of that? Or is that true?
Secretary HAMRE. It is not entirely true. It is true in some small dimension, but it is not really true and it is an overstatement. There are 33 countries that have signed up in the Wassenaar Agreement and they are regulating encryption products to the same standard that we are. We are frankly a little too tight and we will loosen up to meet the Wassenaar standards. That is the bulk of the industry and they are being regulated internationally. The cat is not out of the bag.
Is there an encryption package that is out there that somebody, a couple of bad guys could download and use to talk to each other? Yes, there is. But that doesn't mean that the case is closed against us. We have other ways that we can take care of that problem. And it isn't a broad-scale environment that we can't get through. That is what we are trying to prevent.
Mr. SKELTON. Thank you, Mr. Chairman.
The CHAIRMAN. Mr. Hunter.
Page 25 PREV PAGE TOP OF DOC
Mr. HUNTER. Thank you, Mr. Chairman. Dr. Hamre and Ms. McNamara, thank you for being with us. And I agree totally with your position. I just wish Dr. Hamre that you were working the supercomputer issue also.
Secretary HAMRE. Well, I am doing that, too, and I will talk to you about that if you ask.
Mr. HUNTER. This is one place where it seems like the Administration is a lot tougher than it has been with other species of exports. And I would like to see you—maybe we could have some discussions in the future with respect to supercomputers and how we could make that policy work.
But a question for you on this: Why is industry so intent on having the unregulated export of this encryption technology without this key recovery system? Why should it make a difference to them? Because I understand that is what you want to have is a key recovery system.
Secretary HAMRE. We want to have it on a voluntary basis. We are not trying to impose key recovery on anybody else. But I don't want have to have a law passed that says we can't have it for us. That is what is so objectionable about H.R. 850. But I think there is a very strong interest in America for encryption and wanting to have protection. And we agree with that. We are not opposed to that. We also believe that there is a natural interest in the business community to want to know what their employees are doing. And again, by totally lawful means.
Page 26 PREV PAGE TOP OF DOC
But I used to be the Comptroller. We got out at Columbus, Ohio, where we have a payment center. We have disbursed about $43 million an hour. I am certainly not going to give a bad actor out there some encryption where he can send a check to his own personal bank account and I can't reconstruct that. It is voluntary. I want it for us. I am not trying to impose it on anybody else.
Mr. HUNTER. Understanding that, though, the proponents of 850 came last year with this bill, they really worked this thing, there is an enormous commercial interest in being what you would call—and I think I would agree—is a strongly unreasonable position. I am just trying to understand why they are so tenacious and why that is so important to them.
You have laid out a path that they can take that will allow reasonable export and you have pointed out that this is multilateral; we have other nations that are working with us on the control. Usually these folks don't come to this town and spend big money unless they have something that is extremely important to them. Why should they be so tenacious in this area? What is it that they object to so strongly?
Secretary HAMRE. Sir, my personal characterization of that would be unfair. I think you need to ask them about that.
Mr. HUNTER. Well, go ahead. We like to hear unfair characterizations.
Page 27 PREV PAGE TOP OF DOC
Secretary HAMRE. I think that would be unwise as well as unfair. But what I would say is that their fear is that we are not going to move in the regulatory process as fast as this technology is moving. And I could understand that. I mean, this is a very fast-moving technology in the field, and they are very worried that the bureaucratic process in the Administration will get bogged down and it won't move fast enough to accommodate the genuine changes. I honestly believe that is not the case. We are moving fast. We made significant changes last year and you will see some significant additions in the next weeks and months.
To give a fair representation, there are some out there who are cyber-libertarians, but that is a different bunch. I mean, the business interests I think are worried that we are not going to move fast enough to accommodate the change in the marketplace and we need to prove to them we can.
Mr. HUNTER. Just a last question. COCOM dissolved with the demise of the Soviet Union. We have gone through a number of areas where we need—supercomputers included—where we need to have perhaps a reestablishment of that multilateral control mechanism. What do you think?
Secretary HAMRE. Sir, we in the Defense Department would like to have as strong an instrument as possible so that we, with other governments, can regulate the movement of goods and commodities that have potentially damaging national security implications.
Mr. HUNTER. Do you think we should reconstitute COCOM?
Secretary HAMRE. COCOM collapsed because none of the participants wanted to abide by it any longer. What you have with Wassenaar is the next best thing. This has been one area during the last 12 months where we have been asking to buy time because it is—we are buying time here. During that period, we have been working with our counterparts in Wassenaar to get stronger enforcement of export controls so that we are not punishing American companies, and I honestly don't think that they are being punished because of it. And we are all working together here and there is not a single product that can't be exported with an appropriate license review, even the strongest things to the bad guys. We still want to look at it. Other than that, the market is wide open for where the bulk of the market is right now.
Page 28 PREV PAGE TOP OF DOC
Mr. HUNTER. I think I may be a little more conservative on this issue than you are.
Secretary HAMRE. Yes, sir, you may be. And I would be happy to talk about supercomputers if there is time later on.
Mr. HUNTER. Thank you.
The CHAIRMAN. Mr. Ortiz.
Mr. ORTIZ. Thank you, Mr. Chairman. Maybe you can help me. What percentage of the global market for encryption product is currently captured by the United States industry? Do we have any idea?
Secretary HAMRE. Mr. Ortiz, I will have to try to get an answer back for you. I don't know the answer to that. I think the way to look at it is in value terms, not in numbers of programs. There are lots of programs that people are trying to sell. But the bulk of the market is still very much dominated by the United States. By the way, we want it to be that way. We want American companies to dominate the world, not just because we deserve it and we are better than anybody else, but it is good for national security. I will have to get you an answer.
[The information referred to can be found in the appendix.]
Page 29 PREV PAGE TOP OF DOC
Ms. MCNAMARA. If I may, the 33 nations that signed up to Wassenaar, which is the follow-on to COCOM, are 33 nations that produce encryption products or products that have encryption as part of them. But even given that there are 33, we still see in the market U.S. industry predominating in the world.
Mr. ORTIZ. Just one more question. If this legislation passes, what do you expect will happen within the next 5 to 10 years? What kind of serious problems will we be facing?
Secretary HAMRE. I will defer to Ms. McNamara to describe with greater precision. My view is that almost immediately we would see very, very strong encryption products fall into the hands of foreign governments, foreign militaries, many of whom we have to meet on the battlefield. And so almost right away we are going to lose one of the huge advantages that the United States has when it goes to war, and that is the ability to stay ahead of the other guy because we are able to know more about him. And that is what would happen almost immediately.
Ms. MCNAMARA. I would second that, and I would add that in those areas, nonmilitary areas, we would see the export of strong encryption, but there is not yet an infrastructure that will allow it to be used globally. The reason—and as I acknowledged during my remarks, there is strong encryption out there in places. We are not seeing it used broadly today because there is no management infrastructure which will allow the global exchange of keys to allow it to be used. It is being used in industries, it is being used in multi national corporations, it is being used in sectors.
Mr. ORTIZ. Thank you very much.
Page 30 PREV PAGE TOP OF DOC
The CHAIRMAN. Mr. Bateman.
Mr. BATEMAN. Thank you, Mr. Chairman. It will become apparent very quickly that I know little or nothing about the technical aspects of this subject. That does not mean I am not interested in them and concerned about them. And I can assure you that I sense it is beyond my ability to fathom on a technical level, I put great credence in the people who are looking after the interests of this country which I think are most important. And that means I am going to follow the advice and the guidance of those who are seeking to protect our national security interests, even if there is some jeopardy of our economic interests.
Now, I have read the memorandum that is in front of us. I have listened to your statements. I want to read a part of this memorandum and have you all try to explain to this very lay mind why we have not already given away the store as it relates to this issue.
I read from the memorandum that says: In spite of these national security concerns, controls over the export of U.S. origin encryption products continue to be liberalized. In June, 1997, Netscape Communications Corporation and Microsoft Corporation received permission to export encryption products up to 128 bits in length for use exclusively in banking and financial transactions.
Well, if they can market it to someone who says they are going to use it for banking and financial transactions, what prevents a drug billionaire from setting up a banking and financial corporation, getting the stuff, and then using it for reasons having little or nothing to do with the front that has been created? Are we not already inviting difficulties?
Page 31 PREV PAGE TOP OF DOC
There is more of this, but the last and most significant remaining item is: The Administration also abandoned its insistence on development of a key recovery infrastructure.
If we have abandoned insistence on that, what is there left to argue about in terms of whether or not we are going to allow encryption or how much encryption we are going to allow? Can you all clarify that for me?
Secretary HAMRE. Ms. McNamara can do a great deal better than I. But I think the example of banking is a great example. We talked a lot about this a year ago when we were looking at the liberalization and the reason we agreed to do it in the banking sector, this is a fairly highly regulated industry and there are other ways for us to get lawful access to transactions to be able to find out something if we feel that there are reasons, that there are drug dealers that are laundering drug money, et cetera. There are other ways to get at that without having to have the ability to break a code.
That is exactly why we thought we could liberalize it, because we thought about this very carefully, and there are other areas where we cannot do that because there is not such a strongly regulated environment that lets us get lawful access to the information. I think that is a very good example of why we could tolerate it in that area and it doesn't constitute a major security risk.
Now, on the issue of key recovery, key recovery is anathema to an awful lot of Americans and it is because it has this specter that America's government is going to be listening in on every conversation or looking at every e-mail message we send back and forth. First of all, that is a terrible mischaracterization of the situation, because there is absolutely nothing that we are going to ever do that is not done through absolutely lawful means worked out that we do to protect everybody's privacy in this country.
Page 32 PREV PAGE TOP OF DOC
Frankly, you do a lot better job protecting Americans for privacy when it comes from the government than do you from the private sector. I mean right now, the private sector is selling your personal phone records to anybody that wants to buy them and there is only one party that can't buy them, and that is the United States Government, for your privacy. That is the kind of irony we have in this situation. But it is the Fourth Amendment to the United States Constitution. And if you call us to go off and fight and protect and defend this Constitution we will do it. And that is part of it. It is part of the encumbrance that we gladfully accept because this is a great country.
Now, key recovery, there is a difference from mandating key recovery on everybody else and preventing us as a Department from buying key recovery for ourselves. We have to have it for ourselves. I am not going to try to impose it on anybody else, but, for crying out loud, don't keep it from us. We have to have it just for our own network security.
Mr. BATEMAN. Perhaps I am not properly understanding this sentence. It says: The Administration also abandoned its insistence on development of a key recovery infrastructure.
Are you telling me that we have retained that which we need to retain and that there is no problem with a policy decision to abandon development of a key recovery system?
Secretary HAMRE. Sir, I think what whoever authored the memo was saying that we abandoned any requirement on a national level to have a nationwide key recovery system. That is true because that is just not acceptable to Americans. But we have not abandoned the goal to try to have voluntary key recovery for the government where the government wants it and needs it, and that is us.
Page 33 PREV PAGE TOP OF DOC
Ms. MCNAMARA. I would second that, Mr. Bateman. I think perhaps in the writing of the memorandum the word ''mandatory'' may have been eliminated or forgotten. But what we abandoned was a requirement for mandatory key recovery in the U.S. and that gets at—it was unacceptable for a whole host of reasons but we absolutely need to have it on a voluntary basis.
If I may add to the Secretary's answer about finance, we have long, as a government, given preferential treatment to the banking industry for the use of strong encryption because we always recognized that as a crucial element of our ability to have a strong government and a strong financial world, and that continues in the relaxation policy to the banking sector and the financial sector because they are heavily regulated industries.
If a bad guy were to gain access to what you cited as having been approved for export, and we needed to for whatever reasons, because it was a national security issue and we needed to be able to provide foreign intelligence about that bad guy, we would know how that product works. Because as I said in my testimony, a component of the licensing regime is a technical review of products even for those that are being exported as approved, so we would understand how that product works and the best minds in this Nation would be put to work on solving the problem, as long as it was an individual problem, and we would not expect to see them take—be able to take maximum advantage of a product that was released for the banking sector.
Mr. BATEMAN. I would be more comfortable with less liberalization, as long as you have a procedure in place where the government cannot go around snooping on anybody and everybody's communication without some necessity for showing good and proper cause for being able to do so, that it affects the national security interest of the Nation. If that safeguard is in place, I would be much more, much more restrictive on encryption than I even hear from the witness table.
Page 34 PREV PAGE TOP OF DOC
Also, I see this memorandum references to a Senate bill that has been reported out of the committee. Are you as concerned about the Senate bill as you are the House bill?
Secretary HAMRE. Yes.
Ms. MCNAMARA. Yes.
The CHAIRMAN. Thank you, we will break for the vote and then come back.
[Recess.]
The CHAIRMAN. The meeting will please be in order. I understand Dr. Hamre has to leave before too much longer and we want to try to go ahead and get to the Members to have the opportunity to ask him some questions. Mr. Kennedy.
Mr. KENNEDY. Thank you, Mr. Chairman. Let me begin by saying that it is always a pleasure to have you, Dr. Hamre. Ms. McNamara, I want to thank both of you for the tremendous work that you do on behalf of our government and national security. At the outset, I just want to say how much we appreciate on this committee all of those who dedicate themselves to protecting this great country of ours.
I am interested in this issue because I think it is a cutting edge issue. I have been in some of those closed door briefings to fully appreciate the enormity in your task to try to determine what our intelligence, how our intelligence is so crucial to deploying our resources accurately. I really appreciate the fact that you are concerned about being overwhelmed by what encryption, letting go of encryption will do to your efforts in terms of trying to keep track of the various and myriad arrays of intelligence data that you need to keep track of in order to be able to keep a handle on things.
Page 35 PREV PAGE TOP OF DOC
The way that I feel we are operating to try to choose a kind of a metaphor is that we are trying to hold back a tide here that is busting loose. And that is technology now bursting onto the scene like we knew it would and like we have heard it is for the last several years that I have been in this committee and you have been telling us about this impending problem. The fact of the matter is the problem is here, it is now, and that tidal wave is right at our ears.
The question is how are we going to address this. It seems to me, and I have studied this issue and talked to many people in the field, that the United States when it comes to this technology needs to definitely partner with the high tech community. The reason I say this is it certainly seems to me when you said that it is important that over the next few months, Dr. Hamre, we intend to show the tech community how we are going to try to keep pace, we intend to keep pace.
I remember you saying it because I jotted down notes. Everybody that I heard, and I travel quite extensively and meet with these tech people, I am constantly amazed at how quickly things are changing. Things that are here today are gone tomorrow and outdated. The notion that we could even presume to keep pace within our current bureaucratic system, and I appreciate your spirit in which you said that. And in the next few months we intend to show that. If you just hear that language, that language itself doesn't keep pace with the ever changing technology, changes that are happening in the high tech arena.
What I am trying to say is when we have a number of closed door briefings on X program or Y program, I am always amazed at how quickly it ends up in the commercial market. It is like we come up with it; and before long, we are selling it. I am saying to myself, how come we are selling it? It took us so long through the R&D process to come up with this, once we have arrived at the technology we are deploying it. Of course, for us for procurement reasons, we procure it and then we need to sell it for us to maintain a low per unit cost in whatever we are purchasing. So we end up selling it worldwide.
Page 36 PREV PAGE TOP OF DOC
So this notion that we are somehow giving away the store doesn't rest well with me because the fact of the matter is I think from all of my experience here with all of the R&D programs that we come up with, we are always a few years just ahead of the curve, in this case probably a few months to a year ahead of the curve; but we are never that far ahead of the curve. By and large, our commercial interests, the commercial interests of the world to keep track with us are always there banging on our door. Whatever we come up with is immediately out there. Then we have to begin that whole long R&D process all over again to maintain that cutting edge.
What I am trying to say is in this tech area, I think that we need to co-opt, if you will, American high technology because we are the leaders in the world. The fact of the matter is if we are going to intend to be the leaders in the world for our national security purposes, it seems to me we want to work with them and make sure that this stuff is going to be sold anyway, why not make sure they are on our side. If the product is being sold all over the world, why not make sure it is our product, domestic companies that have some allegiance and some interest in this country because they know about and appreciate the values of this great country of ours.
I would ask you in a general sense given that kind of horse-out-of-barn-trying-to-shut-the-door-now, and given the fact that even with the treaty that you acknowledge, even France and the UK, I understand, are backing out or changing their encryption laws. Basically, what we are seeing is the devolution of that notion that there is going to be a consensus. There is no uniform encryption now of standards. It is starting to even eat away at our allies, and France and the UK are starting to give some relaxation to their key escrow encryption. But with that, let me just ask you whether you don't think that with all of these comparable foreign design manufactured encryption that is being sold internationally, don't you think it is important for us to keep hold of our—the world marketplace that the U.S. companies have so that we can somehow co-opt this bronco that has gotten out of the barn and let's ride this thing as opposed to think that we are going to help protect ourselves by just shutting the barn door after this horse is out.
Page 37 PREV PAGE TOP OF DOC
I might add, finally, if you could comment on-we are operating here it seems to me in sort of a flat earth environment here with respect to this technology and we are in a round world. With that, what are you doing to get up to speed to deal with the ways around encryption now that we know we are facing the onslaught of encryption? What are we doing to address the human intelligence angles and other areas where we can begin to continue to monitor these areas that we know are vulnerable?
So, with that I would like to thank you both for your presence today.
Secretary HAMRE. Thank you very much, sir. First, I don't think anybody is trying to close the door on a barn when the horse has run out. I think the analogy, as I mentioned earlier, is one of trying to live with the rising tide and not have it become a tidal wave.
We know this is changing. Nobody is going to stop that. Nobody is going to reverse that and nobody is proposing that. It is a matter of how fast can we move ourselves and regulate the environment where it is truly dangerous so it doesn't get into a truly dangerous area before we can get there and have some solution to the problem. So we are really trying to manage a problem, not prevent a problem. You can't prevent the spread of this technology, first of all.
Second, I think this gets to a reason why it has to be done and it is best done in a regulatory environment not in a statutory environment. The very problem we are wrestling with some super computers was ''super computer'' was defined in law two years ago as being a 2,000 MTOP machine. This fall it is going to be a laptop that meets the 2,000 MTOP machine. Which means you can't really do it in a statutory environment. You need to do it in a regulatory environment.
Page 38 PREV PAGE TOP OF DOC
The problem is that you don't trust us. You are skeptical that we, the Administration, are going to be on the one hand moving fast enough for some people and on the other hand protecting security. So that is a backdrop of everybody's resistance right now. We are going to have to reestablish a pattern of confidence and trust with each other. We are trying just as hard as you are to protect national security. We are not more for national security and you are less just because you feel that you are trying to push us on this technology issue. We are all trying to work on these issues together, but it is best to do it on a regulatory environment and we have to reestablish in you confidence in us. I think that is an important part. That is what we are going to demonstrate with some of the changes that we are making.
You said about France and the UK, they have been pretty good models about how we should all evolve. The UK when Prime Minister Blair said, I am going to promulgate new regulations in the laws for encryption, he brought everybody in and he said, you companies are going to watch out for national security interests at the same time.
That is exactly the model that we are trying to establish around the world. Think that I—what France is doing—France is actually very strong on these issues. The UK is very strong on these issues. They are trying to do exactly what we are trying to do, to create a regulated environment where everything is done through lawful means, but we can stay ahead of the bad guys in the areas where there is the greatest risk and not hurt commercial interests in the process.
I actually think that is exactly what our policy is. That is what we are trying to do. It turns out that we need to move fast because this technology moves fast and that is exactly where we are trying to be at, sir.
Page 39 PREV PAGE TOP OF DOC
Mr. KENNEDY. If I could just follow up briefly. The notion I have here is if we are going to bring the tech folks into the room, the only way they are going to be of use to us is if they have market share and they stay ahead of the technology. But they can't stay ahead of the technology and have market share if we are hamstringing them at the outset. In other words, for them to be effective for us, we can't micro-manage them or else it is belying the purpose of us partnering with them because they won't have the ability to help us when we need them to help us, and that is to give us the best scientists who are working on this to help us find ways that we can cope with these new technological advances.
Secretary HAMRE. Again, sir, I don't mean to be disputatious, but I don't believe we are hamstringing them like the lobbyists are telling you we are. I think that is overstatement.
Ms. MCNAMARA. May I comment? First of all, we agree that national security wants and needs U.S. industry to dominate the marketplace. We are unequivocal on that point. So you and I, none of us is in disagreement in that regard.
A licensing regime allows us to manage what we are confronted with overseas and fosters an environment for U.S. industry to talk to U.S. Government on the development of their products. The licensing regime and regulatory regime fosters that type of environment. Absent that, there is no rationale or reason why U.S. Government and U.S. industry would, as a natural act, have those conversations. So the licensing regime would do it.
If you eliminate it, export controls which the SAFE Act does, thus doing away with the licensing regime because there would be nothing to license, there would be no environment that would—there would be no environment or any means to foster that environment. Yes, that could be voluntary. I am not saying that industry wouldn't come as a voluntary act in some cases. But the regulatory regime fosters that environment.
Page 40 PREV PAGE TOP OF DOC
With regard to the change in the UK, the French and the UK are both signatories of the Wassenaar Agreement which gives them an umbrella document against which to form their own export control regimes. Those regimes are following what the U.S. regime is today. The change that you read about, about the UK, was their abandonment of the requirement for mandatory key recovery. Key recovery is an enforcement issue. It is not a national security issue. We need to separate those two. Key recovery is an information assurance aspect. It is not a national security aspect. So they haven't backed off at all except to follow suit as the U.S. Government has, and that is to abandon the mandatory requirement for key recovery. In terms of their export control processes, they are exactly in track at the moment with the U.S.
Mr. KENNEDY. Thank you. Thank you, Mr. Chairman.
The CHAIRMAN. Mr. Weldon.
Mr. WELDON. Thank you, Mr. Chairman. I appreciate both of our witnesses coming in today and the conversation I had with Dr. Hamre at length over this issue. Last year I offered the amendment in this committee that passed 45 to 1 to maintain the security concerns that you have told us about. I only wish the debate on this bill in the Congress weren't so much being heavily driven by the absolute desire of both parties to curry favor with Silicon Valley for campaign donations. That is offensive to me because while it may benefit my political campaign financially, in the end on this committee our concern should be national security.
All of us in this country want to see our companies prosper and be able to lead the world market. There are none of us that want us to be isolationist and hurt our companies. I think for any of us to think that there are some Members who want to hurt American industry is trivial at best and certainly totally false. But the question is we have an obligation as committee members to listen to people like John Hamre and Ms. McNamara, who I have the highest respect for.
Page 41 PREV PAGE TOP OF DOC
John, you know this, I said this publicly, you are one of the stars of this Administration. I don't often give many stars to this Administration, but you certainly are one of them for your work, and I respect your integrity. We need to listen to what you say not because you want to hurt industry but because you want to make sure that our security concerns are being met. I want to tell you, and I know I am going to offend some industry people in the room and that is the way it goes, I am not going to shed crocodile tears for companies that back in 1992, 1993, 1994, led the effort, and in some cases illegally, to transfer sensitive technology abroad and then come back to us and complain that our export controls aren't loose enough to allow them to maintain their market share.
They were so aggressive in the early 1990s and in some cases got approvals, one of which I have some documents, Mr. Chairman, which I would like to submit for the record. One is a letter dated July 5, 1995, to Ron Brown thanking him for giving approval to the export process for an encryption algorithm to China. During our China committee hearings, that is all we heard about. And while that whole Cox Committee report is being spun to be China's espionage, the bulk of our problem in the 1990s was the total relaxation of the controls that we had and the ability of the Defense Department to play a legitimate role in monitoring technology that was being made available.
I disagree with Ms. McNamara on the Wassenaar process as many of my colleagues do. I think it has not been the success that perhaps we would have had in our co-com. I would like to see the Administration take a more direct leadership role in bringing the nations of the world together to see if we can't put into place a stronger mechanism of cooperation to stop this auctioning off to the higher bidder of who can gain the most market share simply because of their ability to influence their government's export policies.
Page 42 PREV PAGE TOP OF DOC
Mr. KENNEDY. Could you yield?
Mr. WELDON. Not yet, I want to finish my comment first.
I would just ask for the record, Dr. Hamre, if you would, in fact, agree to a letter that you sent me dated May 24, for those who were saying that we are hurting our export policies. This is the quote that I am reading from if you could just confirm this. I would like to put the entire letter, Mr. Chairman, into the record if that is okay with you.
[The information referred to can be found in the appendix.]
The CHAIRMAN. Without objection.
Mr. WELDON. You said last year we actively worked inside the regulatory process to update our export policies opening approximately 70 percent of the world's economies to U.S. encryption products.
Is that correct?
Secretary HAMRE. Yes, sir, and it will get even wider here.
Mr. WELDON. 70 percent?
Secretary HAMRE. Yes, sir.
Page 43 PREV PAGE TOP OF DOC
Mr. WELDON. So to characterize this as an attempt to try to limit the effort, I think is certainly false on the surface and utterly ridiculous, in fact, in depth. Let me also say, Mr. Chairman, I think as we look at this issue we need to look at the backdrop that occurred in the past several years in allowing certain companies to get access to sell their encrypted products abroad.
In particular, I am very concerned about the 1996 decision to allow RSA Data Security to reach an agreement with the People's Republic of China in terms of sharing encryption technology for use on government networks. I think that is going to come back to bite us as a country because we, in fact, have helped China develop the most capable encryption because of the capabilities that we give them.
This gets back to the heart of the issue of making sure that the Pentagon and the intelligence community and the NSA have a role in the process of what we are selling. I am not saying that we should have a veto authority, but they should have a role in that process. They should be able to share with Members of Congress and the Administration the very real concerns of security and the implications that could come back to cost us significant amounts of dollars.
Dr. Hamre, do you have any idea as to what the cost would be, first of all, for establishing a counter-encryption effort if, in fact, we had to do that? That is one question.
Number two, can you confirm an article that was in today's Christian Science Monitor that quotes the author from a recent Rand Corporation report, Tom Regan, as saying that Osama bin Laden is, in fact, using information technology to facilitate his terrorist activities, and wouldn't it be logical then to assume that if Osama bin Laden is using information technology that perhaps there would be some attempt to use encryption technology to mask these activities from national security agencies and officials? I don't know whether you saw the article today or not, but it ran in this morning's Christian Science Monitor.
Page 44 PREV PAGE TOP OF DOC
Finally, as a question, maybe we ought to look at the fact of perhaps if this policy were to be changed, and we totally removed the ability of monitoring or stopping encryption exports, maybe we ought to look at the idea of perhaps having those companies that are involved in selling their encrypted technology to an individual or entity that we then find out who is involved in a criminal act, to hold them liable and hold them accountable for the use of that highly capable encrypted technology to pay the price for the damage they have done because of a criminal activity that could not have occurred perhaps without the support of this highly capable encryption. Dr. Hamre.
Secretary HAMRE. Mr. Weldon, first, let me thank you for the leadership that you provided last year when this was crucial. If it hadn't been for you, this would have just rolled right over the national security, and I thank you for that.
On the first question about the dollars for counterintelligence if this were to disappear, it would be an enormous number. I don't have one right now, but I will try to give you a reasoned assessment. We still have to do better on counterintelligence in this country even if we were not to pass the Goodlatte bill. We are just not protecting ourselves well enough across the board. We are going to have to spend more on counterintelligence, period. This would just swamp us if all of a sudden we had to find ways to get around this problem. But I will give you a more reasoned answer.
Sir, I did not see the article in the Christian Science Monitor and I am somewhat constrained obviously in an open setting to talk about this openly, but I can unequivocally tell you Osama bin Laden and other bad guys in the world are not only using information technology but encrypted information technology.
Page 45 PREV PAGE TOP OF DOC
Mr. WELDON. For the record, if you could go maybe in a classified setting for us in more detail because Members need to get into this issue in-depth and that can only take place in a classified setting and not the public where the rhetoric overtakes the substance of what is involved with this issue.
Secretary HAMRE. I will, sir.
Mr. WELDON. I see all of my industry friends shaking their heads back there because they don't want to see it happen, but I can tell you as a Member of Congress, we will demand that take place.
Please focus on the third point.
Secretary HAMRE. On the issue of liability, it seems to me everyone has a requirement. It is not terribly different than someone else uses a product to commit a crime. I don't know how we could accept that. Now, I can't get into—you are not talking about issues that only Members of Congress can resolve when you start talking about assessing liabilities and passing laws and that sort of thing. What I do is I welcome very much the attention that you are placing on the responsibility of every American, not just your law enforcement and national security people, to worry about the protection and security of this country, and I thank you for that.
Mr. WELDON. If my Chairman will allow me, and you may not want to answer, but if this were to pass, could we look at perhaps passing some kind of a liability or penalty on those companies whose encrypted products are sold and we find that that encrypted product has, in fact, been used in the course of illegal activity by a foreign national or a terrorist group.
Page 46 PREV PAGE TOP OF DOC
Secretary HAMRE. Sir, the reason that I was ducking your question, and I was ducking your question, is because if I were to give you that answer it would come across as an official position of the Department of Defense.
Mr. WELDON. How about a personal answer.
Secretary HAMRE. Personally, I would pass it in a heart beat.
The CHAIRMAN. Mr. Andrews.
Mr. ANDREWS. Thank you very much, Mr. Chairman. I thank the witnesses for their testimony this morning.
This appears to be an issue where there appears to be broad consensus or even unanimity about the right propositions or answers, but almost no understanding of the facts.
And I think what you have done this morning is to lay out some very important factual questions that must be answered before the Congress can take action on the legislation that is before us.
It is interesting that the hearing room is almost about half empty, half full, depending on your point of view today. You don't see any television cameras here. If we will put out a release saying that we were having a hearing this morning on whether we were going to be able to stop an international terrorist group from hacking into the launch codes for nuclear weapons and redirecting the nuclear weapons at the continental United States, our weapons, if someone had the ability to do that whether we would have the ability to break in and stop them from doing that we would have to shut the room off because the place would be overflowing with people.
Page 47 PREV PAGE TOP OF DOC
It is not an exaggeration to say that is what this hearing is about. It is about whether someone gets that kind of capacity, whether we are in a position to stop them from using it. It is also true that if we are ever going to have a hearing about the loss of tens of thousands of American jobs because we were artificially cutting off exports of our companies and that we were going to pass a law that would lead to the loss of tens of thousands of jobs, we would have the room filled with angry constituents, I am sure.
I think there is unanimity. No one in either party on either side of this debate wants to cripple the defense capability of the country or the law enforcement capability of the country. On the other hand, no one on your side of the debate wants to deprive American employers of opportunities that are rightfully theirs. You can start with that proposition, we are all trying to go to the same place.
I think the key factually to this whole debate is found on page 8 of your statement where you address the argument of the proponents of this bill, that the elimination of encryption export controls wouldn't really make any difference because these products are already out there being broadly sold and distributed by our international competitors. So their argument sort of is that eliminating the export controls won't do us any harm because these products are all out there anyway. I think that you raise what is the key point when you say that the foreign availability argument is seductive but flawed.
We know that not all products reported as available overseas are actually available. We also know that some of the products in the foreign market are poorly implemented. Others have non-existing user support or may not be widely used. The key importance of that fact is that if these encryption products are not broadly available on the international market, we would then not be asking our companies to give up a competitive edge. The question becomes relatively easier. I think that we in the Congress need to talk about a method for answering the question that you have raised both on a classified and unclassified basis. Because for products that are clearly available in the international market now anyway, it makes great sense for us to cut back on the bureaucratic process of gaining an export opportunity. If something is already out there, we are foolish to deprive our own companies of the ability to traffic in that marketplace.
Page 48 PREV PAGE TOP OF DOC
But where it is unclear that it is out there, that is when the hard question comes in. When it is clear that it isn't out there yet, then it seems to me to be a compelling argument that we ought to create some licensing process, some meaningful security review that before our companies are given the chance to put the product out there that we have thought through all of the security ramifications of putting it out there.
I think that we have to divide the world into three components: Products that are clearly out there where there is no security loss to permitting free competition by our people; products that are clearly not out there, where I think it makes great sense to have a thorough vetting review process, whereas Mr. Weldon just said, there is a significant role, not a veto role, but a significant role for national security agencies; and then products that are in between where it is not clear, there ought to be some fact-finding system that helps us understand that.
I am quite convinced that the bill in front of us does not do that, does not create that discrimination among cases. I think that it very clearly raises the risks that in order to rush to commercial opportunity, we may be stumbling onto a security risk that we don't want to do.
I want to ask you a question based on that analysis, and that is are the intelligence data available, or the technological data available to conduct such a review that I just outlined for you? Is the Department prepared, either on a classified basis or unclassified basis, to tell us and the public, if appropriate, which encrypted products are really viable for use around the world and which are not?
Page 49 PREV PAGE TOP OF DOC
Secretary HAMRE. Let me defer to Ms. McNamara to give you a technical answer, but let me make a pledge to you. We will come back to work with you in any form or venue. Some of it will have to be classified to give you exactly our assessment of that question. And we will be honest. We are not going to try to skew it and try to win talking points for a debate on the floor of the House. Where there is a very strong product out there and the foreigners are marketing it and it is hurting our companies, we will admit to that and we will agree to that. We are not trying to hurt our companies. We also think that American companies ought to be honest about the market that is hugely available that they are misleading you to pretend that it is not available to them, and it is. We will be glad to sit down and go through that, but let me defer to Ms. McNamara.
Ms. MCNAMARA. Mr. Andrews, thank you. We actually did such a study in 1996. We have not done one since. The results were classified. It was a tremendous undertaking. It is tremendously manpower-intensive after one gathers up products around the world. So it has been done in the past, it could be done in the future, and it is not something that is done easily, lightly, or in short order. I think that it took us one full year to, first of all, round up all of the products and we do spot checks now. But anything that would come from our agency would have to be a classified answer.
Now, some of the industries do annual reports on availability, but it doesn't get at the issue all the time that you actually raised. Does it, do they actually function the way they do, is there accuracy in packaging?
Mr. ANDREWS. I would go back to the Chairman's statement of June 9 which Dr. Hamre makes reference to in his statement. I think the Chairman of the committee is exactly right in suggesting that it is our job on the week of the 19th of July in this markup to try to strike the balance that we just talked about here. I think the underlying legislation strikes the wrong balance. Our goal should be to institutionalize a process where the review that you undertook in 1996 goes on on an ongoing basis and, most importantly, where you reach a conclusion that there is a potential security risk to the country that there are consequences to that decision, that it is not just a decision that you reach.
Page 50 PREV PAGE TOP OF DOC
So I would associate myself with the Chairman's June 9 remarks and I would offer my interest in cooperating with the Chairman and with the Administration to try to strike the proper balance when this bill comes before us next month, or this month.
Thank you, Mr. Chairman.
The CHAIRMAN. We are going to break for this vote. I understand, Dr. Hamre, you have to leave while we are—.
Secretary HAMRE. I apologize. I am supposed to be at the White House at 11:30. If I might take my leave, I will come back at any time, either at a hearing or to brief anybody. I would be honored to.
The CHAIRMAN. Well, we appreciate you being here today and we will call on you again in the future. But we will break now for this vote and be right back.
[recess.]
The CHAIRMAN. The meeting will please be in order. Mr. Taylor.
Mr. TAYLOR. Thank you, Mr. Chairman. I am going to be very, very brief. I want to thank Ms. McNamara for expressing her concerns about this. I was recently given a copy of a letter dated October 27, 1993, signed by a number of members of the California delegation, Republicans and Democrats, including some real surprises. And the quote on it is to Secretary Christopher and it is arguing against the State Department's recently imposed category 22 MTCR sanctions against China. It is written on behalf of Hughes Corporation.
Page 51 PREV PAGE TOP OF DOC
And, of course, the great quote in there is: ''You will find that Hughes' satellites are guarded around the clock by U.S. Government and Hughes personnel during their time in China, and the Chinese have no opportunity to touch or even view the embedded MTCR technology; therefore no technology transfer is possible at this time.''
I think our Nation, having been burned at least once in trying to commercialize things that have a military applicability, needs to be extremely cautious in the future; and I commend Ms. McNamara and I commend Dr. Hamre for expressing their concerns today and I hope this committee is listening.
Ms. MCNAMARA. Thank you for your support, Mr. Taylor.
The CHAIRMAN. Mr. Smith.
Mr. SMITH. Thank you, Mr. Chairman. I guess I should preface my remarks by saying when Congressman Weldon referred to the 45-to-1 vote last year, I was the one. So I have a different viewpoint on this.
And I also want to say—I am sorry Mr. Weldon is not here. I do not in any way question his motives on this. I do not believe he is arbitrarily trying to shut down the industry or blindly supporting national security. I just wish he wouldn't be so quick to question the motives of everybody else and say that we are willing to sell national security out for a few campaign checks from Silicon Valley. I don't think those sort of statements help debates like this in the least bit and for my part, they are not accurate. There are legitimate differences of opinion on this issue that should be aired and should be presented. And my difference of opinion starts with a couple of points.
Page 52 PREV PAGE TOP OF DOC
One, it was asked earlier, Why does the industry care about this? It is not a hard question to answer. They care about this because encryption is very, very important to a large number of products.
They care about it because the best encryption is going to sell. As e-commerce expands, as a variety of different technologies expand, having the ability to encode that data, whether it is a credit card or financial information or anything, is going to be a critical part of a product; and the person that has that best product is going to get a tremendous advantage.
And I guess the analogy in all of this for me is because it is so important, trying to control it is going to be difficult. I mean, you can think of prohibition, gun control. The bottom line is people really, really want alcohol and in our country really really want guns, so passing laws to prevent them is going to be difficult. And I think everyone would agree with that. I want to make sure that the committee members understand how important encryption is to these products and how, if you have the best encryption in your product, you are likely to get the sale and if you don't, you are likely to come in second place. And second place in the information technology business means that you don't sell anything. So it is very important and that is why it is important for people to be able to export it.
And I guess the first question I have, and I have several, is there is a report out now that says—let me get the numbers right—there are 805 foreign cryptography products being sold from 35 countries out there. This stuff is becoming widespread and at least 167 of those are top of the line. And it is also important in this debate to get the top of the line. When Mr. Weldon said that we will allow exportation of a lot of products, we do; 56-bit encryption which can be broken in, gosh, I don't know what it is down to now—a while ago it was 4 or 5 days, it is probably down to 4 or 5 hours now—how quickly you could break that 56-bit code so the person with the 128-bit, that is what they are looking for, is going to be able to sell that product.
Page 53 PREV PAGE TOP OF DOC
And the Wassenaar Agreement is not binding in any way. I mean, it is not like if somebody were to export tomorrow, we would have any way to punish them. There is already evidence that a lot of this exportation is happening so it seems like the product is out there a lot more widely.
And one more final point before I turn over to answer the question. We mentioned the Christian Science Monitor article about bin Laden having access to IT technology. We agree with two things on that: Number one, I am certain that he does; and number two, I am certain it is very, very important and very dangerous. No question about it. But he has that technology within the existing export regime.
If this export regime we had was working so well, if this was, you know, what we needed to do to prevent bad guys from getting access to technology, what is he doing with it? And the answer to that question is because the technology is so widespread.
And I think there is one other attitude that has permeated this hearing that is wrong, and that is that somehow only people in the U.S. can come up with the best product. There is no way somebody in India or Argentina could develop this technology on their own, which is ludicrous. The nature of technology is that incredible leap-ahead advancements have been done in the most obscure places. Just some very, very bright guy with a lot of time working on equipment has developed incredible software and incredible new technology products and it will continue to be that way. And I just don't think at the outset that we are fully explaining in this hearing the degree to which that technology is in fact out there.
Page 54 PREV PAGE TOP OF DOC
And right off the bat, I am curious: Are these folks just wrong? Are there not that many products being sold by that many countries?
Ms. MCNAMARA. I can't argue with your numbers, Mr. Smith, because I just don't know whether those numbers are 100 percent accurate or not. There are a lot of countries, as I said. There are 33 signatories to Wassenaar, each of those signatories is a producing nation of encryption. So in terms of the overall products, I can't tell you that.
In terms of strong encryption, yes, there is strong encryption out there. A lot of it is U.S., and a lot of it has been approved through the licensing regime. I think I need to correct the fact that there is top-of-the-line U.S. encryption that has been approved for license in very large areas of the world.
Mr. SMITH. I agree with you on that.
Ms. MCNAMARA. We are not approving only 56-bit encryption. There is 128-bit encryption that has been approved for the finance sector, the health sector, the insurance sector, the banking sector, U.S. corporations and their international subsidiaries for the purposes of e-commerce and the like.
So I think the statement that it is only 56-bit encryption that is being approved by the Administration is dated.
Mr. SMITH. Some of it is. Some of it is only 56-bit.
Page 55 PREV PAGE TOP OF DOC
Ms. MCNAMARA. Some is being approved at 56 bits? Oh, absolutely; 56 is being approved. But independent of bit length, we are exporting broadly around the world globally to the sectors I have described, to U.S. corporations and their international subsidiaries globally, and for the purposes of e-commerce so that individuals around the world can protect their own credit cards when they engage in commerce over the Internet.
Mr. SMITH. What are you prohibiting from being exported?
Ms. MCNAMARA. We are prohibiting for end use and end users so that we can shape the environment to be able to sustain our capability to prosecute in foreign intelligence—by foreign intelligence means, foreign militaries and foreign governments for the most part. And that is not prohibited either, let me say. There is no prohibition.
When I say that we are looking at it, it is through the process of individual licenses based on the end use and end user. All of those other sectors that I described are not individual licenses. They are in some cases license exception, which means for the most part they are license exception. They have to be looked at—a product has to be looked at, one, by the government, and anybody else who designs that product or a similar product is allowed to export. So for the record, there is a lot of very strong top-of-the-line U.S.-designed encryption out there recognizing the market and the use.
Mr. SMITH. And I think that is good. What I question is the limitations we place on it because of the availability of this data elsewhere that is out there. And I want to say, I mean I completely share the national security concerns. I know encryption technology is of national security importance. What I question is our ability to keep up with it. And I think there is a lot more out there than we are admitting and that we are hearing.
Page 56 PREV PAGE TOP OF DOC
And on the bin Laden point, that is sort of what this is all about. We do this to prevent people like bin Laden from beginning access to encryption technology, that is the definitive argument. And yet here we have an article that says he has it. How does that not argue that the policy is failing?
Ms. MCNAMARA. Well, as both Dr. Hamre and I said, you are never going to prevent an individual from breaking the law. Individuals speed through school zones all the time, but our response is not raising the speed limit in a school zone. And our response to the fact that an individual like bin Laden does have access to high-tech, high-end technology should not be the rationale for eliminating, in their entirety, export controls. And that is what the SAFE Act does.
Mr. SMITH. Two quick points. First of all, there is no downside to limiting the speed in a school zone. You are not costing your economic advantage. And particularly if you add that on to a comment that has been made a couple of times that U.S. domination of encryption technology is critical to national security. You have made that point several times and I couldn't agree more. And there is a substantial downside to placing restrictions on our companies and limiting their ability to develop it and that we will slowly lose that U.S. domination. And I will let this go.
There are other people who I am sure want to testify, but early on you said, without encryption controls, strong encryption would become ubiquitous. That was your argument. I guess what I would say is what technology has told us in terms of how quickly it has advanced is that with or without encryption controls, encryption will become ubiquitous in a very short time frame. The degree to which other countries are leaping ahead on technology, other countries that either don't belong to the Wassenaar Agreement or countries like Canada that I believe does belong to the Wassenaar Agreement and still exports 128-bit encryption technology are out there. Soon it will be ubiquitous. We will have the ubiquity that we fear without the leadership that we need to deal with it. That is my argument.
Page 57 PREV PAGE TOP OF DOC
Ms. MCNAMARA. And I would only add to that, sir, that Canada is a signatory to Wassenaar. They do export 128-bit encryption, but so do we for specific end use and end users.
Mr. SMITH. Canada doesn't have that limit, though.
Ms. MCNAMARA. They do in terms of—the product that you are talking about was exported by Canada to their signatory—their signature to Wassenaar—prior to the Wassenaar Agreement, and since then they have put controls on. I am just explaining the facts as I understand them. And so there is a lot of disinformation out there. There are lots of generic statements being made. In fact and in practice they are not true. And I don't know how else to comment on that.
In terms of what we are denying, we are not denying what we are saying is the licensing process allows U.S. Government to review products that industry is manufacturing and proposing for sale. The elimination of export controls would essentially eliminate or does eliminate any need for regulatory review of those products. When those products are reviewed and we understand the end use and the end user, and the national security implications of such, we work with the companies and many, many products are exported because there is no national security issue at risk.
Mr. SMITH. Thank you.
The CHAIRMAN. Thank you. Mr. Abercrombie.
Page 58 PREV PAGE TOP OF DOC
Mr. ABERCROMBIE. Thank you very much, Mr. Chairman. Ms. McNamara, thank you for being here today. I am especially pleased that you are, because to the degree and extent your testimony has not been read by other members who couldn't make it today, I am certainly going to try to make it my obligation on this committee to see to it that everybody does.
Ms. MCNAMARA. Thank you very much, sir.
Mr. ABERCROMBIE. I want to take issue with just one of your statements in here, but not for the purpose of engaging in an argument with you about it but to try to make a point which I hope will complement what you had to say.
On the end of page 2 in your last paragraph there, ''the interests of industry and private groups as well as the government must be taken into account'', the sentence before that: ''While our mission is to provide intelligence to help protect the country's security, we also recognize there must be a balanced approach to the encryption issue.''
I take the balanced approach to mean what you just discussed previously; that if there is no national security interest, obviously you don't want to do it. But we don't mean balanced here in terms of letting industry badger you or anybody else into trying to sell something that you believe is against the national security interest?
Ms. MCNAMARA. Your first characterization is correct, sir. I meant balanced if there is no national security interest, then we are pleased to see U.S. industry populate the marketplace.
Page 59 PREV PAGE TOP OF DOC
Mr. ABERCROMBIE. But this bill then as it is written right now, I guess, is trying to be sold to us on the grounds that it somehow strikes a balance. It doesn't do anything of the kind as far as I am concerned. It tips the balance way to the other side and eliminates the national security side of it at all.
Now, my good friend, Mr. Weldon over here, has made a case about trying to modify this bill and I believe he said in the course of his comments that he wanted this to be voluntary or he was not trying to give a veto, give a veto power to the National Security Agency or the Department of Defense. But I feel very strongly that you should have a veto power, because there is going to be no balance.
The question was asked of Dr. Hamre and you, what was involved in these companies? Can you see this from down there? Do you have an idea what I am holding in my hand here?
Ms. MCNAMARA. I noticed what you raised when the question was originally asked.
Mr. ABERCROMBIE. This has a picture of George Washington on it. They may change the size of the George Washington and so on over time and the design, but it still comes to the same thing. It is for money. And we spend $270-plus billion in this country every year on our defense and this committee has votes on literally life-and-death issues over people. And I could care less about somebody trying to make a buck off of the defense of this country and the lives of the people that are involved in it and that is what the bottom line is here.
Page 60 PREV PAGE TOP OF DOC
Now, I think that you should have, and I think the National Security Agency within the Department of Defense should have veto power over anything with respect to encryption that it believes endangers the national security interests of this country. That puts a tremendous burden on you, but you may see an amendment to that effect come forward from this committee depending on what else evolves out of these hearings. And I just wanted to alert you that some of us feel very, very strongly. Do I sound like I am speaking strongly on this? I think so.
Ms. MCNAMARA. I find you very believable sir.
Mr. ABERCROMBIE. Thank you. Let me just very quickly move to page 3. I won't take that as an encouragement so you can't get yelled at after. You said if—let me go backwards. If we take for conversation's sake here on page 3 in the middle of the page: ''If enacted, the bill would effectively decontrol most commercial computer software encryption and specified hardware encryption exports to all destinations, even regions of instability. It would also deprive the government of the opportunity to conduct a meaningful review of proposed exports to ensure its compatibility with national security interests.''
If we were able to put another amendment which would address specifically the signals intelligence role of the National Security Agency—and there I refer you back to your first page of your testimony—you say, It is the signals intelligence role that I want to address today. If we could craft an amendment that would specifically address that aspect, I am operating now on the premise for conversation's sake that we are not able to beat these companies who will give us all of this pious crap about what other countries will sell and all the rest of it and this is available generally and all the rest, but by the way—I am sure that is what we are going to hear. How they get up in the morning and take a look in the mirror and justify it is beyond me.
Page 61 PREV PAGE TOP OF DOC
But if we are able to deal with an amendment that deals specifically with that, could that be done? Could we craft such an amendment that would address the specific issue or issues surrounding signals intelligence? Because I take it from your testimony you consider that the most crucial and fundamental aspect of the national security interests you represent.
Ms. MCNAMARA. From my vantage point, sir, I am speaking now from the National Security Agency, the impact of the export—the elimination of export controls on encryption impacts directly the signals intelligence mission of this Nation, and we have that mission for the Department of Defense and for the United States Government.
So in terms of the export control process, the elimination of export controls directly affects that mission.
Now, there are other aspects of this bill that we also have concerns about as Dr. Hamre talked, because it also denies the U.S. Government agencies the opportunity to use key recovery for their own purposes.
Mr. ABERCROMBIE. Yes.
Ms. MCNAMARA. And the National Security Agency has a second —another mission. I can't call it second because they don't like to think of themselves that way. And that mission is the information systems security advice and service and equipment for United States classified systems. And we feel very strongly as well about the aspect of the bill that deals with the prohibition of key recovery for government's own use.
Page 62 PREV PAGE TOP OF DOC
Mr. ABERCROMBIE. Okay. Then with respect to the question of signals intelligence and key recovery, does the Department of Defense and/or the National Security Agency have language or could we request of you language that you think would address those questions in a manner, legislatively speaking, that would cover your concerns?
Ms. MCNAMARA. We would try and work with you on that. I don't have language to give you. We don't have language to give you. But we would happily work—.
Mr. ABERCROMBIE. You understand the reason for my question. I am not trying to put you on the spot so much as I don't want to come up with something where I am dreaming it up as we go along because I am outraged by the fraud of this bill. That doesn't get us anywhere. It gets us back on the rhetorical side of things. We will hear plenty of that back and forth anyway.
But if you have these concerns, I think it will be very useful if, in conjunction with the committee or with myself or with anybody else who is concerned this way, that we develop an amendment or amendments which would address specifically the questions—the two central questions that you have raised here today; because in the context of the bill as it is written, then, we would have to come up with an alternative that would address those questions and meet the concerns of those members of the committee which feel that that is legitimate and needs to be covered.
Ms. MCNAMARA. We will happily work with you.
Page 63 PREV PAGE TOP OF DOC
Mr. ABERCROMBIE. Thank you. Thank you very much, Mr. Chairman. By the way, excuse me, last thing, Mr. Chairman. I wanted for the record to say you will notice how often in today's hearing we have had to talk about having a classified hearing in order to deal with the full ramifications of these issues. That should send a signal to the American public that these are serious security issues. Not because we are trying to hide anything from the public, but this is not so simply dealt with in terms of other countries can sell it, so what is the difference, let it all go out there. There are serious, sobering, national security questions that can only be dealt with fully in a classified context, precisely because of the danger that is evoked by the spread of this technology with respect to our security interests.
The CHAIRMAN. Point well made, Mr. Abercrombie. Mr. Snyder.
Mr. SNYDER. I have no questions.
The CHAIRMAN. Well, it looks like that is about it, then. Ms. McNamara we apologize for keeping you so long but we appreciate your contribution. It is important, as Mr. Abercrombie just said, that people understand the national security implications of this legislation. We are going to be looking into it further. We will probably take some other action and have a markup on it and then we will see where to go from there. But we couldn't do these things without your expertise in these matters and we appreciate it.
Ms. MCNAMARA. Thank you very much, Mr. Chairman, and members of the committee for your time. Speaking for Dr. Hamre and myself, we absolutely welcome your help and your support in taking on this bill and giving us the opportunity to be heard and to provide you with the information that we hope will be helpful to you in your deliberations. Thank you very much.
Page 64 PREV PAGE TOP OF DOC
The CHAIRMAN. Again, thank you for your contribution. If there is no further business, the meeting will be adjourned.
[Whereupon, at 12:09 p.m., the committee was adjourned.]
A P P E N D I X
July 1, 1999
PREPARED STATEMENTS
July 1, 1999
[This information can be viewed in the hard copy.]
DOCUMENTS SUBMITTED FOR THE RECORD
July 1, 1999
[This information can be viewed in the hard copy.]
Page 65 PREV PAGE TOP OF DOC
QUESTIONS AND ANSWERS SUBMITTED FOR THE RECORD
July 1, 1999
QUESTIONS SUBMITTED BY MR. ORTIZ
Mr. ORTIZ. ''Thank you, Mr. Chairman. Maybe you can help me. What percentage of the global market for encryption product is currently captured by the United States industry? Do we have any idea?''
Secretary HAMRE. U.S. industry clearly dominates the world market with respect to encryption products. It not only has unregulated access to a domestic market of approximately 260 million savvy consumers, but it also has streamlined export access to roughly 70% of the world market in sectors such as: banks, securities firms, and their customers; subsidiaries of U.S. companies operating abroad; insurance firms and their customers; medical and health firms and their customers; and e-commerce applications to on-line merchants and their customers. U.S. industry is also allowed to export, in streamlined fashion, key recovery products to any end user and recoverable (e.g., network administrator controlled) products to most foreign commercial firms to protect their sensitive company data.
The Department hesitates to provide, at this time, percentages for U.S. industry's share of the global market. There have been numerous studies on the ''foreign availability'' of encryption products. Determining the ''foreign availability'' of encryption products is somewhat complex because a balanced policy on this issue requires a more nuanced metric than that of a linear count. Not all products reported available are actually available for sale and acquisition. In some case, the advertised strength of a product's encryption is not the actual strength. Certain factors determine or undermine the usability of a product, even if a product is available, e.g., the requirement for a key management infrastructure, the lack of user support, a poorly implemented encryption algorithm, and availability of the product in only one country or market versus global availability. The government is current assessing the extent and detailed composition of the global market to determine as accurately and scientifically as possible U.S. industry's share of the encryption market.
Page 66 PREV PAGE TOP OF DOC
QUESTION SUBMITTED BY MR. KUYKENDALL
Mr. KUYKENDALL. As sophisticated encryption devices become more readily available to enemy forces or terrorists, either through enactment of this legislation or through foreign markets, what additional resources—personnel, technology, equipment, research and development—will be needed by the Department of Defense for national security purposes to protect our own systems and provide intelligence support?
Secretary HAMRE. [This information is classified and retained in the committee files.]
H.R. 850, THE SECURITY AND FREEDOM THROUGH ENCRYPTION (SAFE) ACT
House of Representatives,
Committee on Armed Services,
Washington, DC, Tuesday, July 13, 1999.
The committee met, pursuant to call, at 10:37 a.m. In room 2118, Rayburn House Office Building, Hon. Floyd D. Spence (chairman of the committee) presiding.
OPENING STATEMENT OF HON. FLOYD D. SPENCE, A REPRESENTATIVE FROM SOUTH CAROLINA, CHAIRMAN, COMMITTEE ON ARMED SERVICES
Page 67 PREV PAGE TOP OF DOC
The CHAIRMAN. The committee will please be in order. The committee meets this morning to continue its examination of the encryption issue and to receive the testimony on legislation that proposes to remove our control on the export of United States encryption products.
H.R. 850, the so-called SAFE Act, is before the committee on sequential referral until July 23. As I announced last week, it is my intent to schedule a markup of this bill next week. Prior to markup, the committee will also receive a detailed classified briefing in closed session from the National Security Agency concerning the serious national security implications of the unmonitored and unregulated export of encryption products. I urge my colleagues to take advantage of the opportunity presented by that briefing next week.
Two weeks ago, the committee heard testimony from the Deputy Secretary of Defense and the Director of NSA regarding the national security problems that H.R. 850 would create for our government's efforts to battle international terrorism and to combat a range of other crimes directed against Americans. There does not seem to be too much debate among those who have lived with this issue over the fact that strong encryption in the hands of terrorists, drug dealers, and other bad actors will make it harder for our government to protect American lives.
The national security impact of unregulated encryption exports ought to be, in my opinion, the central element in any debate over whether or not we should allow highly capable encryption products to be freely exported.
As I indicated two weeks ago, it would be both tragically ironic and unconscionable for Congress to make it easier for an adversary to do harm to Americans, and at the same time we are working as a government to improve security for Americans all over the world through numerous counterterrorism and other initiatives.
Page 68 PREV PAGE TOP OF DOC
Beyond the so-called criminal element, which we will hear more about today, H.R. 850 will also put at risk the safety of our men and women in the armed services. Secretary Hamre was straightforward in his testimony earlier this month when he said, and I quote, ''unregulated release of the strongest encryption is going to do one thing: Put more troops' lives at risk, period,'' end quote.
Our witnesses this morning are here to help us better understand the serious national security implications of H.R. 850, and accordingly, we are pleased to have with us today the Honorable Janet Reno, Attorney General of the United States; the Honorable Louis Freeh, Director of the Federal Bureau of Investigation; and the Honorable William Reinsch, Under Secretary of Commerce for Export Administration.
After taking testimony from our Administration witnesses, the committee will hear next from a panel of outside witnesses representing industry. They will be Matthew Bowcock, Executive Vice President of Corporate Development of Baltimore Technologies, and Elizabeth Kaufman, Senior Director and General Manager for Security at Cisco Systems. Let me thank all of our witnesses this morning for being with us.
Before turning to our panel of witnesses, however, I would like to recognize the committee's Ranking Democrat Mr. Skelton for any remarks he would like to make.
[The prepared statement of Mr. Spence can be found in the appendix.]
STATEMENT OF HON. IKE SKELTON, A REPRESENTATIVE FROM MISSOURI, RANKING MEMBER, COMMITTEE ON ARMED SERVICES
Page 69 PREV PAGE TOP OF DOC
Mr. SKELTON. Mr. Chairman, thank you. It is a pleasure for me to join you in welcoming our distinguished witnesses on this encryption export policy hearing today.
I understand, Attorney General, this is your very first venture before the Armed Services Committee. We welcome you.
Director Freeh, it is good to see you, and we welcome you, sir.
And Secretary Reinsch, thank you for joining us.
Today is a very, very important hearing that we are embarking upon. The subject we are addressing is very complex, it is highly technical, yet it touches every part of our national being. It impacts on all of us individually and in a variety of ways. While this committee has a primary interest in protecting our national security interest, we cannot ignore the potential effects of what we do on our personal and private concerns and the commercial infrastructure activitie