1996 Congressional Hearings
Intelligence and Security

Testimony of the Honorable Bob Goodlatte
Before the House Judiciary Committee
on H.R. 3011 - the Security and Freedom Through Encryption Act
September 25, 1996

Mr. Chairman, Thank you for holding today's hearing on my legislation, the Security and Freedom Through Encryption Act which has 45 cosponsors, many members of this Committee, both Republicans and Democrats.

Although the session is quickly coming to a close, this is a very valuable opportunity for Members of this Committee to learn more about the complicated issue of encryption policy.

I will begin by stating from the outset that I, like every other Member of this Committee is one-hundred percent committed to giving law enforcement the tools they need to fight crime, including domestic and international terrorism. This is a responsibility that each one of us takes extremely seriously. Not one of us would support policy changes that jeopardize public safety or national security.

I also believe, however, that the chief roadblock to electronic commerce on the Internet is government regulation of encryption. No matter how badly policy makers wish and want the Global Information Infrastructure to be successful - it won't flourish until this roadblock is removed.

Mr. Chairman, the goals of ensuring the availability of strong encryption and of ensuring that law enforcement can continue to be effective are not mutually exclusive. We can do both.

Encryption is the ability to protect stored data and information being communicated on electronic networks. By using mathematical algorithms to encode information, a sender can scramble information so that only the intended recipient can decode it. Just as an individual who mails a letter today puts it in an envelope to ensure its privacy from prying eyes, a computer user can envelop a message sent via a computer system to ensure it won't be read by anyone who should not.

Encryption is a basic technology that is in great demand. Computer users world-wide want to be able to protect the confidentiality of their computer communications.

Americans currently enjoy the right to use any level of encryption we might choose. That is a right that I have been working to protect. However, the Administration's antiquated export controls are jeopardizing this right. Although computer users are demanding strong encryption, American businesses can't sell that strong encryption outside of the United States. Foreign competitors however, aren't delaying in developing and selling strong encryption. These foreign competitors are on the cusp of setting the world-wide standard for encryption technology.

Now that there are more than 35 million Internet users worldwide and more than 21,000 businesses are connected to the Internet, we've already entered the era of electronic commerce in cyberspace. And as more and more companies begin to rely on digital commerce, efforts to protect confidential and sensitive company information carried on this network become more important. The need for secure communications has moved well beyond governments to the privacy concerns of average citizens and businesses.

The threat of economic espionage is very real for American businesses. Strong encryption will allow American businesses to protect themselves from this threat. American firms currently lose billions of dollars each year due to the theft of proprietary economic information. That threat grows exponentially with the growth of digital commerce. The lack of good encryption leaves computer users vulnerable to the prying eyes of hackers, corporate competitors, and even foreign governments.

The Computer Emergency Response Team, known as CERT, based at the Carnegie Mellon University, in Pittsburgh reports that the number of reported intrusions into U.S. based computer systems rose from 773 in 1992 to more than 2,300 by 1994 - a 197 percent increase in two years. Additionally, CERT reported the number of sites attacked rose more than 89 percent during the same period.

Once into a computer system, hackers have the ability to steal, modify, or destroy sensitive data - thus the potential costs to business are staggering.

It just seems logical that if encryption technology is available to protect information being sent on electronic networks, people ought to be able to use that technology. I have learned in numerous meetings I have had with Administration officials on this issue that they view they view the situation quite differently. For instance, I have been told by officials at the FBI that export controls are a means to keep domestic users from getting strong encryption. The Administration is using export controls to shape what encryption technology is used internationally, and by extension, what is available in the United States. That threat should strike fear in the heart of every single computer user in this country and it just won't work.

I've said it before and I'll say it again - law enforcement just can't put the technological genie back into the bottle. Foreign competitors are selling good and strong encryption - and criminals and international terrorists are going to have access to that strong encryption. Studies show the availability of over 500 foreign products and programs with strong encryption capabilities - much stronger than U.S. companies can export. In addition encryption programs up to 128 bits such as Pretty Good Encryption can be downloaded from the Internet.

U.S. export controls simply will not keep encryption out of the hands of people who want to use it for criminal purposes. The days when U.S. export controls could effectively limit the foreign availability of encryption are long gone. Any criminal who has a computer and a modem can obtain strong security.

I applaud the Administration for looking at this issue and realizing that we must move toward a liberalization of our export controls. However, from the discussions I've had with Administration officials and from press reports of the latest "soon to be released" encryption proposal, I believe that the Administration is going down the wrong path.

Earlier this year the National Research Council released a report advocating that the Administration immediately liberalize export controls on encryption to 56 bits without implementing a "key escrow" plan which they said would not work. This report was very good news for those of us who had been advocating such a move. From information that I have gathered in my meetings with Administration officials and in recent press reports, I do not believe that the Administration is prepared to follow the recommendation in the NRC report. It is my understanding that the Administration is proposing a "key recovery" plan and allowing encryption exports up to 56 bits only if companies commit to implement key recovery. That is very bad news.

The arguments that the FBI, CIA and NSA have given me to justify the need for a massive "key escrow" or now it is called "key recovery" plan just don't ring true in 1996. They have stated that they cannot effectively crack 56 bit DES encryption. Yet, a recent report from a group of cryptography experts demonstrates that the government can crack a message encoded with 40 bits of encryption in .0002 seconds for .001 dollars. They can crack 56 bits in 12 seconds at a cost of $38. That's pretty good evidence that lifting controls to 56 bits DES or even stronger won't prevent the FBI and NSA from doing their jobs.

To slightly change an old saying about another controversial issue - "if you outlaw encryption, only the outlaws will have encryption."

A very compelling argument can in fact be made that the use of encryption will actually decrease terrorism. The use of security on electronic networks can prevent a whole new breed of terrorism. It could prevent terrorists from manipulating power plant operations or air traffic control systems, or even from changing the engineering designs of products, potentially endangering us all.

Current export controls aren't succeeding in keeping encryption products out of the hands of computer users in other countries, but they are putting U.S. computer companies at a competitive disadvantage. An economic study released in December of 1995 by the Department of Commerce demonstrates that failure to address these export controls by the year 2000 will cost the U.S. economy $60 billion and 200,000 jobs.

U.S. computer companies - world leaders in cutting edge technology - must have the freedom to develop products with strong security features which meet computer user demands and privacy concerns in the U.S. and abroad. The government shouldn't cripple the computer industry every time a new technology is developed that challenges law enforcement.

Many questions remain unanswered by the Administration and today I will ask them a number about their unreleased proposal. Many questions remain unanswered. My first question is why now? The Administration has been promising to send up its encryption proposal for months. Why do they choose to start talking about it the week before Congress is going out of session?

Many substantive questions remain. Will the Administration's proposal relax exports to 56 bit DES only or to other algorithm strengths? Will it apply to custom software only or to mass market software? Will it apply to stored data only or stored data and communications? Will participation be truly voluntarily? Will key recovery products be able to interoperate with nonkey recovery products? For that matter I will be interested to see how the term key recovery is defined. If the key must be held by an agent certified by the government, which for the time means an approved entity in the United States with at least some employees having secret security clearances, the proposal will raise many crucial privacy concerns.

Such a proposal involves substantial costs, would be a significant administrative burden for U.S. firms, and threatens the privacy of U.S. citizens.

In addition, if this doesn't work and individuals don't voluntarily embrace key escrow then Administration officials have said in meetings with me that they will seek legislation forcing Americans to use only encryption to which the government has access.

Such an action could open American citizens' and businesses' confidential data and valuable proprietary information to unwarranted government interception, search and seizure. Law enforcement officials and FBI agents will be able to obtain access to financial transactions and personal correspondence.

This represents a huge jump from the current situation since Americans can currently use and sell whatever encryption they want without having to give the key to anybody - much less the government. How will the government get built-in access to American's electronic information? The government intends to leverage user demand for global interoperability of computer systems; and American industry's desire to be able to sell a single program worldwide (i.e. to export) in order to satisfy that demand and meet foreign competition. Domestic law enforcement agencies and the NSA are driving this initiative - they want access to encrypted information.

That is why it is so crucial for Congress to pass legislation early next Congress to prevent this from happening.

I introduced the Security and Freedom Through Encryption Act (S.A.F.E.) to protect every American's right to use and sell encryption and their privacy as well as to liberalize current export controls. My legislation would:

Continue to ensure that all Americans have the right to choose any security system to protect their confidential information.

Prohibit "big brother" from mandating a back door into people's computer systems.

Make it unlawful to use encryption in the commission of a crime or to willfully cover up a crime.

And allow the U.S. computer industry to export generally available software and hardware if a product with comparable security is commercially available from foreign suppliers.

Similar legislation, PROCODE, has been introduced in the Senate by Senators Burns and Leahy. A series of hearings have been held on their bill in the Senate Commerce Committee where these issues have been thoroughly debated.

The legislation has the support of major industry groups. Privacy advocates across the ideological spectrum: not only such "liberal" groups as the ACLU and EPIC, but libertarian and conservative groups as Americans for Tax Reform, and the NRA have coalesced behind it.

They support my bill because the government's proposal is antimarketplace, anticonsumer and antibusiness.

As we enter a new century the opportunities created by technology abound - we must be willing as a country to use that technology to achieve success. We can't have our government holding us back as the rest of the world surges forward. Enacting legislation to reform export controls on encryption should be at the top of the list of issues that this Committee addresses in the 105th Congress. Thank you Mr. Chairman.