1996 Congressional Hearings
Intelligence and Security


PREPARED TESTIMONY OF
PATRICIA RIPLEY
MANAGING DIRECTOR BEAR, STEARNS & CO. INC.
BEFORE THE
HOUSE COMMITTEE ON THE JUDICIARY
WEDNESDAY, SEPTEMBER 25, 1996

Good morning. Mr. Chairman, Congressman Conyers, members of the Committee, thank you for this opportunity to testify in support of H.R. 3011.

My name is Patricia Ripley. I am the Managing Director at Bear, Stearns responsible for the Corporate Security function, which I started in 1990. My responsibilities include developing information security policies and guidelines, and reviewing and testing security implementation. Prior to 1990, I was in charge of the Computer Auditing function at Bear, Steams and before that was a principal with Arthur Young & Company, managing the computer audit group for the New York office and metropolitan region.

Security is very important to Bear, Stearns as it is to all of us in the securities industry. At Bear, Steams, my staff and I review and analyze technology and its impact on security at the Firm. We have a fiduciary responsibility to our customers and to our shareholders to maintain the confidentiality, integrity and availability of our data.

Each year, Bear, Steams spends hundreds of thousands of dollars building, buying, implementing and testing the security of our systems and networks.

My primary responsibility is to protect the information of our customers and of the Firm. Our business depends on the ability to communicate quickly and effectively with our clients and to advise them on financial matters. If we could not maintain the confidentiality of our clients' and our own data, we would lose our clients' confidence and their business. In today' s financial environment, we compete with firms from all over the world. The customers we court are investors both within and outside the United States. Our ability to present globally-deployed financial expertise to our clients makes us successful.

The growth of the Internet and open systems has presented us with new security challenges. There are people at Bear, Steams who feel that the security risks of the Internet outweigh thebusiness benefits. However, the Firm feels that we have no choice but to use the Internet if we are to stay competitive. Our clients want to do business over the Internet. Our competitors already do. We no longer have the option to stay off-line.

Because of my responsibility for security, I was asked to oversee Bear, Steams' connection to the Internet and its secure use. Because of the security concerns, we have taken a relatively conservative approach to using the Internet. We believe that any information that is passed over the Internet can and will be read by others, unless strong security measures are implemented.

Our "Internet Use" policy states that Internet "services should not be relied upon as a secure or efficient means of communication or data transmission unless appropriate security measures have been taken" and that "the Internet and third-party dial-up services are not to be used for transmitting or receiving any information that might be considered proprietary or confidential unless appropriate security measures are taken."

This policy has generated numerous inquiries as to what constitutes sensitive information and how to best secure it. The Wall Street environment is highly competitive. When we have information that gives us a market edge over our competitors, it is crucial that we keep that information secret. When our market analysts spot a trend, it is crucial that we provide that information to our clients -- and only our clients -- without it finding its way into the hands of our competitors. As you might imagine, much of the information in which we trade is extremely valuable.

For example, if we are advising a client on a potential acquisition, the name of the target company cannot become public before the client is ready to announce it. Should the information be made public too early, purchases could be made in the market that would make the planned acquisition more expensive, or even impossible to complete.The

securities industry is at the forefront of using information and communications technologies to facilitate global business. As more and more of this information is sent electronically, safeguarding the confidentiality of this information has become a vital concern to us. Encryption -- the process by which messages are disguised from unauthorized recipients -- is a technology to

secure communications between ourselves and our overseas clients and colleagues.

Because encryption relies on complicated mathematical formulae to scramble messages, encrypted messages cannot be read unless the receiver has a corresponding formula, or key, that will unscramble the message. The longer an encryption key is, the stronger it is considered to be and the more difficult it is for an unauthorized party to decode. The securities industry currently uses encryption technology to protect sensitive electronic communications domestically. We also use encryption to authenticate the originator of information, including digital signatures.

In the international environment, however, the industry has to contend with an additional set of adversaries. Besides our non-U.S. competitors, it is not unheard of for foreign intelligence agencies to conduct industrial espionage against U.S. firms on behalf of their domestic industries. Unfortunately, current export restrictions on encryption do not allow us to provide robust American-made encryption software to our non-US clients, as well as, hamper our efforts to communicate securely with them. This leaves us with two options: providing the client with encryption software made by a non-U.S. company, or refusing to communicate with the client electronically and trying to fmd alternate means of communication.

This leaves us and other U.S. securities firms at a disadvantage. Companies that reside in the country in which we're doing business can employ any encryption scheme on the local market they wish. Because of Bear, Steams' size, we prefer to standardize products that can be used by all of the locations we support around the world. It would be very cumbersome to attempt to buy, use, and integrate a different product in each country in which we do business.Furthermore, we do not feel as comfortable purchasing non-U.S. products as we do purchasing American- made software. Practically speaking, our technical staff, most of whom are based in the United States, would have difficulty working with vendors in different time zones all over the world. We also lack familiarity or comfort with the overseas products and vendors. We typically work face-to-face with vendors to evaluate and understand their product prior to buying them. We ask for hands-on product demonstrations and normally request white papers describing the products and evaluation copies of the hardware or software products to help us in the selection process. We also monitor the testing of products -- both formally by the vendor and also through reports over the Internet from other companies that have tested these products. The inherent difficulties of long distance product support is another consideration that dissuades us from using foreign products.

This is ironic because anyone anywhere in the world can download a copy of PGP (Pretty Good Privacy), a free encryption program available from Internet sites located around the world.

/1 For example, our legal department might wish to exchange data securely with a London law firm. We can ask the London firm to use PGP and can ask them to generate and send us their public key. Similarly, we can generate and send them our public key. Once done, we can then legally exchange messages and data that have been encrypted with the strong cryptography available in PGP.

Even if we were to communicate with all our overseas clients in this manner, PGP is not the ultimate solution because it will not work in all instances where we need secure communications. We use many different communication technologies, each of which can require a different security implementation and PGP does not work with many of them. Security products do exist

?????I Several such sites are listed at the Encryption Policy Resource Page at http://www.crypto.com/.?????in the U.S. to solve these problems, but they cannot be exported. Rather than try to fit our security needs in the parameters of U.S. export restrictions, we would like the option of using strong encryption products developed in the U.S. that have more functionality and are easier to use, and to be able to make those products available to our clients overseas.

As mentioned before, existing laws and regulations governing the export of encryption technology place our ability to communicate confidentially with our foreign clients at risk. The federal government classifies "strong" encryption as "munitions" and closely controls the use, sale and re-export of encryption software. These rules ignore the fact that many of the restricted products are already available outside the U.S. And even though the rules allow U.S. companies to export any encryption products they wish to their overseas offices, this process entails paperwork burdens and severe penalties for non-compliance.

In addition, the overseas office exception does not apply to communications with clients abroad. With respect to our clients, current law only allows us to export encryption technologies that use up to 40-bit keys. In the past, only government intelligence agencies with significant budgets for encryption technology would have been able to break such a code, but with the advent of faster and more sophisticated computers, an individual with a good computer can break a 40-bit key in several hours.

Competitor companies or governments with budgets dedicated to decrypting messages can unlock a 40-bit key in a matter of seconds. According to an ad hoc group of cryptographers and computer scientists, it would take an intelligence agency with a $300 million budget for decryption technology just a fraction of a second to decode a 40-bit key; a company with a $300,000 budget could break a 40-bit key in 24 seconds; and a hacker with $400 worth of software could do it in 5 hours. The inadequacy of 40-bit encryption is of particular concern to Bear, Steams and the rest of the securities industry. It is imperative that we have the tools toensure the confidentiality of our overseas business communications. As I noted earlier, the stronger cryptography available from foreign companies does not provide a workable solution to our security concerns.

The Clinton Administration sought to address the limitations of current export restrictions while still protecting its legitimate law enforcement interests in combating global terrorism and organized crime, by proposing a "Commercial Key Escrow" (CKE) system. The CKE system would permit U.S. companies to export 64-bit technology, but would require a copy of the key to be kept with a third party or escrow agent. The escrow agent, most likely a bank or encryption company, could release the key under two circumstances:

- to the owner if the key had been lost and it was needed to decrypt documents, and

- to law enforcement officials if they have the appropriate warrants necessary to obtain data which had been encrypted with the escrowed key.

Bear, Steams does not support the CKE system for several reasons. First, 64 bits is not sufficiently secure. While the Administration's proposal would be an improvement over the current 40-bit limit, the government acknowledged at an industry meeting with the National Institute of Standards and Technology that well-funded attackers (such as foreign governments) could break 64-bit encryption without too much difficulty. In addition, many of our overseas clients are already using stronger products that are available abroad and can be imported into the U.S. Those clients would have no incentive to move to a 64- bit key that would provide them with less protection than is currently available through their foreign suppliers.

Second, while we might be receptive to a key escrow system, we will not support allowing third party access to the keys, even if the government is the third party. Key escrow -- in whichindividual firms would keep the keys in their own off-site data centers or in safe deposit boxes 'is quite different from third party escrow. According to the Administration's proposal, government-approved key escrow agents are prohibited from informing parties when their keys have been disclosed. Thus, our firms will never be sure if the key escrow agent followed the proper procedures when disclosing our keys. No securities firm would be comfortable giving any third party, no matter how trustworthy, the means to access all of its confidential customer data and other proprietary information.

Third, the Administration has said it will enter into bilateral agreements with other countries to establish circumstances under which escrowed keys will be disclosed to those governments. Although the Administration has said it will only negotiate these agreements with friendly nations, it is disconcerting to realize that access to our keys could become a bargaining chip in a foreign policy debate. We are particularly concerned because some ostensibly friendly countries have targeted our firms as a source of information for their domestic industries.

Finally, we do not support the CKE proposal because it was designed to fit the needs of law enforcement and national security, not the needs of the business community and our clients. While we recognize the need for a strong national defense and vigorous law enforcement efforts, we do not believe that restricting critical technology is the way to solve those problems. The U.S. stands to fall far behind other countries in electronic commerce if it cannot develop a secure worldwide payments system. As discussed above, 40-bit encryption falls far short of this goal. Indeed, this view was endorsed by the National Research Council, a bipartisan non-profit institution that provides advice to Congress on science and technology. In a report released on May 30, the NRC said:

"The U.S. government's current support of escrowed encryption as a technical pillar of its cryptography policy is inappropriate now because there are too manyunresolved questions about this approach. Even when these problems are resolved, adoption of escrowed encryption or of any other specific technology standard by the commercial sector should be voluntary and based on business needs, not government pressure."

Mr. Chairman, we believe H.R. 3011, The Security and Freedom Through Encryption (SAFE) Act, rises to the NRC's challenge. H.R. 3011 would:

- Allow the unrestricted export of "mass market" or "public domain" encryption programs such as "Pretty Good Privacy;"

- Require the Secretary of Commerce to allow the unrestricted export of other encryption technologies if products of similar strength are generally available outside the U.S.;

- Prohibit the federal government from imposing mandatory key escrow policies on the domestic market; and

- Limit the authority of the Secretary of Commerce to set standards for encryption products.

We believe that the bill addresses the problems with current law in a balanced and measured fashion. I and my colleagues in information security need to fmd ways to provide our firms with secure communication without violating the government's outdated encryption export policies. In some cases, this has meant using non-electronic

means of communication, an obvious disadvantage in this era of instant global communication. By allowing our firms to provide secure communications with clients and partners abroad, H.R. 3011 will foster growth in the capital markets, enhance the global competitive position of U.S. securities firms, and lead to a new era of electronic commerce.

I thank you for introducing this important legislation and for giving me an opportunity to testify in its support. I would be happy to answer any questions you may have.