1996 Congressional Hearings
Intelligence and Security


S. 1726

June 12, 1996


Good morning and thank you Mr. Chairman. My name is Jim Barksdale. I am President and CEO of Netscape Communications Corporation of Mountain View, California. It is a privilege to be a witness today as the Senate begins deliberation of an issue which is critical to the high-tech community in the United States. The subject of encryption may strike some Members as an esoteric one. In fact a lot depends on resolution of this issue -- whether America's high-tech industry can effectively compete in the global marketplace, whether the research, development and product design of America's entrepreneurial geniuses will be stolen by foreign competitors or governments, whether citizens of this country can continue to enjoy the privacy they have come to expect, and whether that worldwide network of networks, the Internet, will become not just a town hall but a bustling electronic marketplace.

Netscape strongly supports the Pro-CODE legislation (S. 1726) for the following reasons:

(1) The bill recognizes that strong encryption is essential to the Global Information Infrastructure (GII) achieving its potential as a means of commerce and private communication by protecting individuals and companies from computer crime and unauthorized access.

(2) The bill permits the high-wage U.S. software and computer industries to compete on an equal plane with growing foreign competition in the burgeoning world market for products with strong encryption.

(3) The bill aims at keeping U.S. products with strong encryption from being sold to countries, individuals and entities that present actual threats to national security, instead of assuming that all foreigners must be prevented from obtaining these U.S. products.

(4) The bill focuses on who will receive U.S. export products abroad, rather than the bit key length of the product, thereby avoiding bit key length limits that ignore competitive threats from strong encryption distributed by foreign suppliers.

(5) The bill rejects mandatory key escrow regimes that would seriously undermine market opportunities for U.S. products abroad because the overwhelming majority of countries do not have a mandatory key escrow system.

(6) The bill recognizes the reality and economic importance of distributing software over the Internet by including Internet distribution as a measure of whether a product is available on the mass market.

Mr. Chairman, these hearings are particularly timely because they follow release of the National Research Council's (NRC's) study, Cryptography's Role in Securing the Information Society. This report was authored by a broad range of experts, including prominent members of the law enforcement and national security communities. I am honored to appear before this Subcommittee on the same day as Kenneth Dam, Chair of the Committee that developed the report. While Netscape does not agree with everything in the report, we do think that it sets out general principles that provide an important basis for understanding the issues.

First, the NRC Report makes clear that encryption is necessary to electronic commerce and that cryptography will be a fact of life in the information economy, whether it is available from U.S. companies or from foreign competitors.

Second, the Report emphasizes that encryption should be encouraged because it plays an important role in protecting our national security and in preventing computer crime and economic espionage, while increasing confidence in communications networks.

Third, the Report cautions against imposing top-down government solutions on this issue (such as mandatory key escrow) that are not harmonized with market forces.

Fourth, the Report recommends that instead of trying to make mass market encryption "go away," government should adjust to a world in which encryption is readily available to computer users by taking steps including upgrading its technical abilities to decrypt information.

Fifth, the Report supports an open debate on this issue, rather than one based largely on classified information.


Netscape was founded in 1994, but I am not new to the subject matter of today's hearing, having worked previously at McCaw Cellular, Federal Express, IBM, and with Naval intelligence during my military service. In fact, the very subject of encryption is not new. Encoding and decoding information has been part of American culture since the Revolutionary War, and most of us are aware that cracking the German Enigma machine significantly aided Allied efforts during World War II. But clearly there is a new world out there today. The Cold War is over, telecommunications structures throughout the world defy physical boundaries and allow new, life-improving products and services to be delivered to citizens in ways not imaginable ten years ago. There has been a sea change in the way we communicate.

New and exciting ways to use and transmit information have created a huge demand for more secure communications available through encryption. Netscape finds itself right in the middle of this tornado of change. All of our products include encryption, as privacy and security are fundamental building blocks of effective communications. Selling software to the mass market on four-month product cycles with thousands of beta testers located outside the company all via the Internet is a new idea. It is being embraced by established software concerns as a new model to follow. It is totally different from the old idea of writing custom software for a few big customers. Proprietary and stand alone systems are becoming the past. Internet access and communications software is the present. A computer connected to a network is in the immediate future for every American.


Current U.S. government policies on encryption are not working. They hurt U.S. competitiveness, and they must be changed. A clear understanding of market conditions in the world suggests it is not a question of whether U.S. policies need to be changed; the questions are when we will change them and whether we will change them soon enough so that foreign entities and governments do not replace Americans as the dominant players in the world software and hardware markets. The time for action is now, not next year or the year after.

A. Export Controls Thwart U.S. Competitiveness

People and businesses around the world want to communicate privately and securely. They want their medical records to be accessible when their needs require it, and they reasonably expect and want that information to be between them and their doctors. They want to send messages via electronic mail only to their intended recipients, and they want to buy boots or stocks electronically without fear of having their account information or credit card numbers intercepted and stolen. That is only reasonable.

Today, unfortunately, U.S. export restrictions on encryption threaten this new environment. Export restrictions block American participation in this new marketplace, limiting not only Netscape and its American competitors, but also our customers. Netscape can sell 128 bit key length encrypted products in the U.S. and Canada. So can any other company or individual, foreign or domestic. But while foreign companies can compete with us in the U.S., our foreign competitors can sell their 128 bit encryption products abroad, and we can't. U.S. export laws only permit export of products of no more than 40 bit keys for all but a narrow category of products for financial transactions.

For example, a large, corporate customer in Germany wanted to use Netscape's 128 bit key software to run a national health care information network. Each user would have a smart card carrying a chip containing their complete medical records and health care information in encrypted format. A patient could go from doctor, to employer, to government agency for treatment, benefits, and other assistance without having to keep track of paper, forms, and files. Because this network would have used encryption, the patient's information would have remained private. If the patient had to travel outside of Germany, the patient could transmit or retrieve information via this network because it is based on the open and interoperable standards of the Internet, which Netscape products support. Hence, if a patient had to come to a specialty hospital in the U.S., the records would be transmitted completely privately and with complete integrity. It is worth noting that telemedicine networks like this one are critical for U.S. citizens in rural areas if they are to get the same level of health care that citizens in urban areas enjoy.

Unfortunately for Netscape, because of U.S. export controls, Germany will build its telemedicine network by having a German company build the software from scratch. This not only means a loss of a sale to Netscape. It also means that a new competitor has been created where one did not exist before. As you can see from this example, U.S. export controls not only cost American firms sales, but end up aiding overseas competitors or even worse causing new ones to be created.

B. The Demand For Network Software With Strong Encryption

Netscape has been all over the world selling product. And we have learned that our foreign customers do not want and will not buy our exportable 40 bit product. It has been hacked by college students in France and Berkeley, California. Foreign customers want to be on the same level playing field as U.S. based firms, meaning they want the same level of encryption strength that U.S. based firms use: 128 bit, or more. In addition, U.S. firms with officers, vendors and customers overseas want to have the same level of security across their entire network. They can't have their U.S. executives communicating in a secure manner using 128 bit encryption between two U.S. locations, then have to build a separate network to communicate between Billings, Montana, and Berlin, Germany, in which only vulnerable 40 bit encryption is used.

Demand is growing rapidly for secure internal corporate networks, or "Intranets," which connect sites in different locations that are parts of the same enterprise. Also, the demand for company-to-company communications and transactions across "Inter-Enterprise Networks" is large and lucrative. Many U.S. firms buy supplies from overseas or vend their products and services to foreign customers. Transmitting payment information or product over the Internet is efficient and timely. However, without adequate levels of encryption, the risk of data loss or unauthorized access is too great for some to risk. Last, but perhaps most important for the consumer, is the need for encryption by businesses doing commerce online in the digital era. Consumers' faith in the GII will not blossom unless it is trustworthy. For now in the U.S., at least, consumers can use strong encryption. However, the need for security does not end at the physical borders of the U.S.

During the hearings on "Security in Cyberspace" held on May 22 before the Senate Permanent Investigations Subcommittee, it was reported that major banks and large corporations incurred an estimated $800 million in losses last year due to unauthorized access into and attacks upon their computer systems. (This figure is the result of a survey conducted by the subcommittee.) Responsible corporate customers that provide jobs to millions need strong encryption to protect their computer networks and communications channels here in America and abroad as they try to compete in the global marketplace.

C. Foreign Availability: Myth, Reality, & Customer Perception

I realize this is a new subject for many Senators, so I want to say this again. We only want to be able to sell the same products in Europe or Asia that the rest of the world can sell in Europe, or Asia, or the U.S. Others can do it. We can't. Let's examine a few examples of who the others are.

The most fundamental point to understand about foreign availability is that the U.S. does not have a monopoly on the world's cryptographers. Hundreds of people all over the world have the ability to create the mathematical algorithms that underlie encryption. Many are in Europe, the Middle East, Russia, China, and Japan.

Cryptographers working in those nations can create the code to meet the demand that U.S. firms are denied from meeting. There are two examples of foreign competition that I would like to highlight. One is a very small company in a developing nation and the other is one of the largest companies in the world in one of the most developed countries.

Thawte Consulting, Inc., of South Africa produces Internet software called Sioux based on the same open standards we use, and offers the same encryption strength as our domestic product -- 128 bits. As I've already described, U.S. export laws limit export of products with encryption to levels far weaker than this (i.e., 40 bits). Thawte Consulting targets corporate customers, the high end of the communications software market, selling server software, which yields the highest profits. Thawte Consulting distributes its Sioux software to the world via the Internet at extremely low cost. Also, because they distribute their product on the Internet, bugs in their product are fixed after being identified by beta testers -- the same type of interested users that help American companies improve their products.

Export controls have tied our hands, placing us at an often embarrassing marketing disadvantage, enabling companies like Thawte Consulting to establish a global market presence without effective competition from American companies. As you can see from this enlargement of the Sioux web site, Thawte even uses U.S. export control laws as an explicit part of its marketing strategy, playing off concerns about the inadequacy of U.S. export quality encryption, advertising on the Web that:

Sioux offers full 128 bit encryption around the world, unencumbered by US ITAR regulations . . . .

The U.S. ITAR regulations prohibit the export of strong encryption technology from North America. This means that companies such as Netscape, Microsoft and Open Market have to ship "Export Versions" of their software which have limited encryption capability -- using 40 bit keys which can be trivially deciphered.

Since Sioux was developed outside of the ITAR framework it ships with full encryption enabled all over the world. Why limit your security?

The threat from Sioux is in no way hypothetical. It functions as an add-on to Apache server software (an American-based free-ware product), which in the first quarter of this year, achieved greater market share than Netscape, Microsoft, Oracle and Open Market combined.

The other example is a computer chip produced by Nippon Telephone and Telegraph (NTT) of Japan. This chip is based on a reproduction of American technology and possesses a public key strength of up to 1024 bits. NTT will sell this chip in the U.S. and elsewhere under the established brand name of RSA, a well known encryption technology firm just up the road in Silicon Valley from Netscape. Jim Bidzos, CEO of RSA, is here today as a witness so I will not go into any further detail on the example of NTT, since he is in a better position to explain the potential of NTT's encryption products. However, as several Senators have reminded us, encryption technology is not the first technology Japanese industry has reproduced with the intention of dominating the global marketplace. They are spending significant sums of money at the government level to leapfrog ahead of our technology in this area. They know how large the market can be. Just as they did with consumer electronics, cars and steel.

Finally, as an exporter, I stress that the existence of U.S. export control bit key limits creates a serious customer perception problem abroad. Customers are aware that U.S. export controls block export of strong encryption. As you can see from the Sioux web site, our foreign competitors are even beginning to advertise on this basis. Until U.S. export control laws are relaxed, our potential foreign customers will be suspicious of an important feature of our product.

D. The Threat To U.S. Companies Is Imminent

The damage export controls are doing to American competitiveness and leadership in computer hardware and software is a clear and present danger. Without immediate relief overseas, competitors will gain substantial footholds in valuable and strategically important markets in industrialized countries. Once these footholds are established, foreign technical standards will drive the rules of the marketplace. Success in the Internet industry depends on driving the deployment and acceptance of technical standards. The size of the company is not a determinative factor. Two years ago no one really paid attention to Netscape, a small start-up company. Today, established industry leaders have radically changed their strategy to follow our lead even though we remain a small company by comparison. Just as we have established an enviable market position in a short time frame, others could supplant us in a matter of a few months. Products don't have to be boxed or shipped. People download products from the Internet immediately. The product cycles in our markets are measured in a few short months. If we continue to be prevented from meeting demand for products with strong encryption capabilities, competitors will do so at our peril. These competitors will set Internet standards and sell their products here, making America dependent on their technology. This in turn could seriously undermine America's leadership in the many U.S. industries that are positioned to be leaders in the electronic marketplace. We realize that congressional "product cycles" are a lot longer than those for our industry, and that years divisible by four are prone to gridlock. We suggest, however, that this is a matter that cannot wait until the 105th Congress assembles.


The Administration has insisted that products incorporate key escrow mechanisms that guarantee back door access for government purposes as a condition of allowing export of products to non-banking customers with more than 40 bit keys. The government began by insisting that it holds all the keys, and has moved in a somewhat positive direction, although in Netscape's opinion not far enough. It is clear from the standards the government proposed for escrow agents that the government is seeking the easiest possible access for government agents to encryption keys.

A. Mandatory Key Escrow Poses Serious Problems for U.S. Exporters

I have to point out that this government goal runs counter to making U.S. product a success in international markets. Imagine the reaction of a foreign customer if offered a product to which the U.S. government has immediate, ex parte access. Just think about it. If a Japanese company came to you with a terrific communications product, but the Japanese government had ready access to the key and could listen in at will, would you buy it? Our U.S. customers wouldn't buy from a Japanese company either if the Japanese government held the key. FBI Director Louis Freeh has made clear in public testimony that there are dozens of countries and state-sponsored economic espionage cells actively trying to get their hands on corporate proprietary information. Given that threat, it would seem the remedy would not be to have access to that information controlled by governments.

B. Mandatory Key Escrow Is An Untested And Cumbersome System

I don't mean to minimize the interests of the law enforcement community. They have a tough job to do and they want to have every possible tool at their disposal to watch suspected criminals. I have enthusiastically cooperated with the law enforcement community at McCaw Cellular and at Federal Express. I know that wiretaps are useful tools for law enforcement. However, it does not follow that the equivalent of telephone wiretaps must be extended to data networks.

Remember that in 2 or 3 short years, there will be 100 million people connected to each other over the Internet. Each of these people is likely to use dozens, if not hundreds, of separate keys in the course of a month of transmissions. Withdrawing and managing these many keys securely will be a major and expensive management problem. Furthermore, e-mail communications often don't travel in one piece across the Internet. They are often divided into separate "sub-packets" of information that at times even travel along different routes to reach their destination. The speed, volume and structure of electronic transmissions would require a major increase in law enforcement staff in order to carry out data network wiretaps. These two problems together would result in the development of a massive new surveillance bureaucracy to achieve a wiretap equivalent in this area. I suggest very respectfully that there might be better ways for law enforcement to root out crime. In addition, I do not believe that this country can afford to build such a bureaucracy.

C. Existing U.S. Policy Has Negative Effects on National Security

In many policy discussions widespread use of strong cryptography is presented as a threat to law enforcement and national security interests. Perhaps the most important insight that comes from the NRC's report is its conclusion that cryptography is in fact one of the best protectors of our national security. The report explains that "export controls have a number of potentially negative effects on national security that policy makers must weigh against the positive effects of reducing the use of cryptography by hostile parties." (NRC Report, Cryptography's Role in Securing the Information Society, May 30, 1996, at 4-25.) We have often been told by the FBI that foreign governments have shifted much of their intelligence focus to the business sector. Hostile intelligence efforts to pry secrets from corporate America are a genuine national security threat. Fraud and computer-related crime also rank high among our law enforcement concerns. Wide deployment of strong cryptography would provide substantial and effective defenses against those hostile intelligence and criminal forces. Indeed if all commercial text and voice communications were encrypted, at least when they passed over publicly-accessible communications links, we would significantly reduce the risk of compromise of commercial and other information.

It is important to note that the world of electronic communications changes rapidly and many technological factors other than encryption contribute to the difficulties confronting law enforcement and national security interests. According to the House Permanent Select Committee on Intelligence the ability of the NSA "to filter through the huge volumes of data and to extract the information from the layers of formatting, multiplexing, compression, and transmission protocols applied to each message is the biggest challenge of the future, [while] increasing amounts and sophistication of encryption add another layer of complexity." (Intelligence Community in the 21st Century, p. 121) Such a finding seems to indicate the need for further consideration of our nation's security needs in the digital era, separate from these proceedings.

If the present impasse between the policies proposed by law enforcement and by industry continues, the GII will not be secure and will be ripe for exploitation by malicious forces. The May 22nd hearing before the Governmental Affairs Committee's Subcommittee on Investigations revealed that government computer systems, including the Pentagon's, have been repeatedly penetrated. Our power grid, gas and oil pipelines, and stock exchanges are among potential civilian targets. This is the exact opposite of the result intended by the present export policy. So in my view, the core assumptions of export controls on encryption are flawed. Marketplace solutions are more attractive to consumers than having "big brother inside."

D. Existing Policy Is An Inefficient, Unsuccessful Attempt to Promote Mandatory Domestic Key Escrow Encryption

In the case of law enforcement, the relevance of export controls is particularly problematic. The FBI and the various state agencies that use electronic surveillance are, in most cases, concerned with domestic, not foreign, activities. Thus, what is of most direct concern to them with regard to encryption is deployment of unbreakable encryption in the United States, not the export of encryption to foreign countries. Yet, the FBI and the Department of Justice have strongly supported the continuation of export controls. Indeed, the NRC report notes the candid admission of the FBI that "the use of export controls may well have slowed the speed, proliferation, and volume of encryption products sold in the U.S." (NRC Report at 4-13, n. 29)

The Administration's May 20 "export and escrow" proposal seems to be a back door effort to affect the domestic use of encryption, not an effort to maintain NSA's capabilities with respect to international communications. If that is in truth what the Administration is seeking, one must wonder why they do not seek a more direct regulation of domestic use of encryption instead of the indirect, ineffective and counter-productive continuation of export controls.

There have been no public proposals to limit encryption in the U.S. But if that's what the export control laws are covertly trying to accomplish, we ought to have an open debate on that subject. The existing policy distorts U.S. export control policy for domestic purposes. Although well-intentioned, the policy has not worked to bring mandatory key escrow to the domestic market, and is inflicting significant harm on U.S. manufacturers while jeopardizing U.S. leadership in Internet-related industries.


Netscape does not quarrel with the government's effort to encourage voluntary escrow in the U.S. by creating an escrow-friendly infrastructure with Federal purchases and the like. Reliable key management practices are important to ensuring that encryption systems do not result in lost data in the event that an owner's key is destroyed or lost, for example, after the departure of an employee from a company. Management of keys is important to the trustworthiness of the infrastructure.

However, available encryption must be strong enough to withstand attack over time; otherwise the infrastructure will be too fragile. U.S. policy must allow availability of strong encryption. I'll give you an example of why this is so important. With the rise of the Internet, product teams spread out over different locations in different countries and including different contractors and subcontractors often work on the same project over the Internet on inter-enterprise networks. Some of the information on these networks -- for example, airplane and automobile designs -- retains great value over time, making it worthwhile for foreign intelligence agents and corporate spies to devote significant time and computing power to cracking it. Furthermore, as explained in Moore's law -- that computing power doubles every eighteen months -- advances in computing power mean that information will be much easier to crack in only one or two years, when it still may retain substantial value. Export controls on key bit length up to an artificial limit (e.g., 56 bit) today fail to recognize that these and other customers want strong encryption that will withstand attack for a long period of time, outlasting improvements in code cracking technology.

Self-escrow coupled with development of a free market in escrow services (e.g., a private sector and independent Certificate Authority Service Provider (CASP)) is the better solution. While encouraging development of a reliable key management infrastructure, the government should steer clear of mandating use of particular third party systems that would put vendors and software designers in the impossible position of forcing customers to use government-approved systems.

Where we disagree with the government is in its use of export controls as a tool to affect what kind of encryption is sold domestically by U.S. companies. Proposals to create a domestic mandatory key escrow regime through export control incentives will not work, as I explained earlier. But I want to stress, however, that we want to work with the U.S. law enforcement community. And I think the U.S. government would rather work with Netscape in Mountain View, California, than with a Japanese manufacturer or some cryptographer working out of his or her garage in South Africa. If export controls are not lifted, U.S. law enforcement's task will be much more difficult as it will be dealing with foreign companies that are providing dominant security products and services. By winning this battle, they might lose the war.


Strong encryption provides many benefits and solutions. For example, encryption in communications software provides an envelope for electronic mail. Unencrypted e-mail is not secure -- it is really an electronic postcard. The contents of the message are uncovered and visible for all to read. Encryption enables users to transmit private messages via the Internet in the same way that people mail letters and send packages through Federal Express and other delivery services. Because FedEx is able to provide its customers with a reliable, trustworthy, and secure delivery system worldwide, it enjoys a healthy share of the global market and as a result has driven standards and made its service readily available to most anyone, anywhere. Netscape's Internet software contains a browser to navigate the world wide web as well as e-mail. Integrating these two functions into a seamless package responds to customer demand for easier to use products and for convenience.

In addition to its importance for e-mail, encryption is needed to secure online transactions. From protection of payment information such as a credit card or bank account information to personally identifiable information, such as a user's home and e-mail addresses, encryption facilitates electronic commerce. Without encryption, authenticating and guaranteeing the integrity of data transmitted from a customer to a merchant and back cannot be accomplished. Without encryption, consumers will not trust the Internet and the network will be vulnerable to computer crime.

Also, individuals and businesses need to store information for safekeeping. In the physical world, safe deposit boxes, vaults, safes, and repository services satisfy this demand. In the digital world, people need to have the tools to entrust this medium to transport and store their personal data and sensitive trade secrets. Encryption is essential for digital signatures and guarantees that the content of the communication has not been altered during transmission.

Piracy of intellectual property is a serious problem in the global marketplace. However, if export controls were removed and strong encryption allowed, publishers of content on the Internet could protect their intellectual property by distributing it securely and marking it with encrypted information bound to the data.

Encryption can also help to protect consumer privacy, the subject of hearings before the Federal Trade Commission only last week. The FTC explored technological solutions to protect a computer user's personally identifiable information from being collected and used without his or her consent. A user of a public key certificate service can go online using their digital i.d. as a privacy shield without ever having to disclose other personal information. Thus, encryption can protect children from unscrupulous marketers and from online stalkers -- encryption can be the Internet latchkey.


Widespread use of encryption depends on its being incorporated into mass market products and services. Entrepreneurs around the world recognize this fact, and we certainly understand that at Netscape. However, export controls prevent us from acting upon this fact. S. 1726 would solve the problem.

Mr. Chairman, we congratulate you and the other sponsors on the introduction of S. 1726 and on these hearings, and look forward to working with you, and all members of the committee on both sides of the aisle toward its swift passage.


Jim Barksdale, 53, is President and Chief Executive Officer at Netscape Communications Corporation in Mountain View, California. In these positions he oversees all aspects of the growing Internet software company, whose goal is to provide open software to enable people and companies to exchange information and conduct commerce over the Internet and other global networks. Barksdale joined Netscape Communications in January 1995. He has served on the board of the company since October 1994.

Previously, Barksdale served as CEO of AT&T Wireless Services since September 1994, following the merger of AT&T and McCaw Cellular Communications, Inc. In that position, he oversaw the daily operations of the business, guiding AT&T's efforts to maintain a leadership role in wireless communications. From January 1992 until the merger, he held the positions of President and Chief Operating Officer of McCaw, a company with revenues that exceeded $2 billion in 1993.

Prior to McCaw, Barksdale spent twelve years with Federal Express Corporation of Memphis, Tennessee. From 1979 to 1983 he served as Chief Information Officer, overseeing the development and implementation of the company's world renowned customer service and package tracking systems. In 1983, he became Executive Vice President and Chief Operating Officer.

After his appointment to that role, the company grew from $1 billion to $7.7 billion in revenues and expanded operations to 135 countries. Under his leadership, Federal Express also became the first service company to receive the Malcolm Baldrige National Quality Award. Barksdale serves on the boards of 3Com Corporation, @ Home, Harrah's Entertainment, and Netscape Communications.

For More Information Contact:
Peter Harter, Public Policy Counsel
Netscape Communications Corp.
Phone: 415 937 3719

1997 ITAA (Information Technology Association of America) All rights reserved.