New Directions in Commercial Encryption Policy
Senate Commerce Committee
July 25, 1996
Dealing in a balanced fashion with the spread of encryption is one of the most difficult public policy issues we face today. Our response must address three important interests: law enforcement, national security and our commercial and privacy interests. I would like to provide some comments on how the Administration's policy balances those interests, the results of our study of the global encryption market, and our view of S. 1726, which is pending before the Committee.
Making strong commercial encryption widely available is in the best interest of the United States. Indeed, it is inevitable, as we learn to exploit the advantages of powerful computers and advanced telecommunications. These technologies are rapidly leading to the creation of broad electronic networks which will form the basis for communication and commerce in the future. The ability to encrypt electronic messages and data will be essential for electronic commerce and for the full development of information technology. Businesses and individuals need encrypted products to protect sensitive commercial information and to preserve privacy, and their demand for those products will further facilitate the spread of encryption.
This trend is also economically desirable. Protecting the confidentiality of business information will reduce losses from industrial espionage. Perhaps more important, we are the world's leading producer of information technology with almost half of the world's producers, and roughly half their revenues come from exports.
To retain this leading position and the substantial benefits to our economic health it produces, we must ensure our producers' continued ability to capture foreign market share. Our companies must be able to meet the growing demand for products with strong encryption. If they do not, foreign firms will ultimately step in to fill the void. The United States' policy on encryption must advance the interests of this vital industrial sector. We must shape our export control policies to allow American companies to take advantage of their strengths in information technology in their pursuit of global markets.
Our problem arises from the fact that the increased use of encryption carries with it serious risks. The spread of powerful encryption products poses very real problems for law enforcement and for our national security -- as my colleagues have testified. Any policy on encryption must address these risks if it is to be in the national interest. The Clinton Administration is making a very serious effort to develop a policy that balances the expanded availability of the strong encryption needed for economic growth and individual privacy with our national security and law enforcement needs. Most important, we are attempting to do that in close consultation with our allies and the private sector and by working with the market, not against it.
We have been working with industry to develop a framework, based on a key management infrastructure which would allow government to recover the key where necessary. This will encourage the use of strong encryption while protecting law enforcement and national security interests. This framework will be developed and implemented by industry, not the government, and would be available for both domestic and international use. Participation in it will be voluntary, and Americans will continue to be free to use any encryption they choose in the United States. This approach clearly differs from previous efforts, such as "Clipper Chip," which contemplated a dominant role for government. Our approach takes the opposite tack -- a limited government role working with industry to develop supply and demand for products that will operate in a key management environment. The federal government will work with industry to set standards for federal use of these products, establish criminal and civil liability for improper certification or release of keys, provide a market through purchases for government agencies, encourage the development of pilot projects, and negotiate with our trading partners on a common approach to encryption. We will not dictate the scope or style of the infrastructure, nor the encryption used within it.
This infrastructure will be based upon trusted parties who will hold keys to confidential data. In some cases, corporations would hold their own keys if they are willing to meet law enforcement requirements; in other cases, users might choose to use key recovery services provided by trusted third parties. These trusted third parties will be private entities. Access to the keys would be provided only to the owners where they have lost or damaged their own key or to law enforcement officials acting under the authority of the courts. This approach balances economic needs with law enforcement concerns and is one that many of our major trading partners, most notably the United Kingdom, are also adopting. The United States is working bilaterally and in the OECD to develop an international framework for a key management infrastructure that will ensure equal protection for consumers and equal access to markets for producers. Our view is that a global key management infrastructure provides the best means of using strong encryption in a responsible manner.
We have come to this view after a great deal of work, one element of which I would like to mention -- a study done jointly by the Bureau of Export Administration and the National Security Agency.
Background and Purpose of the Encryption Study
Computer software and hardware companies believe that current encryption export controls are outdated and ineffective and are causing them to lose their global competitiveness. They assert there are a multitude of strong foreign encryption products available. In late 1994, in fulfillment of Vice President Gore's earlier commitment, National Security Advisor Anthony Lake directed that a report be prepared assessing the current and future international market for software products containing encryption and the impact of export controls on the U.S. software industry.
The Department of Commerce and the National Security Agency jointly prepared the report, which was completed in July, 1995. The Bureau of Export Administration took the lead in assessing domestic and international markets for encryption and the impact of export controls on U.S. industry, while NSA was responsible for identifying and evaluating foreign encryption software products and international laws and controls governing use, export and import of encryption. A declassified version of the final report was made available to the public in January 1996.
Methodology and Industry Involvement
A wide variety of government agencies, academic experts, commercial information sources, trade associations, and industry representatives were contacted. No definitive statistics exist regarding the size and composition of the U.S. market for encryption software. BXA consulted with computer security specialists, market researchers, and academics to create a picture of the current and future domestic market for these products. We supplemented this information with an informal poll of information security specialists from ten diverse Fortune 500 companies to determine how these firms are currently using encryption software.
To assess the international market, BXA utilized the Foreign Commercial Service in 31 U.S. embassies. They provided input on demand for encryption in their host countries as well as the estimated U.S. share of the market. U.S. officials overseas and foreign government officials provided information on foreign laws, regulations, and policies affecting encryption. We used this information to determine the extent to which regulatory controls influence the international marketability of encryption software products.
Foreign encryption software products were identified and purchased for review. NSA cryptanalysts studied the 28 foreign products ultimately obtained to evaluate their strengths and weaknesses. Finally, in order to determine the impact of existing export controls on U.S. software vendors, BXA worked closely with the Software Publishers Association, Business Software Alliance and other industry groups to develop an industry questionnaire. The voluntary questionnaire was mailed to about 200 firms believed to be involved in the encryption software market. It was also posted on the Internet. Thirty six encryption software producers elected to respond to the questionnaire, which gave them an opportunity to explain and quantify the impact of export controls on sales, employment, profitability, and product development. Frankly, this was a disappointing response, despite repeated appeals to the industry, and it has led us to the conclusion that many companies are unwilling or unable to quantify the effects of controls on their operations.
Let me summarize some of our major findings:
In the security-specific software market, however, U.S. manufacturers face competition in foreign markets from countries such as the United Kingdom, Germany, and Israel. To a large extent, markets for these products tend to be "national," with local vendors capturing a large portion of their home markets, in part due to the influence of export controls. In many foreign countries surveyed, exportable U.S. encryption products are perceived to be of insufficient strength. In about half the countries, overseas sources believe that U.S. export controls have limited U.S. market share. Some maintain that U.S. export controls promote indigenous production of encryption software.
Our study encouraged us to move ahead with the new approach I mentioned. This policy is based on key recovery, but it will be a flexible approach developed by and based in the private sector. Cooperation with industry is critical, and we are finding a willingness among many firms to work together toward a solution. As it will take some time to complete development of this new approach, we are considering a number of interim measures to ease the burden on industry while it moves to a key management infrastructure. In the expectation of industry cooperation in that regard, the Vice President on July 12 indicated what these measures might include:
Our work is not yet done. We are continuing to consult with industry and international partners to refine our proposal, and we plan to send recommendations to the President this September. Our goal is to develop a flexible, market-driven approach that balances public safety, national security, and economic vitality.
In the midst of this effort, legislation such as S. 1726 would not be helpful. Its fundamental flaw is that it does not provide the balanced approach we are seeking and instead would unnecessarily sacrifice our law enforcement and national security needs. Legislating decontrol of encryption would destroy any hope of developing a consensus on policy; it would be greeted with dismay by our international partners; and it would pose real risks to the safety of Americans.
In addition, from the perspective of the Commerce Department, we have a host of specific concerns about the bill. In particular, we believe it misunderstands and misstates the role of NIST in regulation and standard-setting. NIST is not a regulatory agency and does not "regulate" or control private sector use of encryption. It prepares and recommends to the Secretary for approval Federal Information Processing Standards (FIPS), which are intended to assist government agencies and are developed in consultation with the private sector. Often these standards, of which DES is one, have been adopted and utilized by the private sector in the interest of standardization -- an important objective in this sector but one which will be determined by the market rather than the government. The private sector has consistently been supportive of NIST's efforts in this area, and it is difficult for us to understand why the authors of S. 1726 would want to preclude that cooperation.
As I said when I began my remarks, encryption is one of the most difficult issues in public policy today, but it is a problem which this Administration is committed to solving in cooperation with industry in a way that reinforces market principles and achieves our varied goals. We hope that Congress will work with us to facilitate that process rather than obstruct it by passing unnecessary and harmful legislation.