1996 Congressional Hearings
Intelligence and Security

Introduction

"Good Morning. My name is Michael Zisman and I am the Chief Executive Officer and Executive Vice President of Lotus Development Corporation, headquartered in Cambridge, Massachusetts. Lotus develops and sells business software including such highly popular programs as Lotus Notes. I was previously CEO and founder of Soft-Switch, Inc. before it was acquired by Lotus in 1994. Before that, I was a professor at the Sloan School for Management at the Massachusetts Institute of Technology.

"I greatly appreciate the opportunity to testify before you on behalf of the Business Software Alliance (BSA) in strong support of the legislation. BSA's members include this country's leading manufacturers of software. BSA's members produce what is often referred to as "mass market" software. BSA promotes the interests of the American software industry through its programs to end software piracy and advance desirable public policies.

"But I am most grateful for the opportunity to speak on behalf of the millions of users of American software products. American business has succeeded because we have listened and responded to the needs of computer users worldwide. Quite simply, we can't sell what users don't want and will not buy.

"Right at the start I want to commend you, Senator Burns, for introducing
S. 1726, the Promotion of Commerce On-Line In The Digital Era (Pro-CODE) Act. I also want to recognize Chairman Pressler's strong support, acknowledge the leading roles of Senator Leahy and Representative Goodlatte in introducing their bills as well (S. 1587, EPIC; H.R. 3011, SAFE), and thank all the other co-sponsors of the various bills. These badly needed bills modernize export laws regarding software and hardware with encryption capabilities thereby permitting American software companies to compete on a level international playing field and computer users to properly protect their information.

The Importance Of The American Software Industry

"The incredibly dynamic computer software industry is an American success story. Since 1980 the industry has grown seven times faster than the rest of the economy and today is now larger than all but five manufacturing industries. Conservative estimates are that more than 500,000 people are employed in the computer software industry alone -- more than 1.2 million are employed in the software, hardware and semiconductor industries. This economic success has spurred an abundance of products and choices. Today, computer users -- consumers -- enjoy unprecedented access to information that is changing the way we all live and work. A prime example is the Global Information Infrastructure, which is made possible by the software that routes information and helps the user navigate oceans of information.

"The computer software industry also is one of our country's most internationally competitive. American produced software accounts for over 70% of the world market, with exports of U.S. programs constituting half of many companies' revenues. This means jobs -- highly skilled, well paid jobs -- and economic prosperity here in the U.S.

The Need For Immediate Export Control Relief

1. The Importance of Encryption

"Everyone agrees that strong encryption is essential to fulfilling the promise of the Global Information Infrastructure (GII). Encryption can protect the confidentiality and privacy of electronic information as well as ensure its authenticity and integrity. Without encryption, businesses and individuals will not entrust their valuable proprietary information, creative content, electronic commerce, and sensitive personal information to electronic networks. Those who do will risk unauthorized disclosure, theft and alteration of their information.

"Moreover, without encryption the electronic networks that control such critical functions as airline flights, hospital climate, electrical power and banking functions remain highly vulnerable to remote disruption. Within the last month the nation's leading papers have reported on the possibilities of "cyberterrorism" and "infowar." Two other Senate Committees -- Armed Services and Governmental Affairs -- have held hearings on the vulnerability of defense and civilian computer networks to such threats.


2. The Problem With Current Unilateral U.S. Export Controls.

"Currently there are no restrictions on the use of cryptography within the United States. However, the United States Government maintains strict unilateral "munitions" export controls on computer software -- even mass market software programs -- which offers encryption strong capabilities. Therefore, we can provide programs with strong encryption in the United States but we can't export those same programs. This is problematic because computer users demand global interoperability and software companies want to develop and sell a single version of their program worldwide to meet this user demand.

"The inability of American software companies to supply their users worldwide with strong encryption to meet their legitimate needs for information security directly threatens the continued success of our industry. Moreover, American computer users' information remains vulnerable. Finally, and perhaps most importantly to this Committee, U.S. export controls threaten to dislodge continued American leadership in developing the Global Information Infrastructure.

"American software companies have been forced to continue limiting the strength of their encryption to the 1992 40-bit key length level -- despite an Administration commitment at that time to regularly increase key lengths to take into account technological and market developments. But this level ignores the facts that:


• the current world benchmark is DES with 56 bit keys;
• hundreds of alternatives are available from foreign manufacturers and off the Internet (about half using DES); and
• 40 bit encryption is susceptible to commercial attack.

3. DES-Level Strength Encryption Is The Minimum Necessary Today For Vendors To Be Competitive and User Information To Be Properly Protected.

The Data Encryption Standard (DES) algorithm with 56-bit key lengths (developed by government and industry in the 1970's) continues to be the worldwide "benchmark" algorithm. It is taught in classrooms everywhere. It remains the U.S. Government's standard for unclassified confidential information. Moreover all the proposed "Internet Protocols" addressing security call for encryption at least at the DES level (recognizing the growing popularity of "triple DES" with 112 bit keys and PGP with 128 bit keys). It is essential to understand that the backbone of the Global Information Infrastructure is the Internet -- a network of networks not controlled by any one government or organization. In the last few years, American companies have recognized that they must adapt their business plans to work with the Internet, rather than instead of, or even in addition to, the Internet. Companies wishing to provide software for, or do business on, the Internet must acknowledge such standards if they are to have any chance of gaining widespread acceptance.

Continued unilateral U.S. export controls also have not been effective in restricting the availability of encryption abroad. A recent Department of Commerce study confirms the widespread availability of foreign manufactured encryption programs and products. An on-going industry study reveals that as of December 1995 there were 497 foreign programs and products available from 21 countries, 193 of which employ DES. (There are also 684 American programs and products - 330 with DES -- readily transferable abroad with a modem and public telephone line). The General Accounting Office also confirmed last year industry's assertion that sophisticated encryption software on foreign Internet sites were widely available to foreign users. A new algorithm called Pretty Good Privacy ("PGP") - with 128 bit keys - is available for free on the Internet and is soaring in popularity.

I would like to mention just two specific examples with respect to this foreign availability of products. First, just last week we learned that the world's largest telecommunications company -- Nipon Telephone and Telegraph (NTT) -- is about to market triple-DES chips worldwide. I think you will hear more about that this morning. Second, the Apache Group, based in the U.K., announced in April that its Apache Unix Internet Server software with very strong encryption now has a 29% market share.

There also can be little dispute that information encrypted at the 40-bit level no longer provides sufficient protection against even casual hackers using idle computers. Students with Ecole Polytechnique and at our own MIT have "brute force cracked" such 40-bit encryption. Indeed, a report released earlier this year by seven of the leading private sector cryptologists and computer scientists concluded that an individual willing to spend only $400 on readily available commercial technology could obtain a 40-bit key in only 5 hours. A small business spending $10,000 could recover a 40-bit key in only 12 minutes!

For all these reasons, in order to keep U.S. software companies on a level international playing field and permit computer users to properly protect their electronic information, it is necessary to immediately:


• permit the export under a Department of Commerce general license of software programs using the DES algorithm with 56-bit keys and other algorithms (e.g. RC2/RC4) at comparable strengths;
• automatically increase key lengths two bits every three years given the reality of "Moore's Law" which holds that the computing power for the same costs doubles every two years (i.e. institute a Cost of Cracking Adjustment or "COCA");
• broaden existing licensing for programs using even stronger encryption; and
• remove all export control restrictions on non-confidentiality uses of cryptography (i.e. key management, authorization, integrity, signatures), on the personal use of cryptographic programs abroad by American citizens, and by U.S. multinational corporations.

This is the minimum that needs to be done -- and done now!

4. The NRC's CRISIS Report Echoes These Views.

As you know, a blue ribbon National Research Council (NRC) Committee has called for U.S. policies which foster the broad use of encryption technologies. The Committee's report echoes what industry has been saying for several years regarding the need for export control relief. Importantly, the Committee concluded that as demand for products with encryption capabilities grows worldwide, foreign competition could emerge at levels significant enough to damage the present U.S. world leadership in information technology products. The Committee felt it was important to ensure the continued economic growth and leadership of key U.S. industries and businesses in an increasingly global economy, including American computer, software and communications companies. The Committee called for an immediate and easy exportability of products with DES level encryption. The Committee also noted that this would have to be updated periodically.

BSA Strongly Supports Pending Legislation Because It Provides Needed Export Control Relief

The Pro-CODE bill recognizes as a fundamental proposition that the United States should not try to control the export of something that is, in fact, uncontrollable. It makes little sense for our government to require individual validated export licenses for the export of software that is generally available by virtue of being mass marketed commercially, distributed via the Internet, or found in the public domain. Nor should computer hardware be so controlled simply because it incorporates such software. In short, if it is "out there," if it is already available to millions of people easily and readily transferable electronically, then it makes little sense to continue trying to control such exports.

Importantly, your bill does enable the Secretary of Commerce to continue controls in countries of terrorists concern or other embargoed countries pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act.

In addition, your bill provides that if DES-level products have been permitted to be exported to foreign banks, then they should be exportable to other foreign commercial purchasers in that country. Note that the type of software and hardware we are talking about here is a "custom" product (if it was generally available it would qualify for automatic general license treatment under the bill's other provision). Because it is at least theoretically possible to control such exports, the question then occurs as to what should be the allowable level of encryption. For the reasons I explained earlier, nothing less than DES and its equivalents will do.

Once again, your bill does contain safeguards: the Secretary of Commerce is not required to permit such exports if there is substantial evidence that the software will be diverted or modified for military or terrorists' use or re-exported without requisite U.S. authorization.

Finally, I do want to note that we believe you and the other sponsors and supporters of the various bills have made a wise decision in seeking to make explicit what is now implicit under existing laws -- that there is not and should not be any restriction on the domestic use, choice or sale of strong cryptography. Some argue that it is already law because there is nothing to the contrary. That is correct -- nevertheless we believe that it is important and helpful to have a positive statement reaffirming the rights of Americans in this area.

Key Escrow Encryption Is NOT The Holy Grail

There has been much discussion about obtaining access to the keys with which users encrypt information. For example, it is certainly possible to envision companies or organizations wanting access to the keys of their employees so as to be able to access information generated in the course of their work. Presumably someone within the organization, or a third party entrusted by that organization, would hold the key.

However, key recovery encryption -- let alone key escrow encryption -- is new and undeveloped. Key recovery encryption is going to take a long time to sort out. Particularly with respect to international arrangements that make products internationally salable. Questions of feasibility, cost and convenience all must be addressed.

But what is clear even now, is that any key recovery system must result from a user-driven, market-led process. It cannot be a mandated, government-designed, top-down, one-size-fits-all solution.

I would note that for all these reasons, the NRC Committee recommended a policy of "deliberate exploration" rather than one of "aggressive promotion." We couldn't agree more.

Moreover, because this is going to take a long time, it is essential that immediate export control relief be granted for non-key escrow encryption products. As I hope I have explained, we simply cannot afford to wait any longer.

Conclusion -- Move The Legislation Expeditiously

In conclusion I want to say just a word about two fundamental points in the NRC's CRISIS report.

First, the Committee found that wider use of cryptography not only protects personal privacy and helps American businesses -- but it also promotes national security by protecting the civilian information infrastructure and promotes law enforcement by preventing economic crimes. The Committee found that on balance the advantages of more widespread use of encryption outweighed the disadvantages.

Second, the Committee concluded that encryption policies can be discussed and established on an unclassified basis. This is critical. All too often we in industry have heard from government that "if you knew what I knew then you would agree with us and you would not be asking for export control relief." Importantly, 13 of the 16 members of the NRC's committee had security clearances and received classified briefings. Yet they concluded that although important for specific situations, classified material is not essential for understanding current cryptography policy or how the technology should evolve.

The time for action is now. In order to keep American vendors on a level international playing field and American computer users adequately protected in the near term, software programs with encryption at DES level strengths must be immediately exportable. The legislation before you will do that -- as well as several other positive things as well. We urge the Committee -- and the Congress -- to move expeditiously.

Thank you.