Index

STATEMENT FOR THE RECORD

BARBARA A. MCNAMARA

DEPUTY DIRECTOR, NATIONAL SECURITY AGENCY

Mr. Chairman, thank you for giving me the opportunity today to discuss the important issue of encryption. I will be discussing the national security needs for export controls on encryption and why we oppose legislation that would effectively lift those controls. I will then address specific concerns NSA has with provisions of the SAFE Act. However, I would like to begin by briefly introducing the National Security Agency (NSA) and its mission.

The National Security Agency was founded in 1952 by President Truman. As a separately organized agency within the Department of Defense, NSA provides signals intelligence to a variety of users in the Federal Government and secures information systems for the Department of Defense and other U.S. Government agencies. NSA was designated a Combat Support Agency in 1988 by the Secretary of Defense in response to the Goldwater-Nichols Department of Defense Reorganization Act.

The ability to understand the secret communications of our foreign adversaries while protecting our own communications - a capability in which the United States leads the world - gives our nation a unique advantage. The key to this accomplishment is cryptology, the fundamental mission and core competency of NSA. Cryptology is the study of making and deciphering codes, ciphers, and other forms of secret communications. NSA is charged with two complementary tasks in cryptology: first, exploiting foreign communications signals and second, protecting the information critical to U.S. national security. By "exploitation," I am referring to signals intelligence, or the process of deriving important intelligence information from foreign communications signals; by "protection" I am referring to providing security for information systems. Maintaining this global advantage for the United States requires preservation of a healthy cryptologic capability in the face of unparalleled technical challenges.

It is the signals intelligence (SIGINT) role that I want to address today. Our principal responsibility is to ensure a strong national security environment by providing timely information that is essential to critical military and policy decision making. NSA intercepts and analyzes the communications signals of our foreign adversaries, many of which are guarded by codes and other complex electronic countermeasures. From these signals, we produce vital intelligence reports for national decision makers and military commanders. Very often, time is of the essence. Intelligence is perishable; it is worthless if we can not provide it in time to make a difference in rendering vital decisions.

For example, SIGINT proved its worth in World War II when the United States broke the Japanese naval code and learned of their plans to invade Midway Island. This intelligence significantly aided the U.S. defeat of the Japanese fleet. Subsequent use of SIGINT helped shorten the war. NSA continues today to provide vital intelligence to the warfighter and the policy maker in time to make a difference for our nation's security. Demands on us in this arena have only grown since the break-up of the Soviet Union and have expanded to address other national security threats such as terrorism, weapons proliferation, and narcotic trafficking, to name a few.

Because of these growing serious threats to our national security, care must be taken to protect our nation's intelligence equities. Passage of legislation that immediately decontrols the export of strong encryption will significantly harm NSA's ability to carry out our mission and will ultimately result in the loss of essential intelligence reporting. This will greatly complicate our exploitation of foreign targets and the timely delivery of intelligence to decision makers because it will take too long to decrypt a message if indeed we can decrypt it at all.

Today, many of the world's communications are unencrypted. Historically, encryption has been used primarily by governments and the military. It was employed for confidentiality in hardware-based systems and was often cumbersome to use. As encryption moves to software-based implementations and the infrastructure develops to provide a host of encryption-related security services, encryption will spread and be widely used by other foreign adversaries that have traditionally relied upon unencrypted communications. The immediate decontrol of encryption exports would accelerate the use of encryption by many of these adversaries and as a result, much of the crucial information we are able to gather today could quickly become unavailable to us. Immediate encryption decontrol will also deprive us of the opportunity to conduct a meaningful review of encryption products prior to their export. In the past, this review process has provided us with valuable insight into what is being exported, to whom, and for what purpose. Without this review and the ability to deny an export application, it will be impossible to control exports of encryption to individuals and organizations that threaten the United States. For instance, immediate decontrol will undermine international efforts to prevent terrorist attacks, and catch terrorists, drug traffickers, and proliferators of weapons of mass destruction.

Please do not confuse the needs of national security with the needs of law enforcement. The two sets of interests and methods vary considerably and must be addressed separately. The law enforcement community is primarily concerned about the use of non-recoverable encryption by persons engaged in illegal activity. At NSA, we are primarily focused on preserving export controls on encryption to protect national security.

While our mission is to provide intelligence to help protect the country's security, we also recognize that there must be a balanced approach to the encryption issue. The interests of industry and privacy groups, as well as of the Government, must be taken into account. Encryption is a technology that will allow our citizens to fully participate in the 21st Century world of electronic commerce. It will enhance the economic competitiveness of U.S. industry. It will combat unauthorized access to private information and it will deny adversaries from gaining access to U.S. information wherever it may be in the world.

To promote this balanced approach, we are engaged in an ongoing and productive dialogue with industry. The recent Administration update to the export control regulations addresses many industry concerns and has significantly advanced the ability of U.S. vendors to participate in overseas markets. Of equal significance, the Wassenaar nations, representing most major producers and users of encryption, agreed unanimously in December 1998 to control strong hardware and software encryption products. The Wassenaar Agreement clearly shows that other nations agree that a balanced approach is needed on encryption policy and export controls so that commercial and national security interests are addressed. Both are positive developments because they open new opportunities for U.S. industry while still protecting national security. These are examples of the kinds of advances possible under the current regulatory structure, which provides greater flexibility than a statutory structure to adjust export controls as circumstances warrant in order to meet the needs of Government and industry. We want U.S. companies to effectively compete in world markets. In fact, it is something we strongly support as long as it is done consistently with national security needs. NSA supports the recent updates to the Administration's policy. The export provisions were carefully designed to open up large commercial markets while trying to minimize potential risk to national security. We believe significant progress was made.

As you review the SAFE Act, it is very important that you understand the significant effect certain provisions of this bill will have on national security. If enacted, the bill would effectively decontrol most commercial computer software encryption and specified hardware encryption exports to all destinations, even regions of instability. It would also deprive the Government of the opportunity to conduct a meaningful review of a proposed export to assure it is compatible with U.S. national security interests and would also eliminate the ability to deny an export application if national security concerns are not adequately addressed.

The bill would permit exports of encryption based on products that are permitted to be exported for foreign financial institutions. The criteria for exporting encryption to these institutions should not be the basis for decontrolling other encryption exports. Allowing favorable treatment for specific classes of end-users may be appropriate in cases such as those involving banks and other financial institutions which are well regulated and have a good record of providing access to lawful requests for information. Requiring the blanket approval of exports to all other end-users in a country would eliminate important national security end-use considerations for these exports.

In summary, the SAFE Act will harm national security by making NSA's job of providing vital intelligence to our leaders and military commanders difficult, if not impossible, thus putting our nation's security at some considerable risk. Our nation cannot have an effective decision-making process, a strong fighting force, a responsive law enforcement community, or a strong counter-terrorism capability unless the intelligence information required to support them is available in time to make a difference. The nation needs a balanced encryption policy that allows U.S. industry to continue to be the world's technology leader, but that policy must also protect our national security interests.

Thank you for the opportunity to address the Committee and I would be happy to answer any questions you may have.