News

USIS Washington 
File

16 September 1998

TRANSCRIPT: GORE, OTHER OFFICIALS ON ENCRYPTION EXPORTS

(Revised policy seeks difficult balance, Gore says)  (4910)



Washington -- Vice President Gore has announced revision to U.S.
policy relaxing export controls on encryption, a compromise aiming to
satisfy the interests of U.S. business, law enforcement and national
security.


Gore said a policy with the right balance was difficult to reach. He
said the policy will be subject to scrutiny as technology and
circumstances change.


"Beginning today, American companies will be able to use encryption
programs of unlimited strength when communicating between most
countries," Gore said at a September 16 White House briefing. "Health,
medical, and insurance companies will be able to use far stronger
electronic protection for personal records and information. Law
enforcement will still have access to criminally related information
under strict and appropriate legal procedures. And we will maintain
our full ability to fight terrorism and monitor terrorist activity
that poses a grave danger to American citizens."


According to the administration officials briefing reporters after
Gore's remarks, following are some of the key elements of the revised
policy:


-- exports of 56-bit encryption are allowed to all but seven
terrorism-supporting countries after one-time review of the product by
the government.


No longer required are plans by the exporters for developing key
recovery products. These products allow users to break into their own
scrambled messages if they somehow lose the algorithm key; they could
also be used to assist law enforcement and national security agencies
collect information.


-- exports of key recovery products are allowed without restraint
worldwide.


-- exports of encryption software of unlimited strength are allowed to
certain sectors in 45 countries after one-time review. Those sectors
are insurance, health and medical (except biochemical and
pharmaceuticals), on-line merchants, and foreign subsidiaries of U.S.
companies. This policy already applied to banks and other financial
institutions.


-- exports are allowed to 42 countries under a Commerce Department
export licensing arrangement of recovery-capable products used for
development of networks and e-mail transmission. Excluded are exports
to munitions manufacturers.


All other license applications for encryption exports are to be
considered case by case.


Following is the official White House transcript of the briefing:



(begin transcript)



PRESS BRIEFING BY THE VICE PRESIDENT,

DEPUTY CHIEF OF STAFF JOHN PODESTA,

PRINCIPAL ASSOCIATE DEPUTY ATTORNEY GENERAL ROBERT LITT,

ASSISTANT DIRECTOR OF THE FBI CAROLYN MORRIS,

UNDER SECRETARY OF COMMERCE WILLIAM REINSCH,

DEPUTY SECRETARY OF DEFENSE JOHN HAMRE,

AND DEPUTY NATIONAL SECURITY ADVISOR JIM STEINBERG



The Briefing Room

11:57 A.M. EDT

    

THE VICE PRESIDENT: Good morning. While my colleagues are coming in
here, let me acknowledge them. John Podesta is going to take over the
podium after I complete my statement, and he is joined by Bob Litt of
the Justice Department, Bill Reinsch of the Commerce Department --
Under Secretary for the Export Administration -- and John Hamre,
Deputy Secretary of Defense.


I also want to acknowledge Carolyn Morris of the FBI; Barbara McNamara
of the National Security Agency; John Gordon, Deputy Director of the
CIA. And you all should know that this process, the results of -- the
interim results of which I'm announcing here, is a process that has
been run principally by John Podesta and Jim Steinberg, Deputy at the
National Security Council. And I also want to thank Sally Katzen at
the NEC and David Beier on my staff for the work that they and many
others have done on this.


Some of you who have followed this issue know that it is probably one
of the single most difficult and complex issues that you can possibly
imagine. But we've made progress, and we're here this morning to
announce an important new action that will protect our national
security and our safety, and advance our economic interests and
safeguard our basic rights and values in this new Information Age.


The Information Age has brought us the Internet, an inter-connected
global economy and the promise of connecting us all to the same vast
world of knowledge. But with that exciting promise comes new
challenges. We must make sure that in the Information Age you get
information about the rest of the world and not the other way around.
We must ensure that new technology does not mean new and sophisticated
criminal and terrorist activity which leaves law enforcement
outmatched -- we can't allow that to happen. And we must ensure that
the sensitive financial and business transactions that now cruise
along the information superhighway are 100 percent safe in cyberspace.


Balancing these needs is no simple task, to say the least. That is
why, in taking the next step toward meeting these complex goals, we
worked very closely with members of Congress from both parties, House
and Senate; with industry; with our law enforcement community and with
our national security community. And as we move forward we want to
keep working closely with all who share a stake in this issue --
especially law enforcement -- to constantly assess and reassess the
effectiveness of our actions in this fast changing medium.


Today I'm pleased to announce a new federal policy for the encryption
and protection of electronic communication, a policy that dramatically
increases privacy and security for families and businesses without
endangering out national security.


Beginning today, American companies will be able to use encryption
programs of unlimited strength when communicating between most
countries. Health, medical, and insurance companies will be able to
use far stronger electronic protection for personal records and
information. Law enforcement will still have access to criminally
related information under strict and appropriate legal procedures. And
we will maintain our full ability to fight terrorism and monitor
terrorist activity that poses a grave danger to American citizens.


With this new announcement, we will protect the privacy of average
Americans because privacy is a basic value in the Information Age,
indeed in any age. We will give industry the full protection that it
needs to enable electronic commerce to grow and to thrive. And we will
give law enforcement the ability to fight 21st century crimes with
21st century technology, so our families and businesses are safe, but
on-line outlaws are not safe.


In just a moment you will hear more of the details of this new policy,
but I want to conclude by saying that this policy does reflect one of
the greatest challenges of these new times. And to state it broadly,
it's a challenge of how we can harness powerful new technology while
protecting our oldest and most cherished values, such as privacy and
safety.


I'm grateful to those who have worked so hard to reach this balance.
And with today's announcement I believe that all families and
businesses have reason to feel safer, more secure and more confident
as we approach the 21st century. And now I'd like to turn things over
to White House Deputy Chief of Staff John Podesta.


Q Mr. Vice President, before you go, can you tell us what you say to
Democratic lawmakers who say the President ought to resign?


THE VICE PRESIDENT:  I disagree.



Q  How about the release of that tape?  What do you think --



THE VICE PRESIDENT: The President is going to have a press conference
shortly and I'm sure that you will not miss the opportunity at this
national security press conference with the leader of a foreign
country to raise all these questions.


Q  What about the videotape, should it be released?



Q  It was staged by the White House -- you know that, don't you?



MR. PODESTA: Guess what? I'm here to talk about encryption. Okay. I
can see the front row leaving here. (Laughter.) As the Vice President
noted, Jim Steinberg and I have co-chaired our process in this matter.
I volunteered for that duty because of my well-known fascination with
The X Files, which most of you know about.


As you know, this is an important and challenging issue that affects
many of our interests in our society. And over the past year we've
promoted a balanced approach to the issue, working with all segments
of our government and working with industry to find a policy that
promotes electronic commerce, preserves privacy, protects national
security and law enforcement interests, and permits U.S. industry to
secure global markets.


Recognizing the importance of moving this issue forward, last March
the Vice President asked us to intensify our dialogue with U.S.
industry, to bring industry's technical expertise to bear on this
issue with the hope of finding more innovative ways that we might
assist law enforcement. We appreciate the efforts of Congress, the law
enforcement community and particularly the industry groups. I would
note the Computer Systems Policy Project and the Americans for
Computer Privacy, who have been in an intensive dialogue with us over
the past many months to foster an environment that has allowed us to
come up with a policy which we believe has balanced the elements that
are necessary in this regard.


I think all the stakeholders in this process, on our side, as well as
on private industry's side, now have a greater appreciation of the
issues and intend to continue the dialogue, which I think we're most
pleased by. Again, I think some of the people here from industry will
be available at the stakeout later to take some comment.


Based on the ideas discussed among the various stakeholders, today
we're proposing an update to our policies that we've announced in the
past. I'm going to serve kind of as M.C. We're going to start off with
Bob Litt from the Justice Department and Carol Morris, who I asked to
join us, from the FBI, to talk about the law enforcement-FBI concerns.
Then we're going to turn to Bill Reinsch from the Commerce Department
to talk about export control and electronic commerce. And finally
you'll hear from Dr. Hamre from the Defense Department. I might ask
Jim also to join us up here.


Before I give up the floor to Bob and Carol, though, I want to stress
that encryption policy is an ongoing process. It's one of adaptation;
it's an evolutionary process. We intend to continue the dialogue, and
over the course of the next year, determine what further updates are
necessary as we work with industry to try to, again, come up with a
policy that balances national security, law enforcement, and the real
needs for privacy and security in electronic commerce.


Thank you.  Let me turn it over to Bob.



MR. LITT: Thank you, John. Good afternoon. The Justice Department and
the FBI and law enforcement in general is supportive, very supportive
of today's announcement on the updating of our export controls on
encryption products, particularly with respect to those products that
allow law enforcement to obtain lawful access to the plain text of
encrypted information.


We have been very encouraged over the last few months by industry's
efforts to work with us to develop and market strong encryption
products that provide law-abiding citizens with the ability to protect
the privacy of their communications and their electronically stored
data while at the same time maintaining law enforcement's ability to
ensure public safety when these products, when they become
commercially available, are used in furtherance of serious criminal
activity. Our goal is through whatever means to ensure that when we
have the lawful authority to take steps to protect public safety, we
have the ability to do so. And we have been working cooperatively with
industry for many months to develop approaches that will deal with
that. Carolyn Morris will now talk a little bit about the technical
support center that is being proposed.


MS. MORRIS: Thank you very much, Bob. Good afternoon, ladies and
gentlemen. We in federal, state, and local law enforcement, are
pleased with the administration's support to establish a technical
support center. This center will provide federal, state, and local law
enforcement with the resources and the technical capabilities we need
to fulfill our investigative responsibilities. In light of strong,
commercially available encryption products that are being proliferated
within the United States, and when such products are used in the
furtherance of serious criminal activity, this center becomes very,
very critical to solving the encryption issues that we need to make
cases. As a matter of fact, the FBI has already begun planning
activities of this critical technical support center in anticipation
of the availability of funds. The United States federal, local and
state law enforcement community looks forward to a cooperative
partnership with American industry, the Congress and the
administration to ensure that this technical support center becomes a
reality in the near future. With this center the American people can
be assured that federal, state, and local law enforcement has the
necessary resources and tools we need to fulfill our public safety
mission.


Thank you very much.



UNDER SECRETARY REINSCH: With respect to export controls, the
administration is updating its policy in three areas: Our existing
policy and some revisions there, an expansion with respect to certain
sectors, and an expansion with respect to so-called recoverable
products. And let me address each of these separately. In keeping with
the administration's reinvention initiatives, I'm going to try to do
it in plain language -- or plain English, so that those of you that
speak the vocabulary of encryption may find it too elementary, but we
can go back and do it again in another language, if you want, later on
in questions.


With respect to our existing policy, we have for two years ending this
December, permitted the export of 56-bit products after an initial
one-time review without further review by the government. What we're
announcing today is the maintenance of that window permanently. And so
56-bit products will be freed from export controls after a one-time
review, in perpetuity, not ending at the end of this year. We are,
however, removing the requirement for key recovery plans or key
recovery commitments to be provided in return for that change, which
was the initial condition that we extracted.


In addition, we are continuing to permit the export of key recovery
products -- products that contain those features -- without restraint
worldwide. We are, however, going to simplify significantly our
regulations that relate to those exports. In particular, we're going
to eliminate the need for six-month progress reports for the plans
that have been submitted, and we're going to eliminate the requirement
for any prior reporting of key recovery agent information. For those
of you that follow the regulations in detail, that means we're going
to eliminate Supplement Five of our regulations on these matters.


Now, with respect to sectors, we're making some new innovations in
four areas. Some of you may be familiar with the fact that some time
ago we announced expanded treatment of encryption products for export
to banks and financial institutions. And what we did at that time,
briefly, was to permit the export of encryption products of any
length, any bit length, with or without key recovery features to banks
and financial institutions in a list of 45 countries.


What we are announcing today is, first, that we are adding insurance
companies to the definition of financial institutions, so insurance
companies will be treated the same way under this policy as banks and
other financial institutions are now. In addition, we are providing
the same kind of treatment for exports of these encryption products to
the health and medical sector operating in the same set of countries.
We are excluding from that biochemical and pharmaceutical producers.
But the rest of the health and medical sector will be the beneficiary
of the same kind of treatment.


In addition, we are providing also this expanded treatment for that
country group to on-line merchants that are operating in those
countries. That means that for products that are like client-server
applications, like SSL, will be able to be exported to those
destinations.


All these things will take place under what we call license exception,
which means after initial one-time review to determine whether or not
your product is, in fact, what you say it is, they can then go without
any further review or intervention by the government to those
locations.


In addition, there is always the option in the export control system
of coming in with an application to export these kinds of products to
other destinations beyond the ones that I'm talking about right now,
and those will be reviewed one by one on their merits.


Finally, with respect to what we have come to refer to as a class of
so-called recovery capable or recoverable products, and these are the
products that, among others, include what has become known as the
doorbell products, which are products that, among other things, will
deal with the development of local area or wide area networks and the
transmission of e-mail and other data over networks -- we are going to
permit the export of those products under a presumption of approval
and an export licensing arrangement to a list of 42 countries. And
within those countries we are going to permit that export to
commercial firms only within those countries. And both in that case
and in the case of the on-line merchants that I referred to a few
minutes ago, we are going to exclude manufacturers or distributors of
munitions items, I think for obvious reasons.


We can go into further details later, if you would like. I think for
those of you that are interested in the nitty-gritty of all this
stuff, BXA intends to post all the details, including the country
lists, on its website and we should have that up later today.


Thank you.



DEPUTY SECRETARY HAMRE: Good morning. I'm here to speak on behalf of
the national security community. I'm joined today by my enormously
capable counterparts and colleagues, Deputy Director Barbara McNamara
for the National Security Agency; and Deputy Director John Gordon from
the Central Intelligence Agency.


The national security establishment strongly supports this step
forward. We think this is a very important advance in a crucial area
for our security in the future.


We in DOD had four goals when we entered these discussions. First was
to strengthen our ability to do electronic commerce. We're the largest
company in the world. Every month we write about 10 million paychecks.
We write about 800,000 travel vouchers. One of our finance centers
disburses $45 million an hour. We are a major, major force in
business. And for that reason, we can't be efficient unless we can
become fully electronic, and electronic commerce is essential for us.
And this is an enormous step forward.


Second, we must have strong encryption and a security structure for
that in order to protect ourselves in cyberspace. Many of you know
that we have experienced a number of cyber attacks during the last
year. This will undoubtedly increase in the future. We need to have
strong encryption because we're operating over public networks; 95
percent of all of our communications now go over public infrastructure
-- public telephone lines, telephone switches, computer systems, et
cetera. To protect ourselves in that public environment, we must have
encryption and we must have a key recovery system for ourselves.


The third goal that we had was to help protect America's
infrastructure. One of the emerging national security challenges of
the next decade is to protect this country, the homeland defense of
this country, against attack. We must have strong encryption in order
to do that, because most of this infrastructure now is being managed
through distributed computer-based management systems, and this is an
important step forward.


Finally, it is very important that the Department of Defense and our
colleagues in the national security establishment have the ability to
prosecute our national security interests overseas. Terrorists and
rogue nations are increasingly using these tools to communicate with
each other and to lay their plans. We must have the ability to deal
with that. And so this policy, it's a balanced and structured approach
to be able to deal with all four of those problems.


UNDER SECRETARY REINSCH: I apologize -- in listing my changes, I
neglected one very important item that I want to go back to, and that
is, in the sector area we are also announcing today the ability to
export strong encryption of any bit length, with or without key
recovery features, to subsidiaries of U.S. companies to all
destinations in the world with the exception of the seven terrorist
nations.


MR. PODESTA: Okay, I think we're happy to take your questions now. If
you could identify whom you're addressing, because there is a variety
of expertise. And I would like to introduce one other person,
Charlotte Knepper from the NSC staff, who has been instrumental in
pulling this all together.


Q John, this is a question for you. In October '96 and other White
House statements on encryption, there has usually been a line also
addressing the domestic side, saying that all Americans remain free to
use any strength encryption. I didn't notice anything like that in
today's announcement. Are there any conditions under which the White
House would back domestic restrictions on encryption?


MR. PODESTA: We haven't changed our policy, and the previous
statements are certainly intact. We have made a number of policy
statements in the past, since this administration came into office,
and I think that you should view this as a step forward, building on
the policies that we have put before the American public in the past.


Q  John, could I ask you one question about an un-encrypted matter?



MR. PODESTA:  Maybe.  (Laughter.)



Q Democrats on the Hill are now saying, and John Kerry is saying that
the President's actions absolutely call for some sort of punishment.
What are Democrats telling you about what they feel must be done at
this point?


MR. PODESTA: Well, I think I'm not going to stand here and take a lot
of questions, but I'm going to give special dispensation, as a
Catholic, today -- which is I'm going to return your phone calls
later. But in deference to the people up here I think we'll handle it
that way. But in specific response, I'll take one, which is that I
think that we had a number of productive meetings with Democrats on
both sides of the Hill yesterday. They view the President as a person
who has led on the issues that are important to them, and I think what
they want to do is get back to having him speak out and be a leader on
the issues of education and the health care bill of rights, on saving
Social Security. And I think they pointed at that and wanted to work
with us on that.


I think with regard to the question that you posed with regard to
Senator Kerry, I think that's a matter that they are debating amongst
themselves more than they are debating with the White House. I think
it's probably presumptuous for us at this point to offer them
assistance or guidance. I mean, the President has said that what he
has done was wrong; he's apologized for it; he's asked for
forgiveness. He is moving forward. And I think that this debate is
going on, on Capitol Hill, but it's largely going on amongst members
themselves.


Q We haven't heard many of them say they want to get back to the work
at hand.


MR. STEINBERG: You heard John, and I'm going to leave it there. Let me
just add a word in response, in connection with the domestic controls
issue. I think one of the lessons that we've learned from this
exercise is that -- actually, two lessons -- one, that trying to
balance the various interests and equities in this is much less of a
zero sum gain than I think some began to look at the question. That
is, you heard from Dr. Hamre and others that many of the interests
involved have common interests in making sure that we have secure and
effective means of dealing with communications and stored data. And so
we found, by looking in a very pragmatic way, that there were ways to
solve these problems without very, kind of, broad-based solutions. In
particular, I think the idea that there's no one-size-fits-all answer
to the problems of meeting the various needs informs the decisions
that we reached -- that there are a variety of different techniques
that respond to the different aspects of the industry, the different
aspects of the technology. I think that's what made the progress
possible today, is that industry, agencies and Congress sat down
together, pulled the problem apart, began to look at its different
components and began to fashion very pragmatic solutions.


And so I think we came to this discussion with a spirit of not looking
for a kind of single or simple solution to the problem but, rather,
how do you tackle and meet the various needs. And I think that's what
led to this resolve.


Q Could you talk a little more about the on-line merchants part of it?
I mean, what do you have to do to qualify as an on-line merchant? Do
you have to register or can anybody sort of set themselves up in
business?


UNDER SECRETARY REINSCH: I think the simplest way to respond to that
right now is we'll have a definition in the reg that will be very
clear as to what the criteria are for qualification. And those
definitions have already been dealt with and agreed to, so we should
have them up on the web site this afternoon.


Q A question for Bill Reinsch. How do you handle, then, 128-bit, to
which the Department has given export -- or has allowed to be exported
after going through this review? Will 128 or things above 56-bit, will
they require a license or will they still have to go through plans --


UNDER SECRETARY REINSCH: Well, with respect to the subsidiaries, the
health sector, the banks, the financial institutions, the insurance
companies, the on-line merchants, and the recoverable products as in
the universe defined -- no. In the case of all but the recoverable
products, they will all go on license exception, which means one-time
review and then out the door. With respect to recoverable products,
they will come in and go out pursuant to an export licensing
arrangement, where we'll have to do a little tailoring depending upon
the nature of the product. But there is a presumption of approval for
the 42 countries that I indicated.


And that's without reference to bit length -- 128 or more is all
covered by that. Now, if you want to export an 128-bit product that is
beyond any of those universes, then you would have to come in for an
individual license application.


Q A question for Mr. Litt. With regard to the technical support
center, when do you expect that to be in operation?


MR. LITT: I don't think we have a specific timetable yet. Obviously,
it would be helpful for us to have it up and operational as soon as
possible, but there are planning and budgetary issues that have to be
dealt with.


Q This is probably a question for Under Secretary Reinsch. The export
exceptions now are essentially going to U.S. subsidiaries -- foreign
subsidiaries of U.S. companies. I was wondering, could you be a little
more specific -- what size company, what kind of company will be
allowed to export powerful crypto to its foreign subsidiaries?


UNDER SECRETARY REINSCH: That doesn't make any difference. The
universe is determined by the end user, not by the nature of the
American company. But it is not -- while part of this relates to
subsidiaries of U.S. companies, that is correct, we also intend, on a
case-by-case basis, to provide for favorable treatment for export of
the same kind of thing to strategic partners of U.S. companies --
those foreign companies that are engaged in a closer, say, joint
venture, that kind of relationship.


Well, I think that's it.



Q What about foreign companies that have U.S. subsidiaries, like
Seaman's or -- or Chrysler -- can they get this encryption?


UNDER SECRETARY REINSCH: Well, keep in mind, there are multiple
universes here. If you're talking about the financial institutions,
the banks and the insurance companies, those aren't necessarily
American financial institutions. That's for export to any financial
institution, and for their use in any of their branches, aside from
the terrorist countries. This is true for the health sector; this is
true for on-line merchants as well. Those are not restricted to U.S.
companies.


Obviously, if we're going to have a requirement for U.S. subs, it
relates to U.S. subs, and wouldn't affect the examples you've
described. Now, with respect to recoverable products, which actually
is one of the areas where the companies you mentioned would probably
be looking because they'd be looking to build a network among their
various offices, affiliates of subsidiaries, dealers if necessary,
worldwide, the recoverable provisions that I described could be
exported to those companies within the territorial universe I
described -- the 42 countries.


Thank you very much. 



END                          12:25 P.M. EDT



(end transcript)