News

USIS Washington File

08 December 1998

TEXT: REINSCH SAYS ENCRYPTION IMPACTS COMMERCE, SECURITY

(Export control is challenging as technologies evolve) (2560)



Washington -- Under Secretary of Commerce William Reinsch says
encryption -- which protects electronic information systems -- is a
critical issue for the United States and is particularly challenging
for policy makers because of the evolving nature of the fundamental
technologies upon which it depends.


Encryption plays an absolutely vital role in national security, law
enforcement and the emerging field of electronic commerce, said
Reinsch, head of the Bureau of Export Administration in the Commerce
Department. As electronic commerce expands, inevitably there will be
similar growth in demand for encryption products, he said in a
December 7 speech.


The United States has always taken the approach of promoting
industry-led, market-driven solutions to achieve a balance between all
of our interests, he said. While the position has not changed, he said,
the direction technology and the market are taking has changed.


President Clinton moved the jurisdiction over export controls on
encryption products and technology from the State Department to the
Commerce Department in December 1996.


Following is the text of Reinsch's speech as prepared for delivery:



(begin text)



UNDER SECRETARY WILLIAM A. REINSCH

BUREAU OF EXPORT ADMINISTRATION

U.S. DEPARTMENT OF COMMERCE



DEFENSE WEEK 19TH ANNUAL CONFERENCE

"DEFENDING NATIONAL CRITICAL INFRASTRUCTURE"

DECEMBER 7, 1998



Good afternoon. I am pleased to be here today to discuss the
Administration's encryption policy and how it relates to the
President's initiative on critical infrastructure protection.


First, a caveat. Encryption is only one piece of the larger critical
infrastructure pie. Clearly, strong encryption helps protect
electronic infrastructures. However, as important as encryption is for
this purpose, we would not be wise to allow the debate over encryption
policy to hinder our efforts in the larger critical infrastructure
area. For this reason, we are developing policies in these two areas
along separate tracks. By the time I finish my remarks, I hope you
will agree with me that this is the best course of action.


Encryption is a critical issue for our country, and what we do in this
area will have a profound impact on the safety and well-being of
Americans everywhere. We should all be concerned about the national
security and law enforcement implications of widespread use of strong
encryption. We should also not forget the role encryption plays in
providing us with economic security and privacy.


Export controls -- an integral part of our encryption policy -- are
particularly challenging for policy makers because they involve
technologies that are constantly evolving. Among all of the
technologies that are currently subject to export controls, computer
software is probably changing the most rapidly. In large part, this is
due to the rapid growth and the continuous development of new ways to
use it.


One of the many uses of the Internet which will have a significant
effect on our lives is electronic commerce. A recent article in
Fortune magazine, citing market research indicating as many as 17
million people will make purchases over the Internet in 1998, likened
the growth of this new type of commercial activity to a tidal wave. An
inevitable byproduct of this is similar growth in demand for
encryption products.


The reason for this is that people simply will not make purchases
electronically if they believe the infrastructure is not secure.
Despite the fact that making a purchase at the store with a credit
card has its own inherent security risks, the public perception is
that electronic purchasing poses very high risks that credit card
numbers will be intercepted and fraudulently used. Encryption can help
to allay these fears, and allow electronic purchasing to continue its
explosive growth.


Identity fraud is another problem that will continue to require
attention as we come to rely more and more on the electronic
infrastructure to do business. Apart from providing confidentiality of
data, encryption can be used to authenticate users and to ensure that
information passing through the infrastructure has not been altered in
transmission. Current technologies commonly used for these purposes
are digital signatures and message authentication codes, and they are
being used more and more every day. The government would like to see
these and other authentication technologies more widely used because
they improve the integrity of the infrastructure. In addition, this
use of encryption does not raise the same recovery issues as the use
of encryption for confidentiality. Multiple spare keys would undermine
confidence in the authentication system. Furthermore, government
access to authentication keys would only hinder law enforcement's
ability to prosecute criminals if such access can be used as a defense
to cast doubt on the origin of evidence.


Authentication and information integrity are clearly major factors in
the success of infrastructures for electronic commerce. But the
technologies I have discussed are not necessarily the best, or only,
approaches to the problem. Other technologies are beginning to appear
in the market, some based on biometrics. These use fingerprint or eye
scans for authentication. In the end, the market will decide which
authentication technologies become the standard. Regardless of which
succeeds, more work needs to be done to ensure that authentication
technologies are secure and easy to use.


With regard to encryption for data confidentiality, the U.S.
government continues to support a balanced approach which considers
our commercial interests as well as protecting important law
enforcement and national security interests. At the same time, we
remain committed to promoting the growth of global electronic commerce
to secure financial as well as business communications and
transactions.


When we transferred jurisdiction over export controls on encryption
products and technology from the State Department to the Commerce
Department in December 1996, we were explicitly recognizing its
dual-use nature. It just did not make sense to control encryption as
if it were a weapon. Developing a new encryption policy was difficult
because we did not want to hinder its legitimate use -- particularly
for electronic commerce -- yet at the same time we wanted to protect
our vital national security, foreign policy and law enforcement
interests. We decided that the best way to accomplish this was to
promote the development of strong encryption products that would allow
lawful government access to plaintext.


The major feature of our policy was -- and is -- to promote the
widespread development and distribution of recoverable encryption. In
terms of our export regulations, we established an incentive for
companies to develop this type of encryption by making it easier for
them to export their 56-bit products, in exchange for a commitment to
develop recoverable products. We believed that recoverable encryption
was an answer to the question of how to pursue policy objectives which
sometimes appeared to be contradictory.


Over 60 companies took us up on our offer by establishing recoverable
encryption product development programs within their companies. In
addition, we have given license exception eligibility to more than 20
key recovery encryption products. On top of this, the Commerce
Department has reviewed over 2500 export license applications for
encryption products, including encryption licensing arrangements that
allow exports of unlimited quantities of certain types of encryption
products to certain classes of end users.


It is important to note that export controls are not the only
component of our encryption policy. Under the leadership of Ambassador
David Aaron, the President's special envoy for cryptography, we
initiated discussions with other countries to harmonize international
controls on encryption. We also established pilot projects to show
that recoverable technologies work. We are completing the process of
establishing a key recovery standard for government use, and we
established an advisory committee made up of a broad spectrum of
interested parties to advise the government on encryption policy.


During the past two years, we have learned that there are many ways to
achieve the goal of our encryption policy -- lawful access by
government officials to the plaintext of encrypted information. The
recovery encryption plans we received showed that different technical
approaches to recovery exist. In licensing exports of encryption
products under individual licenses, we also learned that, while some
products may not meet the strict technical criteria of our
regulations, they are nevertheless consistent with our policy goals.
Finally, we learned that the use of non-recovery encryption within
certain trusted industry sectors could also meet our national security
and law enforcement needs.


Our approach has always been to promote industry-led, market-driven
solutions to achieve a balance between all of our interests. This
position has not changed. What has changed is the direction technology
and the market are taking us. Key recovery technology is still a very
important part of our current encryption policy, and we believe that
there is a future for it, particularly for stored data; however, over
the past two years, we have come to recognize that key recovery is not
the only solution.


As I'm sure most of you know, we recently made several changes to our
encryption policy that I would like to summarize for you. These
changes show how we are broadening our policy to embrace other
approaches to achieving our goals.


On September 22, we published a regulation implementing our
announcement that we would allow the export under license exception of
unlimited strength encryption to banks and financial institutions
located in countries that are members of the Financial Action Task
Force or have anti-money laundering laws. The regulation also allows
exports under license exception of encryption products that are
specially designed for financial transactions. This new policy
recognizes the fact that the banking and financial communities
cooperate with government authorities when information is required to
combat financial and other crimes. The direct result of this policy
change is that over 100 of the world's largest banks and almost 70
percent of the international financial institution market will now be
eligible for strong American-made encryption.


In addition, we have been looking for ways to make sure our policy is
consistent with market realities. Since last March, the Administration
has been engaged in an intensive dialogue with U.S. industry on how
our policy might be improved. The purpose of this dialogue was to find
cooperative solutions that could assist law enforcement, while
protecting national security, plus assuring continued U.S. technology
leadership and promoting the privacy and security of U.S. firms and
citizens in electronic commerce.


The result of this dialogue was an update to our encryption policy
which Vice President Gore unveiled on September 16. This will not end
the debate over encryption controls, but it does address some private
sector concerns by further streamlining exports and reexports of key
recovery products and other recoverable products. The policy update
also liberalizes controls on 56-bit products and on products of
unlimited bit length to certain industry sectors. Specifically, the
new policy allows for:


-- the export of 56-bit DES worldwide to any end user under a license
exception


-- exports of strong encryption to U.S. companies and their
subsidiaries under a license exception


-- exports of strong encryption to the insurance and medical sectors
in 45 countries under a license exception


-- exports of strong encryption to secure on-line transactions between
on-line merchants and their customers in 45 countries under a license
exception.


We recognize that this is an evolutionary process, and we intend to
continue our dialogue with industry. Our policy must continue to adapt
to technology and market changes. We will review our policies again
within one year to see whether further change is necessary. Meanwhile,
BXA is drafting regulations to implement this recent announcement,
which we intend to publish this month.


With respect to developing a common international approach, Ambassador
Aaron made significant progress last week when the Wassenaar
Arrangement members agreed to control mass market encryption greater
than 64 bits at the same time they eliminated controls on products
below 56 bits. This is a clear indication that other countries share
our public safety and national security concerns.


We have learned from experience that export control policies without a
multilateral basis have little chance of being successful. Today, the
United States enjoys a commanding lead in the world market for
software products, including the market for encryption. If our
policies encourage other countries to develop and export the products
we are trying to control, we will not only lose our economic advantage
in this critical market, but we will also fail to achieve our national
security and law enforcement goals.


Public disagreement over encryption policy has been spirited, to say
the least. Many of those on both sides of the debate have been
unwilling to consider how their interests may coincide with the other,
or how they might reach a compromise. This is what we have
accomplished in our dialogue with industry, and it is important that
this process continue. This is clearly the best way to pursue all of
our policy objectives.


Finally, we cannot discount the possibility of congressional action in
this area. The mood in Congress is clearly changing, as shown by the
debate over satellite launches in China and the increasing focus on
tougher export restrictions. In the short term, this may further law
enforcement interests, but it may also retard private sector
development of infrastructure security systems that use strong
encryption.


Thus far congressional debate over encryption policy has been
acrimonious, and Congress has been unable to pass encryption
legislation. I believe it would be a mistake to pull the critical
infrastructure issue into the encryption debate. Protecting our
infrastructures is an urgent national priority. Encryption export
policy is evolving toward allowing strong encryption for trusted
components of the electronic commerce infrastructure. We are moving in
the right direction on both issues. We don't want to jeopardize the
successes we have had so far by unnecessarily linking one debate to
the other.


When I consider the pace of technological development in this country,
I cannot help but be excited about current and future prospects for
economic growth and prosperity. Protecting the safety of our citizens
and the foundations of our economic system is a responsibility the
government takes very seriously. Our encryption and critical
infrastructure policies will accomplish this, and will preserve U.S.
economic strength as we move into the twenty-first century. Thank you.


(end text)