Luncheon Address
     Under Secretary William A. Reinsch
     Bureau of Export Administration
     U.S. Department of Commerce
     Defense Week 19th Annual Conference
     "Defending National Critical Infrastructure"
     December 7, 1998

Good afternoon. I am pleased to be here today to discuss the Administration's encryption policy
and how it relates to the President's initiative on critical infrastructure protection.
First, a caveat.  Encryption is only one piece of the larger critical infrastructure pie.  Clearly,
strong encryption helps protect electronic infrastructures.  However, as important as encryption is
for this purpose, we would not be wise to allow the debate over encryption policy to hinder our
efforts in the larger critical infrastructure area.  For this reason, we are developing policies in
these two areas along separate tracks.  By the time I finish my remarks, I hope you will agree
with me that this is the best course of action.
Encryption is a critical issue for our country, and what we do in this area will have a profound
impact on the safety and well-being of Americans everywhere.  We should all be concerned
about the national security and law enforcement implications of widespread use of strong
encryption.  We should also not forget the role encryption plays in providing us with economic
security and privacy.
Export controls -- an integral part of our encryption policy -- are particularly challenging for
policy makers because they involve technologies that are constantly evolving.  Among all of the
technologies that are currently subject to export controls, computer software is probably
changing the most rapidly.  In large part, this is due to the rapid growth and the continuous
development of new ways to use it.
One of the many uses of the Internet which will have a significant effect on our lives is electronic
commerce.  A recent article in Fortune magazine, citing market research indicating as many as 17
million people will make purchases over the Internet in 1998, likened the growth of this new type
of commercial activity to a tidal wave.  An inevitable byproduct of this is similar growth in
demand for encryption products.
The reason for this is that people simply will not make purchases electronically if they believe
the infrastructure is not secure.  Despite the fact that making a purchase at the store with a credit
card has its own inherent security risks, the public perception is that electronic purchasing poses
very high risks that credit card numbers will be intercepted and fraudulently used.  Encryption
can help to allay these fears, and allow electronic purchasing to continue its explosive growth.
Identity fraud is another problem that will continue to require attention as we come to rely more
and more on the electronic infrastructure to do business.  Apart from providing confidentiality of
data, encryption can be used to authenticate users and to ensure that information passing through
the infrastructure has not been altered in transmission.  Current technologies commonly used for
these purposes are digital signatures and message authentication codes, and they are being used
more and more every day.  The government would like to see these and other authentication
technologies more widely used because they improve the integrity of the infrastructure.  In
addition, this use of encryption does not raise the same recovery issues as the use of encryption
for confidentiality.  Multiple spare keys would undermine confidence in the authentication
system.  Furthermore, government access to authentication keys would only hinder law
enforcement's ability to prosecute criminals if such access can be used as a defense to cast doubt
on the origin of evidence.
Authentication and information integrity are clearly major factors in the success of
infrastructures for electronic commerce.  But the technologies I have discussed are not
necessarily the best, or only, approaches to the problem.  Other technologies are beginning to
appear in the market, some based on biometrics.  These use fingerprint or eye scans for
authentication.  In the end, the market will decide which authentication technologies become the
standard.  Regardless of which succeeds, more work needs to be done to ensure that
authentication technologies are secure and easy to use.
With regard to encryption for data confidentiality, the U.S. government continues to support a
balanced approach which considers our commercial interests as well as protecting important law
enforcement and national security interests.  At the same time, we remain committed to
promoting the growth of global electronic commerce to secure financial as well as business
communications and transactions. 
When we transferred jurisdiction over export controls on encryption products and technology
from the State Department to the Commerce Department in December 1996, we were explicitly
recognizing its dual-use nature.  It just did not make sense to control encryption as if it were a
weapon.  Developing a new encryption policy was difficult because we did not want to hinder its
legitimate use -- particularly for electronic commerce -- yet at the same time we wanted to 
protect our vital national security, foreign policy and law enforcement interests.   We decided
that the best way to accomplish this was to promote the development of strong encryption
products that would allow lawful government access to plaintext.
The major feature of our policy was -- and is -- to promote the widespread development and
distribution of recoverable encryption.  In terms of our export regulations, we established an
incentive for companies to develop this type of encryption by making it easier for them to export
their 56-bit products, in exchange for a commitment to develop recoverable products.  We
believed that recoverable encryption was an answer to the question of how to pursue policy
objectives which sometimes appeared to be contradictory.
Over 60 companies took us up on our offer by establishing recoverable encryption product
development programs within their companies.  In addition, we have given license exception
eligibility to more than 20 key recovery encryption products.  On top of this, the Commerce
Department has reviewed over 2500 export license applications for encryption products,
including encryption licensing arrangements that allow exports of unlimited quantities of certain
types of encryption products to certain classes of end users.
It is important to note that export controls are not the only component of our encryption policy. 
Under the leadership of Ambassador David Aaron, the President's special envoy for
cryptography, we initiated discussions with other countries to harmonize international controls
on encryption.  We also established pilot projects to show that recoverable technologies work. 
We are completing the process of establishing a key recovery standard for government use, and
we established an advisory committee made up of a broad spectrum of interested parties to
advise the government on encryption policy.
During the past two years, we have learned that there are many ways to achieve the goal of our
encryption policy -- lawful access by government officials to the plaintext of encrypted
information.  The recovery encryption plans we received showed that different technical
approaches to recovery exist.  In licensing exports of encryption products under individual
licenses, we also learned that, while some products may not meet the strict technical criteria of
our regulations, they are nevertheless consistent with our policy goals.  Finally, we learned that
the use of non-recovery encryption within certain trusted industry sectors could also meet our
national security and law enforcement needs.
Our approach has always been to promote industry-led, market-driven solutions to achieve a
balance between all of our interests.  This position has not changed.  What has changed is the
direction technology and the market are taking us.  Key recovery technology is still a very
important part of our current encryption policy, and we believe that there is a future for it,
particularly for stored data; however, over the past two years, we have come to recognize that
key recovery is not the only solution. 
As I'm sure most of you know, we recently made several changes to our encryption policy that I
would like to summarize for you.  These changes show how we are broadening our policy to
embrace other approaches to achieving our goals.  
On September 22, we published a regulation implementing our announcement that we would
allow the export under license exception of unlimited strength encryption to banks and financial
institutions located in countries that are members of the Financial Action Task Force or have anti-
money laundering laws.  The regulation also allows exports under license exception of
encryption products that are specially designed for financial transactions.  This new policy
recognizes the fact that the banking and financial communities cooperate with government
authorities when information is required to combat financial and other crimes.  The direct result
of this policy change is that over 100 of the world's largest banks and almost 70% of the
international financial institution market will now be eligible for strong American-made
encryption.
In addition, we have been looking for ways to make sure our policy is consistent with market
realities.  Since last March, the Administration has been engaged in an intensive dialogue with
U.S. industry on how our policy might be improved.   The purpose of this dialogue was to find
cooperative solutions that could assist law enforcement, while protecting national security, plus
assuring continued U.S. technology leadership and promoting the privacy and security of U.S.
firms and citizens in electronic commerce. 
The result of this dialogue was an update to our encryption policy which Vice President Gore
unveiled on September 16.  This will not end the debate over encryption controls, but it does
address some private sector concerns by further streamlining exports and reexports of key
recovery products and other recoverable products.  The policy update also liberalizes controls on
56-bit products and on products of unlimited bit length to certain industry sectors.  Specifically,
the new policy allows for: 
     The export of 56-bit DES worldwide to any end user under a license exception
     Exports of strong encryption to U.S. companies and their subsidiaries under a license exception
     Exports of strong encryption to the insurance and medical sectors in 45 countries under a license exception
     Exports of strong encryption to secure on-line transactions between on-line merchants and their customers in 45 countries under a license exception.
We recognize that this is an evolutionary process, and we intend to continue our dialogue with
industry.  Our policy must continue to adapt to technology and market changes.  We will review
our policies again within one year to see whether further change is necessary.  Meanwhile, BXA
is drafting regulations to implement this recent announcement, which we intend to publish this
month. 
With respect to developing a common international approach, Ambassador Aaron made
significant progress last week when the Wassenaar Arrangement members agreed to control mass
market encryption greater than 64 bits at the same time they eliminated controls on products
below 56 bits.  This is a clear indication that other countries share our public safety and national
security concerns.
We have learned from experience that export control policies without a multilateral basis have
little chance of being successful.  Today, the United States enjoys a commanding lead in the
world market for software products, including the market for encryption.  If our policies
encourage other countries to develop and export the products we are trying to control, we will
not only lose our economic advantage in this critical market, but we will also fail to achieve our
national security and law enforcement goals.
Public disagreement over encryption policy has been spirited, to say the least.  Many of those on
both sides of the debate have been unwilling to consider how their interests may coincide with
the other, or how they might reach a compromise.  This is what we have accomplished in our
dialogue with industry, and it is important that this process continue.   This is clearly the best
way to pursue all of our policy objectives.
Finally, we cannot discount the possibility of congressional action in this area.  The mood in
Congress is clearly changing, as shown by the debate over satellite launches in China and the
increasing focus on tougher export restrictions.  In the short term, this may further law
enforcement interests, but it may also retard private sector development of infrastructure security
systems that use strong encryption.  
Thus far congressional debate over encryption policy has been acrimonious, and Congress has
been unable to pass encryption legislation.  I believe it would be a mistake to pull the critical
infrastructure issue into the encryption debate.  Protecting our infrastructures is an urgent
national priority.  Encryption export policy is evolving toward allowing strong encryption for
trusted components of the electronic commerce infrastructure.  We are moving in the right
direction on both issues.  We don't want to jeopardize the successes we have had so far by
unnecessarily linking one debate to the other.
When I consider the pace of technological development in this country, I cannot help but be
excited about current and future prospects for economic growth and prosperity.  Protecting the
safety of our citizens and the foundations of our economic system is a responsibility the
government takes very seriously.  Our encryption and critical infrastructure policies will
accomplish this, and will preserve U.S. economic strength as we move into the twenty-first
century.  Thank you.