STATEMENT OF SENATOR PATRICK LEAHY
Hearing Before the Senate Commerce Committee
U.S. Encryption Policy
The PRO-CODE Bill, S.377
March 19, 1997
Thank you for the opportunity to testify here today about the legislation Senator Burns and I, joined by others from both sides of the aisle, have introduced to put our country's encryption policy on a sensible course.
We have introduced two encryption bills: the "Encrypted Communications Privacy Act," which has been referred to the Judiciary Committee, and the "PRO-CODE" bill, pending before this Committee. While there are differences in these bills, they share the same overarching guiding principles for U.S. encryption policy. These principles can be summed up as FREEDOM TO CHOOSE and FREEDOM TO COMPETE.
FREEDOM TO CHOOSE
Americans should be free to choose any encryption method that suits their needs to protect the privacy of their online communications and computer files. Government efforts to dictate to its citizens the type of encryption they should use will be fruitless. If consumers have no need for the government-sanctioned encryption, they simply will not use it. The marketplace can talk back, as the failure of the Clipper Chip clearly demonstrated.
The Administration does recognize the power of the marketplace. In the recent report, A Framework for Global Electronic Commerce, the Administration has urged governments around the world to "adopt a non-regulatory, market-oriented approach to policy development around electronic commerce." The Administration knows how to talk the talk, but they are stumbling when they try to walk the walk. This tendency has also afflicted all previous administrations when confronting these new and complex technologies.
For those who may have a feeling of deja vu about this hearing, we should not fail to recognize the progress that has been made. The attention we gave to this issue in classified briefings and public hearings helped the Administration recognize the need for reform. The Administration has taken steps in the direction called for in our legislation by transferring export control authority for certain encryption products from the State Department to the Commerce Department and by loosening export controls.
But they have been doing their own version of the Lindy: two steps forward, and one step back. DES-strength encryption may be exported but only for two years and only by companies agreeing to develop key recovery systems and to open their business plans for review by the government.
At the same time, the Administration is urging many of our principal trading partners to adopt a global key recovery system. In my view, the Administration is putting the proverbial cart before the horse. They are promoting key recovery around the world without having in place privacy safeguards here at home, defining how and under what circumstances law enforcement and others may get access to decryption keys. Many users have legitimate concerns about investing in, let alone using, key recovery products without clear answers on how the FBI, or foreign governments -- including those with poor human rights records or histories of economic espionage -- will get access to their keys. We need clarity on these fundamental privacy issues.
Moreover, we need to carefully consider the practical costs and benefits of a key recovery system. Costs will be associated with keeping secure the highly confidential decryption keys that such a system will generate. Not every computer user will be able to, or will be interested in, bearing those costs, particularly over long periods of time. How much would such a system boost the cost of using strong encryption? There are many unanswered questions, which is why the National Research Council in its CRISIS report, issued last year, warned, "Aggressive government promotion of escrowed encryption is not appropriate at this time...."
FREEDOM TO COMPETE
American companies should be free to compete in the global marketplace and meet the demands of customers -- both foreign and domestic -- for strong encryption. We need to loosen export restrictions on encryption products so that American companies are able to export any generally available or mass market encryption products. The Administration's unilateral regulatory reforms are not enough.
Even under the current regime, popular browser software, such as Microsoft's Internet Explorer and Netscape Navigator, may not be exported in the form generally available here, since these software packages use 128-bit encryption. Lotus Notes shareware, which uses 64-bit encryption, may not be exported in the same version sold domestically. Similarly, AT&T announced earlier this year a new fixed wireless technology to carry high-speed digital communications directly to the home to use for telephones and computer communications and Internet access. They plan to build into the system TRIPLE DES, which has a key length of 112 bits, far greater than the strength the government allows for export. Unless we change our export policy, AT&T likely will be unable to sell the same secure version of this technology around the world.
COMPUTER SECURITY IS AN ECONOMIC ISSUE
We are mindful of the national security and law enforcement concerns that have dictated the Administration's policy choices on encryption. These agencies fear that the widespread use of strong encryption will undercut their ability to eavesdrop on terrorists or other criminals, or to decipher computer files containing material evidence of a crime.
But strong encryption can also serve as a significant crime prevention tool to stop online theft, vandalism and snooping. For example, modern-day graffiti has moved from physical space to cyberspace and now takes the form of leaving messages on government Web sites. In the past year, hackers have broken into the Web sites of NASA, the CIA and the Department of Justice and substituted politically charged messages and sometimes obscenities for the legitimate information accessible on those sites. Such break-ins reveal the vulnerability of government systems to hackers. These pranks are no joking matter, since these vulnerabilities can pose serious security breaches. The General Accounting Office published a startling report last year suggesting that the Department of Defense may have experienced as many as 250,000 hacker attacks in 1995 alone, the majority of which were successful. The vulnerability of our government computer systems puts vast amounts of sensitive government information at risk of unauthorized access and disclosure.
Government computer systems are not the only ones at risk. A recent survey conducted by Information Week and Ernst & Young of major U.S. companies found that more than half of the companies surveyed experienced losses due to information security breaches over the last two years. When you add computer viruses to the mix, a huge number -- 78 percent -- suffered losses. Some of the companies reported losses of as much as $1 million or more.
Computer security is not just a law enforcement issue, but also an economic one. Breaches of computer security are resulting in direct financial losses to U.S. businesses from the theft of trade secret and proprietary information. This hurts our economy.
NEEDED: STRONG ENCRYPTION
We can hike criminal penalties to astronomical levels to try to stop hackers and computer crooks, but this will not deter all computer criminals. We should keep in mind that the best defense is a good offense. Americans and American firms must be encouraged to take preventive measures and use encryption to protect their computer information and systems.
The FBI recognizes that encryption is an important tool to protect the security and confidentiality of our computer information. A recent issue of the FBI Law Enforcement Bulletin observed "a significant relationship between file or data encryption and reduced theft of intellectual property. Encryption, therefore, should be considered an important tool for protecting confidence information."
The Computer Emergency Response Team -- or "CERT," for short -- is on the front line of trying to protect the Internet from security breaches. CERT has observed that "many of the computer security crimes and incidents on the Internet could have resulted in less damage or been avoided with the personal use of strong encryption." In a January 1997 report to the President's Commission on Critical Infrastructure Protection on how the government can reduce risks to the Internet and other critical infrastructures, CERT recommended that the government take steps to "ensure public policy facilitates the widespread use of encryption to protect information and users of cyberspace."
Nevertheless, one prominent expert on computer security told a Senate panel last year that:
"U.S. cryptographic policy has generally not been sufficiently oriented toward improving the infrastructure, in that it has been more concerned with limiting the use of good cryptography. U.S. crypto policy has instead acted as a deterrent to better security."
We need to make sure the government is encouraging -- and not standing in the way of -- the use of strong encryption and other technical solutions to protect our computer systems. I fully concur with CERT's recommendation, and the encryption legislation we have introduced would help implement its recommendation to encourage the widespread availability of strong encryption.
I look forward to working with the Members of this Committee and the Administration in crafting a constructive U.S. encryption policy that gets the government out of the way of better security for our computer networks. Our national encryption policy has focused almost entirely on the needs of our law enforcement and national security agencies, and neglected the needs of individuals, businesses and our economy. We need to bring more common sense and better balance to this issue.