H.R. 1903
THE COMPUTER SECURITY ENHANCEMENT ACT OF 1997
TO AMEND THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT TO ENHANCE THE ABILITY OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY TO IMPROVE COMPUTER SECURITY, AND FOR OTHER PURPOSES
THURSDAY, JUNE 19, 1997
U.S. House of Representatives,
Committee on Science,
Subcommittee on Technology,
The Subcommittee met at 10:47 a.m., in room 2318 of the Rayburn House Office Building, Hon. Constance A. Morella, Chairwoman of the Subcommittee, presiding.
Mrs. MORELLA. I am going to call to order the meeting of the Science Committee, the Subcommittee on Technology.
I thank our panelists for being so patient. We did decide in the vote not to adjourn.
Mrs. MORELLA. There was a plan to have a series of other votes, which is why I was delayed and other members of the Subcommittee are delayed. And, they just decided they were going to try to negotiate a problem they have with the rule on the defense bill. And, therefore, we will commence our hearing, which is quite important.
Today's hearing is going to focus on H.R. 1903, the Computer Security Enhancement Act of 1997. I would like to begin by complimenting the Subcommittee's Ranking Member, Bart Gordon, for his hard work in helping craft a bipartisan bill to address our government's computer security needs.
And, along with Mr. Gordon, Science Committee Chairman Sensenbrenner, Ranking Democratic Member Brown, Committee Vice Chair Ehlers, Representatives Davis, Stabenow, Jackson Lee, Sessions, Pickering, Traficant, Cook, Cannon and I have all introduced H.R. 1903. The bill amends and updates the Computer Security Act of 1987, which gave the National Institute of Standards and Technology the lead responsibility for developing security standards and technical guidelines for civilian government agencies' computer security.
Specifically (and I will run down the highlights of the bill) it reduces the cost and improves the availability of computer security technologies for federal agencies by requiring NIST to promote the federal use of off-the-shelf products for meeting civilian agency computer security needs. Second, it enhances the role of the independent Computer System Security and Privacy Advisory Board in NIST's decision-making process. The board, which is made up of representatives from industry, federal agencies and other outside experts, should assist NIST in its development of standards and guidelines for federal systems.
It also requires NIST to develop standardized tests and procedures to evaluate the strength of foreign encryption products. Through such tests and procedures, NIST, with assistance from the private sector, will be able to judge the relative strength of foreign encryption, thereby defusing some of the concerns associated with the export of domestic encryption products.
Fourth, it clarifies that NIST's standards and guidelines are to be used for the acquisition of security technologies for the Federal Government and are not intended as restrictions on the production or use of encryption by the private sector.
The bill also addresses the shortage of university students studying computer security. I find this really remarkable, that of the 5,500 PhD's in computer science awarded over the last 5 years in Canada and the United States, only 16 were in fields related to computer security.
To help address such shortfalls, the bill establishes a new computer science fellowship program for graduate and undergraduate students studying computer security. The bill sets aside $250,000 a year, for each of the next 2 fiscal years, to enable NIST to finance computer security fellowships under an existing NIST grant program.
And, finally, the bill requires the National Research Council to conduct a study to assess the desirability of creating public key infrastructures. The study will also address advances in technology required for public key infrastructure.
You know, all of these measures I have brought out are intended to accomplish two goals. First, to assist NIST in meeting the ever-increasing computer security needs of federal civilian agencies; second, to allow the Federal Government, through NIST, to harness the ingenuity of the private sector to help address its computer security needs.
Since the passage of the Computer Security Act, the networking revolution has improved the ability of federal agencies to process and transfer data. It has also made that same data more vulnerable to corruption and theft.
You know, in February, the General Accounting Office highlighted computer security as a government-wide, high risk issue in its ''High Risk Series.'' GAO specifically identified the lack of adequate security for federal civilian computer systems as a significant problem.
While this is the first time that GAO included computer security in its high risk series, it's not the first time that GAO has addressed this issue. Since June of 1993, the General Accounting Office has issued over 30 reports detailing serious information security weaknesses at federal agencies.
And, in a September 1996 report, GAO reported that over the past 2 years, serious information control weaknesses existed at 10 of the 15 largest federal agencies. The significance of these weaknesses cannot be understated.
According to another GAO report, in 1995 alone, the Department of Defense may have experienced as many as 250,000 attacks to its computer systems. It's estimated that fully 64 percent of these attacks succeeded in gaining access to DOD systems.
Concurrent with the release of GAO's high risk report, this Subcommittee held the second in a series of computer security briefings that I had initiated in the 104th Congress. During the briefing, members of the Science Committee heard from some of the most respected experts in the field. They all agreed that the Federal Government must do more to secure the sensitive electronic data it possesses.
In response, I included increased authorizations, with the approval of this Subcommittee, of $10 million a year in H.R. 1271, the Federal Aviation Administration Research, Engineering and Development Authorization Act of 1997, and $4 million a year in H.R. 1274, which was the NIST Authorization Act of 1997. These increases, if appropriated, should allow the FAA to conduct the research required to improve the security of its computer systems and enable NIST to increase its efforts to improve computer security in federal agencies.
The increase in authorizations, however, is only one part of the solution. Updating the Computer Security Act to enable NIST to better utilize private sector advances in computer security technologies is another.
The Federal Government is not alone in its need to secure electronic information. The corruption of electronic data threatens every sector of our economy.
The market for high quality computer security products is enormous. And, the U.S. software and hardware industries are responding. The passage of H.R. 1903, I believe, will enable the Federal Government, through NIST, to benefit from these technological advances.
I look forward to hearing from our distinguished panelists today. And, in my estimation, it's a good bill. And, I am hopeful we can move it through the legislative process in short order.
And, I am now delighted and honored to recognize the Ranking Member of this Subcommittee for his comments, Mr. Gordon.
[The text of H.R. 1903 follows:]
Insert offset folios 1-12
Mr. GORDON. Thank you. I want to join Chairwoman Morella in welcoming everyone to this hearing.
Not a day goes by that we don't see some reference in the news to the Internet and the explosive growth of electronic commerce. What was originally envisioned as a network for defense communications and university research is now an international communications network of which we are just beginning to realize its potential.
Both the Office of Technology Assessment and National Research Council reports have identified a major obstacle to the growth of electronic commerce: the lack of widespread use of encryption products. The Computer Security Enhancement Act of 1997 is the first step to encourage the use of encryption products, both by the federal agencies and the private sector. This is, in turn, or, this in turn will support the growth of electronic commerce.
The Computer Security Enhancement Act of 1997, which amends the Computer Security Act of 1987, depends on the close collaboration and cooperation between the National Institute of Standards and Technology and industry in developing standard reference materials and reference standards that are key to commerce. This legislation highlights the need for NIST to expand its activities in the area of electronic commerce.
H.R. 1903 strengthens NIST's role in coordinating federal agencies' efforts to utilize encryption and digital identification products. It encourages federal agencies to adopt and use commercially available encryption technologies whenever possible.
In addition, this legislation allows NIST to evaluate the technical merit of industry claims of the strength of generally available foreign encryption products. Hopefully, this will defuse some of the tension surrounding the issue of export of domestic encryption products.
Not only is this legislation consistent with the recommendations of the Office of Technology Assessment and the National Research Council, it is also in line with a set of resolutions adopted by the NIST Computer System Security and Privacy Advisory Board on June 6, 1997. Finally, I believe this bill is consistent with the goals of President Clinton's upcoming policy announcement on electronic commerce.
I believe that the most important underlying element of H.R. 1903 is that it recognizes that government and private sector computer security needs are similar. Hopefully, the result will be lower cost and better security for everyone.
It has been a pleasure working with Chairwoman Morella on crafting this piece of legislation. I look forward to working with her to move this bill through the legislative process.
I want to thank our witnesses for taking the time to appear before us. And, I look forward to hearing your comments.
Mrs. MORELLA. Thanks, Mr. Gordon. I want to recognize Mr. Brady from Texas, who is here. Do you have any opening comments that you would like to make?
Mr. BRADY. No, thank you.
Mrs. MORELLA. Ms. Rivers from Michigan.
Ms. RIVERS. No, thank you.
Mrs. MORELLA. All right. And, Mr. Ehlers from Michigan also.
Mr. EHLERS. Thank you, Madam Chairwoman. Just a few words. I apologize for being late, but I was, interestingly enough, I was at a meeting with the Speaker and several members on the encryption problem, export encryption problem, and had a very fruitful discussion.
I think very few people realize the importance of computer security and the importance of proper encryption of data flowing over the Internet and other public means of communications. And, I am very pleased that we have this hearing.
I am pleased with your interest in the topic, Madam Chairwoman. And, I am pleased we are taking action on this.
I think it's extremely important for our Nation to be ahead of the curve on this. And, I hope we can soon change, even though that's not directly the concern here, I hope we can soon change our national export policy on encryption so that we can continue to maintain the lead on this issue and can show the rest of the world how it should be done.
Thank you very much.
Mrs. MORELLA. Thank you, Mr. Ehlers. I am glad you were at that meeting.
And, I note also, in my opening comments, I indicated that you are also a co-sponsor of this legislation we are considering.
And, now on to hear the distinguished panel that we have. Thank you, again, first of all, for your patience. You found out what it's like to testify here in the House of Representatives. I am sure that the Senate is probably not even as timely as we are.
I would like to just recognize (and we will proceed in this order, probably asking you to speak maybe not more than about 5 minutes, knowing that your total testimonies will be included in the record; so, if you want to, abbreviate) the Honorable Gary Bachula, the Acting Under Secretary for Technology in the Technology Administration of the U.S. Department of Commerce; Mr. Whitfield Diffie, who has his doctorate in technical sciences, distinguished engineer, Sun Microsystems from Mountain View, California, welcome; Mr. Stephen Walker, who is the President and CEO of Trusted Information Systems, Incorporated, Glenwood, Maryland; Mr. James Bidzos, President and CEO of RSA Data Security, Redwood City, California, thank you for being here; and, Marc Rotenberg, Director, Electronic Privacy Information Center, Washington, DC, Esquire, thank you also.
I appreciate it. And, we will start off then with Mr. Bachula.
STATEMENT OF HON. GARY R. BACHULA, ACTING UNDER SECRETARY OF COMMERCE FOR TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE TECHNOLOGY ADMINISTRATION, WASHINGTON, DC
Mr. BACHULA. Thank you, Madam Chairwoman, for the opportunity to testify on H.R. 1903, the Computer Security Enhancement Act of 1997.
I, first, want to commend you and the Committee members and your staff for turning the attention of Congress to the vital issue of securing our government's and our Nation's information infrastructure. I do have a longer written statement which I would like to be included in the record and with your permission, I would offer some highlights in my oral testimony.
Mrs. MORELLA. With no objection, that will be the case.
Mr. BACHULA. Madam Chairwoman, we stand today at the dawn of a whole new world of electronic commerce, doing business digitally using the emerging information infrastructure. This new era will change all of our lives.
It will allow businesses to buy and sell, to recruit workers, make contracts, exchange money and to organize instantaneous supply chains around the globe. It will allow consumers a dizzying set of choices in banking, making travel reservations, home shopping and literally, will eventually, allow them to custom order products where hitting the return button on home PC will start in motion a process of custom designed assembly of materials, manufacturing and shipping that may occur in only a day or two.
Within a few years, you may be able to order a custom made suit fit to your exact measurements from a highly interactive electronic catalog that will allow you to see the suit on a model, maybe even a model of yourself, turn it around to three dimensions, allow you to try different styles, colors or fabrics before your eyes. And, then when you order that suit, you will set in motion a process where fabric will be shipped from a supplier in one State to a factory in another. Very high tech cutting machines will assemble that piece of clothing, and the suit will be delivered to your home in just a few days.
And, the system that ordered that suit will arrange for the payment, keep a record so you can order another. And, maybe it will send you a note a year or two later with a discount coupon asking whether you are ready for another one.
Or, imagine shopping for furniture and with the appropriate computer program trying out different pieces and styles of furniture in a very realistic but virtual representation of your own family room. If you like a particular couch, but need it to be 3 inches shorter to fit between your tables, you can make that request as well as test the look of different colors and styles.
And, again, when you order, you will set in motion a whole set of activities that some call manufacturing on demand. Others of us might just call that pretty cool.
But, electronic commerce, to grow and succeed to that kind of vision, requires a reliable, secure and trustworthy environment. To buy and sell over the network, we need to have confidence that I am who I say I am.
We need to have confidence in the integrity of some kinds of information, that some information has not and cannot be tampered with by hackers. We need to know that we can transact business perhaps with our doctors that is private.
We need to have access to public information, but also the assurance that the wrong people will not have access to classified or private information. The tools that make electronic commerce possible are the tools that we are talking about here today.
The discussions can get pretty detailed and esoteric. Sometimes the debates get passionate.
I am not a computer expert myself nor have I engaged in some of these emotional debates. I am here today to talk about NIST's role in computer security and enabling this exciting, rapidly evolving and potentially very lucrative for the U.S. economy, arena of electronic commerce.
When the Computer Security Act was enacted 10 years ago, things were a lot simpler, particularly in the Federal Government. On the whole, our computer systems were centralized; networks were isolated; applications were compartmentalized.
Physical threats to systems were the predominant concern at that time. The term ''virus'' was just beginning to become part of our lexicon. And, things like digital warfare or digital terrorism were very abstract notions.
Today, government agencies are increasingly delivering services and information directly to citizens via powerful computer applications, using technology that spans the range from large systems to desktop and laptop computers often connected in decentralized networks. These applications are increasingly interactive.
An individual virtually anywhere in the world can access government systems. In many cases, it is the kind of access that the government wants to encourage and should be providing. In other cases, unfortunately, it is not.
In this emerging global information infrastructure, government and private sector systems and networks are increasingly intertwined and, thus, face common threats and risks. Government must be keenly aware that the public is sensitive to issues of electronic access to confidential information, as demonstrated in complaints over access to social security benefits records on line.
Both government and private sectors recognize that the reliability of systems depends upon assurances of personal privacy. Both sectors also have similar requirements for confidentiality, integrity of data and access to public information.
In this rapidly changing environment, the Department of Commerce has and will continue to work with the information technology security framework established by the Executive Office of Management and Budget. OMB recently revised the basic management structure that agency computer security programs should establish, and it identifies specific supporting roles for NIST and other agencies.
NIST's primary responsibility in this area is to provide specific technical standards and guidance to assist federal agencies in meeting their security responsibilities. It's important to remember that it's each agency's responsibility to protect their systems and network, but OMB has provided a common management framework to do that and NIST provides technical guidance and standards.
And, we have played a central role in computer security for the U.S. government long before the passage of the Computer Security Act of 1987. Federal Information Processing Standards called by the acronym in government, FIPS, have provided a common basis for cost effective and reliable information technology and security for government.
By and large, in the development of these standards for federal agencies, NIST references and builds upon the standards developed in the private sector. Today, the government will use such industry-developed standards more and more with NIST participating fully in the voluntary standards process.
I would like to highlight a number of important initiatives that NIST is currently undertaking that we believe will make significant contributions toward more effective computer security practices. First, in the past year, we have reorganized and refocused our information technology activities, consolidating them in a new information technology laboratory. Computer security plays a significant and key role in this new organizational structure.
Mr. BRADY. Mr. Under Secretary, if I may interrupt for a moment, we have reserved another minute for your remarks.
Mr. BACHULA. Another minute? Okay. Thank you. NIST has put out standard, or has put out a request for comments on a new advanced encryption standard. We are looking for comments on additional algorithms in the areas of digital signatures, looking at new technologies to include with the existing ones.
We are very much engaged in an effort to look at a new FIPS in the area of key agreement or exchange protocols. The bottom line is that we are doing a great deal to both provide cutting edge, new technologies and to assist federal agencies to comply with the security requirements that they have.
With respect to the proposed Computer Security Act, again, I applaud the Committee for its leadership. We support many of the provisions of this bill.
We strongly support and applaud the portions of the bill that enable NIST to assist, upon request from the private sector, in the establishment of non-federal public key management infrastructures. We support the provisions relating to NIST providing guidance and assistance to federal agencies, including evaluations and tests of commercially available security technologies.
We support Section 5, which provides that NIST will emphasize technology-neutral policy guidelines and must actively promote commercially available products for meeting the security and privacy requirements of federal agencies.
With respect to Section 6 and Section 8, we support the intent and principles behind those. We think that we need to find some improved language because of some possibilities of misunderstandings about that intent.
The one section of the bill that we must oppose, that the Administration must oppose, is Section 7, which provides for NIST to assess the availability and strength of foreign available cryptographic technology as they relate to export restrictions on encryption. The inclusion of these regulatory provisions in this bill clouds the bill's stated objective of improving the security of Federal Government systems.
It injects a debate into this room that probably belongs somewhere else. Moreover, current law and procedures already establish a government-wide process for making such evaluations.
Under current export control law, foreign availability evaluations are appropriately considered as one of many factors that bear on determinations of export control policy, including the area of encryption technologies.
The proposed section would put NIST, a non-regulatory agency, square in the middle of second-guessing both existing regulatory processes and existing executive branch determinations. Our plea to this Committee is to let NIST do what it does best and not throw us in the middle of this regulatory debate.
We support this bill. We would like to work with the Committee on a couple of language improvements in two sections.
Section 7 causes us a problem. But, by and large, this is a good piece of legislation and we very much applaud the Committee for its efforts.
[The prepared statement of Mr. Bachula follows:]
Insert offset folios 13-23
Mr. BRADY. Thank you, Mr. Under Secretary. I know that after the panel concludes, there will be some members of the Committee that will want to talk to you more about Section 7.
Mr. BACHULA. Sure.
Mr. BRADY. Thank you. Dr. Diffie.
STATEMENT OF WHITFIELD DIFFIE, DISTINGUISHED ENGINEER, SUN MICROSYSTEMS, MOUNTAIN VIEW, CA
Mr. DIFFIE. Thank you very much. I would like to thank the Committee for inviting me.
I am going to turn from looking at the future of computer security to looking at the history of how we got to the position we are in at the moment. As I sat down to make these remarks, I realized that NIST and I have been in the cryptographic business for almost exactly the same length of time. It's 25 years ago this coming August that an event I think is worth taking note of occurred.
Larry Roberts, who was the funder of the Arpanet, approached Howard Rosenbloom, who was either Deputy Director for Security or Deputy Director for Research at the time at NSA, and asked for help in development of security technology for the Arpanet. But, he didn't want the work to be classified and they couldn't agree. And, nothing further between those two agencies happened at that moment.
But, Larry Roberts turned and began talking to other people about the security problems of the network. And, one of them was my boss, John McCarthy. And, John McCarthy, in turn, talked to me.
And, effectively, from the fall of 1972 on, I was working full time in cryptography, having turned from previously theoretical work in computer science. At about the same time, the Bureau of Standards was soliciting for algorithms for what eventually became Federal Information Processing Standard 46, the data encryption standard.
And, although when that was proposed we argued a good deal about its adequacy then (and I was one of the big arguers) I have to admit that it has served very well for the past 25 years. We are much better off with it than without it.
And, the work that we did in developing public key cryptography at Stanford has complemented the development, cryptographic developments at the Bureau of Standards. And, the two things have been used together in the development of appropriate commercial protection systems over this past generation. Now, that was the 1970's.
And, NSA cooperated at that time (and I think it was a genuine cooperation) in the development of the data encryption standard. It appeared that by the early 1980's, they may have had second thoughts about this, having a cryptographic system that was out of their direct control in the way they had been used to.
And, in rapid succession, there was a national security decision directive that would vastly have expanded the authority of DOD over security arrangements throughout the Federal Government. There was a plan by NSA called the ''Commercial COMSEC Endorsement Plan'' to produce for the first time sort of directly under NSA's imprimatur and by its standard technique (that is, using secret cryptographic systems that would be protected in tamper resistant hardware) to have what was called ''Type II'' cryptography for the protection of government unclassified sensitive information and all commercial and other information.
And, they would effectively, had that succeeded, have recaptured control over cryptography in the United States. Congress did not consider that appropriate.
It was the subject of widespread protests by industry, particularly the banking community which saw that it needed a much freer, much more openly developed technology. And, in 1987, Congress passed the Computer Security Act, which gave authority to the Department of Commerce, and particularly to the (at approximately the same time renamed) National Institute of Standards and Technology for authority over computer security, network security, communications security standards for civilian government communications.
But, that Act had provisions in it for the NIST to consult with NSA. And, those became expanded into a Memorandum of Understanding between the two agencies that effectively gave NSA control over NIST's actions.
This is a natural outgrowth of having given the authority one way and the money the other way. NIST did not have the resources necessary to do, independently, the work that had been assigned to it.
And, under that regime, which I would trace as running from, let's say, 1989 until some time in the early 1990's, we saw the development and promulgation of three federal information processing standards of which only one, I think, has been generally acclaimed by the outside community. Those were a digital signature standard, developed; incidentally, two out of three of these were developed using academic technology. But, they were developed at NSA.
A digital signature standard, which was not the one which had become a de facto industry standard, and although at a technical level there are pros and cons to each one of those, the effect was opposite to the intent of standardization. It created a rift. It was an attempt to displace an existing standard. And, so far, it has achieved only modest success.
Something more technical called the ''secure hash algorithm.'' That, based on work done at MIT, but elaborated at NSA. And, in general, that has been well received.
And, the most bizarre of the three, the Escrowed Encryption Standard or Clipper Chip, whose strangest feature, to my mind, is that it's a Department of Commerce standard that is based on secret technology that is legally and physically under the control of the Department of Defense and its contractors. So, although the Department of Commerce has legally promulgated the standard, that standard could be cut out from under it by Department of Defense action.
Just incidentally, I spent yesterday at the Armed Forces Communications Electronics exhibition, which is going on here in Washington. And, the government and industry people over there all seem to believe that this technology is about to be declassified.
The NSA people said they tried to get it done in time for the show and didn't succeed. But, maybe the situation is going to be regularized.
Now, I'm very pleased to say that quite recently NIST has begun to take actions that I think are much more consistent with the spirit of the Computer Security Act. They have promulgated a, begun the development of the so-called Advanced Encryption Standard, the replacement for the existing Data Encryption Standard, and done so, I mean, I think Webster said in the last century that the debate couldn't have gone better if his opponent had, you know, planned it that way.
I have to admit that they have followed a course which is very much the course I would have recommended. They began by asking for comments on proposed criteria against which a new standard should be judged.
They declared that the standard would be open, the standard would be unclassified. They are encouraging the submitters to explain everything about the standard, the proposals that they can.
And, I believe this is what is necessary in the modern world in order to have a cryptographic technology that will suit the needs of the diverse community that gives us the promise of this glorious future of Internet commerce and generally a vast improvement in communications that the technology promises.
The diversity of network communications is not measured in the thousands of miles across what the network is or in the millions of machines that are connected to it. It is measured in the diversity of authority, of purposes, of ownership of the devises connected to the network.
And, in order to have security in that environment, which is similar to what we've had all through historyyou have to have security in commercial environments; people have to protect goods; they have to assure orders; they have to keep certain secretswe need a technology that is openly developed and, therefore, can be trusted by everybody who uses it. So, I am very, very pleased to find this legislation, which seems to me to speak to the independence of NIST in performing to this task, to speak to the resources that it needs in performing this task, and I think this bill has come at exactly the right time to support and encourage NIST in what seems to be a return to the, as I would call it, spirit of the Computer Security Act of 1987.
Thank you.
[The prepared statement of Mr. Diffie follows:]
Mr. BRADY. Thank you, Dr. Diffie. And, I know, and each of the members knows, how difficult it is to try to summarize in 5 minutes. But, we do have your written statements.
And, we do have lots of questions afterwards. So, I appreciate it.
Mr. DIFFIE. I never feel it's any point in repeating the statement. You can read that. I tried to say something else.
Mr. BRADY. All of you are very patient. And, we appreciate it.
STATEMENT OF STEPHEN T. WALKER, PRESIDENT AND CEO, TRUSTED INFORMATION SYSTEMS, INCORPORATED, GLENWOOD, MD
Mr. WALKER. Thank you. I appreciate the opportunity to be here this morning. And, I will try to be very brief.
My experience here today is, I think, relevant. I spent 20 years as a government employee starting with the National Security Agency and then the Defense Advanced Research Projects Agency back when the Arpanet was getting started, and the Office of the Secretary of Defense.
For the last 14 years, I have grown my company, Trusted Information Systems, from a one-man consulting shop to a 300 employee publicly traded company. But, perhaps more important than any of that, I had the opportunity to spend 5 years in the early 1990's as a member of the Computer Systems Security and Privacy Advisory Board.
When I was asked to be a member, I had really no clue what it was all about. There were times when the board really didn't quite know what it was supposed to be doing.
But, when the Clipper initiative and the digital signature standard and the other things came out in the early 1990's, the board served a very crucial role, for which I am glad you are recognizing the need of the board and that the efforts of the board need to be enhanced.
I strongly support both the 1987 Computer Security Act and the bill that you are considering here today. I strongly support the open discussion in the public of issues of computer security. In my 30 plus years of experience, I have observed on a number of occasions that when these discussions drift behind closed doors, things don't go well. I am a strong believer in the Advisory Board and have had considerable firsthand experience with its impact during some of its most effective periods.
As this bill points out, NIST has a very important role in directing assistance to the civilian agencies, a role which, for various reasons, as pointed out in Willis Ware's, the resolutions passed recently and his testimony, written testimony here, it hasn't done as well as it could have done. I think the provisions of this bill that strengthen the role of NIST in providing help to civilian agencies is very, very important.
I do worry--and will comment in a minute--on the provisions of the bill that assign NIST new product evaluation responsibilities. I'm not sure that my concern with that is the same as the Administration's concern; but, in fact, I believe that these are very difficult jobs that no one really knows very well how to do.
And, among other things, they will seriously distract NIST from the very important role that only it can do in providing help to the civilian agencies in understanding their computer security comments.
I would like to spend just a minute filling in a few niches of the history that Whit so eloquently commented on. The problems we are talking about here are not new. They date back, at least, to the introduction of DES back in the 1975 to 1977 time frame. Even then, there were struggles as to who should be providing advice to the civilian agencies on computer security and encryption.
In the late 1970's, President Carter signed Presidential Directive 24. Many people have forgotten about this one. It gave the National Telecommunications and Information Administration the responsibility for the unclassified use of encryption.
I know, from personal interactions with folks in the intelligence community, that caused great consternation and, in fact, was one of the things that prompted the passage of--or the signing by President Reagan of NSDD145 in 1984 as a backlash to that directive. That one, as Whit has pointed out, gave the national security community and, in particular, the National Security Agency significant responsibilities in the civilian government area.
The Computer Security Act of 1987, of course, was a backlash, a counter-backlash, if you will, to the NSDD145. And, it gave NIST the responsibility it has today, a very vital importance, to provide assistance to anyone handling sensitive and unclassified information, including the Department of Defense. And, that was always something that sort of stuck in various people's craws.
But, the debate, of course, didn't end there. The Memorandum of Understanding and the struggle over that, which Whit has commented on and I'm sure Marc will tell us something about a little bit later on--but I think the most important problem that followed the bill was the fact that the money wasn't there. Show me the money.
And, NIST did not have the ability to do the things that it was assigned to do in the bill. And, I'm glad that you all are considering improving that situation.
I note that at the height of the DOD's computer security activities in the late 1980's, they had a staff and resources 10 times the size of all of NIST's efforts in this area. I think Whit said pretty eloquently how that was going to work out.
The written statement of Willis Ware, which I have read and agree with, essentially said that the structure of the Act is satisfactory but that the implementation has had significant shortfalls. NIST has chosen in its use of its resources to focus more on research into new problems, next problems, than on the issue that is being pointed out here very strongly, that there are civil agencies who desperately need help solving some of these issues. And, they don't have the resources to figure out how to do that.
I think, as I said, this bill's focus on that is very important.
The Advisory Board is probably the most significant development in the Computer Security Act of 1987. The board has fostered open discussion and a public record of computer security issues such as the Clipper government key escrow system and the digital signature standard debates.
These would not have happened had there not been a board to lead the way in this and to help the government--help the public sector better understand the dangers of government key escrow. I strongly commend the efforts here to enhance the board.
The requirement that the Federal Information Processing Standards must come to the board for a recommendation before sending it to the Secretary of Commerce, I hope some reason prevails there because frequently the board has no information about some of those standards. But, had that provision been there, the escrowed encryption standard, which we talked about earlier, might have been handled differently. And, a very costly and failed effort might have been precluded earlier.
I'm glad to note that back in February, the Administration has decided to abandon government key escrow on the Fortezza card. And, so we've actually perhaps fixed this issue in a relatively short period of time in the normal evolution of government programs.
I am concerned about the portions of the bill that direct the NIST to perform evaluations and tests of information technology. In Section 4 of the bill, the new paragraph 6 is a very difficult task which, I will say, NIST is not well qualified to perform, but that's not to put NIST down. No one is well qualified to perform that job.
The Defense Department spent an enormous amount of time, some of which I was responsible for starting, trying to do that in the 1980's and early 1990's. And, they did not succeed at it. And, so I worry here that we may be launching them on a very expensive task which we are not going to be very happy with the results of.
Similarly, Section 7's tasking to evaluate the capabilities of foreign encryption, while representing a very highly desirable objective that we all would like to see the results of is, itself, also a very difficult task and one that no one in government or industry has been able to perform effectively at this point.
Both of these provisions are sending NIST off on a difficult, expensive and time consuming, I fear, wild goose chase, the result of which, I'm afraid, no one will be happy with. Please, review these provisions carefully while they will consume vast resources and seriously distract NIST from the vital role of providing that consistent and sensible advice to civilian agencies.
Finally, the last point I would like to make, while I am not fundamentally opposed to another NRC study on cryptography, I seriously wonder how much closer we will be to effective public key infrastructure after the study proposed here. Perhaps I will be pleasantly surprised.
I thank you very much for the opportunity to present my views and hope they are somewhat helpful to you.
[The prepared statement of Mr. Walker follows:]
Mr. BRADY. You bet. Thank you, Mr. Walker. Mr. Bidzos, I understand you've had a big week. So, I look forward to your remarks.
STATEMENT OF D. JAMES BIDZOS, PRESIDENT, RSA DATA SECURITY, INCORPORATED, REDWOOD CITY, CA
Mr. BIDZOS. Thank you, Mr. Chairman. I also want to thank the Committee for the opportunity to be here.
I will make a few remarks, try to keep them brief. And, of course, I've submitted a statement.
Let me just say right up front that I'm very supportive of H.R. 1903. I think it is timely, important and offers the potential for the best return on investment in legislation that I've seen in the 12 years, half the time of some of these other gentlemen, that I've been in the business.
But, before I start, I hope I can steal 45 seconds to respond to what we've heard about Section 7 of the bill. I think the Committee has shown a little more wisdom than it is getting credit for. And, let me suggest both to Mr. Bachula and also to my friend, Steve, why I think that might be very, very appropriate.
The fastest growing software company in Germany is a company called Braukat. Braukat's business consists exclusively of replacing the encryption in American-made products that are sold in Germany.
So, when Netscape and Microsoft ship a product to Germany, to a German customer, with the weakened encryption that's required by our export regulations, Braukat comes in and replaces it with a strong encryption similar to, this is all encryption that my company designed, similar to the encryption that is in the U.S. version.
So, first of all, if it isn't the Commerce Department's responsibility to protect U.S. industry by identifying and monitoring this type of activity, whose job is it? I think the bill is right on the money in tasking NIST with those kinds of responsibilities.
I think the Commerce Department, as I will talk about in a moment, in the area of encryption has really let industry down in many, many ways. This is an excellent opportunity to get it back.
It is not difficult. It is not a distraction. It's not technically difficult to determine simply and solely if a foreign company has been able to successfully replace cryptography.
And, I am absolutely confident that should NIST ask them that Netscape and Microsoft would be delighted to make technical resources available if there is even the slimmest hope of some policy change that could be effected by their efforts. So, I think it is neither difficult nor inappropriate for NIST to take on this role.
It is perfectly appropriate for the Commerce Department to be helping U.S. industry in this way.
First of all, let me just say a few words about myself and my company. My company is RSA Data Security. It has been around since 1982. I've been running it for a little over 11 years.
We've been fortunate in that we've designed some very useful technology that has found great commercial success. Our encryption technology is embedded in just about every product that I suspect everybody in this room uses.
If you've surfed the net with Netscape Navigator, Microsoft Internet Explorer, if you use Lotus Notes, if you use products from Oracle, IBM, AT&T, right on down the line, 400 companies, 100 million copies of products that contain our encryption technology, then you are an encryption user. The next time you are using Netscape Navigator, go to the About Netscape and go to the bit about security, and you will find an incredible tutorial about encryption that will tell you a lot about what this technology is doing.
Now, as unbelievable as what I am about to say may sound, in spite of the fact that these 100 million copies of off-the-shelf products exist and are being used by U.S. industry to reinvest themselves, to make themselves more efficient, to do all the things we read about all the time, companies and industries getting turned upside down by the World Wide Web, it is the policy of this Administration that those products cannot be used by civilian agencies of the Federal Government. They are required to use the products based on standard that Dr. Diffie described, the escrowed encryption standard, not what one might call one of the great successes of NIST in the area of standardization or NSA in its short foray into commercial product marketing and development; and, the digital signature standard which, as Dr. Diffie said, was an attempt to displace an existing standard--always a hard thing to do at best, not very successful.
The unfortunate victims of this policy are the civilian agencies of the Federal Government, who are simply trying to provide more security, which the Act directed them to do in 1987. It was a very timely and very good Act.
And, they are finding it very difficult to do that. They either have to pay a huge amount of money for products that contain technology that nobody really wants to support, which are the existing federal standards; or, they have to go through a very complex and difficult waiver process, although the Environmental Protection Agency and the Department of Agriculture have both done that; or, they have to do nothing at all and leave these systems vulnerable. And, obviously, that's unacceptable.
This Committee has recognized that. And, that is one of the very important things that this Act can fix.
The Computer Security Act was an example of great timing and good leadership in 1987. Obviously, the Congress identified the need for computer security.
It gave NIST the responsibility to provide the leadership in computer security for the federal agencies of government. Unfortunately, for reasons that we don't have time to discuss here, NIST was unable to take advantage of the opportunity created for it by Congress.
Perhaps it was the MOU. Perhaps it was a lot of other things.
NIST has done many good things in the area of computer security. But, when it comes to encryption, I'm afraid that they have turned the relationship with industry into an adversarial relationship when, in fact, there was a tremendous opportunity to work with industry; that while it has been missed, we have an opportunity now to correct it. And, I think that's what H.R. 1903 does.
I mentioned how unbelievable it is that in this day and age with that sort of distribution of 100 million products that can be used to reinvent government, according to the Vice President's own initiative, 40 of the 45 pilots in the Vice President's initiative, by the way, use the ''illegal technology.'' This bill would fix all of that.
This bill would direct NIST to get together with industry, to adopt market solutions, give NIST an opportunity to restore its leadership and its credibility with U.S. industry, which would provide an excellent benefit, an excellent result, which is giving the civilian federal agencies, all 120 some of them, the opportunity to simply address the computer security need that they understand and that is so important to them right now.
So, the bill would do wonderful things. It would cause NIST to adopt market solutions. It would give them the opportunity to follow up on these three initiatives that were discussed--the advanced encryption standard which, in light of today's story in the ''Wall Street Journal,'' if you saw it, it's critically important. The 25 year old DES was broken for the first time in history.
A momentous event happened within hours of the appearance of the McCain/Kerrey bill. No time to get into that today either.
But, at any rate, this demonstrates how important it is for NIST to take initiative. It's unfortunate that within 48 hours after DES was broken we are talking about an advanced encryption standard process that will probably take a couple of years.
Wouldn't it have been very, very good and so much better for us if this process had been started 2 or 3 years ago? We would be ahead of the curve instead of behind it.
The other thing that NIST could do is finish its correction of its signature standard and recognize what has gone on in industry.
And, the third thing it could do is complete its key management FIPS effort which, by the way, FOIA documents found by EPIC show that NIST discovered, identified and recognized the need for a key management standard in 1989. And, we still don't have one today. This bill would allow them to get moving on it.
So, basically, in summary, the overall return on investment for this legislation is incredibly high. I think this is a classic example of a great return on a small piece of legislation that will pay dividends throughout the Federal Government, provide enhanced computer security.
It's just hard to see any down side whatsoever to this. And, I made my comments about Section 7. I won't say anymore.
So, basically, the benefits would be the additional security of federal systems, the restoring of NIST's opportunity to take a leadership role and partner with industry, benefit from all of that technology, bring it to federal agencies, be a showcase for computer security solutions, and lead rather than fight over waivers and other things with these federal agencies.
So, I strongly support this legislation. I want to thank the Committee and Madam Chairwoman for their leadership, for the willingness to pursue this and to invest the time.
It's timely. It's important. I couldn't be happier about it.
Thank you very much.
[The prepared statement of Mr. Bidzos follows:]
Mr. BRADY. Thank you, Mr. Bidzos. And, as we pass the mike to Mr. Rotenberg, I will yield the chair to our Chairwoman. Thank you.
Mrs. MORELLA. Mr. Brady did a terrific job. Mr. Rotenberg, we look forward to hearing your testimony.
STATEMENT OF MARC ROTENBERG, DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER, AND ADJUNCT PROFESSOR, GEORGETOWN UNIVERSITY LAW CENTER, WASHINGTON, DC
Mr. ROTENBERG. Thank you very much, Madam Chairwoman. And, thank you to the Subcommittee for the chance to be here this morning.
I haven't been involved with cryptography for quite as long as some of the other members on the panel, but I was there at the birth of the Computer Security Act 10 years ago. And, I would like to say just a few words about this piece of legislation.
You know that at that time in the late 1980's, we didn't have the Internet, we didn't have the World Wide Web. There was not much commercial use of cryptography outside of the financial services sector.
And, we were, at the same time, very much concerned about the Soviet acquisition of western technology. Nonetheless, Congress, through bipartisan support, recognized the need to give NIST a primary role in the development of technical standards to protect computer security within the Federal Government and to create a process for openness, public accountability and private sector participation as those decisions were made.
Now, there have been some bumps in the road over the last 10 years. The Memorandum of Understanding, which was signed in 1989, I think took us on an unfortunate detour.
And, there have been a couple of technical standards discussed earlier--the escrowed encryption standard and the DSS, which have also created some problems. Nonetheless, the fundamental purpose of this legislation, I think, has stood the test of time.
What H.R. 1903 would do is strengthen the Computer Security Act of 1987, build on a solid foundation and ensure that computer security standards are responsive to the needs of the civilian agencies and make best use of private sector input and public advice. And, I can't stress just quite how urgent this is today, 10 years later, because today, in fact, we are increasingly dependent upon the Internet and the World Wide Web for all of the commercial activities and opportunities and electronic commerce that you've heard discussed earlier.
And, we are, at the same time, very much aware of the computer security risks that people face today on line. If you look at some of the recent opinion polls of computer users, what are they most concerned about? Privacy is right up there at the very top.
And, they are talking about their information in computer systems, in the Federal Government's computer systems. And, you know we have legislation that protects that information. But, without the technical standards that ensure that the systems are secure, it's not enough.
What H.R. 1903 does, then, is to ensure that private sector leadership will continue to play a critical role in the development of these standards. It will strengthen the Computer Systems Security and Privacy Advisory Board--I would like to say the island of sanity in the realm of computer security decision-making, that for anyone who has done some work with the board--and I've been there many times over the last 5 or 6 years and continue to be impressed by the very thoughtful, collaborative effort that the board has undertaken to get public input, the best technical advice and ensure that that's incorporated into decision-making.
H.R. 1903 strengthens the Advisory Board. And, I think this is very good.
Also, I would like to say just a word on Section 7. A couple of the witnesses earlier raised some concerns that perhaps Section 7 would be putting NIST in the job of doing some things it shouldn't be doing.
Section 7 actually, I think, is critical to the success of this legislation, because what Section 7 does is require the Department of Commerce to take note of the foreign availability of strong encryption products before the Secretary of Commerce is able to make decisions and recommendations on policy in this area. This is only, you know, common sense.
I mean, obviously these are contentious issues and different groups have different views about what the significance is of foreign availability. But, without some mechanism within the Federal Government to make sure that that information is available to policy makers, I think many of the decisions in this area will continue to be made with blinders on. And, that's not a good way to make policy.
Finally, if I could make just one brief recommendation regarding the proposed study for the National Research Council. As you may know, the NRC completed last year a very well regarded study on cryptography policy, a very complex issue, a comprehensive review and well received. And, I think they've done a good job and should continue to work in the area of computer security.
My only question, which I would like to raise at this point, is whether perhaps topics outside of public key management might also be considered. And, specifically this means looking at new techniques to promote privacy and security on line, techniques to promote anonymous or pseudo-anonymous commerce and communications that are now being explored in other countries.
I think this is also an important area of opportunity and growth for us. And, perhaps the NRC would look in this area as well.
But, speaking on behalf of a lot of people who are using the Internet today and concerned with privacy and security issues, I can tell you that H.R. 1903 is a very important step forward in the right direction. It builds on a solid foundation.
And, we would be happy to provide whatever support we can to move this along. Thank you.
[The prepared statement of Mr. Rotenberg follows:]
Mrs. MORELLA. Thank you, Mr. Rotenberg, for that. And, we are considering the concept of new techniques and would look forward to working with you on that.
I think what I will do for the--before we go to vote, maybe for the first round of questioning, I will--since I was out for a bit--as a courtesy, defer to Mr. Gordon for any questions.
Mr. GORDON. Thank you. We are on a tight framework here with a vote. And, I have a 5-minute rule just like you do.
And, so let me pose a question to you. And, then what I would like is for anyone on the Committee that would like to address it to crisply make some suggestions and then follow up with any kind of written comments that you would like.
Some States have begun to establish a legal framework for digital signatures. What, if any, should be the federal role to encourage the development of such requirements concerning the development of uniform standards or procedures for the certification authorities for this digital signature?
So, we will just start with anybody to make some quick comments. And, then I would like for you to follow up with any maybe written comments.
Mr. BIDZOS. I would be happy to offer one short answer to that question. You are correct, in that there are a number of efforts in various States. Utah has a Digital Signature Act, a number of States, to legitimize, identify and standardize the use of this digital signature technology. A number of private companies are working with a lot of local and state governments to do this.
I talked earlier about the different standards in place in the Federal Government. Essentially, what this whole process has done is built a large wall between industry and the Federal Government.
And, that wall is causing a problem, in that the Federal Government isn't playing a role in that entire process. So, we run the risk of islands of incompatibility if we continue to pursue this.
In fact, recent legislation in the Senate would propose that standards and products built according to new specifications would supersede all these efforts of the States. I think we are headed down the wrong road that way.
So, what's happened is in the absence of a leadership role by NIST over the last few years, industry and state and local and Federal Governments are going their own way. And, I think what one of the benefits of H.R. 1903 is that it would force the Federal Government to come together with industry and with the state and local governments.
Mr. GORDON. Excuse me. Any other suggestions? Yes, sir.
Mr. WALKER. I find myself agreeing with Jim. There are a number of suggestions that have been made over the last year by folks in the Administration that there should be some public infrastructure that would be sanctioned somehow by the Administration. I find that a very depressing thought.
And, linking it to export control and things like that I think is a very wrong thing. It's difficult to see industry just drifting into a way of doing this. That's where we are headed.
But, given the history of what has been happening over the last 7 or 8 years with the Clipper, digital signature and all the rest of these things, I would rather see the Federal Government stay back out of this. If NIST can help industry coordinate its activities, that's fine.
I really oppose--
Mr. GORDON. I don't mean to be discourteous, but is there anybody else that would like to make a quick comment?
Mr. BACHULA. Congressman, the White House and the Department of Commerce, along with other federal agencies, have been working for some 6 months now with the National Governors' Association on an effort called the ''U.S. Innovation Partnership.'' It's an attempt to sort of collaboratively work on some problems in technology in general.
In the area of electronic commerce, the States have identified an interest in a collaborative, sort of not top down process by which they could work with the Federal Government to arrive at common solutions, not have it dictated to them. But, they do--they are looking for ways to arrive at a common solution rather than 50 separate ones.
And, they also recognize that it's not just a question of a technology but very often cases of state law, since they have commercial codes that may need to be updated in this area.
Mr. GORDON. Thank you. I'm afraid my time has run. And, I will welcome any further comments that you might want to submit.
Mrs. MORELLA. Because we have another vote on the Floor, we are going to adjourn for 10 minutes. And, whatever member of the Majority side comes back first, I will let take the chair so that we can continue with the questioning.
Thank you for your patience.
Mr. DAVIS (Presiding.) Thank you. Other members are in the middle of a vote, our second vote, to adjourn today on the House Floor. So, I'm the first one back.
I missed some of your testimony. I read some last night that we had in, but I had a markup of our D.C. Committee today. In fact, we took Mrs. Morella away.
But, I think I know enough to ask a few questions here. And, correct me if I've gone over some ground that you may have already covered.
Mr. Walker, let me just ask you at this point: I think you were saying that NIST's job in this isn't to do an evaluation but you could help and assist. If NIST isn't doing the evaluations, how are they going to know what kind of assistance to offer some of these other companies?
You know, which product is best and that kind of stuff if you are not in the evaluation process?
Mr. WALKER. This is a difficult situation that--because I am not at all opposed to this capability if it can exist. I am just fearful if NIST or the government can do this.
I am reminded of NIST in some other areas of its endeavors in the past where it was asked to comment on a particular commercial product, commented on what it thought was an honest appraisal of it and then came under great pressure from folks that were critical of that particular comment, whether it was right or wrong, and caused a lot of difficulty for the National Bureau of Standards in those days.
To the extent that they have backed off pretty much across the board, as I understand, in not doing qualitative evaluations of products, because they have a difficult time defending the findings when they are contrary to the--whatever the industry group was that asked for it. For example, with the Data Encryption Standard, the only test that NIST does is it, essentially, will take your supposed DES algorithm, put in a known key, grind it for a million times and see if you got the right answer. They will do that, but they won't comment any further on it.
What we are asking in this bill for them to do is actually go in and try to understand not only the qualities of products that where supposedly the person submitting it is willing to give them lots of background, but we are saying we've got to do it for foreign products where you don't have access to the information. All you can do is try to run the product and see what it does.
When all you can do is run the product and see what it does, you can comment on very specific tests that you might run--conformance tests. It's very difficult in security to determine the things that a product doesn't do or the things that it does wrong.
I think the Defense Department, in its computer security initiative over the last 15 years, has spent an enormous amount of energy trying to come up with criteria for evaluating how good computer systems are. And, as much as I had hoped that would be a successful effort, I think it is pretty much viewed now as a failed effort.
And, I'm afraid we may be launching this off on to another repeat of that which will take enormous resources and for which the results, people aren't going to be happy with.
Mr. DAVIS. But, is part of your concern the fact that NIST is working right now on a limited budget in terms of setting priorities? This may not--
Mr. WALKER. Well, of course, a limited budget is the beginning of the problem. But, I'm actually fearful that you may provide them an enormous budget and they will do the same thing that the DOD did with the trusted computer system evaluation criteria--create a huge bureaucracy of 300 people and still not produce results that are the kind of things that we all want.
We would love to have people be able to say, "Yes, this product is really good," or, "That product is really not good." But, whenever the government says that product is not very good, it suddenly makes the government subject to all kinds of attacks and, as I understand it, all kinds of pressure through various legislative processes and elsewhere to, "Oh, no, amend your comment, because it's not favorable to my constituent," or whatever. And, that's the situation that I don't think we want to get an organization like NIST into.
Mr. DAVIS. All right, thank you. Let me ask Mr. Bidzos if he has any comment on that?
Mr. BIDZOS. I disagree with Steve on this. I think NIST would not be so ambitious, because I think they would understand that it would be counterproductive.
Let me use an analogy. What we don't want to do is if we are talking about cars instead of encryption, we don't want to ask NIST to decide which car is better, because Steve is right, people, you know, they are going to start thinking about how comfortable the seats are, how do the brakes feel. That's not what we are about.
The analogy I am talking about here is, let's say, that U.S. car makers sold products overseas but a government restriction caused them to limit the car speed to 40 miles an hour. And, then we found out that a foreign company was selling an upgrade kit that made the car go 120 again, like the ones sold in the United States.
The question is: Does the car overseas, after the upgrade kit is added, go 120 or not? We are asking NIST to operate a radar gun, not to evaluate whether they like the car or whether it's as good as American cars.
And, if the answer is that there's an industry that U.S. government policy is creating that exists for no reason other than to fill the void left by export policy, if the Commerce Department isn't going to help us understand that problem, who is?
Whose job is it to protect U.S. industry in that case if not the Commerce Department?
And, I think the funding provided by H.R. 1903 would address this problem, would give NIST the authority, the money to go and do this job. And, I think they are smart enough not to go off and pursue things that don't make sense, especially when there's ample history through the Defense Department that it's just not a good thing to do.
Mr. DAVIS. Let me ask--I will give you a chance, Mr. Walker, but let me just ask Mr. Bachula, in your testimony you noted that the key technology focus areas in the NIST security program, I think the third one you had was to provide objective criteria for testing and assessing the functionality and assurance of security technology in products.
And, just to bring you into this a little bit, isn't that something NIST ought to already be doing?
Mr. BACHULA. It's important to look at all the words in that sentence--objective criteria for testing but not to do the actual product testing. NIST is not an underwriter's laboratory. It's not a consumer's report.
We are a step removed from that. There are many private sector entities--and I'm talking now about the broad area of standards testing, the measurements--that provide the sort of direct services to American industry.
We are a step removed from that. We maintain basic units of measurements, derive units.
The standards and calibrations have to be traceable back to NIST. But, we are not in the actual product testing business. And, I don't think we want to be. And, good reasons have been expressed for that here.
Mr. DAVIS. Mr. Bachula, let me just add, Section 7, as I read it right now, doesn't impact the export control of encryption products. However, I think Congress is going to certainly roll over the Administration on an encryption policy.
You saw the Judiciary vote. And, I think that will be a done deal, and I wouldn't be surprised if the Administration reversed it.
That's above your pay grade, I guess, as this goes.
Mr. BACHULA. It's outside the purview of--
Mr. DAVIS. Right.
Mr. BACHULA. (continuing) NIST at this point.
Mr. DAVIS. But, do you believe that by simply quantifying the strength of foreign encryption products you would harm national security?
Mr. BACHULA. I think what we have right now is an existing process, an existing regulatory process, existing Executive Branch rulings on how we evaluate export controls. This would have the effect of putting NIST in the middle of that process and, essentially, second-guessing other agencies.
It's not a role we welcome. It has been suggested here that it's not perhaps a role we could do well.
And, the kinds of resources that it might ultimately require raise a question of priorities. We can serve a far better role in this general area and not get into that business.
Mr. DAVIS. Let me ask--and, Mr. Walker, I will give you a chance to comment in a second. But, I haven't heard from a couple of the other panelists.
Let me ask Mr. Rotenberg, if you have any comments on this?
Mr. ROTENBERG. Yes, Congressman. You know, the Department of Commerce already plays a significant role in cryptography policy. I don't think there's any question about that.
What Section 7 of this bill tries to do is make sure that the role that they play is based on some solid evidence, which I think is good not only for science but also for public policy. Basically, it says if you are going to make some recommendations about cryptography in the United States, you really have to take note of what's available around the world.
And, I think this is, you know, just a baseline. I mean, you may come down somewhere else and you may still have some disagreements.
But, I really do have to disagree with Mr. Bachula on this point. I think that's a critical role for NIST to play.
Mr. DAVIS. Okay. Yes, Mr. Diffie, you haven't said anything yet.
Mr. DIFFIE. Well, I find myself torn, because I'm inclined to agree
Mr. DAVIS. You are going to break the tie up here. I think it's 2 to 2.
Mr. DIFFIE. I'm inclined to agree with the objectives of the section, but I'm inclined to think that people have underestimated the difficulty of this activity.
Three years ago before the Senate, Admiral John McConnell, Director of NSA, said a wonderful thing. He said, "I do a market survey of the world's cryptography every 24 hours."
Now, I think that's (a) true; and, (b) that you know how many billions of dollars they spend doing that. And, in some sense, evaluating cryptographic systems is the heart of cryptography and cryptanalysis.
And, it's a very difficult job. And, I doubt that these resources are adequate to produce meaningful results to answer the kinds of issues that are being argued about in where you are saying, you know, "Is this just being exported into a market where there are equivalent products or are the products that are there not actually equivalent to this one?"
So, I am enthusiastic about the idea. I'm not capable of speaking for its success.
Mr. DAVIS. Mr. Walker, I want to give you another chance.
Mr. WALKER. Thank you. I appreciate it.
I agree completely with what was just said. I am in favor of the objectives of this. I am very concerned about how it gets done.
Let me give you some practical experience we've had. Back in 1993, just when Clipper came out, the Software Publishers Association and Professor Lance Hoffman and TIS got together and said, "Let's go out and see what foreign crypto is out there. Let's do a survey."
And, we have--we did that survey with those folks. We have kept it going. It is available on our Web page. It's updated every quarter. We have found thousands of foreign products and thousands of U.S. products.
I testified in both the fall of 1993 and in the spring of 1994 and brought in the foreign products that we had bought. And, there were--it was really neat, because the staffers, before the testimony, said, "Well, the Administration is telling us that there aren't any foreign products available." And, I was able to say, "Well, of course, there are. We have a list of all of these."
And, then they said, "Well, you can't buy them." And, then I was able to prove that we could buy them, because we had a stack of them.
And, then the question was, "Well, but they are not any good." And, the question was, "Are they any good? How do you use these?"
Well, some of them are, in fact, implementations of DES, for example, or of other algorithms. But, the tough problem with encryption products is key management. How do you manage the keys?
Some of them tell you to--these are little simple file encryption products that say, "Type in a pass code." Well, they use that pass code, then, to generate the key.
Well, they might generate a full 56-bit key or a 112-bit key. But, they might generate an 8-bit key or a 2-bit key. You don't know.
And, in fact, there have been allegations that some governments have influenced their companies in their countries to build flaws into systems that they might sell to the United States or elsewhere. It is very hard to know whether, in fact, there is a flaw in the key management system or perhaps even in the algorithm that you can't tell.
And, so I am concerned that asking NIST to--putting NIST in a position of being able to say that a particular product somewhere is better than some other product and making--having the government make a decision based on that, you are really going down a slippery slope very, very fast here.
Mr. ROTENBERG. Mr. Chairman--
Mr. DAVIS. Sure.
Mr. ROTENBERG. If I could just make one quick point.
Mr. DAVIS. Sure.
Mr. ROTENBERG. You know, my friend, Whit Diffie, I think, is right, that this is a difficult task, doing the evaluation. But, this is--the way this section is drafted is almost an appeal as a matter of right.
You see, what requires NIST to undertake this study is in the circumstance where the Secretary of Commerce has imposed or proposes to impose export restrictions on a product. So, here you have the U.S. government telling a U.S. firm, "You cannot send this product overseas." And, the U.S. firm simply wants to say, "Well, would you at least consider the fact that a similar product is currently available overseas?"
What Section 7 does is basically say to the Department of Commerce, "If you are going to take that step, Mr. Secretary, you have to at least consider the fact that a similar product may already be available." And, I think this is very sensible, because if you don't do that you just give this blanket authority that I think, you know, is not sensible.
And, I think this is a critical piece of the bill, frankly.
Mr. DAVIS. Okay. Anybody else? Mr. Bidzos.
Mr. BIDZOS. Could I just add one more comment again?
Mr. DAVIS. Sure.
Mr. BIDZOS. I would take issue with Steve's comments and Whit's, because I think that things have changed so much in the last few years that it's not true anymore that it's that hard to measure things.
When you've got companies who are exploiting our export control laws by doing nothing other than specifically replacing that small crypto part, representing as a part of the product a small--yes, complex but a small part, the review process is very manageable.
Also, when I testified before Senator Burns' committee last summer, I brought along with me a couple of chips, encryption chips, manufactured by NTT, the world's largest company. All these things that Steve was talking about--how do you generate keys and pass codes, maybe it's 2-bits--it's all in the chip. It works.
This is a $200 billion a year company that sells hundreds of millions of chips a year, and it knows how to make them. And, they work. And, there is nothing wrong with them. It's very easy to point to them and say, "These work."
This is an argument that has been put forth by other parts of the government, which is that, you know, you are not threatened competitively because the other products aren't as good. It is easy to demonstrate now that those products are as good.
And, as Marc points out, all we want to do is understand whether that's true or not. If you tell NIST that what they are going to do is take the money provided by H.R. 1903, go to Section 7 and duplicate what NSA tried to do in the 1980's and 1990's, sure, they are going to fail.
If you tell them that they are going to do an evaluation as comprehensive as NSA does when it attacks a crypto system it identifies, sure, they are going to fail. That is absolutely not what Section 7 asks NIST to do.
Mr. DAVIS. I think the last study on foreign availability is now 2 years old, and it was done by NIST.
Let me just ask one other question just to stir it up a little bit. Do you think that--what would be the result of a federal policy that divests NIST of its jurisdiction and gives these duties to NSA?
Mr. WALKER. I think I can speak for all of us in saying that would be a total disaster.
Mr. DAVIS. Okay. Does everybody agree with that?
Mr. BIDZOS. I think you would have a situation where an agency of the Defense Department is making economic policy. So, maybe that's the right question.
Is it okay for NSA to continue making economic policy? And, I submit the answer is no.
Mr. DAVIS. Actually, I appeared on a panel with Mr. Magaziner and a group of high technology executives. And, he just said, "I agree with you on encryption, but the NSA boys won this battle." So, maybe they are making policy.
I am going to turn it over now to Chairwoman Morella and let her assume her Chairwoman's role. Connie.
Mrs. MORELLA. Well, gentlemen, we are finally reaching the finale. And, I appreciate your patience in being here and going through this, particularly the contributions that you have made to our understanding of this bill.
We may disagree with a couple of you on Section 7, but I think we can work out those problems. And, I appreciated Mr. Davis asking some of those questions and your responses.
I guess, Mr. Rotenberg, I wanted to ask you what is your appraisal or assessment of encryption standard setting efforts outside of the United States?
And, do you think we properly address that in this bill, H.R. 1903?
Mr. ROTENBERG. Well, I appreciate your question. I spent the past year working with the Organization for Economic Cooperation and Development on the framework for international cryptography policy.
And, what struck me, looking at how other governments were dealing with this issue, is how important it was to ensure that the Departments of Commerce and Trade and Telecommunications played an active role in this technical standard-setting arena, because I think as other governments realize today, you know, this is the future. And, these technologies are the technologies that are going to make possible commerce in the 21st Century.
So, my sense, having watched these developments in other countries is that today the need to strengthen our commercial side, civilian side, policy development is critical. And, I think in that respect, H.R. 1903 is, you know, absolutely on course.
It is the direction that I think that countries which are aware of the need to ensure strong and vibrant economies are taking.
Mrs. MORELLA. I think I saw you nodding affirmatively. And, I guess that means that you are in favor of his response, that we do need that comes out in H.R. 1903?
Mr. BIDZOS. Yes.
Mrs. MORELLA. I guess, you know, we've tried to focus on enhancing the Computer Security Act and not to be overwhelming. And, I guess, by and large, do you think we have done a good job with this bill?
Now, I think Mr. Rotenberg does, Mr. Bidzos does. Mr. Walker does?
Mr. WALKER. Yes.
Mrs. MORELLA. Okay. You are now on record. Okay, very good. And, I just wanted--
Mr. WALKER. I think this is a very good bill. There are a few parts of it I think need to be looked at.
But, I agree completely with what you are saying and what is trying to be accomplished here.
Mrs. MORELLA. If you can give to this Subcommittee whatever your recommendations are, if there is some language within it that you think might be--
Mr. WALKER. Well, that was part of the testimony that was--
Mrs. MORELLA. That you have in it. So, you have given us that.
Mr. WALKER. And, I don't disagree. It's Section 7, I suppose, and also the section earlier, the new paragraph 6 somewhere, that says they should be evaluating products and all.
I'm just worried that, as my associates here have been saying, all Section 7 is doing is the following. Well, if that's all that Section 7 is doing, then I agree with it completely, too.
Mrs. MORELLA. Okay.
Mr. WALKER. My concern is that I was part of the government for 20 some years, and I've watched the government since then. And, when you say, "Go do this," they tend to say, "Oh, but in order to make sure I am doing it right, I have to do this and this and this." And, that turns into a gigantic situation, which is very expensive and ends up being unsatisfactory to anybody.
That's my real concern here, that whether you are telling--whether the language is clear enough that this is the only thing they are going to do I think is debatable, because we've come to different views just reading the words. My concern is that if it is not very clear how limited it is that you want them to do that you may be creating a gigantic bureaucracy.
That's really my concern here, not with the principle that is trying to be accomplished. We do need to understand how these systems work, both foreign and domestic.
I just find it hard--it has been hard up until now for people to do that. If it's all built into a chip, it's easy to test it.
But, a lot of these products involve a lot of software. There are threats that other governments have, in fact, directed companies to build flaws into these systems. I'm not going to mention specifics, but there have been these things in the press for some time. And, it's very hard to find out whether that's really true or not.
And, if you want NIST to be able to get into that level of detail, they won't succeed because no one else has. That's really--it's a matter of degree as opposed to whether the principle is there or not.
Mrs. MORELLA. I appreciate your statement and your concern about misinterpretation and taking on too much responsibility in that interpretation layers.
Mr. Rotenberg, I think you would like to respond to that.
Mr. ROTENBERG. Madam Chairwoman, there was some discussion on this point earlier. And, I'm actually very pleased at Steve Walker's comment.
I think if there is an understanding here about what the intent of Section 7 is--and I certainly take the section to mean simply that where the Secretary of Commerce is planning to impose some restriction through export control authority, it would be sensible to look at foreign availability. I think if we are in agreement on this point, then, you know, then maybe there is not really a problem here.
I think we are also in agreement on the complementary point, which is not the idea to do this sort of massive survey of everything on a real time basis. That would not be an appropriate role for NIST.
But, if the Secretary of Commerce is exercising export control authority, I think, you know, developers and firms and others, as a matter of right, should be able to say, "Listen, before you make this decision that affects me or my company, you know, please consider what is happening in other countries."
Mr. WALKER. I don't disagree with what you are saying. I think my real concern with Section 7--I don't have it in front of me--is the part that says 180 days after the bill is passed NIST will prepare criteria as to how all this will be done. Well, how far are we going to go?
I mean, do you have to understand whether the key management system really works and if there are any flaws in it? Because if you are going to say something is okay or good, I mean, this is--that's the part--it's really the second portion where it talks about creating these criteria and publishing them that's going to be the difficult thing to do.
If we can come up with those criteria and everybody can be happy with them, then the 30 days response to a particular product is fine. I have just watched government develop criteria for testing things for enough years now that I am fearful that is going to be a hard thing to do.
Mrs. MORELLA. I understand what you are saying. It's simply that if you stay away from any time frames, sometimes these things get lost. And, so that's the inclination.
There is also a possibility that in report language that would accompany this bill there could be a clarification, just, you know, a possibility that could be worked out, too.
But, I really didn't give you, Mr. Diffie, an opportunity to respond. I would like to very much.
Mr. DIFFIE. Well, I think that actually, in listening to this discussion, I am reminded that user trust in security systems is the bottom line problem and, in some sense, the most difficult problem in all of security. And, I am suddenly more enthusiastic than I was when I walked in that NIST should get its toe farther into this water as an issue of technology indirectly, not an issue--I think issues of intelligence policy and competition, you know, assignment of responsibility and all those things come up.
But, I think it is very important to see whether maybe old people like me are not stuck in our ways. And, I spoke while you were absent, saying, you know, I agreed with the objectives here, but I was worried that, after all, this is, in some sense, most of the activity of NSA, which is a multi-billion dollar activity.
And, so I despaired of doing it on a million dollar budget. But, I am beginning to think that, you know, there may be hidden requirement blocks there in my thinking and that it's definitely worth investigating whether this can be done in a way that will suit these objectives without getting ensnared in things that you didn't really need to do.
And, it wouldn't be the first time that I thought somebody was going to get ensnared and somebody had better footwork than I did and stepped around it.
Mrs. MORELLA. Oh, what an open-minded man. I appreciate that very much.
Mrs. MORELLA. And, now to Mr. Bachula. I would like to have you say the same thing that Mr. Diffie did.
[Laughter.]
Mr. BACHULA. Ms. Morella, your original question was did the Committee do a good job--
Mrs. MORELLA. Yes.
Mr. BACHULA. (continuing) in drafting this bill.
Mr. BACHULA. And, let me say that I think this Committee always does a good job, particularly in its oversight of the Technology Administration and NIST.
Mr. BACHULA. I think that while we have discussed some portions of this bill and some issues that obviously bring out passion and strong views, we should not lose sight of the strong areas of agreement that we have among all of the witnesses here and with the Committee--a stronger role for NIST in the area of computer security, updating the Act to sort of match the times, emphasis on the voluntary consensus process, working with industry, arriving at federal standards that are consistent with commercial standards and not trying to have separate.
While there was some very, very good discussion about the history in this regard, I think that where we are today in our efforts to seek comment on the Advanced Encryption Standard, to modify the DSS, to move in those directions, most of the witnesses basically agree that where we are today and where we believe we are going is where we ought to be. So, we have vast areas of agreement, both among the witnesses and with the Committee on this bill.
And, the emphasis on a section or two shouldn't override that.
Mrs. MORELLA. Thank you. Just one final question and, again, to Mr. Bachula.
I wondered what, in your opinion, is the significance of the DES being broken yesterday?
Can you tell us what NIST's role was in developing this Data Encryption Standard, what the procedures were that NIST followed and what--maybe what input did NIST receive?
Mr. BACHULA. The DES standard, as you know, is some 20 years old. It has been highly successful.
It still works. I think it might be a disservice to consumers out there to think that somehow their ATM transactions are now threatened or that they can't use software to communicate with their bank.
The incident that was described in the "Wall Street Journal" today involved, at least according to the newspaper story--I mean, I don't have independent information--something like 10,000 people, 4 months of work, running through in sort of brute force the 72 quadrillion combinations that were needed to break the code. The normal hacker doesn't have that kind of capacity and capability.
At the same time, it does underscore the need for the Advanced Encryption Standard that we are working on in an open process with industry. So, the targets keep changing.
We are going to need to keep up with those changing technologies and are very much engaged in that process. But, I don't think that we want to have citizens frightened by today's newspaper story that they can't--that their money in the bank account is somehow going to be stolen.
Mrs. MORELLA. Did you want to comment on that, Mr. Bidzos, since you are sort of an expert on it?
Mr. BIDZOS. Thank you. I'm not sure I'm an expert, but I would like to make a couple of comments.
This reminds me of a conversation. Part of Mr. Bachula's response reminds me of a conversation I heard between a couple of military men who were talking about a particular place where U.S. soldiers were serving, and they were talking about the odds of being one of the casualties.
And, it was pretty remote. You know, your chances are something like one in 80,000 of being killed over in this place.
And, then one fellow said, "That's not bad." And, the other one said, "Well, unless you are that one in 80,000."
And, so as long as it's not your key, I guess it's okay. The problem is--the other problem is that 10,000 people out of the 80 million or 90 million who use the Internet worldwide is a ridiculously small number.
It can be done. It has been demonstrated that it can be done. It has to be taken seriously.
I think the more relevant comment is that I just think it's unfortunate--I commend NIST for the AES project. It's very important.
And, one of the many wonderful things about H.R. 1903 is that it provides the funding and the mandate for NIST to continue this effort. That is critically important.
I would just point out that it's--it may not be too late. It certainly isn't too soon.
But, we are--just having heard 48 hours ago about DES being broken, we are at the beginning of a process that's going to go for at least 1 or 2 years in getting a new encryption standard in place. I think this bill, with its provisions, in the future would prevent this from happening.
NIST would have the mandate and the money to think ahead, to look ahead, plan ahead. And, we wouldn't be in the position that we are in now.
Mrs. MORELLA. I am going to turn the meeting over to Congressman Ehlers to conclude it after his questioning, to adjourn it, and ask your permission that members who would like to submit questions to you may be able to do so, because we would very much like to do that.
I wanted to thank you all also for being here and continuing to follow through with us on H.R. 1903.
Mr. EHLERS. Thank you, Madam Chairwoman. I suspect I could keep you here most of the afternoon with questions, but I won't do that because I have a 1 p.m. meeting and you would probably enjoy a break.
After hearing this loquacious panel, I decided one thing. Cryptographers are not cryptic, among other things.
Mr. EHLERS. And, I am really puzzled at the origin of that word. I will have to investigate that some time.
It doesn't have anything to do with cemeteries or mortuaries or your patterns of speech.
A couple of other side comments. Mr. Bachula, I don't know if you recall, but I was a member of the Michigan Legislature when you worked for Governor Blanchard. I suspect at that point neither of us expected to be sitting here facing each other in a room like this.
I suspect neither of us also expected that your boss, Governor Blanchard, would end up being in the same law firm as my friend, Senator Dole. So, life is full of funny coincidences.
On the issues of the day, I listened with interest to the discussions about Section 7 and the opinions, pro and con. And, one question, which any of you can answer, is if we remove the current export controls on encryption, do your problems with Section 7 go away? Obviously, it would have to be changed somewhat.
Mr. BIDZOS. I would just like to save you a trip to the library, Mr. Ehlers.
Cryptography is made up of two Greek root words, krupto and graphia. Being a native Greek, I am particularly interested in that myself.
And, they translate, respectively, into English as secret writing.
Mr. EHLERS. I read that at one time. It slipped my mind, which happens as you get older. Thank you.
Your response to the question, Mr. Walker.
Mr. WALKER. Well, if the motivation for Section 7 is to be able to provide the response to U.S. companies when they are concerned about not being able to export their product, if a foreign product that's better is already out there, if the export controls went away, then you wouldn't need Section 7.
Whether we still would want the ability to have somebody assess the quality of different products out there, that need is always going to be there whether they are U.S. products or whether they are foreign products or whatever. And, it is that assessment of how good these things are that I remember well being asked by--before I testified here 3 or 4 years ago, we had bought a number of foreign products, and the question was just how good are they. And, it's very, very hard to figure that out.
So, the desire on the part of people to be told, "Yes, this product is good," or, "That product isn't good," is still going to be there even if export controls go away.
I suspect the incentive to push for Section 7 will go away if, in fact, the export controls are eliminated.
Mr. EHLERS. This need that you mentioned, would that be something that is worth government money being spent for?
Mr. WALKER. Yes. But, I hope it doesn't turn into the giant bureaucracy again.
I mean, the Defense Department had a problem--it still does--in the 1970's called the "Multilevel Security Problem." They were building computer systems around the world, and everyone who had access into the system had to have a top secret clearance because you couldn't trust the computer not to reveal top secret information to somebody with a lower clearance.
The WWMCCS system, which I was involved in when I was at the Pentagon, a huge problem. It's very expensive to clear everybody to a top secret level; and, yet, we couldn't trust the computers.
Well, I began--and a lot of people continued on--a substantial effort to figure out can we determine whether commercially available systems are good enough to be able to be used in an environment where top secret information can be there but people with a lower clearance can have access to it. In some sense, that's an easier problem than the one we are trying to deal with here.
And, the Defense Department wasn't able to do it. I mean, they tried hard. But, we have verywe still have the multilevel security problem today.
I hope that the wording of Section 7 can be done in such a way that it doesn't become another multilevel security problem. But, I have watched these things happen enough times in my career that I'm very fearful that what will happen is NIST will, if I'm right, and I may be wrong, invest a lot of energy in trying to build these criteria because you asked for in 180 days the criteria before this process actually goes into effect. And, they will fail. They won't quite get it right.
People won't be happy with it. And, 2 or 3 years down the line, you will have another hearing here and you will say, ''Darn, you guys in NIST didn't do a good job at this,'' and you will chastise them and tell them to stop doing it or whatever.
And, I am just fearful we are going to go off on a wild goose chase here. It's not that the objectives of it aren't good and useful; and, it's not that if we can constrain it in some way that it can work.
My concern is that -- and I saw this happen in the DOD process, we tried to come up with simple criteria and then people said, ''Well, yes, but suppose somebody finds something wrong? Suppose I endorse something and somebody finds something wrong with it? I had better make those criteria a little bit stronger. I better try to ask for more.'' We called it ''criteria creep.'' It was a technical term.
And, what happened is systems that were supposed to only be sort of good, suddenly the requirements for documentation and all became enormous. And, I'm just frightened of that process.
If we can do it short of that, then this is a good thing to do. It's probably a useful thing for the government to do even if export controls are eliminated.
Mr. EHLERS. Does anyone else wish to comment? Mr. Rotenberg.
Mr. ROTENBERG. Just briefly, Mr. Congressman. You asked the question if export controls were to go away would Section 7 be necessary. And, I think in some respects, the problem is anticipated that Section 7 would go away on its own accord, because the Secretary would not be exercising the authority. And, the need to conduct the evaluation would go away.
And, I think in this regard, as well, this is actually a very sensible provision. It basically says if you are going to exercise this authority and you do want to restrict the ability of U.S. firms to sell product overseas, then we need in place some mechanism.
And, I've been rereading the language. I actually think it's a very, sort of streamlined procedure that is described here in the legislation for creating the mechanism.
We need some mechanism to evaluate foreign availability. Now, if you choose not to exercise the authority, you know, it goes away.
But, as I said, it really -- I hear Mr. Walker's concerns and it's, you know, not because I disagree with him that there could be scenarios in which this is, you know, expensive and bureaucratic. But, I really don't see it in the bill. That doesn't seem to be the intent.
And, I actually don't see the authority there for what you have described.
Mr. EHLERS. Other comments? Mr. Diffie.
Mr. DIFFIE. The -- I think that the question being asked is what is the importance of a capability to evaluate security systems. And, I think the answer is that independent of its application to this particular case of judging export decisions that it is perfectly appropriate for NIST, as a body whose work is the development of the technology underlying standards, to be given the mandate to attempt to develop an adequate appraisal technology which will be applicable to many things from -- they won't necessarily do the individual system evaluations once that technology has been developed, but in determining what you have to ask people about a proposed crypto system, for example, in order to be able to judge it against criteria at a reasonable cost.
I think that's something very, very appropriate to charge NIST with at the moment.
Mr. EHLERS. Mr. Bachula.
Mr. BACHULA. Sir, I think the testimony of the witnesses here has made it clear that there are two issues involved here. One is a NIST capability, which was just described, whether it should have it, what the resources would be, whether it could do it well, whether it's hard to do, whether it's easy to do. And, we have heard a variety of testimony on that subject matter.
The second question, though, is the provisions of this bill, which essentially modifies the existing regulatory process. And, that part of the bill, which puts NIST into a regulatory function, is what the Administration objects to.
It puts NIST, a non-regulatory agency, one that has never been in this business before, in the middle of a process of second-guessing other agencies' work. The question of foreign availability is one of the considerations that the existing regulatory process can consider.
This would seem to sort of raise the stakes on that issue. And, changing the existing regulatory process probably should be done in a different venue, not this bill.
Mr. EHLERS. I suspect -- and I haven't been involved, heavily involved, in the writing, but I believe the intent was not to involve you in the regulatory process anyway. And, perhaps the staff would want to talk to you about the language, if that's your concern.
Mr. BACHULA. But, if you listened to some of the other witnesses today, that's exactly what they are applauding about, the provisions as they read it, because they think it would modify the process.
Mr. EHLERS. Mr. Walker, last comment.
Mr. WALKER. In trying to figure out how to move forward on this, I seem to be the one that is bringing up technical objections here.
I think one of the strengths of the bill that may get us out of this if you proceed with Section 7 as it is, the Advisory Board. Having the Advisory Board role strengthened so that it can be involved in this, I think, would be an excellent way to try to ensure that the concerns I have of what might go wrong in building a bureaucratic process and all can be held in sway.
I mean, it's the kind of thing you all can't look at on a yearly basis or every 2 years or whatever, but the Advisory Board could. And, to the effect that the provisions of the bill strengthen the role of the Advisory Board and maybe in the documents that accompany the bill you can say, ''Hey, Advisory Board, keep a close eye on Section 7 so that it doesn't turn into a bureaucratic nightmare.'' And, it may be just exactly the kind of thing that Marc and I could agree would be a good way to proceed.
Mr. EHLERS. Thank you. Mr. Bidzos, do you have any comments? You haven't had an opportunity yet.
Mr. BIDZOS. I would just like to point out, with all due respect to Mr. Bachula, that NIST is now in the business of regulating the encryption industry because of its recently assumed responsibility for the export of cryptography recently handed to it from the State Department by the Administration -- I'm sorry, the Commerce Department.
But, it seems to me that what H.R. 1903 is proposing to do is to say, ''Gee, if that's going to be your job, then here are some funds with which you can conduct some investigation and research that should help you do it better.''
And, you know, I feel Steve's pain. I mean, it's pretty clear that he had a very, very painful experience in the government before. But, that doesn't mean we shouldn't let NIST try to do it.
And, in one sense, just because NSA has been doing many of the things that the Computer Security Act envisioned NIST doing doesn't mean that we should assume that NIST, if we correct that, will now try to do all of the things that NSA tried to do.
Mr. EHLERS. Thank you. I appreciate those comments. Just a few other quick questions.
Mr. Bachula, you referred at one point during the discussion -- and I don't recall exactly in reference to which aspect of the bill -- a concern about the need to build up additional expertise whether -- maybe I'm putting words in your mouth. But, you seem to be concerned about NIST being able to handle some of the functions that we are assigning to it here.
One question I just wanted to ask: Do you have contact with the NSA? Do they make available to you any of their expertise?
Obviously, they seem to have one of the world's greatest collections of cryptographic experts. Are they, by charter, not allowed to help you out or advise you?
Mr. BACHULA. I think they have an awesome set of skills. In terms of basics or technical expertise, NIST has access to NSA and other experts around the government, as does the regulatory body, the Bureau of Export Administration, which is the part of the Department of Commerce that right now deals with export regulations. They have access to the same kind of expertise.
And, in terms of foreign availability and these kinds of determinations that are being talked about, they do it now in that avenue.
But, NIST has had a long relationship -- some of it was described in the earlier history today -- with NSA. And, again, they have many resources.
One question about resources, which was raised by another witness, was how much would it take to do the job. And, I can't cite the dollars spent by NSA in this area, but I can tell you that it -- we could replace NIST with the order of magnitude.
Mr. EHLERS. I suspect you are probably right on that. In Section 12, I notice there is a call for another NRC study.
And, I am wondering, first of all, what the opinion of the panel is on that. Is that necessary?
And, second, are any aspects of the previous NRC study on this topic, even though directed at something else specifically, that would be useful on this particular topic?
Are there any comments on that? Mr. Rotenberg.
Mr. ROTENBERG. Mr. Congressman, I mentioned briefly in my testimony, first of all, that the NRC did very good work this past year in their report on computer security. I think that was very thoughtful, very comprehensive and well regarded.
And, I think it is an enormous resource to the Federal Government, the National Research Council.
I propose specifically in my testimony that it may be appropriate for the NRC to begin looking at what are sometimes termed ''privacy enhancing technologies,'' ways to protect individual privacy, to promote commerce on line. There's obviously a great deal of interest in public key management. And, there may be some way to combine them.
But, this area, as well, I think is particularly important for users on the Internet today and is something the NRC would probably do a very good job with.
Mr. EHLERS. Thank you. Any other comments? Mr. Walker.
Mr. WALKER. I also believe that the NRC study that was concluded last year was very helpful. And, it was a comprehensive look across the board and made some of the best suggestions that have been made by the best learned bodies at the time.
And, in fact, a number of those folks were cleared and were able to participate in briefings from NSA and others and were able to come back and say that those concerns of, ''Well, it's classified and I can't tell you,'' are not worth the arguments that are being made. And, I thought that was a major contribution that panel made. And, so I'm not against NRC panels.
I do believe that public key infrastructure is an issue where industry is really taking the lead and needs to take the lead. And, I am, in fact, also concerned that when the government is making suggestions that export of cryptography or key recovery or whatever must be somehow coupled to a government approved public key infrastructure, that's a serious concern that we all should have.
And, so, in my testimony, I made comments that -- I guess there is one other point I want to make. When -- I think it was in the fall of 1993 -- the appropriation was first made for that study that was concluded in 1996, there was a great, ''Oh, good. It's going to take them at least 2 years to do that, and we don't have to do anything until they have, in fact, finished their study.'' And, public key infrastructure is something we need so badly that the notion that let's put it off to a study for -- I mean, it's going to take 6 or 8 months for it to get started and then 18 months for it to conclude.
So, to say that we are not going to do anything about moving ahead with the public key infrastructure until after the results of an NRC study are done again, I think is really, at this point -- if this study can be expanded to more things of the sort that Marc is talking about, it's probably a very useful thing to do. To say let's focus it on public key infrastructure, these things can actually do harm because they put off -- not the results of them but the fact that it's going to take 2 years for them to happen. And, so that's my concern with focusing on something that we so desperately need, that it may cause a lot of people to decide, ''I'm not going to do anything about public key infrastructure until after the results have happened.'' And, that puts us into the next millennium. And, we just don't need that.
Mr. EHLERS. Any other comments? Dr. Diffie.
Mr. DIFFIE. A public key infrastructure is something whose virtues arise almost entirely out of standardization. And, we have at the moment a standard standardization problem; namely, we need something desperately.
We are inclined to rush forward into it. Many people are inclined and, therefore, come out in competition.
If, by regulation, you select one of the competitors, you risk something like the experience with NTSC in television, which has cursed us in North America now for two generations. But, in return, we have the benefit of having television ahead of other people.
I think there is once again, there is a research problem of the sort that NIST exists to work on which is, ''Can we do something to coordinate efforts in public key infrastructure without, at the same time, tying people's hands, imposing unnecessary restrictions, et cetera?'' I don't know the answer to that question.
But, I am not convinced that NRC -- that a study is the right action here. It's something much more like a coordinating committee that seems to me to be needed.
And, it just occurs to me, I mean, maybe the Computer Security Advisory Board would be a more appropriate group to be talking to everybody and to act as a forum for coordination among the various public key infrastructure activities that are already underway.
Mr. EHLERS. Mr. Bidzos.
Mr. BIDZOS. Well, I think what has happened is we've got this wall between industry and government, because we have totally different standards. Dr. Diffie is absolutely correct that those 2 years that we waited for the NRC report resulted in rapid development and progress in a public key infrastructure outside of government.
As I mentioned in my earlier comments, we have 100 million products that do inter-operate, that talk to -- most of them talk to each other. They are based on standards that not only go to the encryption and the algorithm but formats and these credentials called ''certificates,'' all this sort of stuff. That all works.
And, I think, again, the bill is right on in terms of telling NIST to take a look at what the market is doing and plug into it, plug into that infrastructure; don't try to build your own, because you tried that and that hasn't worked.
And, so the bill addresses that problem, I think, that way.
Now, having somebody who looks at ways to make sure that these are coordinated efforts, that's very important. And, that was sort of my interpretation, making sure.
But, basically if we are correcting legislation that was introduced 10 years ago, it's worth investing a year of somebody's time to make sure that it's working so that we know in 1998 rather than 2008 that we've really gotten what we thought we were going to get from this bill.
Mr. EHLERS. Any other comments? Any other issues that anyone on the panel wishes to raise or any questions that you want to raise?
Mr. EHLERS. If not, I certainly thank you for your time and your attention and, above all, your expertise. It has been a very good panel.
I've learned a lot, and I'm sure the Committee has. We appreciate your comments on the bill and look forward to further contact with you.
Thank you very much. The meeting stands adjourned.
[Whereupon, at 12:50 p.m., Thursday, June 19, 1997, the hearing was adjourned.]
[The following material was received for the record:]
Insert offset folios 57-105
Printed for the use of the Committee on Science
COMMITTEE ON SCIENCE
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
SHERWOOD L. BOEHLERT, New York
HARRIS W. FAWELL, Illinois
CONSTANCE A. MORELLA, Maryland
CURT WELDON, Pennsylvania
DANA ROHRABACHER, California
STEVEN SCHIFF, New Mexico
JOE BARTON, Texas
KEN CALVERT, California
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan
DAVE WELDON, Florida
MATT SALMON, Arizona
THOMAS M. DAVIS, Virginia
GIL GUTKNECHT, Minnesota
MARK FOLEY, Florida
THOMAS W. EWING, Illinois
CHARLES W. ''CHIP'' PICKERING, Mississippi
CHRIS CANNON, Utah
KEVIN BRADY, Texas
MERRILL COOK, Utah
PHIL ENGLISH, Pennsylvania
GEORGE R. NETHERCUTT, JR., Washington
TOM A. COBURN, Oklahoma
PETE SESSIONS, Texas
GEORGE E. BROWN, Jr., California*
RALPH M. HALL, Texas
BART GORDON, Tennessee
JAMES A. TRAFICANT, Jr., Ohio
TIM ROEMER, Indiana
ROBERT E. ''BUD'' CRAMER, Jr., Alabama
JAMES A. BARCIA, Michigan
PAUL MCHALE, Pennsylvania
EDDIE BERNICE JOHNSON, Texas
ALCEE L. HASTINGS, Florida
LYNN N. RIVERS, Michigan
ZOE LOFGREN, California
LLOYD DOGGETT, Texas
MICHAEL F. DOYLE, Pennsylvania
SHEILA JACKSON LEE, Texas
BILL LUTHER, Minnesota
WALTER H. CAPPS, California
DEBBIE STABENOW, Michigan
BOB ETHERIDGE, North Carolina
NICK LAMPSON, Texas
DARLENE HOOLEY, Oregon
TODD R. SCHULTZ, Chief of Staff
BARRY C. BERINGER, Chief Counsel
PATRICIA S. SCHWARTZ, Chief Clerk/Administrator
VIVIAN A. TESSIERI, Legislative Clerk
ROBERT E. PALMER, Democratic Staff Director
Subcommittee on Technology
CONSTANCE A. MORELLA, Maryland, Chairwoman
CURT WELDON, Pennsylvania
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan
THOMAS M. DAVIS, Virginia
GIL GUTKNECHT, Minnesota
THOMAS W. EWING, Illinois
CHRIS CANNON, Utah
KEVIN BRADY, Texas
MERRILL COOK, Utah
BART GORDON, Tennessee
EDDIE BERNICE JOHNSON, Texas
LYNN N. RIVERS, Michigan
DEBBIE STABENOW, Michigan
JAMES A. BARCIA, Michigan
PAUL MCHALE, Pennsylvania
MICHAEL F. DOYLE, Pennsylvania
ELLEN O. TAUSCHER, California
*Ranking Minority Member
CONTENTS
June 19, 1997:
Hon. Gary R. Bachula, Acting Under Secretary for Technology, Technology Administration, U.S. Department of Commerce, Washington, DC
Whitfield Diffie, Distinguished Engineer, Sun Microsystems, Mountain View, CA
Stephen T. Walker, President and CEO, Trusted Information Systems, Inc., Glenwood, MD
D. James Bidzos, President and CEO, RSA Data Security, Redwood City, CA
Marc Rotenberg, Esq., Director, Electronic Privacy Information Center, Washington, DC
Statement of Willis H. Ware, Chairman, Computer System Security and Privacy Advisory Board
Responses to Post-Hearing Questions by:
Hon. Gary R. Bachula
Stephen T. Walker
D. James Bidzos