Statement by The Honorable John
Thank you Mr. Chairman and members of the Committee. I am honored to be here and am pleased to have the opportunity to provide the Department of Defenses perspective on encryption export policy, a complicated, but enormously important issue with significant domestic and international ramifications. We recognize that this is an issue that involves the interest and requires the participation of virtually every Executive Branch department and agency, the Congress, as well as our international partners, industry and the private sector.
Mr. Chairman, you render a valuable service to the American people by holding a hearing that focuses on and analyzes an issue that directly affects, in many different ways, the quality of life of every American. I applaud your objective of seeking solutions that will balance the sometimes-diverse needs and perspectives within our society.
Before we address specific export controls, I would like to be perfectly clear about the guiding principles on encryption and information technology. These are consistent throughout the Department of Defense and the Administration.
Mr. Chairman, in the future, national security threats will not be confined to distant battlefields, nor to clearly identified opponents during declared hostilities. You and the committee understand the gravity of the decisions we face as we look to the future. In brief, Mr. Chairman, while the sponsors of H.R. 850 have labeled their bill the SAFE Act, in terms of national security and public safety, this is not "safe" legislation. Indeed, H.R. 850 threatens our national security.
In considering export controls in the context of the broad range of our national interests, the Administration has pursued a balanced approach. The approach is not static, but must be, and is, reviewed continuously to ensure adequate consideration of changes in technology, foreign policy, and national security interests. We think that these changes are best accomplished through regulation, rather than legislation, because of the flexibility needed to adapt quickly to changing technology. Please allow me a few minutes to discuss how we have successfully used the regulatory process. Candidly, we recognize that none of the diverse constituents are completely satisfied with the policies we currently have in place. I believe, however, that these constituents must honestly admit that we have made genuine progress from the updates implemented in our regulations. Lets look at what we already have in place today.
REVIEW OF OUR CURRENT ENCRYPTION REGULATIONS
In September 1998 the Administration announced the relaxation of encryption export regulations to meet the needs of industry, the national security and public safety communities, as well as average Americans who want to ensure that their privacy information is indeed private. As you well know, the decision to relax controls was reached only after careful review. We undertook a careful analysis and thoughtful dialogue among industry representatives, privacy rights constituents, and those departments and agencies of the Executive Branch responsible for ensuring and executing missions associated with public safety and national security. As a result, we currently have in place regulations that support the export of encryption products that secure electronic commerce and maintain U.S technological leadership in the international marketplace.
The 1998 update of our export policy, implemented through the regulatory process, opened a significant portion of the worlds economies to U.S. encryption products. As a result, the strongest encryption products with any key length now can be exported easily to those markets that clearly require stronger encryption:
With the controls in place, the U.S. continues to monitor and review carefully, through the licensing process, exports to certain sectors and countries, particularly those that represent a national security threat to the United States. We must continue to ensure that our policy neither aids and abets the conduct of computer crime/fraud against our citizens and corporations nor undermines the abilities of our national decision-makers, military leaders, and fighting forces.
POTENTIAL RAMIFICATIONS TO NATIONAL SECURITY IF WE EXTENSIVELY UPDATE CONTROLS OR DECONTROL
We are not averse to updating controls of current restrictions. We believe, however, that decisions on what restrictions to update or decontrol can be better made through a regulatory structure, vice a legislative one, which affords greater flexibility to changes in technology and our environment. We cannot drop controls immediately, putting strong encryption in the hands of terrorists, drug cartels, or battlefield foes. These groups would use strong encryption to circumvent lawful surveillance and deny law enforcement and national security authorities the crucial timely information needed to protect America.
I have mentioned only a few potential ramifications to the national security of this great nation if we decide to take the path of indiscriminate decontrol of encryption export restrictions. Some would argue that "the horse is out of the barn," that strong encryption already is available via the Internet and elsewhere, and that, therefore, we should abandon further controls. I beg to disagree. Public key encryption is simple in concept, but complex to use effectively, and on a large scale. There is no doubt that individuals can obtain strong encryption if they are willing to spend the time to manage keys, exchange certificates, pick the right algorithm, and implement it properly. However, such strong encryption is not, in fact, ubiquitously available overseas, and while we want to promote the export of U.S. encryption products, we see no advantage in accelerating the general availability of such products to those who would wish us ill.
Clearly, we need to proceed deliberately and cautiously. Moreover, as a prudent measure, the collective "we" (both Congress and the Administration) need to reflect on the emphasis placed by the Cox Committee on ensuring that protecting national security is an integral part of our export process.
DOD-SPECIFIC COMMENTS ON H.R. 850, THE SAFE ACT
I would like to focus for a few minutes to H.R. 850, the SAFE Act, and our views on how that legislation would affect the Department and other members of the national security community if enacted. I appreciate that a large number of distinguished representatives have co-sponsored this bill. Nonetheless, I believe that it is fatally flawed, in ways that will have severe consequences for national security, perhaps in ways that are not fully appreciated by the sponsors. Our concerns with the draft legislation lie mostly in Section 3, which:
In addition, the new section 2804, to be added to Title 18, would inhibit the development of key recovery, even as a viable commercial option for those corporations that desire guaranteed access to their data. Despite some assertions to the contrary, the government does not seek to impose mandatory key recovery (as you said, we will not pass the "Big Brother Act of 1999 either"). Your statement of 9 June is most eloquent in noting that the protections of the legal process in the safeguarding of our liberties. I also would note, however, that SAFEs prohibition on mandatory key escrow could have a direct impact on the private development of encryption products and services for use with the Federal government, which is planning to use key recovery products (beyond those especially designed or modified for military use) as an essential part of our internal control process. For example, some of our defense finance centers process over $40 million dollars of transactions an hour. There is no way that I am going to allow such activities to proceed without a way to recover the data. To the extent that we wish to make further use of the commercial products, commercial certificate managers, and other elements of the private sector, this bill will inhibit progress that could benefit business, government and citizens alike.
WHERE SHOULD WE GO FROM HERE?
Let me reiterate at this stage of the discussion that our current policy, as implemented in regulations, cannot possibly satisfy completely the conflicting requirements of all the constituents who have a stake in resolving this issue. The Administration continues to develop policy consistent with international and domestic market realities and national security and public safety concerns. For over a year, the Administration has been engaged in a dialogue with U.S. industry, privacy groups, and the national security and public safety communities to make our policy more responsive to diverse requirements. It is our objective to continue to work to find cooperative solutions that will allow us to maintain U.S. technological leadership in an international market, promote secure electronic commerce, protect important privacy concerns, and enhance the safety and security of U.S. citizens.
Mr. Chairman, we applaud your attention and desire to also help in the development of cooperative solutions to this most important issue. We, however, believe that the best way to achieve progress is through a constructive, cooperative dialogue, the results of which are implemented in regulation vice in legislation. The current regulatory structure combines balanced export control oversight with the flexibility needed to accommodate new developments in our national security, foreign policy, and economic interests.
The public debate over this issue has been and will continue to be spirited as we explore solutions to meet the diverse needs of our encryption policy stakeholders. We applaud the attempts of this committee to consider different perspectives in this forum, and compliment this committee for bringing attention to this critical issue. I thank you for the opportunity to present the Departments views and look forward to working with the Congress as it deliberates the important public policy issues raised by encryption.