Statement by The Honorable John J. Hamre
Deputy Secretary of Defense
 

Thank you, Mr. Chairman and members of the Committee. I am honored to be here and am pleased to have the opportunity to provide the Department of Defense’s perspective on encryption export policy, a complicated, but enormously important issue with significant domestic and international ramifications. We recognize that this is an issue that involves the interest and requires the participation of virtually every Executive Branch department and agency, the Congress, as well as our international partners, industry and the private sector.

Mr. Chairman, you render a valuable service to the American people by holding a hearing that focuses on and analyzes an issue that directly affects, in many different ways, the quality of life of every American. I applaud your objective of seeking solutions that will balance the sometimes-diverse needs and perspectives within our society.

Before we address specific export controls, I would like to be perfectly clear about the guiding principles on encryption and information technology. These are consistent throughout the Department of Defense and the Administration.

First, DoD supports the use of strong encryption by our citizens domestically, by our businesses, and by the government. We all can agree that our nation’s infrastructures and business transactions need to be secured in cyberspace, safe from unauthorized access, industrial espionage and cyber-terrorism. Encryption is a most important issue among many technology questions that must be addressed and improved to foster a global electronic environment that Americans can trust and operate in safely.

To this end the Department is taking aggressive steps to secure our own networks, promote the use of Public Key Infrastructures for applications ranging from e-commerce to classified missions, purchase key recovery products for our own use, and encourage interoperability with allies.

We are not protecting ourselves from hypothetical threats. The spate of intrusions into government computer systems and web sites in recent weeks only reinforces the fact that there are genuine challenges in cyberspace. Encryption is not a panacea, but it is an underpinning to so many of our other activities that it is essential that we both have it available to ourselves, and limit its availability to those who would do us harm.

Second, we support a strong U.S. information technology industry. Our national security depends on it. Our military advantages stem, in no small measure, from the innovative performance of our industry, and we believe it is crucial to maintain our business edge in information technology and encryption. To a large measure, our ability to stay ahead of adversaries depends on the leadership of U.S. industry.

Finally, we are committed to ensuring America’s national security and public safety, and upholding the tenets of democracy worldwide. We must continue to provide the necessary intelligence support to our decision-makers and warfighters. We also must protect our forces, on the battlefield, and in stations around the world. Mr. Chairman, as you are well aware, intelligence is a key aspect of warfare, but it also has become an essential part of defending against terrorist activities that regrettably can strike at any time and in almost any place. Whether our future enemies use encryption on the battlefield, when organizing a terrorist plot, or to plan disruptions in cyberspace, we must view these threats to our national security very seriously.

Mr. Chairman, in the future, national security threats will not be confined to distant battlefields, nor to clearly identified opponents during declared hostilities. You and the committee understand the gravity of the decisions we face as we look to the future. In brief, Mr. Chairman, while the sponsors of H.R. 850 have labeled their bill the SAFE Act, in terms of national security and public safety, this is not "safe" legislation. Indeed, H.R. 850 threatens our national security.

In considering export controls in the context of the broad range of our national interests, the Administration has pursued a balanced approach. The approach is not static, but must be, and is, reviewed continuously to ensure adequate consideration of changes in technology, foreign policy, and national security interests. We think that these changes are best accomplished through regulation, rather than legislation, because of the flexibility needed to adapt quickly to changing technology. Please allow me a few minutes to discuss how we have successfully used the regulatory process. Candidly, we recognize that none of the diverse constituents are completely satisfied with the policies we currently have in place. I believe, however, that these constituents must honestly admit that we have made genuine progress from the updates implemented in our regulations. Let’s look at what we already have in place today.

REVIEW OF OUR CURRENT ENCRYPTION REGULATIONS

In September 1998 the Administration announced the relaxation of encryption export regulations to meet the needs of industry, the national security and public safety communities, as well as average Americans who want to ensure that their privacy information is indeed private. As you well know, the decision to relax controls was reached only after careful review. We undertook a careful analysis and thoughtful dialogue among industry representatives, privacy rights constituents, and those departments and agencies of the Executive Branch responsible for ensuring and executing missions associated with public safety and national security. As a result, we currently have in place regulations that support the export of encryption products that secure electronic commerce and maintain U.S. technological leadership in the international marketplace.

The 1998 update of our export policy, implemented through the regulatory process, opened a significant portion of the world’s economies to U.S. encryption products. As a result, the strongest encryption products with any key length now can be exported easily to those markets that clearly require stronger encryption:

The banking and financial sector: American firms can now sell strong encryption products to foreign banking customers so that they may feel secure that their transactions are protected from those outsiders seeking to exploit valuable financial information for personal gain;

The health and medical sector: American firms can now sell strong encryption products to foreign health and medical customers so that they may now feel secure that their medical information and records are protected, accessible only by those with a valid need-to-know for treatment and consultation;

The insurance sector: American firms can now sell strong encryption products to foreign insurance companies so that they may now feel comfortable in the knowledge that information pertinent to their assets and liabilities is properly secured and accessible only by those who have expressed permissions or needs;

American corporations and their overseas subsidiaries: Mergers, partnerships, and conglomerates within the global market have made it necessary for our corporations to communicate, access, and share data through digital media such as the Internet. Our corporations now may feel certain that their proprietary data will be protected with some of the strongest encryption available;

Foreign trading partners: Adequate protection of valuable data is a concern not only within our country but also among members of the international market. As the world becomes virtually accessible almost immediately via connections through digital media and as conglomerates form to meet worldwide market demands, our partners are increasingly sensitive to the need to protect their valuable data. American corporations may now sell unlimited strength encryption products to their foreign trading partners; and,

On-line merchants: Foreign customers of American corporations now may feel confident that their electronic financial transactions and personal information are adequately protected. In this sector, we also approve critical e-business applications, such as supply chain automation, reservation systems, etc.

With the controls in place, the U.S. continues to monitor and review carefully, through the licensing process, exports to certain sectors and countries, particularly those that represent a national security threat to the United States. We must continue to ensure that our policy neither aids and abets the conduct of computer crime/fraud against our citizens and corporations nor undermines the abilities of our national decision-makers, military leaders, and fighting forces.

POTENTIAL RAMIFICATIONS TO NATIONAL SECURITY IF WE EXTENSIVELY UPDATE CONTROLS OR DECONTROL

We are not averse to updating controls of current restrictions. We believe, however, that decisions on what restrictions to update or decontrol can be better made through a regulatory structure, vice a legislative one, which affords greater flexibility to changes in technology and our environment. We cannot drop controls immediately, putting strong encryption in the hands of terrorists, drug cartels, or battlefield foes. These groups would use strong encryption to circumvent lawful surveillance and deny law enforcement and national security authorities the crucial timely information needed to protect America.

I have mentioned only a few potential ramifications to the national security of this great nation if we decide to take the path of indiscriminate decontrol of encryption export restrictions. Some would argue that "the horse is out of the barn," that strong encryption already is available via the Internet and elsewhere, and that, therefore, we should abandon further controls. I beg to disagree. Public key encryption is simple in concept, but complex to use effectively, and on a large scale. There is no doubt that individuals can obtain strong encryption if they are willing to spend the time to manage keys, exchange certificates, pick the right algorithm, and implement it properly. However, such strong encryption is not, in fact, ubiquitously available overseas, and while we want to promote the export of U.S. encryption products, we see no advantage in accelerating the general availability of such products to those who would wish us ill.

Clearly, we need to proceed deliberately and cautiously. Moreover, as a prudent measure, the collective "we" (both Congress and the Administration) need to reflect on the emphasis placed by the Cox Committee on ensuring that protecting national security is an integral part of our export process.

DOD-SPECIFIC COMMENTS ON H.R. 850, THE SAFE ACT

I would like to focus for a few minutes on H.R. 850, the SAFE Act, and our views on how that legislation would affect the Department and other members of the national security community if enacted. I appreciate that a large number of distinguished representatives have co-sponsored this bill. Nonetheless, I believe that it is fatally flawed, in ways that will have severe consequences for national security, perhaps in ways that are not fully appreciated by the sponsors. Our concerns with the draft legislation lie mostly in Section 3, which:

mandates the immediate decontrol of most commercial computer software encryption and specified hardware encryption exports after a one-time, 15-day technical review. By immediately decontrolling most encryption-related exports, SAFE would make the most powerful encryption technology available to our adversaries – terrorists, drug cartels, corrupt corporate subsidiaries, and other vessels of proliferation within countries that, from a national security perspective, are deemed untrustworthy. Widespread accessibility to top-notch encryption products by our adversaries would, moreover, undermine the Government’s ability to provide timely, critical intelligence data to our national leaders and warfighters. We appreciate the desire to minimize bureaucratic delays, but also feel that an automatic 15-day technical review period is too inflexible, given the increasing complexity of these products, and the often-subtle security implications.

eliminates encryption export controls based on there being comparable products available in the foreign market. The foreign availability argument is seductive, but flawed. We know that not all products reported as available overseas are actually available. We also know that some of the products on the foreign market are poorly implemented; others have non-existent user support or may not be widely used.

allows encryption exports to non-military end users in any country to which similar exports are allowed for use by foreign financial institutions. This blanket provision includes a dangerous loophole, for terrorists also are non-military end users, and may well be located in countries to which exports are permitted for financial institutions.

also eliminates end-use and post-export reporting which reduces the Government’s access to information of importance to the national security, foreign policy and public safety communities, issues such as force protection, proliferation of weapons of mass destruction, terrorism, and narcotics trafficking. I personally was skeptical that the post-export reporting information was being adequately used, and so recently ordered a review. While some of the details are classified, I am convinced that there is value in this reporting, and will be happy to share it with the committee at your convenience.

In addition, the new section 2804, to be added to Title 18, would inhibit the development of key recovery, even as a viable commercial option for those corporations that desire guaranteed access to their data. Despite some assertions to the contrary, the government does not seek to impose mandatory key recovery (as you said, we will not pass the "Big Brother Act of 1999" either). Your statement of 9 June is most eloquent in noting the protections of the legal process in the safeguarding of our liberties. I also would note, however, that SAFE’s prohibition on mandatory key escrow could have a direct impact on the private development of encryption products and services for use with the Federal government, which is planning to use key recovery products (beyond those especially designed or modified for military use) as an essential part of our internal control process. For example, some of our defense finance centers process over $40 million dollars of transactions an hour. There is no way that I am going to allow such activities to proceed without a way to recover the data. To the extent that we wish to make further use of the commercial products, commercial certificate managers, and other elements of the private sector, this bill will inhibit progress that could benefit business, government and citizens alike.

WHERE SHOULD WE GO FROM HERE?

Let me reiterate at this stage of the discussion that our current policy, as implemented in regulations, cannot possibly satisfy completely the conflicting requirements of all the constituents who have a stake in resolving this issue. The Administration continues to develop policy consistent with international and domestic market realities and national security and public safety concerns. For over a year, the Administration has been engaged in a dialogue with U.S. industry, privacy groups, and the national security and public safety communities to make our policy more responsive to diverse requirements. It is our objective to continue to work to find cooperative solutions that will allow us to maintain U.S. technological leadership in an international market, promote secure electronic commerce, protect important privacy concerns, and enhance the safety and security of U.S. citizens.

CONCLUSION

Mr. Chairman, we applaud your attention and desire to also help in the development of cooperative solutions to this most important issue. We, however, believe that the best way to achieve progress is through a constructive, cooperative dialogue, the results of which are implemented in regulation vice in legislation. The current regulatory structure combines balanced export control oversight with the flexibility needed to accommodate new developments in our national security, foreign policy, and economic interests.

The public debate over this issue has been and will continue to be spirited as we explore solutions to meet the diverse needs of our encryption policy stakeholders. We applaud the attempts of this committee to consider different perspectives in this forum, and compliment this committee for bringing attention to this critical issue. I thank you for the opportunity to present the Department’s views and look forward to working with the Congress as it deliberates the important public policy issues raised by encryption.