
Contact:
BIS Public Affairs
(202) 482-2721

William A. Reinsch
Under Secretary, Bureau of Export Administration
Department of Commerce

Information Security Solutions Europe 2000 Conference
Barcelona, Spain
September 27, 2000

United States Encryption Policy

As we enter a new century, I welcome the opportunity to talk with you about the critical topic of information security. In the last decade, the emerging digital economy, spearheaded by the pervasive use of the Internet, has transformed our lives. Businesses around the world are taking advantage of the potential of cyberspace. Companies are increasing their productivity by networking their supply chain, selling services and goods on-line, interacting and training their employees over intranets and developing products and services in cyberspace.

As remarkable as today's innovations are, the years ahead hold even greater promise. Computers will become virtual partners in our lives. Homes are wired to integrate alarms, electronics, appliances, telephones and computers to simplify our lives. Researchers and scientists exchange information in cyber-conferences. Students learn in global classrooms. Banking, finance and shopping will increasingly migrate to the Internet. In economic terms, we no longer live within the confines of a country, although in political terms the world of the nation-state is still with us. The speed of technological change is creating a more dynamic and interdependent world where cooperation and joint initiatives have brought us closer together. Some contend that we are on the brink of a cyber-revolution, similar to the industrial revolution. In fact, we are in the midst of it, as evidenced in the 305 percent growth in e-commerce from 1998 to 1999 alone, reaching $1.8 billion in revenue in 1999.

These advances, of course, have security implications. Nations are faced with more than just "virtual" ramifications. While most people will use encryption for legitimate purposes, criminals and terrorists will continue to use it to conceal their activities. The United States, like other governments, is constantly assessing the national security and public safety implications of encryption in light of the rapidly evolving information security industry. The goal of our policy is to balance national security and public safety with commercial and privacy interests, but from a business perspective, encryption also plays an important role in securing the global information infrastructure and in creating and sustaining confidence in electronic commerce. As many of you can attest, encryption has posed a significant public policy challenge since its commercial introduction over the last decade.

Three years ago, the Clinton Administration announced its Framework for Global Electronic Commerce and asked private industry to lead the initiative. Since then, various agencies, including the Department of Commerce and Department of Justice, in cooperation with the private sector, have created programs to secure critical infrastructures and protect against cybercrime, but denial of service attacks, viruses and identity fraud, to name a few, continue to threaten our global infrastructure. The most recent target, wireless products, demonstrates how quickly these attacks can develop and threaten an industry and what serious risks we continue to face. For instance, in June, a spokesperson from Palm said they have not received any reports of viruses on their products. Ironically, less than one month later, Palm users reported a virus. An example closer to home is the recent attack on cellular phones in this country, which sent a similar chain-email to randomly dialed mobile data phones operating on GSM. Increasingly, it is clear that no computing device is protected from these malicious attacks, and the more networked we become, the more critical it becomes to guard against these assaults.

Not only are these attacks hampering consumer confidence, they are also costing us all money. A recent study estimates that computer viruses and hacking cost the global economy $1.6 trillion. Let me also note that most of these cyber attacks go unreported due to their negative publicity effects. Even so, cybercrime weighs heavily on the minds of consumers. One survey indicates that 67 percent of those polled are concerned that they need more protection from cybercrime. Enhancing our efforts to protect critical infrastructures and combat computer intrusions must be a cooperative effort. We continue to engage our friends and allies in order to increase awareness of these problems. As part of that effort the U.S. participates in the G-8 High-Tech Crime Working Group that aids in conducting multilateral investigations. By 2002, the Computer Almanac estimates that 490 million people around the world will have Internet access. We must be prepared for the challenges that lie ahead.

One important tool in this fight is the deployment of cryptography for security, authentication and data confidentiality. Current technologies commonly used for these purposes are digital signatures, data encryption and message authentication codes. We encourage the use of these practices and other authentication technologies because they improve the integrity of the infrastructure. President Clinton recently signed the Electronic Signatures In Global And National Commerce Act to ensure that electronic contracts are afforded the same legal stature as paper documents. Other countries are following suit, and the EU is considering similar measures.

Just as electronic commerce has grown and changed, our encryption policy has also evolved in the last five years. In the past, the U.S. sought stringent controls on encryption exports. Developing a new encryption policy has been difficult because we did not want to hinder the legitimate use of encryption; yet at the same time we needed to continue to protect our vital national security, foreign policy and law enforcement interests. We have engaged in an intensive dialogue with all concerned parties to achieve the balance we are looking for.

In 1998, Vice President Gore unveiled two successive changes to streamline exports of encryption products to a number of vital industry sectors. These updates included permitting the export of unlimited strength encryption to U.S. companies and their subsidiaries, insurance and medical sectors, on-line merchants and their customers worldwide.

With respect to developing a common international approach to encryption policy, we continued to work with other countries through consultations led by Ambassador David Aaron. What quickly became evident is that most countries share our public safety and national security concerns and are interested in developing a harmonized international approach regarding compatible infrastructures for electronic commerce. By the end of 1998 we had made significant progress toward a common international approach to encryption controls through the Wassenaar Arrangement.

Our 1998 update did not end the debate over encryption controls, and we continued to adapt to market developments, further streamlining our policy in 1999 and again in 2000. To provide the balance we sought, we looked at three elements -- information security and privacy, a new framework for export controls, and updated tools for law enforcement. First, our strategy understands that sensitive electronic information, whether it is government or private, requires strong protection from unauthorized access. Second, it protects national security through encryption export controls while recognizing that changes in the global marketplace are making strong encryption products easily obtainable almost anywhere in the world, and that U.S. participation in that market enhances rather than compromises our security. Finally, it assures that, as strong encryption proliferates, law enforcement has adequate resources to protect our citizens from crime and terrorism.

The export control element of this strategy rests on three principles: a one-time technical review of encryption products in advance of sale, a streamlined post-export reporting system, and a license process that preserves the government's ability to review the sale of strong encryption to foreign government and military organizations and to nations of concern. Within that context, we have removed almost all export restrictions on encryption products.

For the last eight months, the United States has allowed all encryption products, including source code, toolkits and components, to be exported to any non-government entity, except to the terrorist-supporting countries, without a license. In addition, widely available retail products, for example, those downloaded free of charge over the Internet, can be exported to any user, including governments. Our January regulation relaxed restrictions on public domain encryption source code, and foreign products made with source code, toolkits or components do not require review by the U.S. Government for reexport. The regulation further streamlined requirements for U.S. companies by permitting exports of any encryption item to their foreign subsidiaries without a prior review. Foreign nationals working for U.S. companies in the United States no longer need an export license to work on encryption.

This month, the U.S. again is taking important steps to further a balanced, market-driven approach to encryption policy, steps which reflect the rapid technological progress in this sector. The most significant change, announced on July 17, is the release of the majority of encryption items, except cryptanalytic tools, immediately without a license to European Union members and eight additional countries -- Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland. We also permit the export of products that allow "open-door" cryptography and technology to these destinations, which facilitates next generation development. In addition, U.S. products, such as software development kits, that enable non-U.S.-sourced products to operate together can be exported to almost any destination.

Our new policy also addresses the market trend toward the development of short-range wireless products by permitting the export of products using this type of technology, such as Bluetooth and HomeRF, without a review or any follow-on reporting. Such consumer items include audio and video equipment, computer accessories, handheld devices, and household appliances. Through this low cost technology, many start-up companies will begin as home offices. Of course the good part is we will be able to tell our refrigerators to order more food, our washing machines to start a new load, and microwave ovens to cook our dinner, giving new meaning to the word "wired", or should I say "wireless"?

The U.S. approach fortifies three crucial growth areas: the "open source" movement, beta testing, and standards development. We extend liberal export treatment to the object code that is compiled from source code, which is available to the public. The object code must also remain "in the public domain" and can be posted on the Internet without a license or review. Furthermore, beta versions of encryption software and the exchange of technology with standard organizations can now be transferred immediately without a license to further facilitate development. Our policy recognizes that most development takes place in an open forum and seeks to improve the development cycle of cutting-edge technologies. Further demonstrating the openness of our approach to standards, three out of the five Advanced Encryption Standard (AES) finalists are foreign-developed algorithms, which means that the replacement of DES, which we expect to be announced next week, could well be a foreign algorithm.

We also examined our reexport controls and decided that certain U.S. encryption items may now be considered for de minimis treatment. For example, U.S. encryption software that was incorporated into a foreign software was treated for reexport purposes as one hundred percent U.S. origin. Thus U.S. components and software, mainly retail items, may now be under the U.S. content threshold after incorporation into foreign products. Examples of these possible items might include operating systems, browsers and e-mail applications for personal computers, or chips designed for use in mobile, wireless communication devices.

Lastly, we further streamlined our policy by permitting exporters to self-classify encryption products decontrolled by the Wassenaar Arrangement. For example, 64-bit mass market encryption products, which previously required a review, can be exported immediately.

Many of the recent changes I mentioned make our controls comparable to those of our EU partners, although our distinction between retail and non-retail products has allowed us to make the former more widely available than the EU directive would imply. The U.S. is committed at the highest levels of government to retaining that comparability.

However, let me be clear, in allowing the export of strong encryption without a license to almost anywhere in the world, except for certain countries like the seven state-supporters of terrorism, we have recognized that information technology is changing rapidly and constantly providing both new security capabilities and challenges. We are committed to update our policy to keep pace with changing market realities. A recent estimate by Forrester Research indicates that by 2004, global e-commerce will amount to $6.9 trillion, with North America accounting for just over half the total. In the European Union, e-commerce sales are expected to increase by 140 percent annually.

These impressive projections indicate we all need to devise viable policies to assure its continued growth. While there is always a danger we will lag behind the technology curve, the U.S. wishes to continue to work together with other nations in securing critical infrastructures, developing new technologies and standards and compatible systems, thwarting cybercrime, and promoting electronic commerce. We are also working to encourage the adoption of our philosophies of innovation, competition, open markets and universal service around the world. The Internet has created a global marketplace, and those principles are particularly important as the boundaries between countries break down through online transactions.

The United States has concluded that the benefits to protecting critical infrastructures, personal privacy and preventing cybercrime far outweigh the potential cost to our national security. The result has been significant liberalization of our export controls. Even so, cryptography remains a challenging public policy issue, but the issue of the future will be our collective ability to avoid the converse of export controls -- protectionist trade barriers or artificial standards, de facto or de jure, intended to keep foreign software products out of selected markets. We have too many of those trade disputes right now with the EU, and we don't need another one! It would be tragic if, having overcome the barriers created by export controls, we then find free trade in these products blocked by import barriers.

We need to work together to recognize the threats to public safety and national security posed by cybercrime and cyberterrorism, and to understand that networked computers are now integral to every segment of developed nations' critical infrastructure, from electronic power grids to transportation services. The logical consequence of cooperating on those threats in order to develop a secure cyberspace is freer trade, not discriminatory standards and trade barriers.

In light of the pace of global technological development, I cannot help but be inspired by current and future prospects for economic growth and prosperity globally. I hope the EU will join us in achieving this common goal. It is important for all nations to create compatible infrastructure protections for governments and businesses. Protecting our citizens and our economic systems is a responsibility that every government takes seriously. Our encryption and critical infrastructure policies well prepare us for the challenges of the twenty-first century. I look forward to working together with you to achieve these goals.

Note

In April of 2002 the Bureau of Export Administration (BXA) changed its name to the Bureau of Industry and Security (BIS). For historical purposes we have not changed the references to BXA in the legacy documents found in the Archived Press and Public Information.

