Where Industry and Security Intersect
What's New | Sitemap | Search
Good afternoon. I am pleased to be here today to discuss the Administration's encryption policy and how it relates to the President's initiative on critical infrastructure protection.
First, a caveat. Encryption is only one piece of the larger critical infrastructure pie. Clearly, strong encryption helps protect electronic infrastructures. However, as important as encryption is for this purpose, we would not be wise to allow the debate over encryption policy to hinder our efforts in the larger critical infrastructure area. For this reason, we are developing policies in these two areas along separate tracks. By the time I finish my remarks, I hope you will agree with me that this is the best course of action.
Encryption is a critical issue for our country, and what we do in this area will have a profound impact on the safety and well-being of Americans everywhere. We should all be concerned about the national security and law enforcement implications of widespread use of strong encryption. We should also not forget the role encryption plays in providing us with economic security and privacy.
Export controls -- an integral part of our encryption policy -- are particularly challenging for policy makers because they involve technologies that are constantly evolving. Among all of the technologies that are currently subject to export controls, computer software is probably changing the most rapidly. In large part, this is due to the rapid growth and the continuous development of new ways to use it.
One of the many uses of the Internet which will have a significant affect on our lives is electronic commerce. A recent article in Fortune magazine, citing market research indicating as many as 17 million people will make purchases over the Internet in 1998, likened the growth of this new type of commercial activity to a tidal wave. An inevitable byproduct of this is similar growth in demand for encryption products.
The reason for this is that people simply will not make purchases electronically if they believe the infrastructure is not secure. Despite the fact that making a purchase at the store with a credit card has its own inherent security risks, the public perception is that electronic purchasing poses very high risks that credit card numbers will be intercepted and fraudulently used. Encryption can help to allay these fears, and allow electronic purchasing to continue its explosive growth.
Identity fraud is another problem that will continue to require attention as we come to rely more and more on the electronic infrastructure to do business. Apart from providing confidentiality of data, encryption can be used to authenticate users and to ensure that information passing through the infrastructure has not been altered in transmission. Current technologies commonly used for these purposes are digital signatures and message authentication codes, and they are being used more and more every day. The government would like to see these and other authentication technologies more widely used because they improve the integrity of the infrastructure. In addition, this use of encryption does not raise the same recovery issues as the use of encryption for confidentiality. Multiple spare keys would undermine confidence in the authentication system. Furthermore, government access to authentication keys would only hinder law enforcement's ability to prosecute criminals if such access can be used as a defense to cast doubt on the origin of evidence.
Authentication and information integrity are clearly major factors in the success of infrastructures for electronic commerce. But the technologies I have discussed are not necessarily the best, or only, approaches to the problem. Other technologies are beginning to appear in the market, some based on biometrics. These use fingerprint or eye scans for authentication. In the end, the market will decide which authentication technologies become the standard. Regardless of which succeeds, more work needs to be done to ensure that authentication technologies are secure and easy to use.
With regard to encryption for data confidentiality, the U.S. government continues to support a balanced approach which considers our commercial interests as well as protecting important law enforcement and national security interests. At the same time, we remain committed to promoting the growth of global electronic commerce to secure financial as well as business communications and transactions.
When we transferred jurisdiction over export controls on encryption products and technology from the State Department to the Commerce Department in December 1996, we were explicitly recognizing its dual-use nature. It just did not make sense to control encryption as if it were a weapon. Developing a new encryption policy was difficult because we did not want to hinder its legitimate use -- particularly for electronic commerce -- yet at the same time we wanted to protect our vital national security, foreign policy and law enforcement interests. We decided that the best way to accomplish this was to promote the development of strong encryption products that would allow lawful government access to plaintext.
The major feature of our policy was -- and is -- to promote the widespread development and distribution of recoverable encryption. In terms of our export regulations, we established an incentive for companies to develop this type of encryption by making it easier for them to export their 56-bit products, in exchange for a commitment to develop recoverable products. We believed that recoverable encryption was an answer to the question of how to pursue policy objectives which sometimes appeared to be contradictory.
Over 60 companies took us up on our offer by establishing recoverable encryption product development programs within their companies. In addition, we have given license exception eligibility to more than 20 key recovery encryption products. On top of this, the Commerce Department has reviewed over 2500 export license applications for encryption products, including encryption licensing arrangements that allow exports of unlimited quantities of certain types of encryption products to certain classes of end users.
It is important to note that export controls are not the only component of our encryption policy. Under the leadership of Ambassador David Aaron, the President's special envoy for cryptography, we initiated discussions with other countries to harmonize international controls on encryption. We also established pilot projects to show that recoverable technologies work. We are completing the process of establishing a key recovery standard for government use, and we established an advisory committee made up of a broad spectrum of interested parties to advise the government on encryption policy.
During the past two years, we have learned that there are many ways to achieve the goal of our encryption policy -- lawful access by government officials to the plaintext of encrypted information. The recovery encryption plans we received showed that different technical approaches to recovery exist. In licensing exports of encryption products under individual licenses, we also learned that, while some products may not meet the strict technical criteria of our regulations, they are nevertheless consistent with our policy goals. Finally, we learned that the use of non-recovery encryption within certain trusted industry sectors could also meet our national security and law enforcement needs.
Our approach has always been to promote industry-led, market-driven solutions to achieve a balance between all of our interests. This position has not changed. What has changed is the direction technology and the market are taking us. Key recovery technology is still a very important part of our current encryption policy, and we believe that there is a future for it, particularly for stored data; however, over the past two years, we have come to recognize that key recovery is not the only solution.
As I'm sure most of you know, we recently made several changes to our encryption policy that I would like to summarize for you. These changes show how we are broadening our policy to embrace other approaches to achieving our goals.
On September 22, we published a regulation implementing our announcement that we would allow the export under license exception of unlimited strength encryption to banks and financial institutions located in countries that are members of the financial action task force or have anti- money laundering laws. The regulation also allows exports under license exception of encryption products that are specially designed for financial transactions. This new policy recognizes the fact that the banking and financial communities cooperate with government authorities when information is required to combat financial and other crimes. The direct result of this policy change is that over 100 of the world's largest banks and almost 70% of the international financial institution market will now be eligible for strong American-made encryption.
In addition, we have been looking for ways to make sure our policy is consistent with market realities. Since last march, the Administration has been engaged in an intensive dialogue with U.S. industry on how our policy might be improved. The purpose of this dialogue was to find cooperative solutions that could assist law enforcement, while protecting national security, plus assuring continued U.S. technology leadership and promoting the privacy and security of U.S. firms and citizens in electronic commerce.
The result of this dialogue was an update to our encryption policy which Vice President Gore unveiled on September 16. This will not end the debate over encryption controls, but it does address some private sector concerns by further streamlining exports and reexports of key recovery products and other recoverable products. The policy update also liberalizes controls on 56-bit products and on products of unlimited bit length to certain industry sectors. Specifically, the new policy allows for:
The export of 56-bit DES worldwide to any enduser under a license exception
Exports of strong encryption to U.S. companies and their subsidiaries under a license exception
Exports of strong encryption to the insurance and medical sectors in 45 countries under a license exception
Exports of strong encryption to secure on-line transactions between on-line merchants and their customers in 45 countries under a license exception.
We recognize that this is an evolutionary process, and we intend to continue our dialogue with industry. Our policy must continue to adapt to technology and market changes. We will review our policies again within one year to see whether further change is necessary. Meanwhile, BXA is drafting regulations to implement this recent announcement, which we intend to publish this month.
With respect to developing a common international approach, Ambassador Aaron made significant progress last week when the Wassenaar Arrangement members agreed to control mass market encryption greater than 64-bits at the same time they eliminated controls on products below 56 bits. This is a clear indication that other countries share our public safety and national security concerns.
We have learned from experience that export control policies without a multilateral basis have little chance of being successful. Today, the United States enjoys a commanding lead in the world market for software products, including the market for encryption. If our policies encourage other countries to develop and export the products we are trying to control, we will not only lose our economic advantage in this critical market, but we will also fail to achieve our national security and law enforcement goals.
Public disagreement over encryption policy has been spirited, to say the least. Many of those on both sides of the debate have been unwilling to consider how their interests may coincide with the other, or how they might reach a compromise. This is what we have accomplished in our dialogue with industry, and it is important that this process continue. This is clearly the best way to pursue all of our policy objectives.
Finally, we cannot discount the possibility of congressional action in this area. The mood in Congress is clearly changing, as shown by the debate over satellite launches in China and the increasing focus on tougher export restrictions. In the short term, this may further law enforcement interests, but it may also retard private sector development of infrastructure security systems that use strong encryption.
Thus far congressional debate over encryption policy has been acrimonious, and Congress has been unable to pass encryption legislation. I believe it would be a mistake to pull the critical infrastructure issue into the encryption debate. Protecting our infrastructures is an urgent national priority. Encryption export policy is evolving toward allowing strong encryption for trusted components of the electronic commerce infrastructure. We are moving in the right direction on both issues. We don't want to jeopardize the successes we have had so far by unnecessarily linking one debate to the other.
When I consider the pace of technological development in this country, I cannot help but be excited about current and future prospects for economic growth and prosperity. Protecting the safety of our citizens and the foundations of our economic system is a responsibility the government takes very seriously. Our encryption and critical infrastructure policies will accomplish this, and will preserve U.S. economic strength as we move into the twenty first century.
Thank you.
In April of 2002 the Bureau of Export Administration (BXA) changed its name to the Bureau of Industry and Security(BIS). For historical purposes we have not changed the references to BXA in the legacy documents found in the Archived Press and Public Information.