4 July 1997
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[Congressional Record: June 27, 1997 (Senate)]
[Page S6724-S6726]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr27jn97-82]


                        ENCRYPTION POLICY REFORM

  Mr. LOTT. Mr. President, I rise today to thank the junior Senator
from Montana for his leadership on the important issue. Senator Burns
has led a valiant effort to address an area that I believe is in great
need of reform. He has championed the cause of allowing citizens to
protect their information through readily available strong information
security technology. In the 104th Congress, he introduced legislation
that set the stage for our reform efforts in this Congress. Again, last
week, Senator Burns offered a compromise version of his original bill
before the Commerce Committee, but unfortunately this measure did not
pass. I hope that now we can go through a process to bring all parties
together, industry and Government, to try to relieve some of the
problems created by current law. We did not accomplish everything that
I wanted in Committee, but I am confident that there is still time to
improve this legislation. I want to congratulate Senator Burns and
others on the committee like Senator Ashcroft and Senator Dorgan who
have taken the time to understand the technology and to attempt to
effectively guide us through these difficult issues.
  Mr. President, the demand for strong information security will not
abate. Individuals, industry, and governments need the best information
security technology to protect their information. The Administration's
policy and the McCain-Kerrey bill allow export of 56-bit encryption,
with key recovery requirements. How secure is 56-bit encryption? That
question was answered the day before the Senate Commerce Committee
acted. Responding to a challenge, a secret message encoded with 56-bit
encryption was decoded in a brute force supercomputing effort known as
the ``Deschall Effort.'' The message that was decoded said ``Strong
cryptography makes the world a safer place.''
  Now that 56-bit encryption has been cracked by individuals working
together over the Internet, information protected by that technology is
vulnerable. The need to allow stronger security to protect information
is more acute than ever.
  Mr. BURNS. Mr. President, I appreciate the comments of the majority
leader. I too was opposed to the legislation approved by the committee
last week, but know that we still have the opportunity to pass a
meaningful bill that will allow American industry to compete with the
rest of the world in the global information marketplace. I believe that
we can pass a bill that will not compromise our national security or
law enforcement interests. As I sat through the markup last week, it
occurred to me that we had allowed the issue of encryption to be framed
as the

[[Page S6725]]

issue of child pornography or gambling. I want to be sure that all
parties understand that the reform of encryption security standards is
not related to these issues.
  I have often said that encryption is simply like putting a stamp on
an envelope rather than sending a postcard because you don't want
others to read your mail. Encryption is simply about people protecting
their private information, about companies and governments protecting
their information, from medical records to tax returns to intellectual
property from unauthorized access. Hackers, espionage agents, and those
just wanting to cause mischief must be restrained from access to
private information over the Internet.
  When used correctly, encryption can enable citizens in remote
locations to have access to the same information, the same technology,
the same quality of health care, that citizens of our largest cities
have. Perhaps most importantly, it is about ensuring that American
companies have the tools they need to continue to develop and provide
the leading technology in the global marketplace. Without this
leadership, our national security and sovereignty will surely be
threatened.
  Mr. DORGAN. Mr President, I would like to make a few comments to
associate myself with the comments of the majority leader and the
Senator from Montana. These two gentlemen have demonstrated great
leadership on this issue, and I especially admire their dedication to
educate our colleagues about this important issue. I believe that at
the bottom line, if we allow this critical technology to be stifled in
the United States I believe our national interests will be severely
undermined. We must do our best to allow U.S. companies to compete in
the world marketplace, and do so without in any way undercutting our
national security interests.
  I believe that the bill that was reported last week out of the
Commerce Committee does not achieve those objectives. In fact, I fear
that bill may be nothing more than an attempt to ensure that no bill
passes in Congress this year. This would be a victory for the
administration, which has rigorously resisted changes to their outdated
and obsolete policies. I must say that I try to support the
administration on many issues, but on this issue, I have found that
their arguments and policies simply do not withstand scrutiny.
  And, Mr. President, I was an original sponsor of the Burns bill and I
worked very hard with the Senator to help shape the consensus position
that was rejected by the committee. I would like to take a few moments
to set the record straight about the true differences between the
McCain-Kerrey bill and the Burns' approach.

  The bill that passed the committee certainly represents a victory for
those within the administration opposed to any relaxation of export
controls in this area. In fact, it may be a perfect bill from their
standpoint. It allows them to begin the process of domestic control
while actually freezing exports to a weak enough level of encryption
technology that was actually decoded by amateurs the very day before.
And it is very unclear to me exactly where the McCain-Kerrey reaches a
compromise position.
  The Burns' bill however, merely allows that we would allow export of
56-bit encryption immediately, but we would establish a process for
understanding the level of encryption that is generally available
throughout the world. That review process would include panels and
advisory boards consisting of government and industry representatives
equipped to determine the security strength of particular software that
is available in the world market. Our belief was that it was in the
national interest for American software companies to maintain
leadership in this area. The very notion that we would let foreign
companies get a head start on new technology while forcing American
companies to come to a government entity to plead for the right to
catch up was troubling enough to both Senator Burns and myself. But, we
agreed to this compromise because we thought it represented the
appropriate middle ground.
  As the majority leader reminded us, we did not accomplish what many
of us had hoped that we would while in Committee, but we will continue
to work within the process to improve the legislation. I remain
committed to encryption reform and will do everything possible to try
to educate my colleagues about this issue.
  Mr. ASHCROFT. Mr. President, I would like to add my comments on this
important issue. For over 2 years, I have participated in Commerce
Committee hearings to learn more about on encryption and the technology
issues that it encompasses. Last week, I voted for Senator Burns'
substitute and was disappointed when it was not approved by the
committee.
  I am concerned about the tone of the discussion at last week's
markup. It appeared to me that many on the committee are seeking ways
to outlaw the Internet. We are all troubled by any type of child
pornography or gambling on the Internet. These are not areas where any
member of Congress, any software or hardware vendor, or any member of
the general public I know, argues for anything less than the strictest
legal provisions. These matters are distasteful and wrong, but even if
we eliminated the Internet, we would not eliminate these offensive
concerns.
  As I said during the markup, we all know that cameras are used in
child pornography, but we don't talk of outlawing photography. And, we
also know that rental vehicles are often used in terrorist activities,
but we don't make it illegal to rent a car or truck.
  Mr. President, it appears to me that at the most fundamental level,
this debate is about the relationship of our citizens to our
Government. We all must take steps to insure that the rights of our
citizens are not violated. Our citizens should be able to communicate
privately, without the Government listening in--that is one of our most
basic rights.
  We have to be careful to ensure our law enforcement can have just the
necessary amount of access and then only in a manner consistent with
our Constitution.
  I am persuaded that a number of the new provisions in the McCain-
Kerrey bill are not necessary.
  I believe that many of the provisions will not even succeed at
achieving the end they seek. For example, a false choice has been
offered indicating that if the U.S. continues to enforce the export
policy on encryption that is currently in place, 40 bit and with
special permission up to 56-bit, then law enforcement could apprehend
terrorists, stop illegal gamblers and arrest pornographers. However,
this argument assumes that these criminals cannot find stronger
encryption elsewhere than in the United States. As has been shown
several times, this assumption is false. Robust encryption is
available. Germany, Japan, and the United Kingdom all have companies,
such as Siemens, Nippon and Brokat, that have developed and promote 128
bit encryption. Last week even the supporters of the administration's
approach, as expressed in the current legislation, admitted that
criminals who want the robust encryption can find access and use strong
encryption in their current dealings. This issue is a red herring.
  Moreover, the administration announced Wednesday that they will allow
the export of 128-bit encryption for bank transaction use involving
bank software in an apparent admission of the vulnerability of the 56-
bit strength. Also, the administration has continued to tell us during
the hearings on encryption and in private meetings with the FBI and
NSA, that 128-bit use outside the United States would end in terrible
consequences, and now 128-bit use outside the U.S. is being advocated.
We should remember that the Burns compromise only wanted to export 128-
bit with key recovery for trusted parties. The administration now
advocates 128-bit length encryption without any key recovery device, a
position that goes beyond the Burn's compromise, which they opposed. My
point, Mr. President is that this debate must change. We cannot
continue to focus on the key length since these standards become
obsolete on a daily basis. We need to focus on allowing trustworthy
parties to use robust encryption, not necessarily to sell as encryption
but to use in their transactions and in the development of software and
hardware.

[[Page S6726]]

  No nationwide key recovery system, or a new licensing requirement for
certificate authorities should be brought to the floor without thorough
examination, analysis and understanding. We must further study the
impact of these provisions well before this bill is brought to the
Senate floor.
  Mr. LOTT. Mr. President, I too would like to work with my colleagues
to improve the McCain-Kerrey bill before it is brought to the floor. I
would like to ask my good friend from Missouri to pay special attention
to this bill while it is under consideration by the Judiciary
Committee. I know that I can count on him to work hard to improve this
important legislation.
  Mr. ASHCROFT. Mr President: I want to indicate my willingness to
continue to work on this issue. As the majority leader well knows, I am
privileged to serve on the Senate Judiciary Committee where we will
address this issue after the July recess. I pledge to work with members
on that Committee and with other interested Senators and the leader to
try to move a bill in that committee that will capture the essence of
Burns substitute.
  Mr. LOTT. It remains my hope that we can work with Chairman McCain
and other members of the Committee to produce a bill that more of us
can support. We need to recognize that American industry will have
increased difficulty of competing in the international marketplace
unless we provide some real reform. It is as if we erected a 30-foot
wall between the United States and the rest of the world. The problem
is that in today marketplace, American industry only has a 10-foot
ladder while their foreign competition has a 35-foot ladder. Foreign
firms are able to climb the wall while our American industry faces an
insurmountable obstacle. This is both short-sighted and wrong.
  If we follow our current path, we will rue the day when we allowed
our policies drive world leadership of the important information
security business to shift to Germany, Russia, Japan or China. I fully
intend to work toward a legislative solution that will help solve the
problem while protecting American security interests. We need to create
the mechanisms that will allow American companies to have the same
sized ladders that the rest of the world can use.
  Mr. President, we all appreciate the legitimate law enforcement and
national security issues involved in this debate. Our national security
and law enforcement agencies need to work with industry to ensure that
our interests are protected. I remain convinced that we can do this in
a way that insures that our national security and sovereignty remains
protected.

                          ____________________