10 November 1997
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[Congressional Record: November 9, 1997 (Extensions)]
[Page E2289-E2290]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr09no97-51]

CONCERN ABOUT EXPORTS AND DOMESTIC CONTROLS

______

HON. BRAD SHERMAN
of California
in the House of Representatives
Saturday, November 8, 1997

Mr. SHERMAN. Mr. Speaker, the Clinton administration policy on encryption makes no sense, is costing the United States critical export dollars, and threatens the fundamental privacy rights of all Americans in the information age.

For an administration that claims it is sympathetic to and supportive of America's high tech practitioners, what is happening today demonstrates exactly the opposite. Because for all the complexity of designing top of the line computer products and programs with information security--encryption--features, the issues here are not complex at all.

Encryption is both the first and the last line of defense against hackers who would like to get into bank accounts or pry loose credit card information that can cost consumers and businesses dearly. Encryption is crucial for protecting customers and companies from criminal intrusion into both their private lives and their businesses.

Yet the administration says it is addressing the concerns of national security and law enforcement by refusing to permit the export of software with 56 bits or greater encryption protection, unless the company agrees to commit to build key recovery products. It also suggests that the war against criminals, such as pornographers, credit card thieves, terrorists and others too numerous and too diverse to mention, will be all for naught unless government eavesdroppers are handed the keys to unlock all the billions of electronic transmissions that are made every day in today's electronic information age.

Now as ridiculous as it might seem that this administration wants the capacity to tune in on everything going through the airwaves; nevertheless, that is the tool they say they need to protect all of us from today's criminal elements. It is rather mind-boggling to contemplate how the Federal payroll might explode if the NSA and the FBI were given the opportunity to monitor the messenger traffic that goes on every day of the week. But it is also mind-boggling to contemplate the picture of Uncle Sam riding roughshod over privacy rights that have been guaranteed under our Constitution since the days of our Founding Fathers.

If American firms had a monopoly on encryption skills, and if these products were not available from anyone on either side of the Atlantic or Pacific, perhaps an argument could be made for restricting exports of products with encryption that could not be reproduced elsewhere. But that is not the case. What in fact the administration has done, and is doing, is creating, in the words of the New York Times, ``a bonanza for alert entrepreneurs outside the United States.'' And even then I see no good reason for restricting the use of encryption within the United States.

I call my colleagues' attention to an article from the New York Times of April 7, 1997. It tells the story of how the German firm of Brokat Information Systems has carved out a booming business selling powerful encryption technology around the world that the United States Government prohibits American companies from exporting. This German company actually markets its products by telling potential purchasers that they shouldn't use American export-crippling products.

This should serve as a reminder that even if Congress should pass and the President should sign Fast Track authority to negotiate new trade agreements with some of our Latin American neighbors, we are not going to turn our trade deficit around if we persist on handing on a silver platter to foreign competitors markets that should be dominated by American firms.

At this point I would like to insert the article from the New York Times, of April 7, entitled ``U.S. Restrictions on Exports Aid German Software Maker.''

[From the New York Times, Apr. 7, 1997]

U.S. Restrictions on Exports Aid German Software Maker

(By Edmund L. Andrews)

Boeblingen, Germany, April 3.--Boris Anderer and his four partners have a message for the spy masters in America's national security establishment: thank you very, very much.

Mr. Anderer is the managing director for marketing at Brokat Informationssystems G.m.b.H., a three-year-old software company here that is growing about as fast as it can hire computer programmers.

When America Online wanted to offer online banking and shopping services in Europe, it turned to Brokat for the software that encodes transactions and protects them from hackers and on-line bandits. When Netscape Communications and Microsoft wanted to sell Internet software to Germany's biggest banks, they had to team up with Brokat to deliver the security guarantee that the banks demanded.

But what is most remarkable is that Brokat's rapid growth stems in large part from the Alice in Wonderland working of American computer policy. Over the last two years, Brokat and a handful of other European companies have carved out a booming business selling powerful encryption technology around the world that the United States Government prohibits American companies from exporting.

Mr. Anderer could not be happier. ``The biggest limitation on our growth is finding enough qualified people,'' he said, as he strode past rooms filled with programmers dressed in T-shirts and blue jeans.

The company's work force has climbed to 110 from 30 in the last year, and the company wants to add another 40 by the end of the year. ``This company has grown so fast that I often don't know whether the people I see here have just started working or are just visitors,'' he said.

Encryption technology has become a big battleground in the evolution of electronic commerce and the Internet. As in the United States, European banks and corporations are racing to offer on-line financial services, and many of these services are built around Internet programs sold by American companies like Netscape and Microsoft.

Cryptography is crucial because it provides the only means for protecting customers and companies from electronic eavesdroppers. Although the market for encryption software is in itself tiny, it is a key to selling technology in the broader market of electronic commerce. Encryption is the first line of defense against hackers eager to pry loose credit card information and raid bank accounts, so it plays a critical role in the sale of Internet servers and transaction-processing systems.

[[Page E2290]]

Brokat, which has revenues of about 10 million marks ($6 million), uses its cryptography as a door-opener to sell much more complicated software that securely links conventional bank computer systems to a bank's internet gateways and on-line services.

Netscape, Microsoft and computer equipment manufacturers all include encryption in the networking systems they sell to corporations. But the United States Government blocks American companies from exporting advanced encryption programs, because agencies like the Federal Bureau of Investigation and the National Security Agency fear that they will lose their ability to monitor the communications of suspected terrorists and criminals.

Far from hindering the spread of powerful encryption programs, however, American policy has created a bonanza for alert entrepreneurs outside the United States.

Brokat's hottest product is the Xpresso Security Package, a set of computer programs that bump up the relatively weak encryption capability of Internet browsers from Netscape and Microsoft.

Besides America Online, Brokat's customers include more than 30 big banking and financial institutions around Europe. Deutsche Bank A.G., Germany's biggest bank, uses Brokat's software at its on-line subsidiary, Bank 24. Hypo Bank of Munich uses Brokat in its on-line discount stock brokerage operation. The Swiss national telephone company and the Zurcher Kantonalbank are also customers.

Among Brokat's competitors, UK Web Ltd, based in London, is marketing an equally powerful encryption program in conjunction with a Silicon Valley company, C2Net Software. Recently, UK Web and C2Net boasted of selling ``full-strength'' cryptography developed entirely outside the United States.

``We don't believe in using codes so weak that foreign governments, criminals or bored college students can break them,'' the two companies said in a statement, in a stinging swipe at the American export restrictions.

Bigger companies are starting to jump into the fray as well. Siemens-Nixdorf, the computer arm of Siemens A.G., recently began marketing a high-security Internet server program that competes with products from Netscape. Companies can download the software from Siemens computers in Ireland.

There is nothing illegal or even surprising about this. The basic building blocks for advanced encryption technology, in a series of mathematical algorithms or formulas, are all publicly available over the Internet. American companies like Netscape sell strong encryption programs within the United States, and companies like Brokat are even allowed to export their product to customers in the United States.

For many computer executives, the real mystery is why the United States Government continues to restrict the export of encryption technology.

``The genie is out of the bottle,'' said Peter Harter, global public policy counsel at Netscape, who complained that American policy thwarts his company's ability to compete.

``I have a good product, and I can sell it to Citibank, but I can't sell it to Deutsche Bank,'' Mr. Harter said. ``It doesn't make any sense. Why shouldn't they be able to buy the same product at Citibank? It makes them mad, and it makes us mad.''

In response to industry complaints, American officials have repeatedly relaxed the restrictions on encryption over the last several years, and they did so again last November. But because the speed of computers has increased so rapidly, codes that seemed impenetrable just a few years ago can be cracked within a few hours.

In a policy announced last fall, the Clinton Administration announced that it would allow American companies to freely export cryptography that used ``keys'' up to 40 bits in length. The longer the key, the more difficult a code is to crack.

But banking and computer executives say that 40-bit codes are no longer safe and can be cracked in as little as a few hours by skilled computer hackers. The minimum acceptable code, according to many bank executives, must have keys that are 128 bits long.

``From our point of view, there is at least the possibility that a 40-bit encryption program can be broken, and that means there is a danger that our transaction processing could be compromised,'' said Bernd Erlingheuser, a managing director at the Bank 24 unit of Deutsche Bank. Bank 24 has about 110,000 customers in Germany who gain access to banking services over the Internet using either the Netscape Navigator or Microsoft's Internet Explorer.

Anette Zinsser, a spokeswoman for Hypo Bank, concurred. ``Forty bits is just too low,'' she said. Hypo Bank offers Internet-based banking and discount brokerage services to about 28,000 customers.

In a country not known for high-technology start-ups, Brokat jumped at the opportunity. Mr. Anderer, a former consultant at McKinsey & Company in Germany, teamed up three years ago with two fraternity friends, Michael Janssen and Stefan Roever, and two seasoned computer experts, Achim Schlumpberger and Michael Schumacher.

The group originally conceived of building a company around modular software components that were designed for the banking industry, and they financed the company for nearly two years through the money they earned from consulting projects. But they were quickly drawn in the area of encryption, and developed a series of programs around the Java technology of Sun Microsystems.

The Xpresso encryption package is installed primarily on the central ``server'' computers that on-line services use to send material to individual personal computers. Customers who want to connect to a bank's server download a miniature program, or applet, that meshes with their Internet browser program and allows the customer's computer to set up an encrypted link with the server. The effect is to upgrade the 40-bit encryption program to a 128-bit program, which is extremely difficult for outsiders to crack.

Now, in another step through the looking glass of encryption policy, Brokat is trying to export to the United States. There is no law against that, but American laws would theoretically prohibit a company that used Brokat's technology from sending the applets to their online customers overseas.

So the company is now negotiating with the National Security Agency for permission to let American companies send their software overseas, which is where it started from in the first place.

If Brokat convinces the spy masters, the precedent could help American software rivals. ``This could open a new opportunity that would benefit American companies if they understand the implications,'' Mr. Anderer said.

____________________