Legislation Governing Encryption Must Protect American National Security Interests

(Washington, D.C.): Yesterday, by a
stunning, bipartisan 45-1 vote, the House
of Representative’s National Security
Committee (HNSC) rejected the proposition
that national security interests should
be subordinated to the American computer
industry’s quest for short-term economic
advantage through the unregulated sale of
powerful encryption products. The
Committee’s action came at the initiative
of Rep. Curt Weldon
(R-PA) — a long-time member of the
Center for Security Policy’s Board of
Advisors — and Rep. Ron Dellums
(D-CA) on H.R. 695, the so-called
Security and Freedom through Encryption
(SAFE) Act.

This legislation, whose principal
House sponsor is Rep. Robert
Goodlatte
(R-VA), would govern
the domestic use and foreign export of
encryption software and related
technology. The bill was sequentially
referred to the National Security,
Commerce and Intelligence Committees
after its earlier, favorable
consideration by the Judiciary and
International Relations Committees. The
House Permanent Select Committee on
Intelligence (HPSCI) is expected to mark
up H.R. 695 tomorrow.

If the HPSCI follows the HNSC’s lead
by correcting key deficiencies in H.R.
695, it is entirely possible that
these two committees will do no more
important work this year on behalf of
U.S. national security interests.

The Issue

By its very nature, encryption — a
generic name for numerous means of
encoding computer, voice or other
transmissions of data so as to conceal
the contents from unauthorized access —
is one of the most complex and obscure of
sciences. This is especially true given
the direct relevance of this science to
protecting classified U.S. government
information and to penetrating foreign
governments and other entities’ secure
communications.

Due to advances in information
techniques, however, the know-how and
means for providing sophisticated
encryption capabilities has proliferated
dramatically in recent years. With the
burgeoning use of the Internet and other
electronic devices for conducting
business, the demand for means to keep
voice communications, data records and
data transfers private has also grown
tremendously.

U.S. manufacturers of computer
software and hardware — many of whom
have been major supporters of and enjoy
great influence with President Clinton
and his Administration — are demanding
an opportunity to meet this demand with
encryption products that will be
exceedingly robust, if not
impenetrable
. These companies, and
their congressional allies like Rep.
Goodlatte on the House side and Senators
Conrad Burns
(R-MT) and Patrick
Leahy
(D-VT), emphasize the
trade benefits such sales would accrue to
American producers and the U.S. trade
balance. They also contend that foreign
manufacturers of encryption technologies
will gladly supply products not available
from American sources. Similar arguments
have proven effective in obtaining
Administration support for the wholesale
elimination of export controls on
powerful computers — even some
supercomputers with obvious military
relevance.(1)

The Risk to National
Security

These arguments ignore, however, a
larger national interest: For years, the
United States has relied upon a highly
sophisticated signals intelligence
(SIGINT) capability to provide timely
access to information not otherwise
available to U.S. government
policy-makers. That information has
frequently served to avoid casualties,
preserve the peace, and help to win wars.
For example, it has recently been
disclosed that SIGINT contributed greatly
to shortening World War II, likely saving
hundreds of thousands of American lives
in the process. Many experts believe
that, without successful U.S. SIGINT
operations, the Cold War might have
turned into an unforgiving hot
war at critical junctures. There is no
reason to believe that signals
intelligence will be less critical to
American security in the dynamic and
increasingly turbulent international
environment of the future.

Unfortunately, it is hard to
quantify the precise dollar value of
American lives saved, terrorist incidents
thwarted or wars avoided thanks to
competent signals intelligence.

This is especially true since the
contribution made by U.S. SIGINT to
achieving such results must generally be
concealed, lest the sources and methods
that enabled the success be compromised
and, therefore, be unavailable for future
use. The unalterable fact is that this
capability will be irreparably harmed, if
not as a practical matter, eliminated if
the best American encryption technology
becomes universally available.

The Danger of Relaxed
Export Controls on Encryption Technology

The House National Security Committee
vote illustrates the value of heightening
congressional awareness of the gravity of
this situation. In recent months, over a
score of its members have at one time or
another been listed as co-sponsors of the
Goodlatte bill. All but one of them, Rep.
Adam Smith (D-WA) — whose district abuts
the home of Microsoft Corporation —
supported the Weldon-Dellums amendment.
In the course of yesterday’s mark-up, it
became clear that light shed on the
adverse implications of this legislation
persuaded them that encryption exports
must not be permitted if they will cause
“harm to the national security of
the United States.”

Unfortunately, President Clinton has
already issued one Executive Order
substantially weakening restraints on the
export of powerful encryption
capabilities. It did so in several ways:
First, the Executive Order removed
encryption technologies from the
relatively stringent State Department’s
Munitions Control List and made it part
of the notoriously lax Commerce
Department’s purview. Second, it allowed
40-bit encryption programs(2)
to be exported without a license. Third,
56-bit encryption programs are now
permitted to be exported without a
license, provided the exporter is working
on
a public key recovery technology
base. Finally, any product that
is part of a public key recovery system
may be exported without a license –
even if that key resides with the
purchaser
of such encryption.

The Goodlatte bill and its Burns-Leahy
counterpart in the Senate, however, would
go even further, effectively eliminating
all export controls on
encryption technology
. As a
result, even the most sophisticated
software currently available, featuring
128-bit coding that is judged to be
unbreakable using available decrypting
techniques, could be provided to foreign
purchasers irrespective of whether they
may be: potentially hostile foreign
governments’ militaries and espionage
services, proliferators of weapons of
mass destruction, terrorist
organizations, drug-traffickers,
organized crime or other threats to U.S.
interests.

Interestingly, lobbyists promoting the
Goodlatte bill have misled some
legislators into believing that H.R. 695
actually tightens encryption
export controls, instead of gutting them.
As the truth has become known, some
co-sponsors — including member of the
HNSC — have begun to remove their names
from the bill. It is a travesty that such
a fraud has been perpetrated on Members
of Congress; this fraud would amount to
malfeasance should it not be corrected
by, at a minimum, ensuring that the
existing export controls on encryption
technology can be preserved as long as
the President deems them required to
prevent “harm to the national
security of the United States.”

Law Enforcement Protections
Must Not Come at the Expense of National
Security

In this connection, there are also
grounds for concern about legislation
being considered in the Senate Commerce
Committee as an alternative to the
Burns-Leahy bill. This legislation has
been drafted by the Committee’s chairman
and ranking member, Sens. John
McCain
(R-AZ) and Bob
Kerrey
(D-NE) respectively, with
a view to addressing legitimate
domestic law enforcement equities
that
would also be seriously compromised by
the Goodlatte approach. This would be
done by creating incentives for U.S.
manufacturers to participate in an
encryption “key management
infrastructure” (i.e., establishing
means whereby federal agencies, with
appropriate court orders, can obtain the
ability to read encrypted
communications). It must be noted,
however, that — while this legislation’s
incentives aimed at encouraging such an
arrangement are significant — the
companies affected would be under no
obligation
to take part in this
arrangement.

Unfortunately, in an effort to appease
encryption industry unhappiness over that
measure, the McCain-Kerrey bill would
aggravate the present national security
problem on the export control front.
Notably, it would raise the
threshold for unlicenced exports from 40
bits to 56 bits.
This represents
a dramatic increase in the power of
encryption programs that will find their
way into the hands of hostile powers,
international terrorists and other
foreign criminal elements — and will add
substantially to the time and computing
power required by U.S. intelligence to
monitor their activities.

The McCain-Kerrey legislation also
calls for the creation of an industry-government
advisory board
tasked to
consider and jointly develop
recommendations concerning future
standards for encryption exports. Such an
arrangement would put those responsive to
multinational stockholders on an
essentially equal footing with government
agencies responsible for the national
security. In addition, the bill would mandate
foreign-availability assessments — a
pretext all-too-frequently used by
industry to argue for even the most
irresponsible transfers of U.S.
technology.(3)

U.S. Security Requirements
in an Age of Information Warfare

The House Intelligence Committee is
expected to consider one other
shortcoming of H.R. 695 which the
National Security Committee felt was
outside its jurisdiction — namely, the
Goodlatte bill’s failure to address the
urgent national security requirement for
a domestic key management infrastructure
.
Such an infrastructure is needed to
mitigate the growing threat posed by
information warfare (IW) against the
United States’ ever more
computer-dependent public services (e.g.,
energy, health, sanitation,
telecommunications, financial
institutions and markets and similar
industries). Put simply, the Nation will
be exceedingly vulnerable to IW if it is
unable to: detect, let alone prevent,
unauthorized penetrations of nominally
encryption-safeguarded computers critical
to large sectors of the economy; ensure
necessary interoperability of computers
using different encryption programs;
and/or assure key recovery where
required.

It is extremely important that members
of the HPSCI constructively address this
subject — as well as reinforce the
stance taken by their colleagues on the
National Security Committee concerning
export controls. Their counterparts on
the House Commerce Committee should —
and, for that matter, the counterpart
Senate committees — be doing no less.

The Bottom Line

Absent such efforts on the part of
national security-minded committees, the
deep pockets and questionable tactics of
interested parties in the computer
industry stand a good chance of pushing
through the Congress legislation that
would cause incalculable harm to the
defense and foreign policy interests of
the United States. This will be the
inevitable effect if H.R. 695 were
permitted to offer a possibly
impenetrable electronic cloak of secrecy
on our foreign adversaries while failing
to protect the public networks on which
our economy depends.

The undeniable fact is that U.S.
national security is dependent upon
America’s ability to collect intelligence
in peacetime on foreign threats — from
the activities of terrorist groups to the
trade in “weapons of mass
destruction” technology to the
status of nuclear-tipped missiles in
potentially unfriendly hands. What is
more, success in foreign affairs (from
trade to diplomacy to support for friends
and allies) often depends critically on
the contribution signals intelligence
makes to identifying and exploiting
opportunities to advance American values
and interests around the world.

As a result, responsible
legislators cannot afford to be
ambivalent about, to say nothing of indifferent
to
, initiatives that would make more
difficult the task of preserving the
United States’ ability to gather SIGINT.

Such a vital, long-term national security
priority must take precedence
over the ephemeral, if potentially
lucrative, commercial advantages of
selling powerful U.S. encryption software
abroad.

– 30 –

1. See the
Center’s Decision Brief
entitled What’s Good For
Silicon Graphics Is Not Necessarily Good
For America: Some Supercomputer Sales
Imperil U.S. Security
( href=”index.jsp?section=papers&code=97-D_102″>No. 97-D 102, 21
July 1997).

2. Such figures
refer to the number of variables used in
combination to conceal a given piece of
encrypted message traffic, one of several
factors determining the robustness of an
encryption program.

3. As the Center
noted last July, it is unclear on what
basis other industries selling
strategically sensitive products — for
example, the supercomputer, chemical and
biotechnology, machine tool, chip
manufacturers, etc. — would be denied
similar vehicles for demanding the
erosion or elimination of any remaining
export controls on the transfer of their
respective products.

Center for Security Policy

Please Share:

Leave a Reply

Your email address will not be published. Required fields are marked *