A “stumbling” US encryption policy


FEATURE

Wayne Madsen

"Are those in opposition to the administration's [encryption] policy prepared to sacrifice public safety in the interests of commercial gain?" Those words, uttered by Deputy Assistant Attorney General Robert Litt, would etch themselves in the minds of those who attended the 7 May 1997 House International Economic Policy and Trade hearing on "Encryption: Individual Rights vs National Security". The hearing was held to consider Representative Bob Goodlatte's liberalized encryption export bill.

In defending the Clinton administration's cryptographic policies to date, Litt was joined by William Reinsch, the Undersecretary of Commerce for Export Administration and William Crowell, the Deputy Director of the National Security Agency (NSA). Representative Sam Gejdenson of Connecticut referred to those policies as "stumbling". Reinsch, irritated at Gejdenson's use of the word "stumbling", insisted that the administration's new key recovery proposal was dissimilar to the previous discredited key escrow initiative. "This is not Clipper!" Reinsch protested to Gejdenson. Reinsch declared that the "market and government are moving in the same direction - which is key recovery." Reinsch also said that the National Institute for Standards and Technology (NIST) was developing a Federal Standard for key recovery. He added that "the Government is not in the business of mandating private standards for private use."

Speaking for NSA, Crowell repeated his often stated fear that failure to enact cryptography controls would lead to an "electronic Tower of Babel". That statement set off a wave of rolling eyeballs and shaking heads in the Rayburn House Office Building hearing room. Crowell added that, "NSA sees key management infrastructures as necessary and inevitable."

Gejdenson reminded the three Government officials that he had been through the very same arguments before on the Clipper chip proposal. He said that past administration attempts to get other countries to share their keys with US intelligence agencies proved fruitless. With regard to key recovery bilateral agreements, Gejdenson asked Reinsch to name the countries with which the US had entered into agreements. Reinsch stated that "the G-7 countries, the rest of the European Union, Australia, Canada, South Africa, Japan, and Israel" are mostly "moving in our direction".

Responding to Reinsch's rosy portrayal of foreign nations lining up with the United States, Representative Goodlatte, the author of House Resolution 695, the Security and Freedom through Encryption (SAFE) Act, said, "I don't want to base US security and privacy on any standard embraced by other countries." The congressman insisted that some countries were not good examples to follow when it came to protecting privacy.

Computer Fraud & Security July 1997 © 1997 Elsevier Science Ltd

Litt responded by saying that the US Government "does not go breaking into computer systems and file cabinets without a warrant". Goodlatte reminded Litt that under the administration's leaked key recovery bill, law enforcement "would only need a letter from the Attorney General" to gain access to stored keys. Crowell, trying to salvage the key recovery bill in the midst of a clearly hostile subcommittee, cautioned that the passage of Goodlatte's SAFE bill would "limit the market for key recovery" because it would imply a prohibition of key recovery in the United States.

Representative Brad Sherman of California told the three Government officials, "I believe in key recovery - I have a key to my apartment hidden near my front door - but I never thought about giving it to a Government agency!" "We don't want it!" Reinsch responded. Crowell joined in and said "We don't want to hold the keys of anyone."

Responding to administration statements on key recovery agreements being negotiated by Ambassador David Aaron, Sherman contended that "if any developed country wanted to take our software industry away from us, they would have every reason not to enter into a key recovery agreement with us". To which Goodlatte quickly added, "... and they would draw US software companies to their countries immediately".

Sherman also argued, "It is not enough to get 50% or 60% [of the countries of the world] to agree - you need all of them." Crowell insisted that "unilaterally opening up exports around the world will undermine our effort." Sherman shot back, "It will undermine an effort doomed to failure." Sherman said to make the administration's plan feasible, "You'll have to do what the French have done." France has adopted draconian measures aimed at restricting the use of non-government approved cryptography. Finally, Sherman warned the NSA, Commerce, and Justice officials that "You don't have the votes [in Congress] to do what you want!"

The three government officials were followed by a cross section of industry representatives, including John Gage, Chief Scientist at Sun Microsystems; Tom Parenty of Sybase, and Steve Walker of Trusted Information Systems (TIS). Using a live Internet demonstration, Gage demonstrated to the subcommittee the ease of downloading strong encryption programs from foreign sites. He pointed to the availability of programs such as IDEA, PGP, RSA, DES and Triple DES from computer systems in Finland, Croatia, Russia, Sweden, the Netherlands and Norway.

All the industry representatives except for Walker of TIS supported the SAFE bill. Walker said after the Clipper debacle, TIS sought to develop an alternative solution. "User key recovery systems are middle ground solutions," Walker contended. Walker trumpeted the administration's so-called liberalized encryption export control policy announced in October 1996. He also noted that the administration had granted TIS a licence to export key recovery systems to Royal Dutch Shell. He also opined that there had been much progress by the administration on encryption export policy since 1993 and 1994. Walker urged the subcommittee that Congress should only pass "minimalist" legislation protecting key recovery centres from liability for improperly used keys.

Voicing his opposition to SAFE, Walker said that it was unwise to abolish export controls and that SAFE, like earlier bills by former Representative Maria Cantwell and Senator Patty Murray, would go down to defeat. Goodlatte, clearly irritated at Walker's statement, interrupted, "Mr Walker. You supported the Cantwell bill." Walker replied, "Yes." Goodlatte responded, "This bill does the same thing - it does not abolish export controls ... it says there will be no controls on what you can get overseas." Goodlatte then asked Walker, "What changed your mind?" Walker did not answer and proceeded to explain why PGP was a bad choice for encryption because it was "not integrated into products available today". Goodlatte pressed Walker to answer his earlier question. "Why have you changed your position?" Walker finally answered by saying, "I've tried to find a middle ground - between hard liners and the others." Further responding to Walker's statement that SAFE was doomed to failure, Goodlatte stated, "There are 24 members of the House Judiciary Committee who are co-sponsors of this bill - they are all pro-law enforcement."

Goodlatte may not have been aware of NSA's history of lobbying Congress for and against legislation, something that it is legally prohibited from doing with appropriated funds. NSA used private corporations to lobby against passage of the Computer Security Act in 1986. Those corporations happened to be some of NSA's largest contractors. TIS is also a contractor to the NSA. It counts numerous ex-NSA staff among its employees and receives a relatively large amount of NSA funding.

In a related matter, one of the original co-sponsors of SAFE, Representative Gerald Solomon of New York, withdrew his sponsorship and sent a "Dear Colleague" letter to his fellow representatives in which he cited the bill's deleterious effect on national security and law enforcement. One former senior government official confided that "it sounds like Solomon got the NSA treatment". When asked to elaborate, he said, "They gave him the classified national security pitch to scare the hell out of him." Although it worked in Solomon's case, Goodlatte picked up another seven co-sponsors after the "Dear Colleague" letter was sent. One aide to Goodlatte said, "We can only hope Solomon sends another letter!"
