testimony by Steve Walker on Export controls

[David Farber <farber () linc cis upenn edu>]

                                 TESTIMONY


                                    BY


                             STEPHEN T. WALKER
                                 PRESIDENT
                     TRUSTED INFORMATION SYSTEMS, INC.


                                    FOR


          SUBCOMMITTEE ON ECONOMIC POLICY, TRADE AND ENVIRONMENT
                       COMMITTEE ON FOREIGN AFFAIRS
                       U.S. HOUSE OF REPRESENTATIVES


                             OCTOBER 12, 1993








Good Afternoon.  I am pleased to testify today about the negative
impact that U.S. export control regulations on cryptography are
having on one of the few industries where the U.S. remains
dominant worldwide:  the information system software industry. 
The major points of my testimony are that U.S. export controls do
not prevent the international availability of good quality
cryptography but do penalize the U.S. software industry and U.S.
business in general.


My name is Stephen T. Walker.  I am the founder and President of
Trusted Information Systems (TIS), Inc., a ten year old firm with
85 employees.  With offices in Glenwood, MD; Los Angeles, CA;
Mountain View, CA; Minneapolis, MN; and London, UK, TIS
specializes in research, product development, and consulting in
the fields of computer and communications security.  I am also
here representing the Software Publishers Association (SPA) and
its members on this most important topic.


The SPA is the principal trade association of the personal
computer software industry.  Since 1984, it has grown to over
1,000 members, representing the leading publishers in the
business, consumer, and education software markets.


My background includes twenty-two years as an employee of the
Department of Defense, with the National Security Agency (NSA),
the Defense Advanced Research Projects Agency, and the Office of
the Secretary of Defense.  During my final three years in
Government, I was the Director of Information Systems for the
Assistant Secretary of Defense for Communications, Command,
Control, and Intelligence (C3I).


In 1983, I left Government service and began my own consulting
firm, specializing in the area of information systems security. 
My company has experienced steady growth and now offers a variety
of products with improved information security for military and
civilian applications in addition to our continuing consulting
activities.  Several of these products are adversely affected by
U.S. Government export controls, as are the products of many SPA
members.


For the past two years, I have been a member of the Computer
System Security and Privacy Advisory Board (CSSPAB), chartered by
Congress in the Computer Security Act of 1987 to advise the
Executive and Legislative Branches on matters of national concern
in computer security.  In March 1992, the Board first called for
a national review of the balance between the interests of law
enforcement/national security and those of the public regarding
use of cryptography in the United States.  The Board has been
heavily involved in this review, receiving public input on the
Administration's Clipper Initiative, announced by the President
on April 16 of this year.  Participation in the Board's review
has been highly beneficial in helping me form my opinions in this
area.






OVERVIEW


The focus of attention at today's hearing is the negative impact
that U.S. export controls on cryptography are having on the U.S.
computer industry.  In May 1992, I testified before the House
Judiciary Committee, Subcommittee on Economic and Commercial Law
hearings, on the impact of U.S. export laws on our industry's
ability to protect itself from foreign industrial espionage.  I
also participated in similar hearings in July 1991 and June 1990
in which this topic was of major importance.  The export control
subject continues to arise in different contexts, but the
difficult problems lurking behind it are always the same.


The stakes for the software industry are high.  The U.S. holds
75% of the global market for packaged software.  Most software
companies make 35-40% of their revenue from exports; for some
companies exports are as much as 50% of their business.  When
demand for cryptographic products is increasing, export
restrictions essentially place an "earnings cap" on U.S. software
publishers.
 
A National Dilemma


The basic issue is a dilemma of truly national proportions
between the long standing and vital interests of our Government
to learn as much as it can about its adversaries--be they
criminals, terrorists, or other governments--on the one hand, and
the basic right to privacy that all Americans assume they have
and are seeking to extend to their personal and business
communications, whether by telephone, electronic mail, or other
forms of computer communications.


The resolution of this dilemma will have enormous impact on our
country for decades to come.  The Government's national security
interests contend that if good quality cryptography were to
become widely available in this country and the world, our
ability to wiretap criminals and listen in to terrorists and
other adversaries would be severely hurt.  Those seeking improved
privacy protection argue that encryption is needed to support
worldwide business operations and good quality cryptography is
already available worldwide.  Continuing U.S. Government
restrictions are only penalizing U.S. users with inferior U.S.-
developed security products and limiting U.S. industry from
participating in a rapidly growing international marketplace.


Technology Has Shifted


The core of the issue is a shift in technology over the past
twenty years that has fundamentally altered both business
communications needs and an advantage that law enforcement and
national security interests have enjoyed since the earliest days
of electronic communications.  Before radio and telephone
communications, governments had to resort to intercepting mail
and notes carried by spies to learn their adversaries' plans. 
When electronic communications became prevalent, governments
found they could intercept those communications relatively easily
with very useful results.  When encryption was applied to these
communications, it became more difficult to make sense of them,
but that turned into a test of wits among the mathematicians of
various countries.  Some were more successful than others.


During the time up to the 1980s, this behind-the-scenes struggle
was waged among governments with little if any effect on
individuals or business communities.  But technology shifts
beginning in the early 1980s and accelerating at breathtaking
rates today resulted in vast computer communications and security
capabilities for industrial and personal use worldwide and at the
same time have made it much harder for law enforcement and
national security interests to continue their interception roles. 




As we struggle to understand the complex issues confronting us in
this dilemma, we must recognize that even if U.S. commercial and
private interests were willing to forgo their right to private
communications and U.S. computer manufacturers were willing to
drop out of the international market for information products
employing good quality security protection, the ability of the
Government to decrypt the communications of its adversaries will
continue to diminish at ever increasing rates over the
foreseeable future, no matter what measures, such as employing
key escrow techniques or outlawing cryptography, our Government
may choose to take.


The technology shifts we are seeing here have interesting
parallels to those in the field of radar.  Since the beginning of
World War II, radar has played an essential role in defending
against attacks from the air.  But recent technology shifts have
produced stealth capabilities that for now, at least, effectively
defeat radar.  We will soon face an equivalent dilemma as stealth
measures become widely available:  how to prevent drug dealers,
terrorists, and other adversaries from using them to enter our
country undetected.  We could require that all aircraft have some
form of reflector that will guarantee that the Government can
detect them whenever it has the need, but it is unlikely that
those who wish to enter our airspace undetected will comply with
such requirements.


We must recognize that those who wish to protect their
communications from eavesdroppers will increasingly be able to do
so.  We must be careful not to continue to insist on misguided
measures to try to retain decryption capability that will
inevitably be eroded by technology, no matter how important we
feel that capability may be.


The Congress Must Act Now!


The principal vehicle that the Government's law enforcement and
national security interests have used to maintain the balance on
their side of this dilemma over the years has been the imposition
of strict export control measures on all cryptographic products
leaving this country.  In light of the ongoing and inevitable
technological shift toward better protection mechanisms and
increasing business communications needs, a review of this policy
is urgently needed.  Such a review must be conducted by someone
willing to understand the needs of both sides of the issue. 
Based on our experiences to date, I am convinced that the U.S.
Congress is the only organization with the authority and balanced
perspective to tackle such a tough issue.  I hope that these
hearings will be the beginning of a true national debate of this
most vital issue.
 
I would like to begin my testimony with a review of how these
export controls came into place and why they made good sense in
an earlier time but not necessarily now.  I will then discuss the
widespread and rapidly growing foreign availability of
cryptographic products that is making this technological shift so
hard for our intelligence capabilities.   Following this, I will
review the highly negative effect that U.S. export controls are
having on U.S. industries and the average U.S. citizen.






WHY DO WE HAVE EXPORT CONTROLS ON CRYPTOGRAPHY?


The method that governments have used for most of this century to
protect the privacy of their electronic communications and that
has gradually become available to individuals throughout the
world is called cryptography:  the scrambling of data prior to
transmission (encryption) and unscrambling upon receipt
(decryption).  


As governments came to rely upon cryptography to protect their
vital communications, groups of highly skilled mathematicians
were assembled by the same governments to attempt to break the
encrypted communications of their adversaries.


In David Kahn's 1973 book, The Codebreakers, he states:


     Codebreaking is the most important form of secret
     intelligence in the world today.  It produces much more and
     much more trustworthy information than spies, and this
     intelligence exerts great influence upon the policies of
     governments.


Few would argue that this statement remains just as true today as
when it was written.


Export Controls Were Essential Initially


All modern governments face the difficult competing tasks of
having good enough encryption capabilities to protect their own
communications while trying to defeat the encryption capabilities
of their adversaries.  As encryption hardware devices became
readily available, governments had to control where these devices
went in order to limit the availability of good cryptography to
hostile adversaries.  Export control on encryption devices became
an integral part of the Department of State munitions control
process, where it remains today.


With the advent of computers, the ability to perform encryption
functions using software programs rather than hardware made
encryption more readily available and its export control more
difficult.  In the 1970s, efforts to improve the protection of
domestic sensitive information led to publication of encryption
algorithms such as the Federal Information Processing Standard
(FIPS) Data Encryption Standard (DES) algorithm, which, while
intended to be implemented only in hardware, quickly became
available throughout the world in software.  


Personal computers gave individual users direct access to the
vast power of the computer and led to a revolution in how
businesses operate.  Now highly sensitive corporate plans and
financial information flow freely over the phone lines among
clusters of computers, and users are demanding improved security
for their sensitive information from their software suppliers.


The natural result of this evolution is the need to include good
quality encryption capabilities within modern software products
for sale to multinational corporations worldwide.  However,
governments still want to control where encryption devices go in
order to limit the availability of good quality encryption to
hostile adversaries.


But Times Have Changed


So a problem that twenty years ago only affected governments and
that led to the harsh export control restrictions presently in
place on encryption now threatens the ability of U.S. citizens
and businesses to protect their own sensitive information and the
ability of the U.S. software industry to market the products that
its multinational customers are demanding.  This is truly a
dilemma of national proportions that cannot be left solely in the
hands of the national security interests to resolve.


Few would argue that the Government should not continue listening
to the communications of its adversaries.  But now that we have a
worldwide economy with massive amounts of sensitive information
flowing in all directions at all times, few are willing to give
up the ability to provide reasonable protection to their own
information in order to help the Government eavesdrop.


"Listening In" Will Keep Getting Harder


Even if we could forgo our personal and business privacy needs
for the sake of the national security interests, the continuous
evolution of technology has already made it harder to listen in
to those who do not want to be heard than it was even a year ago. 
And that evolution will continue to make it even harder next year
and in every year that follows.


The same technologies that have brought about the personal
computer revolution are making good quality cryptography
available worldwide, and those people, businesses, and
governments that choose to protect their communications can now
do so quite effectively and at reasonable cost.  The task of
listening in to others is becoming more and more difficult every
day in spite of extensive export controls.


The widespread availability of encryption products worldwide will
make it ever harder to decrypt the communications of adversaries
who do not want to be heard, with or without excessive export
control measures.


It is important to note that whether the U.S. Government drops
export controls altogether on encryption products or attempts to
impose absolute restrictions even on domestic use of encryption,
the task of law enforcement and the national security community
to listen in to our adversaries is going to get progressively
harder day by day.


Now Export Controls Are Harmful to the Nation


Export controls served a useful purpose following World War II
and up to the early 1980s.  They protected the Government's
interests and did not interfere with the interests of private
citizens and commerce.  Since cryptography has become an
important tool for protecting the sensitive information of
everyone, not just governments, and since the technology to
implement good quality cryptography has now become readily
available worldwide, export controls on good quality cryptography
are no longer needed and are highly detrimental to the interests
of the nation.






HOW WIDESPREAD IS CRYPTOGRAPHY WORLDWIDE?


Since the publication of the Data Encryption Standard as a U.S.
Federal Information Processing Standard in 1977, cryptography has
shifted from the exclusive domain of governments to that of
individuals and businesses.  DES in both hardware and software
implementations is the de facto international standard against
which all other algorithms are measured.


DES must be recertified as a FIPS every five years.  In 1982, it
was recertified without controversy.  In 1987-1988, NSA
recommended against recertification except for specialized use
such as banking, but the recertification proceeded.  This year
the recertification is before the Secretary of Commerce awaiting
approval.  If approved, software implementations of DES will be
allowed for the first time.


DES was adopted by the U.S. and international banking community
shortly after its publication as a FIPS.  The banking community
fought for and obtained the right to export DES for financial
uses, primarily integrity checks but also for banking
confidentiality uses, and the right to generate their own keying
material (the random numbers that initialize the
encryption/decryption processes) without relying on any other
Government agency.


In the mid 1980s, DES was proposed as an international standard
by the International Standards Organization (ISO) as Data
Encryption Algorithm-1 (DEA-1).  Final approval was not made
because of an appeal by the U.S. suggesting that the ISO should
not approve any specific algorithms but leave that decision to
individual nations.


The availability of DES and the controversy that arose as soon as
it was published concerning whether it had weaknesses that NSA
could exploit fostered the highly fruitful academic research into
public key cryptography in the late 1970s.  Public key algorithms
have the major advantage that the sender does not need to have
established a previous secret key with the recipient for