1997-07-31 - excerpt from William P. Crowell

Header Data

From: “John W. Noerenberg” <jwn2@qualcomm.com>
To: cypherpunks@ssz.com
Message Hash: 7594deed2e5a48bf6c4085461e5c060d7f2c658ab0a82b5f87e64b436c40529b
Message ID: <v04000d12b006c4406797@[129.46.137.118]>
Reply To: N/A
UTC Datetime: 1997-07-31 23:47:15 UTC
Raw Date: Fri, 1 Aug 1997 07:47:15 +0800

Raw message

From: "John W. Noerenberg" <jwn2@qualcomm.com>
Date: Fri, 1 Aug 1997 07:47:15 +0800
To: cypherpunks@ssz.com
Subject: excerpt from William P. Crowell
Message-ID: <v04000d12b006c4406797@[129.46.137.118]>
MIME-Version: 1.0
Content-Type: text/plain



Excerpt from prepared testimony of William P. Crowell, deputy director,
National Security Agency before the House National Security Committee
Wednesday, July 29, 1997:

[Intro elided]

Goodlatte Bill and National Security

Before I go into the details of what the nation needs in a balanced
encryption policy - a policy that gets strong encryption to be used widely
while at the same time protects the nation's public safety and national
security - it is important to understand that the Goodlatte bill would
directly threaten national security.

First, the Goodlatte bill would impact our foreign intelligence mission.
The analysis of foreign communications has, literally, helped shorten
global wars and averted regional ones. The export control process is very
important since it gives us valuable insights into what is being exported,
to whom, and for what purpose.

Second, the Goodlatte bill would undermine international efforts to catch
terrorists, spies, and drug traffickers. Quite simply, such efforts save
American lives and protect our free society. Secretary of Defense Cohen and
Attorney General Reno sent letters to you last week that very clearly state
their support for encryption policies that account for these national
security and public safety interests. Not only would the Goodlatte bill
jeopardize national security, it would do very little to achieve the goal
of getting strong encryption used widely. For these reasons, it is
important to understand some of the technical aspects of encryption so we
can develop balanced policy solutions that are technically sound.

[crypto 101 elided]

 The Administration's Approach To Encryption Policy

  Reform Is Very Different From Earlier Key Escrow Initiatives

Some have argued that the Administration's recent policy initiative is the
same as previous key escrow initiatives. Their argument is disingenuous and
incorrect. The KMI initiative is about creating an environment in which
commercial encryption can flourish. Just as significant, the
Administration's proposal differs significantly from previous key escrow
initiatives because:

  -- It eliminates the focus on bit lengths;
  -- The government doesn't hold the keys;
  -- A separate key escrow infrastructure is not required;
  -- Keys can be held overseas;
  -- It doesn't prescribe algorithms or limit them to hardware; and,
  -- Users' data recovery needs can be met.

With these impediments addressed, industry and government can work to
develop encryption products that will win acceptance in foreign markets and
establish infrastructure services to support those products. Several major
companies recognize these profound changes and have formed business
ventures to thrive within the new climate. In October 1996 IBM formed the
Key Recovery Alliance and that alliance has already grown to over 50
domestic and international companies. Alliance members include Apple,
Mitsubishi, Boeing, DEC, Hewlett Packard, Motorola, Novell, SUN, America
Online, Unisys, and RSA.

Despite Being Available, Encryption is Not Being Widely Used

Most measurements of encryption are inadequate (incomplete or inconclusive)
since they do not show how many people are using encryption. Encryption can
be measured in a number of ways. Depending on how it is measured, one could
misconstrue the data to conclude that "the encryption genie is out of the
bottle" or that the bottle is tightly plugged.

The fact of the matter is that encryption is widely available (e.g.,
embedded in tens of millions of commercial software products) but, based on
our impressions from market surveys, etc., is not widely used. Those who
argue that government encryption policies are outdated because "the
encryption genie is out of the bottle" (i.e., there are many products
advertised to contain encryption and some of them are available from the
Internet) must consider two important perspectives.

First, encryption is not now being, and will not be, used to its fullest
potential (with confidence by 100s of millions of people) until there is an
infrastructure in place to support it. Encryption is not a genie that will
magically solve the security problem. Nor is the Administration trying to
'keep the plug in the bottle'. The Administration wants to help promote a
full range of trusted security services providing privacy, authentication,
and data integrity while simultaneously fulfilling public safety and
national security responsibilities for our government, and governments
worldwide.

Second, serious users of security products don't use free security products
from the Internet. The president of a prominent Internet security
corporation was recently asked in a magazine article on this issue: "Since
encryption technology is available as freeware off the Internet, why would
anyone pay a company for it?" He responded by saying: "Freeware is worth
exactly what you pay for it. I'd rather not implement security systems
using software for which the source code is available to any 12-year-old
who thinks being a hacker is fun." In other words, when determining what
encryption you use to protect valuable business secrets, you should
consider who you're getting it from, how it got to you, and whether you'll
receive support when you need it.

U.S. Encryption Policies Are Addressing Concerns That The Rest
Of The World Is Also Facing

The U.S. is not the only nation which has concerns that encryption use by
criminals can threaten public safety. All countries that are major
producers of cryptography control its export. Some of those countries have
voiced their displeasure with the U.S. decision to export 56-bit
encryption. Though the U.S. does not have domestic restrictions, some
countries do through import controls of encryption and its domestic use.
Recently, France, Israel, and Russia imposed import and domestic use
restrictions, and several Asian, South American, and African countries have
informally done so for many years.

At this point, it would be over-generalizing to say that the world has
agreed to an approach on key recovery, but it is accurate to say that all
governments want authorized access to encrypted information. The U.S. is
not the only nation that recognizes the dual-edged nature of the encryption
tool.

Wrap Up

The Administration is basing its policies on the foundation that the need
for robust commercial encryption will grow and it has proposed policy
reforms to ensure that American companies and the public can flourish in
the future encryption market. The Administration's approach is not past
its time, it is just in time. The fundamental issue in play is how industry
will build key management infrastructures to support mass market products
with encryption. If infrastructures are built that support key recovery,
then the export control debate can be concluded. Otherwise, governments
worldwide are likely to resist the use of those products because of public
safety concerns. Though the Administration's proposed policies will have a
significant impact on NSA, I believe they are a reasonable response to a
complex, interdependent set of issues. I hope that the Administration can
continue to work with Congress and industry to reach a resolution of these
issues. Thank you for the opportunity to address this important matter.

####


john noerenberg
jwn2@qualcomm.com
pager: jwn2@pager.qualcomm.com
  --------------------------------------------------------------------
   "We need not to be left alone.  We need to be really
    bothered once in a while."
  -- Ray Bradbury, Fahrenheit 451, 1953
  --------------------------------------------------------------------






