SPECIAL WHITE HOUSE BRIEFING ENCRYPTION TECHNOLOGY - transcript

From rdom <rdom@thing.net>
Date Fri, 17 Sep 1999 07:11:43 -0700


[: hacktivism :]

Also David Sobel tells me EPIC has the text of the administration's new
crypto-bill on their web site:
  http://www.epic.org/crypto/legislation/cesa/


SPECIAL WHITE HOUSE BRIEFING
ENCRYPTION TECHNOLOGY

ATTORNEY GENERAL JANET RENO
SECRETARY OF COMMERCE WILLIAM DALEY
DEPUTY SECRETARY OF DEFENSE JOHN HAMRE
OMB CHIEF COUNSELOR FOR PRIVACY PETER SWIRE
PRESIDENT'S DEPUTY ASSISTANT FOR NATL SECURITY AFFAIRS JAMES STEINBERG
WHITE HOUSE
WASHINGTON, D.C.

MR. STEINBERG: Good afternoon. As you all know, we're here today to talk about encryption. I want to begin by acknowledging and thanking some of my colleagues who are with us today: the attorney general, Janet Reno; Secretary Daley; Deputy Secretary of Defense John Hamre; and Peter Swire, who is the chief counselor for privacy at OMB.
I also want to thank John Podesta, who has been my co-chair in working this interagency process over the last several years; Barbara McNamara, the deputy director of NSA, who has made an important contribution to the work that we're going to be discussing today; Bill Reinsch, undersecretary of Commerce; Sally Katzen, from OMB. And I want to pay a particular thanks to Charlotte Nepper (sp) and Bruce McConnell (sp), who are the two staff people who really made this all possible and have done an extraordinary amount of work on an extraordinarily difficult and technically complex subject.
We're here today to announce a series of actions that will bring new balance to the four pillars on which our encryption policy rests -- national security, public safety, privacy and commerce. For two years, John Podesta and I have chaired a high-level interagency process to fashion policies to achieve these goals. A year ago today, the vice president announced significant new steps we were taking to balance these competing tasks and called for a review of our policy in a year. Since then, we have worked closely with members of Congress from both parties, with industry groups, like the Computer Assistance Policy Project and Americans for Computer Privacy, with members of our law enforcement community and with our national security community.
We found that there is no "one size fits all" solution to the issue of encryption, that there are a variety of different solutions that respond to the different aspects of this challenge. By taking a pragmatic approach, we have crafted a new strategy that allows industry to compete effectively with foreign competitors while protecting our national defense, security and law enforcement interests.
This strategy is outlined in a report to the president authored by Secretary Cohen, Attorney General Reno, Secretary Daley and OMB Director Jack Lew. And a copy of that report we're releasing to you today.
There are three parts to the strategy that we are launching. First, the federal government is taking new steps to protect our vital national security systems from unauthorized access. We will be securing our own systems with encryption and other security tools, and we will be partnering with the private sector to develop more tools to protect our nation's communication infrastructure. In doing so, we hope to serve as a model for the private sector. In a moment, Deputy Secretary Hamre will describe this effort in more detail.
Second, we are launching a new framework for export controls that will allow American companies to export encryption hardware and software more broadly, while still protecting our vital national security needs. We will implement this new framework by December 15th, after we have had an opportunity to consult with U.S. industry, the public and Congress. Secretary Daley will discuss these changes in detail in a moment.
Finally, we are taking new steps to ensure the public safety by helping our law enforcement community stay one step ahead of the growing sophistication of encryption technology. Given the growing use of encryption among criminal elements, we must update law enforcement's legal tools to ensure that it can lawfully access information during investigations. Today we will be submitting new legislation to the Congress, called the Cyberspace Electronic Security Act, that will provide a legal framework for both privacy protections and legal access to encryption keys. The attorney general will describe our effort in this area in more detail.
Finally, we will hear from Peter Swire, who will speak more specifically about how all the steps we are taking today will address America's concerns for privacy.
Before I turn to my colleagues, let me say a word about the pending encryption decontrol legislation in Congress. We believe that the new strategy we are presenting today provides a more balanced approach to the issue than the proposals that are now before Congress. We look forward to working with Congress to implement a solution that meets the needs of all those involved. However, the president will not sign any encryption legislation that does not protect national security and law enforcement interests.
With that, let me turn to Deputy Secretary Hamre.
MR. HAMRE: Good afternoon. I had a little prepared speech to give, but I got thrown off here. I was just handed a wire clipping that basically says that the White House threw national security and law enforcement overboard in order to give a concession to the high-tech industry. And I've got to tell you, that's just completely wrong. The national security establishment -- the Department of Defense, the intelligence community -- strongly supports this strategy. Indeed, we created the first draft of the strategy and presented it to our colleagues in the interagency process. We in the Defense Department did it because I think we feel the problem more intensively than does anyone else in the United States. We are the largest-single entity that operates in cyberspace. No one is as large as we are. We are just as vulnerable in cyberspace as is anybody, and we strongly need the sorts of protections that come with strong encryption and a key infrastructure that we're calling for in this strategy.

We also have a responsibility to provide to the president and to senior decision-makers timely information, so that they can protect this country. And for that reason, we needed a very integrated approach. And these three pillars, which you have heard about -- we'll -- can answer any further questions -- are absolutely essential if we're going to be able to protect this country in the future. We strongly agree with this and think it's exactly the right thing to do.
This is a balanced program. But I've got to tell you, it's going to require significant investment on the part of the Department of Defense and the intelligence community to put all the pieces in place. We will have to develop new tools to be able to do our job. We will resource that appropriately in the budget that we've prepared, that will be submitted next January.
All three elements of this strategy are essential. And I may highlight -- it's very crucial -- that the law enforcement element of this is essential for national security. You cannot distinguish in cyberspace whether an attack comes inside the United States or from outside of the United States, and only the law enforcement community is allowed to act inside the United States. We must have that part of this strategy enacted, and we ask for help in doing that from the Congress.
I too would like to say that there are -- there continues to be pressure for legislation in the Congress that would strip away any controls over encryption products. One of the bills is called the SAFE (sp) Act. The only person who would be safe, if that were passed, would be spies, who would be free to export anything of national security interest, without any surveillance at all. We cannot support that, and the department would ask the president to veto it, if it were passed.
We strongly support this strategy. The entire establishment within the national security establishment was instrumental in crafting it. We would ask for -- the Congress for its help. And I'd also like to thank my colleagues who were so instrumental in helping us work through these problems, and for our colleagues that worked out the fine details when we went to finalize the strategy.
Q What's the push behind the loosening up, then?  I mean, what is --
MR.  : Helen, let's get everyone -- get everybody's opening statements, and then we'll take questions.
SEC. DALEY: We can all welcome today's update of our encryption policy. It is a good example of government process that has worked. The agencies involved, from national security, law enforcement, and commerce, all had a common objective: to provide the tools to keep our nation safe, while taking technological advances and market changes into account. This may have taken a little longer than some would have liked, but in our opinion this outcome is a sound one.
This new update continues to provide the balanced encryption policy that the president wants and is a policy that will continue to protect our national security while letting us take advantage of the substantial promise of electronic commerce.
In saying that, I want to be clear that the Commerce Department supports all three parts of this program -- the export control liberalization is balanced by the additional tools for law enforcement and additional resources being devoted to improving the privacy and security of government information systems.
Today's update continues the three fundamental principles of our policy -- one-time tactical review, post-export reporting, and the ability to deny exports to governments and military end-users.
First, the new regulations will permit any encryption product or software with a key length of 64 bits to be exported under a license exception to commercial firms and other non-government end-users in any country, except for the seven state supporters of terrorism. This means that exporters will be able to ship freely once Commerce has reviewed their products and classified them. We've decided that encryption exports which we previously allowed only for a company's internal use can now be used for external purposes such as communication with other firms, supply chains and customers. This step will be very helpful in building electronic commerce.
Additionally, telecommunication and Internet service providers will now be able to use any encryption commodity or software to provide services to commercial firms and nongovernment end-users.
Second, retail products with key lengths over 64 bits, those that do not require substantial support, are sold in tangible form, or have been specifically designed for individual customer use, may be exported under a license exception to all end-users, including governments, except in the seven state supporters of terrorism.
These regulatory changes basically open the entire commercial sector as a market for strong U.S. encryption products. Exports to governments can be approved under a license.
Third, the new regulations will also implement our international commitments for encryption controls. Last year, the Wassenaar arrangement -- 33 countries which have common controls on exports, including encryption -- made a number of changes to modernize the multilateral encryption controls.
Among these changes, the U.S. will decontrol exports of 56 bits DES and equivalent products, including tool kits and chips, to all users and destinations, except the seven state supporters of terrorism, after a technical review. In addition, exports with key lengths of 64 bits or less, including chips that fall under the Wassenaar arrangement's definition of mass market loss, will be decontrolled.
As I mentioned, post-export reporting is a fundamental part of our new export policy. Reporting will now be required for any export to a non-U.S. entity of any product above 64 bits. Reporting helps ensure compliance with our regulations and also allows us to reduce licensing requirements.

When we draft our regulations, we intend to consult with industry to ensure that the reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect. We hope to have the implementing regulations published in the Federal Register before December 15th. This approach will provide the framework for U.S. industry to construct a new global network for electronic commerce, while maintaining reasonable national security safeguards.
ATTY GEN. RENO: The president today is transmitting to the Congress a legislative proposal entitled, "The Cyberspace Electronic Security Act of 1999," better known as CESA. The Department of Justice developed this legislation with the assistance of numerous agencies within government.
The legislation would support the use of encryption by legitimate citizens to protect their privacy, and address the growing use of encryption by criminals using it to hide evidence. In brief, the advent and eventual widespread use of encryption poses significant challenges to law enforcement and to public safety.
Under existing law, investigators have a variety of legal tools to collect evidence of crime in such forms as communications or stored data on computers. These tools are rendered useless when encryption is used to scramble the evidence so that law enforcement cannot decode it in a timely manner, if at all. When stopping a terrorist attack or seeking to recover a kidnapped child, encountering encryption may mean the difference between success and catastrophic failures.
At the same time, encryption is critically important for protecting our privacy and our security. And the administration, the Department of Justice, and the FBI strongly support the use of encryption by our law-abiding citizens for these purposes.
CESA, therefore, balances the needs of privacy and public safety. It establishes significant new protections for the privacy of persons who use encryption legally, but it also assists law enforcement's efforts to maintain its current ability to obtain useable evidence as encryption becomes more common.
CESA contains a number of key provisions. First, it provides special protections for decryption keys stored with third-party recovery agents, and it establishes limitations on government use and disclosure of decryption keys obtained by court processes. These new provisions significantly protect privacy. However, CESA does not limit in any way an individual's choice about whether to use a recovery agent. A person may use a recovery agent or not, as he or she chooses.
CESA also authorizes appropriations for the Technical Support Center and the FBI, a center which will serve as a centralized technical force for federal, state and local law enforcement in responding to increasing use of encryption by criminals. Law enforcement throughout our nation will depend upon this center to find ways to obtain usable evidence under existing law, despite the use of encryption by criminals and terrorists.
Finally, CESA protects the confidentiality of government techniques used to obtain usable evidence, such as techniques developed by the Technical Support Center, and ensures that industry proprietary information can be protected in criminal trials. Open disclosure of law enforcement techniques, for example, can jeopardize future investigations and severely hamper law enforcement.
I believe that in adopting this policy, the administration has fundamentally altered the encryption debate. The administration is working towards a number of important goals, ensuring that American industry remains competitive, that our citizens have the strongest protection available for their data and their communications, and that law enforcement maintains its ability to protect public safety from criminals and terrorists.
Of course, we continue to be concerned that criminals and terrorists will benefit from the widespread use of strong encryption, which will allow them to cloak their communications and other evidence of illicit activities from authorized law enforcement investigations.
We must recognize that the policy the administration is announcing today will result in greater availability of encryption, which will mean that more terrorists and criminals will use encryption. We must deal responsibly with that result by attempting to assist law enforcement in its efforts to protect the public safety through the passage of CESA.
That said, this legislation does not provide any new authority for law enforcement to be able to obtain usable evidence from criminals. Instead, we will continue to operate under our existing authorities and attempt to meet the threat of the criminal use of encryption. We are hopeful that these existing authorities will prove sufficient.

In conclusion, we must have a balanced policy that reflects the needs of privacy, electronic commerce, national security and public safety. Today's announcement substantially relaxes export controls, allowing American industry to compete fairly in the international marketplace, while maintaining those minimal controls that are essential for national security. At the same time, by transmitting CESA to Congress and urging its enactment, the president is addressing the needs of public safety; thus, the administration is taking a substantial step, a very substantial step, to address the needs of all stakeholders.


MR. SWIRE: My name's Peter Swire. I'm the chief counselor for privacy at OMB. I'm here to underscore that today's announcement reflects the Clinton administration's full support for the use of encryption and other new technologies to provide privacy and security to law-abiding citizens in the digital age. The encryption measures announced today properly balance all of the competing interests, including privacy, electronic commerce, and public safety.
Encryption itself is a privacy- and security-enhancing technology. Especially for open networks, such as the Internet, encryption is needed to make sure that the intended recipients can read a message, but that hackers and other third parties cannot. Today's announcement will broaden the use of strong mass-market encryption for individuals and businesses.
In the part of today's announcement that updates the rules for law enforcement, the Cyberspace Electronic Security Act retains all of the existing legal protections for information in a home or business. It goes beyond current law and provides new privacy protections for individuals and businesses who choose to store key information with an outside company. Think of your bank ATM card. What would it be like if you forgot your password and could not obtain access to the money in your account? That is precisely what can happen with strong encryption. If you lose the password, then all that encrypted material is scrambled forever and lost.
Because encryption has become so unbreakable, prudent people need backups. Under CESA, if you decide to give your key or password to an outside company, then law enforcement has to meet strict new judicially supervised standards to get that information. With this proposed legislation, it would be a civil and criminal violation for the company to release the information improperly, and also a violation for law enforcement officers to try to get that information without a court order.
Similarly, for added security, and to prevent misuse of your private key information, if this proposal becomes law, there would be restrictions on selling information regarding encryption customers to other private parties.
With that said, I want to be clear about what CESA does not do. CESA is technology-neutral and does not regulate the hardware or software used for encryption. CESA does not require anyone to use key escrow, nor does it regulate how key escrow might develop in the private sector. The only effect of CESA on key escrow is to provide privacy assurances for those who freely choose to give their backups or their key information to others. Some information stored outside of your home deserves to be carefully protected.
In sum, the announcement today shows the commitment of the administration to real protection for privacy in the information age while balancing with the important other public interests we have all been discussing.

Q Ms. Reno, you said just a moment ago that you hoped that this legislation would give existing authorities -- that the existing authorities will be sufficient in getting access to the decryption keys. Seems to me there's a big space between "hope" and "will".
ATTY GEN. RENO: Based on our experience, our conversations with industry, with all concerned, we think the existing authorities will be sufficient, and we look forward to working with industry in that effort.
Q Mr. Hamre, you've testified on the Hill and others in the administration many times opposing the SAFE Act. At those times you laid out the exact scenario that the attorney general says will now come to pass. You said they were unspeakable dangers that should be avoided. Now this policy is called a balanced policy. What shifted in the last few months?
MR. HAMRE: Well, maybe you should go back and look at the testimony, because what was objectionable to us in the SAFE Act and in the PROTECT Act, these two bills, was that it stripped away the things that are essential for national security: a meaningful technical review of encryption products before they're exported and reporting about where they have gone and how they've been installed after the fact. That was essential if we're going to be able to protect the country, and that was stripped away by the PROTECT Act and the SAFE Act. So they're very different.
Q Will the policy include end user reporting for where a mass market product is sold?
MR. HAMRE: We're still in the final stages of working through the details. I can defer to Secretary Daley or to Undersecretary Reinsch to talk about the specifics. We will promulgate those regulations later here within weeks. And then you'll see it at that time. We are going to try very much to follow the industry norm for software, for example, between mass market and non-mass market products.

Q And what is the big push behind this? Is it the market? I mean is it these corporations have pressured -- put pressure on the administration?
MR. HAMRE: No, I -- when you raised the question earlier you talked about the big push for relaxation. We don't -- first of all, that's only taking --
Q It isn't relaxation?
MR. HAMRE: Actually, I don't think so. I think it's a very different approach to the export problem. The path that we were on before was a very complex path. There were certain countries that were allowed; certain countries weren't. Certain sectors were allowed; certain sectors weren't. Certain strength levels, and above one strength level it had a different set of rules than others. Certain trading partners were allowed, and certain trading partners weren't. It was enormously complex, and in that kind of environment lots of mistakes are made. And frankly, security risks abound in that sort of an environment.

We decided we needed to promote a very different approach with very, very simple rules that everyone could understand, that would give us a chance -- we're still going to have to do a lot of work, we in the national security establishment, to live in this kind of an environment. It's going to take a good deal of research. We'll have to develop new tools and techniques. This is part of the job. But we were going to have to do that anyway, and we think this is going to be a much better process for us. It's not a relaxation. It's really a very different approach.
Q Have you talked to Chairman Spence or Chairman Goss about this yet? And if so, what kind of reaction did you get from them?
MR. HAMRE: I have spoken with both Chairman Goss and Chairman Spence. Both of them were very strong in agreeing with us in our request to protect us from legislation that would have really stripped away any national security protection against strong encryption. Both of them support what we're doing. Both of them have very specific questions that we're going to need to answer. They, too, want to know a lot of the details that the rest of you are interested in. We believe that we will be able to demonstrate to them we can protect the country with this new framework.
But let me again emphasize, all three parts of this framework are essential. We must have a strong commitment to security products, security infrastructure. We need to buy that. We have to have a new regime for export control. And we also need to have stronger tools for law enforcement.
Q Where are the stronger tools? I mean, Ms. Reno was saying in her comments this legislation does not provide any new authority for law enforcement. We've got some extra funding. Where are the stronger tools?
ATTY GEN. RENO: The stronger tools lie in the technical support center, because what we're trying to do is not create a new authority; we're trying to match technology to the existing authority. And we think, after conversation with industry and the working relationship that we've developed with them, that through this technical support center, we will be able to do so.
Q Beyond the extra funding, is there anything specific you can point to in here that's --

ATTY GEN. RENO: One, for example, is the protection of methods used so that as we -- we will not have to reveal them in one matter and be prevented, therefore, from using them in the next matter that comes along.
Q Ms. Reno, would you describe this as a relaxing of restrictions? And if so, how can you possibly support it after having opposed it for all this time?
ATTY GEN. RENO: What we did approximately a year ago is to meet with industry. We talked to them in a very full and frank way. We said, together let's look at it. They sympathized with our law enforcement responsibilities. And they said, if we can work together, they suggested the concept of a technical support center; we can, I think, according to the people that were there, address the problem.

In the interim, we have had the opportunity to have those discussions, to expand on that dialogue, and I think we will be able to.
Q How closely was the vice president involved in this effort? Did he meet with you regularly, you know, receive drafts, that sort of thing?
ATTY GEN. RENO: I would have to let his office speak for it. But I can remember approximately two meetings with the vice president.
Q Why wouldn't you consider this a relaxing of restrictions on encryption?
ATTY GEN. RENO: No.
Q Mr. Daley, why the decision to maintain export licenses for government sales? Assuming that a lot of governments still own telecommunication companies and high-tech agencies.
SEC. DALEY: Well, we want to make sure that the foreign policy considerations are taken into impact as we move forward.
MR. HAMRE: Because we insisted on it.
SEC. DALEY: That was a simpler answer!  (Laughter.)
Q How does this comply with Wassenaar?
SEC. DALEY: Bill?
Bill, why don't you just come up here.
WILLIAM REINSCH (Undersecretary of Commerce for Export Administration): What the Wassenaar partners decided to do last December was set up certain rules that said in some cases encryption was decontrolled, and in other cases it had to be controlled via the national laws and systems of each of the individual partners. This action is consistent with that because we are decontrolling, that is removing from our system lower-level encryption, consistent with the Wassenaar levels, which are 56 or 54 bits, depending upon what you're talking about. Above that level, we are permitting the encryption to be exported following a technical review and subject to a license exception, which is a process that we use that's consistent with international licensing regimes and the Wassenaar standards.
Q So below (64 ?), you don't need a technical review?
MR. REINSCH: No, I didn't say that. Technical reviews are required, but it's a one-time technical review. When we reviewed the product once, we don't need to review it every time. And for the low-level products, which are primarily the older products, many of those reviews have already been conducted, and I don't think that we're necessarily going to have to do that all over again.
Q So what's the difference in a technical review between the higher encryption products and the lower? I guess I'm thinking --
MR. REINSCH: I don't think there's a difference in the review. I'm saying there's some cases where we've already done it. And this is a very fast-moving sector; there's, you know, new products every week. And we're going to have to review each of the products as they come up and as people want to export them.



