CRYPTOGRAPHY

Encryption Issues


PRESERVING AMERICA'S PRIVACY
AND SECURITY IN THE NEXT CENTURY:

A STRATEGY FOR AMERICA IN CYBERSPACE

 

A REPORT TO
THE PRESIDENT OF THE UNITED STATES

16 September 1999

 

William Cohen, Secretary of Defense
Janet Reno, Attorney General
Jacob J. Lew, Director of the Office of Management and Budget
William Daley, Secretary of Commerce

1. A TIME OF PIVOTAL CHANGE

 

American history has been punctuated by periods in which the Nation had to respond to sweeping social, economic and technological developments. In the best of times, people working together in government and industry became the engine of progress that shaped the character of the time and facilitated new prosperity and opportunity for Americans. Three examples illustrate this point.

Opening the Heartland And Expanding the Frontier.

Beginning with the Louisiana Purchase in 1803, the government initiated a remarkably successful policy to open up a vast new area. Over the next five decades, the United States doubled the size of its territory. Under the government's plan, land grants were given to railroads to open the Midwest and in turn to create a future market for rail services. Land was awarded to homesteaders, and yet other parcels were reserved as income sources for institutions of higher education.

The technological advance of the railroad was the engine pulling this growth. From the 1820s to 1900, American railroads added an average of more than 2,000 miles of track each year. By the close of the 19th century, the combination of these factors had served to triple the size of our nation. The Administration and the Congress, working together and in concert with technology advances, created an infrastructure for a new society.

Industrialization and the Great Depression Produce a New Society.

Around the turn of the century, the country was firmly in the Industrial Age. Technical innovations in automation and machinery spurred the growth of factories, assembly lines and mass production in our nation's cities. The Ford assembly line for the Model T and the Wright brother's flight catapulted us into a mobile society and drove further technological innovations. Telephones became more commonplace and the nation began to shrink as news and information traveled faster. As a nation, we created new opportunities in industries never heard of, and created a new class of wealth, based on opportunity and innovation, not birthright. The economy moved from an agrarian society to an industrial society.

But the growth and prosperity experienced by many halted when the Great Depression gripped the country. In response, the government developed a series of creative policies and programs that brought government and business to the common task of restoring productivity to America. While there were a number of social programs, government support for technology was key to driving development. For example, the government took a pivotal role in expanding the electrical grids that would become the backbone of our national infrastructure, first with the creation of the Tennessee Valley Authority in 1933 and two years later with the creation of the Rural Electrification Administration. Electrical technology, in the ensuing years, radically altered the capabilities of America's rural farms and industry. Just as important, it created a transmission belt that further disseminated the ideas and technology being generated in the nation's cities.

A World War Produces a Global Community and the American Century.

In a third case, World War II shattered the international political system at the same time that it brought an end to 19th century colonialism. The creation of the World Bank, the International Monetary Fund, and the rules for a global trading system became the cornerstones of the emerging global economy.

The urgent need for increased production and the burst of scientific funding associated with the war effort - sustained by a continuing Federal commitment to new science and technology in the following years - vaulted the United States into the age of electronics and computers - the beginning of the Information Age.

Advances in telecommunications, such as broad-band carrier systems and switching devices, combined with innovations in the computer industry to give individuals more power than ever to process large amounts of information and transmit that information at ever-greater speeds. Further, this country's goal to reach the moon by the end of the 1960s fueled development of advanced electronics, increased computing power and communications capabilities. At the same time, technological leaps in computer memory and data storage enabled the centralized use (and, unfortunately, misuse) of information to examine or profile individuals, consumers, and groups. As these issues emerged, our legal system responded. Looking back, the "Information Economy" that Americans recognize today could be seen emerging as early as the late 1940s.

Each of these examples was a pivotal episode in American history in which complex social, economic, and technological forces came together. Facing the challenges of the day, America's governmental, societal and technical leaders crafted a new vision of the future, and in the process became pioneers on a new frontier of opportunity and promise.

America now faces a new time of pivotal change, enormous opportunity, and promise. This time, technology itself presents both an opportunity and a threat to global society increasingly dependent on, and connected by, advanced computing and communications. Continuing a balanced strategy that advances our national interests is the challenge of our day.

2. CYBER AMERICA: GREAT PROMISE & SERIOUS RISKS

America now stands on the brink of revolution fueled by machines - computers - and networks of computers that facilitate the instant exchange of and access to ideas and information. The computer has and will continue to revolutionize virtually all aspects of American society, just as electricity, the power grid and the railroad changed our forefathers' society.

The Computer as an Economic Engine.

It is well-known that the computer, and its application in business, commerce, education and recreation has transformed the American economy. America is becoming a country of "knowledge workers," with the ubiquitous application of computer technology at its core. America's productivity today is grounded in computer applications and networks. Bar codes speed us through shopping lines and simultaneously facilitate store manager record-keeping and reordering. Airline reservations can be booked from home computers. Everything from clothes to books to software can be purchased over the Internet. American companies are discarding their proprietary computer systems and using the Internet and the Web to increase productivity, network their entire chain of suppliers, and deliver "just-in-time" training to their employees. American students can conduct original research with colleagues on machines around the world with but a few keystrokes. Travelers can monitor current weather conditions in another country. Scientists can "conference" electronically and transmit astounding volumes of information in seconds to colleagues on other continents.

As remarkable as today's innovations are, the years ahead hold even greater promise. Computers will become virtual partners in all aspects of our lives. Homes will be centrally wired to allow integrated alarms, electronics, appliances, telephones, and computers to simplify our lives. Education will become more adaptive to the routines of individual students, and banking, finance, and shopping will increasingly migrate to the home and portable computing devices.

And in this process and through networking, computers have created the well-known "cyberspace" that eliminates the traditional boundaries of time and place and links governments, businesses, and individuals in the same electronic environment.

The Dangers of Cyberspace.

Like any new tool in previous eras, computers can be used by those who prey on the innocent. International narcotics traffickers now routinely communicate with each other via computer messages. Hostile governments and even some trans-national organizations are establishing cyber-warfare efforts, assigned the mission of crippling America's domestic infrastructure through computer attacks. Hackers destroy cyber-property by defacing home pages and maliciously manipulating private information. Pedophiles stalk unsuspecting children in computer chat rooms. Individuals post home pages with instructions to manufacture pipe bombs, chemical weapons, and even biological agents. Crooks break into business computers, either stealing funds directly or extorting payments from companies anxious to avoid more expensive disruption. Disgruntled employees, with valid access to their companies' system, can take steps to disrupt the business operations or steal proprietary, sensitive, and financial information. And our personal data is at risk of being unlawfully accessed and read by malicious individuals, without our knowledge, as it resides on or traverses communications and computer networks.

These concerns are not hypothetical. We have seen these types of activities, and other equally dangerous activity, in past and ongoing cases. The danger posed by evil individuals using these powerful new tools grows by the day. Just as other technologies have the risk of being abused, it is necessary for us to evaluate how to respond. Without protective action, we will not be safe. America must take responsible steps to ensure that this promising electronic environment is safe for law-abiding citizens and businesses.

3. BALANCING AMERICA'S BEDROCK VALUES

While these problems seem unprecedented, in fact they represent a return to the bedrock problems faced by America's constitutional founders. American democracy became and remains a new experiment in government - balancing the rights of individuals against the imperatives of society and limiting the reach of government into personal, private lives, while mandating a government responsibility for public safety and security for all citizens.

Computers are now at the center of competing American values. In honest, law abiding citizens' hands, the computer becomes an indispensable tool for education, personal and commercial business, research and development, and communications. In criminal hands, the same computer becomes a tool of destruction and criminality.

Enter Encryption.

Over the past decade, another information technology has emerged that amplifies this tension - encryption. Encryption includes special instructions that scramble a clear readable message in complex ways that make it unreadable. For the strongest forms of encryption, only the intended recipient can unscramble the message and read the original plain text, unless someone else has gained access to the corresponding decoding software and decryption key.

Originally only available and used by military agencies, strong encryption is now available to many and has become a building block for the new digital economy. It is essential to provide security and privacy for electronic commerce and e-business. Encryption is critical because it allows individuals, businesses, and other organizations to share information privately without it being unlawfully intercepted or accessed by a third party, to establish their identities, and to maintain the integrity of information. Without the use of encryption, it is difficult to establish the trust that people and firms need to do business with each other, or to have confidence to run their business electronically. With the use of encryption:

  • Individuals and consumers can securely conduct their finances and communicate with each other over the Web.
  • Firms can transmit their software, music, movies, reports and other forms of intellectual property over the Internet while minimizing the risks of widespread piracy.
  • Businesses can protect their company proprietary information over the Internet, with confidence that the information is secure from prying eyes.
  • Firms can develop products more rapidly, as teams of engineers around the world can collaborate on their designs in real-time over secure high-speed networks.

However, while the majority of users will use encryption for legitimate, lawful purposes, we must recognize that terrorists, pedophiles and drug gangs are increasingly using encryption to conceal their activities. Hence, encryption has posed a serious public policy challenge over the past decade.

The Federal Government has sought to maintain a balance between privacy and commercial interests on one hand and public safety and national security concerns on the other by limiting the export of strong encryption software. Preserving this balance has become increasingly difficult with the clear need for strong encryption for electronic commerce, growing sophistication of foreign encryption products and the proliferation of software vendors, and expanded distribution mechanisms. In the process, all parties have become less satisfied with the inevitable compromises that have had to be struck. U.S. companies believe their markets are increasingly threatened by foreign manufacturers in a global economy where businesses, consumers, and individuals demand that strong encryption be integrated into computer systems, networks, and applications. National security organizations worry that the uncontrolled export of encryption will result in diversion of powerful tools to end users of concern. Law enforcement organizations see criminals increasingly adopting tools that put them beyond the reach of lawful surveillance.

At the end of the century, these are the important national interests that must be reconciled. Determining a policy direction for encryption has become more complex, and more urgent, for all those affected. A strategic paradigm that better achieves balance is needed.

4. A NEW PARADIGM TO PROTECT PROSPERITY, PRIVACY, & SECURITY

To support America's prosperity and protect her security and safety, we propose a new paradigm to advance our national interests. The new paradigm should be comprised of three pillars - information security and privacy, a new framework for export controls, and updated tools for law enforcement. We discuss each in turn.

I. Information Security & Privacy.

As a nation, we have become increasingly dependent on computers and telecommunications. These new technologies create vast opportunities for personal expression and electronic commerce, while also creating new risks to public safety and national security. Computers and telecommunications rely on open protocols and ultra-accessibility, thus making individuals' and organizations' words and actions vulnerable to outsiders in new and potentially frightening ways. A first pillar of our new paradigm must be to promote information security and privacy - to assure the security and privacy of stored and transmitted data from unauthorized and unlawful access.

The President has recognized the challenge of updating privacy for new technologies: "We've been at this experiment in Government for 223 years now. We started with a Constitution that was rooted in certain basic values and written by some incredibly brilliant people who understood that times would change, and that definitions of fundamental things like liberty and privacy would change, and that circumstances would require people to rise to the challenges of each new era by applying old values in practical ways."

In updating enduring constitutional values for the computer age, we need to assure that our citizens' personal data and communications are appropriately protected. Businesses need to privately communicate with their employees and manufacturing partners without risk that their proprietary information will be compromised through unauthorized access. Encryption is one of the necessary tools that can be used in this technological environment to secure information. Therefore, we encourage the use of strong encryption by American citizens and businesses to protect their personal and commercial information from unauthorized and unlawful access.

We must also recognize the inherent security risks posed by the spread of and dependence on "open systems" and ready accessibility. The Defense Department's situation is typical. Twenty years ago the Defense Department operated largely proprietary communications systems over government owned switches and circuits. DOD technology was homebuilt and tightly controlled. Today, the U.S. DOD has more computer users than any other organization in the world - 2.1 million computers access over 10,000 networks on an average work day. Even so, 95 percent of DOD's communications occur over public circuits or with commercial software and hardware. The Defense Department's reliance on commercial products and services is repeated throughout the country by government agencies and the private sector.

If the Department of Defense is to function safely in cyberspace, it must use strong tools for encryption and identity authentication. It is not just military operations and data that must be protected. All government agencies and all business activities will increasingly need a full set of security tools to ensure access, privacy and absolute confidence in business operations that utilize computer technology.

We recognize that information technology is changing rapidly and constantly providing both new security capabilities and challenges and, hence, we will never reach a "perfect solution." Nevertheless, there are many efforts underway throughout the government to address the need for more secure systems. By adopting commercial approaches, where appropriate, and sponsoring R&D to fill needed capabilities, we believe the Federal government should, by example, lead the way for America to develop and use the tools and procedures for information security and privacy in the next century.

The Department of Defense, for example, has allocated over $500 million to develop a comprehensive security management infrastructure. This infrastructure will utilize a range of encryption products (with stronger products for more sensitive applications involving higher levels of classification), and a public key infrastructure (PKI) to identify and authenticate those who use our information networks. The Department is also adopting stronger standards for network configuration and operator qualification and certification, and is taking steps to better detect unauthorized intrusions into DOD networks.

The Federal government must continue to promote the development of stronger encryption technologies for federal use. The advanced encryption standard (AES) is in the final stages of a public selection process. Once promulgated, AES could become as ubiquitous as today's digital encryption standard (DES) which has contributed greatly to the growth of electronic commerce.

In the Federal government, the Department of Defense is a leading proponent of information security through its information assurance initiative, and other agencies are recognizing the need for increased diligence in maintaining adequate security of Federal information and systems. We encourage each agency to vigilantly build security enhancements into their business operations in risk-based and cost-effective ways that enable, not impede, the agency's ability to perform its mission.

Further, we believe that the Congress and Executive Branch should work together to promote both the awareness of information privacy and security and the development of appropriate tools and resources by the private sector, and to consider whether tangible incentives are appropriate. Given the rapid changes in technology, we advocate a technology neutral approach. This approach would have the public and private sectors working together to encourage development of a broad range of privacy and security products and processes and share promising practices with one another. We believe equally strongly that security infrastructures and the deployment of security products - should neither be mandated nor prohibited. Public and private organizations must determine their risks and be free to choose their own solutions.

The government's requirement to protect its own sensitive and privacy information is matched by individual's and the private sector's own interests in proper handling of sensitive information. Many in industry and elsewhere are already developing and using sophisticated security and privacy products and processes. Government should act as a facilitator and catalyst and help stimulate the development of commercial products that will help all Americans protect their sensitive information.

In sum, the first pillar of the new paradigm calls on the Federal government, the Congress and all others to partner in promoting ways to bring information security and privacy to the Information age. Working together, we can develop tools and procedures for safe operation in cyberspace, applying enduring constitutional values to our new circumstances.

II. Encryption Export Controls for the New Millennium.

At the dawn of the new millennium, technology is advancing at such a rapid pace that attempts to control its global spread under the existing export control regime need to be regularly reevaluated. Encryption will continue to enable new economic realities that must be considered in a balanced approach to export controls.

Encryption products and services are needed around the world to provide confidence and security for electronic commerce and business. With the growing demand for security, encryption products are increasingly sold on the commodity market, and encryption features are being embedded into everyday operating systems, spreadsheets, word processors, and cell phones. Encryption has become a vital component of the emerging global information infrastructure and digital economy. In this new economy, innovation and imagination are the engines, and it is economic achievement that underpins America's status in the world and provides the foundation of our national security. We recognize that U.S. information technology companies lead the world in product quality and innovation, and it is an integral part of the Administration's policy of balance to see that they retain their competitive edge in the international market place.

We as a nation must balance our desire and the need to assist industry with a prudent, objective and steady judgment about how to protect national security; a judgment that acknowledges that technological advantages may add new dimensions to an already complicated problem set. We must ensure that the advantages this technology affords us are not extended to those who wish us ill or who harbor criminal intent. This judgment must be informed by both foreign and domestic realities.

While the U.S. is a huge market for telecommunications goods and services, the other nations of the globe present markets much larger than our domestic demand. Our networks are inextricably bound to those of our allies and adversaries alike. Likewise, America's interests do not end at our borders. American diplomats, service men and women, as well as countless business people work and live around the globe. America's interests are served by the ability to send and receive proprietary, personal and classified information to exactly where it is needed around the world. Likewise, America's interests are served daily by shared actions with our allies, which require accurate and authentic information be exchanged. Our policy must acknowledge these vital interests.

But even as we do, it is imperative that we uphold international understandings, and strive with other nations to prevent the acquisition of encryption technology to sponsors of terrorism, international criminal syndicates or those attempting to increase the availability of weapons of mass destruction. We must also meet our responsibilities to support our national decision-makers and our military war fighters with intelligence information in time to make a difference.

Accordingly, the Administration has revised its approach to encryption export controls by emphasizing three simple principles that protect important national security interests: a meaningful technical review of encryption products in advance of sale, a streamlined post-export reporting system that provides us an understanding of where encryption is being exported but is aligned with industry's business and distribution models, and a license process that preserves the right of government to review and, if necessary, deny the sale of strong encryption products to foreign government and military organizations and to nations of concern. With these three principles in place, the Federal Government would remove almost all export restrictions on encryption products. This approach will provide a stable framework that also will allow U.S. industry to participate in constructing and securing the global networked environment. This approach also maintains reasonable national security safeguards by monitoring the availability of encryption products and limiting their use in appropriate situations.

The Administration intends to codify this new policy in export regulations by December 15, 1999, following consultations on details with affected industries and other private sector organizations.

However, with this new framework for export controls, the national security organizations will need to develop new technical tools and capabilities to deal with the rapid expansion of encrypted communications in support of its mission responsibilities. The Congress will need to support such new tools and technical capabilities through necessary appropriations.

III. Updated tools for Law Enforcement.

Because of the need for and use of strong encryption globally, governments need to develop new tools to deal with the rapid expansion of encrypted communications. Updated tools for law enforcement that specifically address the challenges of encryption constitute the third pillar of the new strategy. We cannot ignore the fact that encryption will be used in harmful ways - by child pornographers seeking to hide pictures of exploited children, or commercial spies stealing trade secrets from American corporations, or terrorists communicating plans to destroy property and kill innocent civilians. Even more significant, because cyberspace knows no boundaries and because it is not immediately clear if a cyber-attack involves Americans or foreigners, America's national security will increasingly depend on strong and capable law enforcement organizations. This is because the United States military and intelligence agencies have long been restricted by law from undertaking operations inside the United States against American citizens. Accordingly, America's national defense is now increasingly reliant on ensuring that our law enforcement community is capable of protecting America in cyberspace.

Under existing law and judicial supervision, law enforcement agents are provided with a variety of legal tools to collect evidence of illegal activity. With appropriate court orders, law enforcement may conduct electronic surveillance or search for and seize evidence. In an encrypted world, law enforcement may obtain the legal authority to access a suspect's communications or data, but the communications or data are rendered worthless, because they cannot be understood and cannot be decoded by law enforcement in a timely manner. Stopping a terrorist attack or seeking to recover a kidnapped child may require timely access to plaintext, and such access may be defeated by encryption. Hence, law enforcement's legal tools should be updated, consistent with constitutional principles, so that when law enforcement obtains legal authority to access a suspect's data or communications, law enforcement will also be able to read it.

Quite simply, even in a world of ubiquitous encryption, law enforcement with court approval must be able to obtain plaintext so that it can protect public safety and national security. Therefore, we must undertake several important and balanced initiatives.

First, we need to ensure that law enforcement maintains its ability to access decryption information stored with third parties, but only pursuant to rules that ensure appropriate privacy protections are in place. To ensure this result, the Administration and the Congress must develop legislation to create a legal framework that enhances privacy over current law and permits decryption information to be safely stored with third parties (by prohibiting, for example, third party disclosure of decryption information), but allows for law enforcement access when permitted by court order or some other appropriate legal authority.

Second, since criminals will not always store keys with third party recovery agents, we must ensure that law enforcement has the personnel, equipment, and tools necessary to investigate crime in an encrypted world. This requires that the Congress fund the Technical Support Center as proposed by the Administration, and work with the Administration to ensure that the confidentiality of the sources and methods developed by the Technical Support Center can be maintained.

Third, it is well recognized that industry is designing, deploying and maintaining the information infrastructure, as well as providing encryption products for general use. Industry has always expressed support, both in word and in action, for law enforcement, and has itself worked hard to ensure the safety of the public. Clearly, industry must continue to do so, and firms must be in a position to share proprietary information with government without fear of that information's disclosure or that they will be subject to liability. Therefore, the law must provide protection for industry and its trade secrets as it works with law enforcement to support public safety and national security. The law must also assure that sensitive investigative techniques remain useful in current and future investigations by protecting them from unnecessary disclosure in litigation. These protections must be consistent with fully protecting defendants' rights to a fair trial under the Constitution's Due Process clause and the Sixth Amendment.

The Administration and the Congress need to work jointly to pass legislation that provides these updated authorities. The Administration is in the final stages of drafting legislation and will shortly submit it to the Congress for consideration.

It is imperative to emphasize that the malicious use of encryption is not just a law enforcement issue - it is also a national security issue. The new framework for export controls must be complemented by providing updated, but limited, authorities to law enforcement.

5. CONCLUSION

America stands on the pivot point of a crucial time in its ongoing development, and we face once again the ongoing debate in this country between individuals' rights and the collective needs of society. The genius of our Constitution is in the balanced way it addressed that debate and in the procedures it created for continuing that discussion as the society and the economy evolved. For our own part, we enter that debate determined to preserve that same balance of the rights and responsibilities that has characterized our country through its history, but we are equally determined not to be thoughtlessly bound to old approaches and old technologies. Our challenge is to adapt our historical approach to the technological challenges we face. We believe the new paradigm described above achieves that objective.

We can now see a future with great promise and - and serious consequences - posed by the same technical developments. How well we handle these important challenges will shape the next century. It is far better that we approach these problems from a cooperative perspective. The past years of confrontation must be replaced by an era of collaboration. For only by working together, which is the rich history of this nation, can we ensure our economic viability and protect ourselves from those who would do us harm.


Return to Encryption Issues