
Fw: Transcript of White House crypto-briefing this afternoon




-----Original Message-----
From: Declan McCullagh <declan@well.com>
To: politech@vorlon.mit.edu <politech@vorlon.mit.edu>
Date: Friday, 17 September 1999 01:48
Subject: FC: Transcript of White House crypto-briefing this afternoon


>Also David Sobel tells me EPIC has the text of the administration's new
>crypto-bill on their web site:
>  http://www.epic.org/crypto/legislation/cesa/
>
>
>SPECIAL WHITE HOUSE BRIEFING
>ENCRYPTION TECHNOLOGY
>
>ATTORNEY GENERAL JANET RENO
>SECRETARY OF COMMERCE WILLIAM DALEY
>DEPUTY SECRETARY OF DEFENSE JOHN HAMRE
>OMB CHIEF COUNSELOR FOR PRIVACY PETER SWIRE
>PRESIDENT'S DEPUTY ASSISTANT FOR NATL SECURITY AFFAIRS JAMES STEINBERG
>WHITE HOUSE
>WASHINGTON, D.C.
>
>MR. STEINBERG: Good afternoon.  As you all know, we're here today to talk about encryption.  I want to begin by acknowledging and thanking some of my colleagues who are with us today: the attorney general, Janet Reno; Secretary Daley; Deputy Secretary of Defense John Hamre; and Peter Swire, who is the chief counselor for privacy at OMB.
>I also want to thank John Podesta, who has been my co-chair in working this interagency process over the last several years; Barbara McNamara, the deputy director of NSA, who has made an important contribution to the work that we're going to be discussing today; Bill Reinsch, undersecretary of Commerce; Sally Katzen, from OMB.  And I want to pay a particular thanks to Charlotte Nepper (sp) and Bruce McConnell (sp), who are the two staff people who really made this all possible and have done an extraordinary amount of work on an extraordinarily difficult and technically complex subject.
>We're here today to announce a series of actions that will bring new balance to the four pillars on which our encryption policy rests -- national security, public safety, privacy and commerce.  For two years, John Podesta and I have chaired a high-level interagency process to fashion policies to achieve these goals.  A year ago today, the vice president announced significant new steps we were taking to balance these competing tasks and called for a review of our policy in a year.  Since then, we have worked closely with members of Congress from both parties, with industry groups, like the Computer Assistance Policy Project and Americans for Computer Privacy, with members of our law enforcement community and with our national security community.
>We found that there is no "one size fits all" solution to the issue of encryption, that there are a variety of different solutions that respond to the different aspects of this challenge.  By taking a pragmatic approach, we have crafted a new strategy that allows industry to compete effectively with foreign competitors while protecting our national defense, security and law enforcement interests.
>This strategy is outlined in a report to the president authored by Secretary Cohen, Attorney General Reno, Secretary Daley and OMB Director Jack Lew.  And a copy of that report we're releasing to you today.
>There are three parts to the strategy that we are launching. First, the federal government is taking new steps to protect our vital national security systems from unauthorized access.  We will be securing our own systems with encryption and other security tools, and we will be partnering with the private sector to develop more tools to protect our nation's communication infrastructure.
>
>In doing so, we hope to serve as a model for the private sector.  In a moment, Deputy Secretary Hamre will describe this effort in more detail.
>Second, we are launching a new framework for export controls that will allow American companies to export encryption hardware and software more broadly, while still protecting our vital national security needs.  We will implement this new framework by December 15th, after we have had an opportunity to consult with U.S. industry, the public and Congress.  Secretary Daley will discuss these changes in detail in a moment.
>Finally, we are taking new steps to ensure the public safety by helping our law enforcement community stay one step ahead of the growing sophistication of encryption technology.  Given the growing use of encryption among criminal elements, we must update law enforcement's legal tools to ensure that it can lawfully access information during investigations.  Today we will be submitting new legislation to the Congress, called the Cyberspace Electronic Security Act, that will provide a legal framework for both privacy protections and legal access to encryption keys.  The attorney general will describe our effort in this area in more detail.
>Finally, we will hear from Peter Swire, who will speak more specifically about how all the steps we are taking today will address America's concerns for privacy.
>Before I turn to my colleagues, let me say a word about the pending encryption decontrol legislation in Congress.  We believe that the new strategy we are presenting today provides a more balanced approach to the issue than the proposals that are now before Congress. We look forward to working with Congress to implement a solution that meets the needs of all those involved.  However, the president will not sign any encryption legislation that does not protect national security and law enforcement interests.
>With that, let me turn to Deputy Secretary Hamre.
>MR. HAMRE: Good afternoon.  I had a little prepared speech to give, but I got thrown off here.  I was just handed a wire clipping that basically says that the White House threw national security and law enforcement overboard in order to give a concession to the high-tech industry.  And I've got to tell you, that's just completely wrong.  The national security establishment -- the Department of Defense, the intelligence community -- strongly supports this strategy.  Indeed, we created the first draft of the strategy and presented it to our colleagues in the interagency process.  We in the Defense Department did it because I think we feel the problem more intensively than does anyone else in the United States.  We are the largest-single entity that operates in cyberspace.  No one is as large as we are.  We are just as vulnerable in cyberspace as is anybody, and we strongly need the sorts of protections that come with strong encryption and a key infrastructure that we're calling for in this strategy.
>
>We also have a responsibility to provide to the president and to senior decision-makers timely information, so that they can protect this country.  And for that reason, we needed a very integrated approach.  And these three pillars, which you have heard about -- we'll -- can answer any further questions -- are absolutely essential if we're going to be able to protect this country in the future.  We strongly agree with this and think it's exactly the right thing to do.
>This is a balanced program.  But I've got to tell you, it's going to require significant investment on the part of the Department of Defense and the intelligence community to put all the pieces in place. We will have to develop new tools to be able to do our job.  We will resource that appropriately in the budget that we've prepared, that will be submitted next January.
>All three elements of this strategy are essential.  And I may highlight -- it's very crucial -- that the law enforcement element of this is essential for national security.  You cannot distinguish in cyberspace whether an attack comes inside the United States or from outside of the United States, and only the law enforcement community is allowed to act inside the United States.  We must have that part of this strategy enacted, and we ask for help in doing that from the Congress.
>I too would like to say that there are -- there continues to be pressure for legislation in the Congress that would strip away any controls over encryption products.  One of the bills is called the SAFE (sp) Act.  The only person who would be safe, if that were passed, would be spies, who would be free to export anything of national security interest, without any surveillance at all.  We cannot support that, and the department would ask the president to veto it, if it were passed.
>We strongly support this strategy.  The entire establishment within the national security establishment was instrumental in crafting it.  We would ask for -- the Congress for its help.  And I'd also like to thank my colleagues who were so instrumental in helping us work through these problems, and for our colleagues that worked out the fine details when we went to finalize the strategy.
>Q What's the push behind the loosening up, then?  I mean, what is --
>MR.  : Helen, let's get everyone -- get everybody's opening statements, and then we'll take questions.
>SEC. DALEY: We can all welcome today's update of our encryption policy.  It is a good example of government process that has worked.  The agencies involved, from national security, law enforcement, and commerce, all had a common objective: to provide the tools to keep our nation safe, while taking technological advances and market changes into account.  This may have taken a little longer than some would have liked, but in our opinion this outcome is a sound one.
>This new update continues to provide the balanced encryption policy that the president wants and is a policy that will continue to protect our national security while letting us take advantage of the substantial promise of electronic commerce.
>In saying that, I want to be clear that the Commerce Department supports all three parts of this program -- the export control liberalization is balanced by the additional tools for law enforcement and additional resources being devoted to improving the privacy and security of government information systems.
>Today's update continues the three fundamental principles of our policy -- one-time tactical review, post-export reporting, and the ability to deny exports to governments and military end-users.
>First, the new regulations will permit any encryption product or software with a key length of 64 bits to be exported under a license exception to commercial firms and other non-government end-users in any country, except for the seven state supporters of terrorism.  This means that exporters will be able to ship freely once Commerce has reviewed their products and classified them.  We've decided that encryption exports which we previously allowed only for a company's internal use can now be used for external purposes such as communication with other firms, supply chains and customers.  This step will be very helpful in building electronic commerce.
>Additionally, telecommunication and Internet service providers will now be able to use any encryption commodity or software to provide services to commercial firms and nongovernment end-users.
>Second, retail products with key lengths over 64 bits, those that do not require substantial support, are sold in tangible form, or have been specifically designed for individual customer use, may be exported under a license exception to all end-users, including governments, except in the seven state supporters of terrorism.
>These regulatory changes basically open the entire commercial sector as a market for strong U.S. encryption products.  Exports to governments can be approved under a license.
>Third, the new regulations will also implement our international commitments for encryption controls.  Last year, the Wassenaar arrangement -- 33 countries which have common controls on exports, including encryption -- made a number of changes to modernize the multilateral encryption controls.
>Among these changes, the U.S. will decontrol exports of 56 bits DES and equivalent products, including tool kits and chips, to all users and destinations, except the seven state supporters of terrorism, after a technical review.  In addition, exports with key lengths of 64 bits or less, including chips that fall under the Wassenaar arrangement's definition of mass market loss, will be decontrolled.
>As I mentioned, post-export reporting is a fundamental part of our new export policy.  Reporting will now be required for any export to a non-U.S. entity of any product above 64 bits.  Reporting helps ensure compliance with our regulations and also allows us to reduce licensing requirements.
>
>When we draft our regulations, we intend to consult with industry to ensure that the reporting requirements will be streamlined to reflect business models and practices, and will be based on what companies normally collect.  We hope to have the implementing regulations published in the Federal Register before December 15th. This approach will provide the framework for U.S. industry to construct a new global network for electronic commerce, while maintaining reasonable national security safeguards.
>ATTY GEN. RENO: The president today is transmitting to the Congress a legislative proposal entitled, "The Cyberspace Electronic Security Act of 1999," better known as CESA.  The Department of Justice developed this legislation with the assistance of numerous agencies within government.
>The legislation would support the use of encryption by legitimate citizens to protect their privacy, and address the growing use of encryption by criminals using it to hide evidence.  In brief, the advent and eventual widespread use of encryption poses significant challenges to law enforcement and to public safety.
>Under existing law, investigators have a variety of legal tools to collect evidence of crime in such forms as communications or stored data on computers.  These tools are rendered useless when encryption is used to scramble the evidence so that law enforcement cannot decode it in a timely manner, if at all.
>When stopping a terrorist attack or seeking to recover a kidnapped child, encountering encryption may mean the difference between success and catastrophic failures.
>At the same time, encryption is critically important for protecting our privacy and our security.  And the administration, the Department of Justice, and the FBI strongly support the use of encryption by our law-abiding citizens for these purposes.
>CESA, therefore, balances the needs of privacy and public safety. It establishes significant new protections for the privacy of persons who use encryption legally, but it also assists law enforcement's efforts to maintain its current ability to obtain useable evidence as encryption becomes more common.
>CESA contains a number of key provisions.  First, it provides special protections for decryption keys stored with third-party recovery agents, and it establishes limitations on government use and disclosure of decryption keys obtained by court processes.  These new provisions significantly protect privacy.  However, CESA does not limit in any way an individual's choice about whether to use a recovery agent.
>
>A person may use a recovery agent or not, as he or she chooses.
>CESA also authorizes appropriations for the Technical Support Center and the FBI, a center which will serve as a centralized technical force for federal, state and local law enforcement in responding to increasing use of encryption by criminals.  Law enforcement throughout our nation will depend upon this center to find ways to obtain usable evidence under existing law, despite the use of encryption by criminals and terrorists.
>Finally, CESA protects the confidentiality of government techniques used to obtain usable evidence, such as techniques developed by the Technical Support Center, and ensures that industry proprietary information can be protected in criminal trials.  Open disclosure of law enforcement techniques, for example, can jeopardize future investigations and severely hamper law enforcement.
>I believe that in adopting this policy, the administration has fundamentally altered the encryption debate.  The administration is working towards a number of important goals, ensuring that American industry remains competitive, that our citizens have the strongest protection available for their data and their communications, and that law enforcement maintains its ability to protect public safety from criminals and terrorists.
>Of course, we continue to be concerned that criminals and terrorists will benefit from the widespread use of strong encryption, which will allow them to cloak their communications and other evidence of illicit activities from authorized law enforcement investigations.
>We must recognize that the policy the administration is announcing today will result in greater availability of encryption, which will mean that more terrorists and criminals will use encryption.  We must deal responsibly with that result by attempting to assist law enforcement in its efforts to protect the public safety through the passage of CESA.
>That said, this legislation does not provide any new authority for law enforcement to be able to obtain usable evidence from criminals.  Instead, we will continue to operate under our existing authorities and attempt to meet the threat of the criminal use of encryption.  We are hopeful that these existing authorities will prove sufficient.
>
>In conclusion, we must have a balanced policy that reflects the needs of privacy, electronic commerce, national security and public safety.  Today's announcement substantially relaxes export controls, allowing American industry to compete fairly in the international marketplace, while maintaining those minimal controls that are essential for national security.  At the same time, by transmitting CESA to Congress and urging its enactment, the president is addressing the needs of public safety; thus, the administration is taking a substantial step, a very substantial step, to address the needs of all stakeholders.
>
>
>MR. SWIRE: My name's Peter Swire.  I'm the chief counselor for privacy at OMB.  I'm here to underscore that today's announcement reflects the Clinton administration's full support for the use of encryption and other new technologies to provide privacy and security to law-abiding citizens in the digital age.  The encryption measures announced today properly balance all of the competing interests, including privacy, electronic commerce, and public safety.
>Encryption itself is a privacy- and security-enhancing technology.  Especially for open networks, such as the Internet, encryption is needed to make sure that the intended recipients can read a message, but that hackers and other third parties cannot. Today's announcement will broaden the use of strong mass-market encryption for individuals and businesses.
>In the part of today's announcement that updates the rules for law enforcement, the Cyberspace Electronic Security Act retains all of the existing legal protections for information in a home or business. It goes beyond current law and provides new privacy protections for individuals and businesses who choose to store key information with an outside company.  Think of your bank ATM card.  What would it be like if you forgot your password and could not obtain access to the money in your account?  That is precisely what can happen with strong encryption.  If you lose the password, then all that encrypted material is scrambled forever and lost.
>Because encryption has become so unbreakable, prudent people need backups.  Under CESA, if you decide to give your key or password to an outside company, then law enforcement has to meet strict new judicially supervised standards to get that information.  With this proposed legislation, it would be a civil and criminal violation for the company to release the information improperly, and also a violation for law enforcement officers to try to get that information without a court order.
>Similarly, for added security, and to prevent misuse of your private key information, if this proposal becomes law, there would be restrictions on selling information regarding encryption customers to other private parties.
>With that said, I want to be clear about what CESA does not do. CESA is technology-neutral and does not regulate the hardware or software used for encryption.  CESA does not require anyone to use key escrow, nor does it regulate how key escrow might develop in the private sector.  The only effect of CESA on key escrow is to provide privacy assurances for those who freely choose to give their backups or their key information to others.  Some information stored outside of your home deserves to be carefully protected.
>In sum, the announcement today shows the commitment of the administration to real protection for privacy in the information age while balancing with the important other public interests we have all been discussing.
>
>Q Ms. Reno, you said just a moment ago that you hoped that this legislation would give existing authorities -- that the existing authorities will be sufficient in getting access to the decryption keys.  Seems to me there's a big space between "hope" and "will".
>ATTY GEN. RENO: Based on our experience, our conversations with industry, with all concerned, we think the existing authorities will be sufficient, and we look forward to working with industry in that effort.
>Q Mr. Hamre, you've testified on the Hill and others in the administration many times opposing the SAFE Act.  At those times you laid out the exact scenario that the attorney general says will now come to pass.  You said they were unspeakable dangers that should be avoided.  Now this policy is called a balanced policy.  What shifted in the last few months?
>MR. HAMRE: Well, maybe you should go back and look at the testimony, because what was objectionable to us in the SAFE Act and in the PROTECT Act, these two bills, was that it stripped away the things that are essential for national security: a meaningful technical review of encryption products before they're exported and reporting about where they have gone and how they've been installed after the fact.  That was essential if we're going to be able to protect the country, and that was stripped away by the PROTECT Act and the SAFE Act.  So they're very different.
>Q Will the policy include end user reporting for where a mass market product is sold?
>MR. HAMRE: We're still in the final stages of working through the details.  I can defer to Secretary Daley or to Undersecretary Reinsch to talk about the specifics.  We will promulgate those regulations later here within weeks.  And then you'll see it at that time.  We are going to try very much to follow the industry norm for software, for example, between mass market and non-mass market products.
>
>Q And what is the big push behind this?  Is it the market?  I mean is it these corporations have pressured -- put pressure on the administration?
>MR. HAMRE: No, I -- when you raised the question earlier you talked about the big push for relaxation.  We don't -- first of all, that's only taking --
>Q It isn't relaxation?
>MR. HAMRE: Actually, I don't think so.  I think it's a very different approach to the export problem.  The path that we were on before was a very complex path.  There were certain countries that were allowed; certain countries weren't.  Certain sectors were allowed; certain sectors weren't.  Certain strength levels, and above one strength level it had a different set of rules than others.  Certain trading partners were allowed, and certain trading partners weren't.  It was enormously complex, and in that kind of environment lots of mistakes are made.  And frankly, security risks abound in that sort of an environment.
>
>We decided we needed to promote a very different approach with very, very simple rules that everyone could understand, that would give us a chance -- we're still going to have to do a lot of work, we in the national security establishment, to live in this kind of an environment.  It's going to take a good deal of research.  We'll have to develop new tools and techniques.  This is part of the job.  But we were going to have to do that anyway, and we think this is going to be a much better process for us.  It's not a relaxation.  It's really a very different approach.
>Q Have you talked to Chairman Spence or Chairman Goss about this yet?  And if so, what kind of reaction did you get from them?
>MR. HAMRE: I have spoken with both Chairman Goss and Chairman Spence. Both of them were very strong in agreeing with us in our request to protect us from legislation that would have really stripped away any national security protection against strong encryption.  Both of them support what we're doing.  Both of them have very specific questions that we're going to need to answer.  They, too, want to know a lot of the details that the rest of you are interested in.  We believe that we will be able to demonstrate to them we can protect the country with this new framework.
>But let me again emphasize, all three parts of this framework are essential.  We must have a strong commitment to security products, security infrastructure.  We need to buy that.  We have to have a new regime for export control.  And we also need to have stronger tools for law enforcement.
>Q Where are the stronger tools?  I mean, Ms. Reno was saying in her comments this legislation does not provide any new authority for law enforcement.  We've got some extra funding.  Where are the stronger tools?
>ATTY GEN. RENO: The stronger tools lie in the technical support center, because what we're trying to do is not create a new authority; we're trying to match technology to the existing authority.  And we think, after conversation with industry and the working relationship that we've developed with them, that through this technical support center, we will be able to do so.
>Q Beyond the extra funding, is there anything specific you can point to in here that's --
>
>ATTY GEN. RENO: One, for example, is the protection of methods used so that as we -- we will not have to reveal them in one matter and be prevented, therefore, from using them in the next matter that comes along.
>Q Ms. Reno, would you describe this as a relaxing of restrictions?  And if so, how can you possibly support it after having opposed it for all this time?
>ATTY GEN. RENO: What we did approximately a year ago is to meet with industry.  We talked to them in a very full and frank way.  We said, together let's look at it.  They sympathized with our law enforcement responsibilities.  And they said, if we can work together, they suggested the concept of a technical support center; we can, I think, according to the people that were there, address the problem.
>
>In the interim, we have had the opportunity to have those discussions, to expand on that dialogue, and I think we will be able to.
>Q How closely was the vice president involved in this effort? Did he meet with you regularly, you know, receive drafts, that sort of thing?
>ATTY GEN. RENO: I would have to let his office speak for it. But I can remember approximately two meetings with the vice president.
>Q Why wouldn't you consider this a relaxing of restrictions on encryption?
>ATTY GEN. RENO: No.
>Q Mr. Daley, why the decision to maintain export licenses for government sales?  Assuming that a lot of governments still own telecommunication companies and high-tech agencies.
>SEC. DALEY: Well, we want to make sure that the foreign policy considerations are taken into impact as we move forward.
>MR. HAMRE: Because we insisted on it.
>SEC. DALEY: That was a simpler answer!  (Laughter.)
>Q How does this comply with Wassenaar?
>SEC. DALEY: Bill?
>Bill, why don't you just come up here.
>WILLIAM REINSCH (Undersecretary of Commerce for Export Administration): What the Wassenaar partners decided to do last December was set up certain rules that said in some cases encryption was decontrolled, and in other cases it had to be controlled via the national laws and systems of each of the individual partners.  This action is consistent with that because we are decontrolling, that is removing from our system lower-level encryption, consistent with the Wassenaar levels, which are 56 or 54 bits, depending upon what you're talking about.  Above that level, we are permitting the encryption to be exported following a technical review and subject to a license exception, which is a process that we use that's consistent with international licensing regimes and the Wassenaar standards.
>Q So below (64 ?), you don't need a technical review?
>MR. REINSCH: No, I didn't say that.  Technical reviews are required, but it's a one-time technical review.  When we reviewed the product once, we don't need to review it every time.  And for the low-level products, which are primarily the older products, many of those reviews have already been conducted, and I don't think that we're necessarily going to have to do that all over again.
>Q So what's the difference in a technical review between the higher encryption products and the lower?  I guess I'm thinking --
>MR. REINSCH: I don't think there's a difference in the review. I'm saying there's some cases where we've already done it.  And this is a very fast-moving sector; there's, you know, new products every week.  And we're going to have to review each of the products as they come up and as people want to export them.
>
>###
>
>
>
>--------------------------------------------------------------------------
>POLITECH -- the moderated mailing list of politics and technology
>To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
>subscribe politech
>More information is at http://www.well.com/~declan/politech/
>--------------------------------------------------------------------------