Förderverein Informationstechnik und Gesellschaft

Reinsch on U.S. Crypto Policy

Bureau of Export Administration, U.S. Department of Commerce

Testimony of William A. Reinsch, Under Secretary for Export Administration, Department of Commerce

Before the House Committee on International Relations, Subcommittee on International Economic Policy and Trade

Encryption: Security in a High Tech Era

May 18, 1999

Thank you, Madam Chairman, for the opportunity to testify on the direction of the Administration's encryption policy. We have made a great deal of progress since my last testimony before this Committee on this subject.

Even so, encryption remains a hotly debated issue. The Administration continues to support a balanced approach which considers privacy and commerce as well as protecting important law enforcement and national security equities. We have been consulting closely with industry and its customers to develop a policy that provides that balance in a way that also reflects the evolving realities of the market place.

The Internet and other digital media are becoming increasingly important to the conduct of international business. There were 43.2 million Internet hosts worldwide last January compared to only 5.8 million in January 1995. One of the many uses of the Internet which will have a significant effect on our everyday lives is electronic commerce. According to a recent study, the value of e-commerce transactions in 1996 was $12 million. The projected value of e-commerce in 2000 is $2.16 billion. To cite one example, travel booked on Microsoft's Website has doubled every year since 1997, going from 500,000 to an estimated 2.2 million this year. Many service industries which traditionally required face-to-face interaction such as banks, financial institutions and retail merchants are now providing cyber service. Customers can now sit at their home computers and access their banking and investment accounts or buy a winter jacket with a few strokes of their keyboard.

Furthermore, most businesses maintain their records and other proprietary information electronically. They now conduct many of their day-to-day communications and business transactions via the Internet and E-mail. An inevitable byproduct of this growth of electronic commerce is the need for strong encryption to provide the necessary secure infrastructure for digital communications, transactions and networks. The disturbing increase in computer crime and electronic espionage has made people and businesses wary of posting their private and company proprietary information on electronic networks if they believe the infrastructure may not be secure. A robust secure infrastructure can help allay these fears, and allow electronic commerce to continue its explosive growth.


This past year, we also made progress on developing a common international approach to encryption controls through the Wassenaar Arrangement. Established in 1996 as the successor to COCOM, it is a multilateral export control arrangement among 33 countries whose purpose is to prevent destabilizing accumulations of arms and civilian items with military uses in countries or regions of concern. Wassenaar provides the basis for many of our export controls.

In December, through the hard work of Ambassador David Aaron, the President's special envoy on encryption, the Wassenaar Arrangement members agreed on several changes relating to encryption controls. These changes go a long way toward increasing international security and public safety by providing countries with a stronger regulatory framework for managing the spread of robust encryption.

Specific changes to multilateral encryption controls include removing multilateral controls on all encryption products at or below 56 bit and certain consumer items regardless of key length, such as entertainment TV systems, DVD products, and cordless telephone systems designed for home or office use.

Most importantly, the Wassenaar members agreed to remove encryption software from Wassenaar's General Software Note and replace it with a new cryptography note. Drafted in 1991, when banks, government and militaries were the primary users of encryption, the General Software Note allowed countries to permit the export of mass market encryption software without restriction. The GSN was created to release general purpose software used on personal computers, but it inadvertently encouraged some signatory countries to permit the unrestricted export of encryption software. It was essential to modernize the GSN and close the loophole that permitted the uncontrolled export of encryption with unlimited key length. Under the new cryptography note, mass market hardware has been added and a 64-bit key length or below has been set as an appropriate threshold. This will result in government review of the dissemination of mass market software of up to 64 bits.

I want to be clear that this does not mean encryption products of more than 64 bits cannot be exported. Our own policy permits that, as does the policy of most other Wassenaar members. It does mean, however, that such exports must be reviewed by governments consistent with their national export control procedures.

Export control policies without a multilateral approach have little chance of success. Agreement, by the Wassenaar members, to close the loophole for mass market encryption products is a strong indication that other countries are beginning to share our public safety and national security concerns. Contrary to what many people thought two years ago, we have found that most major encryption producing countries are interested in developing a harmonized international approach to encryption controls.

At the same time, we recognize that this is an evolutionary process, and we intend to continue our dialogue with industry. Our policy should continue to adapt to technology and market changes. We will review our policy again this year with a view toward making further changes. An important component of our review is input from industry, which we are receiving through our continuing dialogue.