Tech Law Journal

Capitol Dome
News, records, and analysis of legislation, litigation, and regulation affecting the computer, internet, communications and information technology sectors

TLJ Links: Home | Calendar | Subscribe | Back Issues | Reference
Other: Thomas | USC | CFR | FR | FCC | USPTO | CO | NTIA | EDGAR

Transcript of Internet Caucus Panel Discussion.
Re: Administration's new encryption policy.

Date: September 28, 1999.
Source: Tech Law Journal recorded the event, transcribed the audio recording, and then converted it into HTML. Parts of the recording were of low quality, and there may be errors in this transcription. Copyright 1999 Tech Law Journal. All rights reserved.


Summary of Panel Discussion
Opening Statement of William Reinsch.
Opening Statement of James Robinson.
Opening Statement of Linton Wells.
Opening Statement of Peter Swire.
John Schwartz Question for Goodlatte regarding status of SAFE Act.
Goodlatte response regarding SAFE Act, and Goodlatte questions for Reinsch regarding export controls (request for details on the one time technical review, information required, protections for proprietary information, length of review period, meaning of meaningful review, and differences in review process of SAFE and CESA.
Reinsch response.
Goodlatte questions regarding whether the regulations will be delayed if CESA is not enacted, and government access to escrowed keys for medical and banking records.
Reinsch response.
Weldon statement.
Reinsch statement regarding export of source code.

[The introductory statements are not transcribed.]

William Reinsch.  I appreciate the Congressman Goodlatte's comments. He has been steadfast in his efforts on this, and I think the legislation, as I have said before, _____would not as prolonged as it is, were it not for his personal efforts, and his relentless approach to this. I have had the pleasure to testify with him frequently, and it has been truly a pleasure.

On the other hand, if I never have to do it again, that would also be all right. [laughter] I found a way to have this issue behind us.

Let me say briefly what we have done with respect to my little piece of this, and then I will turn it over to my colleagues, who will speak about their pieces, and I urge you to stay and listen to all of them, because what the White House announced on September 16 was a three part program, and it is the other two parts that my colleagues are going to talk about that really provide front, the foundation, and the rationale for the export control decision, and have enabled us to go forward with export control changes that we think are helpful to the marketplace, and the industry, but which at the same time we think preserve our national security and law enforcement equities. Unfortunately, in a sense, in the media the export control changes have captured more of the news, which I can certainly understand under the circumstances, but in fact it is the other two legs of the stool that really are the more important, because the provide the foundation for what we have done.

One of those stools is additional tools for law enforcement, which are embodied largely in the Cyberspace Electronic Security Act, and Jim Robinson is going to address that shortly.

The other leg is additional attention being paid by the government, centered initially in the defense department, on development of more secure and more private systems. And we hope that we can use the Defense Department's effort and a substantial amount of money that they are going to put into that project to develop model systems, not only for themselves, but also for the federal government, and ultimately, we hope, the private sector as well. A lot of that has to do with authentication, and not solely with data encryption. I just want to make that comment in passing, and Lin Wells, from the Department of Defense, from Deputy Secretary Hamre's office, is going to go into greater detail on that as well.

Peter Swire, who is the President's privacy advisory, is also going to talk about how the decision we are making, in _____  with the administration's privacy objectives, and is consistent with those.

What I want to do is simply to describe to you what we have done in the area of export controls, in gross, if you will, and then wait for questions, if you have any specifics, recognizing that the reg is not up here yet, and some of this remains for consultation with industry.

What we have done is attempt to simplify a somewhat complicated export licensing regime, now, in which we divide the world by products, by countries, by sectors, and have a number of cross-cutting matrices that has produced a lot of inquiries, and I think generally, created some confusion. And we have tried to simplify substantially, and in the process, recognize what I have been saying from the beginning in my testimony on this, is, and that is, that our policy is designed to reflect market realities.

We've taken account market -- we have taken market realities into account. We have observed the marketplace closely in the year that has intervened since our last policy update in 1998, and we believe what we have done reflects where the marketplace is going on this subject. In that regard, we have essentially, divided products in sort of in two ways.

One, by level, we have conformed with our Wassenaar Arrangement international obligations pursuant to the agreement that was struck last December, and will be decontrolling products at either the 56 bit level, or the 64 bit level, depending on what kind of product it was, consistent with Wassenaar rules. And so, below those levels, we will not be requiring licenses, or license exceptions. We will not be requiring reporting.

Above those levels we are dividing products essentially into two categories, what I would call retail products, and the fact sheet which we passed out which is available on several websites, including BXA's, details in a little bit more language what, how we define as retail, but essentially, these are products which do not require substantial support for installation and use, and which have been specifically designed for individual consumer use, and other things, the details of the definition is one of the things we _____ consult on.

That is one category. Everything else is in the other category. And we will refer to that publically as custom, or customized, products, specialized products, or some other term like that. But, we intend to define retail universe, and simply put the rest in the other category.

All of these products will go through the same one time technical review that is currently part of our policy, and we envision that continuing to be part of our policy, the same kind of review we are undertaking now.

In addition, there will be post export reporting requirements for all of these products, that is in these latter two categories -- retail and custom products. The principles, if you will, by which we will develop those post export required, reporting requirements, are first, that, we will not ask businesses to report information that they are not now collecting, and we will attempt to follow business models in the requirements that we set up. This is an area where we intend to consult extensively with manufacturers, and other parts of this change, before a reg we have some more to learn about business models, and we want to have an extensive consultation with industry about that. We have already begun that informally, but we will be done some more formal things shortly. We are committing to finish and issue our reg not later than December 15.

Now, with respect to those two products, the difference in controls is very simple. Everything in both the retail and the custom product areas, are going to be let out on license exception, which means after the one time review, without have the necessity of getting an individual license. They'll all be let out to private, individual, and commercial end users. The sole difference is that for the custom products, for government and military end users, you will need an additional license. That is not a round about way of saying those licenses will be denied. In fact, those licenses are required now, and those licenses are often approved now. So, simply the fact that we require a license does not mean denial. But a license will be necessary for custom products in the government military end user area. It will not be necessary for the retail products, even for government end users.

This is a much simplified system. It is a way of freeing up that product that, I think, goes beyond the PROTECT ACT, and is, Mr. Goodlatte and I can argue about this, we haven't actually had an argument about it yet, but I think it's, it's comparable in some respects, perhaps not in all, to liberalization in the SAFE ACT. There are some differences. It is consistent with our Wassenaar Arrangement international obligations. It is consistent with market realities, as we have observed and understood ____ in the last year.

And, I think that it is permitted because of the other two legs of the announcement, which my colleagues are going to talk about. Now, having said that, the only comment, further comment I would make is I am happy to do, have questions about this, recognizing that we still have a consultation process to go through, and we don't have a regulation to share it with you.

What has happened since September 16 though is that, unfortunately, the fine intelligent thoughtful questions that would come from a group like the Internet Caucus, have not been predominant. And what has been predominant is the comments that have come from the paranoid caucus, which I am sure is a different group of people from anyone in this room.

And they are all looking for the fine print. They are looking for the catch in what we have announced. And my final statement is simply, there isn't any catch. You know. It is what it is. And this isn't a scam, or some kind of game.

We have made the announcement we have made. And we have made it because we think that this is the best way to enhance law enforcement's tools, capacity to keep up with, or deal with a rapidly changing world in this area. Now, we have done it in a way that we think is consistent with our obligation to defend the country's national security. That is what it is. There isn't any catch. And I would be glad to go into detail with you about that at a later point. But, I don't, I don't, I want to be clear about our intensions here. There isn't any hidden agenda.

With that explanation I think I will close and defer to, I believe, Mr. Robinson is going to be next? I that right?

James Robinson: I am Jim Robinson. I am the Assistant Attorney General for the Criminal Division in the Justice Department. And has been noted, there has been, as we know, a long, sometimes divisive, debate over encryption policy. And I guess I would say that, puts me in mind, new developments of some comments that Justice Felix Frankfurter once made in a Supreme Court opinion, in which he said, "wisdom so seldom comes, that it ought not to be rejected simply because it comes late," I suppose, you could argue.

I think that we have come to the conclusion that the best way to approach these issues that have been subject of serious concern by the people who are hear and members of this caucus, approach it in the context of cooperation, rather than confrontation. And it has been our view, from the law enforcement perspective, that among the considerations that need to be at the table in discussing this important topic was the need, not only to protect the privacy of citizens, and not only to protect the interests of industry for business opportunities, but also the interests of the American people for national security and public safety.

The September 16th announcement is a first step in trying to accommodate each of these important areas. As part of the proposals, as has been mentioned is, Cyberspace Electronic Security Act of 1991, 1999 I am sorry, CESA. This legislation would support the use of encryption by legitimate citizens to protect privacy, and would at the same time also recognize the growing use of encryption by criminals seeking to hide evidence. And this a very serious proposition for those of us in law enforcement.

I was the United States Attorney for the Eastern District of Michigan twenty years ago. We didn't have to worry about this. If we had probable cause, we could seek and secure a search warrant to seize documents, stored documents. We could also seek a court order for electronic surveillance. And we did not encounter unreadable gibberish. And, what we are seeking with regard to law enforcement is to the brave new world where encryption increasingly will become widespread. And, I think it can have serious repercussions, and I think it better to cut, to have this debate, not in the wake of a situation in which we have been unable to recover a kidnapped a victim, or prevent a major terrorist act, because of our inability, having seized material, to read it in a way that allows us to prevent criminal activities.

The components of CESA seeks to balance the needs of privacy and public safety. It establishes significant new protections for the privacy of persons who appropriately use encryption, but also assists law enforcement's efforts to maintain its current ability to obtain usable evidence in court as encryption becomes increasingly more common.

Just to summarize briefly. The number of key provision in the legislation. It provides special protection for decryption keys stored with third party recover agents, and establishes limitations on government use and disclosure of those decryption keys obtained through court processes. These provisions will protect privacy, will not in any way limit any person's individual choice about whether to use a recovery agent or not. This is a re-emergence of the Clipper Chip approach to this issue.

CESA will also authorize appropriations to the technical support center at the Federal Bureau of Investigation, which will serve as a centralized technical source for federal, state, and local law enforcement, as it seeks increasingly to deal with situations in which we appropriately, through court authorization, secure access to communications and stored electronic data, which because of powerful encryption, we won't be able to deal with without the technical capacity to address it.

And finally, it protects the confidentiality of government techniques utilized to obtain, usable evidence, techniques, such as those that we expect will be developed by the technical support center, and will assure that proprietary information, provided to the government to assist us, in provided, developed by the government, can be, to the extent consistent with constitutional limitations, be protected from disclosure, so as to destroy the usefulness of that information.

I believe that in adopting this policy the administration has altered the encryption debate as has been noted. I think that the administration is trying to work towards a number of goals, all of which are very important. And from a law enforcement perspective, it is very important that the vital interests of law enforcement to protect the public not be left on the cutting room floor, as we continue on with the development of these important legislative proposals.

We continue to be concerned that criminals and terrorists will benefit from strong encryption, and will attempt to cloak their communications and their evidence through the use encryption.

But, we cannot hold the sea back. We know that. We have to deal with a new world of technology that has happened over many many years with lots of technological developments, and this is another one we are going to have to deal with, and I think a cooperative approach, a balanced policy, is the best way to do it. We think that the policy that has been announced is one that has great merit. And, we from a law enforcement perspective, support this approach and look forward to working with Members of Congress in advancing these proposals.

Linton Wells: My name is Lin Wells. I am the Principle Deputy Assistant Secretary of Defense for Command, Control, Communications and Intelligence. The policy that was announced on the sixteenth of September has three pillars to it.

One was strong information security and privacy. The second was a new framework for export controls. And the third was updated tools for law enforcement.

What I would like to talk about is the Defense Department's interest in the information security, and some of the reasons why we support the national security perspective, the new export control regime.

Defense is a big player in this information security world. We have over 2.1 million computers, and over ten thousand networks on any given day. We are spending something over 500 million dollars, half a billion dollars, to put together a comprehensive security management infrastructure.

When we talk about the security management information security, we often use the term information assurance. And this to us means five things. It means you must be able to protect the confidentiality of the information in your network. It means that you have to maintain the integrity of your databases. It means you must be able to authenticate and identify who is in your networks. And it means you must be able to non-repudiate, if you will, a contract signed in cyberspace cannot later be repudiated. And finally, the information has to get there. The infrastructure has to be available.

Secretary Reinsch talked about the authentication phase of encryption. This is very important to us, as we have seen more and more penetrations into our networks. We have to know who is in those networks.

We also know we can't do this by ourselves. This has got to be a partnership between the government and private industry. The tools of the commercial marketplace are getting stronger. We need to find a way to leverage them, and then to build on them, so the government products, as needs be for our own particular needs.

The point is we can't do it along. Therefore, we have a vested interest in promoting the development of encryption tools in the private sector, not encryption, information and security tools, in the private sector. And acting as a facilitator and a catalyst for bringing these along together.

This also is a question, if you will, of critical infrastructure, which there is not time to get into today. But it is intimately involved in this public private sector partnership.

We feel very strongly that security infrastructures and the deployment of security products should neither be mandated nor prohibited. There has been a lot of discussion about key recovery, key escrow, whatever tag the techniques.

In defense, one of our defense mega centers, which writes contracts, does over 40 million dollars worth of contracting per hour. There is no way from a business practices point of view that we are not going to be able to recover the information generated by the employees in that center. We have to have to have some one to recover it if it is encrypted and someone through dishonesty or mistake locked it up. So, we have a vested interest that in no way is nefarious. It is purely a business practice in maintaining key recovery techniques.

I turn to the export controls briefly. The three pillars on which the export control rests is a meaningful technical review, a streamlined reporting procedure that is consistent with business practices, and the ability to deny to military, government, or terrorists end users the products that circumstances permit. Those are the sine quo non from the national security community's point of view. Because those are part of the policy, we are more than pleased, more than happy to support the relaxation of export controls in other areas.

Some have characterized this as the national security community caving in to the export controls. That is not at all the case. There is very strong support for this program from the national security community.

Peter Swire: Greetings. My name is Peter Swire. I am the chief counsel for privacy in the White House. And, John Podesta had hoped to participate today in this. As you know, he was the Chair of the government's encryption working group. He, unfortunately, had another engagement, asked me to come and speak on the topic.

I am going to talk briefly about my own background that is relevant, about the administration's process, and how we got up to September 16th, and then some things about law enforcement, and where we stand now in going forward.

As chief counselor for privacy, part of the background is that I taught the law of cyberspace in law schools, including encryption, and, Ohio State University, where I taught, there is a scholarly article on encryption called the "Uses and Limits of Financial Cryptography, A Law Professor's Perspective." And, I say this in part to show that over the last several years the administration has continued to bring in the people of a lot of sources, many people in the Justice Department, Defense, and other agencies who have learned over time more and more about encryption, and more and more how vital it is  within the Internet community and the e-commerce world. And, throughout the many different agencies and throughout the Congress and industry, we have had a gradual learning about the issue, and I think that helps explain at least part of the evolution in policy over time.

The administration process leading up to September 16th, what you see here today is, I think, a reflection of the many different sorts of agencies and goals that were involved together in trying to come up with an overall package that is good policy for the country. And so we have national security concerns, and law enforcement concerns. We want to have strong electronic commerce. We want to have the privacy and security individuals protected in our new electronic age.

And the questions are all along, how do we put together a package that meets those different goals. And those are all goals we want. And so, that is a big challenge.

In terms of the announcement in September, there have been reports that the timing, or the exact content of the announcement was very tied in with particular Presidential politics for next year. I would like to say that that misses the mark. That that, those reports do not match the process that I was involved in, and that I saw. And I think that is relevant to you all as you look at the efforts here to get encryption policy right for this next period.

When I taught the law of cyberspace I taught encryption. And when we talked about law enforcement and national security from two different perspectives, both of which I think have a lot of validity, and informed why this has been a hard problem. One perspective is one that Congressman Goodlatte, I heard, on TV recently express, and I think he did it very well, which is a perspective that encryption prevents crime. That if we can send our trade secrets within companies, if we can do our contracts within the Pentagon, if we can send our personal letters to our loved ones using the Internet, if we can use corporate intranets, in all of these ways, having this security wrapped around our communications, stops bad guys from taking our information. It is a way to reduce crime. And that is an important truth and insight.

There is another important truth and insight also. Which is, that if we have bad people -- terrorists, drug cartels, your favorite kind of bad people -- if you have bad people that have hard drives full of encrypted information, or have a worldwide email network full of encrypted information, they can store data, or communicate data, free from scrutiny if there is strong encryption. They can have a get out of jail free area on their hard drive that nobody can read, and keep records in a way that nobody criminal enterprises have never been able to do in history. That is a valid truth too.

What has been so hard on encryption is that both of these things are true. Encryption helps protect against crime. Encryption can also be used for crime. And as we have been learning as a society about how to deploy strong crypto, and how to use it, we have faced really difficult problems about to resolve those truths. What I think we have today, and we have heard from the panel, from the different parts of the administration, is that as of September 1999, the administration is saying that the package that we are now supporting, on the basis of having looked at how this really works, is a package that will let Defense Department, and the rest of government have strong encryption to do the things we need to do, that is going to allow e-commerce to use encryption in many important ways that will foster e-commerce, and, that deserves a tailored response to the particular law enforcement problems that do come up from encryption. And that tailored response is the CESA bill, the Computer. I am loosing the acronym right now. But, that the Computer Encryption Security Act? I am sorry.

Robinson: Cyberspace ...

Swire: Cyberspace Electronic Security Act. Sorry. I have encryption anxiety here. I can't get my acronyms right. The, the, a couple of points about CESA to point out. One provision is that trade secrets should not be easily disclosed in court. And investigative techniques of law enforcement should not be easily disclosed in court, and thus, lost forever. And so, consistent with Constitutional protections, we ought to get the right rules in place so that crypto related legal things don't get exposed unnecessarily.

The second provision is a privacy enhancing provision. It is based on choice. If you choose to create a business model. If you choose as an individual to have some company keep key related information, CESA would improve the level of privacy protection over the law today. It would say, you have to get a court order under the standards laid out in the statute, and only then can that third party provider hand over key related information. Today, if you go to the third party, there is no such legal requirement. This is a privacy enhancement. It is related to encryption. It is a tailored response.

And, the last part of CESA is that we should fund law enforcement to have capabilities to keep up with the information age. That they have to learn computers, just like all the companies are learning computers. And we should fund that adequately. I think that is a tailored response. It is a common sense response. It respects law enforcement and national security, while building an encryption world that is going to help the e-commerce and privacy and security and these other goals we are all trying to achieve.


John Schwartz: We have a little time for questions. I would like to start off by asking Congressman Goodlatte, in light of all that has been said here right now, what does this mean for the SAFE Act? If peace has really broken out, is the bill moot? Are you still going to go back? And I would like some of the panelists to discuss your response.

Rep. Bob Goodlatte: Thank you John. I was going to pose a question myself. You said it all right. I will answer yours.

Schwartz: You can answer my question with a question, as well.

Goodlatte: I know we also have Congressman Curt Weldon to come and give his perspective. We would like to give him an opportunity to do that. But the answer to the question regarding the SAFE Act is that it is alive and well. Curt just asked me when I originally introduced it. It was back in 1996. This is the third Congress in which it has been introduced. And it has grown from having one hearing held in Judiciary, and a handful of cosponsors, to 258 bipartisan cosponsors. It is ready to go to the floor of the House.

Whether and when it goes to the floor, I think, depends in large part on what we are short on at this point in time, and why this panel discussion is so timely, and that is the details. The presentation made by the administration, I think, is long on promise in addressing all of the different problems that they mention and that the SAFE Act is intended to address. but it is short on detail. And so, in that regard, I would like to ask the members of the panel a couple of questions.

One. One of the big issues here in terms of liberalizing export control is making sure that companies that manufacture these products are able to get them on the Internet and marketplace in a timely fashion, while at the same time giving the administration an opportunity to look at them, to determine what effect they may have on our national security concerns, and others, and that is called in the SAFE Act and in the administration proposal, a one time technical review. We don't have many details on what that means, and I am hoping that Bill Reinsch can tell us precisely what it does mean, what type of information companies will be required to provide as a part of the technical review, what steps the administration will take to make sure that any proprietary information will provided by industry is protected against hackers and industrial spies, and how long will this review period last? The administration objected to the SAFE Act as not providing a meaningful review prior to export, and so, we want to know what one time technical review is, and a meaningful review, and what your review process will include that the SAFE Act does not?

Reinsch: Well. Let me respond to that the best I can. The SAFE Act, as I recall, was amended in the House International Relations Committee to change the time limit from 15 to 30 days. I suspect with your acquiescence, if perhaps now you support, 30 is about what it takes us now on average. I am sure there are people in the room who will stand up to say it took longer. But, on average, I think that that is a reasonable number, and that is what we have been able to do, and that's what we think we can do, and we strive for better, and I think as, as is always the case with a change of policy, in the short run, there will be a hump, because everybody will come in with products, and we are going to get backlogged.

But, and that is just in the nature, we don't, Congress has, has, declined over the years to give us additional resources to wrestle with this problem. I say that even though I don't think that either you or Weldon are on the Appropriations Committee. So, you know, so we will get through the hump as best we can, but, I think thirty days is a reasonable time period. And, I think that the Congress seems to think so too, based on the House activity.

With respect to protection of proprietary information, or, I think, we have an exceptionally good record at that. Most of the information that BXA processes, if you will, is protected from disclosure by law. And, as a result we have had built in over the years a lot of procedures to make sure that we can maintain that standard. And, I think this information in that respect is frankly as important as any body else's information as far as proprietary data is concerned. We have a lot of it. And, I think we have a good record of not letting it out. And, I don't expect anything to be different in this case. And, I don't think, I am subject to correction from industry people in the audience, I don't think that that has been a problem with respect to our stewardship over encryption over the last two and a half years.

With respect to purpose and review, I would simply say two things. One, this is not a new thing. You know, it is more, if you will, prominent piece of our policy because we have eliminated a lot of other pieces of our policy. But in fact, we have done technical reviews from the beginning. Industry has not only not objected to them, but in many cases welcomed them.

As Mr. Goodlatte pointed out, his bill makes space for them, and provides for them as well. This has not been a controversial concept. If you want to know exactly what goes on with respect to the dialogue between the government and the industry in technical review, I would suggest that you ask the industry, and ask them to comment to you on what goes on. And, we don't envision what is going to happen in the future as different as what has happened in the past.

Goodlatte: Thanks. If I might ask one other question for our Justice Department folks, and Bill, perhaps you could address this too.

In two parts: the first part, Bill Reinsch, the discussions that I have privately with you and others have assured me that while all three of these aspects of the administration's proposal are very important, that they are not linked to each other, and my question is, will the export regulations be changed or delayed from your December 15 deadline, if the Congress has not passed the Cyberspace Electronic Security Act by that date?

And then for the Justice Department: under CESA the government may obtain encryption keys if there is not constitutionally protected expectation of privacy in the plain text. Does this limitation also cover information that is not constitutionally protected, but is only protected by statute, as is the case with medical records, and bank records?

Reinsch: December 15 is a no later than date. We hope that it will be earlier. In our experience, in the past, particularly in 1998, it took a good while, because we had a consultation, we envision going with the new and final proposed regs, so, the reg will lead the way. I don't see circumstances that would have us going beyond that date, including the non-enactment of CESA. And, that is a firm no later than date as far as I am concerned. And the announcement that we made is very clear that there are no contingencies or conditions attached to it. What we did say is that we are all, and this means the Department of Commerce, the Department of Defense, the Department of Justice, and the other agencies of government in support of CESA, and committed to urging the Congress to move forward quickly and expeditiously. But, that doesn't mean that the export control liberalization is contingent upon its enactment. It is a large, significant, major piece of legislation, as Mr. Robinson said, and I think that one of the things that Congress will want to do, and we hope they will do, is look at it closely. But, that is their obligation.

Schwartz: Congressman Weldon, thank you very much for being here. Do you have any questions.

Rep. Curt Weldon: Thank you. Let me see if I can liven things up here in the last couple of minutes of the luncheon. First of all, I apologize for being late. And I thank Bob and the members of the caucus for inviting me here.

Pardon me if I seem a little bit confused to our panel, but, I am, and have been, with the change in direction which has occurred. But before I begin, let me say at the outset one of my biggest projects for the past four years has been to build what is becoming the first smart region in America, linking up all of the institutions within a four state region -- Pennsylvania, Delaware, New Jersey, and Maryland -- _____. In fact, over the weekend, I hosted the Minister _____, who is the Minister of Information Technology for Malaysia. As we signed an ____ with them for uplink downlink ties between our hub initiative in the four states, and the new Malaysian super-computing corridor project that they are building in Malaysia. So, I am a strong advocate for the use of information technology.

But my other hat is to chair the Research Committee for National Security. And when Bob introduced his bill three years ago, my door was pounded incessantly by the Defense Secretary and his staff, by the Director of the CIA, and by the head of the NSA, and I would note for the record neither the CIA nor the NSA is here today.

Who is actually speaking for them today, I might add? OK.

NSA and CIA came in, and in a very intense way, lobbied me personally, and I am not a computer expert, nor am I a lawyer, and they asked me to give access to my subcommittee and the full Armed Services Committee to look at the security implications of the change in Bob's legislation. I respect Bob. I think that he is an outstanding member. But I felt that I owed it to my committee, and my responsibility to Congress to listen to what the administration was going to tell me.

We arranged a series of classified hearings and briefings. And, as with any Member of Congress expressing concern about the ability for our forces involved in a hostile environment to be able to respond quickly, ____ back to 1991 in Desert Storm where my understanding is that our commanders in the field had Saddam Hussein's commands before his own command officers had them, because of our ability to intercept and break the codes of Saddam's military. I want to make sure that we have that capability in the future. I responded in a very positive way to the argument that was being made by the CIA, by the NSA, and by DOD. And we took some very tough positions.

In fact, Ron Dellums and I offered the amendment last year that had only one dissenting vote in the House, and this year passed by a vote of 48 to 6.

In the past year none of those briefings have changed. And the people who have come to me as a Member of the National Security Committee, there has been no lessening of their impression of the threat. Yet all of a sudden I am told, and John Hamre, I think, he made the courtesy of calling me in advance, that there was a change.

Now, I agree with the gentleman from the White House, for the administration, that it was coincidence that this happened the day before Vice President Gore went to Silicon Valley. I agree that that was just a coincidence.

But the point is that when John Hamre briefed me, and gave me the three key points of this change, there are a lot of unanswered questions. He assured me that in discussions that he had had with people like Bill Gates and Gerstner from IBM that there would be, kind of a, I don't know whether it's a, unstated ability to get access to systems if we needed it. Now, I want to know if that is part of the policy, or is that just something that we are being assured of, that needs to be spoke. Because, if there is some kind of a tacit understanding, I would like to know what it is.

Because that is going to be subjected to future administrations, if it is not written down in a clear policy way. I want to know more about this end use certificate. In fact, sitting on the Cox Committee as I did, I saw the fallacy of our end use certificate that we were supposedly getting for HPCs going into China, which didn't work. So, I would like to know what the policies are. So, I guess what I would say is, I am happy that there seems to be a comming together. In fact, when I first got involved with NSA and DOD and CIS, and why can't you sit down with industry, and work this out. In fact, I called Gerstner, and I said, can't you IBM people, and can't you software people get together and find the middle ground, instead of us having to do legislation.

But I am not convinced that what we are doing here is necessarily logical. And I am not convinced that all of us, in fact, have the same understanding of what it is that you are coming out with in terms of a new policy position. And I guess we won't know that until the terms of the December 15th regulations are spelled out, and then we can debate the fine points, which is part of what Bob's question alluded to today

I don't want to hurt industry. In fact, I have advocated that we give significant new tax breaks to the encryption and software industry in this country to give them more incentive to stay in America and do their work here. But, I am also, as a senior member of the Security Committee, as a Chairman of the Research Committee, to seeing 47 billion dollars a year of our tax money going to Pentagon's IT systems, I want to be absolutely certain that in terms of our ability to deal with intelligence overseas, to be able to have information dominance overseas, to be able to use the kinds of tools that the CIA and the Defense Department needs in adversarial relationships that we are in fact providing that through this new policy.

So, I guess the devil is in the details, the proof is in the pudding, and I am going to withhold my support for what you have done until I have seen the details that you are supposedly going to review for us on December 15.

My question is also why wasn't the head of the NSA and CIA invited to appear? Was that the panel? Or, was that the decision of the administration?

Jerry Berman: [He said he invited the administration to send whoever they wanted.]

Weldon: My only question is, since, the administration used the CIA, and the NSA, to come to me as a Member of Congress to argue their position for the past two years. I would like to have had the NSA and the CIA here at the table so I could ask them the same questions that I am posing you. And I am not going to be happy until I get that opportunity.

______?: Congressman, we will make that opportunity available to you.

Weldon: I think it should have been done though in a public forum.

______?: Thank you.

Swire: Just one small, in the announcement on the 16th that Deputy Secretary Hamre spoke for Defense and national security, Attorney General Reno spoke for Justice and law enforcement. Secretary Daley for Commerce. I was asked to speak on privacy, as a representation of important goals that we were trying to meld together for this overall policy.

Weldon: I understand that. And John Hamre told me that when he called me a of couple of days before the announcement was going to be made. My point is, that when the administration wanted people to carry their water up on the Hill, they sent the head of the CIA and the head of NSA to see us personally. They did not have John Hamre do it. Although John did part of that. And I think that we should be hearing from the CIA and NSA directly because they are the people I am concerned, in terms of being able to break into systems of foreign adversaries, of both real and potential adversaries. I want to hear from them.

And I think we owe it to the public, as we have had an about face in this policy, and that is what I think that it is. I want to hear what has changed, and whether or not they are satisfied. Once again, I am not an information technology expert. I am not a lawyer. But, I want to hear from them. I want to get them to look me in the eye to tell me they are satisfied, and they are satisfied because what we have done here is consistent with their ability to provide the kind of level of security that we need in the future.

Wells: If I could say Congressman, one of the piece of the rollout was that the national security community will need additional tools. And, we look forward to the Congress to support that with appropriations.

Weldon: And we will do that. We have given, for the past five years, more money for the issue of information dominance in our defense bill, than the administration's request in each year. In fact, both ______ and John Hamre have had full and unequivocal support for all of their needs, as well as the needs of the CIA and the FBI, I mean the CIA and the NSA.

Schwartz: Congressman, I didn't really think we headed off into dull before, but when you said you were going to liven it up, you sure delivered on your promise.

I don't know that we have room, time for more for questions. I would like to ask one more, just to toss it out, because their is one distinction that is getting some attention. _____ for asking and getting a response on. And that is the distinction in the three tier platform of retail products versus everything else. One of the most important cases going on now is about source code being promoted by an academic, Professor Bernstein, and the export controls have been called a prior restraint, a violation of the First Amendment, and yet if that distinction is still going to be in place, it seems one of the most prominent issues, is not being addressed. That is what I have heard, and I would like to get some response from y'all on whether this thing is off.

Reinsch: We have not changed our policy with respect to the export of source code, so to the extent there was a problem, if you want to use that word before, the problem continues. I wouldn't want to comment on pending litigation in any substantive way, and I don't know what the, the, proponents of those various suits, of which Bernstein is only one, intend to do. But, we haven't changed our policy on source code. The court, when it considered this issue in that case, concluded that, we think, erroneously, but concluded that, the system of licensing that the government had did not meet the test, if you will, of an appropriate prior restraint. ...


[Editor's note: The final few minutes of the program  were questions from the audience, and answers from the panel. It is not transcribed here.]


Subscriptions | FAQ | Notices & Disclaimers | Privacy Policy
Copyright 1998-2008 David Carney, dba Tech Law Journal. All rights reserved.
Phone: 202-364-8882. P.O. Box 4851, Washington DC, 20008.