Statement Before the Senate Committee on the Judiciary
Subcommittee on Technology, Terrorism, and Government Information

Dorothy E. Denning, Georgetown University
William E. Baugh, Jr., Science Applications International Corporation

September 3, 1997

Thank you for the opportunity to testify on the subject of our recent study on organized crime and terrorist use of encryption. The study was conducted at the invitation of the National Strategy Information Center for presentation at the April meeting of the U.S. Working Group on Organized Crime. The NSIC asked us to define the problem created by the increasing availability of new technologies and sophisticated encryption, assess the impact such technologies are likely to have with regard to organized crime, and outline government and private sector options for responding to this problem. We also considered the use of encryption in terrorist cases.

In late February we began distributing a questionnaire seeking input about cases where encryption was encountered and about trends in the use of high technologies in crime. This questionnaire was electronically mailed to members of the High Tech Crime Investigations Association list and the G-TWO-I intelligence list as well as to numerous individuals in law enforcement and computer forensics. Some recipients forwarded it to other individuals and lists. We also sought input from the FBI and from investigators attending the FBI International Conference on Computer Crime in March. In addition, we had many informal conversations with people we knew in law enforcement. Our contacts included people outside the United States.

The study was not intended to exhaustively survey all law enforcement agencies. Neither did we collect information about national security cases, including wiretaps conducted under the Foreign Intelligence Surveillance Act or the SIGINT operations conducted by the National Security Agency, as this information is classified.
This information must be factored into any policy decisions, particularly given the security threats we face today from weapons of mass destruction, terrorism, and global organized crime.

Our principal finding is that we are at the leading edge of what could become a serious threat to law enforcement. This threat must not be brushed aside.

Terrorists and criminals are increasingly using encryption and other advanced technologies to hide their activities. Indications are that use of these technologies will continue and expand.

We received reports of a few cases where encryption had derailed an investigation, including two cases of intellectual property theft and one of counterfeiting. FBI Director Freeh testified in March that encryption had frustrated 5 intercepts in 1995 and 12 in 1996. At hearings in June, Senator Grassley told of an 11-year-old boy who committed suicide after being sexually molested. Thus far, the police have been unable to decrypt his personal organizer, which investigators believe might contain information about the man whom his mother believed molested him. The investigation has been on hold for over a year and a half. We have also heard that other investigations are currently being obstructed by encryption.

The majority of investigations we heard about were not stopped by encryption. In most cases, authorities obtained the key by consent, found it on a disk, or cracked the system in some way, for example by guessing the password or exploiting a weakness in the overall system. The cases involving the Aum Shinrikyo cult, Ramsey Yousef, and Aldrich Ames were of this nature. Alternatively, investigators used other evidence such as printed copies of encrypted documents, other paper documents, unencrypted conversations and files, witnesses, and information acquired through other, more intrusive, surveillance technologies such as bugs. The Yousef case also fell into this category, as he could have been convicted on unencrypted evidence.
Even when the encryption was broken, however, it delayed investigations, sometimes by months or years, and added to their cost, in a few cases costing agencies hundreds of thousands of dollars to crack open encrypted files.

We thought it important to get some estimate of the percentage and total number of cases in which encryption is encountered. The FBI's Computer Analysis and Response Team (CART) assisted us in that effort by counting the number of encryption cases handled at headquarters and estimating the number of cases handled by the field offices. CART estimated that in 1996, encryption was encountered in 5-6% of 2,000 computer forensics cases, that is, more than 100 cases. Using the 5% figure and an estimate of the number of computer forensics cases in the U.S. and worldwide, we estimated that the total number of computer forensics cases involving encryption was about 250-500 in the U.S. and 500-1000 globally. These are cases involving stored data, including messages in e-mail folders. We also estimated an annual growth rate of 50-100%. We were unable to estimate the frequency with which encryption is encountered in Title III communication intercepts as such data has not been collected.

Most of the investigators we talked to said that they had not yet detected substantial use of encryption by large organized crime groups. This can be attributed to several factors, including the difficulty and overhead of using encryption (particularly the personnel time involved) and a general sense that their environments are already reasonably isolated and protected from law enforcement. However, some groups are reported to be using it; for example, the Cali cartel is encrypting phone conversations and Dutch organized crime is encrypting stored data.

Efforts to decrypt data for law enforcement agencies or corporations in need of recovering from lost keys have been largely successful because of weaknesses in the systems as a whole.
Eric Thompson of AccessData Corporation reported an 80-85% recovery rate with large-scale commercial commodity software applications. He also noted that 90% of systems were broken somewhere other than at the encryption engine level, for example, in the way the data is pre-processed. That success rate is likely to drop, however, as vendors integrate stronger encryption into their products and get smarter about security. It is not possible to break well-designed cryptosystems that use key lengths much greater than 56 bits. It is not just a matter of paying enough money or getting enough people on the Internet to help out. The resources simply do not exist -- anywhere.

The impact of encryption on law enforcement will be strongly affected by whatever encryption is integrated into popular desktop software and network servers, particularly that which is pre-installed at the time of purchase. Future systems will offer strong file encryption and end-to-end message security for electronic mail, web transactions, telephony, and other network traffic. It will be easy to use and globally interoperable at unbreakable key lengths. Many criminals will simply use this encryption rather than going to the trouble of installing add-on products which require greater effort to use or have limited interoperability. Even if they use add-ons within their own circles, they may use the integrated encryption when communicating with others. What companies put into their major product lines, therefore, will make a difference.

In most cases involving pedophiles and computer hackers, the subjects were technically sophisticated enough to install and use Pretty Good Privacy, which uses 128-bit keys. PGP can be downloaded for free from Internet sites all over the world. The most recent version, PGP 5.0, was recently installed on a server in Norway after dozens of volunteers scanned in the source code from a printed version, which is not subject to export controls.
The Italian mafia is said to have downloaded PGP rather than hiring outside help. Dutch organized crime, on the other hand, hired hackers to help them with encryption; the hackers themselves use PGP.

As the population becomes better educated about technology and encryption, more and more criminals will have the knowledge and skills needed to evade law enforcement, particularly given the ease with which unbreakable, user-friendly software encryption can be distributed and obtained on the Internet. This adds to the difficulty of addressing the problem.

Although the focus of our study was encryption, we received numerous reports of other technologies that have interfered with investigations, including anonymous remailers, remote storage, hacker toolkits that disable auditing, cloned cell phones, and cell phone cards. Some law enforcement agencies have had tremendous problems just getting access to the communications independent of whether they are encrypted. Communications are obscured by file formats and digital compression. Secret messages can be hidden in image and sound files with user-friendly steganography software. All of these technologies also add to the difficulty of addressing the encryption problems.

We recommend ongoing collection of data on the use of encryption in criminal and national security cases, including Title III and FISA wiretaps and computer forensics cases. We need to know the extent to which it is encountered. Counting cases, however, is not enough. We need to know the impact on the cases. What type of encryption was used and in what application environment? Was the encryption broken? If so, how? If not, was the investigation successful anyway? What was the cost to law enforcement in terms of dollars and time?

Encryption policy must seriously recognize the need to protect the economic competitiveness of industry by promoting the export and use of encryption by U.S. businesses.
As FBI Director Freeh has testified on numerous occasions, foreign governments have been using their powerful intelligence services and tools to spy on U.S. companies doing business internationally. Businesses must have ready access to strong encryption to protect their intellectual property.

In conclusion, encryption is a critical international issue with severe impact and benefits to business and order. Encryption policy demands our thoughtful and immediate attention, a partnership between business and government, and collaboration with our international colleagues so that both domestic and international communications and stored information can be protected.