                                
  Statement Before the Subcommittee on Courts and Intellectual Property
        Committee on the Judiciary, U.S. House of Representatives
                                
                            Dorothy E. Denning
                                
            Georgetown University, Computer Science Department
                      Reiss 225, Washington DC 20057
                 202-687-5703, denning@cs.georgetown.edu
                  http://www.cs.georgetown.edu/~denning
                                
                              March 4, 1999


Thank you for the opportunity to testify on H.R.  850, the "Security and
Freedom Through Encryption (SAFE) Act."  There are three points that I
would like to make.

First, the sad state of security of our country's information
infrastructures will not be solved by this bill.  This is because the
security problems are not the result of using exportable encryption, but
rather of not using any encryption at all and of not employing other
essential safeguards.  Sensitive data, including passwords, is routinely
transmitted and stored in the clear.  Of the thousands of incidents
reported to the Computer Emergency Response Center, I am not aware of
any that can be attributed to faulty encryption caused by export
controls.

Security also requires much more than encryption.  Encryption will not
stop insiders from compromising proprietary information, siphoning money
from bank accounts, and planting destructive time bombs.  It will not
stop hackers from exploiting security holes in order to penetrate
systems, deface Web pages, and disrupt service.  It will not prevent
Trojan horses, disguised as appealing software programs, from entering
users' computers and stealing passwords and other secrets while they are
being typed.

In short, encryption is not a silver bullet.  It must be augmented with
other security measures, both technical and procedural.  These include
access controls, authentication, auditing, configuration management,
vulnerability testing and repair, intrusion and misuse detection,
malicious code detection, and security training and awareness.
Cryptographic technologies for authentication, including digital
signatures, are not restricted for export and are at least as important
as technologies for confidentiality protection.

My second point, which is related to the first, is that high levels of
security can be achieved within the context of current export control
policy.  I'm not just talking about domestic users and U.S.  owned
companies.  An international enterprise can protect its assets by
employing fully exportable encryption products that use 128-bit keys or
longer and say "Made in USA."

Let me outline one way that can be done.  I make two assumptions.
First, encryption must be considered within the context of a
comprehensive enterprise-wide information security program that
encompasses an organization's customers, suppliers, partners,
shareholders, consultants, and others who do business with the
organization.  Second, an organization must be able to protect and
retain control over its sensitive information, whether in storage or in
transit.  These two assumptions lead to an encryption approach that is
integrated with an enterprise access control policy.  The approach
ensures that authorized persons can get the keys needed to decrypt data
but that unauthorized persons cannot.  It allows for immediate
revocation of a user's decryption capabilities.  And it provides an
audit of every decryption so that policy violations can be detected.  It
does not require an organization to use third-party key management
services, though this would be an option.  I recently reviewed a product
that offers these protections and is approved for export.

My third and final point is that the current approach of gradually
easing export controls may be optimal.  If cryptography is
over-regulated, our economic competitiveness, technology leadership, and
civil liberties are at risk.  There can be little doubt that export
controls drive some business overseas.  Yet if these controls are lifted
entirely, law enforcement and national defense are at greater risk.
Even though export controls do not prevent domestic or foreign
adversaries from getting access to strong encryption, they have
influenced major product lines.  Many criminals and terrorists use these
products rather than going to the trouble of installing add-ons.

Today, Americans enjoy a strong and growing economy and a declining rate
in crime.  The Administration's encryption policy has imperiled neither
our economic competitiveness nor our ability to fight crime and provide
for national defense.  I am concerned that H.R.  850, either in its
current form or with amendments such as those introduced in the last
Congress to impose domestic regulations, could upset the delicate
balance among our national interests.

In summary, H.R.  850 is not the key to safe electronic commerce or to
protecting our critical infrastructures.  This is because export
controls are not the problem.  The bill would help American companies
compete in the global marketplace, but it would also remove industry
incentives to accommodate law enforcement and national defense
interests.

A few years ago, the National Research Council conducted an extensive
study of encryption policy at the request of Congress.  They made
several excellent recommendations, including the progressive relaxation,
but not elimination, of export controls.  Their proposed course of
action is generally consistent with the steps taken by the
Administration.  This cautious approach to export liberalization may be
the best one.