Statement by Rep. Bart Gordon (D-TN).
Re: introduction of HR 1572, Digital Signature Act of 1999.

Date: April 27, 1999.
Source: Congressional Record, April 27, 1999, page E775.


HON. BART GORDON
in the House of Representatives

TUESDAY, APRIL 27, 1999

Mr. GORDON. Mr. Speaker, today I am pleased to introduce the Digital Signature Act of 1999. The purpose of this legislation is to require the National Institute of Standards and Technology (NIST) to develop minimum technical standards and guidelines for Federal agencies to follow when deploying digital signature technologies. In addition, the legislation authorizes the Under Secretary of Commerce for Technology to establish a National Policy Panel for Digital Signatures to explore the factors associated with the development of a National Digital Signature Infrastructure based on uniform standards to enable the widespread utilization of digital signature systems in the private sector.

I want to make clear that this legislation is technology neutral. Rather it encourages federal agencies to use uniform criteria in deploying digital signature technology and to ensure that their systems are interoperable. It also encourages agencies to use commercial-off-the-shelf software (COTS) whenever possible to meet their needs.

By now, we are all aware of how the Internet is revolutionizing telecommunications and the business world. In less than ten years, the Internet has grown from a network linking a small, self-proscribed group of scientists to a telecommunication network linking millions of people around the world. The potential uses of the Internet seem unlimited. One of the most rapidly growing areas is electronic commerce. Statistics indicate electronic commerce was an $8 billion industry in 1998. Analysts now expect electronic commerce to explode into a $108 billion industry by 2003.

When the Internet was first developed, virtually all users were known to each other or they were easily identifiable. However, with the rapid growth of the Internet we have lost the ability to actually 'know' who we are communicating with is who they say they are. In order to exchange sensitive documents or to do business transactions with confidence it is important that an electronic authentication system is developed through which both the sender and recipient can be uniquely identified. One type of electronic authentication which is both secure and provides unique identification of the sender and recipient of messages is asymmetric cryptography, commonly referred to as a digital signature.

I am not alone in my belief that digital signatures are a key element in the continuing growth of electronic commerce. The European Commission recently drafted a directive on a common framework for a comprehensive digital signature infrastructure. In addition, the Canadian government is already utilizing digital signatures for its transactions. These actions are designed to promote the growth of electronic commerce, but they will also enhance the position of European and Canadian companies that are developing digital signature systems. This is an attempt to become the world leader in electronic commerce.

In the United States, we have a number of companies which offer digital signature services. The States are beginning to enact a patchwork of laws on digital signatures that could inhibit the widespread use of digital signatures. While I don't believe the government should dictate any one digital signature system, we should develop a level playing field which will encourage rather than hinder the development of a truly national infrastructure. It is my intent that the Digital Signature Act be a first step in this direction. This legislation has two simple goals: (1) develop uniform guidelines for Federal agencies to follow when they use digital signatures and encourage agencies to maximize the interoperability of their systems; and (2) establish a national policy panel for digital signatures to begin a dialog on the development of a national digital signature infrastructure.

My legislation requires the National Institute of Standards and Technology (NIST) to develop minimum technical standards and guidelines for use by Federal agencies when developing their digital signature infrastructure and to give due consideration to the interoperability of their system. Whenever possible, the legislation encourages agencies to use commercial-off-the-shelf products.

Agencies are currently developing and beginning to deploy digital signature technologies. However, there is little coordination between agencies to ensure that the standards they use are consistent and that the technologies that they deploy are interoperable. NIST is charged with developing, with input from industry, technical standards and guidelines which ensure that the agencies deploy digital signature infrastructures that are both secure and interoperable. If agencies develop a variety of incompatible systems, I believe the result will be to discourage the widespread use of this electronic authentication technique by making it more complicated rather than easier to conduct business with the Federal Government.

Agencies would be required to report back to Congress what they are doing to develop digital signature systems, and why, if applicable, they are not following NIST guidelines.

In addition, the bill requires NIST to develop minimum technical criteria for agencies' use for electronic certification and management systems, both 'in-house' systems or if they use a private entity. Once again, this is an attempt to level the playing field among Federal agencies to promote the private sector development of these goods and services.

To promote a uniform environment for certification authorities, the bill establishes a national panel, under the auspices of the Department of Commerce's Technology Administration, to develop model practices and procedures, uniformity among jurisdictions that license certification authorities, and uniform audit standards for certification authorities. This national panel, with broadly based representation from all stakeholders, will provide the coordination needed to put in place the national infrastructure that is a prerequisite for the widespread use of digital signatures.

In closing, I want to make clear that this legislation does not favor any digital signature system, but attempts to begin to create a minimum uniform framework for Federal agencies to make communicating with the Federal Government easier and more secure. I also want to make clear that this legislation is an outline or work in progress. The framework of the Internet is dynamic. It would be short-sighted to draft Internet related legislation that is static and unresponsive. I expect further refinements and will continue to work with industry groups, the States, the administration and other stakeholders as we move through the legislative process.