Prepared text of speech by Rep. Bob Goodlatte (R-VA).
Re: Information security, privacy, encryption, and export controls.
Date: August 6, 2001.
Source: Office of Rep. Goodlatte.

Thank you for inviting me to join you this morning to kick off your e-security conference. I am pleased to be here to discuss the current cyber-issues facing Congress. Continued growth in the information technology industry is the key to maintaining and strengthening the competitiveness of the American economy in the 21st century.

Like other pivotal moments in human history, the Information Technology Revolution is transforming the tools and ideas that affect the way individuals communicate and think both privately and commercially. The American experience alone is replete with illustrations of new technologies generating faster economic growth: from the expansion of the railway system to the harnessing of electricity to the development of the jet engine.

As the information technology industry continues its phenomenal growth, the Federal Government needs to ensure that it plays an enabling  and not an inhibiting role in supporting the movement of industry and people into the Information Age.

It is critical that policy makers recognize that the information technology industry has become a thriving force in our economy because of the simple fact that it has largely been left alone to develop and grow according to the demands of free market processes.

Increasing use of the Internet depends on developing and retaining consumer confidence in this unique medium.  The Federal Government can play a vital role in educating Americans on the value, reliability, and security of technology, particularly the Internet. Privacy and security issues are among the major obstacles hindering the installation of Internet access in every American home.

PRIVACY

I was asked to address you this morning to discuss "the Government and Cyber-Security: Balancing Regulation and Freedom." Perhaps no issue presents as difficult a balance between regulation and freedom as privacy.

The issue of privacy and security of personal information on the Internet is growing more important every day. As consumers continue to look to the Internet more and more for commercial, financial, and business activities, the need for adequate privacy protections also continues to increase.

Last year, I coordinated a retreat for Republican Members, to hear from experts in industry, academia, and various think tanks on this increasingly important issue. I can say with confidence that it was a great success, and I think Members learned a great deal about the issue. We discussed what the main privacy concerns of our constituents are, including the collection of personal information on the Internet, the disclosure of personal financial information by financial institutions, and identity theft and other criminal uses of personal information such as fraud.

We also learned about the complexities of how information is used by commercial entities, and that any privacy legislation needs to permit the beneficial uses of information as well as address consumer concerns. Finally, we learned that we need to use a combination of tools to address privacy: 1) targeted legislation that specifically identifies the harm we're trying to regulate; 2) education to ensure consumers know what their rights are and how to exercise those rights; 3) technological tools on the Internet to allow consumers to control their information better; and 4) policies that encourage and reward businesses for self regulation and protecting consumer privacy. We also have to be careful not to increase identity theft and fraud by making information unavailable to businesses and law enforcement to detect and stop crime.

About 95 percent of the time, self-regulation has shown itself to be quite successful. Many businesses have formed alliances for the purpose of creating and administering self­regulatory programs. Industry has also developed tools such as "seals of approval" to encourage website operators to educate consumers about the privacy policies for that site.

Congress must approach the issue of comprehensive online privacy legislation in a careful and deliberative manner. As we look at whether and how to legislate in this area, we must work with industry and the Administration to ensure that Members are educated on the current state of privacy protections and the efforts by Industry to address the privacy demands of online consumers.

To its credit, Congress is moving cautiously in considering privacy legislation. The House Commerce Committee has held a comprehensive series of online privacy hearings throughout the year. I expect that some legislation will soon result from those hearings.

It is more likely that with the shift of power in the Senate, we will see significant privacy legislation introduced and considered in the Senate. Senator Hollings, Chairman of the Senate Commerce Committee, has made no secret of the fact that he is currently putting together a comprehensive privacy bill. I fear that Chairman Hollings' proposal will not achieve the appropriate balance between regulation and freedom that we are discussing today, but I will reserve judgment until I have seen specific legislation.

I believe that the solution can be found in private initiative and through targeted federal action, by striking a balance between ensuring adequate consumer protections and encouraging the development of electronic commerce.

ENCRYPTION

I also want to take some time this morning, as the author of the Security And Freedom through Encryption (SAFE) Act, to give you an update of recent encryption policy developments.

Without strong encryption in place to protect our national infrastructure, computer hackers and criminals can break into the Defense Department's computers or shut down the U.S. electric power grid with considerable ease. Strong encryption ensures that both our civilian and military infrastructures are protected. Strong encryption is critical to preventing crime and protecting privacy in the digital age. As the blue-ribbon National Research Council noted in its landmark report on encryption policy:

If cryptography can protect the trade secrets and proprietary information of businesses and thereby reduce economic espionage (which it can), it also supports in a most important manner the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States.

Strong encryption helps fight terrorism. Without strong encryption, our nuclear power plants, air traffic control networks, financial markets, and national security infrastructures are completely vulnerable against those who seek to do America harm. Only by allowing the use of strong encryption can we hope to make digital communications, on-line transactions, and America's national infrastructures safe and secure.

Current levels of security on the Internet and in "cyberspace" are terribly inadequate. Every day billions of dollars are traded through electronic transactions. Our Social Security information, tax records, driving records and other confidential documents are sent by way of electronic messaging all over the globe. Before consumers can perform on-line banking, before the true potential of the information superhighway can be reached, everyone must be sure that their transactions and electronic mail will not be accessed or stolen by criminal hackers and computer thieves.

The most effective way to ensure that communications are secure is through the use of encryption. Simply defined, encryption is the use of software or hardware to scramble messages into unreadable code so they can only be understood by people authorized to read (or hear) them. The widespread use of strong encryption will allow people to keep their cellular and computer communications free from unwanted intruders.

As you may know, the Administration announced in September, 1999 that it would make fundamental changes in its encryption policy, moving largely in the direction of the SAFE Act. Specifically, the Administration announced that it would allow retail U.S. encryption products to be exported without significant restrictions to non-government entities, after a one-time review of those products. The Administration further announced that licenses would still be required for exports to terrorist states or to foreign governments, and that regulations implementing this new policy would be issued by December 15, 1999.

The September announcement was long on promise but short on detail, so Congress continued to closely monitor the development of the new encryption regulations. During the succeeding months, draft regulations were circulated. Each of these drafts caused great concern among the high-tech industry, privacy organizations, and Congress, as they were far more restrictive than the new policy announced in September.

Just prior to the December 15 deadline, the Administration announced that it would need another month in order to issue the regulations. Unlike the earlier process, however, draft regulations circulated in late December and early January were a much closer reflection of the September policy announcement. After years of overly restrictive encryption policies that refused to recognize the realities of the global marketplace, the Administration finally issued new regulations on January 14, 2000 to allow U.S. companies to compete worldwide. The new encryption regulations were well received by industry, privacy groups, and Congress.

The new regulations are a significant relaxation of export controls on U.S. encryption products. They allow retail U.S. encryption products to be exported without significant restrictions to non-government entities, after a one-time, 30-day review of those products. For exports to terrorist states or foreign governments, licenses are still required.

These regulations are a significant improvement from earlier drafts. The definition of retail products now seems to include Internet sales and most mass-market products. The definition of government entities now seems to be limited to government agencies and entities performing government functions (like building networks for government agencies). These are positive changes.

Again, one of the important issues to watch will be the manner in which these regulations are implemented.  Companies large and small will have to interpret the regulations in the application process. If the regulations mean what they say, then companies will be able to export their products quickly and easily.  If they are interpreted in a different manner, and U.S. companies continue to be restricted from fully competing in the global marketplace, then Congress will have to become involved.

Following the announcement that European Union companies can export encryption products of any strength without a license within the EU and to Australia, Canada, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, Switzerland, and the U.S., the Administration recently announced a further relaxation of U.S. encryption policy by allowing U.S. encryption products to be exported to the aforementioned countries without having to undergo the 30-day review.

There can be no doubt that the Administration's new encryption policy was a direct result of the 258 bipartisan cosponsors of the SAFE Act, and the commitment of the Republican and Democratic leadership to move this bill through the House. I would have preferred to establish U.S. encryption policy legislatively instead of through the regulatory process. Doing so would have made it more difficult to change that policy in the future.  However, the initial regulations and recent further relaxation of those regulations are a positive step and so far, seem to be meeting the goal of allowing U.S. companies to fully compete in the global marketplace.

Congress is continuing to monitor the implementation of the new encryption regulations, to make sure that they are allowing U.S. companies to fully compete in the global marketplace by freely exporting strong encryption products.  Congress remains ready to act legislatively if the regulatory process breaks down, but so far, that process seems to be working effectively.

The regulations are a positive step forward towards a common sense encryption policy.

I applaud the Administration for listening to Congress, industry and privacy organizations, and the American people in coming up with a plan that acknowledges the realities of the global marketplace in adopting a common sense encryption export policy that will prevent economic crime, promote our national security, and allow U.S. companies to fully compete in the global marketplace.

EXPORT CONTROLS

A related issue of importance to e-security is the future of computer exports. Overly restrictive export controls limit the ability of U.S. computer companies to compete in the global marketplace. With the development of new technologies, current restrictions that were written to limit the export of supercomputers are limiting the export of personal computers. Restricting the export of American-made personal computers ensures that foreign computer companies will dominate this market.

As you know, the export of dual-use commodities, items that have both civilian and military applications, is regulated by the Export Administration Act (EAA) of 1979. The Act provides the statutory basis for the U.S. export control system, authorizing the President to control exports for national security and foreign policy considerations, to negotiate multilateral control arrangements, and to issue regulations to prevent U.S. companies from adhering to foreign boycotts. The EAA, set to expire August 20, was recently extended for three months through November 20 of this year.  This stop-gap authorization should give both the House and Senate sufficient time to consider various export reform legislation including the "Export Administration Act of 2001" (S. 149), a comprehensive rewrite of the EAA, introduced by Senators Enzi and Gramm.

The difficulty in passing a comprehensive rewrite of the EAA has resulted, in part, from the continuing tension between national security and commercial concerns. Export control legislation gives rise to difficult questions that are integral to the working and efficacy of the export control system.

The first question is the extent to which technology can be controlled. The flow of technology cannot be effectively controlled, and U.S. dominance of cutting-edge technology can no longer be assumed. Unilateral controls will not stop other countries from obtaining advanced technology because they will simply obtain the technology from other nations.

Unilateral export controls are also becoming increasingly unworkable as the economy undergoes globalization. The current export control system is predicated on goods being manufactured or assembled in one country. In many industries, however, component parts are manufactured worldwide and are considered commodities. If these parts are not available from one source on a timely basis, they can be obtained elsewhere. Purchasing managers at Daimler Chrysler Aerospace, for example, reportedly have been instructed to reduce dependence on American components for defense and space technology products because of delays associated with American licensing procedures.

Both the EAA and S. 149 attempt to balance the sensitivity of an item to U.S. national security interests with the ability to obtain these items from other sources. The EAA defines an item as having foreign availability if that item or a substantially identical article can be purchased outside the United States by a controlled country in sufficient quantity or quality such that it would render controls on the item ineffective. S. 149 incorporates those criteria and adds price competitiveness as an additional standard to determine foreign availability. In addition to foreign availability, S. 149 provides that items may be decontrolled for mass market characteristics. The legislation defines an item as having mass market characteristics if the good is sold in extensive volume to multiple buyers, if it has a wide distribution network, if it can be shipped by normal means, or if it can be utilized for its intended purpose with little alteration.

In addition, due to rapid technological innovation, the level of computing power (measured in millions of technical operations per second or MTOPS) that requires licensing under the commodity control list repeatedly has been increased. Computers with microprocessors such as the Apple G4 or the Intel Pentium III, widely available for household use today, almost reached these limits before MTOPS thresholds were increased in 1999. This raises the valid concern that the regulatory framework of using MTOPS limits to determine computer power could impede the ability of the industry to export commodity level computers. S. 149 contains a provision to repeal sections of the 1998 National Defense Authorization Act that established MTOPS performance levels above which no computers could be sold to certain high risk countries without a license.

Under the current authority, the President can raise theoretical performance levels to account for advances in technology, but only 180 days after he has submitted a report to Congress justifying the new levels.  In 2000, the review period for MTOPS adjustment was reduced from 6 months to 60 days. Recent studies conducted by the General Accounting Office, and the Center for Strategic and International Studies have concluded that the MTOPS standard is ineffective, but these studies came to no consensus on a control metric to replace it.

Another question is whether the current bifurcated export control system is the optimal administrative arrangement in the post Cold War world. Under the current system, the Department of Commerce receives applications for licenses of dual-use goods. The Department then refers license applications to other agencies, as it considers appropriate, for review within a specified time period, but these agencies cannot veto a license application. A disputed application continues through an appeals process. This complex application and review process creates delays and inefficiency that hinder competition.

An export reform bill is likely to pass before the November deadline. S. 149 is scheduled to be on the floor of the Senate on September 4, the first order of business for the Senate after returning from the August district work period, and a House bill, H.R. 2581, introduced by Representative Gilman, was reported out of the International Relations Committee on August 1.

Any rewrite of the EAA should include the following key ingredients: (1) streamlined procedures that will lead to faster licensing decisions, shortening the review time before technology products can be exported, and (2) regarding high performance computers, moving away from MTOPS to a system that looks at the technology as a whole and is flexible with increases in technology.

Undersecretary of Commerce for Export Administration Kenneth Juster recently made comments about ensuring that our export control policy does not impede national security. While this sounds good on the surface, if it ends up meaning that technology companies must jump through countless hoops before exporting their products and significantly slows down the export process, Congress may have to get involved.

CONCLUSION

It is clear that if the potential of the Internet is to be fully realized, we must allow it to continue to flourish by ensuring that the qualities that made the Internet a revolutionary tool for both business and consumers - freedom from burdensome government regulations, high levels of competition based upon low cost barriers to entry, and open consumer access - remain fundamental components of the Internet for future generations.

I thank you again for inviting me to address you this morning and now I'll be glad to answer any questions you might have.