For other versions of this document, see http://wikileaks.org/wiki/CRS-98-905 ------------------------------------------------------------------------------ 98-905 F November 4, 1998 CRS Report for Congress Received through the CRS Web The Encryption Debate: Intelligence Aspects Keith G. Tidball and Richard A. Best, Jr. Specialist in National Defense Foreign Affairs and National Defense Division Summary The 106th Congress is expected to resume an ongoing debate on restricting the export of sophisticated computer encryption systems. In the 105th Congress strong support for removing encryption export restrictions and allowing U.S. software firms to compete in the world marketplace was balanced by concern that widespread availability of such systems could undercut important law enforcement and intelligence interests. No encryption legislation passed in the 105th Congress. The Clinton Administration relaxed some restrictions on encryption sales based on existing export legislation, but opposes the complete lifting of restrictions out of concern that use of highly sophisticated encryption might hinder law enforcement and intelligence collection efforts. The views of law enforcement agencies have been forcefully set forth by FBI Director Louis Freeh, but less has been said about the implications for the collection of foreign intelligence especially by the National Security Agency (NSA) which is responsible for acquiring information from foreign communications. Although such concerns are necessarily shrouded in secrecy, they are likely to have an important influence in the ongoing congressional debate. This report will not be updated. Background Encryption and decryption are methods of using cryptography, the science of writing and reading messages in code, to safeguard the confidentiality of data and communications. A message that is encrypted is electronically scrambled--translated by a computer according to an equation or algorithm into unreadable text that can only be understood by someone who possesses the key to unscramble it, or decrypt, it. Simple encryption systems can be "broken" by brute force--using computers to try every possible combination. Messages encrypted by the stronger systems now becoming available can be broken only after many years of computer time or if there is access to the key. To better protect their information, businesses and consumers want the stronger computer encryption products that have become available in recent years. Encryption software producers also want the opportunity to sell stronger encryption products competitively in international markets. At present no restrictions govern the sale or use Congressional Research Service ~ The Library of Congress CRS-2 of any encryption product in the United States, but, pursuant to statutes that govern exports in general, successive Administrations have placed limits on the sales of strong encryption products abroad. Recognizing that some sophisticated encryption products are available from foreign firms or are downloadable from the Internet, the Clinton Administration has sought to accommodate--at least to some extent--the demands of the software industry that export restrictions be lifted or at least modified. Executive Order 13026 of November 15, 1996, permits exports of strong encryption systems if producers create and maintain key recovery agents (essentially spare keys) that can be made available to duly authorized government entities. In September 1998 the Administration announced an intention to permit the sales of strong encryption products (after a one-time review) to financial institutions, insurance companies, and to the health and medical 1 sector in some 45 nations. Many in Congress advocate legislation that would remove export regulations (with narrow exceptions) and allow U.S. firms to take advantage of worldwide demands for encryption products. At the same time, law enforcement officials are concerned that stronger encryption may serve to protect the communications of those engaged in illegal activity. Federal, state, and local authorities conduct approximately 1,200 court-ordered criminal wiretaps each year,2 but law enforcement specialists are faced with growing difficulties in gathering information protected by sophisticated encryption. Investigators have discovered encrypted communications in a minimum of 500, and possibly up to 1000, criminal cases over the past few years, and the number of criminal cases is growing at an estimated annual rate of 50-100 percent.3 According to Louis Freeh, Director of the Federal Bureau of Investigation (FBI), "Law enforcement remains in unanimous agreement that the widespread use of robust non-recoverable encryption will ultimately devastate our ability to fight crime and terrorism. Uncrackable encryption allows, and will continue to allow with increasing regularity, drug lords, terrorists, and even violent gangs to communicate about their criminal intentions with impunity and to maintain electronically stored evidence of the crimes impervious to lawful search and seizure."4 1 For further information and analysis of encryption technology, discussion of the debate between the Administration and industry representatives, and the status of legislation, see CRS Issue Brief IB96039, Encryption Technology: Congressional Issues. 2 Roberto Suro and Elizabeth Corcoran. "U.S. Law Enforcement Wants Keys to High-Tech Cover," Washington Post, March 30, 1998, p. A4. 3 Dorothy E. Denning and William E. Baugh, Jr., Encryption and Evolving Technologies: Tools of Organized Crime and Terrorism, U.S. Working Group on Organized Crime, (Washington: National Strategy Information Center, 1997), p. 13. 4 Prepared testimony for hearing before the House Appropriations Subcommittee for the Departments of Commerce, Justice, and State, the Judiciary, and related Agencies, March 5, 1998. For an extensive discussion of the relationship of law enforcement and encryption issues, see Charles Doyle, Encryption, Key Recovery & Law Enforcement: Selected Legal Issues and Legislative Proposals, CRS Report 97-845 A, September 12, 1997. In testimony on September 3, 1997 before the Subcommittee on Technology, Terrorism, and Government Information of the Senate Judiciary Committee, Director Freeh advocated that even encryption systems sold within the United States be required to include key recovery provisions. In effect, Freeh has urged tighter restrictions on the encryption industry even as industry leaders were pressing for relaxation of current regulations. Freeh's views have not, however, been adopted by the Clinton Administration. CRS-3 Free speech advocates and civil libertarians support the removal of export controls and strongly oppose facilitating government access to private communications. Any key recovery process, they note, is only so reliable as the custodians of the keys. Further, they argue that on balance strong encryption serves law enforcement by deterring or preventing such abuses as credit card theft and hostile efforts to tamper with databases. It is also pointed out that in some foreign countries human-rights advocates must shield their communications from hostile governments which might be able to obtain key recovery documentation if it exists. The Role of the National Security Agency More widespread use of sophisticated encryption systems outside the United States would also have significant implications for national defense and intelligence policymaking and operations. In general, law enforcement agencies gather and analyze information to support efforts to prosecute illegal activities; foreign intelligence agencies gather and analyze information to support national security policymaking, diplomacy, and military operations. Extensive overlap exists between the efforts of law enforcement and foreign intelligence agencies, especially in such areas as narcotics trafficking and terrorism. A considerable body of legislation, however, separates the roles, missions, and authorities of intelligence agencies from those of the FBI and other law enforcement agencies. Ongoing efforts of the U.S. Government to acquire foreign intelligence through signals intelligence (sigint) are necessarily kept secret.5 There is an extensive historical literature about U.S. sigint efforts during the World War II era, based in part on documents available in the National Archives;6 the massive Cold War sigint effort has been discussed in various journalistic accounts, but is not widely appreciated by the public.7 In post-Cold War years officials have been somewhat more forthcoming about the U.S. sigint effort. Responsible for sigint, as well as the protection of official U.S. communications, is the National Security Agency (NSA), headquartered at Fort Meade, Maryland. Reportedly Maryland's largest employer,8 NSA was created by presidential memorandum on November 1, 1952 consolidating separate sigint elements of the military services. The Director, NSA, at present Army Lieutenant General Kenneth A. Minihan, traditionally has been a military officer of flag rank with a civilian deputy. NSA is part of the Defense Department but has a recognized independent status as a collector of 5 See 18 USC 798. 6 During World War II U.S. cryptanalysts had great success in breaking Japanese diplomatic and naval codes. In discovering plans to attack Midway Island, they contributed to a crucial defeat of the Japanese fleet. Many observers believe that U.S. sigint efforts directly contributed to the shortening of the war by at least a year. 7 See James Bamford, The Puzzle Palace: A Report on NSA, America's Most Secret Agency (Boston: Houghton Mifflin, 1982) and the series of articles by Scott Shane and Tom Bowman, "No Such Agency," Baltimore Sun, December 3-15, 1995. 8 Shane and Bowman, December 3, 1995. CRS-4 intelligence relating to both military and non-military topics for the entire federal government. Along with imagery and reporting by human agents, sigint is a major source of intelligence and is the most expensive of the intelligence disciplines. The Senate Intelligence Committee has noted, "By collecting and analyzing signals intelligence, U.S. intelligence agencies seek to understand the policies, intentions, and plans of foreign state and nonstate actors. Signals intelligence plays an important role in the formation of American foreign and defense policy. It is also a significant factor in U.S. efforts to protect its citizens and soldiers against terrorism, the proliferation of weapons of mass destruction, narcotics trafficking, international crime and other threats to our nation's security."9 NSA officials have been involved in the preparation of the Administration's initiatives on encryption providing technical advice and serving as public spokesmen. In testimony prepared for the House National Security Committee in July 1997, NSA's Deputy Director, William P. Crowell, argued that the Administration's goal was to create an international framework in which the use of strong encryption will grow. Specifically, he advocated a requirement for key recovery capabilities (i.e. keys to encryption systems would be held by third parties). Such keys would logically be desired by any company concerned about emergency or back-up access to its data. They would, according to the Administration's position, be available to law enforcement agencies with proper authorization and, potentially, to intelligence agencies. Crowell acknowledged the widespread availability of encryption systems from foreign companies or downloadable from the Internet, but argued that legitimate consumers will seek out the infrastructure support that U.S. firms can best provide; few companies would trust an encryption system downloaded from the Internet. Although FBI Director Freeh has had a higher public profile, NSA officials have made clear to Congress their serious concern about loosening export restrictions on sophisticated encryption systems. Crowell testified to the House National Security Committee that the immediate decontrol of strong encryption products "would make our signals intelligence mission much more difficult and ultimately result in the loss of intelligence.... This would greatly complicate our exploitation of foreign targets, including military targets."10 NSA officials are undoubtedly concerned that widespread use of strong encryption will frustrate their ability to provide sigint regarding foreign entities, including terrorist groups operating internationally. NSA officials anticipate that American encryption software backed by an extensive infrastructure, when marketed, is likely to become a standard for international commercial communications. If arrangements for legal access 9 U.S. Congress, Senate, 105th Congress, 2nd session, Select Committee on Intelligence, Authorizing Appropriations for Fiscal Year 1999 for the Intelligence Activities of the United States Government and the Central Intelligence Agency Retirement and Disability System and for Other Purposes, S. Rept. 105-185, May 7, 1998, p. 15. 10 Quoted in U.S. Congress, House of Representatives, 105th Congress, 1st session, Committee on National Security, Security and Freedom Through Encryption (SAFE) Act of 1997, House Rept. 105-108, Part 3, September 12, 1997, p. 5. CRS-5 to such communications are not made, vast quantities of information of vital importance to the national security will be unavailable. This is likely even though some foreign entities will make use of non-U.S. encryption systems. NSA officials indicate a desire to see U.S. software manufacturers remain competitive in international markets and believe that U.S. systems will remain the standard even with key recovery in place. It is often noted that ordinary telephones continue to be used for sensitive communications because they are convenient and reliable even though more secure systems exist. Legislative Proposals Although the strength of encryption products sold and used in the U.S. is not regulated, pursuant to the International Emergency Economic Powers Act and other legislation11 strict limits are imposed on the types of encryption that can be exported. Legislative proposals have been introduced that would preempt export current regulations for encryption systems and allow the U.S. software industry to market their products worldwide. H.R. 695, introduced by Representative Goodlatte on February 12, 1997 became the focus of interest in the House. It would prohibit requirements that exported encryption systems include capabilities to permit recovery by third parties as well as eliminate export controls on "generally available" commercial encryption except for military end-uses or to identified individuals or organizations in specific foreign countries. H.R. 695, with over 245 co-sponsors, was strongly backed by the software industry. It was approved by the Judiciary, International Relations, and Commerce Committees with only minor amendments and had support by some in the House leadership. It nonetheless elicited strong opposition not only from law enforcement officials, but also from defense and intelligence agencies. Subsequent to briefings by NSA and other agencies, the National Security and Intelligence Committees amended H.R. 695 in September 1997 to impose by statute restrictions on encryption exports that the original bill was designed to eliminate. The National Security Committee concluded that "[u]nrestricted export of capabilities that make it more difficult for the United States to comprehend the plans and activities of hostile military forces could significantly degrade the technological advantage presently held by U.S. combat forces."12 The Committee proposed an amendment to the legislation that would give the President statutory authority to determine the maximum level of encryption products that could be exported without a license, with exceptions to be made with the concurrence of the Secretary of Defense. Arguing that the original version of H.R. 695 "left our intelligence and intelligence- related capabilities at considerable risk,"13 the Intelligence Committee went further and 11 The background of this legislation is discussed in Glennon J. Harrison et al., Export Administration Legislation, CRS Report 96-492E, August 27, 1996. See also Jeanne J. Grimmett, Encryption Export Controls, CRS Report 97-837 A, September 12, 1997. 12 H. Rept. 105-108, Part 3, p. 3. 13 U.S. Congress, House of Representatives, 105th Congress, 1st session, Permanent Select Committee on Intelligence, Security and Freedom Through Encryption ("SAFE") Act of 1997, House Rept. 105-108, Part 4, September 16, 1997, p. 14. Some Members also noted that a policy built on different regulations for domestic and foreign sales complicates the possibility of CRS-6 inserted a new section (2803) making it unlawful to sell in interstate or foreign commerce any encryption product that does not provide duly authorized persons an immediate decryption capability. The Intelligence Committee stated that "it is important to the country's security interests" that the "the intelligence community [be able] to continue to support our policy makers, deployed forces, and U.S. interests at home and overseas."14 In the Senate, S. 909, introduced by Senators McCain, Kerrey, and Hollings essentially codified existing domestic use and export policies. It was strongly opposed by the software industry and was not scheduled for floor consideration. S. 2067, introduced by Senator Ashcroft on May 12, 1998, would remove encryption export restrictions and establish a National Electronic Technologies Center to provide information about sophisticated technological developments to concerned government agencies. Another bill, H.R. 1903 that would encourage various efforts to enhance the security of communications without addressing the export of encryption systems was passed by the House on September 16, 1997, but the Senate did not take action on it. Senate Majority Leader Trent Lott strongly advocated modernizing export controls of encryption, 15 and in June 1998 House Speaker Newt Gingrich indicated that he would personally chair a task force to design a plan to ease encryption restrictions.16 The 105th Congress adjourned, however, without floor action on encryption bills. Although the Clinton Administration has placed emphasis on establishing a dialogue between affected agencies and the encryption industry, and has further liberalized export regulations in September 1998, no agreement is expected to be achieved in the near future. As one industry spokesman noted: "Both sides, on the outer edges of the debate, have enough votes to cancel each other out--in Congress and even in the Administration."17 Conclusion The Government's need for signals intelligence is a significant factor in the encryption debate, but it is one that cannot, for security reasons, be fully analyzed in public discourse. NSA officials have repeatedly stressed the dangers of widespread use of strong encryption systems by foreign entities. They have argued, in particular, that H.R. 695 "would directly threaten national security." Although some both in the executive branch and Congress are inclined to support the position of the software industry, it appears that any consensus will, to some extent, accommodate NSA's concerns. effective international cooperation on encryption policies. Additional Views of Representatives Dicks, Skelton, and Bishop, ibid., p. 44. 14 Ibid., p. 26. 15 Congressional Record, October 21, 1997, pp. S10879-10881. 16 Lisa M. Bowman, "Gingrich Talks Tech in the Valley," Ziff Davis Net News, June 30, 1998. 17 Aaron W. Cross of IBM, quoted in Congressional Quarterly, June 13, 1998, p. 1591. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-98-905