EPIC logo

 
                        106th Congress  1st Session                      
 
                         HOUSE OF REPRESENTATIVES                        
 
                              Rept.  106 117                             
 
                                  Part 4                                 
 
 
 
                      PROTECTION OF NATIONAL SECURITY                    
 
 
                           AND PUBLIC SAFETY ACT                         
 
 
 
                               R E P O R T                               
 
 
                                  OF THE                                 
 
 
                       COMMITTEE ON ARMED SERVICES                       
 
                         HOUSE OF REPRESENTATIVES                        
 
 
                                    ON                                   
 
 
                                 H.R. 850                                
 
 
                              together with                              
 
 
                    ADDITIONAL AND SUPPLEMENTAL VIEWS                    
 
 
       [Including cost estimate of the Congressional Budget Office]      
 
 
 
   July 23, 1999.--Committed to the Committee of the Whole House on the  
 State of the Union and ordered to be printed                            
 
                            C O N T E N T S                             
         Purpose and Background                                           4
         Legislative History                                              9
         Section-by-Section Analysis                                      9
            Section 1--Short Title                                        9
            Section 2--Exports of Encryption                              9
            Section 3--License Exception For Certain Encryption Products  9
            Section 4--One-time Product Review                            10
            Section 5--Eligibility Levels                                 10
            Section 6--Encryption Licenses Required                       10
            Section 7--Waiver Authority                                   10
            Section 8--Encryption Industry and Information Security Board 10
            Section 9--Market Share Survey                                10
            Section 10--Definitions                                       11
         Committee Position                                               11
         Fiscal Data                                                      11
            Congressional Budget Office Estimate                          11
            Congressional Budget Office Cost Estimate                     11
            Committee Cost Estimate                                       12
         Oversight Findings                                               12
         Constitutional Authority Statement                               13
         Statement of Federal Mandates                                    13
         Record Vote                                                      13
         Additional views of Congressman J.C. Watts, Jr.                  15
         Supplemental views of Congressman Patrick J. Kennedy             16
 
 
106 th Congress                                                         
 
Rept.  106 117                                                         
                                                                            
 
HOUSE OF REPRESENTATIVES                                                
 
                               1st Session                              
 
                                 Part 4                                 
 
                                                                      
 
                PROTECTION OF NATIONAL SECURITY AND PUBLIC SAFETY ACT          
 
 
 
                  July  23, 1999.--Ordered to be printed                 
                                                                      
 
     Mr. Spence, from the Committee on Armed Services, submitted the     
                               following                                 
                               R E P O R T                               
 
                              together with                              
 
                    ADDITIONAL AND SUPPLEMENTAL VIEWS                    
 
                         [To accompany H.R. 850]                         
 
       [Including cost estimate of the Congressional Budget Office]      
 
 
     The Committee on Armed Services, to whom was referred the bill (H.R. 
  850) to amend title 18, United States Code, to affirm the rights of     
  United States persons to use and sell encryption and to relax export    
  controls on encryption, having considered the same, report favorably    
  thereon with amendments and recommend that the bill as amended do pass. 
   The amendments are as follows:                                         
 
     Strike out all after the enacting clause and insert in lieu thereof  
  the following:                                                          
 
          SECTION 1. SHORT TITLE.                                                 
 
     This Act may be cited as the ``Protection of National Security and   
  Public Safety Act"
                                                    
          SEC. 2. EXPORTS OF ENCRYPTION.                                          
 
     (a) Authority to Control Exports.--The President shall control the   
  export of all dual-use encryption products.                             
     (b) Authority to Deny Export for National Security                   
  Reasons.--Notwithstanding any provision of this Act, the President may  
  deny the export of any encryption product on the basis that its export  
  is contrary to the national security interests of the United States.    
     (c) Decisions Not Subject to Judicial Review.--Any decision made by  
  the President or his designee with respect to the export of encryption  
  products under this Act shall not be subject to judicial review.
        
          SEC. 3. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.              
 
     Encryption products with encryption strength equal to or less than   
  the level identified in section 5 shall be eligible for export under a  
  license exception if-- 
                                                 
    (1) such encryption product is submitted for a 1-time technical review;
 
       (2) such encryption product does not require licensing under        
   otherwise applicable regulations;
                                       
       (3) such encryption product is not intended for a country, end user,
   or end use that is by regulation ineligible to receive such product, and
   the encryption product is otherwise qualified for export; and 
          
       (4) the exporter, at the time of submission of the product for      
   technical review, provides the names and addresses of its distribution  
   chain partners.
                                                         
          SEC. 4. ONE-TIME PRODUCT REVIEW.                                        
 
     The President shall specify the information that must be submitted   
  for the 1-time review referred to in section 3.
                         
          SEC. 5. ELIGIBILITY LEVELS.                                             
 
     (a) Initial Eligibility Level.--Not later than 180 days after the    
  date of the enactment of this Act, the President shall notify the       
  Congress of the maximum level of encryption strength that may be        
  exported from the United States under license exception pursuant to     
  section 3 without harm to the national security interests of the United 
  States. Such level shall not become effective until 30 days after such  
  notification. 
                                                          
     (b) Periodic Review of Eligibility Level.--The President shall, at   
  the end of each successive 180-day period after the notice provided to  
  the Congress under subsection (a), notify the Congress of the maximum   
  level of encryption strength, which may not be lower than that in effect
  under this section during that 180-day period, that may be exported from
  the United States under a license exception pursuant to section 3       
  without harm to the national security interests of the United States.   
  Such level shall not become effective until 30 days after such          
  notification.
                                                           
          SEC. 6. ENCRYPTION LICENSES REQUIRED.                                   
 
     (a) United States Products Exceeding Certain Bit Length.--An export  
  license is required for the export of any encryption product designed or
  manufactured within the United States with an encryption strength       
  exceeding the maximum level eligible for a license exception under      
  section 3. 
                                                             
     (b) Requirements for Export License Application.--To apply for an    
  export license, the applicant shall submit--
                            
    (1) the product for technical review;                                  
 
    (2) a certification identifying--                                      
 
    (A) the intended end use of the product; and                           
 
    (B) the expected end user of the product;                              
 
    (3) in instances where the export is to a distribution chain partner-- 
 
       (A) proof that the distribution chain partner has contractually     
   agreed to abide by all laws and regulations of the United States        
   concerning the export and reexport of encryption products designed or   
   manufactured within the United States; and
                              
    (B) the name and address of the distribution chain partner; and        
 
    (4) any other information required by the President.                   
 
   (c)  Post-Export Reporting.--                                          
 
       (1) Unauthorized use.--Any exporter of encryption products that are 
   designed or manufactured within the United States shall submit a report 
   to the Secretary at any time the exporter has reason to believe that any
   such product exported pursuant to this section is being diverted to a   
   use or user not approved at the time of export.
                         
       (2) Distribution chain partners.--All exporters of encryption       
   products that are designed and manufactured within the United States,   
   and all distribution chain partners of such exporters, shall submit to  
   the Secretary a report which shall specify--
                            
    (A) the particular product sold;                                       
 
    (B) the name and address of the end user of the product; and           
 
    (C) the intended use of the product sold.                              
 
          SEC. 7. WAIVER AUTHORITY.                                               
 
     (a) In General.--The President may by Executive order waive the      
  applicability of any provision of section 3 to a person or entity if the
  President determines that the waiver is necessary to protect the national 
  security interests of the United States. The President shall, not later than 
  15 days after making such determination, submit a report to the committees 
  referred to in subsection (c) that includes the factual basis upon which
  such determination was made. The report may be in classified format.
    
     (b) Waivers for Certain Classes of End Users.--The President may by  
  Executive order waive the licensing requirements of section 6 for       
  specific classes of end users identified as being eligible for receipt  
  of encryption commodities and software under license exception in       
  section 740.17 of title 15, Code of Federal Regulations, as in effect on
  July 17, 1999. The President shall, not later than 15 days after issuing
  such a waiver, submit a report to the committees referred to in         
  subsection (c) that includes the factual basis upon which such waiver   
  was made. The report may be in classified format.
                       
     (c) Committees.--The committees referred to in subsections (a) and   
  (b) are the Committee on International Relations, the Committee on Armed
  Services, and the Permanent Select Committee on Intelligence of the     
  House of Representatives, and the Committee on Foreign Relations, the   
  Committee on Armed Services, and the Select Committee on Intelligence of
  the Senate.
                                                             
          SEC. 8. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.             
 
     (a) Encryption Industry and Information Security Board               
  Established.--There is hereby established an Encryption Industry and    
  Information Security Board. The Board shall undertake an advisory role  
  for the President on the matter of foreign availability of encryption   
  products.
                                                               
     (b) Membership.--(1) The Board shall be composed of 12 members, as   
  follows: 
                                                               
    (A) The Secretary, or the Secretary's designee.                        
 
    (B) The Attorney General, or his or her designee.                      
 
    (C) The Secretary of Defense, or his or her designee.                  
 
    (D) The Director of Central Intelligence, or his or her designee.      
 
    (E) The Director of the Federal Bureau of Investigation, or his or  
   her designee.
                                                           
    (F) The Special Assistant to the President for National Security    
   Affairs, or his or her designee, who shall chair the Board.
             
    (G) Six representatives from the private sector who have expertise  
   in the development, operation, marketing, law, or public policy relating
   to information security or technology. Members under this subparagraph  
   shall each serve for 5-year terms.
                                      
      (2) The six private sector representatives described in paragraph    
   (1)(G) shall be appointed as follows:
                                   
    (A) Two by the Speaker of the House of Representatives.                
 
    (B) One by the Minority Leader of the House of Representatives.        
 
    (C) Two by the Majority Leader of the Senate.                          
 
    (D) One by the Minority Leader of the Senate.                          
 
      (c) Meetings.--The Board shall meet at such times and in such places 
   as the Secretary may prescribe, but not less frequently than every four 
   months. 
                                                                
     (d) Findings and Recommendations.--The chair of the Board shall      
  convey the findings and recommendations of the Board to the President   
  and to the Congress within 30 days after each meeting of the Board. The 
  recommendations of the Board are not binding upon the President.
        
     (e) Limitation.--The Board shall have no authority to review any     
  export determination made pursuant to this Act.
                         
     (f) Termination.--This section shall cease to be effective 10 years  
  after the date of the enactment of this Act.
                            
          SEC. 9. MARKET SHARE SURVEY.                                            
 
     The Secretary shall, at least once every 6 months, conduct a market  
  share survey of foreign markets for encryption products. The Secretary  
  shall publish the results of the survey in the Federal Register. The    
  publication shall include an assessment of the market share of each     
  foreign encryption product in each market surveyed and a description of 
  the general characteristics of each encryption product.
                 
          SEC. 10. DEFINITIONS.                                                   
 
   In this Act:                                                           
 
       (1) Encryption.--The term ``encryption'' means the transformation or
   scrambling of data, for the purpose of protecting such data, from       
   plaintext to an unreadable or incomprehensible format, regardless of the
   techniques used for such transformation or scrambling and regardless of 
   the medium in which such data occur or can be found.
                    
       (2) Export and exporter.--The term ``export'' includes reexport, the
   term ``exporter'' includes ``reexporter''.
                              
       (3) Secretary.--The term ``Secretary'' means the Secretary of       
   Commerce.                                                               
 
 
   Amend the title so as to read:                                          
 
 
  A bill to protect national security and public safety through the      
 balanced use of export controls on encryption products.                 
 
                          PURPOSE AND BACKGROUND                         
 
      H.R. 850 is similar to a bill (H.R. 695) with the same name and chief
   sponsor introduced in the 105th Congress. It would decontrol the export 
   of encryption software products, and computers that contain encryption  
   software, considered to be ``generally available.''
                     
      The committee recognizes that the impetus for the bill stems from the
   explosive growth of the Internet and the rise in electronic commerce in 
   recent years, which has led to increased concerns over information      
   security. A growing number of individuals and businesses now have access
   to the Internet and the capability to transmit volumes of personal and  
   proprietary data from one user to another nearly instantaneously. As    
   technology advances, the risk that the secure transmission of this      
   information may be compromised by computer ``hackers'' is increasing.   
   This risk has resulted in calls for greater encryption capabilities.
    
      Encryption is a means of scrambling or encoding electronic data so   
   that its contents are protected from unauthorized interception or       
   disclosure. Many software application programs already feature          
   encryption capabilities to afford users a degree of privacy and security
   when conducting electronic transactions. For example, Netscape          
   Communications Corporation's World Wide Web browser can transmit        
   information in a secure, encrypted mode that allows individuals to order
   products and services by credit card over the internet with a reasonable
   expectation that any personal information transmitted will be protected.
 
      The domestic use of encryption products is presently unrestricted,   
   since their use by law-abiding citizens and companies can increase      
   public confidence in the security of electronic transactions. However,  
   in the hands of terrorists or criminals, the capability to scramble     
   communications or encode information may hinder efforts to thwart       
   planned terrorist acts or apprehend international drug smugglers.       
   Therefore, the export of encryption capabilities is controlled for      
   important national security and foreign policy reasons. 
                
      In particular, the committee notes that the U.S. military has made   
   information warfare a key element of U.S. military strategy. It is a    
   tenet of this element of U.S. strategy that the United States must be   
   able to protect its own communications from interception while          
   exploiting the weaknesses in the information systems and communications 
   of potential adversaries. Much of the U.S. military's battlefield       
   advantage relies on information dominance and the ability to decipher   
   the communications of the enemy. Capabilities that make it more         
   difficult for the United States to detect the plans and activities of   
   hostile military forces could significantly degrade the technological   
   advantage presently held by U.S. combat forces.
                         
      The Institute for National Strategic Studies at the National Defense 
   University has identified seven areas of information warfare that could 
   play decisive roles in combat, including electronic warfare, cyber      
   warfare, command and control warfare, intelligence-based warfare, and   
   so-called ``hacker'' warfare. The Institute's 1996 Strategic Assessment 
   study noted the growing importance of information warfare and the       
   desirability for U.S. exploitation of a potential adversary's           
   vulnerabilities. The study declared that ``if the United States could   
   override an enemy's military computers, it might achieve an advantage   
   comparable to neutralizing the enemy's command apparatus.'' In addition,
   it noted the value of attacking an adversary's commercial computer      
   systems, i.e., banking, power, telecommunications, and safety systems.  
   The ability to ``wreak havoc'' on these systems, the study noted,       
   ``would be a powerful new instrument of power.'' However, as technology 
   advances, the proliferation of increasingly sophisticated and difficult 
   to decipher encryption capabilities overseas may make it more difficult 
   for the United States to maintain its military superiority and achieve  
   tactical battlefield advantages.
                                        
      The capabilities and security of encryption products generally depend
   on the length of the encryption algorithm or electronic ``key'' required
   to decrypt the data, as measured by the number of data ``bits'' in the  
   key. Generally speaking, the longer the key (or number of key bits) the 
   more secure the encryption program and the more difficult it is to      
   ``break the code.'' Until January 1997, U.S. policy allowed the         
   unrestricted export of encryption software with keys up to 40 bits in   
   length. As a result of growing concerns over the ability to protect the 
   integrity and contents of personal and proprietary data, and in response
   to industry demands to market more capable encryption software overseas,
   export controls on U.S.-origin encryption products were relaxed in 1996 
   and again in 1998. This has led to concerns that U.S. export control    
   policy is weighted more heavily toward privacy and economic concerns    
   rather than national security considerations.
                           
      Because of their national security implications, the United States   
   has traditionally considered encryption products to be sensitive        
   ``munitions'' items and their export has been controlled by the State   
   Department. However, in October 1996, the Clinton Administration decided
   to transfer jurisdiction over the export of commercial encryption       
   products from the State Department to the Commerce Department, which is 
   responsible for export controls on ``dual use'' items with military and 
   civilian application. In addition, the Administration agreed to allow   
   the export of encryption products with keys of up to 56 bits in length, 
   beginning in January 1997, provided that the exporting companies develop
   a ``key recovery'' plan over the next two years that would allow access 
   to the decryption keys by government law-enforcement agents or          
   intelligence officials, if necessary, in order to decode scrambled      
   information. The Administration's key recovery plan was criticized by   
   industry as unworkable and a disincentive for foreign customers to      
   purchase American encryption products. However, U.S. companies appeared 
   to be complying with the key recovery requirements necessary to obtain  
   U.S. government export approval, as the number of export licenses       
   granted for encryption software increased.
                              
      In announcing the liberalized export control policy, Vice President  
   Gore stated that it would ``support the growth of electronic commerce,  
   increase the security of the global information (sic.), and sustain the 
   economic competitiveness of U.S. encryption product manufacturers * *   
   *.'' However, an Administration talking points paper on the decision    
   noted that ``this export liberalization poses risks to public safety and
   national security. The Administration is willing to tolerate that risk, 
   for a limited period, in order to accelerate the development of a global
   key management infrastructure.'' In addition, in a letter to Congress in
   November 1996, President Clinton acknowledged that ``the export of      
   encryption products transferred to Department of Commerce control could 
   harm national security and foreign policy interests of the United  
   States even where comparable products are or appear to be available from
   foreign sources.''
                                                      
      The purported availability of comparable encryption products from    
   foreign sources remains a major argument used by industry to support    
   further liberalization of export controls. According to a               
   recently-released study conducted by George Washington University's     
   Cyberspace Policy Institute (CPI), more than 800 encryption products are
   now available overseas in 35 countries--a 22 percent increase in the    
   past year and a half. However, the national security community has      
   argued that many of these products do not perform as advertised or are  
   not effectively utilized. In addition, as the CPI study notes, only 20  
   percent of these products contain ``strong'' encryption. In testimony   
   before the committee on July 1, 1999, Deputy Secretary of Defense John  
   Hamre stated, ``The foreign availability argument is seductive, but     
   flawed.'' Strong encryption ``is not, in fact, ubiquitously available   
   overseas,'' he stated, adding that ``we see no advantage in accelerating
   the general availability of such products to those who would wish us    
   ill.'' Deputy Attorney General Jamie Gorelick testified in September    
   1996 that the availability of encryption software over the internet     
   ``does not undermine the utility of controls on exports of software or  
   hardware products. The simple fact is that the majority of businesses   
   and individuals with a serious need for strong encryption do not and    
   will not rely on encryption downloaded from the internet.'' Lifting U.S.
   export controls, she argued, would ``[damage] our own national security 
   interests'' and may not provide the expected benefits to industry if the
   removal of U.S. export controls leads to the introduction by other      
   countries of import restrictions.
                                       
      In spite of these national security concerns, controls over the      
   export of U.S.-origin encryption products continued to be liberalized.  
   In June 1997, Netscape Communications Corporation and Microsoft         
   Corporation received permission to export encryption products up to 128 
   bits in length for use exclusively for banking and financial            
   transactions. On September 16, 1998, the Administration announced a     
   further relaxation of export controls on encryption. As part of this    
   liberalization, the export of encryption products with key lengths up to
   56 bits was completely decontrolled. Moreover, strong encryption        
   products of any key length are now allowed to be exported, license-free,
   to several sectors of industry in 44 countries. These include           
   subsidiaries of U.S. firms; insurance companies; health and medical     
   organizations; and on-line merchants. The Administration also abandoned 
   its insistence on development of a mandatory key recovery               
   infrastructure. 
                                                        
      H.R. 850, and companion legislation in the Senate, represent a       
   further attempt to significantly liberalize U.S. encryption policy. In  
   particular, H.R. 850 would:
                                             
       (1) prohibit the government from requiring the use of               
   key-recoverable encryption systems; 
                                    
       (2) prohibit the government from controlling the export or re-export
   of commercially-available encryption-capable software or computers using
   such software;  
                                                        
       (3) grant the Commerce Department exclusive authority to control    
   exports of all hardware, software, and technology for information       
   security, except that designed for military use; and 
                   
       (4) direct the Secretary of Commerce to allow the export or         
   re-export of encryption-capable software for non-military end-uses in   
   any country, or computers using such software based on considerations of
   foreign availability. 
                                                  
      By prohibiting the government from requiring the use of key          
   recovery-capable encryption products, section 2 of H.R. 850 would       
   seriously impact the ability of the Department of Defense to effectively
   monitor the thousands of business and contract actions taken each day by
   the Department. In addition, this section would undermine government    
   efforts to foster the voluntary development by industry of a key        
   management infrastructure.
                                              
      The committee notes that section 3 of H.R. 850 carries the most      
   serious implications for U.S. national security. This section removes   
   virtually all controls on the exportability of encryption products and  
   greatly increases the likelihood that strong encryption products will be
   used by international terrorists to hide their plans. The committee     
   notes that encryption is already being used by terrorists, and believes 
   that the United States should not facilitate the spread of even         
   stronger, unbreakable encryption capabilities to individuals or entities
   that seek to harm Americans. H.R. 850, as introduced, would do just     
   that.
                                                                   
      In his testimony before the committee on July 1, 1999, Deputy        
   Secretary of Defense John Hamre stated, ``I can unequivocally tell you  
   Osama bin Laden (the accused mastermind of the U.S. Embassy bombings in 
   Kenya and Tanzania) and other bad guys in the world are not only using  
   information technology but encrypted information technology.''          
   Testifying before the committee on July 13, 1999, FBI Director Louis    
   Freeh noted that Ramzi Yousef, convicted conspirator in the World Trade 
   Center bombing, used encrypted computer files to mask his plans to blow 
   up 11 U.S. airliners. It took ``months and months'' to decrypt that     
   information. Director Freeh noted that ``if those were plans that were  
   imminent and we were in the possession of that [encrypted] information, 
   we would not have been able to solve that.''
                            
      The committee also notes that section 3 of H.R. 850 would remove all 
   controls on the export of high-performance computers (so-called         
   ``supercomputers'') if those computers contain encryption products or   
   software that are ``generally available.'' In the committee's view, this
   is one of the most significant and potentially dangerous flaws in H.R.  
   850. In light of the evidence that U.S. supercomputers were             
   inappropriately transferred to entities of concern in Russia and China, 
   and the recommendations to tighten export controls on high-performance  
   computers contained in the report of the Congressionally-mandated Select
   Committee on U.S. National Security and Military/Commercial Concerns    
   With the People's Republic of China (the ``Cox Committee''), the removal
   of export restrictions on such machines would have significant          
   consequences for U.S. national security. Further, this section would    
   also supersede section 1211 of the National Defense Authorization Act   
   for Fiscal Year 1998 (Public Law 105 85), which is designed to prevent  
   the inadvertent export of supercomputers to questionable end users in   
   countries of proliferation concern.
                                     
      In summary, the committee concludes that H.R. 850, as introduced,    
   would harm U.S. national security interests. According to Deputy        
   Secretary of Defense Hamre, H.R. 850 ``would seriously weaken our       
   national security.'' In a March 24, 1999 letter to House Judiciary      
   Committee Chairman Henry Hyde, Secretary Hamre stated, ``The passage of 
   legislation that immediately decontrols the export of strong  
   encryption will result in the loss or delay of essential intelligence   
   reporting because it may take too long to decrypt the information--if   
   indeed we can decrypt it at all * * *. H.R. 850 threatens our ability to
   do just that.'' In a May 24, 1999 letter to Chairman Spence, Secretary  
   Hamre concluded that ``H.R. 850 is anything but safe legislation.'' In  
   his testimony before the committee on July 1, 1999, Secretary Hamre     
   declared that the ``unregulated release of the strongest encryption is  
   going to do one thing: put more troops' lives at risk. Period.'' In her 
   testimony before the committee on July 1, 1999, National Security Agency
   (NSA) Deputy Director McNamara testified that it will ``greatly         
   complicate our exploitation of foreign targets'' and make NSA's job     
    ``difficult, if not impossible.'' She argued that ``the immediate       
    decontrol of encryption exports as proposed in the SAFE Act * * *       
    [would] put national security at serious risk.''
                        
      The committee notes that the Administration has also criticized the  
   move to decontrol the export of encryption products on law-enforcement  
   grounds. For example, in a July 16, 1999 letter to Chairman Spence, the 
   President of the International Association of Chiefs of Police stated   
   that H.R. 850 ``would pose an enormous danger to both law enforcement   
   and to society as a whole.'' 
                                           
      In response to these concerns, the committee agreed to amend H.R. 850
   by deleting all after the enacting clause and substituting language that
   would grant the President authority to control exports of all dual-use  
   encryption technology. The amendment also would allow for export without
   a license (referred to as a ``license exception'') for the export of    
   encryption products with a strength at or below the maximum threshold   
   established by the President. Export of these products would only occur 
   under a ``license exception'' after a one-time government review. The   
   President would also be able to waive an export under license exception 
   for national security reasons. The amendment would also direct the      
   President to notify Congress on a semi-annual basis of the appropriate  
   threshold for the strength of encryption products that may be exported  
   without harm to U.S. national security. The Congress would have a 30-day
   period to review the appropriateness of the notified level.
             
      The amendment would establish licensing criteria for the export of   
   encryption items with a strength that exceeds the maximum threshold     
   established by the President for license exception. It would also be    
   consistent with current Administration policy that allows the export of 
   strong encryption to certain industry sectors, such as financial and    
   medical institutions. In addition, the amendment would establish an     
   encryption industry and information security board to review and advise 
   the President on the foreign availability of encryption products.
       
                           LEGISLATIVE HISTORY                           
 
      H.R. 850, the ``Security and Freedom through Encryption (SAFE) Act,''
   was introduced by Representative Bob Goodlatte (R VA) on February 25,   
   1999. The bill was reported April 27, 1999 by the House Committee on    
   Judiciary (H. Report 106 117, Part I), and was reported (amended) on    
   July 2, 1999 by the House Committee on Commerce (H. Rept. 106 117, Part 
   II). The bill was also referred to the Committee on International       
   Relations, the Permanent Select Committee on Intelligence, and the      
   Committee on Armed Services. 
                                           
      On July 1, 1999 the Committee on Armed Services held a hearing on    
   H.R. 850. Testimony was taken from Deputy Secretary of Defense John     
   Hamre and Deputy Director of the National Security Agency Barbara       
   McNamara. The focus of the hearing was to assess the bill's impact on   
   U.S. national security.  
                                               
      On July 13, 1999, a second full committee hearing was held. Testimony
   was received from Attorney General Janet Reno, FBI Director Louis Freeh,
   Under Secretary of Commerce for Export Administration William Reinsch,  
   and industry witnesses regarding the legislation's impact on national   
   security, law enforcement, and public safety.
                           
      On July 21, 1999, the committee held a mark-up session to consider   
   H.R. 850. The committee adopted an amendment in the nature of a         
   substitute by a record vote of 47 to 6. The amended version of the bill 
   was reported favorably by a voice vote. The record vote result can be   
   found at the end of this report.
                                        
                       SECTION-BY-SECTION ANALYSIS                       
 
      The following is a section-by-section analysis of the amendment in   
   the nature of a substitute adopted by the committee.
                    
           Section 1--Short title                                                  
 
      This section would cite the Act as the ``Protection of National      
   Security and Public Safety Act.''
                                       
           Section 2--Exports of encryption                                        
 
      This section would grant the President authority to control the      
   export of all dual-use encryption products and would allow the President
   to deny the export of any encryption product if such export would be    
   contrary to the national security interest. It would also ensure that   
   any Presidential decision with respect to the export of encryption      
   products is not subject to judicial review.
                             
           Section 3--License exception for certain encryption products            
 
      This section would allow an encryption product of a strength less    
   than or equal to the threshold established by the President in section 5
   to be exported without a license (``license exception'') if certain     
   conditions are met, including submission of the product for a one-time  
   technical review.
                                                       
           Section 4--One-time product review                                      
 
 
      This section would require the President to specify the information  
   that must be submitted for the one-time product review.
                 
           Section 5--Eligibility levels                                           
 
      This section would require the President to establish, within 180    
   days of enactment, the maximum level of encryption strength that may be 
   exported under license exception without harm to U.S. national security 
   interests. It would also require the President to review this threshold 
   level every six months. In both cases, the level would not take effect  
   until 30 days after the Congress is notified. In effect, this section   
   would grant the President the flexibility to adjust the export licensing
   threshold as the level of technology advances, consistent with U.S.     
   national security requirements.
                                         
           Section 6--Encryption licenses required                                 
 
      This section would require an export license for an encryption       
   product with a strength that exceeds the threshold level established by 
   the President in section 5. It would require an exporter seeking an     
   export license to submit the encryption product for technical review and
   to provide a certification identifying the intended end use and end user
   of the product. In instances where the export is to a distribution chain
   partner, it would require submission of the name and address of the     
   partner, along with proof that the partner has contractually agreed to  
   abide by all U.S. export and re-export laws and regulations. This       
   section would also require exporters to notify the Secretary of Commerce
   if they have reason to believe that their encryption product is being   
   used in an unapproved manner or by an unapproved end user. This section 
   would also require distribution chain partners to submit a report on the
   intended end use and end user of the product.
                           
           Section 7--Waiver authority                                             
 
      This section would allow the President to waive the license exception
   requirements in section 3 for national security reasons. It would also  
   allow the President to exempt certain industry sectors from the         
   licensing requirements in section 6 after notifying Congress. This would
   be consistent with current Administration policy which allows the       
   unlicensed export of strong encryption products to certain sectors of   
   industry, such as financial and medical institutions.
                   
           Section 8--Encryption industry and information security board           
 
      This section would establish an advisory board to review and advise  
   the President on the foreign availability of encryption products. The   
   board would be composed of six government officials and six members from
   the private sector. The findings of the board would be conveyed to the  
   President and the Congress.
                                             
           Section 9--Market share survey                                          
 
      This section would require the Secretary of Commerce to conduct, at  
   least once every six months, a market share survey of foreign markets   
   for encryption products.  
                                              
           Section 10--Definitions                                                 
 
   This section would define terms used in this Act.                       
 
                            COMMITTEE POSITION                           
 
      On July 21, 1999, the Committee on Armed Services, a quorum being    
   present, approved H.R. 850 as amended, by a voice vote.
                 
                               FISCAL DATA                               
 
      Pursuant to clause 3(d)(2)(A) of rule XIII of the Rules of the House 
   of Representatives, the committee attempted to ascertain annual outlays 
   resulting from the bill during fiscal year 2000 and the four following  
   fiscal years. The results of such efforts are reflected in the cost     
   estimate prepared by the Director of the Congressional Budget Office    
   under section 402 of the Congressional Budget Act of 1974, which is     
   included in this report pursuant to clause 3(c)(3) of rule XIII of the  
   Rules of the House. 
                                                    
           Congressional Budget Office Estimate                                    
 
      In compliance with clause 3(c)(3) of rule XIII of the Rules of the   
   House of Representatives, the cost estimate prepared by the             
   Congressional Budget Office and submitted pursuant to section 402(a) of 
   the Congressional Budget Act of 1974 is as follows:                     
 
        July  22, 1999.                                                        
 
 
 
          Hon.  Floyd Spence,
          Chairman, Committee on Armed Services, 
          House of Representatives, Washington, DC.                               
 
       Dear Mr. Chairman: The Congressional Budget Office has prepared the 
   enclosed cost estimate for H.R. 850, the Protection of National Security
   and Public Safety Act.
                                                  
      If you wish further details on this estimate, we will be pleased to  
   provide them. The CBO staff contact is Mark Hadley.                     
   Sincerely,                                                              
 
         Dan L. Crippen,  Director.                                             
 
                CONGRESSIONAL BUDGET OFFICE COST ESTIMATE                
 
 
           Protection of National Security and Public Safety Act                   
 
      H.R. 850 would clarify the President's authority to control the      
   export of encryption products. The effectiveness or strength of         
   contemporary encryption products is measured by the number of bits that 
   make up the key for the encryption algorithm. (The term ``key'' refers  
   to the mathematical code used to translate encrypted information back   
   into its original, unencrypted format.) Under current policy, domestic  
   producers may export encryption products with key lengths of up to 56   
   bits and stronger products for specified industries.
                    
      Under the bill, the President would determine the maximum strength of
   encryption products that may be exported (with review and potential     
   updates of that maximum every 180 days). In addition, the bill would    
   allow the President to deny the export of any encryption product if the 
   export of such product is contrary to the national security interest of 
   the United States. H.R. 850 would establish a board to advise the       
   President on the export of encryption products. Finally, the bill would 
   require the Department of Commerce to conduct a market share survey of  
   foreign markets for encryption products every six months.
               
      Based on information from the Department of Commerce, CBO estimates  
   that implementing H.R. 850 would cost about $1 million a year, subject  
   to appropriation of the necessary mounts. H.R. 850 would not affect     
   direct spending or receipts; therefore, pay-as-you-go procedures would  
   not apply. H.R. 850 contains no intergovernmental or private-sector     
   mandates as defined in the Unfunded Mandates Reform Act and would impose
   no costs on state, local, or tribal governments. 
                       
      CBO has completed numerous other estimates of bills affecting the    
   export of encryption products, including three versions of H.R. 850.    
   Differences between this estimate and our previous estimates reflect    
   differences between the bills. On April 21, 1999, CBO transmitted a cost
   estimate for H.R. 850 as ordered reported by the House Committee on the 
   Judiciary on March 24, 1999. On July 1, 1999, CBO transmitted an        
   estimate for H.R. 850 as ordered reported by the House Committee on     
   Commerce on June 23, 1999. On July 16, 1999, CBO transmitted an estimate
   of H.R. 850 as ordered reported by the House Committee on International 
   Relations on July 13, 1999. And on July 9, 1999, CBO transmitted an     
   estimate for S. 798, the Promote Reliable Online Transactions to        
   Encourage Commerce and Trade (PROTECT) Act of 1999, as ordered reported 
   by the Senate Committee on Commerce, Science, and Transportation on June
   23, 1999. CBO estimated that the versions reported by the Judiciary     
   Committee and the International Relations Committee would each cost     
   between $3 million and $5 million over the 2000 2004 period and that the
   House Commerce Committee's version of H.R. 850 and the Senate bill (S.  
   798) would each increase costs by at least $25 million over the same    
   period.
                                                                 
      The CBO staff contact is Mark Hadley. This estimate was approved by  
   Robert A. Sunshine, Deputy Assistant Director for Budget Analysis.
      
           Committee cost estimate                                                 
 
      Pursuant to clause 3(d) of rule XIII of the Rules of the House of    
   Representatives, the committee generally concurs with the estimate      
   contained in the report of the Congressional Budget Office.
             
                            OVERSIGHT FINDINGS                           
 
      With respect to clause 3(c)(1) of rule XIII of the Rules of the House
   of Representatives, this legislation results from hearings and other    
   oversight activities conducted by the committee pursuant to clause      
   2(b)(1) of rule X.
                                                      
      With respect to clause 3(c)(2) of rule XIII of the Rules of the House
   of Representatives and section 308(a)(1) of the Congressional Budget Act
   of 1974, this legislation does not include any new spending or credit   
   authority, nor does it provide for any increase or decrease in tax      
   revenues or expenditures. The fiscal features of this legislation are   
   addressed in the estimate prepared by the Director of the Congressional 
   Budget Office under section 402 of the Congressional Budget Act of 1974.
 
      With respect to clause 3(c)(4) of rule XIII of the Rules of the House
   of Representatives, the committee has not received a report from the    
   Committee on Government Reform and Oversight pertaining to the subject  
   matter of H.R. 850. 
                                                    
                    CONSTITUTIONAL AUTHORITY STATEMENT                   
 
      Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of 
   Representatives, the committee finds the authority for this legislation 
   in Article I, section 8 of the United States Constitution.
              
                      STATEMENT OF FEDERAL MANDATES                      
 
      Pursuant to section 423 of Public Law 104 4, this legislation        
   contains no federal mandates with respect to state, local, and tribal   
   governments, nor with respect to the private sector. Similarly, the bill
   provides no unfunded federal intergovernmental mandates.
                
                               RECORD VOTE                               
 
      In accordance with clause 3(b) of rule XIII of the Rules of the House
   of Representatives, a record vote was taken with respect to the         
   committee's consideration of H.R. 850. The record of this vote can be   
   found on the following page.
                                            
      The committee ordered H.R. 850, as amended, reported to the House    
   with a favorable recommendation by a voice vote, a quorum being present.
 
   Offset folios 20 insert here                                            
 
 
 
                                      ADDITIONAL VIEWS                            
 
      Mr. Chairman, I submit the following additional comments for         
   inclusion to the committee report for H.R. 850 and thank you for your   
   considerations.
                                                         
      As an original co-sponsor of the Security and Freedom Through        
   Encryption Act (SAFE) I demonstrated my support for an open market. It  
   is my belief that we can and should be the world's leader in the        
   development and marketing of technologies, and as a member of Congress  
   we have a responsibility to protect the security of the American people.
 
      The amended version of H.R. 850 is the first step to take a serious  
   look at what is required to release technologies and protect National   
   Security. I look forward to continued discussions on this issue and the 
   establishment of a performance threshold for encryption that will serve 
   both the private and public sector.                                     
 
         J.C. Watts,  Jr.                                                       
 
 
                                     SUPPLEMENTAL VIEWS                           
 
      As a Member of the House Armed Services Committee, I am the first to 
   stand in support of our national security. But now is the time to       
   legislate a balanced encryption policy in the United States.
            
      Over the course of the 106th Congress, I have met with and talked to 
   numerous experts in the computer and security field. The experts I spoke
   with represented various views on export controls to encode, or encrypt,
   electronic communications. Now is the time for Congress to make a       
   decision for a well thought out encryption policy for this great country
   of ours.  
                                                              
      It is my belief, that current U.S. regulations limit the export of   
   encryption and unfairly handicap American high-technology companies.    
   Even though we are the leaders in information technology, it is vital   
   that we maintain our strategic information dominance. What is imperative
   is that our law enforcement and national security agencies must do more 
   to develop alternative means for achieving their missions while focusing
   on strong encryption. 
                                                  
      The provisions of the SAFE Act would remove most license requirements
   for exports of recoverable products. It would remove existing barriers  
   to secure e-commerce and business-to-business transactions. The SAFE    
   Act, however, would not absolve the computer industry of its            
   obligations, to law enforcement, or to the intelligence community.
      
      We all acknowledge that the United States leads the world in the     
   production of computer hardware and software, and technology is the     
   engine driving the global economy. We as a country, should not sit idly 
   by and let U.S. companies lose their edge in the world market because   
   they can't deliver the kind of secure products and services that        
   customers demand.
                                                       
      H.R. 850 ensures that safety and security become the cornerstones of 
   the information superhighway. If U.S. encryption continues to be        
   restricted, foreign products may soon dominate the worldwide market,    
   hindering our ability to gather intelligence against terrorists and     
   criminals. 
                                                             
      I would also like to state for the record that for reasons stated    
   above, I would not have voted for the Weldon, Sisisky, and Andrews      
   Substitute Amendment, had I been present.                               
 
         Patrick J. Kennedy.                                                    
 
 
                                                                                  

Return to the EPIC Crypto Policy Archive