EPIC logo

 
 
 
                            THE WHITE HOUSE
 
                     Office of the Press Secretary
________________________________________________________________________
For Immediate Release                                 September 16, 1999
 
 
     PRESERVING AMERICA'S PRIVACY AND SECURITY IN THE NEXT CENTURY:
                  A STRATEGY FOR AMERICA IN CYBERSPACE
 
 
 
 
                              A REPORT TO
                   THE PRESIDENT OF THE UNITED STATES
 
                           September 16, 1999
 
 
 
 
       William Cohen                       Janet Reno
       Secretary of Defense                Attorney General
 
 
 
       Jacob J. Lew                        William Daley
       Director of the Office              Secretary of Commerce
       of Management and Budget
 
 
 
     PRESERVING AMERICA'S PRIVACY AND SECURITY IN THE NEXT CENTURY:
                  A STRATEGY FOR AMERICA IN CYBERSPACE
 
 
 
1.   A TIME OF PIVOTAL CHANGE
 
     American history has been punctuated by periods in which the Nation
had to respond to sweeping social, economic and technological
developments.  In the best of times, people working together in
government and industry became the engine of progress that shaped the
character of the time and facilitated new prosperity and opportunity for
Americans.  Three examples illustrate this point.
 
     Opening the Heartland and expanding the frontier.  Beginning with
the Louisiana Purchase in 1803, the government initiated a remarkably
successful policy to open up a vast new area. Over the next five
decades, the United States doubled the size of its territory. Under the
government's plan, land grants were given to railroads to open the
Midwest and in turn to create a future market for rail services.  Land
was awarded to homesteaders, and yet other parcels were reserved as
income sources for institutions of higher education.
 
     The technological advance of the railroad was the engine pulling
this growth.  From the 1820s to 1900, American railroads added an
average of more than 2,000 miles of track each year. By the close of the
19th century, the combination of these factors had served to triple the
size of our nation. The Administration and the Congress, working
together and in concert with technology advances, created an
infrastructure for a new society.
 
     Industrialization and the Great Depression Produce a New Society.
Around the turn of the century, the country was firmly in the Industrial
Age.  Technical innovations in automation and machinery spurred the
growth of factories, assembly lines and mass-production in our nation's
cities.  The Ford assembly line for the Model T and the Wright brother's
flight catapulted us into a mobile society and drove further
technological innovations.  Telephones became more commonplace and the
nation began to shrink as news and information traveled faster.  As a
nation, we created new opportunities in industries never heard of, and
created a new class of wealth, based on opportunity and innovation, not
birthright.  The economy moved from an agrarian society to an industrial
society.
 
     But the growth and prosperity experienced by many halted when the
Great Depression gripped the country.  In response, the government
developed a series of creative policies and programs that brought
government and business to the common task of restoring productivity to
America.  While there were a number of social programs, government
support for technology was key to driving development.  For example, the
government took a pivotal role in expanding the electrical grids that
would become the backbone of our national infrastructure, first with the
creation of the Tennessee Valley Authority in 1933 and two years later
with the creation of the Rural Electrification Administration.
Electrical technology, in the ensuing years, radically altered the
capabilities of America's rural farms and industry.  Just as important,
it created a transmission belt that further disseminated the ideas and
technology being generated in the nation's cities.
 
     A World War Produces a Global Community and the American Century.
In a third case, World War II shattered the international political
system at the same time that it brought an end to 19th century
colonialism.  The creation of the World Bank, the International Monetary
Fund, and the rules for a global trading system became the cornerstones
of the emerging global economy.
 
     The urgent need for increased production and the burst of
scientific funding associated with the war effort -- sustained by a
continuing Federal commitment to new science and technology in the
following years -- vaulted the United States into the age of electronics
and computers - the beginning of the Information Age.
 
     Advances in telecommunications, such as broad-band carrier systems
and switching devices, combined with innovations in the computer
industry to give individuals more power than ever to process large
amounts of information and transmit that information at ever-greater
speeds.  Further, this country's goal to reach the moon by the end of
the 1960s fueled development of advanced electronics, increased
computing power and communications capabilities.  At the same time,
technological leaps in computer memory and data storage enabled the
centralized use (and, unfortunately, misuse) of information to examine
or profile individuals, consumers, and groups.  As these issues emerged,
our legal system responded.  Looking back, the "Information Economy"
that Americans recognize today could be seen emerging as early as the
late 1940s.
 
     Each of these examples was a pivotal episode in American history in
which complex social, economic, and technological forces came together.
Facing the challenges of the day, America's governmental, societal and
technical leaders crafted a new vision of the future, and in the process
became pioneers on a new frontier of opportunity and promise.
 
     America now faces a new time of pivotal change, enormous
opportunity, and promise.  This time, technology itself presents both an
opportunity and a threat to global society increasingly dependent on,
and connected by, advanced computing and communications.   Continuing a
balanced strategy that advances our national interests is the challenge
of our day.
 
2.   Cyber America:  Great Promise and Serious Risks
 
 America now stands on the brink of revolution fueled by machines -
computers - and networks of computers that facilitate the instant
exchange of and access to ideas and information.  The computer has and
will continue to revolutionize virtually all aspects of American
society, just as electricity, the power grid and the railroad changed
our forefathers'  society.
 
     The Computer as an Economic Engine.  It is well known that the
computer, and its application in business, commerce, education and
recreation has transformed the American economy.  America is becoming a
country of "knowledge workers," with the ubiquitous application of
computer technology at its core.  America's productivity today is
grounded in computer applications and networks.  Barcodes speed us
through shopping lines and simultaneously facilitate store manager
recordkeeping and reordering.  Airline reservations can be booked from
home computers.  Everything from clothes to books to software can be
purchased over the Internet.  American companies are discarding their
proprietary computer systems and using the Internet and the Web to
increase productivity, network their entire chain of suppliers, and
deliver "just-in-time"  training to their employees. American students
can conduct original research with colleagues on machines around the
world with but a few keystrokes.  Travelers can monitor current weather
conditions in another country.  Scientists can "conference"
electronically and transmit astounding volumes of information in seconds
to colleagues on other continents.
 
     As remarkable as today's innovations are, the years ahead hold even
greater promise.  Computers will become virtual partners in all aspects
of our lives.  Homes will be centrally wired to allow integrated alarms,
electronics, appliances, telephones, and computers to simplify our
lives.  Education will become more adaptive to the routines of
individual students, and banking, finance, and shopping will
increasingly migrate to the home and portable computing devices.
 
     And in this process and through networking, computers have created
the well-known "cyberspace" that eliminates the traditional boundaries
of time and place and links governments, businesses, and individuals in
the same electronic environment.
 
     The Dangers of Cyberspace.   Like any new tool in previous eras,
computers can be used by those who prey on the innocent.  International
narcotics traffickers now routinely communicate with each other via
computer messages.  Hostile governments and even some transnational
organizations are establishing cyber-warfare efforts, assigned the
mission of crippling America's domestic infrastructure through computer
attacks.  Hackers destroy cyber-property by defacing homepages and
maliciously manipulating private information.  Pedophiles stalk
unsuspecting children in computer chat rooms.  Individuals post
homepages with instructions to manufacture pipebombs, chemical weapons,
and even biological agents.  Crooks break into business computers,
either stealing funds directly or extorting payments from companies
anxious to avoid more expensive disruption.  Disgruntled employees, with
valid access to their companies'  system, can take steps to disrupt the
business operations or steal proprietary, sensitive, and financial
information.  And our personal data is at risk of being unlawfully
accessed and read by malicious individuals, without our knowledge, as it
resides on or traverses communications and computer networks.
 
     These concerns are not hypothetical.  We have seen these types of
activities, and other equally dangerous activity, in past and on-going
cases.  The danger posed by evil individuals using these powerful new
tools grows by the day.  Just as other technologies have the risk of
being abused, it is necessary for us to evaluate how to respond.
Without protective action, we will not be safe.  America must take
responsible steps to ensure that this promising electronic environment
is safe for law abiding citizens and businesses.
 
3.   Balancing America's Bedrock Values
 
     While these problems seem unprecedented, in fact they represent a
return to the bedrock problems faced by America's constitutional
founders.  American democracy became and remains a new experiment in
government--balancing the rights of individuals against the imperatives
of society and limiting the reach of government into personal, private
lives, while mandating a government responsibility for public safety and
security for all citizens.
 
     Computers are now at the center of competing American values.  In
honest, law abiding citizens' hands, the computer becomes an
indispensable tool for education, personal and commercial business,
research and development, and communications.  In criminal hands, the
same computer becomes a tool of destruction and criminality.
 
     Enter encryption.  Over the past decade, another information
technology has emerged that amplifies this tension - encryption.
Encryption includes special instructions that scramble a clear readable
message in complex ways that make it unreadable.  For the strongest
forms of encryption, only the intended recipient can unscramble the
message and read the original plain text, unless someone else has gained
access to the corresponding decoding software and decryption key.
 
     Originally only available and used by military agencies, strong
encryption is now available to many and has become a building block for
the new digital economy.  It is essential to provide security and
privacy for electronic commerce and e-business.  Encryption is critical
because it allows individuals, businesses, and other organizations to
share information privately without it being unlawfully intercepted or
accessed by a third party, to establish their identities, and to
maintain the integrity of information.  Without the use of encryption,
it is difficult to establish the trust that people and firms need to do
business with each other, or to have confidence to run their business
electronically.  With the use of encryption:
 
-    Individuals and consumers can securely conduct their finances and
communicate with each other over the Web.
 
-    Firms can transmit their software, music, movies, reports and other
forms of intellectual property over the Internet while minimizing the
risks of widespread piracy.
 
-    Businesses can protect their company proprietary information over
the Internet, with confidence that the information is secure from prying
eyes.
 
-    Firms can develop products more rapidly, as teams of engineers
around the world can collaborate on their designs in real-time over
secure high-speed networks.
 
However, while the majority of users will use encryption for legitimate,
lawful purposes, we must recognize that terrorists, pedophiles and drug
gangs are increasingly using encryption to conceal their activities.
Hence, encryption has posed a serious public policy challenge over the
past decade.
 
     The Federal Government has sought to maintain a balance between
privacy and commercial interests on one hand and public safety and
national security concerns on the other by limiting the export of strong
encryption software.  Preserving this balance has become increasingly
difficult with the clear need for strong encryption for electronic
commerce, growing sophistication of foreign encryption products and the
proliferation of software vendors, and expanded distribution mechanisms.
In the process, all parties have become less satisfied with the
inevitable compromises that have had to be struck. U.S. companies
believe their markets are increasingly threatened by foreign
manufacturers in a global economy where businesses, consumers, and
individuals demand that strong encryption be integrated into computer
systems, networks, and applications.  National security organizations
worry that the uncontrolled export of encryption will result in
diversion of powerful tools to end users of concern.  Law enforcement
organizations see criminals increasingly adopting tools that put them
beyond the reach of lawful surveillance.
 
     At the end of the century, these are the important national
interests that must be reconciled.  Determining a policy direction for
encryption has become more complex, and more urgent, for all those
affected.  A strategic paradigm that better achieves balance is needed.
 
 
4.   A New Paradigm to Protect Prosperity, Privacy and Security
 
     To support America's prosperity and protect her security and
safety, we propose a new paradigm to advance our national interests.
The new paradigm should be comprised of three pillars - information
security and privacy, a new framework for export controls, and updated
tools for law enforcement.  We discuss each in turn.
 
     I.  Information Security and Privacy.  As a nation, we have become
increasingly dependent on computers and telecommunications.  These new
technologies create vast opportunities for personal expression and
electronic commerce, while also creating new risks to public safety and
national security.  Computers and telecommunications rely on open
protocols and ultra-accessibility, thus making individuals' and
organizations' words and actions vulnerable to outsiders in new and
potentially frightening ways.  A first pillar of our new paradigm must
be to promote information security and privacy - to assure the security
and privacy of stored and transmitted data from unauthorized and
unlawful access.
 
     The President has recognized the challenge of updating privacy for
new technologies:  "We've been at this experiment in Government for 223
years now.  We started with a Constitution that was rooted in certain
basic values and written by some incredibly brilliant people who
understood that times would change, and that definitions of fundamental
things like liberty and privacy would change, and that circumstances
would require people to rise to the challenges of each new era by
applying old values in practical ways."
 
     In updating enduring constitutional values for the computer age, we
need to assure that our citizens' personal data and communications are
appropriately protected.   Businesses need to privately communicate with
their employees and manufacturing partners without risk that their
proprietary information will be compromised through unauthorized access.
Encryption is one of the necessary tools that can be used in this
technological environment to secure information.  Therefore, we
encourage the use of strong encryption by American citizens and
businesses to protect their personal and commercial information from
unauthorized and unlawful access.
 
     We must also recognize the inherent security risks posed by the
spread of and dependence on "open systems" and ready accessibility.  The
Defense Department's situation is typical.  Twenty years ago the Defense
Department operated largely proprietary communications systems over
government owned switches and circuits.  DOD technology was homebuilt
and tightly controlled.  Today, the U.S. DOD has more computer users
than any other organization in the world - 2.1 million computers access
over 10,000 networks on an average work day.  Even so, 95% of DOD's
communications occur over public circuits or with commercial software
and hardware.  The Defense Department's reliance on commercial products
and services is repeated throughout the country by government agencies
and the private sector.
 
     If the Department of Defense is to function safely in cyberspace,
it must use strong tools for encryption and identity authentication.  It
is not just military operations and data that must be protected.  All
government agencies and all business activities will increasingly need a
full set of security tools to ensure access, privacy and absolute
confidence in business operations that utilize computer technology.
 
     We recognize that information technology is changing rapidly and
constantly providing both new security capabilities and challenges and,
hence, we will never reach a "perfect solution."  Nevertheless, there
are many efforts underway throughout the government to address the need
for more secure systems.  By adopting commercial approaches, where
appropriate, and sponsoring R&D to fill needed capabilities, we believe
the Federal government should, by example, lead the way for America to
develop and use the tools and procedures for information security and
privacy in the next century.
 
     The Department of Defense, for example, has allocated over $500
million to develop a comprehensive security management infrastructure.
This infrastructure will utilize a range of encryption products (with
stronger products for more sensitive applications involving higher
levels of classification), and a public key infrastructure (PKI) to
identify and authenticate those who use our information networks.  The
Department is also adopting stronger standards for network configuration
and operator qualification and certification, and is taking steps to
better detect unauthorized intrusions into DOD networks.
 
     The Federal government must continue to promote the development of
stronger encryption technologies for federal use.  The advanced
encryption standard (AES) is in the final stages of a public selection
process.  Once promulgated, AES could become as ubiquitous as today's
digital encryption standard (DES) which has contributed greatly to the
growth of electronic commerce.
 
     In the Federal government, the Department of Defense is a leading
proponent of information security through its information assurance
initiative, and other agencies are recognizing the need for increased
diligence in maintaining adequate security of Federal information and
systems.  We encourage each agency to vigilantly build security
enhancements into their business operations in risk-based and
cost-effective ways that enable, not impede, the agency's ability to
perform its mission.
 
     Further, we believe that the Congress and Executive Branch should
work together to promote both the awareness of information privacy and
security and the development of appropriate tools and resources by the
private sector, and to consider whether tangible incentives are
appropriate.  Given the rapid changes in technology, we advocate a
technology neutral approach.  This approach would have the public and
private sectors working together to encourage development of a broad
range of privacy and security products and processes and share promising
practices with one another.  We believe equally strongly that security
infrastructures and the deployment of security products -- should
neither be mandated nor prohibited.  Public and private organizations
must determine their risks and be free to choose their own solutions.
 
     The government's requirement to protect its own sensitive and
privacy information is matched by individual's and the private sector's
own interests in proper handling of sensitive information.  Many in
industry and elsewhere are already developing and using sophisticated
security and privacy products and processes. Government should act as a
facilitator and catalyst and help stimulate the development of
commercial products that will help all Americans protect their sensitive
information.
 
     In sum, the first pillar of the new paradigm calls on the Federal
government, the Congress and all others to partner in promoting ways to
bring information security and privacy to the Information age.  Working
together, we can develop tools and procedures for safe operation in
cyberspace, applying enduring constitutional values to our new
circumstances.
 
     II.  Encryption Export Controls for the New Millennium.  At the
dawn of the new millennium, technology is advancing at such a rapid pace
that attempts to control its global spread under the existing export
control regime need to be regularly reevaluated. Encryption will
continue to enable new economic realities that must be considered in a
balanced approach to export controls.
 
     Encryption products and services are needed around the world to
provide confidence and security for electronic commerce and business.
With the growing demand for security, encryption products are
increasingly sold on the commodity market, and encryption features are
being embedded into everyday operating systems, spreadsheets, word
processors, and cell phones.  Encryption has become a vital component of
the emerging global information infrastructure and digital economy.  In
this new economy, innovation and imagination are the engines, and it is
economic achievement that underpins America's status in the world and
provides the foundation of our national security.  We recognize that
U.S. information technology companies lead the world in product quality
and innovation, and it is an integral part of the Administration's
policy of balance to see that they retain their competitive edge in the
international market place.
 
     We as a nation must balance our desire and the need to assist
industry with a prudent, objective and steady judgment about how to
protect national security; a judgment that acknowledges that
technological advantages may add new dimensions to an already
complicated problem set. We must ensure that the advantages this
technology affords us are not extended to those who wish us ill or who
harbor criminal intent. This judgment must be informed by both foreign
and domestic realities.
 
     While the U.S. is a huge market for telecommunications goods and
services, the other nations of the globe present markets much larger
than our domestic demand.  Our networks are inextricably bound to those
of our allies and adversaries alike.  Likewise, America's interests do
not end at our borders.  American diplomats, service men and women, as
well as countless business people work and live around the globe.
America's interests are served by the ability to send and receive
proprietary, personal and classified information to exactly where it is
needed around the world.  Likewise, America's interests are served daily
by shared actions with our allies, which require accurate and authentic
information be exchanged.  Our policy must acknowledge these vital
interests.
 
     But even as we do, it is imperative that we uphold international
understandings, and strive with other nations to prevent the acquisition
of encryption technology to sponsors of terrorism, international
criminal syndicates or those attempting to increase the availability of
weapons of mass destruction.  We must also meet our responsibilities to
support our national decision makers and our military war fighters with
intelligence information in time to make a difference.
 
     Accordingly, the Administration has revised its approach to
encryption export controls by emphasizing three simple principles that
protect important national security interests:  a meaningful technical
review of encryption products in advance of sale, a streamlined
post-export reporting system that provides us an understanding of where
encryption is being exported but is aligned with industry's business and
distribution models, and a license process that preserves the right of
government to review and, if necessary, deny the sale of strong
encryption products to foreign government and military organizations and
to nations of concern.  With these three principles in place, the
Federal Government would remove almost all export restrictions on
encryption products.  This approach will provide a stable framework that
also will allow U.S. industry to participate in constructing and
securing the global networked environment.  This approach also maintains
reasonable national security safeguards by monitoring the availability
of encryption products and limiting their use in appropriate situations.
 
     The Administration intends to codify this new policy in export
regulations by December 15, 1999, following consultations on details
with affected industries and other private sector organizations.
 
     However, with this new framework for export controls, the national
security organizations will need to develop new technical tools and
capabilities to deal with the rapid expansion of encrypted
communications in support of its mission responsibilities.  The Congress
will need to support such new tools and technical capabilities through
necessary appropriations.
 
     III.  Updated tools for Law Enforcement.  Because of the need for
and use of strong encryption globally, governments need to develop new
tools to deal with the rapid expansion of encrypted communications.
Updated tools for law enforcement that specifically address the
challenges of encryption constitute the third pillar of the new
strategy.  We cannot ignore the fact that encryption will be used in
harmful ways - by child pornographers seeking to hide pictures of
exploited children, or commercial spies stealing trade secrets from
American corporations, or terrorists communicating plans to destroy
property and kill innocent civilians. Even more significant, because
cyberspace knows no boundaries and because it is not immediately clear
if a cyberattack involves Americans or foreigners, America's national
security will increasingly depend on strong and capable law enforcement
organizations.  This is because the United States military and
intelligence agencies have long been restricted by law from undertaking
operations inside the United States against American citizens.
Accordingly, America's national defense is now increasingly reliant on
ensuring that our law enforcement community is capable of protecting
America in cyber space.
 
     Under existing law and judicial supervision, law enforcement agents
are provided with a variety of legal tools to collect evidence of
illegal activity. With appropriate court orders, law enforcement may
conduct electronic surveillance or search for and seize evidence.  In an
encrypted world, law enforcement may obtain the legal authority to
access a suspect's communications or data, but the communications or
data are rendered worthless, because they cannot be understood and
cannot be decoded by law enforcement in a timely manner.  Stopping a
terrorist attack or seeking to recover a kidnapped child may require
timely access to plaintext, and such access may be defeated by
encryption.  Hence, law enforcement's legal tools should be updated,
consistent with constitutional principles, so that when law enforcement
obtains legal authority to access a suspect's data or communications,
law enforcement will also be able to read it.
 
     Quite simply, even in a world of ubiquitous encryption, law
enforcement with court approval must be able to obtain plaintext so that
it can protect public safety and national security.  Therefore, we must
undertake several important and balanced initiatives.
 
     First, we need to ensure that law enforcement maintains its ability
to access decryption information stored with third parties, but only
pursuant to rules that ensure appropriate privacy protections are in
place.  To ensure this result, the Administration and the Congress must
develop legislation to create a legal framework that enhances privacy
over current law and permits decryption information to be safely stored
with third parties (by prohibiting, for example, third party disclosure
of decryption information), but allows for law enforcement access when
permitted by court order or some other appropriate legal authority.
 
     Second, since criminals will not always store keys with third party
recovery agents, we must ensure that law enforcement has the personnel,
equipment, and tools necessary to investigate crime in an encrypted
world.  This requires that the Congress fund the Technical Support
Center as proposed by the Administration, and work with the
Administration to ensure that the confidentiality of the sources and
methods developed by the Technical Support Center can be maintained.
 
     Third, it is well recognized that industry is designing, deploying
and maintaining the information infrastructure, as well as providing
encryption products for general use.  Industry has always expressed
support, both in word and in action, for law enforcement, and has itself
worked hard to ensure the safety of the public. Clearly, industry must
continue to do so, and firms must be in a position to share proprietary
information with government without fear of that information's
disclosure or that they will be subject to liability.  Therefore, the
law must provide protection for industry and its trade secrets as it
works with law enforcement to support public safety and national
security.  The law must also assure that sensitive investigative
techniques remain useful in current and future investigations by
protecting them from unnecessary disclosure in litigation.  These
protections must be consistent with fully protecting defendants' rights
to a fair trial under the Constitution's Due Process clause and the
Sixth Amendment.
 
     The Administration and the Congress need to work jointly to pass
legislation that provides these updated authorities.  The Administration
is in the final stages of drafting legislation and will shortly submit
it to the Congress for consideration.
 
     It is imperative to emphasize that the malicious use of encryption
is not just a law enforcement issue - it is also a national security
issue.  The new framework for export controls must be complemented by
providing updated, but limited authorities to law enforcement.
 
 
5.   Conclusion
 
     America stands on the pivot point of a crucial time in its ongoing
development, and we face once again the on-going debate in this country
between individuals' rights and the collective needs of society.  The
genius of our Constitution is in the balanced way it addressed that
debate and in the procedures it created for continuing that discussion
as the society and the economy evolved.  For our own part, we enter that
debate determined to preserve that same balance of the rights and
responsibilities that has characterized our country through its history,
but we are equally determined not to be thoughtlessly bound to old
approaches and old technologies.  Our challenge is to adapt our
historical approach to the technological challenges we face.  We believe
the new paradigm described above achieves that objective.
 
We can now see a future with great promise and - and serious
consequences - posed by the same technical developments.  How well we
handle these important challenges will shape the next century.  It is
far better that we approach these problems from a cooperative
perspective.  The past years of confrontation must be replaced by an era
of collaboration.  For only by working together, which is the rich
history of this nation, can we ensure our economic viability and protect
ourselves from those who would do us harm.
 
                                 # # #
 

Return to the EPIC Crypto Policy Archive