PREPARED TESTIMONY OF
KENNETH W. DAM
MAX PAIN PROFESSOR OF AMERICAN AND FOREIGN LAW, UNIVERSITY OF CHICAGO
LAW SCHOOL AND CHAIR, COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY,
NATIONAL RESEARCH COUNCIL, WASHINGTON, D.C.
BEFORE THE SENATE JUDICIARY COMMITTEE
CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY

July 9, 1997

Good morning, Mr. Chairman and Members of the Committee.

As you probably know, I chaired a committee of the National Research Council which last year released a report entitled Cryptography's Role in Securing the Information Society. Asked to examine the balance among various national security, law enforcement, business, and privacy interests, we were composed of individuals with expertise in many relevant fields: computers, communications, and cryptography; law enforcement, intelligence, civil liberties, national security, diplomacy, and international trade; and it included individuals from the private sector, both vendors and users. The fact that these individuals, with diverse interests and stakes, were able to come to a strong consensus demonstrates that agreement on policy in this area is indeed possible.

Furthermore, 13 of the 16 members of the committee received security clearances to examine the classified material alleged to be relevant to the debate. These cleared members unanimously concluded that the debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis.All parties to the debate over encryption policy agree that it is important to protect personal financial transactions, medical records, and corporate secrets -- such as bidding information and proprietary research -- from criminals and corporate spies. All parties also agree that encryption is one very important tool for protecting all forms of electronic information.

But the policy dilemma arises from the fact that while encryption is a vital tool for protecting the legitimate information interests of the nation's businesses and the privacy of its citizens, it can also be used in a wide range of illegal or harmful activities -- by terrorists, by hostile military forces, by drug cartels, and so on.

However, in May 1996, our committee concluded that this picture of law enforcement and national security competing against privacy and business needs for confidentiality was incomplete. After all, protecting a company's proprietary information against industrial spies is very much a part of law enforcement. Protecting critical national information systems and networks against unauthorized intruders is a key responsibility of national security. Thus, as the committee pointed out, the use of cryptography can help law enforcement and national security as well as hinder them. We also found that export controls to discourage the export of strong encryption had a negative impact on information security products available to the domestic market, even though the domestic market was and is ostensibly unregulated.

The Administration's Policy Approach

The Administration's approach to the policy dilemma was -- and is -- to rely on a technology known then as key escrow and now as key recovery. This policy includes:

liberalizing export controls conditioned on developer agreement to build and market key recovery products in the future.

connecting key recovery to the use of a public key infrastructure that would otherwise be used for authentication and confidentiality purposes.

development of a yet-to-be-formulated Federal Information Processing Standard for key recovery.

Relevant NRC Findings and Recommendations

Our report addressed many of the issues raised in today's debate over key recovery, and I want to relate to you some of our committee's relevant findings and recommendations. For example, we found that policies that support key recovery have been motivated primarily by law enforcement needs, rather than by those of national security, and that key recovery has much less utility for national security than for law enforcement.

The role of the market

We emphasized the role of market forces in policy. In particular, we argued that national policy on cryptography that runs counter to user needs and against market forces is unlikely to be successful over the long term. Market-friendly policy would emphasize the freedom of domestic users to determine cryptographic functionality, protection, and implementations according to their security needs as they see fit, including the use or non-use of key recovery. For example, businesses have articulated a need in many cases for recovering the keys to encrypted files, but not such a need for monitoring the content of their encrypted communications. Furthermore, the development of products with encryption should be driven largely by market forces rather than by government-imposed requirements or standards.

On key recovery

As noted earlier, key recovery is functionally the same as escrowed encryption, though the details are different in some cases. We concluded that while key recovery encryption is a promising technology, it is relatively unproven and entails its own potential risks. It is promising because if it is properly implemented and widely deployed, it could allow law enforcement and national security authorities to obtain legally authorized access to relevant encrypted data in specific instances. Similarly, it would enable businesses and individuals to recover encrypted stored data to which access has been inadvertently lost.

On the other hand, many unresolved issues remain. For example: The extent to which key recovery agents can protect keys is unknown. Key recovery agents involve people, and when people are involved, human vulnerabilities and weaknesses may lead to compromises of the system. Wholesale compromise of keys could lead to catastrophic losses for businesses. The introduction of key recovery features into encryption products may introduce technical vulnerabilities that could be exploited by an adversary, and no one knows how likely such an eventuality is.

Liability issues are unresolved. While a business may enter into a contractual arrangement with a key recovery agent that specifies liabilities, a customer or supplier of that business who is damaged by the compromise of a key may not have similar recourse. Furthermore, there is a tension between reducing liability through statute to promote key recovery and reassuring users that their interests will be protected in the event of large losses. While resolving some of these issues may ultimately require legislation, key recovery is so new today that it is speculation rather than experience that would underlie any proposed legislation in this area.

Rather than aggressively promoting key recovery as a proven technology, we concluded that the government should explore key recovery for its own internal uses to gain working experience with this technology and to demonstrate its utility in a convincing way to the commercial sector. Even if and when commercial utility is demonstrated, we believe that adoption of key recovery systems or standards by the commercial sector should be voluntary and based on business needs, not government pressure.

We took this stand for several reasons.

First, not enough is yet known about how best to implement key recovery on a large scale. The operational complexities of a large- scale infrastructure are significant, and approaches proposed today for dealing with those complexities are not based on real experience. A more prudent approach to setting policy would be to develop a base of experience that would guide policy decisions on how key recovery might work on a large scale in practice.

Second, because of the ease with which key recovery can be circumvented technically, it is not at all clear that key recovery will be a real solution to the most serious problems that law enforcement authorities feel they will face. Administration officials freely acknowledge that their various initiatives promoting key recovery are not intended to address all criminal uses of encryption, but in fact those most likely to have information to conceal will be motivated to circumvent key recovery encryption products.

Third, information services and technologies are undergoing rapid evolution and change today, and nearly all technology transitions are characterized by vendors creating new devices and services. Imposing a particular solution to the encryption dilemma at this time is likely to have a significant negative impact on the natural market development of applications made possible by new information services and technologies. While the nation may choose to bear these costs in the future, it is particularly unwise to bear them in anticipation of a large-scale need that may not arise and in light of the nation's collective ignorance about how key recovery would work on a large scale.

Fourth and most importantly, not enough is yet known about how the market will respond to key recovery, nor how it will prefer the concept to be implemented, if at all. Given the importance of market forces to the long-term success of national cryptography policy, a more prudent approach to policy would be to learn more about how in fact the market will respond before advocating a specific solution driven by the needs of government. This is especially true when the reaction of export markets to key recovery is unknown and key-sharing or information-sharing arrangements between governments have not yet been established.

A process of deliberate exploration rather than aggressive promotion would allow the development of a body of experience demonstrating that key recovery encryption does not pose undue risks to users. In a market-driven system, this body of experience will begin to accrue in small steps. As this body of experience grows, government will have the ability to make wise decisions about the appropriate rules and regulations that should govern key recovery agents. These include issues such as standards, liability, contract terms, and so on.

Since our report was released in 1996, a number of vendors have indeed released products or made product announcements about encryption products that support key recovery. As the key recovery products of these and other vendors are adopted and used in the private sector and by government, experience with this technology will grow. In several years, this accumulated experience could well induce our committee to revisit its conclusions. After all, we explicitly cast our report in transitional terms, rather than address the issues once and for all.

Finally, we recognized that considerations of public safety and national security made it undesirable to maintain an entirely laissez- faire approach to national cryptography policy. Consequently, we crafted several recommendations to describe what we thought were appropriate affirmative steps, and I can describe these if you wish.

As a footnote, our committee tackled a very controversial problem and came to consensus on it. Had we operated in conformance to the requirements of the Federal Advisory Committee Act, such a consensus would have been impossible to reach.

That concludes my prepared testimony, and I am pleased to address any questions you may have.