H.R. 1903—THE COMPUTER SECURITY ENHANCEMENT ACT OF
1997—TO AMEND THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
TO ENHANCE THE ABILITY OF THE NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY TO IMPROVE COMPUTER SECURITY, AND FOR OTHER PURPOSES
THURSDAY, JUNE 19, 1997
U.S. House of Representatives,
Committee on Science,
Subcommittee on Technology,
Washington, DC.
The Subcommittee met at 10:47 a.m., in room 2318
of the Rayburn House Office Building, Hon. Constance A. Morella, Chairwoman
of the Subcommittee, presiding.
Mrs. MORELLA. I am going to call to order
the meeting of the Science Committee, the Subcommittee on Technology.
I thank our panelists for being so patient. We did
decide in the vote not to adjourn.
[Laughter.]
Mrs. MORELLA. There was a plan to have a
series of other votes, which is why I was delayed and other members of the
Subcommittee are delayed. And, they just decided they were going to try to
negotiate a problem they have with the rule on the defense bill. And,
therefore, we will commence our hearing, which is quite important.
Today's hearing is going to focus on H.R. 1903,
the Computer Security Enhancement Act of 1997. I would like to begin by
complimenting the Subcommittee's Ranking Member, Bart Gordon, for his hard
work in helping craft a bipartisan bill to address our government's
computer security needs.
And, along with Mr. Gordon, Science Committee
Chairman Sensenbrenner, Ranking Democratic Member Brown, Committee Vice
Chair Ehlers, Representatives Davis, Stabenow, Jackson Lee, Sessions,
Pickering, Traficant, Cook, Cannon and I have all introduced H.R. 1903. The
bill amends and updates the Computer Security Act of 1987, which gave the
National Institute of Standards and Technology the lead responsibility for
developing security standards and technical guidelines for civilian
government agencies' computer security.
Specifically—and I will run down the
highlights of the bill—it reduces the cost and improves the
availability of computer security technologies for federal agencies by
requiring NIST to promote the federal use of off-the-shelf products for
meeting civilian agency computer security needs. Second, it enhances the
role of the independent Computer System Security and Privacy Advisory Board
in NIST's decision-making process. The board, which is made up of
representatives from industry, federal agencies and other outside experts,
should assist NIST in its development of standards and guidelines for
federal systems.
It also requires NIST to develop standardized
tests and procedures to evaluate the strength of foreign encryption
products. Through such tests and procedures, NIST, with assistance from the
private sector, will be able to judge the relative strength of foreign
encryption, thereby defusing some of the concerns associated with the
export of domestic encryption products.
Fourth, it clarifies that NIST's standards and
guidelines are to be used for the acquisition of security technologies for
the Federal Government and are not intended as restrictions on the
production or use of encryption by the private sector.
The bill also addresses the shortage of university
students studying computer security. I find this really remarkable, that of
the 5,500 PhD's in computer science awarded over the last 5 years in Canada
and the United States, only 16 were in fields related to computer
security.
To help address such shortfalls, the bill
establishes a new computer science fellowship program for graduate and
undergraduate students studying computer security. The bill sets aside
$250,000 a year, for each of the next 2 fiscal years, to enable NIST to
finance computer security fellowships under an existing NIST grant
program.
And, finally, the bill requires the National
Research Council to conduct a study to assess the desirability of creating
public key infrastructures. The study will also address advances in
technology required for public key infrastructure.
You know, all of these measures I have
brought out are intended to accomplish two goals. First, to assist NIST in
meeting the ever-increasing computer security needs of federal civilian
agencies; second, to allow the Federal Government, through NIST, to harness
the ingenuity of the private sector to help address its computer security
needs.
Since the passage of the Computer Security Act,
the networking revolution has improved the ability of federal agencies to
process and transfer data. It has also made that same data more vulnerable
to corruption and theft.
You know, in February, the General Accounting
Office highlighted computer security as a government-wide, high risk issue
in its "High Risk Series." GAO specifically identified the lack of
adequate security for federal civilian computer systems as a significant
problem.
While this is the first time that GAO included
computer security in its high risk series, it's not the first time that GAO
has addressed this issue. Since June of 1993, the General Accounting Office
has issued over 30 reports detailing serious information security
weaknesses at federal agencies.
And, in a September 1996 report, GAO reported that
over the past 2 years, serious information control weaknesses existed at 10
of the 15 largest federal agencies. The significance of these weaknesses
cannot be understated.
According to another GAO report, in 1995 alone,
the Department of Defense may have experienced as many as 250,000 attacks
to its computer systems. It's estimated that fully 64 percent of these
attacks succeeded in gaining access to DOD systems.
Concurrent with the release of GAO's high risk
report, this Subcommittee held the second in a series of computer security
briefings that I had initiated in the 104th Congress. During the briefing,
members of the Science Committee heard from some of the most respected
experts in the field. They all agreed that the Federal Government must do
more to secure the sensitive electronic data it possesses.
In response, I included increased
authorizations, with the approval of this Subcommittee, of $10 million a
year in H.R. 1271, the Federal Aviation Administration Research,
Engineering and Development Authorization Act of 1997, and $4 million a
year in H.R. 1274, which was the NIST Authorization Act of 1997. These
increases, if appropriated, should allow the FAA to conduct the research
required to improve the security of its computer systems and enable NIST to
increase its efforts to improve computer security in federal agencies.
The increase in authorizations, however, is only
one part of the solution. Updating the Computer Security Act to enable NIST
to better utilize private sector advances in computer security technologies
is another.
The Federal Government is not alone in its need to
secure electronic information. The corruption of electronic data threatens
every sector of our economy.
The market for high quality computer security
products is enormous. And, the U.S. software and hardware industries are
responding. The passage of H.R. 1903, I believe, will enable the Federal
Government, through NIST, to benefit from these technological advances.
I look forward to hearing from our distinguished
panelists today. And, in my estimation, it's a good bill. And, I am hopeful
we can move it through the legislative process in short order.
And, I am now delighted and honored to recognize
the Ranking Member of this Subcommittee for his comments, Mr. Gordon.
[The text of H.R. 1903 follows:]
Mr. GORDON. Thank you. I want to join
Chairwoman Morella in welcoming everyone to this hearing.
Not a day goes by that we don't see some reference
in the news to the Internet and the explosive growth of electronic
commerce. What was originally envisioned as a network for defense
communications and university research is now an international
communications network of which we are just beginning to realize its
potential.
Both the Office of Technology Assessment and
National Research Council reports have identified a major obstacle to the
growth of electronic commerce—the lack of widespread use of
encryption products. The Computer Security Enhancement Act of 1997 is the
first step to encourage the use of encryption products, both by the federal
agencies and the private sector. This is, in turn—or, this in turn
will support the growth of electronic commerce.
The Computer Security Enhancement Act of 1997,
which amends the Computer Security Act of 1987, depends on the close
collaboration and cooperation between the National Institute of Standards
and Technology and industry in developing standard reference materials and
reference standards that are key to commerce. This legislation highlights
the need for NIST to expand its activities in the area of electronic
commerce.
H.R. 1903 strengthens NIST's role in coordinating
federal agencies' efforts to utilize encryption and digital identification
products. It encourages federal agencies to adopt and use commercially
available encryption technologies whenever possible.
In addition, this legislation allows NIST to
evaluate the technical merit of industry claims of the strength of
generally available foreign encryption products. Hopefully, this will
defuse some of the tension surrounding the issue of export of domestic
encryption products.
Not only is this legislation consistent with the
recommendations of the Office of Technology Assessment and the National
Research Council, it is also in line with a set of resolutions adopted by
the NIST Computer System Security and Privacy Advisory Board on June 6,
1997. Finally, I believe this bill is consistent with the goals of
President Clinton's upcoming policy announcement on electronic
commerce.
I believe that the most important underlying
element of H.R. 1903 is that it recognizes that government and private
sector computer security needs are similar. Hopefully, the result will be
lower cost and better security for everyone.
It has been a pleasure working with
Chairwoman Morella on crafting this piece of legislation. I look forward to
working with her to move this bill through the legislative process.
I want to thank our witnesses for taking the time
to appear before us. And, I look forward to hearing your comments.
Mrs. MORELLA. Thanks, Mr. Gordon. I want to
recognize Mr. Brady from Texas, who is here. Do you have any opening
comments that you would like to make?
Mr. BRADY. No, thank you.
Mrs. MORELLA. Ms. Rivers from Michigan.
Ms. RIVERS. No, thank you.
Mrs. MORELLA. All right. And, Mr. Ehlers
from Michigan also.
Mr. EHLERS. Thank you, Madam Chairwoman.
Just a few words. I apologize for being late, but I was—interestingly
enough, I was at a meeting with the Speaker and several members on the
encryption problem, export encryption problem, and had a very fruitful
discussion.
I think very few people realize the importance of
computer security and the importance of proper encryption of data flowing
over the Internet and other public means of communications. And, I am very
pleased that we have this hearing.
I am pleased with your interest in the topic,
Madam Chairwoman. And, I am pleased we are taking action on this.
I think it's extremely important for our Nation to
be ahead of the curve on this. And, I hope we can soon change—even
though that's not directly the concern here, I hope we can soon change our
national export policy on encryption so that we can continue to maintain
the lead on this issue and can show the rest of the world how it should be
done.
Thank you very much.
Mrs. MORELLA. Thank you, Mr. Ehlers. I
am glad you were at that meeting.
And, I note also—in my opening comments, I
indicated that you are also a co-sponsor of this legislation we are
considering.
And, now on to hear the distinguished panel that
we have. Thank you, again, first of all, for your patience. You found out
what it's like to testify here in the House of Representatives. I am sure
that the Senate is probably not even as timely as we are.
I would like to just recognize—and we will
proceed in this order, probably asking you to speak maybe not more than
about 5 minutes, knowing that your total testimonies will be included in
the record; so, if you want to, abbreviate—the Honorable Gary
Bachula, the Acting Under Secretary for Technology in the Technology
Administration of the U.S. Department of Commerce; Mr. Whitfield Diffie,
who has his doctorate in technical sciences, distinguished engineer, Sun
Microsystems from Mountain View, California, welcome; Mr. Stephen Walker,
who is the President and CEO of Trusted Information Systems, Incorporated,
Glenwood, Maryland; Mr. James Bidzos, President and CEO of RSA Data
Security, Redwood City, California, thank you for being here; and, Marc
Rotenberg, Director, Electronic Privacy Information Center, Washington,
DC, Esquire, thank you also.
I appreciate it. And, we will start off then with
Mr. Bachula.
STATEMENT OF HON. GARY R. BACHULA, ACTING UNDER SECRETARY OF COMMERCE FOR
TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE TECHNOLOGY ADMINISTRATION,
WASHINGTON, DC
Mr. BACHULA. Thank you, Madam Chairwoman,
for the opportunity to testify on H.R. 1903, the Computer Security
Enhancement Act of 1997.
I, first, want to commend you and the Committee
members and your staff for turning the attention of Congress to the vital
issue of securing our government's and our Nation's information
infrastructure. I do have a longer written statement which I would like to
be included in the record and with your permission, I would offer some
highlights in my oral testimony.
Mrs. MORELLA. With no objection, that
will be the case.
Mr. BACHULA. Madam Chairwoman, we stand
today at the dawn of a whole new world of electronic commerce, doing
business digitally using the emerging information infrastructure. This new
era will change all of our lives.
It will allow businesses to buy and sell, to
recruit workers, make contracts, exchange money and to organize
instantaneous supply chains around the globe. It will allow consumers a
dizzying set of choices in banking, making travel reservations, home
shopping and literally, will eventually, allow them to custom order
products where hitting the return button on a home PC will start in motion a
process of custom designed assembly of materials, manufacturing and
shipping that may occur in only a day or two.
Within a few years, you may be able to order a
custom made suit fit to your exact measurements from a highly interactive
electronic catalog that will allow you to see the suit on a model, maybe
even a model of yourself, turn it around to three dimensions, allow you to
try different styles, colors or fabrics before your eyes. And, then when
you order that suit, you will set in motion a process where fabric will be
shipped from a supplier in one State to a factory in another. Very high
tech cutting machines will assemble that piece of clothing, and the suit
will be delivered to your home in just a few days.
And, the system that ordered that suit will
arrange for the payment, keep a record so you can order another. And, maybe
it will send you a note a year or two later with a discount coupon asking
whether you are ready for another one.
Or, imagine shopping for furniture and with the
appropriate computer program trying out different pieces and styles of
furniture in a very realistic but virtual representation of your own family
room. If you like a particular couch, but need it to be 3 inches shorter to
fit between your tables, you can make that request as well as test the look
of different colors and styles.
And, again, when you order, you will set in
motion a whole set of activities that some call manufacturing on demand.
Others of us might just call that pretty cool.
But, electronic commerce, to grow and succeed to
that kind of vision, requires a reliable, secure and trustworthy
environment. To buy and sell over the network, we need to have confidence
that I am who I say I am.
We need to have confidence in the integrity of
some kinds of information, that some information has not and cannot be
tampered with by hackers. We need to know that we can transact business
perhaps with our doctors that is private.
We need to have access to public information, but
also the assurance that the wrong people will not have access to classified
or private information. The tools that make electronic commerce possible
are the tools that we are talking about here today.
The discussions can get pretty detailed and
esoteric. Sometimes the debates get passionate.
I am not a computer expert myself nor have I
engaged in some of these emotional debates. I am here today to talk about
NIST's role in computer security and enabling this exciting, rapidly
evolving and potentially very lucrative for the U.S. economy, arena of
electronic commerce.
When the Computer Security Act was enacted 10
years ago, things were a lot simpler, particularly in the Federal
Government. On the whole, our computer systems were centralized; networks
were isolated; applications were compartmentalized.
Physical threats to systems were the predominant
concern at that time. The term "virus" was just beginning to become part
of our lexicon. And, things like digital warfare or digital terrorism were
very abstract notions.
Today, government agencies are increasingly
delivering services and information directly to citizens via powerful
computer applications, using technology that spans the range from large
systems to desktop and laptop computers often connected in decentralized
networks. These applications are increasingly interactive.
An individual virtually anywhere in the world
can access government systems. In many cases, it is the kind of access that
the government wants to encourage and should be providing. In other cases,
unfortunately, it is not.
In this emerging global information
infrastructure, government and private sector systems and networks are
increasingly intertwined and, thus, face common threats and risks.
Government must be keenly aware that the public is sensitive to issues of
electronic access to confidential information, as demonstrated in
complaints over access to social security benefits records on line.
Both government and private sectors recognize that
the reliability of systems depends upon assurances of personal privacy.
Both sectors also have similar requirements for confidentiality, integrity
of data and access to public information.
In this rapidly changing environment, the
Department of Commerce has and will continue to work with the information
technology security framework established by the Executive Office of
Management and Budget. OMB recently revised the basic management structure
that agency computer security programs should establish, and it identifies
specific supporting roles for NIST and other agencies.
NIST's primary responsibility in this area is to
provide specific technical standards and guidance to assist federal
agencies in meeting their security responsibilities. It's important to
remember that it's each agency's responsibility to protect their systems
and network, but OMB has provided a common management framework to do that
and NIST provides technical guidance and standards.
And, we have played a central role in computer
security for the U.S. government long before the passage of the Computer
Security Act of 1987. Federal Information Processing Standards called by
the acronym in government, FIPS, have provided a common basis for cost
effective and reliable information technology and security for
government.
By and large, in the development of these
standards for federal agencies, NIST references and builds upon the
standards developed in the private sector. Today, the government will use
such industry-developed standards more and more with NIST participating
fully in the voluntary standards process.
I would like to highlight a number of important
initiatives that NIST is currently undertaking that we believe will make
significant contributions toward more effective computer security
practices. First, in the past year, we have reorganized and refocused our
information technology activities, consolidating them in a new information
technology laboratory. Computer security plays a significant and key role
in this new organizational structure.
Mr. BRADY. Mr. Under Secretary, if I may
interrupt for a moment, we have reserved another minute for your
remarks.
Mr. BACHULA. Another minute? Okay. Thank
you. NIST has put out standard—or has put out a request for comments
on a new advanced encryption standard. We are looking for comments on
additional algorithms in the areas of digital signatures, looking at new
technologies to include with the existing ones.
We are very much engaged in an effort to look at a
new FIPS in the area of key agreement or exchange protocols. The bottom
line is that we are doing a great deal to both provide cutting edge, new
technologies and to assist federal agencies to comply with the security
requirements that they have.
With respect to the proposed Computer Security
Act, again, I applaud the Committee for its leadership. We support many of
the provisions of this bill.
We strongly support and applaud the portions of
the bill that enable NIST to assist, upon request from the private sector,
in the establishment of non-federal public key management infrastructures.
We support the provisions relating to NIST providing guidance and
assistance to federal agencies, including evaluations and tests of
commercially available security technologies.
We support Section 5, which provides that
NIST will emphasize technology-neutral policy guidelines and must actively
promote commercially available products for meeting the security and
privacy requirements of federal agencies.
With respect to Section 6 and Section 8, we
support the intent and principles behind those. We think that we need to
find some improved language because of some possibilities of
misunderstandings about that intent.
The one section of the bill that we must oppose,
that the Administration must oppose, is Section 7, which provides for NIST
to assess the availability and strength of foreign available cryptographic
technology as they relate to export restrictions on encryption. The
inclusion of these regulatory provisions in this bill clouds the bill's
stated objective of improving the security of Federal Government
systems.
It injects a debate into this room that probably
belongs somewhere else. Moreover, current law and procedures already
establish a government-wide process for making such evaluations.
Under current export control law, foreign
availability evaluations are appropriately considered as one of many
factors that bear on determinations of export control policy, including the
area of encryption technologies.
The proposed section would put NIST, a
non-regulatory agency, square in the middle of second-guessing both
existing regulatory processes and existing executive branch determinations.
Our plea to this Committee is to let NIST do what it does best and not
throw us in the middle of this regulatory debate.
We support this bill. We would like to work with
the Committee on a couple of language improvements in two sections.
Section 7 causes us a problem. But, by and large,
this is a good piece of legislation and we very much applaud the Committee
for its efforts.
[The prepared statement of Mr. Bachula
follows:]
Mr. BRADY. Thank you, Mr. Under Secretary.
I know that after the panel concludes, there will be some members of the
Committee that will want to talk to you more about Section 7.
Mr. BACHULA. Sure.
Mr. BRADY. Thank you. Dr. Diffie.
STATEMENT OF WHITFIELD DIFFIE, DISTINGUISHED ENGINEER, SUN MICROSYSTEMS,
MOUNTAIN VIEW, CA
Mr. DIFFIE. Thank you very much. I would
like to thank the Committee for inviting me.
I am going to turn from looking at the future of
computer security to looking at the history of how we got to the position
we are in at the moment. As I sat down to make these remarks, I realized
that NIST and I have been in the cryptographic business for almost exactly
the same length of time. It's 25 years ago this coming August that an event
I think is worth taking note of occurred.
Larry Roberts, who was the funder of the Arpanet,
approached Howard Rosenblum, who was either Deputy Director for Security
or Deputy Director for Research at the time at NSA, and asked for help in
development of security technology for the Arpanet. But, he didn't want the
work to be classified and they couldn't agree. And, nothing further between
those two agencies happened at that moment.
But, Larry Roberts turned and began talking to
other people about the security problems of the network. And, one of them
was my boss, John McCarthy. And, John McCarthy, in turn, talked to me.
And, effectively, from the fall of 1972 on, I
was working full time in cryptography, having turned from previously
theoretical work in computer science. At about the same time, the Bureau of
Standards was soliciting for algorithms for what eventually became Federal
Information Processing Standard 46, the data encryption standard.
And, although when that was proposed we argued a
good deal about its adequacy then—and I was one of the big
arguers—I have to admit that it has served very well for the past 25
years. We are much better off with it than without it.
And, the work that we did in developing public key
cryptography at Stanford has complemented the development, cryptographic
developments at the Bureau of Standards. And, the two things have been used
together in the development of appropriate commercial protection systems
over this past generation. Now, that was the 1970's.
And, NSA cooperated at that time—and I think
it was a genuine cooperation—in the development of the data
encryption standard. It appeared that by the early 1980's, they may have
had second thoughts about this, having a cryptographic system that was out
of their direct control in the way they had been used to.
And, in rapid succession, there was a national
security decision directive that would vastly have expanded the authority
of DOD over security arrangements throughout the Federal Government. There
was a plan by NSA called the "Commercial COMSEC Endorsement Plan" to
produce for the first time sort of directly under NSA's imprimatur and by
its standard technique—that is, using secret cryptographic systems
that would be protected in tamper resistant hardware—to have what was
called "Type II" cryptography for the protection of government
unclassified sensitive information and all commercial and other
information.
And, they would effectively, had that succeeded,
have recaptured control over cryptography in the United States. Congress
did not consider that appropriate.
It was the subject of widespread protests by
industry, particularly the banking community which saw that it needed a
much freer, much more openly developed technology. And, in 1987, Congress
passed the Computer Security Act, which gave authority to the Department of
Commerce, and particularly to the—at approximately the same time
renamed—National Institute of Standards and Technology for authority
over computer security, network security, communications security standards
for civilian government communications.
But, that Act had provisions in it for the
NIST to consult with NSA. And, those became expanded into a Memorandum of
Understanding between the two agencies that effectively gave NSA control
over NIST's actions.
This is a natural outgrowth of having given the
authority one way and the money the other way. NIST did not have the
resources necessary to do, independently, the work that had been assigned
to it.
And, under that regime, which I would trace as
running from, let's say, 1989 until some time in the early 1990's, we saw
the development and promulgation of three federal information processing
standards of which only one, I think, has been generally acclaimed by the
outside community. Those were a digital signature standard,
developed—incidentally, two out of three of these were developed
using academic technology. But, they were developed at NSA.
A digital signature standard, which was not the
one which had become a de facto industry standard, and although at a
technical level there are pros and cons to each one of those, the effect
was opposite to the intent of standardization. It created a rift. It was an
attempt to displace an existing standard. And, so far, it has achieved only
modest success.
Something more technical called the "secure hash
algorithm." That, based on work done at MIT, but elaborated at NSA. And,
in general, that has been well received.
And, the most bizarre of the three, the Escrowed
Encryption Standard or Clipper Chip, whose strangest feature, to my mind,
is that it's a Department of Commerce standard that is based on secret
technology that is legally and physically under the control of the
Department of Defense and its contractors. So, although the Department of
Commerce has legally promulgated the standard, that standard could be cut
out from under it by Department of Defense action.
Just incidentally, I spent yesterday at the Armed
Forces Communications Electronics exhibition, which is going on here in
Washington. And, the government and industry people over there all seem to
believe that this technology is about to be declassified.
The NSA people said they tried to get it done
in time for the show and didn't succeed. But, maybe the situation is going
to be regularized.
Now, I'm very pleased to say that quite recently
NIST has begun to take actions that I think are much more consistent with
the spirit of the Computer Security Act. They have promulgated
a—begun the development of the so-called Advanced Encryption
Standard, the replacement for the existing Data Encryption Standard, and
done so—I mean, I think Webster said in the last century that the
debate couldn't have gone better if his opponent had, you know, planned it
that way.
I have to admit that they have followed a course
which is very much the course I would have recommended. They began by
asking for comments on proposed criteria against which a new standard
should be judged.
They declared that the standard would be open, the
standard would be unclassified. They are encouraging the submitters to
explain everything about the standard, the proposals that they can.
And, I believe this is what is necessary in the
modern world in order to have a cryptographic technology that will suit the
needs of the diverse community that gives us the promise of this glorious
future of Internet commerce and generally a vast improvement in
communications that the technology promises.
The diversity of network communications is not
measured in the thousands of miles across what the network is or in the
millions of machines that are connected to it. It is measured in the
diversity of authority, of purposes, of ownership of the devices connected
to the network.
And, in order to have security in that
environment, which is similar to what we've had all through
history—you have to have security in commercial environments; people
have to protect goods; they have to assure orders; they have to keep
certain secrets—we need a technology that is openly developed and,
therefore, can be trusted by everybody who uses it. So, I am very, very
pleased to find this legislation, which seems to me to speak to the
independence of NIST in performing to this task, to speak to the resources
that it needs in performing this task, and I think this bill has come at
exactly the right time to support and encourage NIST in what seems to be a
return to the, as I would call it, spirit of the Computer Security Act of
1987.
Thank you.
[The prepared statement of Mr. Diffie
follows:]
Insert offset folios 24-29
Mr. BRADY. Thank you, Dr. Diffie. And, I
know, and each of the members knows, how difficult it is to try to
summarize in 5 minutes. But, we do have your written statements.
And, we do have lots of questions afterwards. So,
I appreciate it.
Mr. DIFFIE. I never feel it's any point in
repeating the statement. You can read that. I tried to say something
else.
Mr. BRADY. All of you are very patient.
And, we appreciate it.
Mr. Walker.
STATEMENT OF STEPHEN T. WALKER, PRESIDENT AND CEO, TRUSTED INFORMATION
SYSTEMS, INCORPORATED, GLENWOOD, MD
Mr. WALKER. Thank you. I appreciate the
opportunity to be here this morning. And, I will try to be very brief.
My experience here today is, I think, relevant. I
spent 20 years as a government employee starting with the National Security
Agency and then the Defense Advanced Research Projects Agency back when the
Arpanet was getting started, and the Office of the Secretary of
Defense.
For the last 14 years, I have grown my company,
Trusted Information Systems, from a one-man consulting shop to a 300
employee publicly traded company. But, perhaps more important than any of
that, I had the opportunity to spend 5 years in the early 1990's as a
member of the Computer Systems Security and Privacy Advisory Board.
When I was asked to be a member, I had really
no clue what it was all about. There were times when the board really
didn't quite know what it was supposed to be doing.
But, when the Clipper initiative and the digital
signature standard and the other things came out in the early 1990's, the
board served a very crucial role, for which I am glad you are recognizing
the need of the board and that the efforts of the board need to be
enhanced.
I strongly support both the 1987 Computer Security
Act and the bill that you are considering here today. I strongly support
the open discussion in the public of issues of computer security. In my 30
plus years of experience, I have observed on a number of occasions that
when these discussions drift behind closed doors, things don't go well. I
am a strong believer in the Advisory Board and have had considerable
firsthand experience with its impact during some of its most effective
periods.
As this bill points out, NIST has a very important
role in directing assistance to the civilian agencies, a role which, for
various reasons, as pointed out in Willis Ware's, the resolutions passed
recently and his testimony, written testimony here, it hasn't done as well
as it could have done. I think the provisions of this bill that strengthen
the role of NIST in providing help to civilian agencies is very, very
important.
I do worry—and will comment in a
minute—on the provisions of the bill that assign NIST new product
evaluation responsibilities. I'm not sure that my concern with that is the
same as the Administration's concern; but, in fact, I believe that these
are very difficult jobs that no one really knows very well how to do.
And, among other things, they will seriously
distract NIST from the very important role that only it can do in providing
help to the civilian agencies in understanding their computer security
comments.
I would like to spend just a minute filling in a
few niches of the history that Whit so eloquently commented on. The
problems we are talking about here are not new. They date back, at least,
to the introduction of DES back in the 1975 to 1977 time frame. Even then,
there were struggles as to who should be providing advice to the civilian
agencies on computer security and encryption.
In the late 1970's, President Carter signed
Presidential Directive 24. Many people have forgotten about this one. It
gave the National Telecommunications and Information Administration the
responsibility for the unclassified use of encryption.
I know, from personal interactions with folks in
the intelligence community, that caused great consternation and, in fact,
was one of the things that prompted the passage of—or the signing by
President Reagan of NSDD–145 in 1984 as a backlash to that directive.
That one, as Whit has pointed out, gave the national security community
and, in particular, the National Security Agency significant
responsibilities in the civilian government area.
The Computer Security Act of 1987, of course, was
a backlash, a counter-backlash, if you will, to the NSDD–145. And, it
gave NIST the responsibility it has today, a very vital importance, to
provide assistance to anyone handling sensitive and unclassified
information, including the Department of Defense. And, that was always
something that sort of stuck in various people's craws.
But, the debate, of course, didn't end there. The
Memorandum of Understanding and the struggle over that, which Whit has
commented on and I'm sure Marc will tell us something about a little bit
later on—but I think the most important problem that followed the
bill was the fact that the money wasn't there. Show me the money.
And, NIST did not have the ability to do the
things that it was assigned to do in the bill. And, I'm glad that you all
are considering improving that situation.
I note that at the height of the DOD's computer
security activities in the late 1980's, they had a staff and resources 10
times the size of all of NIST's efforts in this area. I think Whit said
pretty eloquently how that was going to work out.
The written statement of Willis Ware, which I have
read and agree with, essentially said that the structure of the Act is
satisfactory but that the implementation has had significant shortfalls.
NIST has chosen in its use of its resources to focus more on research into
new problems, next problems, than on the issue that is being pointed out
here very strongly, that there are civil agencies who desperately need help
solving some of these issues. And, they don't have the resources to figure
out how to do that.
I think, as I said, this bill's focus on that
is very important.
The Advisory Board is probably the most
significant development in the Computer Security Act of 1987. The board has
fostered open discussion and a public record of computer security issues
such as the Clipper government key escrow system and the digital signature
standard debates.
These would not have happened had there not been a
board to lead the way in this and to help the government—help the
public sector better understand the dangers of government key escrow. I
strongly commend the efforts here to enhance the board.
The requirement that the Federal Information
Processing Standards must come to the board for a recommendation before
sending it to the Secretary of Commerce, I hope some reason prevails there
because frequently the board has no information about some of those
standards. But, had that provision been there, the escrowed encryption
standard, which we talked about earlier, might have been handled
differently. And, a very costly and failed effort might have been precluded
earlier.
I'm glad to note that back in February, the
Administration has decided to abandon government key escrow on the Fortezza
card. And, so we've actually perhaps fixed this issue in a relatively short
period of time in the normal evolution of government programs.
I am concerned about the portions of the bill that
direct the NIST to perform evaluations and tests of information technology.
In Section 4 of the bill, the new paragraph 6 is a very difficult task
which, I will say, NIST is not well qualified to perform, but that's not to
put NIST down. No one is well qualified to perform that job.
The Defense Department spent an enormous amount of
time, some of which I was responsible for starting, trying to do that in
the 1980's and early 1990's. And, they did not succeed at it. And, so I
worry here that we may be launching them on a very expensive task which we
are not going to be very happy with the results of.
Similarly, Section 7's tasking to evaluate
the capabilities of foreign encryption, while representing a very highly
desirable objective that we all would like to see the results of is,
itself, also a very difficult task and one that no one in government or
industry has been able to perform effectively at this point.
Both of these provisions are sending NIST off on a
difficult, expensive and time consuming, I fear, wild goose chase, the
result of which, I'm afraid, no one will be happy with. Please, review
these provisions carefully while they will consume vast resources and
seriously distract NIST from the vital role of providing that consistent
and sensible advice to civilian agencies.
Finally, the last point I would like to make,
while I am not fundamentally opposed to another NRC study on cryptography,
I seriously wonder how much closer we will be to effective public key
infrastructure after the study proposed here. Perhaps I will be pleasantly
surprised.
I thank you very much for the opportunity to
present my views and hope they are somewhat helpful to you.
[The prepared statement of Mr. Walker
follows:]
Insert offset folios 30-37
Mr. BRADY. You bet. Thank you, Mr. Walker.
Mr. Bidzos, I understand you've had a big week. So, I look forward to your
remarks.
STATEMENT OF D. JAMES BIDZOS, PRESIDENT, RSA DATA SECURITY, INCORPORATED,
REDWOOD CITY, CA
Mr. BIDZOS. Thank you, Mr. Chairman. I also
want to thank the Committee for the opportunity to be here.
I will make a few remarks, try to keep them
brief. And, of course, I've submitted a statement.
Let me just say right up front that I'm very
supportive of H.R. 1903. I think it is timely, important and offers the
potential for the best return on investment in legislation that I've seen
in the 12 years, half the time of some of these other gentlemen, that I've
been in the business.
But, before I start, I hope I can steal 45 seconds
to respond to what we've heard about Section 7 of the bill. I think the
Committee has shown a little more wisdom than it is getting credit for.
And, let me suggest both to Mr. Bachula and also to my friend, Steve, why I
think that might be very, very appropriate.
The fastest growing software company in Germany is
a company called Braukat. Braukat's business consists exclusively of
replacing the encryption in American-made products that are sold in
Germany.
So, when Netscape and Microsoft ship a product to
Germany, to a German customer, with the weakened encryption that's required
by our export regulations, Braukat comes in and replaces it with a strong
encryption similar to, this is all encryption that my company designed,
similar to the encryption that is in the U.S. version.
So, first of all, if it isn't the Commerce
Department's responsibility to protect U.S. industry by identifying and
monitoring this type of activity, whose job is it? I think the bill is
right on the money in tasking NIST with those kinds of
responsibilities.
I think the Commerce Department, as I will talk
about in a moment, in the area of encryption has really let industry down
in many, many ways. This is an excellent opportunity to get it back.
It is not difficult. It is not a distraction. It's
not technically difficult to determine simply and solely if a foreign
company has been able to successfully replace cryptography.
And, I am absolutely confident that should
NIST ask them that Netscape and Microsoft would be delighted to make
technical resources available if there is even the slimmest hope of some
policy change that could be effected by their efforts. So, I think it is
neither difficult nor inappropriate for NIST to take on this role.
It is perfectly appropriate for the Commerce
Department to be helping U.S. industry in this way.
First of all, let me just say a few words about
myself and my company. My company is RSA Data Security. It has been around
since 1982. I've been running it for a little over 11 years.
We've been fortunate in that we've designed some
very useful technology that has found great commercial success. Our
encryption technology is embedded in just about every product that I
suspect everybody in this room uses.
If you've surfed the net with Netscape Navigator or
Microsoft Internet Explorer, if you use Lotus Notes, if you use products
from Oracle, IBM, AT&T, right on down the line, 400 companies, 100
million copies of products that contain our encryption technology, then you
are an encryption user. The next time you are using Netscape Navigator, go
to the About Netscape and go to the bit about security, and you will find
an incredible tutorial about encryption that will tell you a lot about what
this technology is doing.
Now, as unbelievable as what I am about to say may
sound, in spite of the fact that these 100 million copies of off-the-shelf
products exist and are being used by U.S. industry to reinvest themselves,
to make themselves more efficient, to do all the things we read about all
the time, companies and industries getting turned upside down by the World
Wide Web, it is the policy of this Administration that those products
cannot be used by civilian agencies of the Federal Government. They are
required to use the products based on the standard that Dr. Diffie described,
the escrowed encryption standard, not what one might call one of the great
successes of NIST in the area of standardization or NSA in its short foray
into commercial product marketing and development; and, the digital
signature standard which, as Dr. Diffie said, was an attempt to displace an
existing standard—always a hard thing to do at best, not very
successful.
The unfortunate victims of this policy are
the civilian agencies of the Federal Government, who are simply trying to
provide more security, which the Act directed them to do in 1987. It was a
very timely and very good Act.
And, they are finding it very difficult to do
that. They either have to pay a huge amount of money for products that
contain technology that nobody really wants to support, which are the
existing federal standards; or, they have to go through a very complex and
difficult waiver process, although the Environmental Protection Agency and
the Department of Agriculture have both done that; or, they have to do
nothing at all and leave these systems vulnerable. And, obviously, that's
unacceptable.
This Committee has recognized that. And, that is
one of the very important things that this Act can fix.
The Computer Security Act was an example of great
timing and good leadership in 1987. Obviously, the Congress identified the
need for computer security.
It gave NIST the responsibility to provide the
leadership in computer security for the federal agencies of government.
Unfortunately, for reasons that we don't have time to discuss here, NIST
was unable to take advantage of the opportunity created for it by
Congress.
Perhaps it was the MOU. Perhaps it was a lot of
other things.
NIST has done many good things in the area of
computer security. But, when it comes to encryption, I'm afraid that they
have turned the relationship with industry into an adversarial relationship
when, in fact, there was a tremendous opportunity to work with industry;
that while it has been missed, we have an opportunity now to correct it.
And, I think that's what H.R. 1903 does.
I mentioned how unbelievable it is that in this
day and age with that sort of distribution of 100 million products that can
be used to reinvent government, according to the Vice President's own
initiative, 40 of the 45 pilots in the Vice President's initiative, by the
way, use the ''illegal technology.'' This bill would fix all of that.
This bill would direct NIST to get together
with industry, to adopt market solutions, give NIST an opportunity to
restore its leadership and its credibility with U.S. industry, which would
provide an excellent benefit, an excellent result, which is giving the
civilian federal agencies, all 120 some of them, the opportunity to simply
address the computer security need that they understand and that is so
important to them right now.
So, the bill would do wonderful things. It would
cause NIST to adopt market solutions. It would give them the opportunity to
follow up on these three initiatives that were discussed—the advanced
encryption standard which, in light of today's story in the ''Wall Street
Journal,'' if you saw it, it's critically important. The 25 year old DES
was broken for the first time in history.
A momentous event happened within hours of the
appearance of the McCain/Kerrey bill. No time to get into that today
either.
But, at any rate, this demonstrates how important
it is for NIST to take initiative. It's unfortunate that within 48 hours
after DES was broken we are talking about an advanced encryption standard
process that will probably take a couple of years.
Wouldn't it have been very, very good and so much
better for us if this process had been started 2 or 3 years ago? We would
be ahead of the curve instead of behind it.
The other thing that NIST could do is finish its
correction of its signature standard and recognize what has gone on in
industry.
And, the third thing it could do is complete its
key management FIPS effort which, by the way, FOIA documents found by EPIC
show that NIST discovered, identified and recognized the need for a key
management standard in 1989. And, we still don't have one today. This bill
would allow them to get moving on it.
So, basically, in summary, the overall return on
investment for this legislation is incredibly high. I think this is a
classic example of a great return on a small piece of legislation that will
pay dividends throughout the Federal Government, provide enhanced computer
security.
It's just hard to see any down side
whatsoever to this. And, I made my comments about Section 7. I won't say
anymore.
So, basically, the benefits would be the
additional security of federal systems, the restoring of NIST's opportunity
to take a leadership role and partner with industry, benefit from all of
that technology, bring it to federal agencies, be a showcase for computer
security solutions, and lead rather than fight over waivers and other
things with these federal agencies.
So, I strongly support this legislation. I want to
thank the Committee and Madam Chairwoman for their leadership, for the
willingness to pursue this and to invest the time.
It's timely. It's important. I couldn't be happier
about it.
Thank you very much.
[The prepared statement of Mr. Bidzos
follows:]
Insert offset folios 38-46
Mr. BRADY. Thank you, Mr. Bidzos. And, as
we pass the mike to Mr. Rotenberg, I will yield the chair to our
Chairwoman. Thank you.
Mrs. MORELLA. Mr. Brady did a terrific job.
Mr. Rotenberg, we look forward to hearing your testimony.
STATEMENT OF MARC ROTENBERG, DIRECTOR, ELECTRONIC PRIVACY INFORMATION
CENTER, AND ADJUNCT PROFESSOR, GEORGETOWN UNIVERSITY LAW CENTER,
WASHINGTON, DC
Mr. ROTENBERG. Thank you very much, Madam
Chairwoman. And, thank you to the Subcommittee for the chance to be here
this morning.
I haven't been involved with cryptography for
quite as long as some of the other members on the panel, but I was there at
the birth of the Computer Security Act 10 years ago. And, I would like to
say just a few words about this piece of legislation.
You know that at that time in the late 1980's, we
didn't have the Internet, we didn't have the World Wide Web. There was not
much commercial use of cryptography outside of the financial services
sector.
And, we were, at the same time, very much
concerned about the Soviet acquisition of western technology. Nonetheless,
Congress, through bipartisan support, recognized the need to give NIST a
primary role in the development of technical standards to protect computer
security within the Federal Government and to create a process for
openness, public accountability and private sector participation as those
decisions were made.
Now, there have been some bumps in the road over
the last 10 years. The Memorandum of Understanding, which was signed in
1989, I think took us on an unfortunate detour.
And, there have been a couple of technical
standards discussed earlier—the escrowed encryption standard and the
DSS, which have also created some problems. Nonetheless, the fundamental
purpose of this legislation, I think, has stood the test of time.
What H.R. 1903 would do is strengthen the Computer
Security Act of 1987, build on a solid foundation and ensure that computer
security standards are responsive to the needs of the civilian agencies and
make best use of private sector input and public advice. And, I can't
stress just quite how urgent this is today, 10 years later, because today,
in fact, we are increasingly dependent upon the Internet and the World Wide
Web for all of the commercial activities and opportunities and electronic
commerce that you've heard discussed earlier.
And, we are, at the same time, very much aware of
the computer security risks that people face today on line. If you look at
some of the recent opinion polls of computer users, what are they most
concerned about? Privacy is right up there at the very top.
And, they are talking about their information
in computer systems, in the Federal Government's computer systems. And, you
know we have legislation that protects that information. But, without the
technical standards that ensure that the systems are secure, it's not
enough.
What H.R. 1903 does, then, is to ensure that
private sector leadership will continue to play a critical role in the
development of these standards. It will strengthen the Computer Systems
Security and Privacy Advisory Board—I would like to say the island of
sanity in the realm of computer security decision-making, that for anyone
who has done some work with the board—and I've been there many times
over the last 5 or 6 years and continue to be impressed by the very
thoughtful, collaborative effort that the board has undertaken to get
public input, the best technical advice and ensure that that's incorporated
into decision-making.
H.R. 1903 strengthens the Advisory Board. And, I
think this is very good.
Also, I would like to say just a word on Section
7. A couple of the witnesses earlier raised some concerns that perhaps
Section 7 would be putting NIST in the job of doing some things it
shouldn't be doing.
Section 7 actually, I think, is critical to the
success of this legislation, because what Section 7 does is require the
Department of Commerce to take note of the foreign availability of strong
encryption products before the Secretary of Commerce is able to make
decisions and recommendations on policy in this area. This is only, you
know, common sense.
I mean, obviously these are contentious issues and
different groups have different views about what the significance is of
foreign availability. But, without some mechanism within the Federal
Government to make sure that that information is available to policy
makers, I think many of the decisions in this area will continue to be made
with blinders on. And, that's not a good way to make policy.
Finally, if I could make just one brief
recommendation regarding the proposed study for the National Research
Council. As you may know, the NRC completed last year a very well regarded
study on cryptography policy, a very complex issue, a comprehensive review
and well received. And, I think they've done a good job and should continue
to work in the area of computer security.
My only question, which I would like to raise at
this point, is whether perhaps topics outside of public key management
might also be considered. And, specifically this means looking at new
techniques to promote privacy and security on line, techniques to promote
anonymous or pseudo-anonymous commerce and communications that are now
being explored in other countries.
I think this is also an important area of
opportunity and growth for us. And, perhaps the NRC would look in this area
as well.
But, speaking on behalf of a lot of people who are
using the Internet today and concerned with privacy and security issues, I
can tell you that H.R. 1903 is a very important step forward in the right
direction. It builds on a solid foundation.
And, we would be happy to provide whatever support
we can to move this along. Thank you.
[The prepared statement of Mr. Rotenberg
follows:]
Insert offset folios 47-56
Mrs. MORELLA. Thank you, Mr. Rotenberg, for
that. And, we are considering the concept of new techniques and would look
forward to working with you on that.
I think what I will do for the—before we go
to vote, maybe for the first round of questioning, I will—since I was
out for a bit—as a courtesy, defer to Mr. Gordon for any
questions.
Mr. GORDON. Thank you. We are on a
tight framework here with a vote. And, I have a 5-minute rule just like you
do.
And, so let me pose a question to you. And, then
what I would like is for anyone on the Committee that would like to address
it to crisply make some suggestions and then follow up with any kind of
written comments that you would like.
Some States have begun to establish a legal
framework for digital signatures. What, if any, should be the federal role
to encourage the development of such requirements concerning the
development of uniform standards or procedures for the certification
authorities for this digital signature?
So, we will just start with anybody to make some
quick comments. And, then I would like for you to follow up with any maybe
written comments.
Mr. BIDZOS. I would be happy to offer one
short answer to that question. You are correct, in that there are a number
of efforts in various States. Utah has a Digital Signature Act, a number of
States, to legitimize, identify and standardize the use of this digital
signature technology. A number of private companies are working with a lot
of local and state governments to do this.
I talked earlier about the different standards in
place in the Federal Government. Essentially, what this whole process has
done is built a large wall between industry and the Federal Government.
And, that wall is causing a problem, in that the
Federal Government isn't playing a role in that entire process. So, we run
the risk of islands of incompatibility if we continue to pursue this.
In fact, recent legislation in the Senate would
propose that standards and products built according to new specifications
would supersede all these efforts of the States. I think we are headed down
the wrong road that way.
So, what's happened is in the absence of a
leadership role by NIST over the last few years, industry and state and
local and Federal Governments are going their own way. And, I think what
one of the benefits of H.R. 1903 is that it would force the Federal
Government to come together with industry and with the state and local
governments.
Mr. GORDON. Excuse me. Any other
suggestions? Yes, sir.
Mr. WALKER. I find myself agreeing with
Jim. There are a number of suggestions that have been made over the last
year by folks in the Administration that there should be some public
infrastructure that would be sanctioned somehow by the Administration. I
find that a very depressing thought.
And, linking it to export control and things like
that I think is a very wrong thing. It's difficult to see industry just
drifting into a way of doing this. That's where we are headed.
But, given the history of what has been happening
over the last 7 or 8 years with the Clipper, digital signature and all the
rest of these things, I would rather see the Federal Government stay back
out of this. If NIST can help industry coordinate its activities, that's
fine.
I really oppose——
Mr. GORDON. I don't mean to be
discourteous, but is there anybody else that would like to make a quick
comment?
Yes, sir.
Mr. BACHULA. Congressman, the White House
and the Department of Commerce, along with other federal agencies, have
been working for some 6 months now with the National Governors' Association
on an effort called the ''U.S. Innovation Partnership.'' It's an attempt to
sort of collaboratively work on some problems in technology in general.
In the area of electronic commerce, the States
have identified an interest in a collaborative, sort of not top down
process by which they could work with the Federal Government to arrive at
common solutions, not have it dictated to them. But, they do—they are
looking for ways to arrive at a common solution rather than 50 separate
ones.
And, they also recognize that it's not just a
question of a technology but very often cases of state law, since they have
commercial codes that may need to be updated in this area.
Mr. GORDON. Thank you. I'm afraid my time
has run. And, I will welcome any further comments that you might want to
submit.
Thank you.
Mrs. MORELLA. Because we have another vote
on the Floor, we are going to adjourn for 10 minutes. And, whatever member
of the Majority side comes back first, I will let take the chair so that we
can continue with the questioning.
Thank you for your patience.
[Brief Recess.]
AFTER RECESS
Mr. DAVIS (presiding). Thank you. Other
members are in the middle of a vote, our second vote, to adjourn today on
the House Floor. So, I'm the first one back.
I missed some of your testimony. I read some last
night that we had in, but I had a markup of our D.C. Committee today. In
fact, we took Mrs. Morella away.
But, I think I know enough to ask a few questions
here. And, correct me if I've gone over some ground that you may have
already covered.
Mr. Walker, let me just ask you at this point: I
think you were saying that NIST's job in this isn't to do an evaluation but
you could help and assist. If NIST isn't doing the evaluations, how are
they going to know what kind of assistance to offer some of these other
companies?
You know, which product is best and that kind of
stuff if you are not in the evaluation process?
Mr. WALKER. This is a difficult
situation that—because I am not at all opposed to this capability if
it can exist. I am just fearful if NIST or the government can do this.
I am reminded of NIST in some other areas of its
endeavors in the past where it was asked to comment on a particular
commercial product, commented on what it thought was an honest appraisal of
it and then came under great pressure from folks that were critical of that
particular comment, whether it was right or wrong, and caused a lot of
difficulty for the National Bureau of Standards in those days.
To the extent that they have backed off pretty
much across the board, as I understand, in not doing qualitative
evaluations of products, because they have a difficult time defending the
findings when they are contrary to the—whatever the industry group
was that asked for it. For example, with the Data Encryption Standard, the
only test that NIST does is it, essentially, will take your supposed DES
algorithm, put in a known key, grind it a million times and see if you
got the right answer. They will do that, but they won't comment any further
on it.
What we are asking in this bill for them to do is
actually go in and try to understand not only the qualities of products
that where supposedly the person submitting it is willing to give them lots
of background, but we are saying we've got to do it for foreign products
where you don't have access to the information. All you can do is try to
run the product and see what it does.
When all you can do is run the product and see
what it does, you can comment on very specific tests that you might
run—conformance tests. It's very difficult in security to determine
the things that a product doesn't do or the things that it does wrong.
I think the Defense Department, in its computer
security initiative over the last 15 years, has spent an enormous amount of
energy trying to come up with criteria for evaluating how good computer
systems are. And, as much as I had hoped that would be a successful effort,
I think it is pretty much viewed now as a failed effort.
And, I'm afraid we may be launching this off
on to another repeat of that which will take enormous resources and for
which the results, people aren't going to be happy with.
Mr. DAVIS. But, is part of your concern the
fact that NIST is working right now on a limited budget in terms of setting
priorities? This may not——
Mr. WALKER. Well, of course, a limited
budget is the beginning of the problem. But, I'm actually fearful that you
may provide them an enormous budget and they will do the same thing that
the DOD did with the trusted computer system evaluation
criteria—create a huge bureaucracy of 300 people and still not
produce results that are the kind of things that we all want.
We would love to have people be able to say,
''Yes, this product is really good,'' or, ''That product is really not
good.'' But, whenever the government says that product is not very good, it
suddenly makes the government subject to all kinds of attacks and, as I
understand it, all kinds of pressure through various legislative processes
and elsewhere to, ''Oh, no, amend your comment, because it's not favorable
to my constituent,'' or whatever. And, that's the situation that I don't
think we want to get an organization like NIST into.
Mr. DAVIS. All right, thank you. Let me ask
Mr. Bidzos if he has any comment on that?
Mr. BIDZOS. I disagree with Steve on this.
I think NIST would not be so ambitious, because I think they would
understand that it would be counterproductive.
Let me use an analogy. What we don't want to do is
if we are talking about cars instead of encryption, we don't want to ask
NIST to decide which car is better, because Steve is right, people, you
know, they are going to start thinking about how comfortable the seats are,
how do the brakes feel. That's not what we are about.
The analogy I am talking about here is, let's say,
that U.S. car makers sold products overseas but a government restriction
caused them to limit the car speed to 40 miles an hour. And, then we found
out that a foreign company was selling an upgrade kit that made the car go
120 again, like the ones sold in the United States.
The question is: Does the car overseas, after
the upgrade kit is added, go 120 or not? We are asking NIST to operate a
radar gun, not to evaluate whether they like the car or whether it's as
good as American cars.
And, if the answer is that there's an industry
that U.S. government policy is creating that exists for no reason other
than to fill the void left by export policy, if the Commerce Department
isn't going to help us understand that problem, who is?
Whose job is it to protect U.S. industry in that
case if not the Commerce Department?
And, I think the funding provided by H.R. 1903
would address this problem, would give NIST the authority, the money to go
and do this job. And, I think they are smart enough not to go off and
pursue things that don't make sense, especially when there's ample history
through the Defense Department that it's just not a good thing to do.
Mr. DAVIS. Let me ask—I will give you
a chance, Mr. Walker, but let me just ask Mr. Bachula, in your testimony
you noted that the key technology focus areas in the NIST security program,
I think the third one you had was to provide objective criteria for testing
and assessing the functionality and assurance of security technology in
products.
And, just to bring you into this a little bit,
isn't that something NIST ought to already be doing?
Mr. BACHULA. It's important to look at all
the words in that sentence—objective criteria for testing but not to
do the actual product testing. NIST is not an underwriter's laboratory.
It's not a consumer's report.
We are a step removed from that. There are many
private sector entities—and I'm talking now about the broad area of
standards testing, the measurements—that provide the sort of direct
services to American industry.
We are a step removed from that. We maintain
basic units of measurements, derive units.
The standards and calibrations have to be
traceable back to NIST. But, we are not in the actual product testing
business. And, I don't think we want to be. And, good reasons have been
expressed for that here.
Mr. DAVIS. Mr. Bachula, let me just add,
Section 7, as I read it right now, doesn't impact the export control of
encryption products. However, I think Congress is going to certainly roll
over the Administration on an encryption policy.
You saw the Judiciary vote. And, I think that will
be a done deal, and I wouldn't be surprised if the Administration reversed
it.
That's above your pay grade, I guess, as this
goes.
Mr. BACHULA. It's outside the purview
of——
Mr. DAVIS. Right.
Mr. BACHULA. (continuing) —NIST at
this point.
Mr. DAVIS. But, do you believe that by
simply quantifying the strength of foreign encryption products you would
harm national security?
Mr. BACHULA. I think what we have right now
is an existing process, an existing regulatory process, existing Executive
Branch rulings on how we evaluate export controls. This would have the
effect of putting NIST in the middle of that process and, essentially,
second-guessing other agencies.
It's not a role we welcome. It has been suggested
here that it's not perhaps a role we could do well.
And, the kinds of resources that it might
ultimately require raise a question of priorities. We can serve a far
better role in this general area and not get into that business.
Mr. DAVIS. Let me ask—and, Mr.
Walker, I will give you a chance to comment in a second. But, I haven't
heard from a couple of the other panelists.
Let me ask Mr. Rotenberg, if you have any comments
on this?
Mr. ROTENBERG. Yes, Congressman. You know,
the Department of Commerce already plays a significant role in cryptography
policy. I don't think there's any question about that.
What Section 7 of this bill tries to do is make
sure that the role that they play is based on some solid evidence, which I
think is good not only for science but also for public policy. Basically,
it says if you are going to make some recommendations about cryptography in
the United States, you really have to take note of what's available around
the world.
And, I think this is, you know, just a baseline. I
mean, you may come down somewhere else and you may still have some
disagreements.
But, I really do have to disagree with Mr. Bachula
on this point. I think that's a critical role for NIST to play.
Mr. DAVIS. Okay. Yes, Mr. Diffie, you
haven't said anything yet.
Mr. DIFFIE. Well, I find myself torn,
because I'm inclined to agree——
Mr. DAVIS. You are going to break the tie
up here. I think it's 2 to 2.
Mr. DIFFIE. I'm inclined to agree with the
objectives of the section, but I'm inclined to think that people have
underestimated the difficulty of this activity.
Three years ago before the Senate, Admiral John
McConnell, Director of NSA, said a wonderful thing. He said, ''I do a
market survey of the world's cryptography every 24 hours.''
Now, I think that's (a) true; and, (b) that
you know how many billions of dollars they spend doing that. And, in some
sense, evaluating cryptographic systems is the heart of cryptography and
cryptanalysis.
And, it's a very difficult job. And, I doubt that
these resources are adequate to produce meaningful results to answer the
kinds of issues that are being argued about in where you are saying, you
know, ''Is this just being exported into a market where there are
equivalent products or are the products that are there not actually
equivalent to this one?''
So, I am enthusiastic about the idea. I'm not
capable of speaking for its success.
Mr. DAVIS. Mr. Walker, I want to give you
another chance.
Mr. WALKER. Thank you. I appreciate it.
I agree completely with what was just said. I am
in favor of the objectives of this. I am very concerned about how it gets
done.
Let me give you some practical experience we've
had. Back in 1993, just when Clipper came out, the Software Publishers
Association and Professor Lance Hoffman and TIS got together and said,
''Let's go out and see what foreign crypto is out there. Let's do a
survey.''
And, we have—we did that survey with those
folks. We have kept it going. It is available on our Web page. It's updated
every quarter. We have found thousands of foreign products and thousands of
U.S. products.
I testified in both the fall of 1993 and in the
spring of 1994 and brought in the foreign products that we had bought. And,
there were—it was really neat, because the staffers, before the
testimony, said, ''Well, the Administration is telling us that there aren't
any foreign products available.'' And, I was able to say, ''Well, of
course, there are. We have a list of all of these.''
And, then they said, ''Well, you can't buy them.''
And, then I was able to prove that we could buy them, because we had a
stack of them.
And, then the question was, ''Well, but they
are not any good.'' And, the question was, ''Are they any good? How do you
use these?''
Well, some of them are, in fact, implementations
of DES, for example, or of other algorithms. But, the tough problem with
encryption products is key management. How do you manage the keys?
Some of them tell you to—these are little
simple file encryption products that say, ''Type in a pass code.'' Well,
they use that pass code, then, to generate the key.
Well, they might generate a full 56-bit key or a
112-bit key. But, they might generate an 8-bit key or a 2-bit key. You
don't know.
And, in fact, there have been allegations that
some governments have influenced their companies in their countries to
build flaws into systems that they might sell to the United States or
elsewhere. It is very hard to know whether, in fact, there is a flaw in the
key management system or perhaps even in the algorithm that you can't
tell.
And, so I am concerned that asking NIST
to—putting NIST in a position of being able to say that a particular
product somewhere is better than some other product and making—having
the government make a decision based on that, you are really going down a
slippery slope very, very fast here.
Mr. ROTENBERG. Mr.
Chairman——
Mr. DAVIS. Sure.
Mr. ROTENBERG. If I could just make one
quick point.
Mr. DAVIS. Sure.
Mr. ROTENBERG. You know, my friend, Whit
Diffie, I think, is right, that this is a difficult task, doing the
evaluation. But, this is—the way this section is drafted is almost an
appeal as a matter of right.
You see, what requires NIST to undertake this
study is in the circumstance where the Secretary of Commerce has imposed or
proposes to impose export restrictions on a product. So, here you have the
U.S. government telling a U.S. firm, ''You cannot send this product
overseas.'' And, the U.S. firm simply wants to say, ''Well, would you at
least consider the fact that a similar product is currently available
overseas?''
What Section 7 does is basically say to the
Department of Commerce, ''If you are going to take that step, Mr.
Secretary, you have to at least consider the fact that a similar product
may already be available.'' And, I think this is very sensible, because if
you don't do that you just give this blanket authority that I think, you
know, is not sensible.
And, I think this is a critical piece of the bill,
frankly.
Mr. DAVIS. Okay. Anybody else? Mr.
Bidzos.
Mr. BIDZOS. Could I just add one more
comment again?
Mr. DAVIS. Sure.
Mr. BIDZOS. I would take issue with Steve's
comments and Whit's, because I think that things have changed so much in
the last few years that it's not true anymore that it's that hard to
measure things.
When you've got companies who are exploiting our
export control laws by doing nothing other than specifically replacing that
small crypto part, representing as a part of the product a small—yes,
complex but a small part, the review process is very manageable.
Also, when I testified before Senator Burns'
committee last summer, I brought along with me a couple of chips,
encryption chips, manufactured by NTT, the world's largest company. All
these things that Steve was talking about—how do you generate keys
and pass codes, maybe it's 2-bits—it's all in the chip. It works.
This is a $200 billion a year company that sells
hundreds of millions of chips a year, and it knows how to make them. And,
they work. And, there is nothing wrong with them. It's very easy to point
to them and say, ''These work.''
This is an argument that has been put forth
by other parts of the government, which is that, you know, you are not
threatened competitively because the other products aren't as good. It is
easy to demonstrate now that those products are as good.
And, as Marc points out, all we want to do is
understand whether that's true or not. If you tell NIST that what they are
going to do is take the money provided by H.R. 1903, go to Section 7 and
duplicate what NSA tried to do in the 1980's and 1990's, sure, they are
going to fail.
If you tell them that they are going to do an
evaluation as comprehensive as NSA does when it attacks a crypto system it
identifies, sure, they are going to fail. That is absolutely not what
Section 7 asks NIST to do.
Mr. DAVIS. I think the last study on
foreign availability is now 2 years old, and it was done by NIST.
Let me just ask one other question just to stir it
up a little bit. Do you think that—what would be the result of a
federal policy that divests NIST of its jurisdiction and gives these duties
to NSA?
Mr. WALKER. I think I can speak for all of
us in saying that would be a total disaster.
Mr. DAVIS. Okay. Does everybody agree with
that?
Mr. BIDZOS. I think you would have a
situation where an agency of the Defense Department is making economic
policy. So, maybe that's the right question.
Is it okay for NSA to continue making economic
policy? And, I submit the answer is no.
Mr. DAVIS. Actually, I appeared on a panel
with Mr. Magaziner and a group of high technology executives. And, he just
said, ''I agree with you on encryption, but the NSA boys won this battle.''
So, maybe they are making policy.
I am going to turn it over now to Chairwoman
Morella and let her assume her Chairwoman's role. Connie.
Mrs. MORELLA. Well, gentlemen, we are
finally reaching the finale. And, I appreciate your patience in being here
and going through this, particularly the contributions that you have made
to our understanding of this bill.
We may disagree with a couple of you on Section 7,
but I think we can work out those problems. And, I appreciated Mr. Davis
asking some of those questions and your responses.
I guess, Mr. Rotenberg, I wanted to ask you what
is your appraisal or assessment of encryption standard setting efforts
outside of the United States?
And, do you think we properly address that in this
bill, H.R. 1903?
Mr. ROTENBERG. Well, I appreciate your
question. I spent the past year working with the Organization for Economic
Cooperation and Development on the framework for international cryptography
policy.
And, what struck me, looking at how other
governments were dealing with this issue, is how important it was to ensure
that the Departments of Commerce and Trade and Telecommunications played an
active role in this technical standard-setting arena, because I think as
other governments realize today, you know, this is the future. And, these
technologies are the technologies that are going to make possible commerce
in the 21st Century.
So, my sense, having watched these developments in
other countries is that today the need to strengthen our commercial side,
civilian side, policy development is critical. And, I think in that
respect, H.R. 1903 is, you know, absolutely on course.
It is the direction that I think that countries
which are aware of the need to ensure strong and vibrant economies are
taking.
Mrs. MORELLA. I think I saw you nodding
affirmatively. And, I guess that means that you are in favor of his
response, that we do need that comes out in H.R. 1903?
Mr. BIDZOS. Yes.
Mrs. MORELLA. I guess, you know, we've
tried to focus on enhancing the Computer Security Act and not to be
overwhelming. And, I guess, by and large, do you think we have done a good
job with this bill?
Now, I think Mr. Rotenberg does, Mr. Bidzos does.
Mr. Walker does?
Mr. WALKER. Yes.
Mrs. MORELLA. Okay. You are now on record.
Okay, very good. And, I just wanted——
Mr. WALKER. I think this is a very good
bill. There are a few parts of it I think need to be looked at.
But, I agree completely with what you are saying
and what is trying to be accomplished here.
Mrs. MORELLA. If you can give to this
Subcommittee whatever your recommendations are, if there is some language
within it that you think might be——
Mr. WALKER. Well, that was part of the
testimony that was——
Mrs. MORELLA. That you have in it. So, you
have given us that.
Mr. WALKER. And, I don't disagree. It's
Section 7, I suppose, and also the section earlier, the new paragraph 6
somewhere, that says they should be evaluating products and all.
I'm just worried that, as my associates here have
been saying, all Section 7 is doing is the following. Well, if that's all
that Section 7 is doing, then I agree with it completely, too.
Mrs. MORELLA. Okay.
Mr. WALKER. My concern is that I was
part of the government for 20 some years, and I've watched the government
since then. And, when you say, ''Go do this,'' they tend to say, ''Oh, but
in order to make sure I am doing it right, I have to do this and this and
this.'' And, that turns into a gigantic situation, which is very expensive
and ends up being unsatisfactory to anybody.
That's my real concern here, that whether you are
telling—whether the language is clear enough that this is the only
thing they are going to do I think is debatable, because we've come to
different views just reading the words. My concern is that if it is not
very clear how limited it is that you want them to do that you may be
creating a gigantic bureaucracy.
That's really my concern here, not with the
principle that is trying to be accomplished. We do need to understand how
these systems work, both foreign and domestic.
I just find it hard—it has been hard up
until now for people to do that. If it's all built into a chip, it's easy
to test it.
But, a lot of these products involve a lot of
software. There are threats that other governments have, in fact, directed
companies to build flaws into these systems. I'm not going to mention
specifics, but there have been these things in the press for some time.
And, it's very hard to find out whether that's really true or not.
And, if you want NIST to be able to get into that
level of detail, they won't succeed because no one else has. That's
really—it's a matter of degree as opposed to whether the principle is
there or not.
Mrs. MORELLA. I appreciate your statement
and your concern about misinterpretation and taking on too much
responsibility in that interpretation layers.
Mr. Rotenberg, I think you would like to respond
to that.
Mr. ROTENBERG. Madam Chairwoman, there was
some discussion on this point earlier. And, I'm actually very pleased at
Steve Walker's comment.
I think if there is an understanding here
about what the intent of Section 7 is—and I certainly take the
section to mean simply that where the Secretary of Commerce is planning to
impose some restriction through export control authority, it would be
sensible to look at foreign availability. I think if we are in agreement on
this point, then, you know, then maybe there is not really a problem
here.
I think we are also in agreement on the
complementary point, which is not the idea to do this sort of massive
survey of everything on a real time basis. That would not be an appropriate
role for NIST.
But, if the Secretary of Commerce is exercising
export control authority, I think, you know, developers and firms and
others, as a matter of right, should be able to say, ''Listen, before you
make this decision that affects me or my company, you know, please consider
what is happening in other countries.''
Mr. WALKER. I don't disagree with what you
are saying. I think my real concern with Section 7—I don't have it in
front of me—is the part that says 180 days after the bill is passed
NIST will prepare criteria as to how all this will be done. Well, how far
are we going to go?
I mean, do you have to understand whether the key
management system really works and if there are any flaws in it? Because if
you are going to say something is okay or good, I mean, this
is—that's the part—it's really the second portion where it
talks about creating these criteria and publishing them that's going to be
the difficult thing to do.
If we can come up with those criteria and
everybody can be happy with them, then the 30 days response to a particular
product is fine. I have just watched government develop criteria for
testing things for enough years now that I am fearful that is going to be a
hard thing to do.
Mrs. MORELLA. I understand what you are
saying. It's simply that if you stay away from any time frames, sometimes
these things get lost. And, so that's the inclination.
There is also a possibility that in report
language that would accompany this bill there could be a clarification,
just, you know, a possibility that could be worked out, too.
But, I really didn't give you, Mr. Diffie, an
opportunity to respond. I would like to very much.
Mr. DIFFIE. Well, I think that actually, in
listening to this discussion, I am reminded that user trust in security
systems is the bottom line problem and, in some sense, the most difficult
problem in all of security. And, I am suddenly more enthusiastic than I was
when I walked in that NIST should get its toe farther into this water as an
issue of technology indirectly, not an issue—I think issues of
intelligence policy and competition, you know, assignment of responsibility
and all those things come up.
But, I think it is very important to see whether
maybe old people like me are not stuck in our ways. And, I spoke while you
were absent, saying, you know, I agreed with the objectives here, but I was
worried that, after all, this is, in some sense, most of the activity of
NSA, which is a multi-billion dollar activity.
And, so I despaired of doing it on a million
dollar budget. But, I am beginning to think that, you know, there may be
hidden requirement blocks there in my thinking and that it's definitely
worth investigating whether this can be done in a way that will suit these
objectives without getting ensnared in things that you didn't really need
to do.
And, it wouldn't be the first time that I thought
somebody was going to get ensnared and somebody had better footwork than I
did and stepped around it.
Mrs. MORELLA. Oh, what an open-minded man.
I appreciate that very much.
[Laughter.]
Mrs. MORELLA. And, now to Mr. Bachula. I
would like to have you say the same thing that Mr. Diffie did.
[Laughter.]
Mr. BACHULA. Ms. Morella, your original
question was did the Committee do a good job——
Mrs. MORELLA. Yes.
Mr. BACHULA. (continuing) —in
drafting this bill.
[Laughter.]
Mr. BACHULA. And, let me say that I think
this Committee always does a good job, particularly in its oversight of the
Technology Administration and NIST.
[Laughter.]
Mr. BACHULA. I think that while we have
discussed some portions of this bill and some issues that obviously bring
out passion and strong views, we should not lose sight of the strong areas
of agreement that we have among all of the witnesses here and with the
Committee—a stronger role for NIST in the area of computer security,
updating the Act to sort of match the times, emphasis on the voluntary
consensus process, working with industry, arriving at federal standards
that are consistent with commercial standards and not trying to have
separate.
While there was some very, very good discussion
about the history in this regard, I think that where we are today in our
efforts to seek comment on the Advanced Encryption Standard, to modify the
DSS, to move in those directions, most of the witnesses basically agree
that where we are today and where we believe we are going is where we ought
to be. So, we have vast areas of agreement, both among the witnesses and
with the Committee on this bill.
And, the emphasis on a section or two shouldn't
override that.
Mrs. MORELLA. Thank you. Just one final
question and, again, to Mr. Bachula.
I wondered what, in your opinion, is the
significance of the DES being broken yesterday?
Can you tell us what NIST's role was in
developing this Data Encryption Standard, what the procedures were that
NIST followed and what—maybe what input did NIST receive?
Mr. BACHULA. The DES standard, as you know,
is some 20 years old. It has been highly successful.
It still works. I think it might be a disservice
to consumers out there to think that somehow their ATM transactions are now
threatened or that they can't use software to communicate with their
bank.
The incident that was described in the ''Wall
Street Journal'' today involved, at least according to the newspaper
story—I mean, I don't have independent information—something
like 10,000 people, 4 months of work, running through in sort of brute
force the 72 quadrillion combinations that were needed to break the code.
The normal hacker doesn't have that kind of capacity and capability.
At the same time, it does underscore the need for
the Advanced Encryption Standard that we are working on in an open process
with industry. So, the targets keep changing.
We are going to need to keep up with those
changing technologies and are very much engaged in that process. But, I
don't think that we want to have citizens frightened by today's newspaper
story that they can't—that their money in the bank account is somehow
going to be stolen.
Mrs. MORELLA. Did you want to comment on
that, Mr. Bidzos, since you are sort of an expert on it?
Mr. BIDZOS. Thank you. I'm not sure I'm an
expert, but I would like to make a couple of comments.
This reminds me of a conversation. Part of Mr.
Bachula's response reminds me of a conversation I heard between a couple of
military men who were talking about a particular place where U.S. soldiers
were serving, and they were talking about the odds of being one of the
casualties.
And, it was pretty remote. You know, your
chances are something like one in 80,000 of being killed over in this
place.
And, then one fellow said, ''That's not bad.''
And, the other one said, ''Well, unless you are that one in 80,000.''
And, so as long as it's not your key, I guess it's
okay. The problem is—the other problem is that 10,000 people out of
the 80 million or 90 million who use the Internet worldwide is a
ridiculously small number.
It can be done. It has been demonstrated that it
can be done. It has to be taken seriously.
I think the more relevant comment is that I just
think it's unfortunate—I commend NIST for the AES project. It's very
important.
And, one of the many wonderful things about H.R.
1903 is that it provides the funding and the mandate for NIST to continue
this effort. That is critically important.
I would just point out that it's—it may not
be too late. It certainly isn't too soon.
But, we are—just having heard 48 hours ago
about DES being broken, we are at the beginning of a process that's going
to go for at least 1 or 2 years in getting a new encryption standard in
place. I think this bill, with its provisions, in the future would prevent
this from happening.
NIST would have the mandate and the money to think
ahead, to look ahead, plan ahead. And, we wouldn't be in the position that
we are in now.
Mrs. MORELLA. I am going to turn the
meeting over to Congressman Ehlers to conclude it after his questioning, to
adjourn it, and ask your permission that members who would like to submit
questions to you may be able to do so, because we would very much like to
do that.
I wanted to thank you all also for being here
and continuing to follow through with us on H.R. 1903.
Mr. Ehlers.
Mr. EHLERS. Thank you, Madam Chairwoman. I
suspect I could keep you here most of the afternoon with questions, but I
won't do that because I have a 1 p.m. meeting and you would probably enjoy
a break.
After hearing this loquacious panel, I decided one
thing. Cryptographers are not cryptic, among other things.
[Laughter.]
Mr. EHLERS. And, I am really puzzled at the
origin of that word. I will have to investigate that some time.
It doesn't have anything to do with cemeteries or
mortuaries or your patterns of speech.
A couple of other side comments. Mr. Bachula, I
don't know if you recall, but I was a member of the Michigan Legislature
when you worked for Governor Blanchard. I suspect at that point neither of
us expected to be sitting here facing each other in a room like this.
I suspect neither of us also expected that your
boss, Governor Blanchard, would end up being in the same law firm as my
friend, Senator Dole. So, life is full of funny coincidences.
On the issues of the day, I listened with interest
to the discussions about Section 7 and the opinions, pro and con. And, one
question, which any of you can answer, is if we remove the current export
controls on encryption, do your problems with Section 7 go away? Obviously,
it would have to be changed somewhat.
Mr. Bidzos.
Mr. BIDZOS. I would just like to save
you a trip to the library, Mr. Ehlers.
Cryptography is made up of two Greek root words,
krupto and graphia. Being a native Greek, I am particularly interested in
that myself.
And, they translate, respectively, into English as
secret writing.
Mr. EHLERS. I read that at one time. It
slipped my mind, which happens as you get older. Thank you.
Your response to the question, Mr. Walker.
Mr. WALKER. Well, if the motivation for
Section 7 is to be able to provide the response to U.S. companies when they
are concerned about not being able to export their product, if a foreign
product that's better is already out there, if the export controls went
away, then you wouldn't need Section 7.
Whether we still would want the ability to have
somebody assess the quality of different products out there, that need is
always going to be there whether they are U.S. products or whether they are
foreign products or whatever. And, it is that assessment of how good these
things are that I remember well being asked by—before I testified
here 3 or 4 years ago, we had bought a number of foreign products, and the
question was just how good are they. And, it's very, very hard to figure
that out.
So, the desire on the part of people to be told,
''Yes, this product is good,'' or, ''That product isn't good,'' is still
going to be there even if export controls go away.
I suspect the incentive to push for Section 7 will
go away if, in fact, the export controls are eliminated.
Mr. EHLERS. This need that you mentioned,
would that be something that is worth government money being spent for?
Mr. WALKER. Yes. But, I hope it
doesn't turn into the giant bureaucracy again.
I mean, the Defense Department had a
problem—it still does—in the 1970's called the ''Multilevel
Security Problem.'' They were building computer systems around the world,
and everyone who had access into the system had to have a top secret
clearance because you couldn't trust the computer not to reveal top secret
information to somebody with a lower clearance.
The WWMCCS system, which I was involved in when I
was at the Pentagon, a huge problem. It's very expensive to clear everybody
to a top secret level; and, yet, we couldn't trust the computers.
Well, I began—and a lot of people continued
on—a substantial effort to figure out can we determine whether
commercially available systems are good enough to be able to be used in an
environment where top secret information can be there but people with a
lower clearance can have access to it. In some sense, that's an easier
problem than the one we are trying to deal with here.
And, the Defense Department wasn't able to do it.
I mean, they tried hard. But, we have very—we still have the
multilevel security problem today.
I hope that the wording of Section 7 can be done
in such a way that it doesn't become another multilevel security problem.
But, I have watched these things happen enough times in my career that I'm
very fearful that what will happen is NIST will, if I'm right, and I may be
wrong, invest a lot of energy in trying to build these criteria because you
asked for in 180 days the criteria before this process actually goes into
effect. And, they will fail. They won't quite get it right.
People won't be happy with it. And, 2 or 3 years
down the line, you will have another hearing here and you will say, ''Darn,
you guys in NIST didn't do a good job at this,'' and you will chastise them
and tell them to stop doing it or whatever.
And, I am just fearful we are going to go off
on a wild goose chase here. It's not that the objectives of it aren't good
and useful; and, it's not that if we can constrain it in some way that it
can work.
My concern is that—and I saw this happen in
the DOD process, we tried to come up with simple criteria and then people
said, ''Well, yes, but suppose somebody finds something wrong? Suppose I
endorse something and somebody finds something wrong with it? I had better
make those criteria a little bit stronger. I better try to ask for more.''
We called it ''criteria creep.'' It was a technical term.
And, what happened is systems that were supposed
to only be sort of good, suddenly the requirements for documentation and
all became enormous. And, I'm just frightened of that process.
If we can do it short of that, then this is a good
thing to do. It's probably a useful thing for the government to do even if
export controls are eliminated.
Mr. EHLERS. Does anyone else wish to
comment? Mr. Rotenberg.
Mr. ROTENBERG. Just briefly, Mr.
Congressman. You asked the question if export controls were to go away
would Section 7 be necessary. And, I think in some respects, the problem is
anticipated that Section 7 would go away on its own accord, because the
Secretary would not be exercising the authority. And, the need to conduct
the evaluation would go away.
And, I think in this regard, as well, this is
actually a very sensible provision. It basically says if you are going to
exercise this authority and you do want to restrict the ability of U.S.
firms to sell product overseas, then we need in place some mechanism.
And, I've been rereading the language. I actually
think it's a very, sort of streamlined procedure that is described here in
the legislation for creating the mechanism.
We need some mechanism to evaluate foreign
availability. Now, if you choose not to exercise the authority, you know,
it goes away.
But, as I said, it really—I hear Mr.
Walker's concerns and it's, you know, not because I disagree with him that
there could be scenarios in which this is, you know, expensive and
bureaucratic. But, I really don't see it in the bill. That doesn't seem to
be the intent.
And, I actually don't see the authority there for
what you have described.
Mr. EHLERS. Other comments? Mr. Diffie.
Mr. DIFFIE. The—I think that the
question being asked is what is the importance of a capability to evaluate
security systems. And, I think the answer is that independent of its
application to this particular case of judging export decisions that it is
perfectly appropriate for NIST, as a body whose work is the development of
the technology underlying standards, to be given the mandate to attempt to
develop an adequate appraisal technology which will be applicable to many
things from—they won't necessarily do the individual system
evaluations once that technology has been developed, but in determining
what you have to ask people about a proposed crypto system, for example, in
order to be able to judge it against criteria at a reasonable cost.
I think that's something very, very appropriate to
charge NIST with at the moment.
Mr. EHLERS. Mr. Bachula.
Mr. BACHULA. Sir, I think the testimony of
the witnesses here has made it clear that there are two issues involved
here. One is a NIST capability, which was just described, whether it should
have it, what the resources would be, whether it could do it well, whether
it's hard to do, whether it's easy to do. And, we have heard a variety of
testimony on that subject matter.
The second question, though, is the
provisions of this bill, which essentially modifies the existing regulatory
process. And, that part of the bill, which puts NIST into a regulatory
function, is what the Administration objects to.
It puts NIST, a non-regulatory agency, one that
has never been in this business before, in the middle of a process of
second-guessing other agencies' work. The question of foreign availability
is one of the considerations that the existing regulatory process can
consider.
This would seem to sort of raise the stakes on
that issue. And, changing the existing regulatory process probably should
be done in a different venue, not this bill.
Mr. EHLERS. I suspect—and I haven't
been involved, heavily involved, in the writing, but I believe the intent
was not to involve you in the regulatory process anyway. And, perhaps the
staff would want to talk to you about the language, if that's your
concern.
Mr. BACHULA. But, if you listened to some
of the other witnesses today, that's exactly what they are applauding
about, the provisions as they read it, because they think it would modify
the process.
Mr. EHLERS. Mr. Walker, last comment.
Mr. WALKER. In trying to figure out how to
move forward on this, I seem to be the one that is bringing up technical
objections here.
I think one of the strengths of the bill that may
get us out of this if you proceed with Section 7 as it is, the Advisory
Board. Having the Advisory Board role strengthened so that it can be
involved in this, I think, would be an excellent way to try to ensure that
the concerns I have of what might go wrong in building a bureaucratic
process and all can be held in sway.
I mean, it's the kind of thing you all can't look
at on a yearly basis or every 2 years or whatever, but the Advisory Board
could. And, to the effect that the provisions of the bill strengthen the
role of the Advisory Board and maybe in the documents that accompany the
bill you can say, ''Hey, Advisory Board, keep a close eye on Section 7 so
that it doesn't turn into a bureaucratic nightmare.'' And, it may be just
exactly the kind of thing that Marc and I could agree would be a good way
to proceed.
Mr. EHLERS. Thank you. Mr. Bidzos, do
you have any comments? You haven't had an opportunity yet.
Mr. BIDZOS. I would just like to point out,
with all due respect to Mr. Bachula, that NIST is now in the business of
regulating the encryption industry because of its recently assumed
responsibility for the export of cryptography recently handed to it from
the State Department by the Administration—I'm sorry, the Commerce
Department.
But, it seems to me that what H.R. 1903 is
proposing to do is to say, ''Gee, if that's going to be your job, then here
are some funds with which you can conduct some investigation and research
that should help you do it better.''
And, you know, I feel Steve's pain. I mean, it's
pretty clear that he had a very, very painful experience in the government
before. But, that doesn't mean we shouldn't let NIST try to do it.
And, in one sense, just because NSA has been doing
many of the things that the Computer Security Act envisioned NIST doing
doesn't mean that we should assume that NIST, if we correct that, will now
try to do all of the things that NSA tried to do.
Mr. EHLERS. Thank you. I appreciate those
comments. Just a few other quick questions.
Mr. Bachula, you referred at one point during the
discussion—and I don't recall exactly in reference to which aspect of
the bill—a concern about the need to build up additional expertise
whether—maybe I'm putting words in your mouth. But, you seem to be
concerned about NIST being able to handle some of the functions that we are
assigning to it here.
One question I just wanted to ask: Do you have
contact with the NSA? Do they make available to you any of their
expertise?
Obviously, they seem to have one of the world's
greatest collections of cryptographic experts. Are they, by charter, not
allowed to help you out or advise you?
Mr. BACHULA. I think they have an
awesome set of skills. In terms of basics or technical expertise, NIST has
access to NSA and other experts around the government, as does the
regulatory body, the Bureau of Export Administration, which is the part of
the Department of Commerce that right now deals with export regulations.
They have access to the same kind of expertise.
And, in terms of foreign availability and these
kinds of determinations that are being talked about, they do it now in that
avenue.
But, NIST has had a long relationship—some
of it was described in the earlier history today—with NSA. And,
again, they have many resources.
One question about resources, which was raised by
another witness, was how much would it take to do the job. And, I can't
cite the dollars spent by NSA in this area, but I can tell you that
it—we could replace NIST with the order of magnitude.
Mr. EHLERS. I suspect you are probably
right on that. In Section 12, I notice there is a call for another NRC
study.
And, I am wondering, first of all, what the
opinion of the panel is on that. Is that necessary?
And, second, are any aspects of the previous NRC
study on this topic, even though directed at something else specifically,
that would be useful on this particular topic?
Are there any comments on that? Mr. Rotenberg.
Mr. ROTENBERG. Mr. Congressman, I mentioned
briefly in my testimony, first of all, that the NRC did very good work this
past year in their report on computer security. I think that was very
thoughtful, very comprehensive and well regarded.
And, I think it is an enormous resource to the
Federal Government, the National Research Council.
I propose specifically in my testimony that
it may be appropriate for the NRC to begin looking at what are sometimes
termed ''privacy enhancing technologies,'' ways to protect individual
privacy, to promote commerce on line. There's obviously a great deal of
interest in public key management. And, there may be some way to combine
them.
But, this area, as well, I think is particularly
important for users on the Internet today and is something the NRC would
probably do a very good job with.
Mr. EHLERS. Thank you. Any other comments?
Mr. Walker.
Mr. WALKER. I also believe that the NRC
study that was concluded last year was very helpful. And, it was a
comprehensive look across the board and made some of the best suggestions
that have been made by the best learned bodies at the time.
And, in fact, a number of those folks were cleared
and were able to participate in briefings from NSA and others and were able
to come back and say that those concerns of, ''Well, it's classified and I
can't tell you,'' are not worth the arguments that are being made. And, I
thought that was a major contribution that panel made. And, so I'm not
against NRC panels.
I do believe that public key infrastructure is an
issue where industry is really taking the lead and needs to take the lead.
And, I am, in fact, also concerned that when the government is making
suggestions that export of cryptography or key recovery or whatever must be
somehow coupled to a government approved public key infrastructure, that's
a serious concern that we all should have.
And, so, in my testimony, I made comments
that—I guess there is one other point I want to make. When—I
think it was in the fall of 1993—the appropriation was first made for
that study that was concluded in 1996, there was a great, ''Oh, good. It's
going to take them at least 2 years to do that, and we don't have to do
anything until they have, in fact, finished their study.'' And, public key
infrastructure is something we need so badly that the notion that let's put
it off to a study for—I mean, it's going to take 6 or 8 months for it
to get started and then 18 months for it to conclude.
So, to say that we are not going to do
anything about moving ahead with the public key infrastructure until after
the results of an NRC study are done again, I think is really, at this
point—if this study can be expanded to more things of the sort that
Marc is talking about, it's probably a very useful thing to do. To say
let's focus it on public key infrastructure, these things can actually do
harm because they put off—not the results of them but the fact that
it's going to take 2 years for them to happen. And,
so that's my concern with focusing on something that we so desperately
need, that it may cause a lot of people to decide, ''I'm not going to do
anything about public key infrastructure until after the results have
happened.'' And, that puts us into the next millennium. And, we just don't
need that.
Mr. EHLERS. Any other comments? Dr.
Diffie.
Mr. DIFFIE. A public key infrastructure is
something whose virtues arise almost entirely out of standardization. And,
we have at the moment a standard standardization problem; namely, we need
something desperately.
We are inclined to rush forward into it. Many
people are inclined and, therefore, come out in competition.
If, by regulation, you select one of the
competitors, you risk something like the experience with NTSC in
television, which has cursed us in North America now for two generations.
But, in return, we have the benefit of having television ahead of other
people.
I think there is—once again, there is a
research problem of the sort that NIST exists to work on which is, ''Can we
do something to coordinate efforts in public key infrastructure without, at
the same time, tying people's hands, imposing unnecessary restrictions, et
cetera?'' I don't know the answer to that question.
But, I am not convinced that NRC—that a
study is the right action here. It's something much more like a
coordinating committee that seems to me to be needed.
And, it just occurs to me, I mean, maybe the
Computer Security Advisory Board would be a more appropriate group to be
talking to everybody and to act as a forum for coordination among the
various public key infrastructure activities that are already underway.
Mr. EHLERS. Mr. Bidzos.
Mr. BIDZOS. Well, I think what has happened
is we've got this wall between industry and government, because we have
totally different standards. Dr. Diffie is absolutely correct that those 2
years that we waited for the NRC report resulted in rapid development and
progress in a public key infrastructure outside of government.
As I mentioned in my earlier comments, we have 100
million products that do inter-operate, that talk to—most of them
talk to each other. They are based on standards that not only go to the
encryption and the algorithm but formats and these credentials called
''certificates,'' all this sort of stuff. That all works.
And, I think, again, the bill is right on in terms
of telling NIST to take a look at what the market is doing and plug into
it, plug into that infrastructure; don't try to build your own, because you
tried that and that hasn't worked.
And, so the bill addresses that problem, I think,
that way.
Now, having somebody who looks at ways to make
sure that these are coordinated efforts, that's very important. And, that
was sort of my interpretation, making sure.
But, basically if we are correcting legislation
that was introduced 10 years ago, it's worth investing a year of somebody's
time to make sure that it's working so that we know in 1998 rather than
2008 that we've really gotten what we thought we were going to get from
this bill.
Mr. EHLERS. Any other comments? Any other
issues that anyone on the panel wishes to raise or any questions that you
want to raise?
[No response.]
Mr. EHLERS. If not, I certainly thank
you for your time and your attention and, above all, your expertise. It has
been a very good panel.
I've learned a lot, and I'm sure the Committee
has. We appreciate your comments on the bill and look forward to further
contact with you.
Thank you very much. The meeting stands
adjourned.
[Whereupon, at 12:50 p.m., Thursday, June 19,
1997, the hearing was adjourned.]
[The following material was received for the
record:]
44–187CC
1997
THE COMPUTER SECURITY ENHANCEMENT ACT OF 1997 TO AMEND THE NATIONAL
INSTITUTE OF STANDARDS AND TECHNOLOGY ACT TO ENHANCE THE ABILITY OF THE
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY TO IMPROVE COMPUTER
SECURITY, AND FOR OTHER PURPOSES
HEARING
BEFORE THE
COMMITTEE ON SCIENCE
SUBCOMMITTEE ON TECHNOLOGY
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTH CONGRESS
FIRST SESSION
JUNE 19, 1997
[No. XX]
Printed for the use of the Committee on Science
COMMITTEE ON SCIENCE
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
SHERWOOD L. BOEHLERT, New York
HARRIS W. FAWELL, Illinois
CONSTANCE A. MORELLA, Maryland
CURT WELDON, Pennsylvania
DANA ROHRABACHER, California
STEVEN SCHIFF, New Mexico
JOE BARTON, Texas
KEN CALVERT, California
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan
DAVE WELDON, Florida
MATT SALMON, Arizona
THOMAS M. DAVIS, Virginia
GIL GUTKNECHT, Minnesota
MARK FOLEY, Florida
THOMAS W. EWING, Illinois
CHARLES W. ''CHIP'' PICKERING, Mississippi
CHRIS CANNON, Utah
KEVIN BRADY, Texas
MERRILL COOK, Utah
PHIL ENGLISH, Pennsylvania
GEORGE R. NETHERCUTT, JR., Washington
TOM A. COBURN, Oklahoma
PETE SESSIONS, Texas
GEORGE E. BROWN, Jr., California RMM*
RALPH M. HALL, Texas
BART GORDON, Tennessee
JAMES A. TRAFICANT, Jr., Ohio
TIM ROEMER, Indiana
ROBERT E. ''BUD'' CRAMER, Jr., Alabama
JAMES A. BARCIA, Michigan
PAUL MCHALE, Pennsylvania
EDDIE BERNICE JOHNSON, Texas
ALCEE L. HASTINGS, Florida
LYNN N. RIVERS, Michigan
ZOE LOFGREN, California
LLOYD DOGGETT, Texas
MICHAEL F. DOYLE, Pennsylvania
SHEILA JACKSON LEE, Texas
BILL LUTHER, Minnesota
WALTER H. CAPPS, California
DEBBIE STABENOW, Michigan
BOB ETHERIDGE, North Carolina
NICK LAMPSON, Texas
DARLENE HOOLEY, Oregon
TODD R. SCHULTZ, Chief of Staff
BARRY C. BERINGER, Chief Counsel
PATRICIA S. SCHWARTZ, Chief Clerk/Administrator
VIVIAN A. TESSIERI, Legislative Clerk
ROBERT E. PALMER, Democratic Staff Director
Subcommittee on Technology
CONSTANCE A. MORELLA, Maryland, Chairwoman
CURT WELDON, Pennsylvania
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan
THOMAS M. DAVIS, Virginia
GIL GUTKNECHT, Minnesota
THOMAS W. EWING, Illinois
CHRIS CANNON, Utah
KEVIN BRADY, Texas
MERRILL COOK, Utah
BART GORDON, Tennessee
EDDIE BERNICE JOHNSON, Texas
LYNN N. RIVERS, Michigan
DEBBIE STABENOW, Michigan
JAMES A. BARCIA, Michigan
PAUL MCHALE, Pennsylvania
MICHAEL F. DOYLE, Pennsylvania
ELLEN O. TAUSCHER, California
*Ranking Minority Member
**Vice Chairman
C O N T E N T S
June 19, 1997:
Hon. Gary R. Bachula, Acting Under Secretary for Technology, Technology
Administration, U.S. Department of Commerce, Washington, DC
Whitfield Diffie, Distinguished Engineer, Sun Microsystems, Mountain View,
CA
Stephen T. Walker, President and CEO, Trusted Information Systems,
Inc., Glenwood, MD
D. James Bidzos, President and CEO, RSA Data Security, Redwood City,
CA
Marc Rotenberg, Esq. Director, Electronic Privacy Information Center,
Washington, DC
APPENDIX
Statement of Willis H. Ware, Chairman, Computer
System Security and Privacy Advisory Board
Responses to Post-Hearing Questions by:
Hon. Gary R. Bachula
Whitfield Diffie
Stephen T. Walker
D. James Bidzos
Marc Rotenberg