Note: The following answers were provided by NSA to the Senate Subcommittee on Technology and the Law in response to their follow- up questions to the May 3, 1994 hearings.Senate Subcommittee on Technology and the Law Hearing on the Administration's Key Escrow Encryption Standard Written Questions for VADM McConnell 1. The Defense Authorization Bill for Fiscal Year 1994 has authorized $800,000 to be spent by the National Research Council of the National Academy of Sciences to conduct a study of federal encryption policy. Can we wait to implement the key escrow encryption program until we have the benefit of the NRC's study? Do you think this study is necessary? Should this study be expedited? Answer: We do not believe that we can wait until after the NRC study is completed in 1996 to begin implementation of the key escrow initiative. The information technology industry is dynamic and fast-moving, and to wait another two years or more would, we believe, jeopardize the success of the initiative. Industry demand for encryption products is growing, and the technology is available now to meet that demand with encryption products that provide an outstanding level of security to the user conduct lawful wiretaps. To wait for the completion of the NRC study to other encryption products which would defeat lawful wiretaps. We believe that such a delay would not be in the best interest of the American people. Neither do we believe that the study should be expedited. For our part, we will carefully consider the conclusions of the NRC study. We expect that it will give very careful consideration to the issues, and we would not want the pressure of an unnecessarily short deadline to limit the study group's ability to produce the best report possible. 2. The Administration has said that it is continuing to restrict export of the most sophisticated encryption devices, in part, "because of the concerns of our allies who fear that strong encryption technology would inhibit their law enforcement capabilities." Do we really need to help our allies by prohibiting the export of strong American encryption products, since those same countries can simply control the encryption bought within their borders? Answer: Exports of encryption products are subject to review primarily to protect U.S. national interests, including national security, law enforcement, foreign policy, and other important interests. The law enforcement concerns of our allies are a consideration, especially as the ability of our allies to combat terrorism, drug trafficking, and other international law enforcement problems can have direct benefits to the United States. However, foreign law enforcement concerns do not drive our export control policy. We would continue to review encryption exports to protect U.S. national interests even if foreign law enforcement concerns disappeared. 3. Do you know whether foreign governments would be interested in importing key escrow encryption products to which they hold the decoding keys? Answer: Several foreign governments have expressed interest in key escrow encryption technology due to their own law enforcement concerns. There have been some preliminary discussions, but issues such as who would hold the escrowed keys and the circumstances of government access to escrowed keys must be fully vetted. 4. The Government wants the key escrow encryption standard to become the de facto industry standard in the United States. Would the Government abandon the Clipper Chip program if it is shown to be unsuccessful beyond government use? Answer: We do not expect the program to be unsuccessful beyond government. We have developed a sound security product that we expect will find many uses in government information systems and further believe that government use will bring with it a commercial market, particularly in the defense sector. We have developed a sound security product that we expect will find many uses in government information systems regardless of its success in commercial markets. 5. Openly available devices, such as Intel-compatible microprocessors, have seen dramatic gains, but only because everyone was free to try to build a better version. Given the restrictions on who can build devices with the classified skipjack algorithm, how will key escrow chips keep up with advances in semiconductor speed, power, capacity and integration? Answer: Despite the requirements that a firm must meet to produce key escrow encryption chips, we expect that there will be a number of manufacturers competing against each other to produce the best product, and that such competition will drive them to keep up with the latest technological advances. It is worth noting that only a few companies can produce the sophisticated microprocessors you reference, yet the competition in that market has driven them to achieve remarkable advances in that technology. NSA's STU-III secure telephone program provides an example of a cryptographic product line that keeps pace with technology. The presence of a classified algorithm does not preclude keeping pace with technology. Through NSA's use of a competitive, multi-vendor approach, STU-III secure telephone products have continued to evolve in response to user requirements and technological advances despite their use of a classified encryption algorithm and the consequent need for security restrictions on the manufacturers. 6. How well does the Skipjack algorithm work on telecommunications operating at very high speeds. Is NSA working on another algorithm, called BATON, that could be used in high speeds with a key escrow system? Will Capstone be compatible with BATON? Answer: Using currently available microelectronics technology the SKIPJACK algorithm could not be used for encryption at very high speeds. BATON is the name of an algorithm developed by NSA that could be used at higher rates of speed. We have no plans to develop key escrow encryption devices using BATON, however. Instead, we are considering another algorithm for use at high speeds with a key escrow system. A high-speed key escrow device based on an algorithm other than SKIPJACK would not be "compatible with Capstone" in the sense that traffic encrypted by such a device could not be decrypted by Capstone, and vice versa. However, since such a device would be used for much higher-speed applications than those for which Capstone was designed, there would be no need for it to be compatible with Capstone in that sense. 7. Can Capstone be used to encrypt video programming? If so, have cable companies been approached by any government agency to use Capstone to scramble or encrypt cable program? Answer: Capstone could be used to encrypt any digital signal, including video programming, operating at up to about 10 million bits per second. It could be used for encrypting individual video channels but not for bulk encryption of many channels multiplexed together in a single link. NSA is not aware of any government agency approaching cable companies to urge the use of Capstone. Two manufacturers have asked us about the suitability of key escrow devices for this purpose, however. 8. Encryption software is available that can be used with Clipper to encypt a message before after it has been encrypted with Clipper. This "double encrypting" risks bypassing the key escrow feature. If a sender first encrypts the message with software using DES, and then transmits the message "double encrypted" with Clipper, can tell you from looking at the cipher, or encrypted text, that the underlying message was encrypted? Answer: The only way to tell that a message has been "double encrypted" in this way would be to decrypt the "outer layer" of encryption, i.e. that done with Clipper. Only then would one be able to tell that the message had first been encrypted with something else. *Questions for Senator Pressler: Q: Admiral, as you are aware, critics of the Administration's proposal argue that as a practical matter, no criminal, foreign spy, or terrorist of any sophisticated would be foolish enough to use an encryption device designed by the NSA and approved by the FBI. How do you respond? Why do[n't you] think the people whose telecommunications the NSA and the FBI want most to decode will be the very people most unlikely to use this technology? Answer: From what we know today, the overriding requirement that spies, terrorist, and criminals have is for readily available and easy to use equipment that interoperates. Key escrow encryption is not meant to be a tool to catch criminals. It will make excellent encryption available to legitimate businesses and private citizens without allowing criminals to use the telecommunications system to plan and commit crimes with impunity. We believe it would be irresponsible for government to make excellent encryption broadly available knowing that its use by criminals would make it impossible for law enforcement agencies to conduct lawful wiretaps against them. The Department of Justice credits information gleaned through wiretaps as leading to more than 20,000 felony convictions since the early 1980s. This would not have been possible if the criminals had been using encryption systems the FBI could not break. Without government action, however, this fortunate situation will change. At present most people, and most criminals, don't use encryption. However, there is an increasing public awareness of the value of encryption for protecting private personal and business communications. Increasing demand for encryption by the public will likely lead to the widespread use of some form of standardized encryption on the public telecommunications network. This development would have great benefits for the country. Legitimate businesses an private individuals could use the telecommunications system secure in the knowledge that their private information such as business records and credit card numbers could not be intercepted by third parties. But there is a down side. Criminals, terrorists, and others could also use the system to plan crimes, launder money, and the like, completely secure in the knowledge that law enforcement agencies could not listen to those communications. Just as legitimate businesses operate much more efficiently and effectively using the telecommunications system than they could without it, so will criminal enterprises be able to operate more efficiently and effectively if they no longer have to avoid using the telecommunications system. The United States is faced with a choice. We can sit back and watch as the emerging national information infrastructure becomes a valuable tool for criminals and terrorists to use to plan and carry out their activities with complete security, or we can take steps to maintain the current ability of government to conduct lawful wiretaps so that prudent criminals will have to find other less efficient ways to operate and foolish ones may be caught. Key escrow encryption is the later option. Q: Would widespread use of the Skipjack algorithm harm U.S. exports? Do you think it is unlikely foreign businesses will purchase American encryption technology if the U.S. Government holds a set of the decoding keys? Answer: I do not believe that widespread use of key escrow encryption in the United States will harm U.S. exports. If it has any effect at all, it could increase exports somewhat. Key escrow encryption products provide another option for foreign purchasers that they have not had in the past; to the extent that foreigners doe purchase key escrow encryption products, it will mean an increase in exports. Meanwhile, U.S. exporters are free to continue to sell the products they currently sell in foreign markets and to seek license approvals for new products. It is difficult to predict the foreign market for U.S. key escrow encryption technology. Businesses that fear U.S. Government interception of their communications presumably would avoid products for which the U.S. Government hold keys. However, there are a number of reasons why foreign businesses might purchase them. One major reason would be to communicate securely with U.S. businesses that use them. In addition, the superior level of security provided by key escrow products (against all but lawful U.S. Government access) may make them attractive to foreign business that do not view U.S Government access as a major concern. While some prospective users abroad may steer clear of key escrow products because the United States will retain access, there may be many who believe they are unlikely to be targeted by U.S. intelligence in any case or for whom the superior security offered by key escrow encryption products against threats of greater concern may make key escrow products an attractive option. For example, a distributor of pay-TV programming may depend on encryption to ensure that only those viewers who pay for the service can decrypt the TV signal. Such a distributor probably would not be concerned about the threat of access by the United States Government, and might favor suitable key escrow encryption products over competing products that use weaker encryption algorithms. Q: You were present when the previous panelist, Stephen Walker, described how present U.S. laws prohibit his company from exporting encryption products. As I understand it, Senator Murray's bill S.1846, attempts to relax these export controls somewhat. Please give us your views on this legislation. Answer: I support the Administration's position, as announced by the White House on February 4, that current export controls must remain in place and that regulatory changes should be implemented to speed exports and reduce the licensing burden on exporters. The bill you reference appears to be inconsistent with the Administration position. I would be happy to provide you further information on the Administration's reasons for maintaining the current export controls in an appropriate setting. *Questions from Senator Murray: Q: In my office in the Hart building this February, I downloaded from the Internet an Austrian program that uses DES encryption. This was on a laptop computer, using a modem over a phone line. The Software Publishers' Association says there are at least 120 DES or comparable programs world wide. However, U.S. export control laws prohibit American exporters from selling comparable DES programs abroad. With at least 20 million people hooked up to the Internet, how do U.S. export controls actually prevent criminals, terrorists, or whoever from obtaining DES encryption software? Answer: Serious users of encryption do not entrust their security to software distributed via networks o bulletin boards. There is simply too much risk that viruses, Trojan Horses, programming errors, and other security flaws may exist in such software which could not be detected by the user. Serious users of encryption, those who depend on encryption to protect valuable data and cannot afford to take such chances, instead turn to other sources in which they can have greater confidence. Such serious users include not only entitles which may threaten U.S. national security interests, but also businesses and other major consumers of encryption products. Encryption software distribution via Internet, bulletin board, or modem does not undermine the effectiveness of encryption export controls.