
Congressional Record

THE PROTECT ACT -- (Senate - April 15, 1999)

[Page: S3771]

---

   Mr. McCAIN. Mr. President, yesterday I introduced a bill to ``Promote Reliable On-Line Transactions to Encourage Commerce and Trade,'' the PROTECT Act. This legislation seeks to promote electronic commerce by encouraging and facilitating the use of encryption in interstate commerce consistent with the protection of United States law enforcement and national security goals and missions.

   During the last Congress, there was a very intense debate surrounding the encryption issue. That debate, as with any discussion regarding encryption technology, centered around the challenge of balancing free trade objectives with national security and law enforcement interests. There were various proposals put forward. None, however, emerged as a viable solution. In the end, the debate became polarized, as many became entrenched upon basic approaches, losing sight of the overall policy objectives upon which everyone generally agreed.

   It was my objective to get outside the box of last year's debate. In the past, balancing commercial and national security interests has been treated as a zero sum game, as if the only way to forward commercial interest was at the expense of national security, or vice versa. This is simply not the case. Certainly, advanced encryption technologies present a unique set of challenges for the national security and law enforcement community. However, these challenges are not insurmountable.

   What the PROTECT Act does, is to lay out a forward-looking approach to encryption exportation, a course that puts into place a rational, fact-based procedure for making export decisions, that places high priority on bringing the national security and law enforcement community up to speed in a digital age, and that ultimately provides a national security backstop to make certain that advanced encryption products do not fall into the hands of those who would threaten the national security interests of the United States.

   Title I of the legislation deals with domestic encryption. The bill establishes that private sector use, development, manufacture, sale, distribution and import of encryption products, standards and services shall be voluntary and market driven. Further, the government is prevented from tying encryption used for confidentiality to encryption used for authentification. It is established that it is lawful for any person in the United States, and for any U.S. person in a foreign country, to develop, manufacture, sell, distribute, import, or use any encryption product.

   The PROTECT Act prohibits mandatory government access to plaintext. The bill prohibits the government from standards setting or creating approvals or incentives for providing government access to plaintext, while preserving existing authority for law enforcement and national security agencies to obtain access to information under existing law.

   Title II of the legislation deals with government procurement procedures.

[Page: S3772]
The bill makes clear that it shall be the policy of the Federal government to permit the public to interact with the government through commercial networks and infrastructure and protect the privacy and security of any electronic communications and stored information obtained by the public.

   The Federal government is encouraged to purchase encryption products for its own use, but is required to ensure that such products will interoperate with other commercial encryption products, and the government is prohibited from requiring citizens to use a specific encryption product to interact with the government.

   Title II of the PROTECT Act authorizes and directs NIST to complete establishment of the Advanced Encryption Standard by January 1, 2002. Further, the bill ensures the process is led by the private sector and open to comment. Beyond the NIST role in establishing the AES, the Commerce Department is expressly prohibited from setting encryption standards--including U.S. export controls--for private computers.

   A critical component of the PROTECT Act is improving the government's technological capabilities. Much of the concern from law enforcement and national security agencies is rooted in the unfortunate reality that the government lags desperately behind in their understanding of advanced technologies, and their ability to achieve goals and missions in the digital age.

   This legislation expands NIST's Information Technology Laboratory duties to include: (a) obtaining information regarding the most current hardware, software, telecommunications and other capabilities to understand how to access information transmitted across networks; (b) researching and developing new and emerging techniques and technologies to facilitate access to communications and electronic information; (c) researching and developing methods to detect and prevent unwanted intrusions into commercial computer networks; (d) providing assistance in responding to information security threats at the request of other Federal agencies and law enforcement; (e) facilitating the development and adoption of ``best information security practices'' between the agencies and the private sector.

   The duties of the Computer System Security and Privacy Board are expanded to include providing a forum for communication and coordination between industry and the Federal government regarding information security issues, and fostering dissemination of general, nonproprietary and nonconfidential developments in important information security technologies to appropriate federal agencies.

   Title V of the legislation deals with the export of encryption products. The Secretary of Commerce is granted sole jurisdiction over commercial encryption products, except those specifically designed or modified for military use, including command and control and intelligence applications. The legislation clarifies that the U.S. government may continue to impose export controls on all encryption products to terrorist countries, and embargoed countries; that the U.S. government may continue to prohibit exports of particular encryption products to specific individuals, organizations, country, or countries; and that encryption products remain subject to all export controls imposed for any reason other than the existence of encryption in the product.

   Encryption products utilizing a key length of 64 bits or less are decontrolled. Further, certain additional products may be exported or reexported under license exception. These include: recoverable products; encryption products to legitimate and responsible entities or organizations and their strategic partners, including on-line merchants; encryption products sold or licensed to foreign governments that are members of NATO, ASEAN, and OECD; computer hardware or computer software that does not itself provide encryption capabilities, but that incorporates APIs of interaction with encryption products; and technical assistance or technical data associated with the installation and maintenance of encryption products.

   The Commerce Department is required to make encryption products and related computer services eligible for a license exception after a 15-day, one-time technical review. Exporters may export encryption products if no action is taken within the 15-day period.

   A formal process is established whereby encryption products employing a key length greater than 64 bits may be granted an exemption from export controls. Under the procedures established by this legislation, encryption products may be exported under license exception if: the Secretary of Commerce determines that the product or service is exportable under the Export Administration Act, or if the Encryption Export Advisory Board created under this Act determines, and the Secretary agrees, that the product or service is generally available, publicly available, or a comparable encryption product is available, or will be available in 12 months, from a foreign supplier.

   As referenced, the PROTECT Act creates an Encryption Export Advisory Board to make recommendations regarding general, public and foreign availability of encryption products to the Secretary of Commerce who must make such decisions to allow an exemption. The Secretary's decision is subject to judicial review. The President may override any decision of the Board or Secretary for purposes of national security without judicial review. This process is critical. It ensures that the manufacturer or exporter of an encryption product may rely upon the Board's determination that the product is generally or publicly available or that a comparable foreign product is available, and may thus export the product without consequences. However, a critical national security backstop is provided. Regardless of the recommendation of the board, or the decision of the Secretary, the President is granted the absolute authority to deny the export of encryption technology in order to protect U.S. national security interest. However, a process of review is established whereby market-availability, and other relevant information may be gathered and presented in order to ensure that such determinations are informed and rational.

   Any products with greater than a 64 bit key length that have been granted previous exemptions by the administration are grandfathered, and decontrolled for export. Upon adoption of the AES, but not later than January 1, 2002, the Secretary must decontrol encryption products if the encryption employed is the AES or its equivalent.

   Finally, the PROTECT Act prohibits the Secretary from imposing any reporting requirements on any encryption product not subject to U.S. export controls or exported under a license exception.

   Mr. President, as I have stated, my purpose in putting this legislation together was to get outside the zero sum game thinking that has become so indicative of the debate surrounding the encryption export controls. I would like to commend the outstanding and creative leadership of Senator BURNS on this issue. He is a leader on technology issues in the Senate, and has played an invaluable role in developing this approach. I look forward to working with him, and our other original cosponsor in building the support necessary to see the PROTECT Act signed into law during this Congress.

