> ... I cannot conceive that the NSA or some even blacker
> agency of the US intelligence community has not obtained a complete set
> of source code for all major releases and upgrades of Windows and
> NT/2000 and probably many major MS applications.
He's right, and not just for Windows...
Under the old export controls, NSA could demand source code as a
condition of granting ANY export license. Even under today's utterly
serene and benevolent regime (Big Brother says we're currently not at
war with Oceania) there's still this mysterious "one-time review" for
commercial software exports. I believe it exists almost solely for
the purpose of giving NSA access to source code, so it can, in its own
words, "game the system" to get back-door access to encrypted data.
If you don't think NSA is using export controls as a lever to work
covertly with US industry to undermine the security of US products,
read this abridged transcript of classified hearings held with the
House International Relations subcommittee in July, 1997. (This
unclassified version was later released.) The whole thing is at:
http://jya.com/hir-hear.htm
[page 17]
5 STATEMENT OF WILLIAM P. CROWELL, DEPUTY DIRECTOR, NATIONAL
6 SECURITY AGENCY
7
8 Mr. Crowell. Since this is a closed session, I would
9 like to go a lot further than we have in a lot of hearings
10 about the national security implications.
11 I would like to begin by saying that the National
12 Security Agency in particular understands that we have a dual
13 responsibility with regard to this issue. We have a
14 responsibility for providing signals intelligence to the
15 Nation, intelligence information which is vital for us being
16 able to do our war planning and our weapons developments,
17 weapons assessments, all of those kinds of things, [redaction
18 ---------------------------] and so we have an interest in <===
19 [redaction----------] the encryption system. But we also have <===
20 an interest in protecting information, and that is part of
21 national security, and we recognize that.
[page 29]
1 Mr. Hamilton. In other words, you cannot accept any
2 export -- anything with keys longer than 56 bits? You cannot
3 accept those exports?
4 Director Freeh. Yes, with all the other provisions of
5 the bill with respect to exports.
6 Mr. Hamilton. That is your bottom line?
7 Mr. Reinsch. Let me phrase it slightly differently, if I
8 may, because this is closed. Coming to terms with this issue
9 is an evolutionary process. You have just referred to some
10 phases of the evolution, and I think your point is well taken ...
[page 30]
4 Mr. Reinsch. This is an evolutionary process. So I want
5 to look down the road, and I can't walk you very far down that
6 road quite yet, but think a little bit about what we are
7 saying. What he needs is key recovery. What he needs is
8 review of each product once before it goes out the door. <===
9 Mr. Crowell. And key management infrastructure.
10 Mr. Reinsch. I was including that. The question is how
11 do we get there? We were trying to get there through export
12 controls. That may or may not be the best way. Arguably
13 import control might be the better way, but nobody wants to do
14 import controls, and they are off the map.
15 If you can think of a better way to get to where we want
16 to go, then I think that that is a worthwhile discussion to
17 have, but we haven't been able to come up with a better way.
18 And the more we erode the export control base, the farther
19 away we get from our goal.
[page 31; This is Rep. Goodlatte speaking:]
19 Sun Microsystems just a few weeks ago announced a program
20 with a Russian company to create the cryptography, import it
21 into the United States, attach it to the underlying software.
22 Sun Microsystems would sell it domestically, and the Russians
23 would sell it internationally. Everybody would be able to
24 communicate with each other, bypass our export control laws,
25 and suddenly we have the Russians creating our cryptography
[page 32]
1 rather than U.S. companies.
2 It makes no sense, in my opinion, to allow that kind of
3 transition of an industry that we dominate to take place and
4 take away from Mr. Crowell the opportunity to work with the <===
5 domestic U.S. companies on a case-by-case, confidential basis <===
6 to create the kind of information they need to have to game <===
7 the system and instead turn that over to foreign governments <===
...
[page 34]
14 Mr. Crowell. I will repeat something I said when I came
15 in. We have accepted that we will be faced with a much harder
16 problem in the future than we have been in the past. We have
17 accepted that. We have found U.S. industry very cooperative. <===
18 Many of them, though, in this new software world don't even <===
19 know that this is a U.S. program. There is a need for an <===
20 instrument, just like the FCC has. When you get a garage door
21 opener, it is licensed so that you will not turn on your
22 neighbor's TV with the garage door opener. There is a need
23 for a licensing process [redaction----------------------------
24 ------------------------------------------------------]. If
25 I gave you a diagram of encryption, you not only have to know
[page 35]
1 the key, you have to know the algorithm to be able to break
2 it. We are not trying to game it. And some companies are not <===
3 going to risk their future by gaming with us. And it should <===
4 not be thought that every U.S. company will do that. <===
[page 44]
15 Ms. Lofgren. If I may, as Bill pointed out earlier, the
16 transition or change pace is different because of the
17 availability of technology. I can't remember, I thought it
18 was you, Bill, but once the barrier is lifted, it moves in a
19 way that did not occur in World War II times. And I guess the
20 concern I have, I know the CEOs in most of these companies. <===
21 They are more than willing to do whatever they can -- I mean, <===
22 if you went to them and said, here is a terrorist, we need
23 your help, they would help you. If we in effect move this
24 offshore, you are going to even lose that ability. I mean, it
25 is a wild crew, I grant you that. They live in a different
[page 45]
1 world. But they are patriotic Americans. They don't want
2 harm to our country.
3 Director Freeh. Look, there is no greater supporter to
4 public safety than the common carriers, whether it was one
5 company or whether it was many companies. And for years we
6 went to them with court orders, and they would give us the
7 access to John Gotti's conversations willingly. But unless
8 their technology had that access point, and with a digital
9 system it would not have that access point, and they would not
10 voluntarily build it and'pay for it but for the 1994 statute
11 which this Congress passed, that is the kind of incentive that
12 has to be had to create a structure so they can do what they
13 want to do, I agree with you, which is support us.
[page 56]
19 Mr. Goodlatte. Well, security concerns are legitimate.
20 The problem is that what they are proposing to do will not
21 work. And that is the concern I have. We are more than
22 willing to work with them in any other way. But I would just
23 suggest to you as the Chairman of the International Relations
24 Committee, they haven't answered what I think is the critical
25 question, and the Speaker raised this question the other day,
[57]
1 and that is if we attempt to force the route of key recovery
2 or key escrow, and alternatives develop around the worlds and
3 they are developing right now, to get this cryptography
4 without having to comply with this mechanism set up by the
5 U.S. Government, then the ability that the NSA has had for <===
6 many years to work with domestic suppliers of encryption and <===
7 software in general, to get the information they need to work <===
8 that will be lost because you will be dealing with Russian and <===
9 Irish and Indian and countries and companies all over the <===
10 world that are not going to be cooperating with them for their <===
11 systems.
12 I think that their basic fundamental underlying <===
13 proposition, which is that they will be able to game the <===
14 system if they have this filter that they run U.S. software <===
15 through, will in the end result in a very insecure situation. <===
16 They will no longer have that capability because they will not
17 have U.S. industry there to deal with them.
18 Chairman Gilman. How do you respond to that?
19 Mr. Crowell. First of all, the implication there is that <===
20 we rely on U.S. companies altering their products in order to <===
21 make us successful, and I would like to categorically state <===
22 that that is not -- <===
23 Mr. Goodlatte. They are giving you information about the <===
24 product. <===
25 Mr. Crowell. Well, that is true. We would like to have <===
[page 58]
1 information on the product, [redaction------------------------ <===
2 --------------------------------------------------------------
3 --------------------------------------------------------------
4 -----------------------------------] So it will not change the
5 equation for us, [redaction-----------------------------------
6 ------]
7 Mr. Goodlatte. That is my point, not yours. <===
8 Mr. Crowell. Yes, we will be up against very large
9 odds. I mentioned at the beginning that there are two
10 considerations here. One is having a sound foundation for
11 U.S. protection, governmental and nongovernmental critical
12 infrastructure, and we believe that the building of a key
13 management infrastructure and key recovery to protect public
14 interest and electronic government is a very, very important
15 part of that. We believe that export controls that are <===
16 relaxed in terms of restrictions on bit lengths and all of <===
17 those kinds of things, but that require one-time review on a <===
18 rapid basis, encourage cooperation with U.S. industry and will <===
19 be required by virtually every nation in the world and will
20 not differentiate U.S. industry from the rest of the world.
21 Mr. Goodlatte. If you get one-time review, but don't <===
22 have any standard that you are applying to that review, would <===
23 that satisfy you? We were talking with Mr. Hamilton about <===
24 what they would take as a bottom line to resolve this.
25 Mr. Crowell. Not if it precipitously, without any other
[page 59]
1 criteria, allowed to any user anywhere in the world, including
2 rogue states, the availability of any strength encryption.
3 No, we have had other criteria that we have included, and the <===
4 administrative procedures that we follow allow us to have that <===
5 flexibility. You do not have the mandatory -- name a product <===
6 you don't have the same level of mandatory decontrol that you
7 are advocating for encryption.
8 Mr. Goodlatte. Well, we are arguing the same side of the
9 issue when we say that, because --
10 Mr. Crowell. We often are, sir.
John
