10 November 1997
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[Congressional Record: November 9, 1997 (Extensions)]
[Page E2289-E2290]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr09no97-51]


              CONCERN ABOUT EXPORTS AND DOMESTIC CONTROLS

                                 ______


                           HON. BRAD SHERMAN

                             of california

                    in the house of representatives

                       Saturday, November 8, 1997

  Mr. SHERMAN. Mr. Speaker, the Clinton administration policy on
encryption makes no sense, is costing the United States critical export
dollars, and threatens the fundamental privacy rights of all Americans
in the information age.
  For an administration that claims it is sympathetic to and supportive
of America's high tech practitioners, what is happening today
demonstrates exactly the opposite. Because for all the complexity of
designing top of the line computer products and programs with
information security--encryption--features, the issues here are not
complex at all.
  Encryption is both the first and the last line of defense against
hackers who would like to get into bank accounts or pry loose credit
card information that can cost consumers and businesses dearly.
Encryption is crucial for protecting customers and companies from
criminal intrusion into both their private lives and their businesses.
  Yet the administration says it is addressing the concerns of national
security and law enforcement by refusing to permit the export of
software with 56 bits or greater encryption protection, unless the
company agrees to commit to build key recovery products. It also
suggests that the war against criminals, such as pornographers, credit
card thieves, terrorists and others too numerous and too diverse to
mention, will be all for naught unless government eavesdroppers are
handed the keys to unlock all the billions of electronic transmissions
that are made every day in today's electronic information age.
  Now as ridiculous as it might seem that this administration wants the
capacity to tune in on everything going through the airwaves;
nevertheless, that is the tool they say they need to protect all of us
from today's criminal elements. It is rather mind-boggling to
contemplate how the Federal payroll might explode if the NSA and the
FBI were given the opportunity to monitor the messenger traffic that
goes on every day of the week. But it is also mind-boggling to
contemplate the picture of Uncle Sam riding roughshod over privacy
rights that have been guaranteed under our Constitution since the days
of our Founding Fathers.
  If American firms had a monopoly on encryption skills, and if these
products were not available from anyone on either side of the Atlantic
or Pacific, perhaps an argument could be made for restricting exports
of products with encryption that could not be reproduced elsewhere. But
that is not the case. What in fact the administration has done, and is
doing, is creating, in the words of the New York Times, ``a bonanza for
alert entrepreneurs outside the United States.'' And even then I see no
good reason for restricting the use of encryption within the United
States.
  I call my colleagues attention to an article from the New York Times
of April 7, 1997. It tells the story of how the German firm of Brokat
Information Systems has carved out a booming business selling powerful
encryption technology around the world that the United States
Government prohibits American companies from exporting. This German
company actually markets its products by telling potential purchasers
that they shouldn't use American export-crippling products.
  This should serve as a reminder that even if Congress should pass and
the President should sign Fast Track authority to negotiate new trade
agreements with some of our Latin American neighbors, we are not going
to turn our trade deficit around if we persist on handing on a silver
platter to foreign competitors markets that should be dominated by
American firms.
  At this point I would like to insert the article from the New York
Times, of April 7, entitled ``U.S. Restrictions on Exports Aid German
Software Maker.''

                [From the New York Times, Apr. 7, 1997]

         U.S. Restrictions on Exports Aid German Software Maker

                         (By Edmund L. Andrews)

       Boeblingen, Germany, April 3.--Boris Anderer and his four
     partners have a message for the spy masters in America's
     national security establishment; thank you very, very much.
       Mr. Anderer is the managing director for marketing at
     Brokat Informationssystems G.m.b.H., a three-year-old
     software company here that is growing about as fast as it can
     hire computer programmers.
       When America Online wanted to offer online banking and
     shopping services in Europe, it turned to Brokat for the
     software that encodes transactions and protects them from
     hackers and on-line bandits. When Netscape Communications and
     Microsoft wanted to sell Internet software to Germany's
     biggest banks, they had to team up with Brokat to deliver the
     security guarantee that the banks demanded.
       But what is most remarkable is that Brokat's rapid growth
     stems in large part from the Alice in Wonderland working of
     American computer policy. Over the last two years, Brokat and
     a handful of other European companies have carved out a
     booming business selling powerful encryption technology
     around the world that the United States Government prohibits
     American companies from exporting.
       Mr. Anderer could not be happier. ``The biggest limitation
     on our growth is finding enough qualified people,'' he said,
     as he strode past rooms filled with programmers dressed in T-
     shirts and blue jeans.
       The company's work force has climbed to 110 from 30 in the
     last year, and the company wants to add another 40 by the end
     of the year.
       ``This company has grown so fast that I often don't know
     whether the people I see here have just started working or
     are just visitors,'' he said.
       Encryption technology has become a big battleground in the
     evolution of electronic commerce and the Internet. As in the
     United States, European banks and corporations are racing to
     offer on-line financial services, and many of these services
     are built around Internet programs sold by American companies
     like Netscape and Microsoft.
       Cryptography is crucial because it provides the only means
     for protecting customers and companies from electronic
     eavesdroppers.
       Although the market for encryption software is in itself
     tiny, it is a key to selling technology in the broader market
     of electronic commerce. Encryption is the first line of
     defense against hackers eager to pry loose credit card
     information and raid bank accounts, so it plays a critical
     role in the sale of Internet servers and transaction-
     processing systems.

[[Page E2290]]

       Brokat, which has revenues of about 10 million marks ($6
     million), uses its cryptography as a door-opener to sell much
     more complicated software that securely links conventional
     bank computer systems to a bank's internet gateways and on-
     line services. Netscape, Microsoft and computer equipment
     manufacturers all include encryption in the networking
     systems they sell to corporations.
       But the United States Government blocks American companies
     from exporting advanced encryption programs, because agencies
     like the Federal Bureau of Investigation and the National
     Security Agency fear that they will lose their ability to
     monitor the communications of suspected terrorists and
     criminals.
       Far from hindering the spread of powerful encryption
     programs, however, American policy has created a bonanza for
     alert entrepreneurs outside the United States. Brokat's
     hottest product is the Xpresso Security Package, a set of
     computer programs that bump up the relatively weak encryption
     capability of Internet browsers from Netscape and Microsoft.
       Besides America Online, Brokat's customers include more
     than 30 big banking and financial institutions around Europe.
     Deutsche Bank A.G. Germany's biggest bank, uses Brokat's
     software at its on-line subsidiary, Bank 24. Hypo Bank of
     Munich uses Brokat in its on-line discount stock brokerage
     operation. The Swiss national telephone company and the
     Zurcher Kantonalbank are also customers.
       Among Brokat's competitors, UK Web Ltd, based in London, is
     marketing an equally powerful encryption program in
     conjunction with a Silicon Valley company C2Net Software.
     Recently, UK Web and C2Net boasted of selling ``full-
     strength'' cryptography developed entirely outside the United
     States.
       ``We don't believe in using codes so weak that foreign
     governments, criminals or bored college students can break
     them,'' the two companies said in a statement, in a stinging
     swipe at the American export restrictions.
       Bigger companies are starting to jump into the fray as
     well. Siemens-Nixdorf, the computer arm of Siemens A.G.,
     recently began marketing a high-security Internet server
     program that competes with products from Netscape. Companies
     can download the software from Siemens computers in Ireland.
       There is nothing illegal or even surprising about this. The
     basic building blocks for advanced encryption technology, in
     a series of mathematical algorithms or formulas, are all
     publicly available over the Internet. American companies like
     Netscape sell strong encryption programs within the United
     States, and companies like Brokat are even allowed to export
     their product to customers in the United States.
       For many computer executives, the real mystery is why the
     United States Government continues to restrict the export of
     encryption technology. ``The genie is out of the bottle,''
     said Peter Harter, global public policy counsel at Netscape,
     who complained that American policy thwarts his company's
     ability to compete.
       ``I have a good product, and I can sell it to Citibank, but
     I can't sell it to Deutsche Bank,'' Mr. Harter said. ``It
     doesn't make any sense. Why shouldn't they be able to buy the
     same product at Citibank? It makes them mad, and it makes us
     mad.''
       In response to industry complaints, American officials have
     repeatedly relaxed the restrictions on encryption over the
     last several years, and they did so again last November. But
     because the speed of computers has increased so rapidly,
     codes that seemed impenetrable just a few years ago can be
     cracked within a few hours.
       In a policy announced last fall, the Clinton Administration
     announced that it would allow American companies to freely
     export cryptography that used ``keys'' up to 40 bits in
     length. The longer the key, the more difficult a code is to
     crack. But banking and computer executives say that 40-bit
     codes are no longer safe and can be cracked in as little as a
     few hours by skilled computer backers. The minimum acceptable
     code, according to many bank executives, must have keys that
     are 128 bits long.
       ``From our point of view, there is at least the possibility
     that a 40-bit encryption program can be broken, and that
     means there is a danger that our transaction processing could
     be compromised,'' said Bernd Erlingheuser, a managing
     director at the Bank 24 unit of Deutsche Bank. Bank 24 has
     about 110,000 customers in Germany who gain access to banking
     services over the Internet using either the Netscape
     Navigator or Microsft's Internet Explorer.
       Anette Zinsser, a spokeswoman for Hypo Bank, concurred.
     ``Forty bits is just too low,'' she said. Hypo Bank offers
     Internet-based banking and discount brokerage services to
     about 28,000 customers.
       In a country not known for high-technology start-ups,
     Brokat jumped at the opportunity. Mr. Anderer, a former
     consultant at McKinsey & Company in Germany teamed up three
     years ago with two fraternity friends, Michael Janssen and
     Stefan Roever, and two seasoned computer experts, Achim
     Schlumpberger and Michael Schumacher.
       The group originally conceived of building a company around
     modular software components that were designed for the
     banking industry, and they financed the company for nearly
     two years through the money they earned from consulting
     projects. But they were quickly drawn in the area of
     encryption, and developed a series of programs around the
     Java technology of Sun Microsystems.
       The Xpresso encryption package is installed primarily on
     the central ``server'' computers that on-line services use to
     send material to individual personal computers. Customers who
     want to connect to a bank's server download a miniature
     program, or applet, that meshes with their Internet browser
     program and allows the customer's computer to set up an
     encrypted link with the server. The effect is to upgrade the
     40-bit encryption program to a 128-bit program, which is
     extremely difficult for outsiders to crack.
       Now, in another step through the looking glass of
     encryption policy, Brokat is trying to export to the United
     States. There is no law against that, but American laws would
     theoretically prohibit a company that used Brokat's
     technology from sending the applets to their online customers
     overseas. So the company is now negotiating with the National
     Security Agency for permission to let American companies send
     their software overseas, which is where it started from in
     the first place.
       It Brokat convinces the spy masters, the precedent could
     help American software rivals. ``This could open a new
     opportunity that would benefit American companies if they
     understand the implications,'' Mr. Anderer said.



                          ____________________
