PRESERVING AMERICA'S PRIVACY AND SECURITY IN THE NEXT CENTURY:
A STRATEGY FOR AMERICA IN CYBERSPACE

A REPORT TO
THE PRESIDENT OF THE UNITED STATES

September 16, 1999

William Cohen, Secretary of Defense
Janet Reno, Attorney General
Jacob J. Lew, Director of the Office of Management and Budget
William Daley, Secretary of Commerce


PRESERVING AMERICA'S PRIVACY AND SECURITY IN THE NEXT CENTURY:
A STRATEGY FOR AMERICA IN CYBERSPACE
 

1. A TIME OF PIVOTAL CHANGE

American history has been punctuated by periods in which the
Nation had to respond to sweeping social, economic and technological
developments. In the best of times, people working together in
government and industry became the engine of progress that shaped the
character of the time and facilitated new prosperity and opportunity
for Americans. Three examples illustrate this point.

Opening the Heartland and Expanding the Frontier.

Beginning with the Louisiana Purchase in 1803, the government
initiated a remarkably successful policy to open up a vast new area.
Over the next five decades, the United States doubled the size of its
territory. Under the government's plan, land grants were given to
railroads to open the Midwest and in turn to create a future market
for rail services. Land was awarded to homesteaders, and yet other
parcels were reserved as income sources for institutions of higher
education.

The technological advance of the railroad was the engine pulling
this growth. From the 1820s to 1900, American railroads added an
average of more than 2,000 miles of track each year. By the close of
the 19th century, the combination of these factors had served to
triple the size of our nation. The Administration and the Congress,
working together and in concert with technology advances, created an
infrastructure for a new society.


Industrialization and the Great Depression Produce a New Society.

Around the turn of the century, the country was firmly in the
Industrial Age. Technical innovations in automation and machinery
spurred the growth of factories, assembly lines and mass production
in our nation's cities. The Ford assembly line for the Model T and
the Wright brother's flight catapulted us into a mobile society and
drove further technological innovations. Telephones became more
commonplace and the nation began to shrink as news and information
traveled faster. As a nation, we created new opportunities in
industries never heard of, and created a new class of wealth, based
on opportunity and innovation, not birthright. The economy moved
from an agrarian society to an industrial society.

But the growth and prosperity experienced by many halted when the
Great Depression gripped the country. In response, the government
developed a series of creative policies and programs that brought
government and business to the common task of restoring productivity
to America. While there were a number of social programs, government
support for technology was key to driving development. For example,
the government took a pivotal role in expanding the electrical grids
that would become the backbone of our national infrastructure, first
with the creation of the Tennessee Valley Authority in 1933 and two
years later with the creation of the Rural Electrification
Administration. Electrical technology, in the ensuing years,
radically altered the capabilities of America's rural farms and
industry. Just as important, it created a transmission belt that
further disseminated the ideas and technology being generated in the
nation's cities.


A World War Produces a Global Community and the American Century.

In a third case, World War II shattered the international
political system at the same time that it brought an end to 19th
century colonialism. The creation of the World Bank, the
International Monetary Fund, and the rules for a global trading
system became the cornerstones of the emerging global economy.

The urgent need for increased production and the burst of
scientific funding associated with the war effort -- sustained by a
continuing Federal commitment to new science and technology in the
following years -- vaulted the United States into the age of
electronics and computers -- the beginning of the Information Age.
 

Advances in telecommunications, such as broad-band carrier systems
and switching devices, combined with innovations in the computer
industry to give individuals more power than ever to process large
amounts of information and transmit that information at ever-greater
speeds. Further, this country's goal to reach the moon by the end of
the 1960s fueled development of advanced electronics, increased
computing power and communications capabilities. At the same time,
technological leaps in computer memory and data storage enabled the
centralized use (and, unfortunately, misuse) of information to
examine or profile individuals, consumers, and groups. As these
issues emerged, our legal system responded. Looking back, the
"Information Economy" that Americans recognize today could be seen
emerging as early as the late 1940s.

Each of these examples was a pivotal episode in American history
in which complex social, economic, and technological forces came
together. Facing the challenges of the day, America's governmental,
societal and technical leaders crafted a new vision of the future,
and in the process became pioneers on a new frontier of opportunity
and promise.

America now faces a new time of pivotal change, enormous
opportunity, and promise. This time, technology itself presents both
an opportunity and a threat to global society increasingly dependent
on, and connected by, advanced computing and communications.
Continuing a balanced strategy that advances our national interests
is the challenge of our day.


2. CYBER AMERICA: GREAT PROMISE AND SERIOUS RISKS

America now stands on the brink of revolution fueled by machines
-- computers -- and networks of computers that facilitate the instant
exchange of and access to ideas and information. The computer has
and will continue to revolutionize virtually all aspects of American
society, just as electricity, the power grid and the railroad changed
our forefathers' society.

The Computer as an Economic Engine.

It is well-known that the computer, and its application in
business, commerce, education and recreation has transformed the
American economy. America is becoming a country of "knowledge
workers," with the ubiquitous application of computer technology at
its core. America's productivity today is grounded in computer
applications and networks. Bar codes speed us through shopping lines
and simultaneously facilitate store manager record-keeping and
reordering. Airline reservations can be booked from home computers.
Everything from clothes to books to software can be purchased over
the Internet. American companies are discarding their proprietary
computer systems and using the Internet and the Web to increase
productivity, network their entire chain of suppliers, and deliver
"just-in-time" training to their employees. American students can
conduct original research with colleagues on machines around the
world with but a few keystrokes. Travelers can monitor current
weather conditions in another country. Scientists can "conference"
electronically and transmit astounding volumes of information in
seconds to colleagues on other continents.

As remarkable as today's innovations are, the years ahead hold
even greater promise. Computers will become virtual partners in all
aspects of our lives. Homes will be centrally wired to allow
integrated alarms, electronics, appliances, telephones, and computers
to simplify our lives. Education will become more adaptive to the
routines of individual students, and banking, finance, and shopping
will increasingly migrate to the home and portable computing devices.

And in this process and through networking, computers have created
the well-known "cyberspace" that eliminates the traditional
boundaries of time and place and links governments, businesses, and
individuals in the same electronic environment.


The Dangers of Cyberspace.

Like any new tool in previous eras, computers can be used by those
who prey on the innocent. International narcotics traffickers now
routinely communicate with each other via computer messages. Hostile
governments and even some trans-national organizations are
establishing cyber-warfare efforts, assigned the mission of crippling
America's domestic infrastructure through computer attacks. Hackers
destroy cyber-property by defacing home pages and maliciously
manipulating private information. Pedophiles stalk unsuspecting
children in computer chat rooms. Individuals post home pages with
instructions to manufacture pipe bombs, chemical weapons, and even
biological agents. Crooks break into business computers, either
stealing funds directly or extorting payments from companies anxious
to avoid more expensive disruption.
Disgruntled employees, with valid access to their companies'
system, can take steps to disrupt the business operations or steal
proprietary, sensitive, and financial information. And our personal
data is at risk of being unlawfully accessed and read by malicious
individuals, without our knowledge, as it resides on or traverses
communications and computer networks.

These concerns are not hypothetical. We have seen these types of
activities, and other equally dangerous activity, in past and ongoing
cases. The danger posed by evil individuals using these powerful new
tools grows by the day. Just as other technologies have the risk of
being abused, it is necessary for us to evaluate how to respond.
Without protective action, we will not be safe. America must take
responsible steps to ensure that this promising electronic
environment is safe for law-abiding citizens and businesses.


3. BALANCING AMERICA'S BEDROCK VALUES

While these problems seem unprecedented, in fact they represent a
return to the bedrock problems faced by America's constitutional
founders. American democracy became and remains a new experiment in
government -- balancing the rights of individuals against the
imperatives of society and limiting the reach of government into
personal, private lives, while mandating a government responsibility
for public safety and security for all citizens.

Computers are now at the center of competing American values. In
honest, law abiding citizens' hands, the computer becomes an
indispensable tool for education, personal and commercial business,
research and development, and communications. In criminal hands, the
same computer becomes a tool of destruction and criminality.

Enter Encryption.

Over the past decade, another information technology has emerged
that amplifies this tension -- encryption. Encryption includes
special instructions that scramble a clear readable message in
complex ways that make it unreadable. For the strongest forms of
encryption, only the intended recipient can unscramble the message
and read the original plain text, unless someone else has gained
access to the corresponding decoding software and decryption key.

Originally only available and used by military agencies, strong
encryption is now available to many and has become a building block
for the new digital economy. It is essential to provide security and
privacy for electronic commerce and e-business. Encryption is
critical because it allows individuals, businesses, and other
organizations to share information privately without it being
unlawfully intercepted or accessed by a third party, to establish
their identities, and to maintain the integrity of information.
Without the use of encryption, it is difficult to establish the trust
that people and firms need to do business with each other, or to have
confidence to run their business electronically. With the use of
encryption:

-- Individuals and consumers can securely conduct their finances
and communicate with each other over the Web.

-- Firms can transmit their software, music, movies, reports and
other forms of intellectual property over the Internet while
minimizing the risks of widespread piracy.

-- Businesses can protect their company proprietary information
over the Internet, with confidence that the information is secure
from prying eyes.

-- Firms can develop products more rapidly, as teams of engineers
around the world can collaborate on their designs in real-time over
secure high-speed networks.

However, while the majority of users will use encryption for
legitimate, lawful purposes, we must recognize that terrorists,
pedophiles and drug gangs are increasingly using encryption to
conceal their activities. Hence, encryption has posed a serious
public policy challenge over the past decade.

The Federal Government has sought to maintain a balance between
privacy and commercial interests on one hand and public safety and
national security concerns on the other by limiting the export of
strong encryption software. Preserving this balance has become
increasingly difficult with the clear need for strong encryption for
electronic commerce, growing sophistication of foreign encryption
products and the proliferation of software vendors, and expanded
distribution mechanisms. In the process, all parties have become
less satisfied with the inevitable compromises that have had to be
struck. U.S. companies believe their markets are increasingly
threatened by foreign manufacturers in a global economy where
businesses, consumers, and individuals demand that strong encryption
be integrated into computer systems, networks, and applications.
National security organizations worry that the uncontrolled export of
encryption will result in diversion of powerful tools to end users of
concern. Law enforcement organizations see criminals increasingly
adopting tools that put them beyond the reach of lawful surveillance.

At the end of the century, these are the important national
interests that must be reconciled. Determining a policy direction
for encryption has become more complex, and more urgent, for all
those affected. A strategic paradigm that better achieves balance is
needed.


4. A NEW PARADIGM TO PROTECT PROSPERITY, PRIVACY AND SECURITY

To support America's prosperity and protect her security and
safety, we propose a new paradigm to advance our national interests.
The new paradigm should be comprised of three pillars -- information
security and privacy, a new framework for export controls, and
updated tools for law enforcement. We discuss each in turn.

I. Information Security and Privacy.

As a nation, we have become increasingly dependent on computers
and telecommunications. These new technologies create vast
opportunities for personal expression and electronic commerce, while
also creating new risks to public safety and national security.
Computers and telecommunications rely on open protocols and
ultra-accessibility, thus making individuals' and organizations'
words and actions vulnerable to outsiders in new and potentially
frightening ways. A first pillar of our new paradigm must be to
promote information security and privacy -- to assure the security
and privacy of stored and transmitted data from unauthorized and
unlawful access.

The President has recognized the challenge of updating privacy for
new technologies: "We've been at this experiment in Government for
223 years now. We started with a Constitution that was rooted in
certain basic values and written by some incredibly brilliant people
who understood that times would change, and that definitions of
fundamental things like liberty and privacy would change, and that
circumstances would require people to rise to the challenges of each
new era by applying old values in practical ways."

In updating enduring constitutional values for the computer age,
we need to assure that our citizens' personal data and communications
are appropriately protected. Businesses need to privately
communicate with their employees and manufacturing partners without
risk that their proprietary information will be compromised through
unauthorized access. Encryption is one of the necessary tools that
can be used in this technological environment to secure information.
Therefore, we encourage the use of strong encryption by American
citizens and businesses to protect their personal and commercial
information from unauthorized and unlawful access.

We must also recognize the inherent security risks posed by the
spread of and dependence on "open systems" and ready accessibility.
The Defense Department's situation is typical. Twenty years ago
the Defense Department operated largely proprietary communications
systems over government owned switches and circuits. DOD technology
was homebuilt and tightly controlled. Today, the U.S. DOD has more
computer users than any other organization in the world -- 2.1
million computers access over 10,000 networks on an average work day.
Even so, 95 percent of DOD's communications occur over public
circuits or with commercial software and hardware. The Defense
Department's reliance on commercial products and services is repeated
throughout the country by government agencies and the private sector.

If the Department of Defense is to function safely in cyberspace,
it must use strong tools for encryption and identity authentication.
It is not just military operations and data that must be protected.
All government agencies and all business activities will increasingly
need a full set of security tools to ensure access, privacy and
absolute confidence in business operations that utilize computer
technology.

We recognize that information technology is changing rapidly and
constantly providing both new security capabilities and challenges
and, hence, we will never reach a "perfect solution." Nevertheless,
there are many efforts underway throughout the government to address
the need for more secure systems. By adopting commercial approaches,
where appropriate, and sponsoring R&D to fill needed capabilities, we
believe the Federal government should, by example, lead the way for
America to develop and use the tools and procedures for information
security and privacy in the next century.

The Department of Defense, for example, has allocated over $500
million to develop a comprehensive security management
infrastructure. This infrastructure will utilize a range of
encryption products (with stronger products for more sensitive
applications involving higher levels of classification), and a public
key infrastructure (PKI) to identify and authenticate those who use
our information networks. The Department is also adopting stronger
standards for network configuration and operator qualification and
certification, and is taking steps to better detect unauthorized
intrusions into DOD networks.

The Federal government must continue to promote the development of
stronger encryption technologies for federal use. The advanced
encryption standard (AES) is in the final stages of a public
selection process. Once promulgated, AES could become as ubiquitous
as today's digital encryption standard (DES) which has contributed
greatly to the growth of electronic commerce.

In the Federal government, the Department of Defense is a leading
proponent of information security through its information assurance
initiative, and other agencies are recognizing the need for increased
diligence in maintaining adequate security of Federal information and
systems. We encourage each agency to vigilantly build security
enhancements into their business operations in risk-based and
cost-effective ways that enable, not impede, the agency's ability to
perform its mission.

Further, we believe that the Congress and Executive Branch should
work together to promote both the awareness of information privacy
and security and the development of appropriate tools and resources
by the private sector, and to consider whether tangible incentives
are appropriate. Given the rapid changes in technology, we advocate
a technology neutral approach. This approach would have the public
and private sectors working together to encourage development of a
broad range of privacy and security products and processes and share
promising practices with one another. We believe equally strongly
that security infrastructures and the deployment of security products
-- should neither be mandated nor prohibited. Public and private
organizations must determine their risks and be free to choose their
own solutions.

The government's requirement to protect its own sensitive and
privacy information is matched by individual's and the private
sector's own interests in proper handling of sensitive information.
Many in industry and elsewhere are already developing and using
sophisticated security and privacy products and processes.
Government should act as a facilitator and catalyst and help
stimulate the development of commercial products that will help all
Americans protect their sensitive information.

In sum, the first pillar of the new paradigm calls on the Federal
government, the Congress and all others to partner in promoting ways
to bring information security and privacy to the Information age.
Working together, we can develop tools and procedures for safe
operation in cyberspace, applying enduring constitutional values to
our new circumstances.

-- 
II. Encryption Export Controls for the New Millennium.

At the dawn of the new millennium, technology is advancing at such
a rapid pace that attempts to control its global spread under the
existing export control regime need to be regularly reevaluated.
Encryption will continue to enable new economic realities that must
be considered in a balanced approach to export controls.

Encryption products and services are needed around the world to
provide confidence and security for electronic commerce and business.
With the growing demand for security, encryption products are
increasingly sold on the commodity market, and encryption features
are being embedded into everyday operating systems, spreadsheets,
word processors, and cell phones. Encryption has become a vital
component of the emerging global information infrastructure and
digital economy. In this new economy, innovation and imagination are
the engines, and it is economic achievement that underpins America's
status in the world and provides the foundation of our national
security. We recognize that U.S. information technology companies
lead the world in product quality and innovation, and it is an
integral part of the Administration's policy of balance to see that
they retain their competitive edge in the international market place.

We as a nation must balance our desire and the need to assist
industry with a prudent, objective and steady judgment about how to
protect national security; a judgment that acknowledges that
technological advantages may add new dimensions to an already
complicated problem set. We must ensure that the advantages this
technology affords us are not extended to those who wish us ill or
who harbor criminal intent. This judgment must be informed by both
foreign and domestic realities.

While the U.S. is a huge market for telecommunications goods and
services, the other nations of the globe present markets much larger
than our domestic demand. Our networks are inextricably bound to
those of our allies and adversaries alike. Likewise, America's
interests do not end at our borders. American diplomats, service men
and women, as well as countless business people work and live around
the globe. America's interests are served by the ability to send and
receive proprietary, personal and classified information to exactly
where it is needed around the world. Likewise, America's interests
are served daily by shared actions with our allies, which require
accurate and authentic information be exchanged. Our policy must
acknowledge these vital interests.

But even as we do, it is imperative that we uphold international
understandings, and strive with other nations to prevent the
acquisition of encryption technology to sponsors of terrorism,
international criminal syndicates or those attempting to increase the
availability of weapons of mass destruction. We must also meet our
responsibilities to support our national decision-makers and our
military war fighters with intelligence information in time to make a
difference.

Accordingly, the Administration has revised its approach to
encryption export controls by emphasizing three simple principles
that protect important national security interests: a meaningful
technical review of encryption products in advance of sale, a
streamlined post-export reporting system that provides us an
understanding of where encryption is being exported but is aligned
with industry's business and distribution models, and a license
process that preserves the right of government to review and, if
necessary, deny the sale of strong encryption products to foreign
government and military organizations and to nations of concern.
With these three principles in place, the Federal Government would
remove almost all export restrictions on encryption products. This
approach will provide a stable framework that also will allow U.S.
industry to participate in constructing and securing the global
networked environment. This approach also maintains reasonable
national security safeguards by monitoring the availability of
encryption products and limiting their use in appropriate situations.

The Administration intends to codify this new policy in export
regulations by December 15, 1999, following consultations on details
with affected industries and other private sector organizations.

However, with this new framework for export controls, the national
security organizations will need to develop new technical tools and
capabilities to deal with the rapid expansion of encrypted
communications in support of its mission responsibilities. The
Congress will need to support such new tools and technical
capabilities through necessary appropriations.


III. Updated tools for Law Enforcement.

Because of the need for and use of strong encryption globally,
governments need to develop new tools to deal with the rapid
expansion of encrypted communications. Updated tools for law
enforcement that specifically address the challenges of encryption
constitute the third pillar of the new strategy. We cannot ignore
the fact that encryption will be used in harmful ways -- by child
pornographers seeking to hide pictures of exploited children, or
commercial spies stealing trade secrets from American corporations,
or terrorists communicating plans to destroy property and kill
innocent civilians. Even more significant, because cyberspace knows
no boundaries and because it is not immediately clear if a
cyber-attack involves Americans or foreigners, America's national
security will increasingly depend on strong and capable law
enforcement organizations. This is because the United States
military and intelligence agencies have long been restricted by law
from undertaking operations inside the United States against American
citizens. Accordingly, America's national defense is now
increasingly reliant on ensuring that our law enforcement community
is capable of protecting America in cyberspace.

Under existing law and judicial supervision, law enforcement
agents are provided with a variety of legal tools to collect evidence
of illegal activity. With appropriate court orders, law enforcement
may conduct electronic surveillance or search for and seize evidence.
In an encrypted world, law enforcement may obtain the legal authority
to access a suspect's communications or data, but the communications
or data are rendered worthless, because they cannot be understood and
cannot be decoded by law enforcement in a timely manner. Stopping a
terrorist attack or seeking to recover a kidnapped child may require
timely access to plaintext, and such access may be defeated by
encryption. Hence, law enforcement's legal tools should be updated,
consistent with constitutional principles, so that when law
enforcement obtains legal authority to access a suspect's data or
communications, law enforcement will also be able to read it.

Quite simply, even in a world of ubiquitous encryption, law
enforcement with court approval must be able to obtain plaintext so
that it can protect public safety and national security. Therefore,
we must undertake several important and balanced initiatives.

First, we need to ensure that law enforcement maintains its
ability to access decryption information stored with third parties,
but only pursuant to rules that ensure appropriate privacy
protections are in place. To ensure this result, the Administration
and the Congress must develop legislation to create a legal framework
that enhances privacy over current law and permits decryption
information to be safely stored with third parties (by prohibiting,
for example, third party disclosure of decryption information), but
allows for law enforcement access when permitted by court order or
some other appropriate legal authority.
 

Second, since criminals will not always store keys with third
party recovery agents, we must ensure that law enforcement has the
personnel, equipment, and tools necessary to investigate crime in an
encrypted world. This requires that the Congress fund the Technical
Support Center as proposed by the Administration, and work with the
Administration to ensure that the confidentiality of the sources and
methods developed by the Technical Support Center can be maintained.

Third, it is well recognized that industry is designing, deploying
and maintaining the information infrastructure, as well as providing
encryption products for general use. Industry has always expressed
support, both in word and in action, for law enforcement, and has
itself worked hard to ensure the safety of the public. Clearly,
industry must continue to do so, and firms must be in a position to
share proprietary information with government without fear of that
information's disclosure or that they will be subject to liability.
Therefore, the law must provide protection for industry and its trade
secrets as it works with law enforcement to support public safety and
national security. The law must also assure that sensitive
investigative techniques remain useful in current and future
investigations by protecting them from unnecessary disclosure in
litigation. These protections must be consistent with fully
protecting defendants' rights to a fair trial under the
Constitution's Due Process clause and the Sixth Amendment.

The Administration and the Congress need to work jointly to pass
legislation that provides these updated authorities. The
Administration is in the final stages of drafting legislation and
will shortly submit it to the Congress for consideration.

It is imperative to emphasize that the malicious use of encryption
is not just a law enforcement issue -- it is also a national security
issue. The new framework for export controls must be complemented by
providing updated, but limited, authorities to law enforcement.


5. CONCLUSION

America stands on the pivot point of a crucial time in its ongoing
development, and we face once again the ongoing debate in this
country between individuals' rights and the collective needs of
society. The genius of our Constitution is in the balanced way it
addressed that debate and in the procedures it created for continuing
that discussion as the society and the economy evolved. For our own
part, we enter that debate determined to preserve that same balance
of the rights and responsibilities that has characterized our country
through its history, but we are equally determined not to be
thoughtlessly bound to old approaches and old technologies. Our
challenge is to adapt our historical approach to the technological
challenges we face. We believe the new paradigm described above
achieves that objective.

We can now see a future with great promise and -- and serious
consequences -- posed by the same technical developments. How well
we handle these important challenges will shape the next century. It
is far better that we approach these problems from a cooperative
perspective. The past years of confrontation must be replaced by an
era of collaboration. For only by working together, which is the
rich history of this nation, can we ensure our economic viability and
protect ourselves from those who would do us harm.