[Cantwell's crypto export bill was introduced as HR3627, then folded into HR3937, after which it was removed, and thus did not pass. This is the amendment removing it, followed by commentary and analysis from the House Intelligence Committee.] 103D CONGRESS REPT. 103-531 2nd Session Part 2 HOUSE OF REPRESENTATIVES OMNIBUS EXPORT ADMINISTRATION ACT OF 1994 JUNE 16, 1994. Ordered to be printed Mr. GLICKMAN, from the Permanent Select Committee on Intelligence, submitted tbe following REPORT [To accompany HR. 3937] [Including cost estimate of the Congressional Budget Office] (omitted) The Permanent Select Committee on Intelligence, to whom was referred the bill (H.R. 3937) entitled the "Export Administration Act of 1994", having considered the same, report favorably thereon with amendments and recommend that the bill as amended do pass. The amendments (stated in terms of the section numbers of the bill as reported from the Committee on Foreign Affairs) are as follows: Strike out subparagraph (C) of section 109(b)(1). Amend subsection (c) of section 117 to read as follows: (c) ASSESSMENT OF ENCRYPTION SOFTWARE MARKET.- (1) PRESIDENTIAL REPORT REQUIRED.-Not later than 150 days after the date of enactment of this Act, the President shall submit a report to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Foreign Affairs of the House of Representatives. (2) CONTENTS OF REPORT.-The report required by paragraph (1) shall- (A) assess the current and future international market for computer software with encryption; (B) assess the impact of United States encryption export controls on the international competitiveness of the United States computer software industry and their economic consequences, including the impact on exports and jobs in the United States computer software industry; and (C) review the types, quality and market penetration of foreign produced encryption software products and any controls that influence the international marketability of encryption software products. (3) CONSULTATION.-In preparing the report required under paragraph (1), the President shall consult with representatives of the United States computer software industry. Confidential business information provided by United States industry in the course of preparing the report shall not be disclosed, except with the permission of the submitter or when aggregated so that the source of the information cannot be identified. PURPOSE The principal purpose of H.R. 3937, as amended, is to revise the statutory basis for the control of exports of dual-use commodities and technologies. SEQUENTIAL REFERRAL H.R. 3937 was originally referred to the Committee on Foreign Affairs. The Permanent Select Committee on Intelligence has jurisdiction over intelligence-related activities pursuant to clause 2(a) of rule XLVIII of the Rules of the House of Representatives. The bill was therefore sequentially referred to the Committee on May 25, 1994 for a period ending not later than June 17, 1994, for consideration of matters within its jurisdiction. ITEMS OF SPECIAL INTEREST Computerized data base amendment H.R. 3937 as reported from the Committee on Foreign Affairs contains a provision (Section 109(b)(1)(C)) that requires the Director of Central Intelligence (DCI) to "collect all intelligence information regarding controlled end users" and have the information "accessible in computerized form" at the Central Intelligence Agency (CIA) no later than December 31, 1994. As written, this provision requires the entire universe of intelligence information on controlled end users to be brought together in one computerized data base. This collection effort in itself could be a serious drain on CIA resources and slow its responsiveness to requests for assistance from the Department of Commerce on export license determinations. More importantly, the provision would also be inconsistent with current requirements on compartmentation of classified information. The Foreign Affairs Committee report suggests that the DCI would be required to make this data base available to the Secretary of Commerce -- without any exception for protection of the identities of sources. The intelligence community now responds to requests from the Secretary of Commerce for information to assist in export licensing determinations. The Committee has not been advised of serious criticisms of the current system with respect to the timeliness or completeness of intelligence provided to the Department of Commerce. The Committee urges the DCI to ensure that the process for providing intelligence needed by the Secretary of Commerce to make export licensing determinations is working effectively, but the Committee is not persuaded Section 109(b)(1)(C) would assist in this regard. The Committee thus adopted an amendment to strike the provision from the bill. Encryption amendment Summary The Committee proposes a process for reviewing and, as appropriate, reforming encryption export control policy. The process rests on three pillars: a comprehensive evaluation of technical, national security, and economic considerations; scientific research and technological development; and government-private sector cooperation. The amendment requires the President to prepare a report, within 150 days of enactment of the legislation, assessing the current and future international market for computer software with encryption. The report's findings, which must be prepared in consultation with representatives of the U.S. software industry, must take into account types, quality, and market penetration of foreignproduced encryption software and controls affecting the marketability of encryption software. The report must also evaluate the effect of export controls on U.S. software manufacturers, with particular attention to competitiveness, export revenues, and employment in the domestic industry. The Committee strongly urges the National Institute of Standards and Technology (NIST), with the technical advice and assistance of the National Security Agency (NSA), to establish a cooperative research and development consortium to develop software encryption consistent with law enforcement and national security requirements. The consortium should solicit the participation of industrial, academic, and other interested parties. The Committee recommends that the President present Congress with the results of research conducted by the cooperative research and development consortium and recommendations, as appropriate, for reforms to encryption export control policy. These recommendations should be based on the presidential study required in the amendment. It is the Committee's intent that the recommendations be derived from a comprehensive and continuing review of the technical, national security, and economic underpinnings of current policy. Background Cryptology is vital to the U.S. intelligence community. Without the ability to decrypt enciphered communications, the value of signals intelligence activities would be diminished significantly. The history of the U.S. intelligence community, through and including operations during the Persian Gulf War, is replete with instances when the intelligence community's cryptanalytic skills provided the critical ingredient to successful U.S. military operations. Cryptology also plays a prominent role in the intelligence community's ability to meet new challenges in the post-Cold War world: the proliferation of weapons of mass destruction, terrorism, narcotics trafficking, and economic competitiveness. Through oversight of the intelligence community and annual review of the intelligence budget, the Committee has demonstrated strong interest and support for cryptologic programs. It has regularly examined cryptologic successes, the contribution of cryptology to the national security and other important national interests, and cryptologic challenges. The cryptologic programs NSA manages represent a significant annual investment and are appropriately the subject of intense scrutiny during the Committee's annual budget process. Further, as part of its oversight responsibilities of cryptologic programs, the Committee recently received a thorough, classified briefing on the damaging implications of altering the present encryption export control regime. The intelligence community's cryptologic success depends in part on controlling the use of encryption by targets of intelligence interest. This assists in the provision of responsive, timely, and accurate intelligence support to policymakers and the military. Controlling the dissemination of sophisticated encryption has been and will continue to be critical to those successes and U.S. national security interests. The Committee continues to support that goal. With these concerns in mind, the export of equipment and computer software containing encryption is controlled pursuant to the Arms Export Control Act. Under the International Traffic in Arms Regulations (ITAR) promulgated under the Act, encryption is included on the Munitions List on the advice of the Secretary of Defense who identifies defense items and services the uncontrolled export of which would threaten national security. This mechanism is critical to ensuring that encryption software exports that would damage the intelligence community's performance are regulated consistent with national security interests. Exports of encryption controlled pursuant to the ITAR are permitted under export licenses, granted pursuant to strict terms and conditions. Although carefully controlled, the present regime is dynamic. Like other export control regimes, it has undergone significant revision in recent years, although not in ways which would jeopardize national security. Under current policy, licensing jurisdiction for all but the most powerful encryption software has been transferred from the Department of State to the Department of Commerce where under much less stringent conditions, it can be exported under general licenses. In 1992, special arrangements were implemented to provide expedited transfer of commodity jurisdiction for certain forty bit key encryption software to the Commerce Department where it can be exported under a general license. (Each binary digit in a cryptographic key, is referred to as a bit. For a given algorithm, longer keys are generally stronger than shorter ones.) Export of Data Encryption Standard (DES) encryption, which has a fifty-six bit key algorithm, is permitted under certain circumstances. U.S. software producers can export DES-based software to overseas subsidiaries of U.S. companies and any financial institution. In addition, it can be shipped to any customer and all destinations for verification and authentication applications. On February 4, 1994, the Administration announced its proposal to implement reforms that will permit any U.S. person to take DES-based encryption software overseas for personal use. The changes made over time to the export control system for encryption, like the original decision to list it on the Munitions List, have been carefully reviewed through a process which takes into account the implications of the changes for national security requirements. It remains the foundation of a successful, effective regulatory scheme. Purpose and Need The Committee is concerned that section 117(c) as reported by the Committee on Foreign Affairs does not adequately address the national security interests put at risk by the uncontrolled export of encryption. Section 117(c) dismantles the existing system which permits the control of this critical technology to all destinations by providing the intelligence community an opportunity to evaluate whether the export of encryption is in the national interest. The decontrol contemplated by section 117(c), as well as shifting licensing authority from the Arms Export Control Act to the Export Administration Act, will, in the Committee's judgment, jeopardize the national security. The amendment the Committee adopted replaces this version of section 117(c) with a requirement for a Presidential study, thereby maintaining existing regulatory authorities and procedures. The market environment facing U.S. companies is critical to determining the proper boundary of export controls. Claims that U.S. software companies must compete in a global market in which foreign produced encryption is freely available, thus placing them at a disadvantage, are founded primarily on anecdotal evidence. The amendment seeks to fill this information deficiency by requiring the President to conduct a study, in consultation with representatives of the U.S. computer software industry, of the international market for computer software with encryption. The study is to assess the current market, as well as the market prospects, and be completed within 150 days of enactment. The study must assess the effect of export controls on the international competitiveness of the U.S. industry, including foregone export revenues and employment levels. Additionally, the report must review types, quality, and market penetration of foreign-produced encryption software products and any controls influencing the international marketability of encryption software. The Committee recognizes that the report may have to be classified, in whole or in part, to protect national security information. Determining the state of the international encryption market and the relative position of U.S. companies in it is but one part of assessing export policy; technology must also be considered. The Committee notes that liberalization of encryption export controls has resulted, and will continue to result, from technological advances. The Committee realizes the growing need for information security and recognizes that privacy afforded by encryption products and technology will come to be increasingly valued. To balance the desire for privacy in communications with law enforcement and national security interests, the Committee fully supports additional research on the development of encryption software. The Committee, therefore, strongly recommends that NIST, with the technical advice and assistance of NSA, establish a cooperative research consortium. The purpose of the consortium is to develop encryption software which can protect the privacy of users and is available consistent with U.S. law enforcement and national security interests. The consortium should solicit the participation of industrial, academic, and other interested parties. The Committee notes that NIST and NSA have already expressed interest in such a research program, as have representatives of the software industry, and the Committee encourages these steps. The Committee expects that the research and development program that it recommends will be implemented as expeditiously as possible, with the full and complete support of NIST and NSA. The Committee believes that the policy review process must reflect the dynamism of the industry and the research and development efforts previously suggested. This should be accomplished in a comprehensive fashion and in a manner that provides certainty to interested parties that these issues will be reviewed periodically. The Committee recommends that the President report to Congress the results of the research program the Committee recommends and recommendations for reforms of encryption export control policy based on the findings of the study required in the Amendment. A final report should be submitted to Congress within three years of the enactment of this Act and at least one interim report should be submitted no later than eighteen months after enactment. These reports may be submitted, in whole or in part, in classified form if necessary. In addition, the Committee recommends that the President continue to examine the present export licensing system for encryption software and make procedural reforms, consistent with overall policy. This extension of the Export Administration Act makes the transition from export control regimes of the Cold War to systems more appropriate to a post-Cold War world of different threats and opportunities. The Committee believes that encryption export controls will remain invaluable to the intelligence community's efforts to protect national security and other national interests. The Committee also recognizes the need to retain the competitive edge U.S. companies enjoy in the market for encryption. The Committee's action balances those interests within the context of changing export control policy and thus is consistent with the themes of H.R. 3937. Other issues The Committee appreciates the willingness of the Committee on Foreign Affairs to discuss concerns of the intelligence community with respect to transactions involving the export of goods and technologies reportable under the National Security Act of 1947, and protection of sources and methods and ongoing criminal investigations under certain conditions. SECTION-BY-SECTION ANALYSIS The amendments ordered reported by the Permanent Select Committee on Intelligence modify the following sections of H.R. 3937 as reported by the Committee on Foreign Affairs: (1) Amendment to Section 109(b)(1)(C). The amendment deletes Section 109(b)(1)(C) of H.R. 3937 as reported from the Committee on Foreign Affairs. (2) Amendment to Section 117(c). The amendment strikes the text of Section 117(c) of H.R. 3937 as reported by the Committee on Foreign Affairs and substitutes in lieu thereof a requirement that the President, not later than 150 days after enactment of the Act, shall submit a report to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Foreign Affairs of the House of Representatives. The report shall: (1) assess the current and future international market for computer software with encryption; (2) assess the impact of United States encryption export controls on the international competitiveness of the United States computer software industry and their economic consequences, including the impact on exports and jobs in the United States computer software industry; and (3) review the types, quality and market penetration of foreign produced encryption software products and any controls that influence the international market ability of encryption software products. The President is directed to consult with representatives of the United States computer software industry in preparing the report. The Committee urges the President to continue to study and assess the issues which are the subject of the report and to issue periodic updates of the report. COMMITTEE POSITION On June 15, 1994, the Permanent Select Committee on Intelligence, a quorum being present, met to consider H.R. 3937 as reported from the Committee on Foreign Affairs. Amendments were offered to the bill that (1) substitute for Section 117(c) a requirement that the President assess the encryption software market and report his findings to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Foreign Affairs of the House of Representatives within 150 days after the enactment of the Act; and (2) delete Section 109(b)(1XC) that requires the Director of Central Intelligence to collect all intelligence regarding controlled end users and to establish an electronic database of this intelligence. The amendments were approved by a recorded vote of 13 yeas and 0 nays and H.R. 3937, as amended, was ordered reported by voice vote. OVERSIGHT FINDINGS With respect to clause 2(1X3XA) of rule XI of the Rules of the House of Representatives, the Committee has held hearings and briefings concerning the consequences of the uncontrolled export of computer software with encryption. FISCAL YEAR COSTS PROJECTIONS The Committee agrees with the comments on cost projections of the Committee on Foreign Affairs as stated in Report 103-531, Part 1. [SECTIONS ON CONGRESSIONAL BUDGET OFFICE COST ESTIMATES OMITTED]