106th Congress                                            Rept. 106-117
                        HOUSE OF REPRESENTATIVES
 1st Session                                                     Part 4
_______________________________________________________________________

                                     




                    PROTECTION OF NATIONAL SECURITY


                         AND PUBLIC SAFETY ACT

                               __________

                              R E P O R T

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                                   ON

                                H.R. 850

                             together with

                   ADDITIONAL AND SUPPLEMENTAL VIEWS

      [Including cost estimate of the Congressional Budget Office]

                                     


                                     

 July 23, 1999.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
58-132                     WASHINGTON : 1999


                            C O N T E N T S

                              ----------                              

Purpose and Background
Legislative History
Section-by-Section Analysis
    Section 1--Short Title
    Section 2--Exports of Encryption
    Section 3--License Exception For Certain Encryption Products
    Section 4--One-time Product Review
    Section 5--Eligibility Levels
    Section 6--Encryption Licenses Required
    Section 7--Waiver Authority
    Section 8--Encryption Industry and Information Security Board
    Section 9--Market Share Survey
    Section 10--Definitions
Committee Position
Fiscal Data
    Congressional Budget Office Estimate
    Congressional Budget Office Cost Estimate
    Committee Cost Estimate
Oversight Findings
Constitutional Authority Statement
Statement of Federal Mandates
Record Vote
Additional views of Congressman J.C. Watts, Jr.
Supplemental views of Congressman Patrick J. Kennedy


======================================================================



 
         PROTECTION OF NATIONAL SECURITY AND PUBLIC SAFETY ACT

                                _______


                 July 23, 1999.--Ordered to be printed

                                _______
                                

    Mr. Spence, from the Committee on Armed Services, submitted the 
                               following

                              R E P O R T

                             together with

                   ADDITIONAL AND SUPPLEMENTAL VIEWS

                        [To accompany H.R. 850]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Armed Services, to whom was referred the 
bill (H.R. 850) to amend title 18, United States Code, to 
affirm the rights of United States persons to use and sell 
encryption and to relax export controls on encryption, having 
considered the same, report favorably thereon with amendments 
and recommend that the bill as amended do pass.
  The amendments are as follows:
  Strike out all after the enacting clause and insert in lieu 
thereof the following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Protection of National Security and 
Public Safety Act''.

SEC. 2. EXPORTS OF ENCRYPTION.

  (a) Authority to Control Exports.--The President shall control the 
export of all dual-use encryption products.
  (b) Authority to Deny Export for National Security Reasons.--
Notwithstanding any provision of this Act, the President may deny the 
export of any encryption product on the basis that its export is 
contrary to the national security interests of the United States.
  (c) Decisions Not Subject to Judicial Review.--Any decision made by 
the President or his designee with respect to the export of encryption 
products under this Act shall not be subject to judicial review.

SEC. 3. LICENSE EXCEPTION FOR CERTAIN ENCRYPTION PRODUCTS.

  Encryption products with encryption strength equal to or less than 
the level identified in section 5 shall be eligible for export under a 
license exception if--
          (1) such encryption product is submitted for a 1-time 
        technical review;
          (2) such encryption product does not require licensing under 
        otherwise applicable regulations;
          (3) such encryption product is not intended for a country, 
        end user, or end use that is by regulation ineligible to 
        receive such product, and the encryption product is otherwise 
        qualified for export; and
          (4) the exporter, at the time of submission of the product 
        for technical review, provides the names and addresses of its 
        distribution chain partners.

SEC. 4. ONE-TIME PRODUCT REVIEW.

  The President shall specify the information that must be submitted 
for the 1-time review referred to in section 3.

SEC. 5. ELIGIBILITY LEVELS.

  (a) Initial Eligibility Level.--Not later than 180 days after the 
date of the enactment of this Act, the President shall notify the 
Congress of the maximum level of encryption strength that may be 
exported from the United States under license exception pursuant to 
section 3 without harm to the national security interests of the United 
States. Such level shall not become effective until 30 days after such 
notification.
  (b) Periodic Review of Eligibility Level.--The President shall, at 
the end of each successive 180-day period after the notice provided to 
the Congress under subsection (a), notify the Congress of the maximum 
level of encryption strength, which may not be lower than that in 
effect under this section during that 180-day period, that may be 
exported from the United States under a license exception pursuant to 
section 3 without harm to the national security interests of the United 
States. Such level shall not become effective until 30 days after such 
notification.

SEC. 6. ENCRYPTION LICENSES REQUIRED.

  (a) United States Products Exceeding Certain Bit Length.--An export 
license is required for the export of any encryption product designed 
or manufactured within the United States with an encryption strength 
exceeding the maximum level eligible for a license exception under 
section 3.
  (b) Requirements for Export License Application.--To apply for an 
export license, the applicant shall submit--
          (1) the product for technical review;
          (2) a certification identifying--
                  (A) the intended end use of the product; and
                  (B) the expected end user of the product;
          (3) in instances where the export is to a distribution chain 
        partner--
                  (A) proof that the distribution chain partner has 
                contractually agreed to abide by all laws and 
                regulations of the United States concerning the export 
                and reexport of encryption products designed or 
                manufactured within the United States; and
                  (B) the name and address of the distribution chain 
                partner; and
          (4) any other information required by the President.
  (c) Post-Export Reporting.--
          (1) Unauthorized use.--Any exporter of encryption products 
        that are designed or manufactured within the United States 
        shall submit a report to the Secretary at any time the exporter 
        has reason to believe that any such product exported pursuant 
        to this section is being diverted to a use or user not approved 
        at the time of export.
          (2) Distribution chain partners.--All exporters of encryption 
        products that are designed and manufactured within the United 
        States, and all distribution chain partners of such exporters, 
        shall submit to the Secretary a report which shall specify--
                  (A) the particular product sold;
                  (B) the name and address of the end user of the 
                product; and
                  (C) the intended use of the product sold.

SEC. 7. WAIVER AUTHORITY.

  (a) In General.--The President may by Executive order waive the 
applicability of any provision of section 3 to a person or entity if 
the President determines that the waiver is necessary to protect the 
national security interests of the United States. The President shall, 
not later than 15 days after making such determination, submit a report 
to the committees referred to in subsection (c) that includes the 
factual basis upon which such determination was made. The report may be 
in classified format.
  (b) Waivers for Certain Classes of End Users.--The President may by 
Executive order waive the licensing requirements of section 6 for 
specific classes of end users identified as being eligible for receipt 
of encryption commodities and software under license exception in 
section 740.17 of title 15, Code of Federal Regulations, as in effect 
on July 17, 1999. The President shall, not later than 15 days after 
issuing such a waiver, submit a report to the committees referred to in 
subsection (c) that includes the factual basis upon which such waiver 
was made. The report may be in classified format.
  (c) Committees.--The committees referred to in subsections (a) and 
(b) are the Committee on International Relations, the Committee on 
Armed Services, and the Permanent Select Committee on Intelligence of 
the House of Representatives, and the Committee on Foreign Relations, 
the Committee on Armed Services, and the Select Committee on 
Intelligence of the Senate.

SEC. 8. ENCRYPTION INDUSTRY AND INFORMATION SECURITY BOARD.

  (a) Encryption Industry and Information Security Board Established.--
There is hereby established an Encryption Industry and Information 
Security Board. The Board shall undertake an advisory role for the 
President on the matter of foreign availability of encryption products.
  (b) Membership.--(1) The Board shall be composed of 12 members, as 
follows:
          (A) The Secretary, or the Secretary's designee.
          (B) The Attorney General, or his or her designee.
          (C) The Secretary of Defense, or his or her designee.
          (D) The Director of Central Intelligence, or his or her 
        designee.
          (E) The Director of the Federal Bureau of Investigation, or 
        his or her designee.
          (F) The Special Assistant to the President for National 
        Security Affairs, or his or her designee, who shall chair the 
        Board.
          (G) Six representatives from the private sector who have 
        expertise in the development, operation, marketing, law, or 
        public policy relating to information security or technology. 
        Members under this subparagraph shall each serve for 5-year 
        terms.
    (2) The six private sector representatives described in paragraph 
(1)(G) shall be appointed as follows:
          (A) Two by the Speaker of the House of Representatives.
          (B) One by the Minority Leader of the House of 
        Representatives.
          (C) Two by the Majority Leader of the Senate.
          (D) One by the Minority Leader of the Senate.
    (c) Meetings.--The Board shall meet at such times and in such 
places as the Secretary may prescribe, but not less frequently than 
every four months.
  (d) Findings and Recommendations.--The chair of the Board shall 
convey the findings and recommendations of the Board to the President 
and to the Congress within 30 days after each meeting of the Board. The 
recommendations of the Board are not binding upon the President.
  (e) Limitation.--The Board shall have no authority to review any 
export determination made pursuant to this Act.
  (f) Termination.--This section shall cease to be effective 10 years 
after the date of the enactment of this Act.

SEC. 9. MARKET SHARE SURVEY.

  The Secretary shall, at least once every 6 months, conduct a market 
share survey of foreign markets for encryption products. The Secretary 
shall publish the results of the survey in the Federal Register. The 
publication shall include an assessment of the market share of each 
foreign encryption product in each market surveyed and a description of 
the general characteristics of each encryption product.

SEC. 10. DEFINITIONS.

  In this Act:
          (1) Encryption.--The term ``encryption'' means the 
        transformation or scrambling of data, for the purpose of 
        protecting such data, from plaintext to an unreadable or 
        incomprehensible format, regardless of the techniques used for 
        such transformation or scrambling and regardless of the medium 
        in which such data occur or can be found.
          (2) Export and exporter.--The term ``export'' includes 
        reexport, the term ``exporter'' includes ``reexporter''.
          (3) Secretary.--The term ``Secretary'' means the Secretary of 
        Commerce.

    Amend the title so as to read:

    A bill to protect national security and public safety 
through the balanced use of export controls on encryption 
products.

                         PURPOSE AND BACKGROUND

    H.R. 850 is similar to a bill (H.R. 695) with the same name 
and chief sponsor introduced in the 105th Congress. It would 
decontrol the export of encryption software products, and 
computers that contain encryption software, considered to be 
``generally available.''
    The committee recognizes that the impetus for the bill 
stems from the explosive growth of the Internet and the rise in 
electronic commerce in recent years, which has led to increased 
concerns over information security. A growing number of 
individuals and businesses now have access to the Internet and 
the capability to transmit volumes of personal and proprietary 
data from one user to another nearly instantaneously. As 
technology advances, the risk that the secure transmission of 
this information may be compromised by computer ``hackers'' is 
increasing. This risk has resulted in calls for greater 
encryption capabilities.
    Encryption is a means of scrambling or encoding electronic 
data so that its contents are protected from unauthorized 
interception or disclosure. Many software application programs 
already feature encryption capabilities to afford users a 
degree of privacy and security when conducting electronic 
transactions. For example, Netscape Communications 
Corporation's World Wide Web browser can transmit information 
in a secure, encrypted mode that allows individuals to order 
products and services by credit card over the internet with a 
reasonable expectation that any personal information 
transmitted will be protected.
    The domestic use of encryption products is presently 
unrestricted, since their use by law-abiding citizens and 
companies can increase public confidence in the security of 
electronic transactions. However, in the hands of terrorists or 
criminals, the capability to scramble communications or encode 
information may hinder efforts to thwart planned terrorist acts 
or apprehend international drug smugglers. Therefore, the 
export of encryption capabilities is controlled for important 
national security and foreign policy reasons.
    In particular, the committee notes that the U.S. military 
has made information warfare a key element of U.S. military 
strategy. It is a tenet of this element of U.S. strategy that 
the United States must be able to protect its own 
communications from interception while exploiting the 
weaknesses in the information systems and communications of 
potential adversaries. Much of the U.S. military's battlefield 
advantage relies on information dominance and the ability to 
decipher the communications of the enemy. Capabilities that 
make it more difficult for the United States to detect the 
plans and activities of hostile military forces could 
significantly degrade the technological advantage presently 
held by U.S. combat forces.
    The Institute for National Strategic Studies at the 
National Defense University has identified seven areas of 
information warfare that could play decisive roles in combat, 
including electronic warfare, cyber warfare, command and 
control warfare, intelligence-based warfare, and so-called 
``hacker'' warfare. The Institute's 1996 Strategic Assessment 
study noted the growing importance of information warfare and 
the desirability for U.S. exploitation of a potential 
adversary's vulnerabilities. The study declared that ``if the 
United States could override an enemy's military computers, it 
might achieve an advantage comparable to neutralizing the 
enemy's command apparatus.'' In addition, it noted the value of 
attacking an adversary's commercial computer systems, i.e., 
banking, power, telecommunications, and safety systems. The 
ability to ``wreak havoc'' on these systems, the study noted, 
``would be a powerful new instrument of power.'' However, as 
technology advances, the proliferation of increasingly 
sophisticated and difficult to decipher encryption capabilities 
overseas may make it more difficult for the United States to 
maintain its military superiority and achieve tactical 
battlefield advantages.
    The capabilities and security of encryption products 
generally depend on the length of the encryption algorithm or 
electronic ``key'' required to decrypt the data, as measured by 
the number of data ``bits'' in the key. Generally speaking, the 
longer the key (or number of key bits) the more secure the 
encryption program and the more difficult it is to ``break the 
code.'' Until January 1997, U.S. policy allowed the 
unrestricted export of encryption software with keys up to 40 
bits in length. As a result of growing concerns over the 
ability to protect the integrity and contents of personal and 
proprietary data, and in response to industry demands to market 
more capable encryption software overseas, export controls on 
U.S.-origin encryption products were relaxed in 1996 and again 
in 1998. This has led to concerns that U.S. export control 
policy is weighted more heavily toward privacy and economic 
concerns rather than national security considerations.
    Because of their national security implications, the United 
States has traditionally considered encryption products to be 
sensitive ``munitions'' items and their export has been 
controlled by the State Department. However, in October 1996, 
the Clinton Administration decided to transfer jurisdiction 
over the export of commercial encryption products from the 
State Department to the Commerce Department, which is 
responsible for export controls on ``dual use'' items with 
military and civilian application. In addition, the 
Administration agreed to allow the export of encryption 
products with keys of up to 56 bits in length, beginning in 
January 1997, provided that the exporting companies develop a 
``key recovery'' plan over the next two years that would allow 
access to the decryption keys by government law-enforcement 
agents or intelligence officials, if necessary, in order to 
decode scrambled information. The Administration's key recovery 
plan was criticized by industry as unworkable and a 
disincentive for foreign customers to purchase American 
encryption products. However, U.S. companies appeared to be 
complying with the key recovery requirements necessary to 
obtain U.S. government export approval, as the number of export 
licenses granted for encryption software increased.
    In announcing the liberalized export control policy, Vice 
President Gore stated that it would ``support the growth of 
electronic commerce, increase the security of the global 
information (sic.), and sustain the economic competitiveness of 
U.S. encryption product manufacturers * * * .'' However, an 
Administration talking points paper on the decision noted that 
``this export liberalization poses risks to public safety and 
national security. The Administration is willing to tolerate 
that risk, for a limited period, in order to accelerate the 
development of a global key management infrastructure.'' In 
addition, in a letter to Congress in November 1996, President 
Clinton acknowledged that ``the export of encryption products 
transferred to Department of Commerce control could 
harm national security and foreign policy interests of the United States 
even where comparable products are or appear to be available from 
foreign sources.''
    The purported availability of comparable encryption 
products from foreign sources remains a major argument used by 
industry to support further liberalization of export controls. 
According to a recently-released study conducted by George 
Washington University's Cyberspace Policy Institute (CPI), more 
than 800 encryption products are now available overseas in 35 
countries--a 22 percent increase in the past year and a half. 
However, the national security community has argued that many 
of these products do not perform as advertised or are not 
effectively utilized. In addition, as the CPI study notes, only 
20 percent of these products contain ``strong'' encryption. In 
testimony before the committee on July 1, 1999, Deputy 
Secretary of Defense John Hamre stated, ``The foreign 
availability argument is seductive, but flawed.'' Strong 
encryption ``is not, in fact, ubiquitously available 
overseas,'' he stated, adding that ``we see no advantage in 
accelerating the general availability of such products to those 
who would wish us ill.'' Deputy Attorney General Jamie Gorelick 
testified in September 1996 that the availability of encryption 
software over the internet ``does not undermine the utility of 
controls on exports of software or hardware products. The 
simple fact is that the majority of businesses and individuals 
with a serious need for strong encryption do not and will not 
rely on encryption downloaded from the internet.'' Lifting U.S. 
export controls, she argued, would ``[damage] our own national 
security interests'' and may not provide the expected benefits 
to industry if the removal of U.S. export controls leads to the 
introduction by other countries of import restrictions.
    In spite of these national security concerns, controls over 
the export of U.S.-origin encryption products continued to be 
liberalized. In June 1997, Netscape Communications Corporation 
and Microsoft Corporation received permission to export 
encryption products up to 128 bits in length for use 
exclusively for banking and financial transactions. On 
September 16, 1998, the Administration announced a further 
relaxation of export controls on encryption. As part of this 
liberalization, the export of encryption products with key 
lengths up to 56 bits was completely decontrolled. Moreover, 
strong encryption products of any key length are now allowed to 
be exported, license-free, to several sectors of industry in 44 
countries. These include subsidiaries of U.S. firms; insurance 
companies; health and medical organizations; and on-line 
merchants. The Administration also abandoned its insistence on 
development of a mandatory key recovery infrastructure.
    H.R. 850, and companion legislation in the Senate, 
represent a further attempt to significantly liberalize U.S. 
encryption policy. In particular, H.R. 850 would:
          (1) prohibit the government from requiring the use of 
        key-recoverable encryption systems;
          (2) prohibit the government from controlling the 
        export or re-export of commercially-available 
        encryption-capable software or computers using such 
        software;
          (3) grant the Commerce Department exclusive authority 
        to control exports of all hardware, software, and 
        technology for information security, except that 
        designed for military use; and
          (4) direct the Secretary of Commerce to allow the 
        export or re-export of encryption-capable software for 
        non-military end-uses in any country, or computers 
        using such software based on considerations of foreign 
        availability.
    By prohibiting the government from requiring the use of key 
recovery-capable encryption products, section 2 of H.R. 850 
would seriously impact the ability of the Department of Defense 
to effectively monitor the thousands of business and contract 
actions taken each day by the Department. In addition, this 
section would undermine government efforts to foster the 
voluntary development by industry of a key management 
infrastructure.
    The committee notes that section 3 of H.R. 850 carries the 
most serious implications for U.S. national security. This 
section removes virtually all controls on the exportability of 
encryption products and greatly increases the likelihood that 
strong encryption products will be used by international 
terrorists to hide their plans. The committee notes that 
encryption is already being used by terrorists, and believes 
that the United States should not facilitate the spread of even 
stronger, unbreakable encryption capabilities to individuals or 
entities that seek to harm Americans. H.R. 850, as introduced, 
would do just that.
    In his testimony before the committee on July 1, 1999, 
Deputy Secretary of Defense John Hamre stated, ``I can 
unequivocally tell you Osama bin Laden (the accused mastermind 
of the U.S. Embassy bombings in Kenya and Tanzania) and other 
bad guys in the world are not only using information technology 
but encrypted information technology.'' Testifying before the 
committee on July 13, 1999, FBI Director Louis Freeh noted that 
Ramzi Yousef, convicted conspirator in the World Trade Center 
bombing, used encrypted computer files to mask his plans to 
blow up 11 U.S. airliners. It took ``months and months'' to 
decrypt that information. Director Freeh noted that ``if those 
were plans that were imminent and we were in the possession of 
that [encrypted] information, we would not have been able to 
solve that.''
    The committee also notes that section 3 of H.R. 850 would 
remove all controls on the export of high-performance computers 
(so-called ``supercomputers'') if those computers contain 
encryption products or software that are ``generally 
available.'' In the committee's view, this is one of the most 
significant and potentially dangerous flaws in H.R. 850. In 
light of the evidence that U.S. supercomputers were 
inappropriately transferred to entities of concern in Russia 
and China, and the recommendations to tighten export controls 
on high-performance computers contained in the report of the 
Congressionally-mandated Select Committee on U.S. National 
Security and Military/Commercial Concerns With the People's 
Republic of China (the ``Cox Committee''), the removal of 
export restrictions on such machines would have significant 
consequences for U.S. national security. Further, this section 
would also supersede section 1211 of the National Defense 
Authorization Act for Fiscal Year 1998 (Public Law 105-85), 
which is designed to prevent the inadvertent export of 
supercomputers to questionable end users in countries of 
proliferation concern.
    In summary, the committee concludes that H.R. 850, as 
introduced, would harm U.S. national security interests. 
According to Deputy Secretary of Defense Hamre, H.R. 850 
``would seriously weaken our national security.'' In a March 
24, 1999 letter to House Judiciary Committee Chairman Henry 
Hyde, Secretary Hamre stated, ``The passage of legislation that 
immediately decontrols the export of strong encryption will result in 
the loss or delay of essential intelligence reporting because it may 
take too long to decrypt the information--if indeed we can decrypt it 
at all * * *. H.R. 850 threatens our ability to do just that.'' In a 
May 24, 1999 letter to Chairman Spence, Secretary Hamre concluded that 
``H.R. 850 is anything but safe legislation.'' In his testimony before 
the committee on July 1, 1999, Secretary Hamre declared that the 
``unregulated release of the strongest encryption is going to do one 
thing: put more troops' lives at risk. Period.'' In her testimony 
before the committee on July 1, 1999, National Security Agency (NSA) 
Deputy Director McNamara testified that it will ``greatly complicate 
our exploitation of foreign targets'' and make NSA's job ``difficult, 
if not impossible.'' She argued that ``the immediate decontrol of 
encryption exports as proposed in the SAFE Act * * * [would] put 
national security at serious risk.''
    The committee notes that the Administration has also 
criticized the move to decontrol the export of encryption 
products on law-enforcement grounds. For example, in a July 16, 
1999 letter to Chairman Spence, the President of the 
International Association of Chiefs of Police stated that H.R. 
850 ``would pose an enormous danger to both law enforcement and 
to society as a whole.''
    In response to these concerns, the committee agreed to 
amend H.R. 850 by deleting all after the enacting clause and 
substituting language that would grant the President authority 
to control exports of all dual-use encryption technology. The 
amendment also would allow for export without a license 
(referred to as a ``license exception'') for the export of 
encryption products with a strength at or below the maximum 
threshold established by the President. Export of these 
products would only occur under a ``license exception'' after a 
one-time government review. The President would also be able to 
waive an export under license exception for national security 
reasons. The amendment would also direct the President to 
notify Congress on a semi-annual basis of the appropriate 
threshold for the strength of encryption products that may be 
exported without harm to U.S. national security. The Congress 
would have a 30-day period to review the appropriateness of the 
notified level.
    The amendment would establish licensing criteria for the 
export of encryption items with a strength that exceeds the 
maximum threshold established by the President for license 
exception. It would also be consistent with current 
Administration policy that allows the export of strong 
encryption to certain industry sectors, such as financial and 
medical institutions. In addition, the amendment would 
establish an encryption industry and information security board 
to review and advise the President on the foreign availability 
of encryption products.

                          LEGISLATIVE HISTORY

    H.R. 850, the ``Security and Freedom through Encryption 
(SAFE) Act,'' was introduced by Representative Bob Goodlatte 
(R-VA) on February 25, 1999. The bill was reported April 27, 
1999 by the House Committee on Judiciary (H. Report 106-117, 
Part I), and was reported (amended) on July 2, 1999 by the 
House Committee on Commerce (H. Rept. 106-117, Part II). The 
bill was also referred to the Committee on International 
Relations, the Permanent Select Committee on Intelligence, and 
the Committee on Armed Services.
    On July 1, 1999 the Committee on Armed Services held a 
hearing on H.R. 850. Testimony was taken from Deputy Secretary 
of Defense John Hamre and Deputy Director of the National 
Security Agency Barbara McNamara. The focus of the hearing was 
to assess the bill's impact on U.S. national security.
    On July 13, 1999, a second full committee hearing was held. 
Testimony was received from Attorney General Janet Reno, FBI 
Director Louis Freeh, Under Secretary of Commerce for Export 
Administration William Reinsch, and industry witnesses 
regarding the legislation's impact on national security, law 
enforcement, and public safety.
    On July 21, 1999, the committee held a mark-up session to 
consider H.R. 850. The committee adopted an amendment in the 
nature of a substitute by a record vote of 47 to 6. The amended 
version of the bill was reported favorably by a voice vote. The 
record vote result can be found at the end of this report.

                      SECTION-BY-SECTION ANALYSIS

    The following is a section-by-section analysis of the 
amendment in the nature of a substitute adopted by the 
committee.

Section 1--Short title

    This section would cite the Act as the ``Protection of 
National Security and Public Safety Act.''

Section 2--Exports of encryption

    This section would grant the President authority to control 
the export of all dual-use encryption products and would allow 
the President to deny the export of any encryption product if 
such export would be contrary to the national security 
interest. It would also ensure that any Presidential decision 
with respect to the export of encryption products is not 
subject to judicial review.

Section 3--License exception for certain encryption products

    This section would allow an encryption product of a 
strength less than or equal to the threshold established by the 
President in section 5 to be exported without a license 
(``license exception'') if certain conditions are met, 
including submission of the product for a one-time technical 
review.

Section 4--One-time product review

    This section would require the President to specify the 
information that must be submitted for the one-time product 
review.

Section 5--Eligibility levels

    This section would require the President to establish, 
within 180 days of enactment, the maximum level of encryption 
strength that may be exported under license exception without 
harm to U.S. national security interests. It would also require 
the President to review this threshold level every six months. 
In both cases, the level would not take effect until 30 days 
after the Congress is notified. In effect, this section would 
grant the President the flexibility to adjust the export 
licensing threshold as the level of technology advances, 
consistent with U.S. national security requirements.

Section 6--Encryption licenses required

    This section would require an export license for an 
encryption product with a strength that exceeds the threshold 
level established by the President in section 5. It would 
require an exporter seeking an export license to submit the 
encryption product for technical review and to provide a 
certification identifying the intended end use and end user of 
the product. In instances where the export is to a distribution 
chain partner, it would require submission of the name and 
address of the partner, along with proof that the partner has 
contractually agreed to abide by all U.S. export and re-export 
laws and regulations. This section would also require exporters 
to notify the Secretary of Commerce if they have reason to 
believe that their encryption product is being used in an 
unapproved manner or by an unapproved end user. This section 
would also require distribution chain partners to submit a 
report on the intended end use and end user of the product.

Section 7--Waiver authority

    This section would allow the President to waive the license 
exception requirements in section 3 for national security 
reasons. It would also allow the President to exempt certain 
industry sectors from the licensing requirements in section 6 
after notifying Congress. This would be consistent with current 
Administration policy which allows the unlicensed export of 
strong encryption products to certain sectors of industry, such 
as financial and medical institutions.

Section 8--Encryption industry and information security board

    This section would establish an advisory board to review 
and advise the President on the foreign availability of 
encryption products. The board would be composed of six 
government officials and six members from the private sector. 
The findings of the board would be conveyed to the President 
and the Congress.

Section 9--Market share survey

    This section would require the Secretary of Commerce to 
conduct, at least once every six months, a market share survey 
of foreign markets for encryption products.

Section 10--Definitions

    This section would define terms used in this Act.

                           committee position

    On July 21, 1999, the Committee on Armed Services, a quorum 
being present, approved H.R. 850 as amended, by a voice vote.

                              fiscal data

    Pursuant to clause 3(d)(2)(A) of rule XIII of the Rules of 
the House of Representatives, the committee attempted to 
ascertain annual outlays resulting from the bill during fiscal 
year 2000 and the four following fiscal years. The results of 
such efforts are reflected in the cost estimate prepared by the 
Director of the Congressional Budget Office under section 402 
of the Congressional Budget Act of 1974, which is included in 
this report pursuant to clause 3(c)(3) of rule XIII of the 
Rules of the House.

Congressional Budget Office Estimate

    In compliance with clause 3(c)(3) of rule XIII of the Rules 
of the House of Representatives, the cost estimate prepared by 
the Congressional Budget Office and submitted pursuant to 
section 402(a) of the Congressional Budget Act of 1974 is as 
follows:

                                                     July 22, 1999.
Hon. Floyd Spence,
Chairman, Committee on Armed Services,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 850, the 
Protection of National Security and Public Safety Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark Hadley.
            Sincerely,
                                          Dan L. Crippen, Director.

               congressional budget office cost estimate

Protection of National Security and Public Safety Act

    H.R. 850 would clarify the President's authority to control 
the export of encryption products. The effectiveness or 
strength of contemporary encryption products is measured by the 
number of bits that make up the key for the encryption 
algorithm. (The term ``key'' refers to the mathematical code 
used to translate encrypted information back into its original, 
unencrypted format.) Under current policy, domestic producers 
may export encryption products with key lengths of up to 56 
bits and stronger products for specified industries.
    Under the bill, the President would determine the maximum 
strength of encryption products that may be exported (with 
review and potential updates of that maximum every 180 days). 
In addition, the bill would allow the President to deny the 
export of any encryption product if the export of such product 
is contrary to the national security interest of the United 
States. H.R. 850 would establish a board to advise the 
President on the export of encryption products. Finally, the 
bill would require the Department of Commerce to conduct a 
market share survey of foreign markets for encryption products 
every six months.
    Based on information from the Department of Commerce, CBO 
estimates that implementing H.R. 850 would cost about $1 
million a year, subject to appropriation of the necessary 
amounts. H.R. 850 would not affect direct spending or receipts; 
therefore, pay-as-you-go procedures would not apply. H.R. 850 
contains no intergovernmental or private-sector mandates as 
defined in the Unfunded Mandates Reform Act and would impose no 
costs on state, local, or tribal governments.
    CBO has completed numerous other estimates of bills 
affecting the export of encryption products, including three 
versions of H.R. 850. Differences between this estimate and our 
previous estimates reflect differences between the bills. On 
April 21, 1999, CBO transmitted a cost estimate for H.R. 850 as 
ordered reported by the House Committee on the Judiciary on 
March 24, 1999. On July 1, 1999, CBO transmitted an estimate 
for H.R. 850 as ordered reported by the House Committee on 
Commerce on June 23, 1999. On July 16, 1999, CBO transmitted an 
estimate of H.R. 850 as ordered reported by the House Committee 
on International Relations on July 13, 1999. And on July 9, 
1999, CBO transmitted an estimate for S. 798, the Promote 
Reliable Online Transactions to Encourage Commerce and Trade 
(PROTECT) Act of 1999, as ordered reported by the Senate 
Committee on Commerce, Science, and Transportation on June 23, 
1999. CBO estimated that the versions reported by the Judiciary 
Committee and the International Relations Committee would each 
cost between $3 million and $5 million over the 2000-2004 
period and that the House Commerce Committee's version of H.R. 
850 and the Senate bill (S. 798) would each increase costs by 
at least $25 million over the same period.
    The CBO staff contact is Mark Hadley. This estimate was 
approved by Robert A. Sunshine, Deputy Assistant Director for 
Budget Analysis.

Committee cost estimate

    Pursuant to clause 3(d) of rule XIII of the Rules of the 
House of Representatives, the committee generally concurs with 
the estimate contained in the report of the Congressional 
Budget Office.

                           oversight findings

    With respect to clause 3(c)(1) of rule XIII of the Rules of 
the House of Representatives, this legislation results from 
hearings and other oversight activities conducted by the 
committee pursuant to clause 2(b)(1) of rule X.
    With respect to clause 3(c)(2) of rule XIII of the Rules of 
the House of Representatives and section 308(a)(1) of the 
Congressional Budget Act of 1974, this legislation does not 
include any new spending or credit authority, nor does it 
provide for any increase or decrease in tax revenues or 
expenditures. The fiscal features of this legislation are 
addressed in the estimate prepared by the Director of the 
Congressional Budget Office under section 402 of the 
Congressional Budget Act of 1974.
    With respect to clause 3(c)(4) of rule XIII of the Rules of 
the House of Representatives, the committee has not received a 
report from the Committee on Government Reform and Oversight 
pertaining to the subject matter of H.R. 850.

                   constitutional authority statement

    Pursuant to clause 3(d)(1) of rule XIII of the Rules of the 
House of Representatives, the committee finds the authority for 
this legislation in Article I, section 8 of the United States 
Constitution.

                     statement of federal mandates

    Pursuant to section 423 of Public Law 104-4, this 
legislation contains no federal mandates with respect to state, 
local, and tribal governments, nor with respect to the private 
sector. Similarly, the bill provides no unfunded federal 
intergovernmental mandates.

                              record vote

    In accordance with clause 3(b) of rule XIII of the Rules of 
the House of Representatives, a record vote was taken with 
respect to the committee's consideration of H.R. 850. The 
record of this vote can be found on the following page.
    The committee ordered H.R. 850, as amended, reported to the 
House with a favorable recommendation by a voice vote, a quorum 
being present.



                            ADDITIONAL VIEWS

    Mr. Chairman, I submit the following additional comments 
for inclusion to the committee report for H.R. 850 and thank 
you for your considerations.
    As an original co-sponsor of the Security and Freedom 
Through Encryption Act (SAFE) I demonstrated my support for an 
open market. It is my belief that we can and should be the 
world's leader in the development and marketing of 
technologies, and as a member of Congress we have a 
responsibility to protect the security of the American people.
    The amended version of H.R. 850 is the first step to take a 
serious look at what is required to release technologies and 
protect National Security. I look forward to continued 
discussions on this issue and the establishment of a 
performance threshold for encryption that will serve both the 
private and public sector.

                                                    J.C. Watts, Jr.

                           SUPPLEMENTAL VIEWS

    As a Member of the House Armed Services Committee, I am the 
first to stand in support of our national security. But now is 
the time to legislate a balanced encryption policy in the 
United States.
    Over the course of the 106th Congress, I have met with and 
talked to numerous experts in the computer and security field. 
The experts I spoke with represented various views on export 
controls to encode, or encrypt, electronic communications. Now 
is the time for Congress to make a decision for a well thought 
out encryption policy for this great country of ours.
    It is my belief that current U.S. regulations limit the 
export of encryption and unfairly handicap American high-
technology companies. Even though we are the leaders in 
information technology, it is vital that we maintain our 
strategic information dominance. What is imperative is that our 
law enforcement and national security agencies must do more to 
develop alternative means for achieving their missions while 
focusing on strong encryption.
    The provisions of the SAFE Act would remove most license 
requirements for exports of recoverable products. It would 
remove existing barriers to secure e-commerce and business-to-
business transactions. The SAFE Act, however, would not absolve 
the computer industry of its obligations to law enforcement 
or to the intelligence community.
    We all acknowledge that the United States leads the world 
in the production of computer hardware and software, and 
technology is the engine driving the global economy. We as a 
country should not sit idly by and let U.S. companies lose 
their edge in the world market because they can't deliver the 
kind of secure products and services that customers demand.
    H.R. 850 ensures that safety and security become the 
cornerstones of the information superhighway. If U.S. 
encryption continues to be restricted, foreign products may 
soon dominate the worldwide market, hindering our ability to 
gather intelligence against terrorists and criminals.
    I would also like to state for the record that for reasons 
stated above, I would not have voted for the Weldon, Sisisky, 
and Andrews Substitute Amendment, had I been present.

                                                Patrick J. Kennedy.