Good morning, Mr. Chairman and members of the Committee. I thank you for the invitation to testify this morning in favor of H.R. 695, the Security and Freedom through Encryption Act. This is the second time I've appeared before Congress to support legislation to put common sense into our crypto export policy.
I am a Staff Engineer with Qualcomm Incorporated in San Diego. We develop and manufacture digital cellular telephones and other advanced wireless systems. For the past decade I have also been involved in the development of the Internet. I have seen firsthand the effect of outmoded export controls on the security and integrity of these technologies.
While encryption is only one element of network security, it is a vital one. Strong, modern encryption algorithms have been published worldwide since the 1970s. Where we're behind is in their application to real systems to protect the public. And export controls are the main culprit.
Ask the Administration why the rules exist. They'll say -- if they say anything -- "That's classified. But if we could tell you, you'd agree with us."
Three years ago this book came out: Applied Cryptography by Bruce Schneier. It includes extensive listings of encryption software source code, making it subject to the US export laws. So I asked the State Department if it was exportable, and they said that it was "in the public domain", and outside their jurisdiction. But they said that the floppy disks available from the author were excluded. So I asked again: what about this floppy disk containing exactly the same source code that's printed in the book?
Incredibly, they ruled that this floppy disk is a munition requiring a license to export. Identical information -- in print form it's exportable, on a disk it's not. Apparently they believe only Americans can type. Not that anyone would really have to. This same software has also been on an Internet site in Italy for over two years, and the Administration knows it.
Now what could they possibly know to justify their position? So far I have been unsuccessful in gaining relief in either the executive branch or the courts. Now the Administration even claims they could also ban the export of printed books and papers like Applied Cryptography -- they just "choose" not to. And they maintain that no one -- not the Courts, not Congress, and least of all a private citizen like myself -- has the wisdom to question their policies.
The chilling effect of export controls extends into the cellular industry. Instead of using widely available and trusted ciphers like those in Applied Cryptography, export concerns prompted the US cellular industry to adopt "dumbed down" ciphers for the new generation of digital cell phones. And now it seems that these ciphers are even weaker than we thought. In my written testimony is an abstract of a new paper being released today by Wagner, Schneier and Kelsey describing how to break the Cellular Message Encryption Algorithm in minutes to hours on a single computer. Digital cell phones are still much harder to intercept than regular analog ones, but they are not nearly as secure as they could have been or as we thought they were. I'm convinced it is only a matter of time before the criminals break the new digital systems just as they have the analog one. To be fair, industry politics and public apathy also played a role, but export controls were definitely the major factor.
In my written testimony I've included further information on my case and on the widespread availability of encryption software on the Internet. And of course I'm happy to answer any questions you may have.
Note: this document is available on the Internet as