3

International bank transactions are now routinely encrypted, which they never really were before. Dozens of firms among the Fortune 500 are now guarding their messages by cipher systems for the first time.

All this activity has caused the National Security Agency, the nation's codemaking and codebreaking organization, to grow anxious about the possible reduction in American intelligence as a consequence of improved foreign codemaking. The foreign governments in question are not, of course, the major powers, such as the Soviet Union or France, whose codes have long been unbreakable, but the developing nations. Their codes, now often solvable, will eventually become unbreakable. N.S.A. wants to delay this as much no possible. It might seem that the messages of these nations do not contain anything worthwhile. But further reflection will snow that most of the post-World War II hotspots have been in just such countries: the nations of the Mideast, Korea, the Congo, Cuba, Vietnam, Iran, Afghanistan. So their messages are worth reading.

Eager to preserve national security, the N.S.A. has sought to slow down public work in cryptology. At its direction, the Patent Office placed under secrecy orders two applications for patents for cipher devices (after heavy adverse publicity, the orders were withdrawn). One of its employees sought to intimidate researchers in the field by citing the federal International Traffic in Arms Regulations (ITAR), which require a license to export "technical data" on, among other things such as guns and warships, "cryptographic devices." "Technical data" includes "unclassified information" and "exporting" includes publishing in a periodical with subscribers outside of the country or talking at a symposium in the U.S. with foreign nationals present. Though the N.S.A. employee pulled his stunt on his own, the agency never repudiated his effort. Moreover, it brought the ITAR to the attention of many cryptologists who never knew they existed and made many of them think twice before publishing their work. Perhaps feeling that the administratively-based ITAR were not strong enough to proceed under, N.S.A. sought to have inserted in a bill a provision that all cryptologic information be subject to export controls. This effort, too, failed. The N.S.A. director, Vice Admiral Bobby Inman, greatly concerned about the new activity in cryptology, broke the agency's rule of silence and spoke out publicly on the need for restraint. He said he is considering restrictions on "domestic dissemination of nongovernmental technical information relating to cryptology." In addition, he is visiting leading nongovernmental cryptologists in universities and research laboratories in a soft sell to get them to lay off. In at least one case, he has succeeded.

Is all this not merely a case of a bureaucracy's simply trying to protect its job or to conserve the power its vastly superior knowledge of the field gives it? No. For though the N.S.A. is indeed trying to do both these things, so are the

cryptologists in business and academe.

Thoughts of tenure and raises and fame are not far from their minds when they analyze ciphers or write about them. So this argument cuts both ways and may not fairly be used against the N.S.A.

Instead the issue is whether what the N.S.A. is trying to do is the best for the country. Should the government suppress cryptology on national security grounds?

The question should not be answered by a knee-jerk negative. It deserves consideration. For without security, there is no freedom. Moreover, the nation has responded to the same question in another area with an affirmative if legislation is any evidence. The Atomic Energy Act places under government control not Just go enanos

-

"special nuclear material" but "all data" concerning them. This was the basis for the action against The Progressive's publication of publicly available material on an atomic bomb. (The ITAR provide another broad weapon for control in many areas, though its publication provisions seem not to have been tested in court.)

Some people might argue that codes differ fundamentally from atomic bombs: No code has ever killed anyone. The N.S.A. would retort that the difference is more apparent than real. Good codes are a form of weapon. By enabling a nation or a terrorist group to keep their plans secret longer, they reduce the time available to the United States to take countermeasures and so in effect do kill people.

-

There are weaknesses in this response. It could turn almost every activity of a free society into a weapon that could be used against it. Every news story, every campaign speech about President Carter's mistakes and weaknesses could be seen as helping the enemy. The development of microprocessors, which are revolutionizing our lives but which, by conferring great computing power upon a nation, also expand its cryptologic capabilities, may be viewed as a boon to American rivals. Nevertheless, the N.S.A. argument has validity in some cases, as with atom bombs. How are these cases to be determined?

The test should be whether the activity in question benefits the nation at home more than it harms it abroad. The argument seems to hold with nuclear recipes. Why should it not also apply to cryptology? Do any benefits accrue to the nation from the unrestricted development and publication of studies on codes and ciphers? Four do.

One is that work in cryptology can help improve the nation's own cryptologic effort. Two of the most important concepts in American codes and ciphers were developed by amateurs. One was an inventor, Edward Hebern of California, and the other was better known as a President of the United States: Thomas Jefferson. It may be that the time of individual innovation is over in cryptology

5

as it is largely in science. But still, two computer scientists recently independently invented a revolutionary new concept, the one I mentioned before, public-key cryptography. Though cryptologists in N.S.A. and/or its British counterpart had devised this earlier, its reinvention by two individuals demonstrates that nongovernmental workers can yet do important work. Such results help America more than other nations because America is more advanced. A negative instance may help show the importance of outside input. In 1940, Nazi Germany ordered all books on cryptology withdrawn from circulation. No one would claim that this was one of the main causes of Germany's catastrophic defeat in the war of the cryptologists, whose loss so harmed Germany on the fields of battle. But this censorship could not have helped Germany.

Another benefit to the nation is that work in crypto

can produce results of importance in allied fields, such as communications, mathematics, and computer science. During World War II, for example, Claude Shannon got some of the ideas for information theory, one of the most seminal ideas of our time, while working on cryptologic problems. Here, too, such results help America more than other nations. The rich grow richer not only financially, but scientifically.

A further benefit is continuing protection of information that needs protection. As computer scientist and cryptologist Martin Hellman of Stanford University has pointed out, the United States is the most computerized nation on earth and so has the most to lose from hostile penetration of its data networks and data banks. Crypto-systems do not retain their integrity forever: they grow increasingly vulnerable as computation speeds increase and costs decrease. New systems must therefore be constantly developed. Cannot the N.S.A. provide these new systems? Many people do not trust it, in view of its history of intercepting private American telephone calls and its apparent tampering with a cryptosystem approved for non-national security use, as for transmission or storage of social security records (the National Bureau of Standard's Data Encryption Standard). Private initiative in cryptology is therefore needed to assure people that their data is truly protected. Is their personal peace of mind worth a decline in national security? Το ask this question is to ask whether democracy is worth its costs. Most Americans will say yes.

A final benefit is that refusing to restrict cryptologic studies erects yet another rampart against the chipping away of American liberties. Is this rampart, again, worth the danger to national security? Yes, because the danger is not as acute as the N.S.A. wishes people to see it. N.S.A. wants people to think that publication of cryptologic material would slam shut its window into Third World countries. In fact such publication has little effect. The nations who need this information most cannot utilize it. They have no way of embodying it in machines and they do not have the personnel to properly use this high-technology equipment even when it is available, as salesmen for cipher-machine firms will attest. They have many needs to fill before they spend money on cipher machines. And publication of a new cipher will not automatically cause them to abandon their old system, for few men are as intransigent in their beliefs as cryptographers are about the unbreakability of the ciphers they have invented or introduced. The national security dangers are not so great as to dismantle individual freedom.

For all of these reasons, then, no limitation should be placed on the study of cryptology. And beyond them all lies something more fundamental that, in the end, will probably prevent any restrictions anyway. It is called the First Amendment.

I thank you.

Mr. PREYER. Thank you very much, Mr. Kahn. I think it is clear from your testimony that you obviously know an awful lot about the history of cryptologies and about cryptology. You modestly omitted that you were the author of a classic book on the subject, "The Codebreakers." I should have announced that when I introduced you at the outset.

Before we go into questions, I would suggest we hear all of the panel witnesses.

I would like to call on Dr. Davida at this time. He is a scientist from Wisconsin who applied for a patent on an encryption device and was denied because of a secrecy order. We will be interested in hearing about your experience.

STATEMENT OF GEORGE DAVIDA, ASSOCIATE PROFESSOR, DEPARTMENT OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE, UNIVERSITY OF WISCONSIN-MILWAUKEE, MILWAUKEE, WIS.

Mr. DAVIDA. My experience in national security came about in a rather interestng way. Under the university's institutional patent agreement with the National Science Foundation, the Wisconsin Alumni Research Foundation is able to file for patents when work done by University of Wisconsin scientists comes to fruition.

When the patent application was sent to the Commerce Department we subsequently received a secrecy order enjoining us from disclosing the contents which we would have had we gone to the market with it.

Subsequently, after the descriptions of events appeared in the newspaper, the chancellor was able to get in touch with the Secretary of Commerce who at the time was Juanita Kreps, and Admiral Inman, and the order was lifted on June 13, 1978.

I would like to summarize some of the things I said in my prepared statement, Mr. Chairman. They relate to essentially two things: The effects of secrecy orders on researchers and others and also the fundamental question which David Kahn has stated so well and that is, Does our work advesely affect national security? I would first like to say that the effect of the secrecy order in the university environment is rather negative. Basically secrecy and education are incompatible. Learning in the university depends on the free flow of information in order to happen. Students and faculty learn from each other through discussions, communications, and reading of each other's work in the journals out in the

open.

Some other difficulties were raised by the secrecy order. The reason is that it is difficult to comply with a secrecy order on work which was done previously in an unclassified manner.

For example, the first time I learned of the secrecy order was in a telephone conversation and with several students listening in, who could not help it. Obviously it was not a secret anymore. Some other things that came about were rather disturbing. The secrecy order, it turns out, involves not just the investigator and the people who had handled the material but anyone else who may have received the report.

That raised some very interesting problems for us. We didn't know who had gotten the report because normally the requests are

handled by the department staff in a routine manner. As a result, we could not readily compile a list as required by the order as to who had received the report so that he could then be informed of the secrecy order.

One thing that was also bothersome about that was that we would in effect be involving other colleagues in the secrecy order. As a matter of fact one colleague of mine would not open letters from me for a while. Then, other questions arose about responsibilities that the investigator may have in enforcing or complying with the order. What would happen if subsequently the material was disclosed again? Would he be responsible for any disclosures which may have occurred?

Other questions arose about the student's research. Could the student in fact graduate or would he be denied his degree because of the secrecy?

A minor effect of the secrecy order was that we wasted an awful lot of time responding to it.

I would like to also address some specific questions which you raised, Mr. Chairman, in a letter to me recently. That is, that the Director of the NSA, Admiral Inman, had stated in an interview, I believe, that because there was a profit motive on the part of the university, that then we could not claim that we had academic freedom issues involved.

I am somewhat surprised about that because I didn't think profit was incompatible with our activities and particularly with university research where profit in fact enhances academic freedom. Without profit, a great deal of research could not be conducted since universities would be constantly having to seek funds from State and Federal agencies with all kinds of strings attached.

But the fundamental question we come to is, Does research in data security affect the national security adversely? In my opinion it does not. In my opinion, the research we are doing in fact enhances national security. The applications that are coming about almost daily, many of them are new. The application of computers to areas like medical data bases and electronic mail systems results in systems that are extremely vulnerable to threats of eavesdropping, record mutilation, record theft, privacy violations, etc.

Encryption, in my opinion is the best method of protecting computerized data. I don't think the other techniques we are studying are as effective. It is one of the most successful techniques to protect data in a computer system.

I think our ability to protect data in medical data bases, electronic mail, electronic funds tranfer, and other applications should enhance the security of the country.

Another question that arises Mr. Chairman, is: Does encryption research that we do help other countries, hostile countries in particular, to use our results to protect their communications and hence deny us intelligence?

This is somewhat difficult to answer because it would depend on whether or not you choose to believe that hostile countries would believe that our crypto systems are secure. I should simply point out that our own scientists don't believe the Government's data encryption standards are secure and I can't see how other countries can believe it.