Maintaining the secrecy of information is the fundamental function of encryption items. Persons abroad may use such items to harm the U.S.’s law enforcement efforts, as well as its foreign policy and national security interests. The U.S. Government has a critical interest in ensuring that persons opposed to the United States are not able to conceal hostile or criminal activities, and that the legitimate needs for protecting important and sensitive information of the public and private sectors are met.
Since the transfer of dual-use encryption items from the United States Munitions List to the Commerce Control List (CCL) on December 6, 1996, export controls on encryption have evolved commensurate with electronic commerce and information technology (IT) developments, and to address continuing U.S. national security and law enforcement concerns. Since 2000, U.S. encryption export policy has been directed by three fundamental practices: technical review of encryption products prior to sale, streamlined post-export reporting, and license reviews of proposed transactions involving strong encryption to certain foreign government end-users and countries of concern. U.S. encryption policy also seeks to ensure that American companies are not disadvantaged by the European Union’s “license-free zone.”
Following extensive interagency consultations and discussions with Technical Advisory Committees and industry representatives, on December 9, 2004 the Department of Commerce published a rule to simplify and strengthen the U.S. export policy for encryption items (69 FR 71356). Highlights of the changes included: recognition of the 2004 expansion of the European Union (EU) in License Exception ENC; clarification of the criteria by which the licensing requirement to “government end-users” outside the EU “license-free zone” is determined; a reduced requirement to notify the U.S. Government of changes to source code posted on the Internet pursuant to License Exception TSU; and explicit authority for the U.S. Government to request additional information about an encryption product following the initial 30-day License Exception ENC review period.
Encryption products can be used to conceal the communications of terrorists, drug smugglers, and others intent on harming U.S. interests. Cryptographic products and software also have military and intelligence applications that, in the hands of hostile nations, could pose a threat to U.S. national security. The national security, foreign policy, and law enforcement interests of the United States are protected by encryption export controls. These controls are consistent with Executive Order (E.O.) 13026, which was issued on November 15, 1996, and the Presidential Memorandum of the same date.
1. Probability of Achieving the Intended Foreign Policy Purpose. The Secretary has determined that, consistent with E.O. 13026 of November 15, 1996, and the Presidential Memorandum of the same date, the updated U.S. encryption export controls achieve the intended purpose of implementing technical review procedures for commercial encryption items and restricting the export of encryption items in situations that would be contrary to U.S. national security or foreign policy interests. The Secretary has determined that these controls are likely to achieve the intended foreign policy purpose, in light of other factors, including the availability of encryption items from other countries; and that the foreign policy purpose cannot fully be achieved through negotiations with the participating states of the Wassenaar Arrangement (WA) or through alternative means. Commensurate with the growth of electronic commerce and the Internet, and the emergence of new security protocols such as for short-range wireless communications, the number of countries with the technology to produce highly sophisticated, dual-use encryption products continues to grow. However, since much of the world’s commercial cryptography is supplied by a core group of information technology (IT) industry leaders using standard algorithms and protocols, encryption export controls can be effective in achieving their intended foreign policy purpose.
2. Compatibility with Foreign Policy Objectives. The Secretary has determined that these controls are compatible with U.S. foreign policy objectives, and that the extension of these controls will not have significant adverse foreign policy consequences. The controls are consistent with the U.S. foreign policy goal of preventing U.S. exports (and subsequent reexports) that might contribute to destabilizing military capabilities or to the capabilities of international terrorists or criminals. In addition, foreign policy concerns and non-proliferation considerations will continue to determine the United States’ licensing policy to embargoed and sanctioned destinations. Updated U.S. encryption export controls implement multilateral agreements and protect U.S. citizens overseas, as well as critical infrastructure assets at home.
3. Reaction of Other Countries. The Secretary has determined that the continued implementation of U.S. encryption export controls is generally accepted in the international community, and that any adverse reaction to these controls is not likely to render the controls ineffective, nor are they counter-productive to the foreign policy interests of the United States. Other countries, particularly those capable of producing highly sophisticated encryption products, recognize the need to control exports of such products for national security and law enforcement reasons. The U.S. Government and its key trading and security partners recognize the desirability of securing critical infrastructures, developing new technologies and standards, preventing cybercrime, and promoting electronic commerce, while restricting goods that could compromise common security and foreign policy interests.
As a result, participating states of the Wassenaar Arrangement (WA) and other multilateral fora, such as the EU, continue to work with the U.S. Government on encryption export controls and generally share U.S. security concerns and economic interests relative to trade in encryption. As a recent and significant example, during the April 2005 WA Experts Group meeting, the United States submitted a proposal to create a WA control on quantum cryptography, a family of techniques that make use of specific properties of quantum particles for high-grade “information security” applications. In the December 2005 WA Plenary meeting, the WA participating states agreed to the U.S. proposal to control quantum cryptography.
4. Economic Impact on U.S. Industry. The Secretary has determined that the continued implementation of encryption regulations will allow U.S. industry to maintain its leadership position in the global market for encryption as well as other IT products, while ensuring that essential protections for U.S. national security and foreign policy interests, as well as the public safety, are upheld. The Secretary has determined that any adverse effect of these controls on the U.S. economy, including on the competitive position of the United States in the international economy, does not exceed the benefit to U.S. foreign policy objectives.
Except for a limited range of encryption items (such as high-end “network infrastructure” products, commercial encryption source code items, and products for which the cryptography has been customized or tailored for government end-users or end-uses) for which a license is required to certain government end-users outside the EU “license-free zone”, dual-use encryption products may be exported and reexported to any destination outside Country Group E:1 after a one-time technical review has been conducted pursuant to either the License Exception ENC (15 C.F.R. § 740.17) or the “mass market” encryption provisions of the Export Administration Regulations (EAR) (15 C.F.R. § 742.15(b)(2)).
Throughout Fiscal Year 2005, the Department of Commerce processed a substantial number of pre-export encryption review requests for a variety of products with encryption features. This activity continues to reflect the ever-expanding trade in encryption items, and the wide commercial applicability of such items. The Department received approximately 1,600 technical review requests for over 2,600 controlled encryption products, components, toolkits, and source code items. Types of products reviewed include commodities and software for desktop and laptop computers, wireless handheld devices, e-business applications, network security, and telecommunications platforms. These encryption reviews comprised 28 percent of the Department’s total output of commodity classifications in Fiscal Year 2005. Of the 2,099 encryption products reviewed during the Fiscal Year, the Bureau of Industry and Security (BIS) classified 88 percent (or 1,852 encryption reviews) as “unrestricted” (1,256) or “mass market” (596) encryption items, making them eligible for export and reexport without a license to government and non-government end-users in most countries.
Additionally, during Fiscal Year 2005, the Department approved 636 license applications for “restricted” encryption items (such as high-end routers and other network infrastructure equipment) and technology (excluding so-called “deemed exports” that are eligible under License Exception ENC to most foreign national employees). These 636 licenses for “restricted encryption items,” valued at $61.2 million, were destined to non-sanctioned end-users outside Country Group E:1 for which licenses were required.
The Department returned without action (RWA) 100 applications for encryption items classified under ECCNs 5A002, 5D002 and 5E002, valued at $130 million. Many of the RWA applications did not require a license, as the transaction was authorized under License Exception ENC. In Fiscal Year 2005, there were no denials of encryption commodities based on issues specific to encryption policy.
Overall, the Department processed approximately 18 percent more encryption review requests and license applications in Fiscal Year 2005 than in Fiscal Year 2004.
5. Effective Enforcement of Controls. The Secretary has determined the United States has the ability to effectively enforce these controls. Detection of some encryption transactions is difficult since encryption components are often incorporated into other products and encryption software can be transferred over the Internet. However, the importance and value ascribed to commercial encryption products does lead to traceable transfers and distributions. Over the course of implementing U.S. encryption export controls under the EAR, the Department of Commerce has determined that it is easier to enforce controls on proprietary encryption technology and commercial encryption commodities and software than it would be to restrict free distributions of “open source” encryption software under a license requirement.
The U.S. Government continually consults with U.S. industry regarding encryption policy. The objective of these consultations is to develop updated policy solutions to assist law enforcement, protect U.S. national security, ensure continued U.S. technological leadership, and promote the privacy and security of U.S. firms and citizens engaged in electronic commerce in an increasingly networked world. Such consultations have proven successful, as evidenced by the increasing number of encryption items submitted for technical review, constructive industry input on matters of regulations and policy, and continued industry commitment to assist law enforcement to better understand current and future encryption technologies.
In discussions leading to the development of simplified encryption regulations published on December 9, 2004, the Department of Commerce worked closely with the BIS Technical Advisory Committees (TACs) (such as the Regulations and Procedures Technical Advisory Committee (RPTAC) and the Information Systems Technical Advisory Committee (ISTAC)), industry groups (such as the Alliance for Network Security) and the exporting community to ensure that industry comments on U.S. encryption export controls were taken into consideration. U.S. industry provided valuable input on business models and practices for making encryption classification decisions, creating “mass market” products, and seeking de minimis determinations. Industry’s input aided in the creation of simplified regulatory provisions relevant to these issues.
In the months following the December 9, 2004 rule publication, the TACs and industry groups have expressed their satisfaction with the updated regulations, particularly with respect to reduced case processing times and more transparent application requirements. The Department of Commerce will continue to work with industry and the interagency community to ensure that developments in information technology are continually monitored so that U.S. encryption export controls can continue to achieve the stated objectives.
In an October 13, 2005, Federal Register notice (70 FR 59678), the Department of Commerce solicited comments from industry on the effectiveness of U.S. foreign policy-based export controls. Comments were solicited from all six of the Department’s Technical Advisory Committees, as well as from the President’s Export Council Subcommittee on Export Administration. Comments also were solicited from the public via the BIS website. The comment period closed on November 14, 2005, and four comments were received. A detailed review of all comments received can be found in Appendix I.
The U.S. Government has taken the lead in global efforts to prevent international criminals, terrorists, and designated state sponsors of terrorism from acquiring sophisticated encryption products, and urged other supplier nations to adopt export controls comparable to those of the United States. As a result, the major industrial partners of the U.S. Government maintain export controls on encryption equipment and technology. U.S. encryption policy reflects continual consultation with other nations, such as the participating states of the Wassenaar Arrangement, members of the European Union, and key bilateral strategic partners.
Encryption items are included under the WA Basic List of dual-use goods and technologies, with controls based on the encryption strength (e.g., key size) and use of specified dual-use items. In addition, the WA Cryptography Note stands as the basis for evaluating “mass market” encryption items covered by the Wassenaar control list. These controls have been maintained, without major structural or strategic changes, since 2000.
In 2005, due to the emerging viability of sophisticated quantum cryptography techniques for both military and commercial applications, the United States consulted with WA partners and quickly reached multilateral agreement on instituting dual-use export controls on quantum cryptography items. In addition, during the reporting period the WA reached agreement on a U.S. proposal to decontrol electronics design automation (EDA) tools containing embedded encryption that is not user-accessible. Such items serve a limited purpose of ensuring that design specifications for commercial electronic components (such as microprocessors and integrated circuits) are not compromised during the manufacturing process. The United States also held technical consultations with key strategic partners on issues raised in WA discussions regarding cellular communications, finding agreement on the application of existing WA controls in this area of encryption policy.
Through a wide range of diplomatic cooperation with law enforcement officials in friendly countries, the U.S. Government continues to undertake bilateral and multilateral efforts to keep encryption products out of the hands of terrorists and other criminals. The U.S. Government continues to encourage other nations to adopt appropriate restrictions on the export of encryption products. These efforts supplement, but do not replace, the effectiveness of U.S. encryption export controls.
The United States recognizes the ongoing adoption and widespread use of encryption world wide, and the continued development of foreign-made encryption hardware and software. The U.S. Government continues to monitor global IT marketplace and encryption policy developments so that updated U.S. regulations will enable American companies to maintain their technological leadership in a manner that safeguards U.S. national security and public safety interests. The U.S. Government does consult with other governments to secure cooperation in controlling the unfettered availability of encryption items. However, the U.S. Government’s foreign policy concerns override the impact of foreign availability.