Prepared Remarks by Dr. Cheryl L. Shavers
Under Secretary of Commerce for Technology
Press Briefing to Announce Proposed Advanced Encryption Standard
October 2, 2000 11:00 a.m.
- Everyone is talking about how information technologies are revolutionizing the way we work, the way we buy, the way we sell, the way we learn, the way we get government services, and the way we entertain ourselves.
- And "everyone" is right. We're truly in the midst of an extraordinary period of change, enabled by new information technologies and applications. In fact, I think we may just be in the early stages of that revolution.
- The potential is enormous. But so is the opportunity for failure if we don't pay more attention to the basics. And security is one of those basics.
- For E-Business, E-Government or E-Anything to succeed, buyers, sellers – everyone who relies on electronic information – need to be confident that their information is secure.
- Without that confidence throughout the community of information providers and users, the growth of information technology and business, consumer, and government applications will be hampered. Without that confidence, we won't be able to count on the continued strong economic growth that is being fueled by our information technology advances.
- That's why the Secretary's announcement today of the Department of Commerce's choice for the proposed new Advanced Encryption Standard is so important.
- Encryption, a form for encoding information, is a key means for assuring information security. The Data Encryption Standard – or DES -- is the principal technique used by the government to protect sensitive, unclassified information.
- The Secretary of Commerce approved DES as a standard in 1977. DES uses an encryption technique developed in the mid 1970s by IBM and then adopted by the Federal government – by NIST, in fact -- as a federal standard in 1977.
- With the continued growth in computing power over the following decades, however, the time has come to replace DES. It no longer provides the level of security needed by many applications. A variant known as "Triple DES" does provide much stronger security, but it is not efficient at doing that job.
- In 1996, NIST – a part of the Technology Administration -- began planning a standards development process to find a successor to DES, to be known as the Advanced Encryption Standard, or AES. NIST made their plans public in January 1997.
- AES draws upon the private sector technology and is designed to provide strong security well into the new century.
- During the following years, NIST has organized and managed an international competition to select a successor algorithm. Of twenty-one entries, fifteen met the minimum requirements. Five of those were selected as finalists. Today we will announce the algorithm we are proposing to be the AES.
- NIST Director Ray Kammer will explain the process in more detail.
- We anticipate AES will play a pivotal role in securing electronic transactions for many years to come.
- The federal government, in this case NIST, plays a key role as facilitator of the AES development. I may be a bit biased, but I think that NIST and its Information Technology Laboratory has done a superb job at managing this difficult assignment. It's been an open and fair competition. Our goal was to identify the best possible encryption technique, and that was not an easy task – but it was very well done.
- This is a proposed standard that will be used by federal civilian agencies -- if adopted by the Secretary of Commerce after the public comment process. But it also will be used voluntarily by huge portions of the private sector.
- Many in the private sector will rely upon the government's endorsement of this standard, once approved, as a strong vote of confidence in its security. Of course, I want to make it clear that those in the private sector may use any encryption technique they choose.
- While encryption is important to security, no single security technique addresses all security threats. Everyone must use multiple tools and approaches, both technological as well as well as human and organizational. Encryption of information, for example, cannot stop an insider from leaking your sensitive business secrets.
- But this is a crucial element in our nation's security strategy to protect sensitive information. We're taking a big step forward today. Thank you.