8 Synthesis, Findings, and Recommendations
8.1 SYNTHESIS AND FINDINGS
In an age of explosive worldwide growth of electronic data storage and communications, many vital national interests require the effective protection of information. Especially when used in coordination with other tools for information security, cryptography in all of its applications, including data confidentiality, data integrity, and user authentication, is a most powerful tool for protecting information.
8.1.1 The Problem of Information Vulnerability
Because digital representations of large volumes of information are increasingly pervasive, both the benefits and the risks of digital representation have increased. The benefits are generally apparent to users of information technologylarger amounts of information, used more effectively and acquired more quickly, can increase the efficiency with which businesses operate, open up entirely new business opportunities, and play an important role in the quality of life for individuals.
The risks are far less obvious. As discussed in Chapter 1, one of the most significant risks of a digital information age is the potential vulnerability of important information as it is communicated and stored. When information is transmitted in computer-readable form, it is highly vulnerable to unauthorized disclosure or alteration:
• Many communications are carried over channels (e.g., satellites, cellular telephones, and local area networks) that are easily tapped. Tapping wireless channels is almost impossible to detect and to stop, and tapping local area networks may be very hard to detect or stop as well. Other electronic communications are conducted through data networks that can be easily penetrated (e.g., the Internet).
• Approximately 10 billion words of information in computer-readable form can be scanned for $1 today (as discussed in Chapter 1), allowing intruders, the malicious, or spies to separate the wheat from the chaff very inexpensively. For example, a skilled person with criminal intentions can easily develop a program that recognizes and records all credit card numbers in a stream of unencrypted data traffic.1 The decreasing cost of computation will reduce even further the costs involved in such searches.
• Many users do not know about their vulnerabilities to the theft or compromise of information; in some instances, they are ignorant of or even complacent about them. Indeed, the insecurity of computer networks today is much more the result of poor operational practices on the part of users and poor implementations of technology on the part of product developers than of an inadequate technology base or a poor scientific understanding.
In the early days of computing, the problems caused by information vulnerability were primarily the result of relatively innocent trespasses of amateur computer hackers who were motivated mostly by technical curiosity. But this is no longer true, and has not been true for some time. The fact that the nation is moving into an information age on a large scale means that a much larger number of people are likely to have strong financial, political, or economic motivations to exploit information vulnerabilities that still exist. For example, electronic interceptions and other technical operations account for the largest portion of economic and industrial information lost by U.S. corporations to foreign parties, as noted in Chapter 1.
Today, the consequences of large-scale information vulnerability are potentially quite serious:
• U.S. business, governmental, and individual communications are
1 The feasibility of designing a program to recognize text strings that represent credit card numbers has been demonstrated most recently by the First Virtual Corporation. See press release of February 7, 1996, "First Virtual Holdings Identifies Major Flaw in Software-Based Encryption of Credit Cards; Numbers Easily Captured by Automated Program," First Virtual Corporation, San Diego, Calif. Available on-line at http://www.fv.com/gabletxt/ release2_7_96.html.
targets or potential targets for intelligence organizations of foreign governments, competitors, vandals, suppliers, customers, and organized crime. Businesses send through electronic channels considerable amounts of confidential information, including items such as project and merger proposals, trade secrets, bidding information, corporate strategies for expansion in critical markets, research and development information relevant to cost reduction or new products, product specifications, and expected delivery dates. Most importantly, U.S. businesses must compete on a worldwide basis. International exposure increases the vulnerability to compromise of sensitive information. Helping to defend U.S. business interests against such compromises of information is an important function of law enforcement.
• American values such as personal rights to privacy are at stake. Private citizens may conduct sensitive financial transactions electronically or by telephone. Data on their medical histories, including mental illnesses, addictions, sexually transmitted diseases, and personal health habits, are compiled in the course of providing medical care. Driving records, spending patterns, credit histories, and other financial information are available from multiple sources. All such information warrants protection.
• The ability of private citizens to function in an information economy is at risk. Even today, individuals suffer as criminals take over their identities and run up huge credit card bills in their names. Toll fraud on cellular telephones is so large that some cellular providers have simply terminated international connections in the areas that they serve. Inaccuracies as the result of incorrectly posted information ruin the credit records of some individuals. Protecting individuals against such problems warrants public concern and is again an area in which law enforcement and other government authorities have a role to play.
• The federal government has an important stake in assuring that its important and sensitive political, economic, law enforcement, and military information, both classified and unclassified, is protected from misuse by foreign governments or other parties whose interests are hostile to those of the United States.
• Elements of the U.S. civilian infrastructure such as the banking system, the electric power grid, the public switched telecommunications network, and the air traffic control system are central to so many dimensions of modern life that protecting these elements must have a high priority. Defending these assets against information warfare and crimes of theft, misappropriation, and misuse potentially conducted by hostile nations, terrorists, criminals, and electronic vandals is a matter of national security and will require high levels of information protection and strong security safeguards.
8.1.2 Cryptographic Solutions to Information Vulnerabilities
Cryptography does not solve all problems of information security; for example, cryptography cannot prevent a party authorized to view information from improperly disclosing that information. Although it is not a "silver bullet" that can stand by itself, cryptography is a powerful tool that can be used to protect information stored and communicated in digital form: cryptography can help to assure confidentiality of data, to detect unauthorized alterations in data and thereby help to maintain its integrity, and to authenticate the asserted identity of an individual or a computer system (Chapter 2). Used in conjunction with other information security measures, cryptography has considerable value in helping law-abiding citizens, businesses, and the nation as a whole defend their legitimate interests against information crimes and threats such as fraud, electronic vandalism, the improper disclosure of national security information, or information warfare.
Modern cryptographic techniques used for confidentiality make it possible to develop and implement ciphers that are for all practical purposes impossible for unauthorized parties to penetrate but that still make good economic sense to use.
• Strong encryption is economically feasible today. For example, many integrated circuit chips that would be used in a computer or communications device can inexpensively accommodate the extra elements needed to implement the Data Encryption Standard (DES) encryption algorithm. If implemented in software, the cost is equally low, or even lower.
• Public-key cryptography can help to eliminate the expense of using couriers, registered mail, or other secure means for exchanging keys. Compared to a physical infrastructure for key exchange, an electronic infrastructure based on public-key cryptography to exchange keys will be faster and more able to facilitate secure communications between parties that have never interacted directly with each other prior to the first communication. Public-key cryptography also enables the implementation of the digital equivalent of a written signature, enabling safer electronic commerce.
• Encryption can be integrated by vendors into end-user applications and hardware for the benefit of the large majority of users who do not have the technical skill to perform their own integration. Encryption can also be made automatic and transparent in ways that require no extra action on the part of the user, thus ensuring that cryptographic protection will be present regardless of user complacency or ignorance.
8.1.3 The Policy Dilemma Posed by Cryptography
The confidentiality of information that cryptography can provide is useful not only for the legitimate purposes of preventing information crimes (e.g., the theft of trade secrets or unauthorized disclosure of sensitive medical records) but also for illegitimate purposes (e.g., shielding from law enforcement officials a conversation between two terrorists planning to bomb a building). Although strong automatic encryption implemented as an integral part of data processing and communications provides confidentiality for "good guys" against "bad guys" (e.g., U.S. business protecting information against economic intelligence efforts of foreign nations), it unfortunately also protects "bad guys" against "good guys'' (e.g., terrorists evading law enforcement agencies). Under appropriate legal authorization such as a court order, law enforcement authorities may gain access to "bad guy" information for the purpose of investigating and prosecuting criminal activity. Similarly, intelligence gathering for national security and foreign policy purposes depends on having access to information of foreign governments and other foreign entities. (See Chapter 3.) Because such activities benefit our society as a whole (e.g., by limiting organized crime and terrorist activities), "bad guy" use of cryptography used for confidentiality poses a problem for society as a whole, not just for law enforcement and national security personnel.
Considered in these terms, it is clear that the development and widespread deployment of cryptography that can be used to deny government access to information represents a challenge to the balance of power between the government and the individual. Historically, all governments, under circumstances that further the common good, have asserted the right to compromise the privacy of individuals (e.g., through opening mail, tapping telephone calls, inspecting bank records); unbreakable cryptography for confidentiality provides the individual with the ability to frustrate assertions of that right.
The confidentiality that cryptography can provide thus creates conflicts. Nevertheless, all of the stakes described aboveprivacy for individuals, protection of sensitive or proprietary information for businesses and other organizations in the prevention of information crimes, ensuring the continuing reliability and integrity of nationally critical information systems and networks, law enforcement access to stored and communicated information for purposes of investigating and prosecuting crime, and national security access to information stored or communicated by foreign powers or other entities and organizations whose interests and intentions are relevant to the national security and the foreign policy interests of the United Statesare legitimate. Informed public discussion of the issues must begin by acknowledging the legitimacy of both infor-
mation security for law-abiding individuals and businesses and information gathering for law enforcement and national security purposes.
A major difficulty clouding the public policy debate regarding cryptography has been that certain elements have been removed from public view due to security classification. However, for reasons noted in the preface, the cleared members of the committee (13 of its 16 members) concluded that the debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis. Although many of the details relevant to policy makers are necessarily classified, these details are not central to making policy arguments one way or the other. Classified material, while important to operational matters in specific cases, is not essential to the big picture of why policy has the shape and texture that it does today nor to the general outline of how technology will, and policy should, evolve in the future.
To manage the policy dilemma created by cryptography, the United States has used a number of tools to balance the interests described above. For many years, concern over foreign threats to national security has been the primary driver of a national cryptography policy that has sought to maximize the protection of U.S. military and diplomatic communications while denying the confidentiality benefits of cryptography to foreign adversaries through the use of controls on the export of cryptographic technologies, products, and related technical information (Chapter 4). More recently, the U.S. government has aggressively promoted escrowed encryption as the technical foundation for national cryptography policy, both to serve domestic interests in providing strong protection for legitimate uses while enabling legally authorized access by law enforcement officials when warranted and also as the basis for more liberal export controls on cryptography (Chapter 5).
Both escrowed encryption and export controls have generated considerable controversy. Escrowed encryption has been controversial because its promotion by the U.S. government appears to some important constituencies to assert the primacy of information access needs of law enforcement and national security over the information security needs of businesses and individuals. Export controls on cryptography have been controversial because they pit the interests of U.S. vendors and some U.S multinational corporations against some of the needs of national security.
8.1.4 National Cryptography Policy for the Information Age
In a world of ubiquitous computing and communications, a concerted effort to protect the information assets of the United States is critical. While cryptography is only one element of a comprehensive approach to information security, it is nevertheless an essential element. Given the
committee's basic charge to focus on national cryptography policy rather than national policy for information security, the essence of the committee's basic conclusion about policy is summarized by the following principle:
Basic Principle: U.S. national policy should be changed to support the broad use of cryptography in ways that take into account competing U.S. needs and desires for individual privacy, international economic competitiveness, law enforcement, national security, and world leadership.
In practice, this principle suggests three basic objectives for national cryptography policy:
1. Broad availability of cryptography to all legitimate elements of U.S. society. Cryptography supports the confidentiality and integrity of digitally represented information (e.g., computer data, software, video) and the authentication of individuals and computer systems communicating with other computer systems; these capabilities are important in varying degrees to protecting the information security interests of many different private and public stakeholders, including law enforcement and national security. Furthermore, cryptography can help to support law enforcement objectives in preventing information crimes such as economic espionage.
2. Continued economic growth and leadership of key U.S. industries and businesses in an increasingly global economy, including but not limited to U.S. computer, software, and communications companies. Such leadership is an integral element of national security. U.S. companies in information technology today have undeniable strengths in foreign markets, but current national cryptography policy threatens to erode these advantages. The largest economic opportunities for U.S. firms in all industries lie in using cryptography to support their critical domestic and international business activities, including international intrafirm and interfirm communications with strategic partners, cooperative efforts with foreign collaborators and researchers in joint business ventures, and real-time connections to suppliers and customers, rather than in selling information technology (Chapter 4).
3. Public safety and protection against foreign and domestic threats. Insofar as possible, communications and stored information of foreign parties whose interests are hostile to those of the United States should be accessible to U.S. intelligence agencies. Similarly, the communications and stored information of criminal elements that are a part of U.S. and global society should be available to law enforcement authorities as authorized by law (Chapter 3).
Objectives 1 and 2 argue for a policy that actively promotes the use of strong cryptography on a broad front and that places few restrictions on the use of cryptography. Objective 3 argues that some kind of government role in the deployment and use of cryptography may continue to be necessary for public safety and national security reasons. The committee believes that these three objectives can be met within a framework recognizing that on balance, the advantages of more widespread use of cryptography outweigh the disadvantages.
The committee concluded that cryptography is one important tool for protecting information and that it is very difficult for governments to control; it thus believes that the widespread nongovernment use of cryptography in the United States and abroad is inevitable in the long run. Cryptography is important because when it is combined with other measures to enhance information security, it gives end users significant control over their information destinies. Even though export controls have had a nontrivial impact on the worldwide spread of cryptography in previous years, over the long term cryptography is difficult to control because the relevant technology diffuses readily through national boundaries; export controls can inhibit the diffusion of products with encryption capabilities but cannot contain the diffusion of knowledge (Chapter 4). The spread of cryptography is inevitable because in the information age the security of information will be as important in all countries as other attributes valued today, such as the reliability and ubiquity of information.
Given the inevitability that cryptography will become widely available, policy that manages how cryptography becomes available can help to mitigate the deleterious consequences of such availability. Indeed, governments often impose regulations on various types of technology that have an impact on the public safety and welfare, and cryptography may well fall into this category. National policy can have an important effect on the rate and nature of the transition from today's world to that of the long-term future. Still, given the importance of cryptography to a more secure information future and its consequent importance to various dimensions of economic prosperity, policy actions that inhibit the use of cryptography should be scrutinized with special care.
The committee's policy recommendations are intended to facilitate a judicious transition between today's world of high information vulnerability and a future world of greater information security, while to the extent possible meeting government's legitimate needs for information gathering for law enforcement, national security, and foreign policy purposes. National cryptography policy should be expected to evolve over time in response to events driven by an era of rapid political, technological, and economic change.
The committee recognizes that national cryptography policy is intended to address only certain aspects of a much larger information security problem faced by citizens, businesses, and government. Nevertheless, the committee found that current national policy is not adequate to support the information security requirements of an information society. Cryptography is an important dimension of information security, but current policy discourages the use of this important tool in both intentional and unintentional ways, as described in Chapters 4 and 6. For example, through the use of export controls, national policy has explicitly sought to limit the use of encryption abroad but has also had the effect of reducing the domestic availability of products with strong encryption capabilities to businesses and other users. Furthermore, government action that discourages the use of cryptography contrasts sharply with national policy and technological and commercial trends in other aspects of information technology. Amidst enormous changes in the technological environment in the past 20 years, today the federal government actively pursues its vision of a national information infrastructure, and the use of computer and communications technology by private parties is growing rapidly.
The committee believes that a mismatch between the speed at which the policy process moves and the speed with which new products develop has had a profound impact on the development of the consensus necessary with respect to cryptography policy (Chapters 4 and 6). This mismatch has a negative impact on both users and vendors. For example, both are affected by an export control regime that sometimes requires many months or even years to make case-by-case decisions on export licensing, while high-value sales to these users involving integrated products with encryption capabilities can be negotiated and consummated on a time scale of days or weeks. Since the basic knowledge underlying cryptography is well known, cryptographic functionality can be implemented into new products on the time scale of new releases of products (several months to a year). Both users and vendors are affected by the fact that significant changes in the export control regulations governing cryptography have not occurred for 4 years (since 1992) at a time when needs for information security are growing, a period that could have accommodated several product cycles. Promulgation of cryptographic standards not based on commercial acceptability (e.g., the Escrowed Encryption Standard (FIPS 185), the Digital Signature Standard (FIPS 180-1)) raised significant industry opposition (from both vendors and users) and led to controversy and significant delays in or outright resistance to commercial adoption of these standards.
These examples suggest that the time scales on which cryptography policy is made and is operationally implemented are incompatible with
the time scales of the marketplace. A more rapid and market-responsive decision-making process would leverage the strengths of U.S. businesses in the international marketplace before significant foreign competition develops. As is illustrated by the shift in market position from IBM to Microsoft in the 1980s, the time scale on which significant competition can arise is short indeed.
Attempts to promote a policy regime that runs against prevailing commercial needs, practice, and preference may ultimately result in a degree of harm to law enforcement and national security interests far greater than what would have occurred if a more moderate regime had been promoted in the first place. The reason is that proposed policy regimes that attempt to impose market-unfriendly solutions will inevitably lead to resistance and delay; whether desirable or not, this is a political reality. Responsible domestic businesses, vendors, and end users are willing to make some accommodations to U.S. national interests in law enforcement and national security, but cannot be expected to do so willingly when those accommodations are far out of line with the needs of the market. Such vendors and users are likely to try to move ahead on their ownand quickly soif they believe that government requirements are not reasonable. Moreover, foreign vendors may well attempt to step into the vacuum. The bottom line is that the U.S. government may have only a relatively small window of time in which to influence the deployment of cryptography worldwide.
The committee also notes that the public debate has tended to draw lines that divide the policy issues in an overly simplistic manner, i.e., setting the privacy of individuals and businesses against the needs of national security and law enforcement. As observed above, such a dichotomy does have a kernel of truth. But viewed in the large, the dichotomy as posed is misleading. If cryptography can protect the trade secrets and proprietary information of businesses and thereby reduce economic espionage (which it can), it also supports in a most important manner the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States. Framing national cryptography policy in this larger context would help to reduce some of the polarization among the relevant stakeholders.
Finally, the national cryptography policy of the United States is situated in an international context, and the formulation and implementation of U.S. policy must take into account international dimensions of the problem if U.S. policy is to be successful. These international dimensions, discussed in Chapter 6 and Appendix G, include the international scope of business today; the possibility of significant foreign competition in
information technology; an array of foreign controls on the export, import, and use of cryptography; important similarities in the interests of the United States and other nations in areas such as law enforcement and antiterrorist activities; and important differences in other areas such as the relationship between the government and the governed.
The recommendations below address several critical policy areas. Each recommendation is cast in broad terms, with specifically actionable items identified for each when appropriate. In accordance with the committee's finding that the broad picture of cryptography policy can be understood on an unclassified basis, no findings or recommendations were held back on the basis of classification, and this report is unclassified in its entirety.
Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States.
This recommendation is consistent with the position of the Clinton Administration that legal prohibitions on the domestic use of any kind of cryptography are inappropriate,2 and the committee endorses this aspect of the Administration's policy position without reservation.
For technical reasons described in Chapter 7, the committee believes that a legislative ban on the use of unescrowed encryption would be largely unenforceable. Products using unescrowed encryption are in use today by millions of users, and such products are available from many difficult-to-censor Internet sites abroad. Users could pre-encrypt their data, using whatever means were available, before their data were accepted by an escrowed encryption device or system. Users could store their data on remote computers, accessible through the click of a mouse but otherwise unknown to anyone but the data owner; such practices could occur quite legally even with a ban on the use of unescrowed encryption. Knowledge of strong encryption techniques is available from official U.S. government publications and other sources worldwide, and experts understanding how to use such knowledge might well be in high demand from criminal elements. Even demonstrating that a given communication or data file is "encrypted" may be difficult to prove, as algo-
2 For example, see "Questions and Answers About the Clinton Administration's Encryption Policy," February 4, 1994. Reprinted in David Banisar (ed.), 1994 Cryptography and Privacy Sourcebook, Electronic Privacy Information Center, Washington, D.C., 1994.
rithms for data compression illustrate. Such potential technical circumventions suggest that even with a legislative ban on the use of unescrowed cryptography, determined users could easily evade the enforcement of such a law.
In addition, a number of constitutional issues, especially those related to free speech, would be almost certain to arise. Insofar as a ban on the use of unescrowed encryption would be treated (for constitutional purposes) as a limitation on the "content" of communications, the government would have to come forward with a compelling state interest to justify the ban. These various considerations are difficult, and in some cases impossible, to estimate in advance of particular legislation as applied to a specific case, but the First Amendment issues likely to arise with a ban on the use of unescrowed encryption are not trivial. In addition, many people believe with considerable passion that government restrictions on the domestic use of cryptography would threaten basic American values such as the right to privacy and free speech. Even if the constitutional issues could be resolved in favor of some type of ban on the use of unescrowed encryption, these passions would surely result in a political controversy that could divide the nation and at the very least impede progress on the way to the full use of the nation's information infrastructure.
Finally, a ban on the use of any form of encryption would directly challenge the principle that users should be responsible for assessing and determining their own approaches to meeting their security needs. This principle is explored in greater detail in Recommendation 3.
Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law.
In policy areas that have a direct impact on large segments of the population, history demonstrates that the invocation of official government secrecy often leads to public distrust and resistance. Such a result is even more likely where many members of society are deeply skeptical about government.
Cryptography policy set in the current social climate is a case in point. When cryptography was relevant mostly to government interests in diplomacy and national security, government secrecy was both necessary and appropriate. But in an era in which cryptography plays an important role in protecting information in all walks of life, public consensus and government secrecy related to information security in the private sector are largely incompatible. If a broadly acceptable social consensus that satisfies the interests of all legitimate stakeholders is to be found regard-
ing the nation's cryptographic future, a national discussion of the issue must occur.
The nation's best forum for considering multiple views across the entire spectrum is the U.S. Congress, and only comprehensive congressional deliberation and discussion conducted in the open can generate the public acceptance that is necessary for policy in this area to succeed. In turn, a consensus derived from such deliberations, backed by explicit legislation when necessary, will lead to greater degrees of public acceptance and trust, a more certain planning environment, and better connections between policy makers and the private sector on which the nation's economy and social fabric rest. For these reasons, congressional involvement in the debate over cryptography policy is an asset rather than a liability. Moreover, some aspects of cryptography policy will require legislation if they are to be properly implemented (as discussed under Recommendation 5.3).
This argument does not suggest that there are no legitimate secrets in this area. However, in accordance with the committee's conclusion that the broad outlines of national cryptography policy can be analyzed on an unclassified basis, the committee believes that the U.S. Congress can also debate the fundamental issues in the open. Nor is the committee arguing that all aspects of policy should be handled in Congress. The executive branch is necessarily an important player in the formulation of national cryptography policy, and of course it must implement policy. Moreover, while working with the Congress, the executive branch must develop a coherent voice on the matter of cryptography policyone that it does not currently haveand establish a process that is efficient, comprehensive, and decisive in bringing together and rationalizing many disparate agency views and interests.
Instances in which legislation may be needed are found in Recommendations 4, 5, and 6.
Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces.
As cryptography has assumed greater importance to nongovernment interests, national cryptography policy has become increasingly disconnected from market reality and the needs of parties in the private sector. As in many other areas, national policy on cryptography that runs counter to user needs and against market forces is unlikely to be successful over the long term. User needs will determine the large-scale demand for information security, and policy should seek to exploit the advantages of market forces whenever and wherever possible. Indeed, many decades of
experience with technology deployment suggest that reliance on user choices and market forces is generally the most rapid and effective way to promote the widespread utilization of any new and useful technology. Since the committee believes that the widespread deployment and use of cryptography will be in the national interest, it believes that national cryptography policy should align itself with user needs and market forces to the maximum feasible extent.
The committee recognizes that considerations of public safety and national security make it undesirable to maintain an entirely laissez-faire approach to national cryptography policy. But it believes that government intervention in the market should be carefully tailored to specific circumstances. The committee describes a set of appropriate government interventions in Recommendations 4, 5, and 6.
A national cryptography policy that is aligned with market forces would emphasize the freedom of domestic users to determine cryptographic functionality, protection, and implementations according to their security needs as they see fit. Innovation in technologies such as escrowed encryption would be examined by customers for their business fitness of purpose. Diverse user needs would be accommodated; some users will find it useful to adopt some form of escrowed encryption to ensure their access to encrypted data, while others will find that the risks of escrowed encryption (e.g., the dangers of compromising sensitive information through a failure of the escrowing system) are not worth the benefits (e.g., the ability to access encrypted data the keys to which have been lost or corrupted). Since no single cryptographic solution or approach will fit the business needs of all users, users will be free to make their own assessments and judgments about the products they wish to use. Such a policy would permit, indeed encourage, vendors to implement and customers to use products that have been developed within an already-existing framework of generally accepted encryption methods and to choose key sizes and management techniques without restriction.
Standards are another dimension of national cryptography policy with a significant impact on commercial cryptography and the market (Chapter 6). Cryptographic standards that are inconsistent with prevailing or emerging industry practice are likely to encounter significant market resistance. Thus, to the maximum extent possible, national cryptography policy that is more closely aligned with market forces should encourage adoption by the federal government and private parties of cryptographic standards that are consistent with prevailing industry practice.
Finally, users in the private sector need confidence that products with cryptographic functionality will indeed perform as advertised. To the maximum degree possible, national cryptography policy should support
the use of algorithms, product designs, and product implementations that are open to public scrutiny. Information security mechanisms for widespread use that depend on a secret algorithm or a secret implementation invite a loss of public confidence, because they do not allow open testing of the security, they increase the cost of hardware implementations, and they may prevent the use of software implementations as described below. Technical work in cryptography conducted in the open can expose flaws through peer review and assure the private sector user community about the quality and integrity of the work underlying its cryptographic protection (Chapter 5).
Government classification of algorithms and product implementations clearly inhibits public scrutiny, and for the nongovernment sector, government classification in cryptography is incompatible with most commercial and business interests in information security. Moreover, the use of classified algorithms largely precludes the use of software solutions, since it is impossible to prevent a determined and technically sophisticated opponent from reverse-engineering an algorithm implemented in software. A similar argument applies to unclassified company-proprietary algorithms and product designs, although the concerns that arise with classified algorithms and implementations are mitigated somewhat by the fact that it is often easier for individuals to enter into the nondisclosure agreements necessary to inspect proprietary algorithms and product designs than to obtain U.S. government security clearances. Legally mandated security requirements to protect classified information also add to costs in a way that protection of company-proprietary information does not.
Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated.
For many years, the United States has controlled the export of cryptographic technologies, products, and related technical information as munitions (on the U.S. Munitions List (USML) administered by the State Department). These controls have been used to deny potential adversaries access to U.S. encryption technology that might reveal important characteristics of U.S. information security products and/or be used to thwart U.S. attempts at collecting signals intelligence information. To date, these controls have been reasonably effective in containing the export of U.S. hardware-based products with encryption capabilities (Chapter 4). However, software-based products with encryption capabilities and cryptographic algorithms present a more difficult challenge because they can more easily bypass controls and be transmitted across national borders. In the long term, as the use of encryption grows worldwide, it is probable
that national capability to conduct traditional signals intelligence against foreign parties will be diminished (as discussed in Chapter 3).
The current export control regime on strong cryptography is an increasing impediment to the information security efforts of U.S. firms competing and operating in world markets, developing strategic alliances internationally, and forming closer ties with foreign customers and suppliers. Some businesses rely on global networks to tie together branch offices and service centers across international boundaries. Other businesses are moving from a concept of operations that relies on high degrees of vertical integration to one that relies on the ''outsourcing" of many business functions and activities. Consistent with rising emphasis on the international dimensions of business (for both business operations and markets), many U.S. companies must exchange important and sensitive information with an often-changing array of foreign partners, customers, and suppliers. Under such circumstances, the stronger level of cryptographic protection available in the United States is not meaningful when an adversary can simply attack the protected information through foreign channels.
Export controls also have had the effect of reducing the domestic availability of products with strong encryption capabilities. As noted in Chapter 4, the need for U.S. vendors (especially software vendors) to market their products to an international audience leads many of them to weaken the encryption capabilities of products available to the domestic market, even though no statutory restrictions are imposed on that market. Thus, domestic users face a more limited range of options for strong encryption than they would in the absence of export controls.
Looking to the future, both U.S. and foreign companies have the technical capability to integrate high-quality cryptographic features into their products and services. As demand for products with encryption capabilities grows worldwide, foreign competition could emerge at a level significant enough to damage the present U.S. world leadership in this critical industry. Today, U.S. information technology products are widely used in foreign markets because foreign customers find the package of features offered by those products to be superior to packages available from other, non-U.S. vendors, even though the encryption capabilities of U.S. products sold abroad are known to be relatively weak. However, for growing numbers of foreign customers with high security needs, the incremental advantage of superior nonencryption features offered by U.S. products may not be adequate to offset perceived deficiencies in encryption capability. Under such circumstances, foreign customers may well turn to non-U.S. sources that offer significantly better encryption capabilities in their products.
Overly restrictive export controls thus increase the likelihood that
significant foreign competition will step into a vacuum left by the inability of U.S. vendors to fill a demand for stronger encryption capabilities integrated into general-purpose products. The emergence of significant foreign competition for the U.S. information technology industry has a number of possible long-term negative effects on U.S. national and economic security that policy makers would have to weigh against the contribution these controls have made to date in facilitating the collection of signals intelligence in support of U.S. national security interests (a contribution that will probably decline over time). Stimulating the growth of important foreign competitors would undermine a number of important national interests:
• The national economic interest, which is supported by continuing and even expanding U.S. world leadership in information technology supports. Today, U.S. information technology vendors have a window of opportunity to set important standards and deploy an installed base of technology worldwide, an opportunity that should be exploited to the maximum degree possible. Conversely, strong foreign competition would not be in the U.S. economic self-interest.
• Traditional national security interests, which are supported by leadership by U.S. vendors in supplying products with encryption capabilities to the world market. For example, it is desirable for the U.S. government to keep abreast of the current state of commercially deployed encryption technology, a task that is much more difficult to accomplish when the primary suppliers of such technology are foreign vendors rather than U.S. vendors.
• U.S. business needs for trustworthy information protection, which are supported by U.S. encryption products. Foreign vendors could be influenced by their governments to offer for sale to U.S. firms products with weak or poorly implemented cryptography. If these vendors were to gain significant market share, the information security of U.S. firms could be adversely affected.
• Influence over the deployment of cryptography abroad, which is supported by the significant impact of U.S. export controls on cryptography as the result of the strength of the U.S. information technology industry abroad. To the extent that the products of foreign competitors are available on the world market, the United States loses influence over cryptography deployments worldwide.
The committee believes that the importance of the U.S. information technology industry to U.S. economic interests and national security is large enough that some prudent risks can be taken to hedge against the potential damage to that industry, and some relaxation of export controls on cryptography is warranted. In the long term, U.S. signals intelligence
capability is likely to decrease in any case. Consequently, the committee believes that the benefits of relaxationnamely helping to promote better information security for U.S. companies operating internationally and to extend U.S. leadership in this critical industryare worth the short-term risk that the greater availability of U.S. products with stronger encryption capabilities will further impede U.S. signals intelligence capability.
Relaxation of export controls on cryptography is consistent with the basic principle of encouraging the use of cryptography in an information society for several reasons. First, relaxation would encourage the use of cryptography by creating an environment in which U.S. and multinational firms and users are able to use the same security products in the United States and abroad and thus to help promote better information security for U.S. firms operating internationally. Second, it would increase the availability of good cryptography products in the United States. Third, it would expand U.S. business opportunities overseas for information technology sales incorporating stronger cryptography for confidentiality by allowing U.S. vendors to compete with foreign vendors on a more equal footing, thereby helping to maintain U.S. leadership in fields critical to national security and economic competitiveness (as described in Chapter 4).
Some of these thoughts are not new. For example, in referring to a decision to relax export controls on computer exports, then-Deputy Secretary of Defense William Perry said that "however much we want to control [computers] that are likely to be available on retail mass markets, it will be impractical to control them," and that "we have to recognize we don't have any ability to control computers which are available on the mass retail market from non-CoCom countries."3 He further noted that the U.S. government can no longer "set the standards and specifications of computers. They're going to be set in the commercial industry, and our job is to adapt to those if we want to stay current in the latest computer technology." The committee believes that exports of information technology products with encryption capabilities are not qualitatively different.
At the same time, cryptography is inherently dual-use in character (more so than most other items on the USML), with important applications to both civilian and military purposes. While this fact suggests to some that the export of all cryptography should be regulated under the Commerce Control List (CCL), the fact remains that cryptography is a particularly critical military application for which few technical alternatives are available. The USML is designed to regulate technologies with such applications for reasons of national security (as described in Chapters 3 and 4), and thus the committee concluded that the current export control regime on
3 William J. Perry, Deputy Secretary of Defense, "Breakfast with Reporters, Friday, October 15, 1993, on Computer Exports," transcript of an on-the-record briefing.
cryptography should be relaxed but not eliminated. The committee believes that this action would have two major consequences:
• Relaxation will achieve a better balance between U.S. economic needs and the needs of law enforcement and national security.
• Retention of some controls will mitigate the loss to U.S. national security interests in the short term, allow the United States to evaluate the impact of relaxation on national security interests before making further changes, and "buy time" for U.S. national security authorities to adjust to a new technical reality.
Consistent with Recommendation 3, the committee believes that the export control regime for cryptography should be better aligned with technological and market trends worldwide. Recommendations 4.1 and 4.2 below reflect the committee's judgments about how the present export control regime should be relaxed expeditiously. However, it should be noted that some explicit relaxations in the export control regime have occurred over the last 15 years (see Chapter 4), although not to an extent that has fully satisfied vendor interests in liberalization. For example, under current export rules, the USML governs the export of software applications without cryptographic capabilities per se if they are designed with "hooks" that would, among other things, make it easy to interface a foreign-supplied, stand-alone cryptography module to the application (turning it into an integrated product with encryption capability so far as the user is concerned). However, the U.S. government set a precedent in 1995 by placing on the CCL the software product of a major vendor that incorporates a cryptographic applications programming interface (CAPI; as described in Chapter 7 and Appendix K).
Recommendation 4.3 is intended to provide for other important changes in the export control regime that would help to close the profound gap described in Chapter 4 regarding the perceptions of national security authorities vis-à-vis those of the private sector, including both technology vendors and users of cryptography; such changes would reduce uncertainty about the export control licensing process and eliminate unnecessary friction between the export control regime and those affected by it.
Recommendations 4.1 and 4.2 describe changes to the current export control regime, and unless stated explicitly, leave current regulations and proposals in place. However, the committee believes that certain features of the current regime are sufficiently desirable to warrant special attention here. Specifically,
• Certain products with encryption capabilities are subject to a more liberal export control regime by virtue of being placed on the CCL rather than the USML; these products include those providing cryptographic confidentiality that are specially designed, developed, or modified for use
in machines for banking or money transactions and are restricted to use only in such transactions; and products that are limited in cryptographic functionality to providing capabilities for user authentication, access control, and data integrity without capabilities for confidentiality. Any change to the export control regime for cryptography should maintain at least this current treatment for these types of products.
• Since items on the CCL by definition have potential military uses, they are subject to trade embargoes against rogue nations. Thus, even products with encryption capabilities that are on the CCL require individual licenses and specific U.S. government approval if they are intended for use by a rogue destination. Furthermore, U.S. vendors are prohibited from exporting such products even to friendly nations if they know that those products will be re-exported to rogue nations. Maintaining the embargo of products with encryption capabilities against rogue nations supports the U.S. national interest and should not be relaxed now or in the future.
Finally, the committee notes that relaxation of export controls is only the first step on the road to greater use of cryptography around the world. As described in Chapter 6 and Appendix G, foreign nations are sovereign entities with the power and authority to apply import controls on products with encryption capabilities. It is thus reasonable to consider that a relaxation of U.S. export controls on cryptography may well prompt other nations to consider import controls; in such a case, U.S. vendors may be faced with the need to develop products with encryption capabilities on a nation-by-nation basis. Anticipating such eventualities as well as potential markets for escrowed encryption in both the United States and abroad, vendors may wish to develop families of "escrowable" products (as discussed in Chapter 7) that could easily be adapted to the requirements of various nations regarding key escrow; however, none of the three recommendations below, 4.1 through 4.3, is conditioned on such development.
Recommendation 4.1Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable.4 Today, products with encryption capabilities that incorporate the 56-bit DES algorithm provide this level of confidentiality and should be easily exportable.
4 For purposes of Recommendation 4.1, a product that is "easily exportable" will automatically qualify for treatment and consideration (i.e., commodity jurisdiction, or CJ) under the CCL. Automatic qualification refers to the same procedure under which software products using RC2 or RC4 algorithms for confidentiality with 40-bit key sizes currently qualify for the CCL.
A collateral requirement for products covered under Recommendation 4.1 is that a product would have to be designed so as to preclude its repeated use to increase confidentiality beyond the acceptable level (i.e., today, it would be designed to prevent the use of triple-DES). However, Recommendation 4.1 is intended to allow product implementations of layered encryption (i.e., further encryption of already-encrypted data, as might occur when a product encrypted a message for transmission on an always-encrypted communications link).
For secret keys used in products covered by Recommendation 4.1, public-key protection should be allowed that is at least as strong as the cryptographic protection of message or file text provided by those products, with appropriate safety margins that protect against possible attacks on these public-key algorithms.5 In addition, to accommodate vendors and users who may wish to use proprietary algorithms to provide encryption capabilities, the committee believes that products incorporating any combination of algorithm and key size whose cryptographic characteristics for confidentiality are substantially equivalent to the level allowed under Recommendation 4.1 (today, 56-bit DES) should be granted commodity jurisdiction (CJ) to the CCL on a case-by-case basis.
An important collateral condition for products covered under Recommendation 4.1 (and 4.2 below) is that steps should be taken to mitigate the potential harm to U.S. intelligence-collection efforts that may result from the wider use of such products. Thus, the U.S. government should require that vendors of products with cryptographically provided confidentiality features exported under the relaxed export control regime of Recommendation 4.1 (and 4.2 below) must provide to the U.S. government under strict nondisclosure agreements (a) full technical specifications of their product, including source code and wiring schematics if necessary, and (b) reasonable technical assistance upon request in order to assist the U.S. government in understanding the product's internal operations. These requirements are consistent with those that govern export licenses granted under the case-by-case review procedure for CJ decisions today, and the nondisclosure agreements would protect proprietary vendor interests.
These requirements have two purposes. First, they would enable the U.S. government to validate that the product complies with all of the conditions required for export jurisdiction under the CCL. Second, they
5 For example, the committee believes that a Rivest-Shamir-Adelman (RSA) or DiffieHellman key on the order of 1,024 bits would be appropriate for the protection of a 56-bit DES key. The RSA and Diffie-Hellman algorithms are asymmetric. Chapter 2 discusses why key sizes differ for asymmetric and symmetric algorithms.
would allow more cost-effective use of intelligence budgets for understanding the design of exported cryptographic systems.
Note that these requirements do not reduce the security provided by well-designed cryptographic systems. The reason is that a well-designed cryptographic system is designed on the principle that all security afforded by the system must reside in the secrecy of an easily changed, user-provided key, rather than in the secrecy of the system design or implementation. Because the disclosure of internal design and implementation information does not entail the disclosure of cryptographic keys, the security afforded by a well-designed cryptographic system is not reduced by these requirements.
Finally, the level of cryptographic strength that determines the threshold of easy exportability should be set at a level that promotes the broad use of cryptography and should be adjusted upward periodically as technology evolves.
The committee believes that today, products that incorporate 56-bit DES for confidentiality meet most general commercial requirements and thus should be easily exportable. The ability to use 56-bit DES abroad will significantly enhance the confidentiality available to U.S. multinational corporations conducting business overseas with foreign partners, suppliers, and customers and will improve the choice of products with encryption capabilities available to domestic users, as argued in Chapter 4.
Relaxation of export controls in the manner described in Recommendation 4.1 will help the United States to maintain its worldwide market leadership in products with encryption capabilities. The committee believes that many foreign customers unwilling to overlook the perceived weaknesses of 40-bit RC2/RC4 encryption, despite superior noncryptography features in U.S. information technology products, are likely to accept DES-based encryption as being adequate. Global market acceptance of U.S. products incorporating DES-based encryption is more conducive to U.S. national security interests in intelligence collection than is market acceptance of foreign products incorporating even stronger algorithm and key size combinations that may emerge to fill the vacuum if U.S. export controls are not relaxed.
Why DES? The Data Encryption Standard was promulgated by the National Bureau of Standards in 1975 as the result of an open solicitation by the U.S. government to develop an open encryption standard suitable for nonclassified purposes. Over the last 20 years, DES has gained widespread acceptance as a standard for secret-key cryptography and is currently being used by a wide range of users, both within the United States and throughout the world. This acceptance has come from a number of very important aspects that make DES a unique cryptographic solution. Specifically, DES provides the following major benefits:
• DES provides a significantly higher level of confidentiality protection than does 40-bit RC2 or RC4, the key-size and algorithm combination currently granted automatic commodity jurisdiction to the CCL. In the committee's judgment, DES provides a level of confidentiality adequate to promote broader uses of cryptography, whereas the public perception that 40-bit RC2/RC4 is "weak" does not provide such a level (even though the wide use of 40-bit RC2/RC4 would have significant benefits for information security in practice).6
• Since its inception, DES has been certified by the U.S. government as a high-quality solution for nonclassified security problems. Although future certification cannot be assured, its historical status has made it a popular choice for private sector purposes. Indeed, a large part of the global financial infrastructure is safeguarded by products and capabilities based on DES. Moreover, the U.S. government has developed a process by which specific DES implementations can be certified to function properly, increasing consumer confidence in implementations so certified.
• The analysis of DES has been conducted in open forums over a relatively long period of time (20 years). DES is one of a handful of encryption algorithms that has had such public scrutiny, and no flaws have been discovered that significantly reduce the work factor needed to break it; no practical shortcuts to exhaustive search for cryptanalytic attacks on DES have been found.
• DES can be incorporated into any product without a licensing agreement or fees. This means that any product vendor can include DES in its products with no legal or economic impact on its product lines.
• DES has nearly universal name recognition among both product vendors and users. Users are more likely to purchase DES-based products because they recognize the name.
• Since many foreign products are marketed as incorporating DES, U.S. products incorporating DES will not suffer a competitive market disadvantage with respect to encryption features.
These major benefits of DES are the result of the open approach taken in its development and its long-standing presence in the industry. The brute-force decryption of a single message encrypted with a 40-bit RC4 algorithm has demonstrated to information security managers around
6 In other words, the market reality is that a side-by-side comparison of two products identical except for their domestic vs. exportable encryption capabilities always results in a market assessment of the stronger product as providing a "baseline" level of security and the weaker one as being inferior, rather than the weaker product providing the baseline and the stronger one being seen as superior.
the world that such a level of protection may be inadequate for sensitive information, as described in Chapter 4. A message encrypted with a 56-bit key would require about 216 (65,536) times as long to break, and since a 40-bit decryption has been demonstrated using a single workstation for about a week, it is reasonable to expect that a major concerted effort, including the cost of design, operation, and maintenance (generally significantly larger than the cost of the hardware itself), would be required for effective and efficient exhaustive-search decryption with the larger 56-bit key (as described in Chapter 7).
As described in Chapter 7, the economics of DES make it an attractive choice for providing protection within mass-market products and applications intended to meet general commercial needs. When integrated into an application, the cost of using DES in practice is relatively small, whereas the cost of cracking DES is significantly higher. Since most information security threats come from individuals within an enterprise or individuals or small organizations outside the enterprise, the use of DES to protect information will be sufficient to prevent most problems. That is, DES is "good enough" for most information security applications and is likely to be good enough for the next decade because only the most highly motivated and well-funded organizations will be capable of sustaining brute-force attacks on DES during that time.
Some would argue that DES is already obsolete and that what is needed is a completely new standard that is practically impossible to break for the foreseeable future. Since computer processing speeds double every 1.5 years (for the same component costs), an exhaustive search for cryptographic keys becomes roughly 1,000 times easier every 15 years or so. Over time, any algorithm based on a fixed key length (DES uses a 56-bit key) becomes easier to attack. While the committee agrees that a successor to DES will be needed in the not-so-distant future, only DES has today the record of public scrutiny and practical experience that is necessary to engender public confidence. Developing a replacement for DES, complete with such a record, will take years by itself, and waiting for such a replacement will leave many of today's information vulnerabilities without a viable remedy. Adopting DES as today's standard will do much to relieve pressures on the export control regime stemming from commercial users needing to improve security, and will give the United States and other nations time to formulate a long-term global solution, which may or may not include provisions to facilitate authorized government access to encrypted data, based on the knowledge gained from emerging escrow techniques, digital commerce applications, and certificate authentication systems, which are all in their infancy today.
Given that a replacement for DES will eventually be necessary, product designers and users would be well advised to anticipate the need to
upgrade their products in the future. For example, designers may need to design into the products of today the ability 'to negotiate cryptographic protocols with the products of tomorrow. Without this ability, a transition to a new cryptographic standard in the future might well be very expensive and difficult to achieve.
The committee recognizes that the adoption of Recommendation 4.1 may have a negative impact on the collection of signals intelligence. Much of the general intelligence produced today depends heavily on the ability to monitor and select items of interest from the large volumes of communications sent in the clear. If most of this traffic were encrypted, even at the levels allowed for liberal export today, the selection process would become vastly more difficult. Increasing the threshold of liberal exportability from 40-bit RC2/RC4 to 56-bit DES will not, in itself, add substantially to the difficulties of message selection. Foreign users of selected channels of high-interest communications would, in many cases, not be expected to purchase and use U.S. encryption products under any circumstances and thus in these cases would not be affected by a change in the U.S. export control regime. However, it is likely that the general use of 56-bit DES abroad will make it less likely that potentially significant messages can be successfully decrypted.
The overwhelming acceptance of DES makes it the most natural candidate for widespread use, thereby significantly increasing the security of most systems and applications. The committee believes that such an increase in the "floor" of information security outweighs the additional problems caused to national security agencies when collecting information. Since DES has been in use for 20 years, those agencies will at least be facing a problem that has well-known and well-understood characteristics. Recommendation 5 addresses measures that should help national security authorities to develop the capabilities necessary to deal with these problems.
Recommendation 4.2Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request.
Recommendation 4.1 addresses the needs of most general commercial users. However, some users for some purposes will require encryption capabilities at a level higher than that provided by 56-bit DES. The Administration's proposal to give liberal export consideration to software products with 64-bit encryption provided that those products are escrowed with a qualified escrow agent is a recognition that some users
may need encryption capabilities stronger than those available to the general commercial market.
The philosophy behind the Administration's proposal is that the wide foreign availability of strong encryption will not significantly damage U.S. intelligence-gathering and law enforcement efforts if the United States can be assured of access to plaintext when necessary. Recommendation 4.2 builds on this philosophy to permit liberal export consideration of products with encryption capabilities stronger than that provided by 56-bit DES to users that are likely to be ''trustworthy," i.e., willing to cooperate in providing access to plaintext for U.S. law enforcement authorities when a legally authorized request is made to those companies. (How firms are designated as approved companies is described below.) These approved firms will determine for themselves how to ensure access to plaintext, and many of them may well choose to use escrowed encryption products. A firm that chooses to use escrowed encryption would be free to escrow the relevant keys with any agent or agents of its own choosing, including those situated within the firm itself.
Note that while Recommendation 4.2 builds on the philosophy underlying the Administration's current software encryption proposal, it stands apart from it. In other words, Recommendation 4.2 should not be regarded as a criticism of, as a substitute for, or in contrast to the Administration's proposal.
From the standpoint of U.S. law enforcement interests, continued inclusion on the list of approved firms is a powerful incentive for a company to abide by its agreement to provide access to plaintext under the proper circumstances. While Recommendation 4.2 does not stipulate that companies must periodically requalify for the list, a refusal or inability to cooperate when required might well result in a company being dropped from the list and publicly identified as a noncooperating company, and subject the parties involved to the full range of sanctions that are available today to enforce compliance of product recipients with end-use restrictions (as described in Chapter 4).
Recommendation 4.2 also provides a tool with which the United States can promote escrowed encryption in foreign nations. Specifically, the presence of escrowed encryption products that are in fact user-escrowed would help to deploy a base of products on which the governments of the relevant nations could build policy regimes supporting escrowed encryption. It has the further advantage that it would speed the deployment of escrowed encryption in other countries because shipment of escrowed encryption products would not have to wait for the completion of formal agreements to share escrowed keys across international boundaries, a delay that would occur under the current U.S. proposal on escrowed encryption software products.
U.S. vendors benefit from Recommendation 4.2 because the foreign customers on the list of approved companies need not wait for the successful negotiation of formal agreements. Moreover, since Recommendation 4.2 allows approved companies to establish and control their own escrow agents, it eliminates the presence or absence of escrowing features as a competitive disadvantage. A final benefit for the U.S. vendor community is that Recommendation 4.2 reduces many bureaucratic impediments to sales to approved companies on the list, a benefit particularly valuable to smaller vendors that lack the legal expertise to negotiate the export control regime.
Customers choosing products covered under Recommendation 4.2 benefit because they retain the choice about how they will provide access to decrypted information. Potential customers objecting to Administration proposals on the export of escrowed encryption because their cryptographic keys might be compromised can be reassured that keys to products covered by Recommendation 4.2 could remain within their full control. If these customers choose to use escrowed encryption products to meet the need for access, they may use escrow agents of their own choosing, which may be the U.S. government, a commercial escrow agent as envisioned by the Administration's proposal, or an organization internal to the customer company.
Recommendation 4.2 is silent on how much stronger the encryption capabilities of covered products would be as compared to the capabilities of the products covered by Recommendation 4.1. The Administration has argued that the 64-bit limit on its current proposal is necessary because foreign parties with access to covered products might find a way to bypass the escrowing features. However, Recommendation 4.2 covers products that would be used by approved firms that, by assumption, would not be expected to tamper with products in a way that would prevent access to plaintext when necessary or would bypass the escrowing features of an escrowed encryption product. (The risks inherent in this assumption are addressed below in Requirements 1 through 3 for approved companies.) In addition, the committee observes that providing much stronger cryptographic confidentiality (e.g., 80 or 128 bits of key size rather than 56 or 64) would provide greater incentives for prospective users to adopt these products.
What firms constitute the list of approved companies? Under current practice, it is generally the case that a U.S.-controlled firm (i.e., a U.S. firm operating abroad, a U.S.-controlled foreign firm, or a foreign subsidiary of a U.S. firm) will be granted a USML license to acquire and export for its own use products with encryption capabilities stronger than that provided by 40-bit RC2/RC4 encryption. Banks and financial institutions (including stock brokerages and insurance companies), whether U.S.-con-
trolled/owned or foreign-owned, are also generally granted USML licenses for stronger cryptography for use in internal communications and communications with other banks even if these communications are not limited strictly to banking or money transactions. Such licenses are granted on the basis of an individual review rather than through a categorical exemption from the USML.
Building on this practice, the committee believes that this category should be expanded so that a U.S.-controlled firm is able to acquire and export products covered under Recommendation 4.2 to its foreign suppliers and customers for the purpose of regular communications with the U.S.-controlled firm. A number of USML licenses for cryptography have implemented just such an arrangement, but the purpose of Recommendation 4.2 is to make these arrangements far more systematic and routine.
In addition, foreign firms specifically determined by U.S. authorities to be major and trustworthy firms should qualify for the list of approved companies. To minimize delay for U.S. information technology vendors and to help assure their competitiveness with foreign vendors, a list of the firms eligible to purchase U.S. products with encryption capabilities and/ or the criteria for inclusion on the list should be made available upon request. Over time, it would be expected that the criteria would grow to be more inclusive so that more companies would qualify.
All firms on this list of approved companies would agree to certain requirements:
• Requirement 1The firm will provide an end-user certification that the exported products will be used only for intrafirm business or by foreign parties in regular communications with the U.S. or approved foreign firm involved.
• Requirement 2The firm will take specific measures to prevent the transfer of the exported products to other parties.
• Requirement 3The firm agrees to provide the U.S. government with plaintext of encrypted information when presented with a properly authorized law enforcement request and to prove, if necessary, that the provided plaintext does indeed correspond to the encrypted information of interest. The use of escrowed encryption products would not be required, although many companies may find such products an appropriate technical way to meet this requirement.
The firms on the list of approved companies are likely to have needs for information security products of the highest strength possible for the environment in which they operate, because they are more likely to be the targets of the major concerted cryptanalytic effort described in Recommendation 4.1. On the other hand, some risks of diversion to unintended
purposes do remain, and a firm's obligation to abide by Requirements 1 through 3 is a reasonable precaution that protects against such risks. Note also that the approved companies are defined in such a way as to increase the likelihood that they will be responsible corporate citizens, and as such responsive to relevant legal processes that may be invoked if access to plaintext data is sought. Further, they are likely to have assets in the United States that could be the target of appropriate U.S. legal action should they not comply with any of the three requirements above.
Recommendation 4.3The U.S. government should streamline and increase the transparency of the export licensing process for cryptography.
As discussed in Chapters 4 and 6, the committee found a great deal of uncertainty regarding rules, time lines, and the criteria used in making decisions about the exportability of particular products. To reduce such uncertainty, as well as to promote the use of cryptography by legitimate users, the following changes in the export licensing process should occur.
a. For cryptography submitted to the State Department for export licensing, the presumptive decision should be for approval rather than disapproval. Licensing decisions involving cryptography should be presumed to be approvable unless there is a good reason to deny the license. The committee understands that foreign policy considerations may affect the granting of export licenses to particular nations, but once national security concerns have been satisfied with respect to a particular export, cryptography should not be regarded for export control purposes as differing from any other item on the CCL. Thus, if telephone switches were to be embargoed to a particular nation for foreign policy reasons, cryptography should be embargoed as well. But if telephone switches are allowed for export, cryptography should be allowed if national security concerns have been satisfied, even if other items on the USML are embargoed.
b. The State Department's licensing process for cryptography exports should be streamlined to provide more expeditious decision making. A streamlined process would build on procedural reforms already achieved and might further include the imposition of specific deadlines (e.g., if a license approved by the National Security Agency (NSA) is not denied by the State Department within 14 days, the license is automatically approved) or the establishment of a special desk within the State Department specifically with the expertise for dealing with cryptography; such a desk would consult with country or regional desks but would
not be bound by their decisions or schedules for action. Such streamlining would greatly reduce the friction caused by exports determined to be consistent with U.S. national security interests but denied or delayed for reasons unrelated to national security.
c. The U.S. government should take steps to increase vendor and user understanding of the export control regime with the intent of bridging the profound gap in the perceptions of national security authorities and the private sector, including both technology vendors and users of cryptography. These steps would build on the efforts already undertaken over the last several years in this area. Possible additional steps that might be taken to reduce this gap include:
• Sponsorship of an annual briefing regarding the rules and regulations governing the export of cryptography. While established information technology vendors have learned through experience about most of the rules and regulations and informal guidelines that channel decision making regarding export licenses, newer firms lack a comparable base of experience. The U.S. government should seek a higher degree of clarity regarding what exporting vendors must do to satisfy national security concerns.
• Clarification of the rules regarding export of technical data. For example, foreign students attending U.S. universities can be exposed to any cryptographic source code without consequence, whereas U.S. vendors violate the law in developing products with encryption capabilities if they hire non-U.S. citizens to work as designers or implementors. For very complex products, it is very difficult if not impossible to "partition" the projects so that the non-U.S. citizen is unable to gain access to the cryptographic code. Such apparent inconsistencies should be reconciled, keeping in mind practicality and enforceability.
Recommendation 5: The U.S. government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age.
For both law enforcement and national security, cryptography is a two-edged sword. In the realm of national security, the use of cryptography by adversaries impedes the collection of signals intelligence. Managing the damage to the collection of signals intelligence is the focus of export controls, as discussed in Chapter 4 and in the text accompanying Recommendation 4. At the same time, cryptography can help to defend vital information assets of the United States; the use of cryptography in this role is discussed in Recommendations 5.1 and 5.2 below.
From the standpoint of law enforcement, cryptography provides tools that help to prevent crime, e.g., by helping law-abiding businesses and individuals defend themselves against information crimes, such as the theft of proprietary information and the impersonation of legitimate parties by illegitimate ones. Crime prevention is an important dimension of law enforcement, especially when the crimes prevented are difficult to detect. Nevertheless, the public debate to date has focused primarily on the impact of cryptography on criminal prosecutions and investigations.
The committee accepts that the onset of an information age is likely to create many new challenges for public safety, among them the greater use of cryptography by criminal elements of society. If law enforcement authorities are unable to gain access to the encrypted communications and stored information of criminals, some criminal prosecutions will be significantly impaired, as described in Chapter 3.
The Administration's response to this law enforcement problem has been the aggressive promotion of escrowed encryption as a pillar of the technical foundation for national cryptography policy. The committee understands the Administration's rationale for promoting escrowed encryption but believes that escrowed encryption should be only one part of an overall strategy for dealing with the problems that encryption poses for law enforcement and national security.
In the context of an overall strategy, it is important to examine the specific problems that escrowed encryption might solve. For example, Administration advocates of escrowed encryption have argued that the private sector needs techniques for recovering the plaintext of stored encrypted data for which the relevant keys have been lost. To the extent that this is true, the law enforcement need for access to encrypted records could be substantially met by the exercise of the government's compulsory process authority (including search warrants and subpoenas) for information relevant to the investigation and prosecution of criminal activity against both the encrypted records and any relevant cryptographic keys, whether held by outside escrow agents or by the targets of the compulsory process. In this way, law enforcement needs for access to encrypted files, records, and stored communications such as e-mail are likely to be met by mechanisms established to serve private sector needs.
Communications (i.e., digital information in transit) pose a different problem from that of data storage. Neither private individuals nor businesses have substantial needs for exceptional access to the plaintext of encrypted communications. Thus, it is unlikely that users would voluntarily adopt on a large scale measures intended to ensure exceptional access to such communications. Law enforcement authorities are understandably concerned that they will be denied information vital for the investigation and prosecution of criminal activity. At the same time, it is
not clear that encrypted digital communications will in fact be the most important problem for law enforcement authorities seeking to gain access to digital information.
In the short term, voice communications are almost certainly more important to law enforcement than are data communications, a problem addressed through Recommendation 5.2. Over the longer term, the challenges to law enforcement authorities from data communications are likely to grow as data communications become more ubiquitous and as the technical distinction between voice and data blurs. The committee believes that advanced information technologies are likely to lead to explosive increases in the amount of electronic information being transmitted (e.g., e-mail); given the likelihood that the spread of encryption capabilities will be much slower than the rate at which the volume of electronic communications increases, the opportunities for authorized law enforcement exploitation of larger amounts of unprotected computer-readable information may well increase in the short run. Nevertheless, when encrypted data communications do become ubiquitous, law enforcement may well face a serious challenge. For this reason, Recommendation 5.3, dealing with an exploration of escrowed encryption, sets into motion a prudent "hedge" strategy against this eventuality; Recommendation 5.4 begins the process of seeking to discourage criminal use of cryptography; and Recommendation 5.5 addresses the development of new technical capabilities to meet the challenge of encryption.
Against this backdrop, Recommendation 5.3 is only one part of an overall strategy for dealing with the problems that encryption poses for law enforcement and national security.
Recommendation 5.1The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks.
The nonconfidentiality applications of cryptography (e.g., digital signatures, authentication and access controls, nonrepudiation, secure time/ date stamps, integrity checks) do not directly threaten law enforcement or national security interests and do not in general pose the same policy dilemma as confidentiality does. Since the deployment of infrastructures for the nonconfidentiality uses of cryptography is a necessary (though not sufficient) condition for the use of cryptography for confidentiality, the nation may take large steps in this area without having to resolve the policy dilemmas over confidentiality, confident that those steps will be beneficial to the nation in their own right. Policy can and should promote nonconfidentiality applications of cryptography in all relevant areas.
One of the most important of these areas concerns protection against
systemic national vulnerabilities. Indeed, in areas in which confidence in and availability of a national information network are most critical, nonconfidentiality uses of cryptography are even more important than are capabilities for confidentiality. For example, ensuring the integrity of data that circulates in the air traffic control system is almost certainly more important than ensuring its confidentiality; ensuring the integrity (accuracy) of data in the banking system is often more important than ensuring its confidentiality.7
Nonconfidentiality applications of cryptography support reliable user authentication. Authentication of users is an important crime-fighting measure, because authentication is the antithesis of anonymity. Criminals in general seek to conceal their identities; reliable authentication capabilities can help to prevent unauthorized access and to audit improper accesses that do occur. Nonconfidentiality applications of cryptography support reliable integrity checks on data; used properly, they can help to reduce crimes that result from the alteration of data (such as changing the payable amount on a check).
To date, national cryptography policy has not fully supported these nonconfidentiality uses. Some actions have been taken in this area, but these actions have run afoul of government concerns about confidentiality. For example, the government issued a Federal Information Processing Standard (FIPS) for the Digital Signature Standard in 1993, based on an unclassified algorithm known as the Digital Signature Algorithm. This FIPS was strongly criticized by industry and the public, largely because it did not conform to the de facto standard already in use at the time, namely one based on the Rivest-Shamir-Adelman (RSA) algorithm. Government sources told the committee that one reason the government deemed the RSA algorithm inappropriate for promulgation as a FIPS was that it is capable of providing strong confidentiality (and thus is not freely exportable) as well as digital signature capability. The two other reasons were the desire to promulgate an approach to digital signatures that would be royalty-free (RSA is a patented algorithm) and the desire to reduce overall system costs for digital signatures.8 Export controls on cryptography for confidentiality have also had some spillover effect in affecting the foreign
7 This is not to say that confidentiality plays no role in protecting national information systems from unauthorized penetration. As noted in Chapter 2, cryptographically provided confidentiality can be one important (though secondary) dimension of protecting information systems from unauthorized penetration.
8 For a discussion of the patent issues involved in the decision regarding the Digital Signature Standard and the concern over confidentiality, see Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606, U.S. Government Printing Office, Washington, D.C., 1994, pp. 167-168 and pp. 217-222.
availability of cryptography for authentication purposes, as described in Chapter 4.
The government has expressed considerably more concern in the public debate regarding the deleterious impact of widespread cryptography used for confidentiality than over the deleterious impact of not deploying cryptographic capabilities for user authentication and data integrity. The government has not fully exercised the regulatory influence it does have over certain sectors (e.g., telecommunications, air traffic control) to promote higher degrees of information security that would be met through the deployment of nonconfidentiality applications of cryptography. Finally, the committee believes that since today's trend among vendors and users is to build and use products that integrate multiple cryptographic capabilities (for confidentiality and for authentication and integrity) with general-purpose functionality, government actions that discourage capabilities for confidentiality also tend to discourage the development and use of products with authentication and integrity capabilities even if there is no direct prohibition or restriction on products with only capabilities for the latter (Chapter 4).
What specific actions can the government take to promote nonconfidentiality applications of cryptography? For illustrative purposes only, the committee notes that the government could support and foster technical standards and/or standards for business practices that encourage nonconfidentiality uses based on de facto commercial standards. One example would be the promulgation of a business requirement that all data electronically provided to the government be certified with an integrity check and a digital signature. A second example would be enactment of legislation and associated regulations setting standards to which all commercial certification authorities should conform; greater clarity regarding the liabilities, obligations, and responsibilities for certificate authorities would undoubtedly help to promote applications based on certification authorities. A third example is that the U.S. government has a great deal of expertise in the use of cryptography and other technologies for authentication purposes; an aggressive technology transfer effort in this domain would also help to promote the use of reliable authentication methods.
A final dimension of this issue is that keys used in nonconfidentiality applications of cryptography, especially ones that support established and essential business practices or legal constructs (e.g., digital signatures, authentication, integrity checks), must be controlled solely by the immediate and intended parties to those applications. Without such assurances, outside access to such keys could undermine the legal basis and threaten the integrity of these practices carried out in the electronic domain. Whatever benefits might accrue to government authorities acting
in the interests of public safety or national security from being able to forge digital signatures or alter digital data clandestinely would pale by comparison to the loss of trust in such mechanisms that would result from even a hint that such activities were possible.
Recommendation 5.2The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications9 and the improvement of security at telephone switches.
As described in Chapter 1, the public switched telecommunications network (PSTN) is both critical to many sectors of the national economy and is undergoing rapid evolution. While the U.S. government has taken some steps to improve the security of the PSTN, much more could be done based on the regulatory authority that the U.S. government has in this area.
The encryption of wireless voice communications would prevent eavesdropping that is all too easy in today's largely analog cellular telephone market. As wireless communications shift from analog to digital modes of transport, encryption will become easier even as the traffic itself becomes harder to understand. A requirement to encrypt wireless communications may also accelerate the shift to wireless modes of digital transport. However, because of the cost of retrofitting existing cellular services, this recommendation is intended to apply only to the deployment of future cellular services.
Security in telephone switches could be improved in many ways. For example, a requirement for adequate authentication to access such switches would prevent unauthorized access from maintenance ports; such ports often provide remote access to all switch functions, a level of access equal to what could be obtained by an individual standing in the control center. Yet such ports are often protected with nothing more than a single password. Telecommunications service providers could also provide services for link encryption of traffic on wired landlines (Chapter 7).
By addressing through the telecommunications service providers the public's demands for greater security in voice communications (especially
9 "Link encryption" refers to the practice of encrypting information being communicated in such a way that it is encrypted only in between the node from which it is sent and the node where it is received; while the information is at the nodes themselves, it is unencrypted. In the context of link encryption for cellular communications, a cellular call would be encrypted between the mobile handset and the ground station. When carried on the landlines of the telephone network, the call would be unencrypted.
those such as cellular telephone traffic) that are widely known to be nonsecure, government would maintain law enforcement access for lawfully authorized wiretaps through the requirements imposed on carriers today to cooperate with law enforcement in such matters. For example, a cellular telephone connects to the PSTN through a ground station; since in general, the cellular telephone service provider must feed its traffic to the PSTN in unencrypted form, encrypted cellular telephone traffic from the mobile handset would be decrypted at the ground station, at which point law enforcement could gain authorized access. Thus, legitimate law enforcement access would not, in general, be impeded by link encryption of cellular traffic until communications systems that bypass the PSTN entirely become common.
Recommendation 5.2 is an instance of a general philosophy that link (or node) security provided by a service provider offers more opportunities for providing law enforcement with legally authorized access than does security provided by the end user. In the case of voice communications, improved security over the telecommunications network used for voice communications and provided by the owners and operators of that networka good thing in its own right and consistent with the basic principle of this reportwould also reduce the demand for (and thus the availability of) devices used to provide end-to-end encryption of voice communications. Without a ready supply of such devices, a criminal user would have to go to considerable trouble to obtain a device that could thwart a lawfully authorized wiretap.
Recommendation 5.2 focuses on voice communications, given that for the foreseeable future, voice is likely to be the most common form of communication used by the general public (and hence by criminals as well). The committee recognizes that data communications will pose certain problems for law enforcement, and this is the focus of Recommendation 5.3.
Recommendation 5.3To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic.
As described in Chapter 5, escrowed encryption (as a generic concept, not limited to the Clipper/Capstone initiatives of the U.S. government) has both benefits and risks from a public policy standpoint. The purpose of encryption is to provide users with high degrees of assurance that their sensitive information will remain secure. The primary benefit of escrowed encryption for law enforcement and national security is that when prop-
erly implemented and widely deployed, it provides such assurance but nevertheless enables law enforcement and national security authorities to obtain access to escrow-encrypted data in specific instances when authorized by law. Escrowed encryption also enables businesses and individuals to recover encrypted stored data to which access has been inadvertently lost, and businesses to exercise a greater degree of control over their encrypted communications. Finally, by meeting demands for better information security emanating from legitimate business and private interests, escrowed encryption may dampen the market for unescrowed encryption products that would provide similar security but without features for government exceptional access that law enforcement and national security authorities could use for legitimate and lawfully authorized purposes.
The risks of escrowed encryption are also considerable. Escrowed encryption provides a potentially lower degree of confidentiality than does properly implemented unescrowed encryption, because escrowed encryption is specifically designed to permit external access and then relies on procedures and technical controls implemented and executed by human beings to prevent unauthorized use of that access. While policy makers have confidence that procedures can be established and implemented without a significant reduction of information security, skeptics place little faith in such procedural safeguards. Maintaining system security is difficult enough without the deliberate introduction of a potential security hole, and the introduction of another route of attack on procedures simply complicates the job of the information defender. In addition, the widespread adoption of escrowed encryption, even on a voluntary basis, would lay into place mechanisms, procedures, and organizations that could be used to promulgate and/or enforce more restrictive cryptography policies. With such elements in place, some critics of escrowed encryption fear that procedural safeguards against government abuse that are administrative in nature, or that rest on the personal assurances of government officials, could be eviscerated by a future administration or Congress.
The committee believes that many policy benefits can be gained by an operational exploration of escrowed encryption by the U.S. government, but also that aggressive promotion of the concept is not appropriate at this time for four reasons.
First, not enough is yet known about how best to implement escrowed encryption on a large scale. The operational complexities of a large-scale infrastructure are significant (especially in an international context of cross-border communications), and approaches proposed today for dealing with those complexities are not based on real experience. A more prudent approach to setting policy would be to develop a base of experience that would guide policy decisions on how escrowed encryption might work on a large scale in practice.
Second, because of the ease with which escrowed encryption can be circumvented technically, it is not at all clear that escrowed encryption will be a real solution to the most serious problems that law enforcement authorities will face. Administration officials freely acknowledge that their various initiatives promoting escrowed encryption are not intended to address all criminal uses of encryption, but in fact those most likely to have information to conceal will be motivated to circumvent escrowed encryption products.
Third, information services and technologies are undergoing rapid evolution and change today, and nearly all technology transitions are characterized by vendors creating new devices and services. Imposing a particular solution to the encryption dilemma at this time is likely to have a significant negative impact on the natural market development of applications made possible by new information services and technologies. While the nation may choose to bear these costs in the future, it is particularly unwise to bear them in anticipation of a large-scale need that may not arise and in light of the nation's collective ignorance about how escrowed encryption would work on a large scale.
Fourth and most importantly, not enough is yet known about how the market will respond to the capabilities provided by escrowed encryption, nor how it will prefer the concept to be implemented, if at all. Given the importance of market forces to the long-term success of national cryptography policy, a more prudent approach to policy would be to learn more about how in fact the market will respond before advocating a specific solution driven by the needs of government.
For these reasons, the committee believes that a policy of deliberate exploration of the concept of escrowed encryption is better suited to the circumstances of today than is the current policy of aggressive promotion. The most appropriate vehicle for such an exploration is, quite naturally, government applications. Such exploration would enable the U.S. government to develop and document the base of experience on which to build a more aggressive promotion of escrowed encryption should circumstances develop in such a way that encrypted communications come to pose a significant problem for law enforcement. This base would include significant operating experience, a secure but responsive infrastructure for escrowing keys, and devices and products for escrowed encryption whose unit costs have been lowered as the result of large government purchases.
In the future, when experience has been developed, the U.S. government, by legislation and associated regulation, will have to clearly specify the responsibilities, obligations, and liabilities of escrow agents (Chapter 5). Such issues include financial liability for the unauthorized release or negligent compromise of keys, criminal penalties for the deliberate and
knowing release of keys to an unauthorized party, statutory immunization of users of escrowed encryption against claims of liability that might result from the use of such encryption, and the need for explicit legal authorization for key release. Such legislation (and regulations issued pursuant to such legislation) should allow for and, when appropriate, distinguish among different types of escrow agents, including organizations internal to a user company, private commercial firms for those firms unwilling or unable to support internal organizations for key holding, and government agencies.
Such government action is a necessary (but not sufficient) condition for the growth and spread of escrowed encryption in the private sector. Parties whose needs may call for the use of escrowed encryption will need confidence in the supporting infrastructure before they will entrust encryption keys to the safekeeping of others. Moreover, if the government is to actively promote the voluntary use of escrowed encryption in the future, it will need to convince users that it has taken into account their concerns about compromise and abuse of escrowed information. The best way to convince users that these agents will be able to live up to their responsibilities is to point to a body of experience that demonstrates their ability to do so. In a market-driven system, this body of experience will begin to accrue in small stepssome in small companies, some in bigger onesrather than springing up fully formed across the country in every state and every city. As this body of experience grows, government will have the ability to make wise decisions about the appropriate standards that should govern escrow agents.
In addition, the U.S. government should pursue discussions with other nations on how escrowed encryption might operate internationally (Appendix G). The scope of business and law enforcement today crosses national borders, and a successful U.S. policy on cryptography will have to be coordinated with policies of other nations. Given that the developed nations of the world have a number of common interests (e.g., in preserving authorized law enforcement access to communications, in protecting the information assets of their domestic businesses), the process begun at the Organization for Economic Cooperation and Development in December 1995 is a promising forum in which these nations can bring together representatives from business, law enforcement, and national security to discuss matters related to cryptography policy over national borders. Fruitful topics of discussion might well include how to expand the network of Mutual Law Enforcement Assistance Treaties that bind the United States and other nations to cooperate on law enforcement matters. Broader cooperation should contribute to the sharing of information regarding matters that involve the criminal use of encryption; national policies that encourage the development and export of ''escrowable" encryp-
tion products; understanding of how to develop a significant base of actual experience in operating a system of escrowed encryption for communications across national borders; and the negotiation of sector-specific arrangements (e.g., a specific set of arrangements for banks) that cross international boundaries.
Recommendation 5.4Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime.
The purpose of such a statute would be to discourage the use of cryptography for illegitimate purposes. Criminalizing the use of cryptography in this manner would provide sanctions analogous to the existing mail fraud statutes, which add penalties to perpetrators of fraud who use the mail to commit their criminal acts. Such a law would focus the weight of the criminal justice system on individuals who were in fact guilty of criminal activity, whereas a mandatory prohibition on the use of cryptography would have an impact on law-abiding citizens and criminals alike.
A concern raised about the imposition of penalties based on a peripheral aspect of a criminal act is that it may be used to secure a conviction even when the underlying criminal act has not been accomplished. The statute proposed for consideration in Recommendation 5.4 is not intended for this purpose, although the committee understands that it is largely the integrity of the judicial and criminal justice process that will be the ultimate check on preventing its use for such purposes.
As suggested in Chapter 7, any statute that criminalizes the use of encryption in the manner described in Recommendation 5.4 should be drawn narrowly. The limitation of Recommendation 5.4 to federal crimes restricts its applicability to major crimes that are specifically designated as such; it does not extend to the much broader class of crimes that are based on common law. Under Recommendation 5.4, federal jurisdiction arises from the limitation regarding the use of communications in interstate commerce. The focus of Recommendation 5.4 on encrypted communications recognizes that private sector parties have significant incentives to escrow keys used for encrypting stored data, as described in Recommendation 5.3. A statute based on Recommendation 5.4 should also make clear that speaking in foreign languages unknown to many people would not fall within its reach. Finally, the use of "encrypted" communications should be limited to communications encrypted for confidentiality purposes, not for user authentication or data integrity purposes. The drafters of the statute would also have to anticipate other potential sources of ambiguity such as the use of data compression techniques that also ob-
scure the true content of a communication and the lack of a common understanding of what it means to "use encrypted communications" when encryption may be a ubiquitous and automatic feature in a communications product.
Finally, the committee recognizes the existence of debate over the effectiveness of laws targeted against the use of certain mechanisms (e.g., mail, guns) to commit crimes. Such a debate should be part of a serious consideration of a law such as that described in Recommendation 5.4. However, the committee is not qualified to resolve this debate, and the committee takes no position on this particular issue.
A second aspect of a statutory approach to controlling the socially harmful uses of encryption could be to expand its scope to include the criminalization of the intentional use of cryptography in the concealment of a crime. With such an expanded scope, the use of cryptography would constitute a prima facie act of concealment, and thus law enforcement officials would have to prove only that cryptography was used intentionally to conceal a crime. On the other hand, its more expansive scope might well impose additional burdens on businesses and raise other concerns, and so the committee takes no stand on the desirability of such an expansion of scope.
The committee notes the fundamental difference between Recommendation 5.4 and Recommendation 1. Recommendation 1 says that the use of any type of encryption within the United States should be legal, but not that any use of encryption should be legal. Recommendation 5.4 says that the nation should consider legislation that would make illegal a specific use of encryption (of whatever type), namely the use of encrypted communications in interstate commerce with the intent of committing a federal crime.
Recommendation 5.5High priority should be given to research, development, and deployment of additional technical capabilities for law enforcement and national security for use in coping with new technological challenges.
Over the past 50 years, both law enforcement and national security authorities have had to cope with a variety of changing technological circumstances. For the most part, they have coped with these changes quite well. This record of adaptability provides considerable confidence that they can adapt to a future of digital communications and stored data as well, and they should be strongly supported in their efforts to develop new technical capabilities.
Moreover, while the committee's basic thrust is toward a wider use of cryptography throughout society, considerable time can be expected to
elapse before cryptography is truly ubiquitous. For example, Recommendation 4.1 is likely to accelerate the widespread use of DES, but market forces will still have the dominant effect on its spread. Even if export controls were removed tomorrow, vendors would still take time to decide how best to proceed, and the use of DES across the breadth of society will take even longer. Thus, law enforcement and national security authorities have a window in which to develop new capabilities for addressing future challenges. Such development should be supported, because effective new capabilities are almost certain to have a greater impact on their future information collection efforts than will aggressive attempts to promote escrowed encryption to a resistant market.
An example of such support would be the establishment of a technical center for helping federal, state, and local law enforcement authorities with technical problems associated with new information technologies.10 Such a center would of course address the use by individuals of unescrowed encryption in the commission of criminal acts, because capabilities to deal with this problem will be necessary whether or not escrowed encryption is widely deployed. Moreover, for reasons of accessibility and specific tailoring of expertise to domestic criminal matters, it is important for domestic law enforcement to develop a source of expertise on the matter. A second problem of concern to law enforcement authorities is obtaining the digital stream carrying the targeted communications. The task of isolating the proper digital stream amidst multiple applications and multiplexed channels will grow more complex as the sophistication of applications and technology increases, and law enforcement authorities will need to have (or procure) considerable technical skill to extract useful information out of the digital streams involved. These skills will need to be at least as good as those possessed by product vendors.
Compared to the use of NSA expertise, a technical center for law enforcement would have a major advantage in being dedicated to serving law enforcement needs, and hence its activities and expertise relevant to prosecution would be informed and guided by the need to discuss analytical methods in open court without concern for classification. Moreover, such a center could be quite useful to state and local law enforcement authorities who currently lack the level of access to NSA expertise accorded the Federal Bureau of Investigation (FBI).
10 This example is consistent with the FBI proposal for a Technical Support Center (TSC) to serve as a central national law enforcement resource to address problems related to encryption and to technological problems with an impact on access to electronic communications and stored information. The FBI proposes that a TSC would provide law enforcement with capabilities in signals analysis (e.g., protocol recognition), mass media analysis (e.g., analysis of seized computer media), and cryptanalysis on encrypted data communications or files.
National security authorities recognize quite clearly that future capabilities to undertake traditional signals intelligence will be severely challenged by the spread of encryption and the introduction of new communications media. In the absence of improved cryptanalytic methods, cooperative arrangements with foreign governments, and new ways of approaching the information collection problem, losses in traditional signals intelligence capability would likely result in a diminished effectiveness of the U.S. intelligence community. To help ensure the continuing availability of strategic and tactical intelligence, efforts to develop alternatives to traditional signals intelligence collection techniques should be given high priority in the allocation of financial and personnel resources before products covered by Recommendation 4.1 become widely used.
Recommendation 6: The U.S. government should develop a mechanism to promote information security in the private sector.
Although the committee was asked to address national cryptography policy, any such policy is necessarily only one component of a national information security policy. Without a forward-looking and comprehensive national information security policy, changes in national cryptography policy may have little operational impact on U.S. information security. Thus, the committee believes it cannot leave unaddressed the question of a national information security policy, although it recognizes that it was not specifically chartered with such a broad issue in mind.
The committee makes Recommendation 6 based on the observation that the U.S. government itself is not well organized to meet the challenges posed by an information society. Indeed, no government agency has the responsibility to promote information security in the private sector. The information security interests of most of the private sector have no formal place at the policy-making table: the National Security Agency represents the classified government community, while the charter of the National Institute of Standards and Technology directs it to focus on the unclassified needs of the government (and its budget is inadequate to do more than that). Other organizations such as the Information Infrastructure Task Force and the Office of Management and Budget have broad influence but few operational responsibilities. As a result, business and individual stakeholders do not have adequate representation in the development of information security standards and export regimes.
For these reasons, the nation requires a mechanism that will provide accountability and focus for efforts to promote information security in the private sector. The need for information security cuts across many dimensions of the economy and the national interest, suggesting that absent
a coordinated approach to promoting information security, the needs of many stakeholders may well be given inadequate attention and notice.
The importance of close cooperation with the private sector cannot be overemphasized. While the U.S. government has played an important role in promoting information security in the past (e.g., in its efforts to promulgate DES, its stimulation of a market for information security products through the government procurement process, its outreach to increase the level of information security awareness regarding Soviet collection attempts, and the stimulation of national debate on this critical subject), information security needs in the private sector in the information age will be larger than ever before (as argued in Recommendation 3). Thus, close consultations between government and the private sector are needed before policy decisions are made that affect how those needs can be addressed. Indeed, many stakeholders outside government have criticized what they believe to be an inadequate representation of the private sector at the decision-making table. While recognizing that some part of such criticism simply reflects the fact that these stakeholders did not get all that they wanted from policy makers, the committee believes that the policy-making process requires better ways for representing broadly both government and nongovernment interests in cryptography policy. Those who are pursuing enhanced information security and those who have a need for legal access to stored or communicated information must both be included in a robust process for managing the often-competing issues and interests that will inevitably arise over time.
How might the policy-making process include better representation of nongovernment interests? Experiences in trade policy suggest the feasibility of private sector advisors, who are often needed when policy cuts across many functional and organizational boundaries and interests both inside and outside government. National policy on information security certainly falls into this cross-cutting category, and thus it might make sense for the government to appoint parties from the private sector to participate in government policy discussions relevant to export control decisions and/or decisions that affect the information security interests of the private sector. Despite the committee's conclusion that the broad outlines of national cryptography policy can be argued on an unclassified basis, classified information may nevertheless be invoked in such discussions and uncleared participants asked to leave the room. To preclude this possibility, these individuals should have the clearances necessary to engage as full participants in order to promote an effective interchange of views and perspectives. While these individuals would inevitably reflect the interests of the organizations from which they were drawn, their essential role would be to present to the government their best technical
and policy advice, based on their expertise and judgment, on how government policy would best serve the national interest.
How and in what areas should the U.S. government be involved in promoting information security? One obvious category of involvement is those areas in which the secure operation of information systems is critical to the nation's welfareinformation systems that are invested with the public trust, such as those of the banking and financial system, the public switched telecommunications network, the air traffic control system, and extensively automated utilities such as the electric power grid. Indeed, the U.S. government is already involved to some extent in promoting the security of these systems, and these efforts should continue and even grow.
In other sectors of the economy, the committee sees no particular reason for government involvement in areas in which businesses are knowledgeable (e.g., their own operational practices, their own risk-benefit assessments), and the role of the U.S. government is most properly focused on providing information and expertise that are not easily available to the private sector. Specifically, the government should build on existing private-public partnerships and private sector efforts in disseminating information (e.g., the Forums of Incident Response and Security Teams (FIRST), the Computer Emergency Response Team (CERT), the I-4 group, the National Counterintelligence Center) to take a vigorous and proactive role in collecting and disseminating information to promote awareness of the information security threat. For illustrative purposes only, some examples follow. The government might:
• Establish mechanisms in which the sharing of sanitized securityrelated information (especially information related to security breaches) could be undertaken without disadvantaging the companies that reveal such information. Such efforts might well build on efforts in the private sector to do the same thing.
• Undertake a program to brief senior management in industry on the information security threat in greater detail than is usually possible in open forums but without formal security clearances being required for those individuals. Such briefings would mean that specific threat information might have to be declassified or treated on a "for official use only" basis.
• Expand the NIST program that accredits firms to test products involving cryptography for conformance to various Federal Information Processing Standards. As of this writing, three private companies today have been accredited to evaluate and certify compliance of products claiming to conform to FIPS 140-1, the FIPS for cryptographic modules; both
the range of FIPSs subject to such evaluation and the number of certifying companies could be increased.
• Help industry to develop common understandings regarding cryptography and information security standards that would constitute fair defenses against damages. These common understandings would help to reduce uncertainty over liability and "responsible practice."
• Undertake technology transfer efforts that would help the private sector to use powerful and capable authentication technologies developed by government. As noted elsewhere in this section, authentication is an application of cryptography that poses a minimal public policy dilemma, and so the use of such government-developed technology should not be particularly controversial.
Finally, in describing the need for a mechanism to promote information security in the private sector, the committee does not make a recommendation on its specific form because its charter did not call for it to address the question of government organization. As discussed in Chapter 7, such a mechanism could be a new coordinating office for information security in the Executive Office of the President. It could be one or more existing agencies or organizations with a new charter or set of responsibilities. It could be a new government agency or organization, although in the current political climate such an agency would demand the most compelling justification. It could be a quasi-governmental body or a governmentally chartered private organization, examples of which are described in Chapter 6. Because of NSA's role within the defense and intelligence communities and its consequent concern about defense and intelligence threats and systems, the committee believes the NSA is not the proper agency to assume primary responsibility for a mission that is primarily oriented toward the needs of the private sector. At the same time, experts from all parts of the U.S. government should be encouraged to assist in analyzing vulnerabilities; if such assistance requires new legislative authority, such authority should be sought from Congress.
8.3 ADDITIONAL WORK NEEDED
The committee recognizes that a number of important areas were outside the scope of this study. Two of these areas are described below:
• As noted in Chapter 2, the creation of an infrastructure (or infrastructures) to support user authentication is a central aspect of any widespread use of various forms of cryptography. The nature of these infrastructures is a matter of public policy; however, since the committee was concerned primarily with addressing issues related to cryptographic con-
fidentiality, it did not address infrastructure issues in the depth that would be necessary to provide detailed advice to federal decision makers.
• As noted in Chapter 7 and discussed in Appendix L, digital cash and electronic money pose many issues for public policy. These issues considerably transcend what could be examined within the scope of the current study.
Although the committee realized that these areas were important, an in-depth study in each would require a committee with a different membership, a different charge, and a different time line. Problems in these areas will become relevant in the near future, and policy makers may wish to anticipate them by commissioning additional examination.
The committee believes that its recommendations will lead to enhanced confidentiality and protection of information for individuals and companies, thereby reducing economic and financial crimes and economic espionage from both domestic and foreign sources. While the recommendations will to that extent contribute to the prevention of crime and enhance national security, the committee recognizes that the spread of cryptography will increase the burden of those in government charged with carrying out certain specific law enforcement and intelligence activities. It believes that widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. The committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography.