In an age of explosive worldwide growth of electronic data storage and communications, many vital national interests require the effective protection of information. When used in conjunction with other approaches to information security, cryptography is a very powerful tool for protecting information. Consequently, current U.S. policy should be changed to promote and encourage the widespread use of cryptography for the protection of the information interests of individuals, businesses, government agencies, and the nation as a whole, while respecting legitimate national needs of law enforcement and intelligence for national security and foreign policy purposes to the extent consistent with good information protection.
BASIC POLICY ISSUES
The Information Security Problem
Today's information age requires U.S. businesses to compete on a worldwide basis, sharing sensitive information with appropriate parties while protecting that information against competitors, vandals, suppliers,
Of the wide variety of information risks facing U.S. companies operating internationally, those resulting from electronic vulnerabilities appear to be the most significant. The National Counterintelligence Center (NACIC), an arm of the U.S. intelligence community established in 1994 by presidential directive, concluded that ''specialized technical operations (including computer intrusions, telecommunications targeting and intercept, and private-sector encryption weaknesses) account for the largest portion of economic and industrial information lost by U.S. corporations." Specifically, the NACIC noted that
[b]ecause they are so easily accessed and intercepted, corporate telecommunicationsparticularly international telecommunicationsprovide a highly vulnerable and lucrative source for anyone interested in obtaining trade secrets or competitive information. Because of the increased usage of these links for bulk computer data transmission and electronic mail, intelligence collectors find telecommunications intercepts cost-effective. For example, foreign intelligence collectors intercept facsimile transmissions through government-owned telephone companies, and the stakes are largeapproximately half of all overseas telecommunications are facsimile transmissions. Innovative "hackers" connected to computers containing competitive information evade the controls and access companies' information. In addition, many American companies have begun using electronic data interchange, a system of transferring corporate bidding, invoice, and pricing data electronically overseas. Many foreign government and corporate intelligence collectors find this information invaluable.
SOURCE: National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, July 1995, pp. 16-17.
customers, and foreign governments (Box ES.1). Private law-abiding citizens dislike the ease with which personal telephone calls can be tapped, especially those carried on cellular or cordless telephones. Elements of the U.S. civilian infrastructure such as the banking system, the electric power grid, the public switched telecommunications network, and the air traffic control system are central to so many dimensions of modern life that protecting these elements must have a high priority. The federal government has an important stake in assuring that its important and sensitive political, economic, law enforcement, and military information, both classified and unclassified, is protected from foreign governments or other parties whose interests are hostile to those of the United States.
Cryptographic Dimensions of Information Security Solutions
Information vulnerabilities cannot be eliminated through the use of any single tool. For example, it is impossible to prevent with technical means a party authorized to view information from improperly disclosing that information to someone else. However, as part of a comprehensive approach to addressing information vulnerabilities, cryptography is a powerful tool that can help to assure the confidentiality and integrity of information in transit and in storage and to authenticate the asserted identity of individuals and computer systems. Information that has been properly encrypted cannot be understood or interpreted by those lacking the appropriate cryptographic "key"; information that has been integrity-checked cannot be altered without detection. Properly authenticated identities can help to restrict access to information resources to those properly authorized individuals and to take fuller advantage of audit trails to track down parties who have abused their authorized access.
Law Enforcement and National Security Dilemmas Posed by Cryptography
For both law enforcement and national security, cryptography is a two-edged sword. The public debate has tended to draw lines that frame the policy issues as the privacy of individuals and businesses against the needs of national security and law enforcement. While such a dichotomy does have a kernel of truth, when viewed in the large, this dichotomy is misleading. If cryptography can protect the trade secrets and proprietary information of businesses and thereby reduce economic espionage (which it can), it also supports in a most important manner the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States. Framing discussion about national cryptography policy in this larger law enforcement and national security context would help to reduce some of the polarization among the relevant stakeholders.
On the other hand, cryptography intended primarily to maintain the confidentiality of information that is available to the general public for legitimate purposes such as defending against information theft is also available for illegitimate purposes such as terrorism. Encryption thus does pose a threat to the capability that law enforcement authorities may seek under appropriate legal authorization to gain access to information for the purpose of investigating and prosecuting criminal activity. Encryption also poses a threat to intelligence gathering for national security
and foreign policy purposes, an activity that depends on access to information of foreign governments and other foreign entities.
Note that other applications of cryptographyfor purposes of assuring data integrity and authenticating identities of users and computer systemsdo not pose dilemmas for law enforcement and national security in the same way that confidentiality does.
National Cryptography Policy for the Information Age
For many years, concern over foreign threats to national security has been the primary driver of a national cryptography policy that has sought to maximize the protection of U.S. military and diplomatic communications while denying the confidentiality benefits of cryptography to foreign adversaries through the use of export controls on cryptography and related technical data. More recently, the U.S. government has aggressively promoted the domestic use of a certain kind of cryptographyescrowed encryptionthat would provide strong protection for legitimate uses but would permit access by law enforcement officials when authorized by law. Today, these and other dimensions of current national cryptography policy generate considerable controversy.
All of the various stakes are legitimate: privacy for individuals, protection of sensitive or proprietary information for businesses, ensuring the continuing reliability and integrity of nationally critical information systems and networks, law enforcement access to stored and communicated information for purposes of investigating and prosecuting crime, and national security access to information stored or communicated by foreign powers or other entities and organizations whose interests and intentions are relevant to the national security and the foreign policy interests of the United States. Informed public discussion of the issues must begin by acknowledging the legitimacy both of information gathering for law enforcement and national security purposes and of information security for law-abiding individuals and businesses.
The conduct of the debate regarding national cryptography policy has been complicated because a number of participants have often invoked classified information that cannot be made public. However, the cleared members of the National Research Council's Committee to Study National Cryptography Policy (13 of the 16 committee members) concluded that the debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis. Classified material is often important to operational matters in specific cases, but it is neither essential to the big picture of why cryptography policy is the way it is nor required for the general outline of how technology will and policy should evolve in the future.
Computing and communications were expensive and rare.
Computing and information acquisition, retrieval, and processing are inexpensive and ubiquitous. Rapid growth is evident in the development and deployment of diverse technology-enabled services.
Communications networks were analog and voice oriented; communications made heavy use of dedicated lines.
Communications networks are digital and oriented toward video and data transmissions.
Communications make heavy use of shared infrastructure and multiple channels of different media (e.g., satellites, wireless). Passive eavesdropping is thus harder to detect.
Telecommunications was controlled by a small number of players.
Telecommunications involves a large number of players.
The U.S. economy was unquestionably dominant in the world.
The U.S. economy is important but not dominant in the world, and it is increasingly interlinked with allies, customers, suppliers, vendors, and competitors all over the world.
The economy was oriented toward material production.
The economy is oriented toward information and services.
The security threat was relatively homogeneous (Soviet Union and Cold War).
Security threats are much more heterogenous than in the Cold War, both in origin and in nature.
Cryptography was used primarily for military and diplomatic purposes. Government had a relative monopoly on cryptographic expertise and capability.
Cryptography has important applications throughout all aspects of society. Non- governmental entities have significant expertise and capability built on an open, public, and expanding base of scientific and technical knowledge about cryptography.
The problems of information vulnerability, the legitimacy of the various national interests described above, and trends such as those outlined in Box ES.2 point to the need for a concerted effort to protect vital information assets of the United States. Cryptography is one important element of a comprehensive U.S. policy for better information security.
The committee believes that U.S. national policy should be changed to support the broad use of cryptography in ways that take into account competing U.S. needs and desires for individual privacy, international economic competitiveness, law enforcement, national security, and
world leadership. Because cryptography is an important tool for protecting information and because it is very difficult for governments to control, the committee believes that widespread nongovernment use of cryptography in the United States and abroad is inevitable in the long run. Accordingly, the proper role of national cryptography policy is to facilitate a judicious transition between today's world of high information vulnerability and a future world of greater information security, while to the extent possible meeting the legitimate needs of law enforcement and information gathering for national security and foreign policy purposes.
The committee found that current national cryptography policy is not adequate to support the information security requirements of an information society. Indeed, current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities. National cryptography policy should support three objectives:
1. Broad availability of cryptography to all legitimate elements of U.S. society;
2. Continued economic growth and leadership of key U.S. industries and businesses in an increasingly global economy, including but not limited to U.S. computer, software, and communications companies; and
3. Public safety and protection against foreign and domestic threats.
Objectives 1 and 2 argue for a policy that places few government restrictions on the use of cryptography and actively promotes the use of cryptography on a broad front. Objective 3 argues that some kind of government policy role in the deployment and use of cryptography for confidentiality may continue to be necessary for public safety and national security reasons. These three objectives can be met within a framework recognizing that on balance, the advantages of more widespread use of cryptography outweigh the disadvantages.
The recommendations below address several critical policy areas. In the interests of brevity, only short rationales for the recommendations are given here. The reader is urged to read Chapter 8 of the report for essential qualifications, conditions, and explanations.
A FRAMEWORK FOR NATIONAL CRYPTOGRAPHY POLICY
The framework for national cryptography policy should provide coherent structure and reduce uncertainty for potential vendors and for nongovernment and government users of cryptography in ways that policy does not do today.
Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States. Specifically, a legislative ban on the use of unescrowed encryption would raise both technical and legal or constitutional issues. Technically, many methods are available to circumvent such a ban; legally, constitutional issues, especially those related to free speech, would be almost certain to arise, issues that are not trivial to resolve. Recommendation 1 is made to reinforce this particular aspect of the Administration's cryptography policy.
Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law. Only a national discussion of the issues involved in national cryptography policy can result in the broadly acceptable social consensus that is necessary for any policy in this area to succeed. A consensus derived from such deliberations, backed by explicit legislation when necessary, will lead to greater degrees of public acceptance and trust, a more certain planning environment, and better connections between policy makers and the private sector on which the nation's economy and social fabric rest.
Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces. As cryptography has assumed greater importance to nongovernment interests, national cryptography policy has become increasingly disconnected from market reality and the needs of parties in the private sector. Experience with technology deployment suggests that reliance on market forces is generally the most effective way to promote the widespread use of a new technology. Since the committee believes that widespread deployment and use of cryptography are in the national interest, it believes that national cryptography policy should align itself with user needs and market forces to the maximum feasible extent. Accordingly, national cryptography policy should emphasize the freedom of domestic users to determine cryptographic functionality, protection, and implementations according to their security needs as they see fit; encourage the adoption of cryptographic standards by the federal government and private parties that are consistent with prevailing industry practice; and support the use of algorithms, product designs, and product implementations that are open to public scrutiny.
For many years, the United States has controlled the export of cryptographic technologies, products, and related technical information as mu-
nitions (on the U.S. Munitions List administered by the State Department). However, the current export control regime for cryptography is an increasing impediment to the information security efforts of U.S. firms competing and operating in world markets, developing strategic alliances internationally, and forming closer ties with foreign customers and suppliers. Export controls also have had the effect of reducing the domestic availability of products with strong encryption capabilities. Looking to the future, both U.S. and foreign companies have the technical capability to integrate high-quality cryptographic features into their products and services. U.S. export controls may stimulate the growth of significant foreign competition for U.S. vendors to the detriment of both U.S. national security interests and U.S. business and industry.
Some relaxation of today's export controls on cryptography is warranted. Relaxation would create an environment in which U.S. and multinational firms and individuals could use the same security products in the United States and abroad, thereby supporting better information security for U.S. firms operating internationally. It would also increase the availability of good cryptography products in the United States. Finally, it would help to solidify U.S. leadership in a field critical to national security and economic competitiveness.
At the same time, cryptography is inherently dual-use in character, with important applications to both civilian and military purposes. Because cryptography is a particularly critical military application for which few technical alternatives are available, retention of some export controls on cryptography will mitigate the loss to U.S. national security interests in the short term, allow the United States to evaluate the impact of relaxation on national security interests before making further changes, and "buy time" for U.S. national security authorities to adjust to a new technical reality.
Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated.
Recommendation 4.1Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable.1Today, products with encryption capabilities that incorporate the 56-bit DES algorithm provide this level of confidentiality and
1 For purposes of Recommendation 4.1, a product that is "easily exportable" will automatically qualify for treatment and consideration (i.e., commodity jurisdiction, or CJ) under the Commerce Control List (CCL). Automatic qualification refers to the same procedure under which software products using RC2 or RC4 algorithms for confidentiality with 40-bit key sizes currently qualify for the CCL.
should be easily exportable. As a condition of export, vendors of products covered under this Recommendation 4.1 (and 4.2 below) would be required to provide to the U.S. government full technical specifications of their product and reasonable technical assistance upon request in order to assist the U.S. government in understanding the product's internal operations.
Recommendation 4.2Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request. Firms on the list would agree to abide by a set of requirements described in Chapter 8 that would help to ensure the ability of the U.S. government to obtain the plaintext of encrypted information upon presentation of a proper law enforcement request. (Plaintext is the information that was initially encrypted.)
Recommendation 4.3The U.S. government should streamline and increase the transparency of the export licensing process for cryptography. Greater efforts in this area would reduce uncertainty regarding rules, time lines, and the criteria used in making decisions about the exportability of particular products. Chapter 8 describes specific possible steps that might be taken.
ADJUSTING TO NEW TECHNICAL REALITIES
As noted above, cryptography is helpful to some dimensions of law enforcement and national security and harmful to others. The committee accepts that the onset of an information age is likely to create many new challenges for public safety, among them the greater use of cryptography by criminal elements of society. If law enforcement authorities are unable to gain access to the encrypted communications and stored information of criminals, some criminal investigations and prosecutions will be significantly impaired. For these reasons, specific steps should be taken to mitigate these difficulties. In the realm of national security, new capabilities are needed to better cope with the challenges that cryptography presents.
Since 1993, the approach of the U.S. government to these problems has been an aggressive promotion of escrowed encryption (see Chapter 5) as a pillar of the technical foundation for national cryptography policy, primarily in response to the law enforcement concerns described above. Initiatives promoted by the U.S. government include the Escrowed Encryption Standard (a voluntary Federal Information Processing Standard
for secure voice telephony), the Capstone/Fortezza initiative that provides escrowed encryption capabilities for secure data storage and communications, and a recent proposal to liberalize export controls on certain encryption products if the keys are "properly escrowed."
The committee understands the Administration's rationale for promoting escrowed encryption but believes that escrowed encryption should be only one part of an overall strategy for dealing with the problems that encryption poses for law enforcement and national security. The committee's view of an appropriate overall strategy is described below, and escrowed encryption is the focus of Recommendation 5.3.
Recommendation 5: The U.S. government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age. Over the past 50 years, both law enforcement and national security authorities have had to cope with a variety of changing technological circumstances. For the most part, they have coped with these changes quite well. Today, however, "business as usual" will not suffice to bring agencies responsible for law enforcement and national security into the information age. At the same time, both law enforcement and national security have demonstrated considerable adaptability to new environments; this record of adaptability provides considerable confidence that they can adapt to a future of digital communications and stored data as well.
The specific subrecommendations that follow attempt to build on this record. They are intended to support law enforcement and national security missions in their totalityfor law enforcement, in both crime prevention and crime prosecution and investigation; and for national security, in both the defense of nationally critical information systems and the collection of intelligence information.
Recommendation 5.1The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks. These applications are particularly important in addressing vulnerabilities of nationally critical information systems and networks. Furthermore, these applications of cryptography are important crime-fighting measures. To date, national cryptography policy has not fully supported such nonconfidentiality uses. Some actions have been taken in this area, but these actions have sometimes conflicted with government concerns about confidentiality. As importantly, government has expressed considerably more concern in the public debate regarding the deleterious impact of widespread cryptography used for confidentiality than over the deleterious impact of not deploying cryptographic capabilities for user authentication and data integ-
rity. Chapter 8 provides a number of illustrative examples to demonstrate what specific actions government can take to promote nonconfidentiality applications of cryptography.
Recommendation 5.2The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications2and the improvement of security at telephone switches. Such steps would not diminish government access for lawfully authorized wiretaps through the requirements imposed on carriers today to cooperate with law enforcement in such matters. Furthermore, by addressing public demands for greater security in voice communications that are widely known to be nonsecure through the telecommunications service providers, these measures would also reduce the demand for (and thus the availability of) devices used to provide end-to-end encryption of voice communications. Without a ready supply of such devices, a criminal user would have to go to considerable trouble to obtain a device that could thwart a lawfully authorized wiretap.
Recommendation 5.3To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic. Escrowed encryption has both benefits and risks. The benefits for law enforcement and national security are that when escrowed encryption is properly implemented and widely deployed, law enforcement and national security authorities will be able to obtain access to escrow-encrypted data in specific instances when authorized by law. Escrowed encryption also enables end users to recover encrypted stored data to which access has been inadvertently lost. The risk to end users is that escrowed encryption provides a potentially lower degree of confidentiality because it is specifically designed to permit exceptional access by parties not originally intended to have access to the encrypted data.
Aggressive government promotion of escrowed encryption is not appropriate at this time for several reasons: the lack of operational experi-
2"Link encryption" refers to the practice of encrypting information being communicated in such a way that it is encrypted only in between the node from which it is sent and the node where it is received; while the information is at the nodes themselves, it is unencrypted. In the context of link encryption for cellular communications, a cellular call would be encrypted between the mobile handset and the ground station. When carried on the landlines of the telephone network, the call would be unencrypted.
ence with how a large-scale infrastructure for escrowed encryption would work; the lack of demonstrated evidence that escrowed encryption will solve the most serious problems that law enforcement authorities face; the likely harmful impact on the natural market development of applications made possible by new information services and technologies; and the uncertainty of the market response to such aggressive promotion. At the same time, many policy benefits can be gained by an operational exploration of escrowed encryption by the U.S. government for government applications; such exploration would enable the U.S. government to develop the base of experience on which to build a more aggressive promotion of escrowed encryption should circumstances develop in such a way that encrypted communications come to pose a significant problem for law enforcement.
Recommendation 5.4Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime. The purpose of such a statute would be to discourage the use of cryptography for illegitimate purposes, thus focusing the weight of the criminal justice system on individuals who were in fact guilty of criminal activity rather than on law-abiding citizens and criminals alike. Any statute in this area should be drawn narrowly.
Recommendation 5.5High priority should be given to research, development, and deployment of additional technical capabilities for law enforcement and national security for use in coping with new technological challenges. Such R&D should be undertaken during the time that it will take for cryptography to become truly ubiquitous. These new capabilities are almost certain to have a greater impact on future information collection efforts than will aggressive attempts to promote escrowed encryption to a resistant market.
THE POLICY RELATIONSHIP BETWEEN INFORMATION SECURITY AND CRYPTOGRAPHY
Although this report is concerned primarily with national cryptography policy, any such policy is only one component of a national information security policy. Without a forward-looking and comprehensive national information security policy, changes in national cryptography policy may have little operational impact on U.S. information security.
Recommendation 6: The U.S. government should develop a mechanism to promote information security in the private sector. As is widely
acknowledged, the U.S. government is not well organized to meet the challenges presented by an information society, and no government agency has the responsibility to promote information security in the private sector. Absent a coordinated approach to promoting information security, the needs of many stakeholders may well be given inadequate attention and notice; those who are pursuing enhanced information security and those who have a need for legal access to stored or communicated information must both be included in a robust process for managing the often-competing issues and interests that will inevitably arise over time. Government has an important role in actively promoting the security of information systems and networks critical to the nation's welfare (e.g., the banking and financial system, the public switched telecommunications network, the air traffic control system, the electric power grid). In other sectors of the economy, the role of the U.S. government should be limited to providing information and expertise. Chapter 8 provides some illustrative examples of what the government might do to promote information security in the private sector.
The committee believes that its recommendations will lead to enhanced confidentiality and protection of information for individuals and companies, thereby reducing economic and financial crimes and economic espionage from both domestic and foreign sources. In addition, they will result in improved security and assurance for the information systems and networks used by the nationa more secure national information infrastructure. While the recommendations will in these ways contribute to the prevention of crime and enhance national security, the committee recognizes that the spread of cryptography will increase the burden of those in government charged with carrying out certain specific law enforcement and intelligence activities. It believes that widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. Thus, the committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography.