4 Export Controls
Export controls on cryptography and related technical data have been a pillar of national cryptography policy for many years. Increasingly, they have generated controversy because they pit the needs of national security to conduct signals intelligence against the information security needs of legitimate U.S. businesses and the markets of U.S. manufacturers whose products might meet these needs. Chapter 4 describes the current state of export controls on cryptography and issues that these controls raise, including their effectiveness in achieving their stated objectives; negative effects that the export control regime has on U.S. businesses and U.S. vendors of information technology that must be weighed against the positive effects of reducing the use of cryptography abroad; the mismatch between vendor and government perceptions of export controls; and various other aspects of the export control process as it is experienced by those subject to it.
4.1 BRIEF DESCRIPTION OF CURRENT EXPORT CONTROLS
Many advanced industrialized nations maintain controls on exports of cryptography, including the United States. The discussion below focuses on U.S. export controls; Appendix G addresses foreign export control regimes on cryptography.
4.1.1 The Rationale for Export Controls
On the basis of discussion with senior government officials and its own deliberations, the committee believes that the current U.S. export control regime on products with encryption capabilities for confidentiality is intended to serve two primary purposes:
• To delay the spread of strong cryptographic capabilities and the use of those capabilities throughout the world. Senior intelligence officials recognize that in the long run, the ability of intelligence agencies to engage in signals intelligence will inevitably diminish due to a variety of technological trends, including the greater use of cryptography.1
• To give the U.S. government a tool for monitoring and influencing the commercial development of cryptography. Since any U.S. vendor that wishes to export a product with encryption capabilities for confidentiality must approach the U.S. government for permission to do so, the export license approval process is an opportunity for the U.S. government to learn in detail about the capabilities of such products. Moreover, the results of the license approval process have influenced the cryptography that is available on the international market.
4.1.2 General Description2
Authority to regulate imports and exports of products with cryptographic capabilities to and from the United States derives from two items of legislation: the Arms Export Control Act (AECA) of 1949 (intended to regulate munitions) and the Export Administration Act (EAA; intended to regulate so-called dual-use products3). The AECA is the legislative basis for the International Traffic in Arms Regulations (ITAR), in which the U.S. Munitions List (USML) is defined and specified. Items on the USML are regarded for purposes of import and export as munitions, and the ITAR are administered by the Department of State. The EAA is the legislative basis for the Export Administration Regulations (EAR), which define dual-use items on a list known as the Commerce Control List (CCL);4 the EAR are administered by the Department of Commerce. The EAA lapsed in 1994 but has been continued under executive order since that time. Both the AECA and the EAA specify sanctions that can be applied in the event that recipients of goods exported from the United States fail to comply with all relevant requirements, such as agreements to refrain from reexport (Box 4.1).
1 Although the committee came to this conclusion on its own, it is consistent with that of the Office of Technology Assessment, Information Security and Privacy in Network Environments, U.S. Government Printing Office, Washington, D.C., September 1994.
2 Two references that provide detailed descriptions of the U.S. export control regime for products with encryption capability are a memorandum by Fred Greguras of the law firm Fenwick & West (Palo Alto, Calif.), dated March 6, 1995, and titled "Update on Current Status of U.S. Export Administration Regulations on Software" (available at http://www.batnet.com:80/oikoumene/SftwareEU.html), and a paper by Ira Rubinstein, "Export Controls on Encryption Software," in Coping with U.S. Export Controls 1994, Commercial Law & Practice Course Handbook Series No. A-733, Practicing Law Institute, October 18, 1995. The Greguras memorandum focuses primarily on the requirements of products controlled by the Commerce Control List, while the Rubinstein paper focuses primarily on how to move a product from the Munitions List to the Commerce Control List.
3 A dual-use item is one that has both military and civilian applications.
At present, products with encryption capabilities can be imported into the United States without restriction, although the President does have statutory authority to regulate such imports if appropriate. Exports are a different matter. Any export of an item covered by the USML requires a specific affirmative decision by the State Department's Office of Defense Trade Controls, a process that can be time-consuming and cumbersome from the perspective of the vendor and prospective foreign purchaser.
The ITAR regulate and control exports of all "cryptographic systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems"; in addition, they regulate information about cryptography that is not implemented in a product, under a category known as "technical data."5
Until 1983, USML controls were maintained on all cryptography products. However, since that time, a number of relaxations in these controls have been implemented (Box 4.2), although many critics contend that such relaxation has lagged significantly behind the evolving marketplace. Today, the ITAR provide a number of categorical exemptions that allow for products in those categories to be regulated as dual-use items and controlled exclusively by the CCL. For products that do not fall into these categories and for which there is some question about whether it is the USML or the CCL that governs their export, the ITAR also provide for a procedure known as commodity jurisdiction,6 under which potential exporters can obtain judgments from the State Department about which list governs a specific product. A product granted commodity jurisdiction to the CCL falls under the control of the EAR and the Department of Commerce. Note that commodity jurisdiction to the CCL is generally granted for products with encryption capabilities using 40-bit keys regardless of the algorithm used, although these decisions are made on a
4 The CCL is also commonly known as the Commodity Control List.
5 However, encryption products intended for domestic Canadian use in general do not require export licenses.
6 Commodity jurisdiction is also often known by its acronym, CJ.
In general, a U.S. Munitions List (USML) license is granted to a U.S. exporter for the shipping of a product, technical data, or service covered by the USML to a particular foreign recipient for a set of specified end uses and subject to a number of conditions (e.g., restrictions on reexport to another nation, nontransfer to a third party). The full range of ITAR sanctions is available against the U.S. exporter and the foreign recipient outside the United States.
The ITAR specify that as a condition of receiving a USML license, the U.S. exporter must include in the contract with the foreign recipient language that binds the recipient to abide by all appropriate end-use restrictions. Furthermore, the U.S. exporter that does not take reasonable steps to enforce the contract is subject to ITAR criminal and civil sanctions. But how can end-use restrictions be enforced for a foreign recipient?
A number of sanctions are available to enforce the compliance of foreign recipients of USML items exported from the United States. The primary sanctions available are the criminal and civil liabilities established by the Arms Export Control Act (AECA); the foreign recipient can face civil and/or criminal charges in U.S. federal courts for violating the AECA. Although different U.S. courts have different views on extraterritoriality claims asserted for U.S. law, a criminal conviction or a successful civil lawsuit could result in the imposition of criminal penalties on individuals involved and/or seizure of any U.S. assets of the foreign recipient. (When there are no U.S. assets, recovering fines or damages can be highly problematic, although some international agreements and treaties provide for cooperation in such cases.) Whether an individual could be forced to return to the United States for incarceration would depend on the existence of an appropriate extradition treaty between the United States and the foreign nation to whose jurisdiction the individual is subject.
A second avenue of enforcement is that the foreign recipient found to be in violation can be denied all further exports from the United States. In addition, the foreign violator can be denied permission to compete for contracts with the U.S. government. From time to time, proposals are made to apply sanctions against violators that would deny privileges for them to export products to the United States, though such proposals often create political controversy.
A third mechanism of enforcement may proceed through diplomatic channels. Depending on the nation to whose jurisdiction the foreign recipient is subject, the U.S. government may well approach the government of that nation to seek its assistance in persuading or forcing the recipient to abide by the relevant end-use restrictions.
A fourth mechanism of enforcement is the sales contract between the U.S. exporter and the foreign recipient, which provides a mechanism for civil action against the foreign recipient. A foreign buyer who violates the end-use restrictions is in breach of contract with the U.S. exporter, who may then sue for damages incurred by the U.S. company. Depending on the language of the contract, the suit may be carried out in U.S. or foreign courts; alternatively, the firms may submit to binding arbitration.
The operation of these enforcement mechanisms can be cumbersome, uncertain, and slow. But they exist, and they are used. Thus, while some analysts believe that they do not provide sufficient protection for U.S. national security interests, others defend them as a reasonable but not perfect attempt at defending those interests.
Prior to 1983, all cryptography exports required individual licenses from the State Department. Since then, a number of changes have been proposed and mostly implemented.
1983 Distribution licenses established allowing exports to multiple users under a single license
1987 Nonconfidentiality products moved to Department of Commerce (DOC) on a case-by-case basis
1990 International Traffic in Arms Regulations amended; all nonconfidentiality products under DOC jurisdiction
1990 Mass-market general-purpose software with encryption for confidentiality moved to DOC on case-by-case basis
1992 Software Publishers Association agreement providing for 40-bit RC2/RC4-based products under DOC jurisdiction
1993 Mass-market hardware products with encryption capabilities moved to DOC on case-by-case basis
1994 Reforms to expedite license processing at Department of State
1995 Proposal to move to DOC software products with 64-bit cryptography for confidentiality with "properly escrowed" keys
1996 "Personal use" exemption finalized
SOURCE: National Security Agency.
product-by-product basis. In addition, when a case-by-case export licensing decision results in CCL jurisdiction for a software product, it is usually only the object code, which cannot be modified easily, that is transferred; the source code of the product (embedding the identical functionality but more easily modified) generally remains on the USML.
As described in Box 4.3, key differences between the USML and the CCL have the effect that items on the CCL enjoy more liberal export consideration than items on the USML. (This report uses the term "liberal export consideration" to mean treatment under the CCL.) Most importantly, a product controlled by the CCL is reviewed only once by the U.S. government, thus drastically simplifying the marketing and sale of the product overseas.
The most important of these explicit categorical exemptions to the USML for cryptography are described in Box 4.4. In addition, the current export control regime provides for an individual case-by-case review of USML licensing applications for products that do not fall under the jurisdiction of the CCL. Under current practice, USML licenses to acquire and
BOX 4.3 Important Differences Between the U.S. Munitions List and the Commerce Control List
Each pair below gives the treatment of items on the U.S. Munitions List (USML), followed by the corresponding treatment of items on the Commerce Control List (CCL).
USML: Department of State has broad leeway to take national security considerations into account in licensing decisions; indeed, national security and foreign policy considerations are the driving force behind the Arms Export Control Act.
CCL: Department of Commerce may limit exports only to the extent that they would make "a significant contribution to the military potential of any other country which would prove detrimental to the national security of the United States" or "where necessary to further significantly the foreign policy of the United States." The history of the Export Administration Act strongly suggests that its national security purpose is to deny dual-use items to countries of Communist Bloc nations, nations of concern with respect to proliferation of weapons of mass destruction, and other rogue nations.
USML: Items are included on the USML if the item is "inherently military in character"; the end use is irrelevant in such a determination. Broad categories of product are included.
CCL: Performance parameters rather than broad categories define included items.
USML: Decisions about export can take as long as necessary.
CCL: Decisions about export must be completed within 120 days.
USML: Export licenses can be denied on very general grounds (e.g., the export would be against the U.S. national interest).
CCL: Export licenses can be denied only on very specific grounds (e.g., high likelihood of diversion to proscribed nations).
USML: Individually validated licenses are generally required, although distribution and bulk licenses are possible.1
CCL: General licenses are often issued, although general licenses do not convey blanket authority for export.2
USML: Prior government approval is needed for export.
CCL: Prior government approval is generally not needed for export.
USML: Licensing decisions are not subject to judicial review.
CCL: Licensing decisions are subject to judicial review by a federal judge or an administrative law judge.
USML: Foreign availability may or may not be a consideration in granting a license at the discretion of the State Department.
CCL: Foreign availability of items that are substantially equivalent is, by law, a consideration in a licensing decision.
USML: Items included on the USML are not subject to periodic review.
CCL: Items included on the CCL must be reviewed periodically.
USML: A Shipper's Export Declaration (SED) is required in all instances.
CCL: A SED may be required, unless exemption from the requirement is granted under the Export Administration Regulations.
1 Bulk licenses authorize multiple shipments without requiring individual approval. Distribution licenses authorize multiple shipments to a foreign distributor. In each case, record-keeping requirements are imposed on the vendor. In practice, a distribution license shifts the burden of export restrictions from vendor to distributor. Under a distribution license, enforcement of restrictions on end use and on destination nations and post-shipment record-keeping requirements are the responsibility of the distributor; vendors need not seek an individual license for each specific shipment.
2 Even if an item is controlled by the CCL, U.S. exporters are not allowed to ship such an item if the exporter knows that it will be used directly in the production of weapons of mass destruction or ballistic missiles by a certain group of nations. Moreover, U.S. exports from the CCL are prohibited entirely to companies and individuals on a list of "Specially Designated Nationals" designated as agents of Cuba, Libya, Iraq, North Korea, or Yugoslavia or to a list of companies and individuals on the Bureau of Export Administration's Table of Denial Orders (including some located in the United States and Europe).
The International Traffic in Arms Regulations (ITAR) provide for a number of categorical exemptions, including:
• Mass-market software products that use 40-bit key lengths with the RC2 or RC4 algorithm for confidentiality.1
• Products with encryption capabilities for confidentiality (of any strength) that are specifically intended for use only in banking or money transactions. Products in this category may have encryption of arbitrary strength.
• Products that are limited in cryptographic functionality to providing capabilities for user authentication, access control, and data integrity. Products in these categories are automatically granted commodity jurisdiction to the Commerce Control List (CCL).
Informal Noncodified Exemptions
The current export control regime provides for an individual case-by-case review of U.S. Munitions List (USML) licensing applications for products that do not fall under the jurisdiction of the CCL. Under current practice, certain categories of firms will generally be granted a USML license through the individual review process to acquire and export for their own use products with encryption capabilities stronger than that provided by 40-bit RC2/RC4 encryption.2
• A U.S.-controlled firm (i.e., a U.S. firm operating abroad, a U.S.-controlled foreign firm, or a foreign subsidiary of a U.S. firm);
• Banks and financial institutions (including stock brokerages and insurance companies), whether U.S.-controlled or -owned or foreign-owned, if the products involved are intended for use in internal communications and communications with other banks even if these communications are not limited strictly to banking or money transactions.
1 The RC2 and RC4 algorithms are symmetric-key encryption algorithms developed by RSA Data Security Inc. (RSADSI). They are both proprietary algorithms, and manufacturers of products using these algorithms must enter into a licensing arrangement with RSADSI. RC2 and RC4 are also trademarks owned by RSADSI, although both algorithms have appeared on the Internet. A product with capabilities for confidentiality will be automatically granted commodity jurisdiction to the CCL if it meets a certain set of requirements, the most important of which are the following:
d. The key exchange used in the data encryption must be based on either a public-key algorithm with a key space less than or equal to a 512-bit modulus and/or a symmetrical algorithm with a key space less than or equal to 64 bits.
To ensure that the software has properly implemented the approved encryption algorithm(s), the State Department requires that the product pass a "vector test," in which the vendor receives test data (the vector) and a random key from the State Department, encrypts the vector with the product using the key provided, and returns the result to the State Department; if the product-computed result is identical to the known correct answer, the product automatically qualifies for jurisdiction under the CCL.
Note that the specific technical requirements described in this footnote are not contained in the Federal Register; rather, they were described in a State Department document, any change in which is not subject to an official procedure for public comment. (These conditions were first published in "Defense Trade News," Volume 3(4), October 1992, pp. 11-15. "Defense Trade News" is a newsletter published by the Office of Defense Trade Controls at the Department of State.)
2 See Footnote 7 in the main text of this chapter.
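The "vector test" described in footnote 1 of this box is what is now usually called a known-answer test. The Python code below is an added example, not part of the report or of any State Department procedure: it implements RC4 from its public description, issues a constructed 40-bit key and test vector, and checks three hypothetical "products" (the names `product_compliant`, `product_salted_key` and `product_drop256` and the salt value are assumptions made for illustration).

```python
"""Known-answer ("vector") test for a 40-bit RC4 product. Added illustration."""
import hmac
import os

KEY_BITS = 40  # key length named in the categorical exemption


def rc4(key: bytes, data: bytes) -> bytes:
    """Reference RC4: key scheduling, then XOR of data with the keystream."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def issue_challenge(vector_len: int = 32):
    """Reviewer side: random 40-bit key, random vector, reference answer."""
    key = os.urandom(KEY_BITS // 8)
    vector = os.urandom(vector_len)
    return key, vector, rc4(key, vector)


def vector_test(product, key: bytes, vector: bytes, expected: bytes) -> bool:
    """Pass only if the product's output matches the known answer exactly."""
    if len(key) * 8 != KEY_BITS:
        raise ValueError("challenge key must be exactly 40 bits")
    return hmac.compare_digest(product(key, vector), expected)


# --- Hypothetical products under test (constructed for this example) ---

def product_compliant(key: bytes, data: bytes) -> bytes:
    """Uses the supplied 40-bit key with unmodified RC4."""
    return rc4(key, data)


HIDDEN_SALT = bytes.fromhex("a1b2c3d4e5f60718")  # constructed value


def product_salted_key(key: bytes, data: bytes) -> bytes:
    """Silently extends the key, so the effective key is longer than 40 bits."""
    return rc4(key + HIDDEN_SALT, data)


def product_drop256(key: bytes, data: bytes) -> bytes:
    """Discards the first 256 keystream bytes: a different cipher variant."""
    return rc4(key, bytes(256) + data)[256:]


def run_vector_tests() -> dict:
    """Issue one challenge and report pass/fail for each product."""
    key, vector, expected = issue_challenge()
    products = {
        "compliant": product_compliant,
        "salted_key": product_salted_key,
        "drop256": product_drop256,
    }
    return {name: vector_test(fn, key, vector, expected)
            for name, fn in products.items()}


if __name__ == "__main__":
    for name, passed in run_vector_tests().items():
        print(f"{name:12s} {'PASS' if passed else 'FAIL'}")
```

The check covers only the output for the key and vector supplied; it says nothing about what else a product does with keys of other lengths.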
export for internal use products with encryption capabilities stronger than that provided by 40-bit RC2/RC4 encryption (hereafter in this chapter called "strong encryption"7) are generally granted to U.S.-controlled firms (i.e., U.S. firms operating abroad, U.S.-controlled foreign firms, or foreign subsidiaries of a U.S. firm). In addition, banks and financial institutions (including stock brokerages and insurance companies), whether U.S.-controlled or -owned or foreign-owned, are generally granted USML licenses for strong encryption for use in internal communications and communications with other banks even if these communications are not limited strictly to banking or money transactions.
In September 1994, the Administration promulgated regulations that provided for U.S. vendors to distribute approved products with encryption capabilities for confidentiality directly from the United States to foreign customers without using a foreign distributor and without prior State Department approval for each export.8 It also announced plans to finalize a "personal use exemption" to allow license-free temporary exports of products with encryption capabilities when intended for personal use; a final rule on the personal use exemption was announced in early 1996 and is discussed below in Section 4.3.2. Lastly, it announced a number of actions intended to streamline the export control process to provide more rapid turnaround for certain "preapproved" products.
7 How much stronger than 40-bit RC2/RC4 is unspecified. Products incorporating the 56-bit DES algorithm are often approved for these informal exemptions, and at times even products using larger key sizes have been approved. But the key size is not unlimited, as may be the case under the explicit categorical exemptions specified in the ITAR.
In August 1995, the Administration announced a proposal to liberalize export controls on software products with encryption capabilities for confidentiality that use algorithms with a key space of 64 or fewer bits, provided that the key(s) required to decrypt messages and files are "properly escrowed"; such products would be transferred to the CCL. However, since an understanding of this proposal requires some background in escrowed encryption, discussion of it is deferred to Chapter 5.
4.1.3 Discussion of Current Licensing Practices
The categorical exemptions described in Box 4.4 raise a number of issues:
• In the case of the 40-bit limitation, the committee was unable to find a specific analytical basis for this figure. Most likely, it was the result of a set of compromises that were politically driven by all of the parties involved.9 However, whatever the basis for this key size, recent successful demonstrations of the ability to undertake brute-force cryptanalysis on messages encrypted with a 40-bit key (Box 4.5) have led to a widespread perception that such key sizes are inadequate for meaningful information security.
8 Prior to this rule, almost every encryption export required an individual license. Only those exports covered by a distribution arrangement could be shipped without an individual license. This distribution arrangement required a U.S. vendor of products with cryptographic capabilities to export to a foreign distributor that could then resell them to multiple end users. The distribution arrangement had to be approved by the State Department and included some specific language. Under the new rule, a U.S. vendor without a foreign distributor can essentially act as his own distributor, and avoid having to obtain a separate license for each sale. Exporters are required to submit a proposed arrangement identifying, among other things, specific items to be shipped, proposed end users and end use, and countries to which the items are destined. Upon approval of the arrangement, exporters are permitted to ship the specified products directly to end users in the approved countries based on a single license. See Bureau of Political-Military Affairs, Department of State, "Amendment to the International Traffic in Arms Regulations," Federal Register, September 2, 1994.
9 It is worth noting a common argument among many nongovernment observers that any level of encryption that qualifies for export (e.g., that qualifies for control by the CCL, or that is granted an export license under the USML) must be easily defeatable by NSA, or else
• In the case of products intended for use only in banking or money transactions, the exemption results from the recognition by national security authorities that the integrity of the world's financial system is worth protecting with high levels of cryptographic security. Given the primacy of the U.S. banking community in international financial markets, such a conclusion makes eminent sense. Furthermore, at the time this exemption was promulgated, the financial community was the primary customer for products with encryption capabilities.
This rationale for protecting banking and money transactions naturally calls attention to the possibilities inherent in a world of electronic commerce, in which routine communications will be increasingly likely to include information related to financial transactions. Banks (and retail shops, manufacturers, suppliers, end customers, and so on) will engage in such communications across national borders. In a future world of electronic commerce, connections among nonfinancial institutions may become as important as the banking networks are today. At least one vendor has been granted authority to use strong encryption in software intended for export that would support international electronic commerce (though under the terms of the license, strong encryption applies only to a small portion of the transaction message).10
• In the case of products useful only for user authentication, access control, and data integrity, the exemption resulted from a judgment that the benefits of more easily available technology for these purposes outweigh whatever costs there might be to such availability. Thus, in principle, these nonconfidentiality products from U.S. vendors should be available overseas without significant restriction.
In practice, however, this is not entirely the case. Export restrictions on confidentiality have some "spillover" effects that reduce somewhat the availability of products that are intended primarily for authentication.11
NSA would not allow it to leave the country. The subtext of this argument is that such a level of encryption is per force inadequate. Of course, taken to its logical conclusion, this argument renders impossible any agreement between national security authorities and vendors and users regarding acceptable levels of encryption for export.
10 "Export Approved for Software to Aid Commerce on Internet," New York Times, May 8, 1995, p. D7.
In the summer of 1995, a message encoded with the 40-bit RC4 algorithm was successfully decrypted without prior knowledge of the key by Damien Doligez of the INRIA organization in France. The message in question was a record of an actual submission of form data that was sent to Netscape's electronic shop order form in "secure" mode (including a fictitious name and address). The challenge was posed to break the encryption and recover the name and address information entered in the form and sent securely to Netscape. Breaking the encryption was accomplished by a brute-force search on a network of about 120 workstations and a few parallel computers at INRIA, Ecole Polytechnique, and ENS. The key was found after scanning a little more than half the key space in 8 days, and the message was successfully decrypted. Doligez noted that many people have access to the amount of computing power that he used, and concluded that the exportable Secure Sockets Layer protocol is not strong enough to resist the attempts of amateurs to decrypt a "secure" message.
In January 1996, a Massachusetts Institute of Technology undergraduate student used a single $83,000 graphics computer to perform the same task in 8 days. Testing keys at an average rate of more than 830,000 keys per second, the program running on this computer would take 15 days to test every key.
Another spillover effect arises from a desire among vendors and users to build and use products that integrate multiple cryptographic capabilities (for confidentiality and for authentication/integrity) with general-purpose functionality. In many instances, it is possible for cryptography for authentication/integrity and cryptography for confidentiality to draw on the same algorithm. Export control regulations may require that a vendor weaken or even eliminate the encryption capabilities of a product that also provides authentication/integrity capabilities, with all of the consequent costs for users and vendors (as described in Section 4.3).
11 For example, Kerberos is an application designed to enhance operating system security by providing strong cryptographic authentication of users (and hence strong access control for system resources). As a secondary feature, Kerberos was designed with the capability to provide confidentiality, both as a subroutine library (called by application programmers) and as a set of user programs run by users (e.g., the remote-login program offers an option to encrypt the network connection involved). Typically, Kerberos is distributed in the United States in source code through the Internet to increase its usability on a wide range of platforms, to accommodate diverse user needs, and to increase maintainability; source code distribution is a common practice on the Internet.
Only a small amount of Kerberos code is used to support user-invocable confidentiality. However, in order to prevent running afoul of export regulations, most sites from which Kerberos is available strip out all of the cryptographic source code, including the DES module used as the cryptographic engine to support both the authentication and the confidentiality features and every system call to the module for either authentication or confidentiality purposes.
Such spillover effects suggest that government actions that discourage capabilities for confidentiality may also have some negative impact on the development and use of products with authentication/integrity capabilities even if there is no direct prohibition or restriction on export of products with capabilities only for the latter.
Informal Noncodified Practices
As described above, it is current practice to grant USML licenses for exports of strong cryptography to firms in a number of categories described in Box 4.4. However, the fact that this practice is not explicitly codified contributes to a sense of uncertainty among vendors and users about the process and in practice leads to unnecessary delays in license processing.
In addition, there is uncertainty about whether or not a given foreign company is "controlled" by a U.S. firm. Specifically, vendors often do not know (and cannot find out in advance) whether a proposed sale to a particular foreign company falls under the protection of this unstated exemption. As a practical rule, the U.S. government has a specific set of
Thus, export controls on confidentiality have inhibited the use of Kerberos for its intended authentication purposes. However, because no one (to the committee's knowledge) has actually obtained a formal decision on the status of a source-code version of Kerberos without confidentiality capabilities but with authentication capabilities, it is an open question whether such a version would qualify for commodity jurisdiction to the CCL under the authentication exception.
A second example was provided in testimony to the committee from a company that had eliminated all cryptographic capabilities from a certain product because of its perceptions of the export control hurdles to be overcome. The capabilities eliminated included those for authentication. While it can be argued that the company was simply ignorant of the exemptions in the ITAR for products providing authentication capabilities, the fact remains that much of the vendor community is either not familiar with the exemptions or does not believe that they represent true "fast-track" or "automatic" exceptions.
Note: The committee appreciates John Gilmore's assistance in correcting the information provided about Kerberos in the prepublication version of this report.
guidelines that are used to make this determination.12 But these rules require considerable interpretation and thus do not provide clear guidance for U.S. vendors.
A third issue that arises with current practice is that the lines between "foreign" and "U.S." companies are blurring in an era of transnational corporations, ad hoc strategic alliances, and close cooperation between suppliers and customers of all types. For example, U.S. companies often team with foreign companies in global or international ventures. It would be desirable for U.S. products with encryption capabilities to be used by both partners to conduct business related to such alliances without requiring a specific export licensing decision.13
In some instances, USML licenses have granted U.S. companies the authority to use strong encryption rather freely (e.g., in the case of a U.S. company with worldwide suppliers). But these licenses are still the result of a lengthy case-by-case review whose outcome is uncertain.
Finally, the State Department and NSA explicitly assert control over products without any cryptographic capability at all but developed with "sockets," or, more formally, cryptographic applications programming
12 Under Defense Department guidelines for determining foreign ownership, control, or influence (FOCI), a U.S. company is considered under FOCI "whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable through the ownership of the U.S. company's securities, by contractual arrangements or other means, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may affect adversely the performance of classified contracts." A FOCI determination for a given company is made on the basis of a number of factors, including whether a foreign person occupies a controlling or dominant minority position and the identification of immediate, intermediate, and ultimate parent organizations. (See Department of Defense, National Industrial Security Program Operating Manual, DOD-5220.22-M, January 1995, pp. 23-1 to 2-3-2.) According to ITAR Regulation 122.2, "ownership" means that more than 50 percent of the outstanding voting securities of the firm are owned by one or more foreign persons. "Control" means that one or more foreign persons have the authority or ability to establish or direct the general policies or day-to-day operations of the firm. Control is presumed to exist where foreign persons own 25 percent or more of the outstanding voting securities if no U.S. persons control an equal or larger percentage. The standards for control specified in 22 CFR 60.2(c) also provide guidance in determining whether control in fact exists. Defense Department Form 4415, August 1990, requires answers to 11 questions in order for the Defense Department to make a FOCI determination for any given company.
13 In one instance reported to the committee, a major multinational company with customer support offices in China experienced a break-in in which Chinese nationals apparently copied paper documents and computer files. File encryption would have mitigated the impact associated with this "bag job." Then-current export restrictions hampered deployment of encryption to this site because the site was owned by a foreign (Chinese) company rather than a U.S.-controlled company and therefore not easily covered under then-current practice.
interfaces into which a user can insert his own cryptography. Such products are regarded as having an inherent cryptographic capability (although such capability is latent rather than manifest) and as such are controlled by the USML, even though the text of the ITAR does not mention these items explicitly.14 In general, vendors and users understand this to be the practice and do not challenge it, but they dislike the fact that it is not explicit.
4.2 EFFECTIVENESS OF EXPORT CONTROLS ON CRYPTOGRAPHY
One of the most contentious points in the debate over export controls on cryptography concerns their effectiveness in delaying the spread of strong cryptographic capabilities and the use of those capabilities throughout the world. Supporters of the current export control regime believe that these controls have been effective, and they point to the fact that encryption is not yet in widespread commercial use abroad and that a significant fraction of the traffic intercepted globally is unencrypted. Further, they argue that U.S. products with encryption capabilities dominate the international market to an extent that impeding the distribution of U.S. products necessarily affects worldwide usage.
Critics of current policy assert that export controls have not been effective in limiting the availability of cryptography abroad. For example, based on its ongoing survey of cryptography products worldwide (a study widely cited by critics of current policy), Trusted Information Systems Inc. has noted that
[w]e have now identified 1181 products worldwide [as of March 30, 1996], and we're continuing to learn about new products, both domestic and foreign, on a daily basis. We've also obtained numerous products from abroad and are examining these products to assess their functionality and security. The survey results show that cryptography is indeed widespread throughout the world. Export controls outside of the U.S. appear to be less restrictive. The quality of foreign products seems to be comparable to that of U.S. products.15
14 Specifically, the ITAR place on the USML "cryptographic devices, software, and components specifically designed or modified therefor, including: cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems." Note that these categories do not explicitly mention systems without cryptography but with the capability of accepting "plug-in" cryptography.
Furthermore, critics of U.S. export controls argue that sources other than U.S. commercial vendors (specifically foreign vendors, the in-house expertise of foreign users, Internet software downloads, and pirated U.S. software) are capable of providing very good cryptography that is usable by motivated foreign users.
In assessing the arguments of both supporters and critics of the current export control regime, it is important to keep in mind that the ultimate goal of export controls on cryptography is to keep strong cryptography out of the hands of potential targets of signals intelligence. Set against this goal, the committee believes that the arguments of both supporters and critics have merit but require qualification.
The supporters of the current export regime are right in asserting that U.S. export controls have had a nontrivial impact in retarding the use of cryptography worldwide. This argument is based on three linked factors:
• U.S. export controls on cryptography have clearly limited the sale of U.S. products with encryption capabilities in foreign markets; indeed, it is this fact that drives the primary objection of U.S. information technology vendors to the current export control regime on cryptography.
• Very few foreign vendors offer integrated products with encryption capabilities.16 U.S. information technology products enjoy a very high reputation for quality and usability, and U.S. information technology vendors, especially those in the mass-market software arena, have marketing and distribution skills that are as yet unparalleled by their foreign counterparts. As a result, foreign vendors have yet to fill the void left by an absence of U.S. products.
• U.S. information technology products account for a large fraction of global sales. For example, a recent U.S. International Trade Commission staff report points out that over half of all world sales in information technology come from the United States.17 Actions that impede the flow of U.S. products to foreign consumers are bound to have significant effects on the rate at which those products are purchased and used.
15 Available on-line from the TIS home page, http://www.tis.com; at the time of its presentation to the committee, TIS had identified 450 such products available from foreign nations. Testimony on this topic was first presented by Steven Walker, president of Trusted Information Systems, to the House Committee on Foreign Affairs, Subcommittee on Economic Policy, Trade, and Environment, on October 12, 1993. TIS briefed the study committee on December 15, 1994, and July 19, 1995. The survey mentioned in testimony to the committee continues, and regularly updated figures can be found on the TIS Web page (http://www.tis.com/crypto-survey).
16 The Department of Commerce and the National Security Agency found no general-purpose software products with encryption capability from non-U.S. manufacturers. See Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption, released January 11, 1996, p. 111-9.
On the other hand, it is also true that some foreign targets of interest to the U.S. government today use encryption that is for all practical purposes unbreakable; major powers tend to use "home-grown" cryptography that they procure on the same basis that the United States procures cryptography for its own use, and export controls on U.S. products clearly cannot prevent these powers from using such cryptography.
Furthermore, the fact that cryptography is not being widely used abroad does not necessarily imply that export controls are effective (or will be in the near future) in restraining the use of cryptography by those who desire the protection it can provide. The fact is that cryptography is not used widely either in the United States or abroad, and so it is unclear whether it is the lack of information security consciousness described in Chapter 2 or the U.S. export control regime for cryptography that is responsible for such non-use; most probably, it is some combination of these two factors.
Critics of the current export regime are right in asserting that foreign suppliers of cryptography are many and varied, that software products with encryption capabilities are quite easily available through the Internet (probably hundreds of thousands of individuals have the technical skill needed to download such products), and that cryptography does pose special difficulties for national authorities wishing to control such technology (Box 4.6). Yet, most products with encryption capabilities available on the Internet are not integrated products; using security-specific products is generally less convenient than using integrated products (as described in Chapter 2), and because such products are used less often, their existence and availability pose less of a threat to the collection of signals intelligence.
Furthermore, Internet products are, as a general rule, minimally supported and do not have the backing of reputable and established vendors.18 Users who download software from the Internet may or may not
17 Office of Industries, U.S. International Trade Commission, Global Competitiveness of the U.S. Computer Software and Service Industries, Staff Research Study #21, Washington, D.C., June 1995, executive summary.
18 Whether major vendors will continue to avoid the Internet as a distribution medium remains to be seen. Even today, a number of important products, including Adobe's Acrobat Reader, Microsoft's Word Viewer and Internet Assistant, and the Netscape Navigator are distributed through the Internet. Some vendors make products freely available in limited functionality versions as an incentive for users to obtain full-featured versions; others make software products freely available to all takers in order to stimulate demand for other products from that vendor for which customers pay.
Hardware products with encryption capabilities can be controlled on approximately the same basis as traditional munitions. But software products with encryption capabilities are a different matter. A floppy disk containing programs involving cryptography is visually indistinguishable from one containing any other type of program or data files. Furthermore, software products with encryption capabilities can be transported electronically, with little respect for physical barriers or national boundaries, over telephone lines and the Internet with considerable ease. Cryptographic algorithms, also controlled by the International Traffic in Arms Regulations as "technical data," represent pure knowledge that can be transported over national borders inside the heads of people or via letter.
As is true for all other software products, software products with encryption capabilities are infinitely reproducible at low cost and with perfect fidelity; hence, a controlled item can be replicated at a large number of points. This fact explains how vast amounts of software piracy can occur both domestically and abroad. In principle, one software product with encryption capabilities taken abroad can serve as the seed for an unlimited number of reproductions that can find their way to hostile parties. Finally, it can be argued that the rogue nations that pose the most important targets for U.S. signals intelligence collection are also the least likely to refrain from pirating U.S. software.
know exactly what code the product contains and may not have the capability to test it to ensure that it functions as described.19 Corporate customers, the primary driver for large-scale deployment of products, are unlikely to rely on products that are not sold and supported by reputable vendors, and it is products with a large installed base (i.e., those created by major software vendors) that would be more likely to have the high-quality encryption that poses a threat to signals intelligence. Table 4.1 indicates the primary differences between commercial products and "freeware" available on the Internet.
The committee's brief survey of product literature describing foreign stand-alone security-specific products with encryption capabilities (Box 4.7) also indicated many implementations that were unsound from a security standpoint, even taking for granted the mathematical strength of the algorithms involved and the proper implementation of the indicated algorithms.20 The committee has no reason to believe that the stand-alone
19 Indeed, the lack of quality control for Internet-available software provides an opportunity for those objecting to the proliferation of good products with encryption capability to flood the market with their own products anonymously or pseudonymously; such products may include features that grant clandestine access with little effort.
20 The committee's analysis of foreign stand-alone products for cryptography was based on material provided to the committee by TIS, which TIS had collected through its survey.
TABLE 4.1 Key Differences Between Commercial Products and "Freeware"
Products from Major Commercial Vendors
Stake in reputation of product offerer
Scale of operation
Cost of distribution
Support for products
Role of profit-making motive
Ability to integrate cryptography into useful and sophisticated general-purpose software
Vulnerability to regulatory and legal constraints
Likelihood of market "staying power"
Likelihood of wide distribution and use
Financial liability for poor product performance
Cost of entry into markets
NOTE: All of the characterizations listed are tendencies rather than absolutes and are relative (i.e., determined by comparing products from major commercial vendors to "freeware" products).
security-specific products with encryption capabilities made by U.S. vendors are on average better at providing security,21 although the large
This material was limited to product brochures and manuals that the committee believes put the best possible face on a product's quality. Thus, the committee's identification of security defects in these products is plausibly regarded as a minimum estimate of their weaknesses; more extensive testing (e.g., involving disassembly) would be likely to reveal additional weaknesses, since implementation defects would not be written up in a product brochure. Moreover, the availability of a product brochure does not ensure the availability of the corresponding product; TIS has brochures for all of the 800-plus products identified in its survey, but due to limited resources, it has been able to obtain physical versions (e.g., a disk, a circuit board) of fewer than 10 percent of the products described in those brochures.
21 An "amateur" review of encryption for confidentiality built into several popular U.S. mass-market software programs noted that the encryption facilities did not provide particularly good protection. The person who reviewed these programs was not skilled in cryptography but was competent in his understanding of programming and how the Macintosh manages files. By using a few commonly available programming tools (a file compare program, a "debugger" that allows the user to trace the flow of how a program executes, and a "disassembler" that turns object code into source code that can be examined), the reviewer was able to access in less than two hours the "protected" files generated
• A British product manual notes that "a key can be any word, phrase, or number from 1 to 78 characters in length, though for security purposes keys shorter than six characters are not recommended." Only alphanumeric characters are used in the key, and alpha characters do not distinguish between upper and lower case. While the longer pass phrases can produce keys with the full 56 bits of uncertainty [changing "can" to "do" would require more extensive tests], passwords of even 6 characters are woefully inadequate. It is dangerous to allow users to enter such keys, much less the single-character keys allowed by this product.
• One British product is a DES implementation that recommends cipher block chaining but uses electronic codebook (ECB) mode as the default. The use of ECB as the default is dangerous because ECB is less secure than cipher block chaining.
• A Danish product uses DES with an 8-character key, but limits each character to alphanumeric and punctuation symbols. Hence the key is less than a full 56 bits long. With this restriction, many users are likely to use only upper or lower case alpha characters, resulting in a key less than 40 bits long.
• A foreign product uses the FEAL algorithm as well as a proprietary algorithm. Aside from the question of algorithm strength, the key is 1 to 8 characters long and does not distinguish between upper and lower case. The result is a ridiculously short key, a problem that is compounded by the recommendation in the manual to use a 6- to 8-letter artificial word as the key (e.g., it suggests that for the name Bill, "billbum" might be used as the key).
• A product from New Zealand uses DES plus a public-key system similar to RSA, but based on Lucas functions. The public-key portion limits the key size to 1,024 bits, but does not seem to have a lower bound, a potentially dangerous situation. The DES key can be 1 to 24 characters in length. If the key is 1 to 8 characters,
established software vendors in the United States do have reputations for providing relatively high quality in their products for features unrelated to security.22 Without an acceptable product certification service, most users have no reliable way of determining the quality of any given product for themselves.
by four out of eight programs. See Gene Steinbert, "False Security," MACWORLD, November 1995, pp. 118-121.
One well-publicized cryptographic security flaw found in the Netscape Corporation's Navigator Web browser is discussed in footnote 34 in Chapter 2. Because of a second flaw, Netscape Navigator could also enable a sophisticated user to damage information stored on the host computer to which Navigator is connected. (See Jared Sandberg, "Netscape Software for Cruising Internet Is Found to Have Another Security Flaw," Wall Street Journal, September 25, 1995, p. B12.)
22 In addition, a product with a large installed base is subject to a greater degree of critical examination than is a product with a small installed base, and hence flaws in the former are more likely to be noticed and fixed. Large installed bases are more characteristic of products produced by established vendors than of freeware or shareware products.
then single DES is used; otherwise triple DES is used. The lack of a lower bound on key length is dangerous.
• An Israeli product uses DES or QUICK, a proprietary algorithm. The minimum key length is user selectable between 0 and 8 characters. Allowing such small lower bounds on key length is dangerous. The product also has a "super-password" supplied by the vendor, another potentially dangerous situation. This product is available both in hardware and in software.
• A German hardware product has user-settable S-boxes, and the key can be entered either as 8 characters or 16 hexadecimal characters to yield a true 64-bit key (which will be reduced by the algorithm to 56 bits). The use of 16 hexadecimal character keys will result in higher security, but if the key can also be entered as 8 alphanumeric characters, many users are likely to do so, thus severely reducing the security level. User-selectable S-boxes can have advantages (if they are unknown to a cryptanalyst) and disadvantages (if they are poorly chosen and either are known to or can be guessed by a cryptanalyst). On balance, the danger is arguably greater than the advantage.
• A British product recommends one master key per organization so that files can be shared across personal computers. This practice is very dangerous.
To summarize, the defects in these products are related to poor key management practices, because they either employ or allow poor key management that would enable a determined and knowledgeable adversary to penetrate with relative ease the security they offer. As noted in Section 4.2 of the text, U.S. products are not necessarily more secure.
SOURCE: Committee examination and synthesis of materials provided by Trusted Information Systems Inc.
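The key-length arithmetic behind the box's bullets can be checked directly. The Python below is an added example, not part of the committee's report; the alphabets, and the assumption that a product copies each character's ASCII code straight into a DES key byte, are illustrative, since the report does not say how each product maps characters to key bits.

```python
"""Effective strength of the character-entered keys described in the box."""
import math
import string

DES_KEY_BITS = 56  # DES uses 56 of the 64 bits in a key block

# Alphabets constructed for this example from the box's descriptions.
ALNUM_NOCASE = string.ascii_uppercase + string.digits                  # 36
ALNUM = string.ascii_letters + string.digits                           # 62
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94
ONE_CASE_ALPHA = string.ascii_lowercase                                # 26


def keyspace_bits(alphabet_size, min_len, max_len):
    """log2 of the number of distinct keys with min_len..max_len symbols."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def des_values_per_byte(chars):
    """Distinct key-byte values left once DES drops each byte's low bit.

    DES treats the least significant bit of every key byte as parity and
    ignores it. Assumption: the product uses each character's ASCII code
    as one key byte, so characters whose codes differ only in that bit
    (for example 'b' and 'c') select the same key.
    """
    return len({ord(c) >> 1 for c in chars})


def des_effective_bits(chars, length=8):
    """Effective DES key bits for `length` characters used as key bytes."""
    bits = length * math.log2(des_values_per_byte(chars))
    return min(DES_KEY_BITS, bits)


def shortfall_factor(bits):
    """How many times smaller the search space is than a full 56-bit space."""
    return 2 ** max(0.0, DES_KEY_BITS - bits)


def analyze():
    """Key-space estimates, in bits, for the cases the box describes."""
    return {
        "6 alphanumerics, case-insensitive":
            keyspace_bits(len(ALNUM_NOCASE), 6, 6),
        "8 printable characters, as entered":
            keyspace_bits(len(PRINTABLE), 8, 8),
        "8 printable characters, after parity drop":
            des_effective_bits(PRINTABLE),
        "8 single-case letters, as entered":
            keyspace_bits(len(ONE_CASE_ALPHA), 8, 8),
        "8 single-case letters, after parity drop":
            des_effective_bits(ONE_CASE_ALPHA),
        "1 to 8 letters, case-insensitive":
            keyspace_bits(len(ONE_CASE_ALPHA), 1, 8),
        "8 alphanumerics, after parity drop":
            des_effective_bits(ALNUM),
        "16 hexadecimal digits":
            min(DES_KEY_BITS, keyspace_bits(16, 16, 16)),
    }


if __name__ == "__main__":
    for label, bits in analyze().items():
        print(f"{label:45s} {bits:5.1f} bits  "
              f"(1/{shortfall_factor(bits):,.0f} of a 56-bit key space)")
```

Under the ASCII assumption, the parity drop alone removes several more bits from typed keys, on top of the character-set restriction the box describes.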
As a general rule, a potential user of cryptography faces the choice of buying commercially available products with encryption capabilities on the open market (perhaps custom-made, perhaps produced for a mass market) or developing and deploying those products independently. The arguments discussed above suggest that global dissemination of knowledge about cryptography makes independent development an option, but the problems of implementing knowledge as a usable and secure product drive many potential users to seek products available from reputable vendors. In general, the greater the resources available to potential users and the larger the stakes involved, the more likely they are to attempt to develop their own cryptographic resources. Thus, large corporations and First World governments are, in general, more likely than small corporations and Third World governments to develop their own cryptographic implementations.
Finally, the text of the ITAR seems to allow a number of entirely legal actions that could have results that the current export control regime is intended to prevent (Box 4.8). For example, RSA Data Security Inc. has announced a partnership with the Chinese government to fund an effort by Chinese government scientists to develop new encryption software. This software may be able to provide a higher degree of confidentiality than software that qualifies today for liberal export consideration under the CCL.23
Current export controls on cryptography can apparently be circumvented in a number of entirely legal and/or hard-to-detect ways. For example:
• A U.S. company can develop a product without encryption capabilities and then sell the source code of the product to a friendly foreign company that incorporates additional source code for encryption into the product for resale from that foreign country (assuming that that country has no (or weaker) export controls on cryptography).
• A U.S. company possessing products with encryption capabilities can be bought by a foreign company; in general, no attempt is made to recover those products.
• A U.S. company can work with legally independent counterparts abroad that can incorporate cryptographic knowledge available worldwide into products.
4.3 THE IMPACT OF EXPORT CONTROLS ON U.S. INFORMATION TECHNOLOGY VENDORS
U.S. export controls have a number of interrelated effects on the economic health of U.S. vendors and on the level of cryptographic protection available to U.S. firms operating domestically. (The impact of foreign import controls on U.S. vendors is discussed in Chapter 6 and Appendix G.)
4.3.1 De Facto Restrictions on the Domestic Availability of Cryptography
Current law and policy place no formal restrictions whatever on products with encryption capabilities that may be sold or used in the United States. In principle, the domestic market can already obtain any type of cryptography it wants. For stand-alone security-specific products, this principle is true in practice as well. But the largest markets are not for stand-alone security-specific products, but rather for integrated products with encryption capabilities.
23 See Don Clark, "China, U.S. Firm Challenge U.S. on Encryption-Software Exports," Wall Street Journal, February 8, 1996, p. A10.
For integrated products with encryption capabilities, export controls do have an effect on domestic availability. For example:
• The Netscape Communications Corporation distributes a version of Netscape Navigator over the Internet and sells a version as shrink-wrapped software. Because the Internet version can be downloaded from abroad, its encryption capabilities are limited to those that will allow for liberal export consideration; the shrink-wrapped version is under no such limitation and in fact is capable of much higher levels of encryption.24 Because it is so much more convenient to obtain, the Internet version of Netscape Navigator is much more widely deployed in the United States than is the shrink-wrapped version, with all of the consequences for information security that its weaker encryption capability implies.
• The Microsoft Corporation recently received permission to ship Windows NT Version 4, a product that incorporates a cryptographic applications programming interface approved by the U.S. government for commodity jurisdiction to the CCL. However, this product is being shipped worldwide with a cryptographic module that provides encryption capabilities using 40-bit RC4.25 While domestic users may replace the default module with one providing stronger encryption capabilities, many will not, and the result is a weaker encryption capability for those users.
• A major U.S. software vendor distributes its major product in modular form in such a way that the end user can assemble a system configuration in accordance with local needs. However, since the full range of USML export controls on encryption is applied to modular products into which cryptographic modules may be inserted, this vendor has not been able to find a sensible business approach to distributing the product in such a way that it would qualify for liberal export consideration. The result has been that the encryption capabilities provided to domestic users of this product are much less than they would otherwise be in the absence of export controls.
What factors underlie the choices made by vendors that result in the outcomes described above? At one level, the examples above are simply the result of market decisions and preferences. At a sufficiently high level of domestic market demand, U.S. vendors would find it profitable and appropriate to develop products for the domestic market alone. Similarly, given a sufficiently large business opportunity in a foreign country (or countries) that called for a product significantly different from that used by domestic users, vendors would be willing to develop a customized version of a product that would meet export control requirements. Furthermore, many other manufacturers of exportable products must cope with a myriad of different requirements for export to different nations (e.g., differing national standards for power, safety, and electromagnetic interference), as well as differing languages in which to write error messages or user manuals. From this perspective, export controls are simply one more cost of doing business outside the United States.
24 The shrink-wrapped version of Netscape Navigator sold within the United States and Canada supports several different levels of encryption, including 40-bit RC4, 128-bit RC4, 56-bit DES, and triple-DES. The default for a domestic client communicating with a domestic server is 128-bit RC4 (Jeff Weinstein, Netscape Communications Corporation, Mountain View, Calif., personal communication, February 1996).
25 See Jason Pontin, "Microsoft Encryption API to Debut in NT Workstation Beta," Infoworld, January 29, 1996, p. 25.
On the other hand, the fact that export controls are an additional cost of doing business outside the United States is not an advantage for U.S. companies planning to export products. A vendor incurs less expense and lower effort for a single version of a product produced for both domestic and foreign markets than it does when multiple versions are involved. While the actual cost of developing two different versions of a product with different key lengths and different algorithms is relatively small, a much larger part of the expense associated with multiple versions relates to marketing, manufacture, support, and maintenance of multiple product versions after the initial sale has been made.26
Since a vendor may be unable to export a given product with encryption capabilities to foreign markets, domestic market opportunities must be that much greater to warrant a domestic-only version. (Given that about half of all sales of U.S. information technology vendors are made to foreign customers,27 the loss of foreign markets can be quite damaging to a U.S. vendor.) When they are not, vendors have every incentive to develop products with encryption capabilities that would easily qualify for liberal export consideration. As a result, the domestic availability of products with strong encryption capability is diminished. While a sufficiently high level of domestic market demand would make it profitable for U.S. vendors to develop products for the domestic market alone, the "sufficiently" qualifier is a strong one indeed, given the realities of the market into which vendors must sell and compete, and one infrequently met in practice.
26 Note that development and support concerns are even more significant when a given product is intended for cross-platform use (i.e., for use in different computing environments such as Windows, Mac OS, Unix, and so on), as is the case for many high-end software products (such as database retrieval systems): when a product is intended for use on 50 different platforms, multiplying by a factor of two the effort required on the part of the vendor entails much more of an effort by the vendor than if the product were intended for use on only one platform.
27 See footnote 17.
Users are also affected by an export control regime that forces foreign and domestic parties in communication with each other to use encryption systems based on different algorithms and/or key lengths. In particular, an adversary attempting to steal information will seek out the weakest point. If that weakest point is abroad because of the weak cryptography allowed for liberal export, then that is where the attack will be. In businesses with worldwide network connections, it is critical that security measures be taken abroad, even if key information repositories and centers of activity are located in the continental United States. Put differently, the use of weak cryptography abroad means that sensitive information communicated by U.S. businesses to foreign parties faces a greater risk of compromise abroad because stronger cryptography integrated into U.S. information technology is not easily available abroad.
Finally, the export licensing process can have a significant impact on how a product is developed. For example, until recently, products developed to permit the user to substitute easily his own cryptography module were subject to the USML and the ITAR.28 One vendor pointed out to the committee that its systems were designed to be assembled "out of the box" by end users in a modular fashion, depending on their needs and computing environment. This vendor believed that such systems would be unlikely to obtain liberal export consideration, because of the likelihood that a foreign user would be able to replace an "export-approved" cryptography module with a cryptography module that would not pass export review. Under these circumstances, the sensible thing from the export control perspective would be to deny exportability for the modularized product even if its capabilities did fall within the "safe harbor" provisions for products with encryption capabilities.
28 Note, however, that the use of object-oriented software technology can in general facilitate the use of applications programming interfaces that provide "hooks" to modules of the user's choosing. A number of vendors have developed or are developing general-purpose applications programming interfaces that will allow the insertion of a module to do almost anything. Since these programming interfaces are not specialized for cryptography, but instead enable many useful functions (e.g., file compression, backups), it is very difficult to argue the basis on which applications incorporating these interfaces should be denied export licenses simply because they could be used to support encryption.
A further discussion of recent developments involving cryptography modules and cryptographic applications programming interfaces is contained in Chapter 7.
The considerations above led the committee to conclude that U.S. export controls have had a negative impact on the cryptographic strength of many integrated products with encryption capabilities available in the United States.29 Export controls tend to drive major vendors to a "lowest common denominator" cryptographic solution that will pass export review as well as sell in the United States. The committee also believes that export controls have had some impact on the availability of cryptographic authentication capabilities around the world. Export controls distort the global market for cryptography, and the product decisions of vendors that might be made in one way in the absence of export controls may well be made another way in their presence.
Some of the reasons for this vendor choice are explored in Section 4.3.2.
4.3.2 Regulatory Uncertainty Related to Export Controls
A critical factor that differentiates the costs of complying with export controls from other costs of doing business abroad is the unpredictability of the export control licensing process. (Other dimensions of uncertainty for vendors not related to export controls are discussed in Chapter 6.) A company must face the possibility that despite its best efforts, a USML export license or a commodity jurisdiction to the CCL will not be granted for a product. Uncertainties about the decisions that will emerge from the export control regime force vendors into very conservative planning scenarios. In estimating benefits and costs, corporate planners must take into account the additional costs that could be incurred in developing two largely independent versions of the same product or limit the size of the potential market to U.S. purchasers. When such planning requirements are imposed, the number of product offerings possible is necessarily reduced.
USML licensing is particularly unpredictable, because the reasons that a license is denied in any given instance are not necessarily made available to the applicant; in some cases, the rationale for specific licensing decisions is based on considerations that are highly classified and by law cannot be made available to an uncleared applicant. Since such rationales cannot be discussed openly, an atmosphere of considerable uncertainty pervades the development process for vendors seeking to develop products for overseas markets. Furthermore, there is no independent adjudicating forum to which a negative licensing decision can be appealed.
29 A similar conclusion was reached by the FBI, whose testimony to the committee noted that "the use of export controls may well have slowed the speed, proliferation, and volume of encryption products sold in the U.S." (written statement, "FBI Input to the NRC's National Cryptographic Study Committee," received December 1, 1995).
Since USML licensing is undertaken on a case-by-case basis, it requires the exercise of judgment on the part of the regulatory authorities. A judgment-based approach has the disadvantage that it requires a considerable degree of trust between the regulated and the regulator.30 To the extent that an individual regulated party believes that the regulator is acting in the best interests of the entire regulated community, it is natural that it would be more willing to accept the legitimacy of the process that led to a given result. However, in instances in which those who are regulated do not trust the regulator, the judgments of the regulator are much more likely to be seen as arbitrary and capricious.31
This situation currently characterizes the relationship between cryptography vendors/users and national security authorities responsible for implementing the U.S. export control regime for cryptography. In input received by the committee, virtually all industry representatives, from large to small companies, testified about the unpredictability of the process. From the vendor point of view, the resulting uncertainty inhibits product development and allows negative decisions on export to be rendered by unknown forces and/or government agencies with neither explanation nor a reasonable possibility of appeal.
The need to stay far away from the vague boundaries of what might or might not be acceptable is clearly an inhibitor of technological progress and development. Vendor concerns are exacerbated in those instances in which export control authorities are unwilling to provide a specific reason for the denial of an export license or any assurance that a similarly but not identically configured product with encryption capabilities would pass export review. Even worse from the vendor perspective, product parameters are not the only determinant of whether a licensing decision will be favorable except in a very limited and narrow range of cryptographic functionality.
30 In contrast to a judgment-based approach, a clarity-based approach would start from the premise that regulations and laws should be as clear as possible, so that a party that may be affected knows with a high degree of certainty what is and is not permitted or proscribed. The downside of a clarity-based approach is that affected parties tend to go "right up to the line" of what is prohibited and may seek ways to "design around" any stated limitations. Furthermore, a clarity-based approach would require the specification, in advance, of all acts that are prohibited, even when it may not be possible to define in advance all acts that would be undesirable.
31 For example, critics of the uncertainty engendered by the export regime point out that uncertainty is helpful to policy makers who wish to retain flexibility to modify policy without the work or publicity required for a formal regulatory change.
The uncertainty described above is not limited to new and inexperienced vendors encountering the U.S. export control regime for the first time; large and sophisticated institutions with international connections have also encountered difficulties with the current export control regime. For example, a representative from a major U.S. bank with many international branches reported that export controls affect internally developed bank software with encryption capabilities; a U.S. citizen who works on bank software with encryption capabilities in England may "taint" that software so that it falls under U.S. export control guidelines. Thus, despite the fact that the current export control regime treats banks and other financial institutions relatively liberally, major banks have still struggled under its limitations.
The situation is worse for smaller companies. While large companies have experience and legal staffs that help them to cope with the export control regime, small companies do not. New work on information technology often begins in garage-shop operations, and the export control regime can be particularly daunting to a firm with neither the legal expertise nor the contacts to facilitate compliance of a product with all of the appropriate regulations. These companies in particular are the ones most likely to decide in the end to avoid entirely the inclusion of cryptographic features due to concern about running afoul of the export control rules.
The following three examples illustrate how the unpredictability of the export control licensing process has affected U.S. vendors and their products.
As noted above, cryptographic applications programming interfaces that are directly and easily accessible to the user are in general subject to USML licensing. However, even "closed" interfaces that are not easily accessible to the user are sometimes perceived to pose a risk for the vendor. One major product vendor reported to the committee that it was reluctant to use modular development for fear that even an internal module interface could keep a product from passing export control review. Any software product that uses modular techniques to separate the basic product functionality from the cryptography has a well-defined interface between the two. Even when the software product is converted to object code, that interface is still present (though it is hidden from the casual user). However, the interface cannot in general be hidden from a person with strong technical skills, and such a person would be able to find it and tamper with it in such a way that a different cryptography module could be used.32 A number of similar considerations apply for hardware products, in which the cryptographic capabilities might be provided by a "plug-in" chip.
The alternative to the use of modular techniques in the development of integrated products would complicate the "swap-in/swap-out" of cryptographic capabilities: lines of code (if software) and wires (if hardware) that implemented cryptographic capabilities would be highly interwoven with lines of code and wires that implemented the primary capabilities of the product. On the other hand, this approach would be tantamount to the development of two largely distinct products with little overlap in the work that was required to produce them.
The NSA has spoken publicly about its willingness to discuss with vendors from the early stages of product design features and capabilities of proposed products with encryption capabilities for confidentiality so that the export license approval process can be facilitated, and also its willingness to abide by nondisclosure agreements to reassure vendors that their intellectual property rights will be protected.33 Nonetheless, the receipt of an export control license useful for business purposes is not guaranteed by such cooperation. For example, while decisions about commodity jurisdiction often provide CCL jurisdiction for object code and USML jurisdiction for source code (and thus need not inhibit modular product development if the product is to be distributed in object form only), the fact remains that such decisions are part of a case-by-case review whose outcome is uncertain. Different vendors are willing to tolerate different levels of risk in this regard, depending on the magnitude of the investments involved.
As a general rule, NSA does not appear willing to make agreements in advance that will assure licenses for a product that has not yet been instantiated or produced. Such a position is not unreasonable given NSA's stance toward products with encryption capabilities in general, and the fact that the true capabilities of a product may depend strongly on how it is actually implemented in hardware or software. Thus, vendors have no indemnification against the risk that a product might not be approved.34
32 Of course, such considerations obviously apply to software products with cryptographic capabilities that are designed to be shipped in source code; not only can the cryptographic module be easily identified and replaced, but it can also be pulled out and adapted to other purposes. This point was also raised in footnote 11 of this chapter.
33 For example, NSA representatives made comments to this effect at the RSA Data Security Conference in San Francisco in January 1995.
The Definition of Export
There is uncertainty about what specific act constitutes the "export" of software products with encryption capabilities. It is reasonably clear that the act of mailing to a foreign country a disk with a product with encryption capabilities on it constitutes an export of that product. But if that product is uploaded to an Internet site located in the United States and is later downloaded by a user located in another country, is the act of export the upload or the download? What precautions must be taken by the uploader to remain on the legal side of the ITAR?
The committee has been unable to find any formal document that indicates answers to these questions. However, a March 1994 letter from the State Department's Office of Defense Trade Controls appears to indicate that a party could permit the posting of cryptographic software on an Internet host located in the United States if "(a) the host system is configured so that only people originating from nodes in the United States and Canada can access the cryptographic software, or (b) if the software is placed in a file or directory whose name changes every few minutes, and the name of the file or directory is displayed in a publicly known and readable file containing an explicit notice that the software is for U.S. and Canadian use only."35 Of course, such a letter does not provide formal guidance to parties other than the intended addressee (indeed, under the ITAR, advisory opinions provided to a specific party with a given set of circumstances are not binding on the State Department even with respect to that party), and so the issue remains murky.
The Speed of the Licensing Process
Uncertainty is also generated by a lengthy licensing process without time lines that allow vendors to make realistic schedules. Box 4.9 describes some of the problems reported to the committee. To summarize, the perceptions of many vendors about the excessive length of time it takes to obtain a license reflect the time required for discussions with NSA about a product before an application is formally submitted; the prospect of facing the export control process deters some vendors entirely from creating certain products. By contrast, NSA starts the clock only when it receives a formal application, and in fact the usual time between receipt of a formal application and rendering of a decision is relatively short (a few weeks). The reason that such a fast turnaround is possible is that by the time the application is received, enough is known about the product involved that processing is routine because there is no need for negotiation about how the product must be changed for a license to be approved.
34 Although other industries also have to deal with the uncertainties of regulatory approval regarding products and services, the export control process is particularly opaque, because clear decisions and rationales for those decisions are often not forthcoming (and indeed are often classified and/or unrelated to the product per se).
35 Letter from Clyde Bryant, Office of Defense Trade Controls, U.S. Department of State, Washington, D.C., to Daniel Appelman, Heller, Ehrman, White & McAuliffe, dated March 11, 1994.
Box 4.9
• Some foreign customers know it will take a long time to obtain a positive licensing decision and as a consequence do not bother to approach U.S. vendors at all.
• Products to market are delayed; even when export licenses are eventually granted, they are often granted too late to be useful, because the area of information technology is so fast-moving.
• Rapid decisions are not rendered. In one instance reported to the committee, a U.S. information technology company wanted permission to use its own software (with strong encryption capabilities) to communicate with its foreign offices. Such cases are in theory expedited because of a presumptive approval in these circumstances; this vendor's government contacts agreed that "such an application would be no problem" and that an approval would be a rapid "rubber-stamp" one, but in fact, this vendor is still awaiting a license after more than a year.
• System integrators intending to ship complete systems rather than individual products face particular difficulties in obtaining a speedy turnaround, because the task for national security authorities involves an assessment of the entire system into which a given product (or products) with encryption capabilities will be integrated, rather than an assessment of just the products with encryption capabilities alone.
• Even vendors that manufacture cryptographic software not intended for export are required to register with the State Department's Office of Defense Trade Controls, primarily "to provide the U.S. government with necessary information on who is involved in certain manufacturing and exporting activities."1
1 International Traffic in Arms Regulations, Section 122.1 (c).
In response to some of these concerns, the U.S. government has undertaken a number of reforms of the export control regime (described in Section 4.1) to reduce the hassle and red tape involved in obtaining export licenses.36 These reforms are important. Nevertheless, the pace at which new information technology products develop and the increasing complexity of those products will complicate product review efforts in the future. Given relatively fixed staffing, these factors will tend to increase the length of time needed to conduct product reviews at a time when vendors are feeling pressures to develop and market products more rapidly.
One particular reform effort that deserves discussion is the "personal use" exemption. For many years, Americans traveling abroad were required under the ITAR to obtain "temporary export licenses" for products with encryption capabilities carried overseas for their personal use.37 The complexity of the procedure for obtaining such a license was a considerable burden for U.S. businesspeople traveling abroad, and these individuals were subject to significant criminal penalties for an act that was widely recognized to be harmless and well within the intent of the export control regime.
In February 1994, the Administration committed itself to promulgating regulations to support a personal-use exemption from the licensing requirement. Two years later, on February 16, 1996, the Federal Register contained a notice from the Department of State, Bureau of Political-Military Affairs, announcing a final rule amending the ITAR to allow U.S. persons to temporarily export cryptographic products for personal use without the need for an export license.38
Some critics of government policy have objected to the particular formulation of the record-keeping requirement. All parties involved, including senior Administration officials, have agreed that 2 years was far too long a period for promulgation of so simple a rule.
36 For example, according to NSA, the detailing of an NSA representative to work with the State Department Office of Defense Trade Controls has resulted in a considerable reduction in the time needed to process a license.
37 For a description of how this process worked in practice, see Matt Blaze, "My Life as an International Arms Courier," e-mail message circulated by Matt Blaze (mab@research.att.com) on January 6, 1995. A news article based on Blaze's story is contained in Peter H. Lewis, "Between a Hacker and a Hard Place: Data-Security Export Law Puts Businesses in a Bind," New York Times, April 10, 1995, p. D1.
38 According to the regulation, the product must not be intended for copying, demonstration, marketing, sale, re-export, or transfer of ownership or control. It must remain in the possession of the exporting person, which includes being locked in a hotel room or safe. While in transit, it must be with the person's accompanying baggage. Exports to certain countries are prohibited (currently Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria). The exporter must maintain records of each temporary export for 5 years. See Public Notice 2294, Federal Register, Volume 61(33), February 16, 1996, pp. 6111-6113.
4.3.3 The Size of the Affected Market for Cryptography
Since export controls on products with encryption capabilities constrain certain aspects of sales abroad, considerable public attention has focused on the size of the market that may have been affected by export controls. Vendors in particular raise the issue of market share with considerable force:
• "The only effect of the export controls is to cause economic harm to US software companies that are losing market share in the global cryptography market to companies from the many countries that do not have export controls."39
• "[The government's current policy on encryption] is anti-competitive. The government's encryption export policy jeopardizes the future of the software industry, one of the fastest growing and most successful industries."40
The size of the market for products with encryption capabilities cuts across many dimensions of cryptography policy, but since it is raised most often in the context of the export control debate, it is addressed in this section.
Plausible arguments can be made that the market ranges from no more than the value of the security-specific products sold annually (i.e., several hundred million dollars per year, a low-end estimate)41 to the total value of all hardware and software products that might include encryption capabilities (many tens of billions of dollars, a high-end estimate).42 The committee was unable to determine the size of the information technology market directly affected by export controls on encryption to within a factor of more than 100, a range of uncertainty that renders any estimate of the market quite difficult to use as the basis for a public policy decision.
39 Jim Hassert, Washington Connections, Software Publishers Association, Washington, D.C., Chapter 9. Available on-line at http://www.spa.org.
40 Business Software Alliance, Information and Data Security: The Encryption Update. Available on-line at http://www.bsa.org.
41 Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption, released January 11, 1996, p. III-1. Note, however, that this report does not arrive at this estimate independently; rather, it cites other estimates made in the private sector.
42 Of course, it is a matter of speculation what fraction of the information technology market (on the order of $193 billion in 1993; see below) might usefully possess encryption capabilities; good arguments can be made to suggest that this fraction is very small or very large. A number of information technology trade organizations have also made estimates. The Software Publishers Association cited a survey by the National Computer Security Association that quoted a figure of $160 million in aggregate known losses in 1993 because of export controls; see "Written Testimony of the Software Publishers Association to the National Research Council," Washington, D.C., July 19, 1995. In 1993, the Business Software Alliance estimated that "approximately $6-9 billion in U.S. company revenues are currently at risk because of the inability of those companies to be able to sell world wide generally available software with encryption capabilities employing DES or other comparable strength algorithms"; see testimony of Ray Ozzie, president, Iris Associates, on behalf of the Business Software Alliance, "The Impact on America's Software Industry of Current U.S. Government Munitions Export Controls," before the Economic Policy, Trade, and Environment Subcommittee, House Committee on Foreign Affairs, Washington, D.C., October 12, 1993. The Computer Systems Policy Project (CSPP) estimated that in 2000, the potential annual revenue exposure for U.S. information technology vendors would range from $3 billion to $6 billion on sales of cryptographic products, including both hardware and software; CSPP also estimated $30 billion to $60 billion in potential revenue exposure on sales of associated computer systems; see William F. Hagerty IV, The Management Advisory Group, Computer Systems Policy Project, The Growing Need for Cryptography: The Impact of Export Control Policy on U.S. Competitiveness, Study Highlights (viewgraphs), Bethesda, Md., December 15, 1995.
The $193 billion figure is taken from Department of Commerce, U.S. Industrial Outlook, 1994, and includes computers and peripherals ($62.5 billion, p. 26-1), packaged software ($32.0 billion, p. 27-1), information services ($13.6 billion, p. 25-1), data processing and network services ($46.4 billion, p. 25-1), and systems integration/custom programming services ($38.7 billion, p. 25-5). Note that this figure does not include some other industry sectors that could, in principle, be affected by regulations regarding secure communications; in 1993, U.S. companies provided telecommunications services valued at $10.4 billion to foreign nations (p. 29-1) and shipped $17.5 billion (1987 dollars) in telephone equipment worldwide (p. 30-3).
Nevertheless, although it is not large enough to be decisive in the policy debate, the floor of such estimates, a few hundred million dollars per year, is not a trivial sum. Furthermore, all trends point to growth in this number, growth that may well be very large and nonlinear in the near future. To the extent that both of these observations are valid, it is only a matter of a relatively short time before even the floor of any estimate will be quite significant in economic terms.
The next three subsections describe some of the factors that confound the narrowing of the large range of uncertainty in any estimate of the size of the market affected by export controls.
Defining a "Lost Sale"
A number of vendors have pointed to specific instances of lost sales as a measure of the harm done to vendors as a result of export controls on cryptography.43 National security officials believe that these figures are considerably overstated. Administration officials and congressional staff have expressed considerable frustration in pinning down a reliable estimate of lost sales.
It is important to begin with the understanding that the concept of a "lost sale" is intrinsically soft. Trying to define the term "lost sales" raises a number of questions:
• What events count as a sale lost because of export restrictions? Several possibilities illustrate the complications:
A U.S. vendor is invited along with foreign vendors to bid on a foreign project that involves cryptography, but declines because the bid requirements are explicit and the U.S. vendor knows that the necessary export licenses will not be forthcoming on a time scale compatible with the project.
A U.S. vendor is invited along with foreign vendors to bid on a foreign project that involves cryptography. In order to expedite export licensing, the U.S. vendor offers a bid that involves 40-bit encryption (thus ignoring the bid requirements), and the bid is rejected.
A U.S. vendor is invited along with foreign vendors to bid on a foreign project that involves cryptography. A foreign vendor emerges as the winner. The sale is certainly a lost sale, but since customers often make decisions with a number of reasons in mind and may not inform losing vendors of their reasons, it is difficult to determine the relationship of export controls to the lost sale.
No U.S. vendor is invited to bid on a foreign project that involves cryptography. In such an instance, the potential foreign customer may have avoided U.S. vendors, recognizing that the cryptography would subject the sale to U.S. export control scrutiny, possibly compromising sensitive information or delaying contract negotiations inordinately. On the other hand, the potential customer may have avoided U.S. vendors for other reasons, e.g., because the price of the U.S. product was too high.
43 For example, in a presentation to the committee on July 19, 1995, the Software Publishers' Association documented several specific instances in which a U.S. company had lost a sale of a product involving cryptography to a foreign firm. These instances included a company that lost one-third of its total revenues because export controls on DES-based encryption prevented sales to a foreign firm; a company that could not sell products with encryption capability to a European company because that company resold products to clients other than financial institutions; a U.S. company whose European division estimated at 50 percent the loss of its business among European financial institutions, defense industries, telecommunications companies, and government agencies because of inadequate key sizes; and a U.S. company that lost the sale of a DES-based system to a foreign company with a U.S. subsidiary (Software Publishers' Association, "Presentation on Impacts of Export Control on Encryption Before the NRC National Cryptography Policy Committee," July 19, 1995).
• What part of a product's value is represented by the cryptographic functionality that limits a product's sales when export controls apply? As noted in Chapter 2, stand-alone products with encryption capabilities are qualitatively different from general-purpose products integrated with encryption capabilities. A security-specific stand-alone product provides no other functionality, and so the value of the cryptography is the entire cost of the product. But such sales account for a very small fraction of information technology sales. Most sales of information technology products with encryption capabilities are integrated products. Many word processing and spreadsheet programs may have encryption capabilities, but users do not purchase such programs for those capabilities; they purchase them to enhance their ability to work with text and numbers. Integrated products intended for use in networked environments (e.g., "groupware") may well have encryption capability, but such products are purchased primarily to serve collaboration needs rather than encryption functions. In these instances, it is the cost of the entire integrated product (which may not be exportable if encryption is a necessary but secondary feature) that counts as the value lost.
• How does a vendor discover a "lost sale"? In some cases, a specific rejection counts as evidence. But in general there is no systematic way to collect reliable data on the number or value of lost sales.
• An often-unnoticed dimension of "lost sales" does not involve product sales at all, but rather services whose delivery may depend on cryptographic protection. For example, a number of U.S. on-line service providers (e.g., America Online, Compuserve, Prodigy) intend to offer or expand access abroad;44 the same is true for U.S. providers of telecommunications services.45 To the extent that maintaining the security of foreign interactions with these service providers depends on the use of strong cryptography, the ability of these companies to provide these services may be compromised by export restrictions and thus sales of service potentially reduced.
44 See, for example, Kara Swisher, "Old World, New Frontier in Cyberspace," Washington Post, December 12, 1995, p. C1; Victoria Shannon, "U.S. On-Line Services Fall Short on International Reach," Washington Post, April 3, 1995, Washington Business, p. 20. For more detail on AOL plans, see Elizabeth Corcoran, "America Online to Offer Access in Europe," Washington Post, May 19, 1995, p. F3.
45 See, for example, Office of Technology Assessment, U.S. Telecommunications Services in European Markets, OTA-TCT-548, U.S. Government Printing Office, Washington, D.C., August 1993.
Latent vs. Actual Demand
In considering the size of the market for cryptography, it is important to distinguish between "actual" demand and "latent" demand.
• Actual demand reflects what users spend on products with encryption capabilities. While the value of "the market for cryptography" is relatively well defined in the case of stand-alone security-specific products (it is simply the value of all of the sales of such products), it is not well defined when integrated products with encryption capabilities are involved. The reason is that for such products, there is no demand for cryptography per se. Rather, users have a need for products that do useful things; cryptography is a feature added by designers to protect users from outside threats to their work, but as a purely defensive capability, cryptography does not so much add functional value for the user as protect against reductions in the value that the user sees in the product. Lotus Notes, for example, would not be a viable product in the communications software market without its encryption capabilities, but users buy it for the group collaboration capabilities that it provides rather than for the encryption per se.
• Latent demand (i.e., inherent demand that users do not realize or wish to acknowledge but that surfaces when a product satisfying this demand appears on the market) is even harder to measure or assess. Recent examples include Internet usage and faxes; in these instances, the underlying technology has been available for many years, but only recently have large numbers of people been able to apply these technologies for useful purposes. Lower prices and increasing ease of use, prompted in part by greater demand, have stimulated even more demand. To the extent that there is a latent demand for cryptography, the inclusion of cryptographic features in integrated products might well stimulate a demand for cryptography that grows out of knowledge and practice, out of learning by doing.
Determining the extent of latent demand is complicated greatly by the fact that latent demand can be converted into actual demand on a relatively short time scale. Indeed, such growth curves (very slow growth in use for a while and then a sudden explosion of demand) characterize many critical mass phenomena: some information technologies (e.g., networks, faxes, telephones) are valuable only if some critical mass of people use them. Once that critical mass is reached, other people begin to use those technologies, and demand takes off. Linear extrapolations 5 or 10 years into the future based on 5 or 10 years in the past miss this very nonlinear effect.
Of course, it is difficult to predict a surge in demand before it actually occurs. In the case of cryptography, market analysts have been predicting significantly higher demand for many years; today, growth rates are high, but demand for information security products including cryptography is not yet ubiquitous.
Two important considerations bearing directly on demand are increasing system complexity and the need for interoperability. Users must be able to count on a high degree of interoperability in the systems and software they purchase if they are to operate smoothly across national boundaries (as described in Chapter 1). Users understand that it is more difficult to make different products interoperate, even if they are provided by the same vendor, than to use a single product. For example, the complexity of a product generally rises as a function of the number of products with which it must interoperate, because a new product must interoperate with already-deployed products. Increased complexity almost always increases vulnerabilities in the system or network that connects those products. In addition, more complex products tend to be more difficult to use and require greater technical skill to maintain and manage; thus, purchasers tend to shy away from such products. This reluctance, in turn, dampens demand, even if the underlying need is still present.
From the supply side, vendors feel considerable pressure from users to develop interoperable products. But greater technical skills are needed by vendors to ensure interoperability among different product versions than to design a single product that will be used universally, just as they are for users involved in the operation and maintenance of these products. Requirements for higher degrees of technical skill translate into smaller talent pools from which vendors can draw and thus fewer products available that can meet purchasers' needs for interoperability.
Problems relating to interoperability and system complexity, as well as the size of the installed base, have contributed to the slow pace of demand to date for products with encryption capabilities.
Nevertheless, the committee believes it is only a matter of time until a surge occurs, at the same time acknowledging the similarity between this prediction and other previous predictions regarding demand. This belief is based on projections regarding the growth of networked applications46 and the trends discussed in Chapter 1: increasing demand for all kinds of information technology, increasing geographic dispersion of businesses across international boundaries, increasing diversity of parties wishing/needing to communicate with each other, and increasing diversity in information technology applications and uses in all activities of a business. Further, the committee believes that computer users the world over have approximately the same computing needs as domestic users, and so domestic trends in computing (including demand for more information security) will be reflected abroad, though perhaps later (probably years later but not decades later).
46 For example, a survey by the International Data Corporation indicated that the installed base of users for work-group applications (involving communications among physically separated users) is expected to grow at a rate of about 74 percent annually between 1993 and 1998. See Ann Palermo and Darby Johnson, Analysts, International Data Corporation, Workgroup Applications Software: Market Review and Forecast, 1993-1998, Framingham, Mass., 1993. It is true that a considerable amount of remote collaboration is done via e-mail without cryptographic protection, but work-group applications provide much higher degrees of functionality for collaboration because they are specifically designed for that purpose. As these applications become more sophisticated (e.g., as they begin to process large assemblies of entire documents rather than the short messages for which e-mail is best suited), the demand for higher degrees of protection is likely to increase.
A third issue in assessing the size of the market for cryptography is the extent to which judgments should be made on the basis of today's market conditions (which are known with a higher certainty) rather than markets that may be at risk tomorrow (which are known with a much lower degree of certainty).
The market for certain types of software tends to develop in a characteristic manner. In particular, the long-term success of infrastructure software (i.e., software that supports fundamental business operations such as operating systems or groupware) depends strongly on the product's market timing; once such software is integrated into the infrastructure of the installing organization, demands for backward-compatibility make it difficult for the organization to install any alternative.47 In other words, an existing software infrastructure inhibits technological change even if better software might be available. It is for this reason that in some software markets, major advantages accrue to the first provider of a reasonable product.
These pressures complicate life for government policy makers who would naturally prefer a more deliberate approach to policy making, because it is only during a small window of time that their decisions are relevant: the sooner they act, the better. The longer they wait, the higher will be the percentage of companies that have already made their technology choices, and these companies will face large changeover costs if policy decisions entail incompatible alternatives to their currently deployed infrastructure. If the initial choices of companies involve putting non-U.S. software in place, U.S. vendors fear that they will have lost huge future market opportunities.48
47 Many products require backward-compatibility for marketplace acceptance. Demands for backward-compatibility even affect products intended for operation in a stand-alone environment: an institution with 2 million spreadsheet files is unlikely to be willing to switch to a product that is incompatible with its existing database unless the product provides reasonable translation facilities for migrating to the new product. Network components are even harder to change, because stations on a network must interoperate. For example, most corporate networks have servers deployed with workstations that communicate with those servers. Any change to the software for the servers must not render it impossible for those workstations to work smoothly with the upgrade.
4.3.4 Inhibiting Vendor Responses to User Needs
In today's marketing environment, volume sales (licensing) to large corporate or government customers, rather than purchases by individuals, tend to drive sales of business software products.49 Since corporate customers have large leverage in the marketplace (because one purchasing decision can result in thousands of product sales to a single corporation), major software vendors are much more responsive to the needs of corporate users. Of particular relevance to the export control debate are three perceptions of corporate users:
• Corporate users do not see that different levels of encryption strength (as indicated, for example, by the key length of foreign and domestic versions of a product) provide differential advantages. Put differently, the market reality is that users perceive domestic-strength versions as the standard and liberally exportable versions of cryptography as weak, rather than seeing liberally exportable versions of cryptography as the standard and domestic-strength versions as stronger.
• Corporate users weigh all features of a product in deciding whether or not to buy it. Thus, the absence of a feature such as strong encryption that is desired but not easily available because of U.S. export controls counts as a distinct disadvantage for a U.S. product. Although other features may help to compensate for this deficiency, the deficiency may pose enough of a barrier to a product's acceptance abroad that sales are significantly reduced.
• Corporate users see cryptographic strength as an important parameter in their assessments of the information security that products offer. It is true that cryptography is only one dimension of information security, that export controls do not affect certain approaches to increasing overall information security, and that vendors often do not address these other approaches. But cryptography is a visible aspect of the information security problem, and vendors feel an obligation to respond to market perceptions even if these perceptions may not be fully justified by an underlying technical reality. Moreover, many of the information security measures that do not involve export controls are more difficult and costly than cryptography to implement, and so it is natural for vendors to focus their concerns on export controls on cryptography.
48 The deployment of Lotus Notes provides a good example. Lotus marketing data suggests fairly consistently that once Notes achieves a penetration of about 200 users in a given company, an explosion of demand follows, and growth occurs until Notes is deployed company-wide.
49 The Department of Commerce noted that "civil use of software-based encryption will significantly increase in the next five years, with corporate customers dominating this new marketplace." See Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption, released January 11, 1996, p. 111-2.
U.S. vendors that are unable to respond in a satisfactory manner to these perceptions have a natural disadvantage in competing against vendors that are able to respond.
4.4 THE IMPACT OF EXPORT CONTROLS ON U.S. ECONOMIC AND NATIONAL SECURITY INTERESTS
By affecting U.S. industries abroad that might use cryptography to protect their information interests and U.S. vendors of a critical technology (namely, information technology), export controls have a number of potentially negative effects on national security that policy makers must weigh against the positive effects of reducing the use of cryptography by hostile parties.
4.4.1 Direct Economic Harm to U.S. Businesses
While acknowledging the economic benefits to U.S. business from signals intelligence (as described in Chapter 3), the committee notes that protection of the information interests of U.S. industries is also a dimension of national security, especially when the threats emanate from foreign sources.
If the potential value of proprietary information is factored into the debate over export controls, it dominates all other figures of merit. A figure of $280 billion to $560 billion was placed by the Computer Systems Policy Project on the value of future revenue opportunities as the result of electronic distribution and commerce and future opportunities to reengineer business processes by 2000.50 Opponents of export controls on cryptography argue that if electronic channels and information systems are perceived to be vulnerable, businesses may well be discouraged from exploiting these opportunities, thereby placing enormous potential revenues at risk.
50 William F. Hagerty IV, The Growing Need for Cryptography: The Impact of Export Control Policy on U.S. Competitiveness, Study Highlights (viewgraphs), December 15, 1995.
On the other hand, it is essentially impossible to ascertain with any degree of confidence what fraction of proprietary information would be at risk in any practical sense if businesses did move to exploit these opportunities. Current estimates of industrial and economic espionage provide little guidance. The most authoritative publication on the subject to date, the Annual Report to Congress on Foreign Economic Collection and Industrial Espionage,51 noted that
[i]n today's world in which a country's power and stature are often measured by its economic/industrial capability, foreign government ministries, such as those dealing with finance and trade, and major industrial sectors are increasingly looked upon to play a more prominent role in their respective country's collection efforts.... An economic competitor steals a US company's proprietary business information or government trade strategies, [and] foreign companies and commercially oriented government ministries are the main beneficiaries of US economic information. The aggregate losses that can mount as a result of such efforts can reach billions of dollars per year, constituting a serious national security concern.
The report went on to say that "[t]here is no formal mechanism for determining the full qualitative and quantitative scope and impact of the loss of this targeted information. Industry victims have reported the loss of hundreds of millions of dollars, lost jobs, and lost market share."
Thus, even this report, backed by all of the counterintelligence efforts of the U.S. government, is unable to render a definitive estimate to within an order of magnitude. Of course, it may well be that these estimates of loss are low, because companies are reluctant to publicize occurrences of foreign economic and industrial espionage since such publicity can adversely affect stock values, customers' confidence, and ultimately competitiveness and market share, or also because clandestine theft of information may not be detected. Furthermore, because all business trends point to greater volumes of electronically stored and communicated information in the future, it is clear that the potential for information compromises will grow; the value of information that could be compromised through electronic channels is only going to increase.
51 National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, Washington, D.C., July 1995.
4.4.2 Damage to U.S. Leadership in Information Technology
The strength of the U.S. information technology industry has been taken as a given for the past few decades. But as knowledge and capital essential to the creation of a strong information technology industry become more available around the world, such strength can no longer be taken for granted.52 If and when foreign products become widely deployed and well integrated into the computing and communications infrastructure of foreign nations, even better versions of U.S. products will be unable to achieve significant market penetration. One example of such a phenomenon may be the growing interest in the United States in personal communications systems based on GSM, the European standard for digital cellular voice communications. Further, as the example of Microsoft vis-à-vis IBM in the 1980s demonstrated, industry dominance once lost is quite difficult to recover in rapidly changing fields.
52 Obviously, it is impossible to predict with certainty whether export controls will stimulate the growth of significant foreign competition for U.S. information technology vendors. But the historical evidence suggests some reason for concern. For example, a 1991 report (National Research Council, Finding Common Ground: U.S. Export Controls in a Changed Global Environment, National Academy Press, Washington, D.C., 1991) found that "unilateral embargoes on exports [of technologies for commercial aircraft and jet engines] to numerous countries not only make sales impossible but actually encourage foreign competitors to develop relationships with the airlines of the embargoed countries. By the time the U.S. controls are lifted, those foreign competitors may have established a competitive advantage" (p. 22). The same report also found that for computer technology, "marginal supplier disadvantages can lead to significant losses in market position, and it is just such marginal disadvantages that can be introduced by export controls" (p. 23). An earlier study (Charles Ferguson, "High Technology Product Life Cycles, Export Controls, and International Markets," in Working Papers of the National Research Council report Balancing the National Interest, U.S. National Security Export Controls and Global Economic Competition, National Academy Press, Washington, D.C., 1987) pointed out that the emergence of strong foreign competition in a number of high-technology areas appeared in close temporal proximity to the enforcement of strong export controls in these areas for U.S. vendors. While the correlation does not prove that export controls necessarily influenced or stimulated the growth of foreign competition, the history suggests that they may have had some causal relationship. In the financial arena (not subject to export controls), U.S. financial controls associated with the Trading-with-the-Enemy Act may have led to the rise of the Eurodollar market, a set of foreign financial institutions, markets, and instruments that eroded the monopoly held on dollar-denominated instruments and dollar-dominated institutions by U.S. firms.
The likelihood of foreign competition being stimulated for cryptography may be larger than suggested by some of these examples, because at least in the software domain, product development and distribution are less capital intensive than in traditional manufacturing industries; lower capital intensiveness would mean that competitors would be more likely to emerge.
Finally, while it is true that some foreign nations also impose export controls on cryptography, those controls tend to be less stringent than those of the United States, as discussed in Appendix G. In particular, it is more difficult to export encryption from the United States to the United Kingdom than the reverse, and the U.S. market is an important market for foreign vendors. Further, it takes only one nation with weak or nonexistent controls to spawn a competitor in an industry such as software.
The development of foreign competitors in the information technology industry could have a number of disadvantageous consequences from the standpoint of U.S. national security interests:
• Foreign vendors, by assumption, will be more responsive to their own national governments than to the U.S. government. To the extent that foreign governments pursue objectives involving cryptography that are different from those of the United States, U.S. interests may be adversely affected. Specifically, foreign vendors could be influenced by their governments to offer for sale to U.S. firms products with weak or poorly implemented cryptography. If these vendors were to gain significant market share, the information security of U.S. firms could be adversely affected. Furthermore, the United States is likely to have less influence and control over shipments of products with encryption capabilities between foreign nations than it has over similar U.S. products that might be shipped abroad; indeed, many foreign nations are perfectly willing to ship products (e.g., missile parts, nuclear reactor technology) to certain nations in contravention to U.S. or even their own interests. In the long run, the United States may have even less control over the products with encryption capabilities that wind up on the market than it would have if it promulgated a more moderate export control regime.
• Detailed information about the workings of foreign products with encryption capabilities is much less likely to be available to the U.S. government than comparable information about similar U.S. products that are exported. Indeed, as part of the export control administration process, U.S. products with encryption capabilities intended for export are examined thoroughly by the U.S. government; as a result, large amounts of information about U.S. products with encryption capabilities are available to it.53
Export controls on cryptography are not the only factor influencing the future position of U.S. information technology vendors in the world market. Yet, the committee believes that these controls do pose a risk to their future position that cannot be ignored, and that relaxation of controls will help to ensure that U.S. vendors are able to compete with foreign vendors on a more equal footing.
53 For example, U.S. vendors are more likely than foreign vendors to reveal the source code of a program to the U.S. government (for purposes of obtaining export licenses). While it is true that the object code of a software product can be decompiled, decompiled object code is always much more difficult to understand than the original source code that corresponds to it.
4.5 THE MISMATCH BETWEEN THE PERCEPTIONS OF GOVERNMENT/NATIONAL SECURITY AND THOSE OF VENDORS
As the committee proceeded in its study, it observed what can only be called a disconnect between the perceptions of the national security authorities that administer the export control regulations on cryptography and the vendors that are affected by it. This disconnect was apparent in a number of areas:
• National security authorities asserted that export controls did not injure the interests of U.S. vendors in the foreign sales of products with encryption capabilities. U.S. vendors asserted that export controls had a significant negative effect on their foreign sales.
• National security authorities asserted that nearly all export license applications for a product with encryption capabilities are approved. Vendors told the committee that they refrained from submitting products for approval because they had been told on the basis of preliminary discussions that their products would not be approved for export.
• National security authorities presented data showing that the turnaround time for license decisions had been dramatically shortened (to a matter of days or a few weeks at most). Vendors noted that these data took into account only the time from the date of formal submission of an application to the date of decision, and did not take into account the much greater length of time required to negotiate product changes that would be necessary to receive approval. (See Section 4.3.2 for more discussion.)
• National security authorities asserted that they wished to promote good information security for U.S. companies, pointing out the current practice described in Section 4.1.2 that presumes the granting of USML licenses for stronger cryptography to U.S.-controlled companies and banking and financial institutions. Vendors pointed to actions taken by these authorities to weaken the cryptographic security available for use abroad, even in business ventures in which U.S. firms had substantial interests. Potential users often told the committee that even under presumptive approval, licenses were not forthcoming, and that for practical purposes, these noncodified categories were not useful.
• National security authorities asserted that they took into account foreign competition and the supply of products with encryption capabilities when making decisions on export licenses for U.S. products with encryption capabilities. Vendors repeatedly pointed to a substantial supply of foreign products with encryption capabilities.
• National security authorities asserted that they wished to maintain the worldwide strength and position of the U.S. information technology industry. Vendors argued that when they are prevented from exploiting their strengths (such as being the first to develop integrated products with strong encryption capabilities), their advantages are in fact being eroded.
The committee believes that to some extent these differences can be explained as the result of rhetoric by parties intending to score points in a political debate. But the differences are not merely superficial; they reflect significantly different institutional perspectives. For example, when national security authorities "take into account foreign supplies of cryptography," they focus naturally on what is available at the time the decision is being made. On the other hand, vendors are naturally concerned about incorporating features that will give their products a competitive edge, even if no exactly comparable foreign products with cryptography are available at the moment. Thus, different parties focus on different areas of concern: national security authorities on the capabilities available today, and vendors on the capabilities that might well be available tomorrow.
NSA perceptions of vendors and users of cryptography may well be clouded by an unwillingness to speak publicly about the full extent of vendor and user unhappiness with the current state of affairs. National security authorities asserted that their working relationships with vendors of products with encryption capabilities are relatively harmonious. Vendors contended that since they are effectively at the mercy of the export control regulators, they have considerable incentive to suppress any public expression of dissatisfaction with the current process. A lack (or small degree) of vendor outcry against the cryptography export control regime cannot be taken as vendor support for it. More specifically, the committee received input from a number of private firms on the explicit condition of confidentiality. For example:
• Companies with interests in cryptography affected by export control were reluctant to express fully their dissatisfaction with the current rules governing export of products with encryption capabilities or how these rules were actually implemented in practice. They were concerned that any explicit connection between critical comments and their company might result in unfavorable treatment of a future application for an export license for one of their products.
• Companies that had significant dealings with the Department of Defense (DOD) were reluctant to express fully their unhappiness with policy that strongly promoted classified encryption algorithms and government-controlled key-escrow schemes. These companies were concerned that expressing their unhappiness fully might result in unfavorable treatment in competing for future DOD business.
Many companies have expressed dissatisfaction publicly, although a very small number of firms did express to the committee their relative comfort with the way in which the current export control regime is managed. The committee did not conduct a systematic survey of all firms affected by export regulations, and it is impossible to infer the position of a company that has not provided input on the matter.54
4.6 EXPORT OF TECHNICAL DATA
The rules regarding "technical data" are particularly difficult to understand. A cryptographic algorithm (if described in a manner that is not machine-executable) is counted as technical data, whereas the same algorithm if described in machine-readable form (i.e., source or object code) counts as a product. Legally, the ITAR regulate products with encryption capabilities differently than technical data related to cryptography, although the differences are relatively small in nature. For example, technical data related to cryptography enjoys an explicit exemption when distributed to U.S.-controlled foreign companies, whereas products with encryption capabilities are in principle subject to a case-by-case review in such instances (although in practice, licenses for products with encryption capabilities under such circumstances are routinely granted).
Private citizens, academic institutions, and vendors are often unclear about the legality of actions such as:
• Discussing cryptography with a foreign citizen in the room;
• Giving away software with encryption capabilities over the Internet (see Section 4.8);
• Shipping products with encryption capabilities to a foreign company within the United States that is controlled but not owned by a U.S. company;
• Selling a U.S. company that makes products with strong encryption capabilities to a foreign company;
• Selling products with encryption capabilities to foreign citizens on U.S. soil;
• Teaching a course on cryptography that involves foreign graduate students;
• Allowing foreign citizens residing in the United States to work on the source code of a product that uses embedded cryptography.55
54 The Department of Commerce study is the most systematic attempt to date to solicit vendors' input on how they have been affected by export controls, and the solicitation received a much smaller response than expected. See Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption, released January 11, 1996.
Box 4.10 provides excerpts from the only document known to the committee that describes the U.S. government explanation of the regulations on technical data related to cryptography. In practice, these and other similar issues regarding technical data do not generally pose problems because these laws are for the most part difficult to enforce and in fact are not generally enforced. Nevertheless, the vagueness and broad nature of the regulations may well put people in jeopardy unknowingly.56
55 For example, one vendor argues that because foreign citizens hired by U.S. companies bring noncontrolled knowledge back to their home countries anyway, the export control regulations on technical data make little sense as a technique for limiting the spread of knowledge. In addition, other vendors note that in practice the export control regulations on technical data have a much more severe impact on the employees that they may hire than on academia, which is protected at least to some extent by presumptions of academic freedom.
56 A suit filed in February 1995 seeks to bar the government from restricting publication of cryptographic documents and software through the use of the export control laws. The plaintiff in the suit is Dan Bernstein, a graduate student in mathematics at the University of California at Berkeley. Bernstein developed an encryption algorithm that he wishes to publish and to implement in a computer program intended for distribution, and he wants to discuss the algorithm and program at open, public meetings. Under the current export control laws, any individual or company that exports unlicensed encryption software may be in violation of the export control laws that forbid the unlicensed export of defense articles, and any individual who discusses the mathematics of cryptographic algorithms may be in violation of the export control laws that forbid the unlicensed export of "technical data." The lawsuit argues that the export control scheme as applied to encryption software is an "impermissible prior restraint on speech, in violation of the First Amendment" and that the current export control laws are vague and overbroad in denying people the right to speak about and publish information about cryptography freely. A decision by the Northern District Court of California on April 15, 1996, by Judge Marilyn Patel, denied the government's motion to dismiss this suit, and found that for the purposes of First Amendment analysis, source code should be treated as speech. The outcome of this suit is unknown at the time of this writing (spring 1996). The full text of this decision and other related documents can be found at http://www.eff.org/pub/Legal/Cases/BernsteinDoS/Legal.
The constitutionality of export controls on technical data has not been determined by the U.S. Supreme Court. A ruling by the U.S. Ninth Circuit Court of Appeals held that the ITAR, when construed as "prohibiting only the exportation of technical data significantly and directly related to specific articles on the Munitions List, do not interfere with constitutionally protected speech, are not overbroad and the licensing provisions of the Act are not an unconstitutional prior restraint on speech." (See 579 F.2d 516, U.S. vs. Edler, U.S. Court of Appeals, Ninth Circuit, July 31, 1978.) Another suit filed by Philip Karn directly challenging the constitutionality of the ITAR was dismissed by the U.S. District Court for the District of Columbia on March 22, 1996. The issue at hand was the fact that Karn had been denied CCL jurisdiction for a set of floppy diskettes containing source code for cryptographic confidentiality identical to that contained in Bruce Schneier's book Applied Cryptography (which the State Department had determined was not subject to cryptographic export controls of any kind). (See http://www.qualcomm.com/people/pkarn/export/index.html for the running story (Karn is appealing this decision); this Web page also contains the District Court's opinion on this lawsuit.) Some scholars argue to the contrary that export controls on technical data may indeed present First Amendment problems, especially if these controls are construed in such a way that they inhibit academic discussions of cryptography with foreign nationals or prevent academic conferences on cryptography held in the United States from inviting foreign nationals. See, for example, Allen M. Shinn, Jr., "First Amendment and Export Laws: Free Speech on Scientific and Technical Matters," George Washington Law Review, January 1990, pp. 368-403; and Kenneth J. Pierce, "Public Cryptography, Arms Export Controls, and the First Amendment: A Need for Legislation," Cornell International Law Journal, Volume 17(19), 1984, pp. 197-237.
"Cryptologic technical data . . . refers . . . only [to] such information as is designed or intended to be used, or which reasonably could be expected to be given direct application, in the design, production, manufacture, repair, overhaul, processing, engineering, development, operation, maintenance or reconstruction of items in such categories. This interpretation includes, in addition to engineering and design data, information designed or reasonably expected to be used to make such equipment more effective, such as encoding or enciphering techniques and systems, and communications or signal security techniques and guidelines, as well as other cryptographic and cryptanalytic methods and procedures. It does not include general mathematical, engineering or statistical information, not purporting to have or reasonably expected to be given direct application to equipment in such categories. It does not include basic theoretical research data. It does, however, include algorithms and other procedures purporting to have advanced cryptologic application.
"The public is reminded that professional and academic presentations and informal discussions, as well as demonstrations of equipment, constituting disclosure of cryptologic technical data to foreign nationals are prohibited without the prior approval of this office. Approval is not required for publication of data within the United States as described in Section 125.11(a)(1). Footnote 3 to section 125.11 does not establish a prepublication review requirement.
"The interpretation set forth in this newsletter should exclude from the licensing provisions of the ITAR most basic scientific data and other theoretical research information, except for information intended or reasonably expected to have a direct cryptologic application. Because of concerns expressed to this office that licensing procedures for proposed disclosures of cryptologic technical data contained in professional and academic papers and oral presentations could cause burdensome delays in exchanges with foreign scientists, this office will expedite consideration as to the application of ITAR to such disclosures. If requested, we will, on an expedited basis provide an opinion as to whether any proposed disclosure, for other than commercial purposes, of information relevant to cryptology, would require licensing under the ITAR."
SOURCE: Office of Munitions Control, Department of State, "Cryptography/Technical Data," in Munitions Control Newsletter, Number 80, February 1980. (The Office of Munitions Control is now the Office of Defense Trade Controls.)
4.7 FOREIGN POLICY CONSIDERATIONS
A common perception within the vendor community is that the National Security Agency is the sole "power behind the scenes" for enforcing the export control regime for cryptography. While NSA is indeed responsible for making judgments about the national security impact of exporting products with encryption capabilities, it is by no means the only player in the export license application process.
The Department of State plays a role in the export control process that is quite important. For example, makers of foreign policy in the U.S. government use economic sanctions as a tool for expressing U.S. concern and displeasure with the actions of other nations; such sanctions most often involve trade embargoes of various types. Violations of human rights by a particular nation, for example, represent a common issue that can trigger a move for sanctions. Such sanctions are sometimes based on presidential determinations (e.g., that the human rights record of country X is not acceptable to the United States) undertaken in accordance with law; in other cases, sanctions against specific nations are determined directly by congressional legislation; in still other cases, sanctions are based entirely on the discretionary authority of the President.
The imposition of sanctions is often the result of congressional action that drastically limits the discretionary authority of the State Department. In such a context, U.S. munitions or articles of war destined for particular offending nations (or to the companies in such nations) are the most politically sensitive, and in practice the items on the USML are the ones most likely to be denied to the offending nations. In all such cases, the State Department must determine whether a particular item on the USML should or should not qualify for a USML license. A specific example of such an action given to the committee in testimony involved the export of cryptography by a U.S. bank for use in a branch located in the People's Republic of China. Because of China's human rights record, the Department of State delayed the export, and the contract was lost to a Swiss firm. The sale of cryptographic tools that are intended to protect the interests of a U.S. company operating in a foreign nation was subject to a foreign policy stance that regarded such a sale as equivalent to supplying munitions to that nation.
Thus, even when NSA has been willing to grant an export license for a given cryptography product, the State Department has sometimes denied a license because cryptography is on the USML. In such cases, NSA takes the blame for a negative decision, even when it had nothing to do with it.
Critics of the present export control regime have made the argument that cryptography, as an item on the USML that is truly dual-use, should not necessarily be included in such sanctions. Such an argument has some intellectual merit, but under current regulations it is impossible to separate cryptography from the other items on the USML.
4.8 TECHNOLOGY-POLICY MISMATCHES
Two cases are often cited in the cryptography community as examples of the mismatch between the current export control regime and the current state of cryptographic technology (Box 4.11). Moreover, they are often used as evidence that the government is harassing innocent, law-abiding citizens.
Taken by themselves and viewed from the outside, both of the cases outlined in Box 4.11 suggest an approach to national security with evident weaknesses. In the first instance, accepting the premise that programs for cryptography cannot appear on the Internet because a foreigner might download them seems to challenge directly the use of the Internet as a forum for exchanging information freely even within the United States. Under such logic (claim the critics), international telephone calls would also have to be shut down because a U.S. person might discuss cryptography with a foreign national on the telephone. In the second instance, the information contained in the book (exportable) is identical to that on the disk (not exportable). Since it is the information about cryptography that is technically at issue (the export control regulations make no mention of the medium in which that information is represented), it is hard to see why one would be exportable and the other not.
On the other hand, taking the basic assumptions of the national security perspective as a given, the decisions have a certain logic that is not only the logic of selective prosecution or enforcement.
• In the case of Zimmermann, the real national security issue is not the program itself, but rather the fact that a significant PGP user base may be developing. Two copies of a good encryption program distributed abroad pose no plausible threat to national security. But 20 million copies might well pose a threat. The export control regulations as written do not mention potential or actual size of the user base, and so the only remaining leverage for the U.S. government is the broad language that brings cryptography under the export control laws.
• In the case of Schneier, the real national security issue relates to the nature of any scheme intended to deny capabilities to an adversary. Typing the book's source code into the computer is an additional step that an adversary must take to implement a cryptography program and a step at which an adversary could make additional errors. No approach to denial can depend on a single "silver bullet"; instead, denial rests on the erection of multiple barriers, all of which taken together are expected to result in at least a partial denial of a certain capability. Moreover, if one begins from the premise that export controls on software encryption represent appropriate national policy, it is clear that allowing the export of the source code to Schneier's book would set a precedent that would make it very difficult to deny permission for the export of other similar software products with encryption capabilities. Finally, the decision is consistent with a history of commodity jurisdiction decisions that generally maintain USML controls on the source code of a product whose object code implementation of confidentiality has been granted commodity jurisdiction to the CCL.
The Zimmermann PGP Case
Philip Zimmermann is the author of a software program known as PGP (for Pretty Good Privacy). PGP is a program that is used to encrypt mail messages end-to-end based on public-key cryptography. Most importantly, PGP includes a system for key management that enables two users who have never interacted to communicate securely based on a set of trusted intermediaries that certify the validity of a given public key. Across the Internet, PGP is one of the most widely used systems for secure e-mail communication.
Zimmermann developed PGP as a "freeware" program to be distributed via diskette. Another party subsequently posted PGP to a USENET newsgroup.1 (A commercial version licensed from but not supplied by Zimmermann has since emerged.) In 1993, it was determined that Zimmermann was the target of a criminal investigation probing possible violations of the export control laws.2 Zimmermann was careful to state that PGP was not to be used or downloaded outside the United States, but of course international connections to the Internet made for easy access to copies of PGP located within the United States. In January 1996, the U.S. Department of Justice closed its investigation of Zimmermann without filing charges against him.3
The Bruce Schneier-Applied Cryptography Case
Bruce Schneier wrote a book called Applied Cryptography4 that was well received in the cryptography community. It was also regarded as useful in a practical sense because it contained printed on its pages source code that could be entered into a computer and compiled into a working cryptography program. In addition, when distributed within the United States, the book contained a floppy disk that contained source code identical to the code found in the book. However, when another party (Philip Karn) requested a ruling on the exportability of the book, he (Karn) received permission to export the book but not the disk. This decision has been greeted with considerable derision in the academic cryptography community, with comments such as "They think that terrorists can't type?" expressing the general dismay of the community.
1 A USENET newsgroup is in effect a mailing list to which individuals around the world may subscribe. Posting is thus an act of transmission to all list members.
2 John Schwartz, "Privacy Program: An On-Line Weapon?," Washington Post, April 3, 1995, p. A1.
3 Elizabeth Corcoran, "U.S. Closes Investigation in Computer Privacy Case," Washington Post, January 12, 1996, p. A11.
4 Bruce Schneier, Applied Cryptography, John Wiley & Sons, New York, 1994.
These comments are not intended to excoriate or defend the national security analysis of these cases. But the controversy over these cases does suggest quite strongly that the traditional national security paradigm of export controls on cryptography (one that is biased toward denial rather than approval) is stretched greatly by current technology. Put differently, when the export control regime is pushed to an extreme, it appears to be manifestly ridiculous.
Current export controls on products with encryption capabilities are a compromise between (1) the needs of national security to conduct signals intelligence and (2) the needs of U.S. and foreign businesses operating abroad to protect information and the needs of U.S. information technology vendors to remain competitive in markets involving products with encryption capabilities that might meet these needs. These controls have helped to delay the spread of strong cryptographic capabilities and the use of those capabilities throughout the world, to impede the development of standards for cryptography that would facilitate such a spread, and to give the U.S. government a tool for monitoring and influencing the commercial development of cryptography. Export controls have clearly been effective in limiting the foreign availability of products with strong encryption capabilities made by U.S. manufacturers, although enforcement of export controls on certain products with encryption capabilities appears to have created many public relations difficulties for the U.S. government, and circumventions of the current regulations appear possible. The dollar cost of limiting the availability of cryptography abroad is hard to estimate with any kind of confidence, since even the definition of what counts as a cost is quite fuzzy. At the same time, a floor of a few hundred million dollars per year for the market affected by export controls on encryption seems plausible, and all indications are that this figure will only grow in the future.
A second consideration is the possibility that export controls on products with encryption capabilities may well have a negative impact on U.S. national security interests by stimulating the growth of important foreign competitors over which the U.S. government has less influence, and possibly by damaging U.S. competitive advantages in the use and development of information technology. In addition, the export control regime is clouded by uncertainty from the vendor standpoint, and there is a profound mismatch between the perceptions of government/national security and those of vendors on the impact of the export control regime. Moreover, even when a given product with encryption capabilities may be acceptable for export on national security grounds, nonnational security considerations may play a role in licensing decisions.
Partly in response to expressed concerns about export controls, the export regime has been gradually loosened since 1983. This relaxation raises the obvious question of how much farther and in what directions such loosening could go without significant damage to national security interests. This subject is addressed in Chapter 7.