[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
NYT on NRC Report
The New York Times, May 31, 1996, p. D2.
White House Challenged on Data Security
By John Markoff
The United States Government should immediately relax
export controls on electronic data coding products and
allow the computer, software and telecommunications
industries to set data security standards, a new report
urged yesterday.
The report, commissioned by Congress and prepared for the
National Research Council of the National Academy of
Sciences, stands in direct opposition to existing Clinton
Administration proposals for data security standards and
for linking the relaxation of export controls to the
adoption of such standards. The report calls for the
widespread commercial adoption of technologies used to
prevent illegal wiretapping of computer data, telephone,
cellular and other wireless communications. The National
Research Council provides science and technology advice
under a Congressional charter.
The report also states that despite creating potential
problems for law enforcement agencies by making it easier
for criminals to shield their communications from
Government wiretappers, cryptography would also help
prevent crime by sheltering communications and electronic
transactions from the prying eyes of electronic
interlopers.
"Without information security, computer crime in this
country will rise very rapidly," said Kenneth W. Dam, the
chairman of the panel that prepared the report. Mr. Dam,
Deputy Secretary of State during the Reagan Administration,
is also professor of American and foreign law at the
University of Chicago.
The report, industry executives said, is likely to become
a key weapon in the battle between the Federal Government
and industry and civil liberties groups.
"It echoes things we have been saying for some time," said
Jim Bidzos, chief executive of RSA Data Security Inc., a
developer of computer security software. "The next
battleground is going to be Capitol Hill because the
Administration isn't going to give up easily."
In particular, the report takes issue with Administration
efforts to force the use of data-scrambling systems using
"escrowed" keys that would let law enforcement and
intelligence agencies use built-in backdoors to read coded
information.
Cryptography, once used only by spies and the military, has
become an increasingly vital technology for insuring
security in electronic commerce and personal privacy. It
relies on the use of mathematical formulas to scramble
electronic information so that it cannot be read without
the proper digital "key."
Key escrow systems like those proposed by the
Administration in its Clipper chip program would split the
key and have trusted third parties like the Treasury
Department hold parts of it, making it possible for law
enforcement agencies to generate keys without consulting
the sources of the data.
As recently as two weeks ago, the Administration was
pushing for key escrow coding approaches to data
scrambling. A draft White.House policy paper has proposed
linking relaxation of export controls to systems that
included key escrowing. The recent paper also indicated
that the Government was willing to accept "self-escrow"
systems for some large corporations that would allow them
to to hold all parts of the keys.
Critics of key escrow management technology note that it
can be abused by agencies that wish to exceed their
surveillance authority and that the technology is
vulnerable to a single point of failure. If a so-called
master key is stolen, they say, the entire coding system
can be compromised.
Because strong cryptography would complicate the mission of
United States intelligence agencies, the Federal Government
currently places tight controls on the export of software
and hardware that offer stronger cryptographic protection
than 40-bit keys. Such keys are made up of a binary number
that is 40 digits long. Computer experts have shown that
40-bit keys are vulnerable to attacks.
The report released yesterday, "Cryptography's Role in
Securing the Information Society," calls for dropping stiff
export controls on products that use the Data Encryption
Standard, which relies on a 56-bit key and offers stronger
protection against computerized attacks than a 40-bit key.
[End]