NSCP, PRZ Hit NRC Crypto Rec
Netscape (WSJ) and PRZ (Globe) say the NRC crypto
export recommendations don't go far enough.
----------
Wall Street Journal, May 31, 1996, p. B5.
U.S. Strategy Should Promote Computer Codes
Panel Says a Free Market Is Best Policy, Urges Easing of
Export Curbs
By John J. Fialka
Washington -- The federal government should promote rather
than discourage widespread commercial use of powerful codes
that can protect electronic communications, a panel
sponsored by the National Research Council recommended.
The government also should relax its export controls on
such codes, according to the 16-member panel, which
included a mix of business, academic and government
experts. The NRC is an affiliate of the National Academy of
Sciences, a private, nonprofit organization that advises
the government on scientific matters.
Encryption coding software scrambles computer data by using
mathematical formulas that can't be read if intercepted.
Only personnel with the correct "keys" can access the data.
More Study Needed
The NRC study, which took 18 months to complete, calls for
greater trust in free-market demands for protection and less
reliance on the U.S. National Security Agency and the
Federal Bureau of Investigation to set the nation's code
policy. It said the two agencies' recent promotion of
"escrowed encryption," in which the government would hold
a mathematical key to unlock codes, requires further study
because it poses liability risks and introduces weakness
into information protection systems.
Kenneth W. Dam, a University of Chicago law professor who
headed the panel, said changes are needed to counter "an
explosion of computer-based crime" and other forms of
espionage that threaten U.S. companies' ability to protect
proprietary information, especially overseas.
By promoting the use of more-elaborate codes, U.S.
law-enforcement agencies would be better prepared to ward
off hacker or terrorist attacks on the nation's electric
power grid, banking and telecommunications systems and its
air-traffic control networks, he added.
Potential Problems
Mr. Dam said the widespread use of encryption by private
business is "inevitable" and the government must "recognize
this changing reality."
The report noted that the FBI has argued for years that its
law-enforcement efforts would be hampered if drug cartels
and other organized criminals began using codes that
couldn't be deciphered. Court-ordered wiretaps, a major tool
used to break organized-crime cases, could become useless,
the FBI has contended.
Edward Schmults, general counsel for GTE Corp. and a former
deputy attorney general during the Reagan administration,
said he and other panel members believe the FBI and other
law-enforcement agencies would be helped more than hurt if
legitimate businesses were better protected. "It's a
balancing issue," he said.
Spokesmen for the FBI and NSA referred questions to the
White House, where an official said the Clinton
administration disagrees with the panel's recommendation to
relax export controls and wants to continue to explore the
use of escrows by private industry to keep the keys to
powerful codes. "We have equities to protect that the
people who wrote the NRC report do not," he said.
The administration, he said, still wants to review the
export of more powerful codes on a case-by-case basis. The
use of private, third-party escrows, he said, might be one
way to protect the secrecy of companies while allowing
federal agents with court orders access to code keys.
New Markets Would Open
The panel called for the U.S. to permit the export of codes
containing a "56-bit" Data Encryption Standard algorithm.
The algorithm, or formula, was developed by the National
Bureau of Standards in 1975 and is 65,000 times tougher to
break than current "40-bit" codes that are permitted for
unlicensed exports.
The panel estimated its recommendations would open up new
markets for information security products, possibly
increasing software-industry revenue "many tens of billions
of dollars." Until now, export controls tended to set
industry standards for a level of protection because
companies were reluctant to use different systems for
domestic and international applications.
Jeffrey Treuhaft, director of security at Internet software
giant Netscape Communications Corp., welcomed the report,
but said exports shouldn't be limited to 56-bit keys. That
would still blunt the competitive edge of U.S. software
vendors, given that code-cracking computer power is
multiplying, he said.
"The U.S. has a lead right now and these arcane policies
from the Cold War are giving U.S. industry cement shoes to
compete with foreign competitors," Mr. Treuhaft said. "We
can't run as fast as they can."
- Jared Sandberg in New York contributed to this article.
[End]
----------
The Boston Globe, May 31, 1996, p. 36
Panel criticizes US government's encryption stand
'Net, cell phone security at stake, National Research
Center says
By Hiawatha Bray
The Clinton administration's efforts to limit the sale of
software that generates coded messages, already under fire from
Congress and civil libertarians, are now facing criticism
from a committee of the National Academy of Sciences.
The National Research Center, which gives science and
technology advice under a congressional charter, yesterday
said the government should promote the commercial use of
encryption software to help cut down on the theft of
computer data and other electronic communications.
Law enforcement officials and intelligence agencies are
worried about the development of cheap encryption programs,
for fear it could become impossible to intercept a
mobster's telephone call or read an enemy spy's electronic
mail messages.
But the center's report says that encryption software is
essential for businesses and individuals who need to
transmit confidential data using the Internet or cellular
telephones.
"On balance, the advantages of more widespread use of
cryptography outweigh the disadvantages," the report says.
Encrypted messages can easily be read by someone with the
correct code "key." Without this key, it can take centuries
of computer analysis to decode a message. The longer the
key, the tougher it is to break the code.
Under current federal law, US companies cannot export
encryption programs that use keys longer than 40 bits.
Computer experts say that 40-bit encryption systems are
easy to break, and provide little security.
As a result, many software companies that sell their
products worldwide do not build in sophisticated encryption
features. Industry experts say that this costs them
millions of dollars in sales, as customers in foreign
countries buy encryption software made outside the United
States.
The report urges a change in the federal law, to allow sale
of an encryption system called DES that uses 56-bit keys.
"Except in some very specialized situations, it gives
adequate security," said council chairman Kenneth Dam, a
law professor at the University of Chicago.
The report also urges the administration to abandon efforts
to force businesses and individuals to use "key escrowed"
encryption software. Under this plan, companies could use
encryption keys of any length, but only if the keys were
held in escrow, and could be made available to the
government.
The council urges the federal government to adopt key
escrow to prove that the system is trustworthy. The report
argues that many businesses will voluntarily adopt such a
plan to guard against the loss of their encryption keys.
A prominent critic of encryption policy was less than
thrilled by the council report. "It doesn't go far enough,"
said Philip Zimmermann, inventor of the Pretty Good Privacy
encryption program.
Zimmermann scoffed at the idea that DES encryption is
secure enough for use by businesses. "It can be broken in
seconds by the NSA [National Security Agency]," Zimmermann
said. "All major governments can break DES. In fact, any
Fortune 500 company can afford a machine that can break
DES."
But even if DES were secure enough, Zimmermann said he
opposes any restrictions on the export of encryption
software.
[End]