Newsweek on Crypto
Newsweek, June 10, 1996, pp. 49-55.
Scared Bitless
The arcane world of cryptography used to be the
exclusive realm of spies. Now it's everybody's business
-- to the chagrin of the government.
By Steven Levy
[Photo] Loosen up: Sen. Conrad Burns says the United
States should ease the export rules on crypto software
On the face of it, the issue of cryptography -- the
technology that employs secret codes to protect information
-- seems more suited to math class than "The McLaughlin
Group." Yet this once esoteric subject has wound up in the
center of a Beltway controversy, complete with
congressional infighting, lobbyists, entrenched government
agencies, blue-ribbon reports and even a bit of
presidential politics. This sudden spotlight on what was
previously the domain of deep-black spy stuff turns out to
be a good thing, because in the Information Age crypto
policy is more than an abstraction: it could provide the
difference between security and vulnerability, or even
between life and death. Unfortunately, choosing the right
policy is not a given, and there the controversy lies.
Here's the problem: we're increasingly entrusting
information to computers -- everything from confidential
medical records to business plans to money itself. But how
can we provide security so that these data will be
protected from eavesdroppers, thieves and saboteurs? The
answer hinges on cryptography. By scrambling the
information into digital codes, it allows only those
entrusted with the keys to decipher those files to see
them. Some hot-shot cryptographers have developed systems
that can provide all of us with unprecedented security,
automatically coding and decoding in such a way that we
won't have to know it's there. (We can even have our phone
calls encoded -- something Prince Charles might have
appreciated.) Silicon Valley would love to set such a
system in motion. It not only would generate revenues, but
would also address the main problem that's keeping the
Internet from fulfilling its potential as a center of
commerce: security.
Problem solved? Not quite. Law-enforcement and
national-security agencies view this prospect with dread.
Legal eavesdroppers, like FBI wiretappers and National
Security Agency snoopers, couldn't make sense of
intercepted transmissions. They warn that we could miss
indications of a terrorist act, like a nuke smuggled into
Manhattan. In addition, drug dealers, child pornographers
and garden-variety thugs could mask their activities with
a mere mouse click.
Even before the Clinton administration took office, the NSA
and FBI presented those nightmare scenarios to the
transition team. The Clintonites were scared bitless. They
vowed to make sure that the worst didn't happen. They
understood that cryptography should be put to general use
-- but only if it were altered in such a way that the
government could, if necessary, get access to secret
messages, using a new technology known as "key escrow." The
best-known of those schemes was the ill-fated Clipper Chip,
and subsequent systems haven't caught on. (Yet another was
presented two weeks ago.) Until then they would maintain
the strict export controls that treat crypto software as
powerful munitions. That's right -- Uncle Sam regards that
copy of Netscape you downloaded as sort of a Stinger
missile.
But now the government position of slowing down the flow of
crypto is under increasing attack. Software companies
complain that regulations cost them money and hold down
innovation. Privacy groups complain that the controls reek
of Orwell's "1984." Congress is demanding changes. Bob Dole
wants to make it an issue. And on Thursday came what Sen.
Conrad Burns, a Montana Republican, called "the nail in the
coffin" of the Clinton crypto policy: a report by the
National Research Council that clearly rebukes the
administration's position. Despite the Clinton-Gore attempt
to protect us against the abuse of cryptography, says the
Congress-commissioned report, our safety is at risk --
because the lack of cryptography has weakened our security.
Under particular attack are the regulations that limit the
strength of exported software like IBM's Lotus Notes,
mostly by mandating that the keys that encode and decipher
the information not exceed 40 bits (the longer the key, the
stronger the protection). Often, domestic users have to
settle for this crippled crypto: since software companies
are loath to release two versions of their products, they
simply choose to offer the weaker, approved-for-export
version.
Meanwhile, foreign companies have no such restrictions, and
U.S. companies maintain they are losing sales. Congress has
taken up their case; bills introduced by Sen. Patrick
Leahy, Rep. Bob Goodlatte and Burns all would relax the
export rules. "These bills are pro-privacy, pro-jobs and
pro-business," says Leahy. While prospects for passage are
slim, the fact that a sizable number of legislators are
defying intelligence and law-enforcement agencies is itself
significant.
Crypto policy is even finding its way into the presidential
campaign. On a visit to Silicon Valley, Bob Dole was
alerted to the problem by Netscape CEO Jim Barksdale. He
also saw a chance to chip away at Clinton's support in the
high-tech world. Dole not only cosponsored the Senate bills
but issued a neo-cypherpunk statement charging that "the
administration's big brother proposal will literally
destroy America's computer industry."
The NRC report, entitled "Cryptography's Role in Securing
the Information Society," stands as the most serious
challenge to current policy. It is drenched in credibility:
its 16 authors include former attorney general Benjamin
Civiletti, onetime NSA deputy director Ann Caracristi,
privacy expert Willis Ware and cryptographer Martin
Hellman. The panel was briefed by all sides of the issue,
including some classified sessions with government
officials. Despite the group's diversity, it reached
consensus: "Widespread commercial and private use of
cryptography is inevitable in the long run and ... its
advantages, on balance, outweigh its disadvantages."
The NRC made some specific recommendations. The government
should stop building a system around the unproven
Clipper-style technology. The export regulations should be
relaxed, specifically permitting free export of the
well-tested Data Encryption Standard, which uses a 56-bit
key. (While some argue for even bigger keys, this is a
significant jump. The increase in key size alone means that
theoretically it will be more than 65,000 times harder to
crack a code.) Perhaps the strongest rebuke came with the
rejection of the "if you only knew" defense. The committee
concluded that informed decisions on crypto could be made
without access to classified material.
If the NRC advice was followed, would criminals hide
nefarious activities behind a digital wall of gibberish?
Quite possibly, admits the committee -- but without action
to promote crypto, we are increasingly dependent on a
computer-controlled world with insufficient protection.
"We're encouraging a world that supports greater
confidentiality -- but we think it's worth the risk," says
panelist Ray Ozzie, creator of IBM's Lotus Notes. The
committee cited security breaches like the recent raid on
Citicorp by Russian hackers, and warned that without
crypto, we are more vulnerable to "information warfare"
threats -- endangering operations like the
air-traffic-control system.
The government's response? "We do care about the security
of information, but we need to do it in a way that does not
diminish law enforcement," says an administration official.
"People writing academic reports can take chances. But when
you are the policeman, you have to err on the side of
protecting people."
The question is, which approach provides the most
protection? The NRC report undercuts the government's
position at a time when many were already beginning to
question it. On May 21, 11 senators sat down in a bugproof
room for a classified briefing, presumably designed to make
them rethink their proposals. But, said Leahy, "no one
seemed to change their mind." Looks like they've cracked
the code.
[Two photos] 'Pro-privacy, pro-jobs, pro-business': Sen.
Patrick Leahy (right) and Lotus Notes creator Ray Ozzie
think strong codes will make a stronger economy
_________________________________________________________
[Box]
Sending Messages In Private
Cryptography makes it possible to turn intelligible words
into a hodgepodge of letters, numbers and symbols, keeping
them out of the hands of cybersnoops.
[Illustration: computer > key > encrypted message > key >
computer.]
To send a private message through a network, a cryptography
program is used to "lock" the message -- making it
unreadable to anyone who intercepts it.
The program generates a secret, digital key when it
scrambles the message. The receiver then uses the key to
translate the message back into plain text.
_________________________________________________________
[End]
Thanks to SL and Newsweek.