CRN on Crypto Roadblock
Computer Reseller News, 8-05-96, p. 51
Channel feels pinch of export limitations -- VARs Hit
Encryption Roadblock
By Charlotte Dunlap & Deborah Gage
Could 40 bits of code cost you that multimillion-dollar
bid?
Andrew Sheppard, president of Branford, Conn.-based Espion
Inc., just returned from a frustrating business trip to
Europe, where he said he lost a number of accounts with
financial institutions because he could not deliver
software with more than 40 bits of encryption key length.
Sheppard, who recently tried to sell his encryption wares
to clients in Europe, said he lost business to competitors
offering stronger encryption.
"There is a real demand for this type of product, and yet
I find myself thwarted at every single opportunity by this
stupid law, which everyone realizes is unnecessary,"
Sheppard said.
Sheppard said potential clients that turned him down during
his recent trip included Banco Santander, a Madrid-based
bank; the London office of Credit Suisse; Logica Systems of
London; and the financial reporting arm of Reuters' news
service in London.
As the trend toward networking sensitive information grows,
woes tied to encryption export limitations are spreading to
the VAR community. The dilemma of shipping overseas
anything other than light versions of security software is
starting to sabotage the efforts of Internet resellers.
Because 40 bits of code is considered to be breakable by an
elementary hacker, major corporations with data to protect
are reluctant to trust U.S. technology. So, U.S. resellers
are being turned away while multinational corporations turn
to foreign technologies.
The debate between business and the U.S. government about
export limitations is getting increasingly heated with the
growth of the Internet. The Pro-Code Bill, which aims to
relax export restrictions, has just been introduced, and
prominent Silicon Valley executives are trekking to
Washington regularly to argue the case. Jim Bidzos,
president and chief executive of encryption market leader
RSA Data Security Inc., Redwood City, Calif., has spent a
lot of time in Washington.
"The big picture in terms of what's happening is all of our
communications and document storage is moving from paper
and filing cabinets to the Internet and disk drives. We
need crypto technology in order to protect this," he said.
But resellers are getting discouraged and do not see a
quick resolution with lawmakers. Meanwhile, they are
losing business at a staggering rate.
Norm Yamaguchi, director of sales for RSA master reseller
Secure Distribution Inc., said he could have tripled the
size of his million-dollar company this year if it were not
for U.S. export laws dictating a maximum 40-bit key
encryption length to his clients' international offices.
"To say this law is causing me problems is a massive
understatement," Yamaguchi said. The reseller currently is
in talks with Price Waterhouse to get them to standardize
on Oakland, Calif.-based Secure Distribution's security
products, but will likely lose the contract because of the
40-bit key length limitation.
Resellers' fear of losing business to foreign players is
not paranoia, either. The Business Software Alliance has
identified 500 encryption products that can be purchased in
foreign countries. Information about the stronger foreign
technology can be obtained easily through the Internet.
"The laws are punishing U.S. companies, and we're losing
business to foreign countries because they can offer the
same thing. The law is not holding back the flow of
encryption, it is just holding back U.S. companies from
making money," he added, calling it a "lose-lose
situation."
Reseller Al Hill, vice president of engineering for
Successful Systems Solutions, Rancho Cordova, Calif., has
to surrender part of his solutions services in order to
keep his foreign clients.
"We ship units to England, Hong Kong and Singapore, and we
have to downgrade the software [to 40 bits] on all of them.
They were rather upset but smart enough to realize they
could upgrade the security themselves," he said, adding
that he has lost business because he could not complete
projects himself.
"We have to make sure the APIs in the software are
available so people overseas can tie them into their
[security] applications," he said. Similarly, Dave Johnson,
senior account manager of Precision Computers Inc.,
Portland, Ore., said he lost an account with a
multinational company with offices in France because "it
became too troublesome for them to implement U.S. products
because of the legal problems."
Uncle Sam's View
U.S. companies and civil libertarians have been battling
the government since 1991, when the proposal of the Clipper
Chip first surfaced. At that time, the government proposed
splitting the encryption keys and holding a portion of them
in escrow, giving law enforcement officials with court
orders a back door through which to conduct electronic
surveillance. To date, the U.S. government has budged
little from its original idea.
The Clipper Chip idea was squelched, but the government
refuses to concede that strong encryption is not a munition
because it believes national security is at stake. In
recent weeks, Vice President Al Gore proposed a compromise:
The government would extend the types of software that
could be exported, perhaps to include healthcare or
insurance instead of just finance, and allow long keys if
countries where the United States has government-to-
government agreements could hold keys in escrow. A
24-member technical advisory committee is expected to
produce a blueprint for establishing the Federal Key
Management Infrastructure in September.
The Vendor's View
Software executives remain disgruntled with the
government's progress. "Do we really want government-
to-government agreements?" asked Eric Schmidt, Sun
Microsystems Inc.'s Chief Technology Officer. "The U.S. has
protections that other countries don't. France, for
example, is noted for industrial espionage."
Microsoft Corp. Senior Vice President Craig Mundie said an
escrow system would create an expensive bureaucracy,
adding: "This should really be described as a key-leasing
system. This will create a huge new business in extracting
keys from the public. If you want to make sure that your
key is not compromised by law enforcement officials, you're
going to need insurance. There will be a whole service
industry around keys."
Vendors also argue that the government's reasoning is not
legitimate. "The current controls do not keep encryption
out of the hands of the criminals. They keep it out of the
hands of individuals and corporations," said Sybase Inc.
Director of Data and Communications Security Development
Thomas Parenty.
Sun, Microsoft and other companies would like complete
deregulation of encryption. Three bills that would lift
government restrictions and prohibit mandatory key escrow
are working their way through Congress, although none are
likely to pass this year.
NEXT WEEK: Measuring the level of difficulty in cracking
code.
[End]
Thanks to LG.