FT on Crypto Cloud
Financial Times, March 6, 1996, IT Section, p. V.
Network Security: Operating under a cloud of uncertainty
Companies face a complex web of technical, legal and
moral questions
The IT security threat has long been depicted in terms of
wild-eyed hackers hunched over terminals late into the
night. But while there is real cause for concern about
criminal activity over computer networks, large
corporations are very worried about another threat to their
use of electronic communications.
Meanwhile, government restrictions on the use of data
encryption codes in various countries are limiting the
ability of commercial organisations to protect themselves.
Cryptography is at the heart of this dilemma. Governments
all over the world rely on specialist intelligence units to
break down data transmissions from other nations and
individuals while encrypting their own messages.
The US National Security Agency and the UK's Government
Communications HQ are the best-known of these agencies.
The NSA is notorious for obsessive secrecy. Meanwhile, in
the UK, the GCHQ has lifted its traditional reticence in
recent years to offer advice to British companies concerned
with data security.
Mr Roger James, chairman of Cheshire-based communications
software specialist Boldon James, has worked with GCHQ to
define data standards for UK government departments. Mr
James plays down the cloak-and-dagger image of GCHQ, but
instead he describes his contact with its staff as
"horribly technical". He also portrays the Cheltenham
code-breakers as "very down-to-earth people".
There are two ways of looking at security, he says: "one is
the practical approach, which means accepting that perfect
security is impossible to obtain. The other is the Ivory
Tower approach, which involves dreaming of a world in which
security is absolute. There are a lot of 'practicalists' in
GCHQ".
Mr James, whose clients include the Britannia Building
Society and the German Navy, is active in the European
Electronic Messaging Association. He is concerned at the
lack of a co-ordinated European policy on encryption. And
he fears that effective security measures could become
illegal with the advent of future legislation curbing the
availability of encryption software.
It is illegal at the moment to use strong cryptography
techniques in France without first depositing the key to
unlocking your codes with the French government. UK
companies developing sophisticated security programs find
their software classified as munitions and subject to tight
export restrictions, even within the EC.
In the US, the author of a strong encryption program, called
'Pretty Good Privacy', found himself facing a Grand Jury
and possible charges of exporting prohibited technology.
The NSA has proposed that all personal computers made in
the US contain the Clipper Chip. This security feature
would give easy access to any data communications, however
the user chose to encode it. The proposal is currently
stalled, having met with ferocious opposition.
Both suppliers of information technology and industry at
large need to clear a path through this international maze.
The legal structure surrounding the use of encryption
technology is of particular concern to anyone working in
electronic commerce.
"The Clipper Chip debate raised a fundamental moral issue,"
says Mr James. "Software technology means that strong
encryption, previously available only to the military, can
now be obtained by the public. If governments then find
messages hard to break, it leads immediately to a conflict
of interest."
One company that has confronted this apparent conflict of
interest between state and commerce, with its attendant
uncertainty, is the Anglo-Dutch oil giant, Shell. Mr Nick
Mansfield, a Shell technical consultant specialising in
information security, says the company is enthusiastic
about the potential for eliminating paperwork across its
sprawling global operations -- "we are committed to
electronic trading," he says. "We have a vast
electronic-mail network. But there is still a section of
our business where we have to use paper".
Contract agreements are at issue here. Until security can
be absolutely guaranteed, bilateral agreements must be seen
to be tamper-proofed. Shell is about to deploy technology
to secure personal computers and PC servers across the
world. This e-mail security system will cost around £1m in
software purchasing plus £100,000 a year to run. It will
have 4,000 users.
Far from escalating costs, Mr Mansfield explains that
expenses are falling as security improves. Shell used to
run a secure telex network that cost £4m in technology and
required £200,000 a year to support 120 sites. This was
superseded by a secure fax network costing £1m in systems,
plus £100,000 in annual maintenance for 200 sites. The
latest system will expand secure messaging beyond the fax
network's remit.
But setting up this security system involved Shell in a
long and involved process. Its chosen security software is
subject to close scrutiny by the UK authorities, who worked
with Shell to customise the program before it could be
released for use overseas.
While Mr Mansfield is pleased that Shell's security system
is so strong, it required an export licence and he echoes
the concerns of EEMA's Mr James -- "it's a cart and horse
situation. Until governments agree on policy and relax some
restrictions, industry won't be encouraged to develop
extreme standards of encryption".
There needs to be a broad European debate on this issue.
Until this complex web of technical, legal and moral
questions is resolved, secure commercial data networks
will be operating under a cloud of uncertainty.
Michael Dempsey
[End]
Note: Shell's Nick Mansfield was a speaker at the OECD
cryptography conference in Paris in December.
This issue of FT includes a 22-page special section on
Information Technology.