[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Brookings Inst. on crypto: "There are reasonable compromises"






---------- Forwarded message ----------
Date: Fri, 18 Jul 1997 09:17:52 -0700 (PDT)
From: Declan McCullagh <[email protected]>
To: [email protected]
Subject: Brookings Inst. on crypto: "There are reasonable compromises"

Morton's Steakhouse is a true Washington institution. Nestled
in the heart of lawyer country, between K and L streets, the
clientele are well-heeled lobbyists hungry for red meat. Which
is all you'll find at Morton's, where the menu lists a fine
selection of slabs, all thick, bloody, expensive.

I had lunch at Morton's yesterday with a colleague, a fellow
from the NSA, and a gentleman from the armed forces. We
talked Net-regulation, censorship, and hacking. Most of all
we talked encryption, and crypto-compromises. This is a theme
you'll see repeated in this recent policy paper from the
liberal Brookings Institution:

	There are reasonable compromises. A useful place to start
	is a national cryptography policy... rigorous oversight
	and accountability for government access to the keys
	needed to intercept and read coded data, negotiation of
	an agreement with our close allies on a global encryption
	standard, and formation of a government/private sector
	oversight body... the basic elements of a reasonable
	compromise are now in sight and may yet be achieved...

	Current initiatives that would allow export of any
	technological solution, of unlimited strength, subject
	only to the proviso that an acceptable key recovery
	system be maintained with a suitably defined and trusted
	party (including self-escrow), are headed in the right
	direction...

-Declan

------------------

no. 21
Deciphering the Cryptography Debate

July 1997
By Kenneth Flamm

FOR THE PAST FIVE YEARS, the U.S. government and
America's information industries-producers and users
of computers, communications systems, software,
information services-have been locked in a bitter and
highly technical battle over cryptography policy: the
rules of the game for techniques used to scramble and
unscramble data. Such encryption and decryption is
vital in maintaining the confidentiality of
information (whether business information, financial
transactions, personal medical records, or government
secrets) passing through the exploding web of computer
and communications links joining this nation together.
The hard fought and often arcane debate has come to an
inconclusive and unsatisfactory draw that does little
to deal effectively with any of the conflicting
objectives-civil liberties, economic competitiveness,
law enforcement, and national security-brought to the
bargaining table.

This does not have to be. There are reasonable
compromises. A useful place to start is a national
cryptography policy built around four key
elements-strong cryptography put into wide use, a
strengthened legal framework and electronic logging
system that provides rigorous oversight and
accountability for government access to the keys
needed to intercept and read coded data, negotiation
of an agreement with our close allies on a global
encryption standard, and formation of a
government/private sector oversight body to review
both the overall security of our national information
infrastructure and the voluntary testing and
certification of encryption and security products.



Why Is Cryptography Important?


UNTIL THE MIDDLE OF THIS CENTURY, codemaking and
codebreaking were primarily the concern of governments
protecting diplomatic and military communications.
World War II was a turning point for cryptography. The
first primitive electronic computers were built by the
United States and Britain during that war and used to
break German and Japanese codes. Using technology and
methods that remained closely guarded military secrets
until the late 1970s, the Allies succeeded in building
electronic machines to break the supposedly
unbreakable codes used to encrypt virtually all Axis
radio messages. This allowed the Allies, for example,
to read signals sent by German submarines as they
reported their locations, send forces to destroy them,
and win the vitally important battle for the North
Atlantic shipping lanes.

After the war, U.S. codebreakers continued to play a
central role in the development of the fastest
possible computers of the day, so-called
supercomputers. In the late 1960s, others in the
military funded research into damage-resistant digital
communications networks that gave us the first working
prototype of today's Internet.

As computers and network use also took hold within
business in the 1960s and 1970s, cryptography (mainly
the domain of government in earlier decades)
increasingly began to protect sensitive business
information stored in private sector computers. With
outside computer links through communications networks
growing, the dangers of unauthorized penetration into
sensitive computer databases through these external
ties also multiplied. The financial sector led these
technological changes. As global financial markets,
national banking systems, and local automated teller
machines all went electronic, cryptographic systems
were installed to protect sensitive data coursing
through the digital arteries of finance.

Today, we are teetering at the precipice of an even
wider transformation of the basic infrastructure for
commerce. Telecommunications services, retailing, and
the electric power grid are already organized around
vast computer networks. Multinational companies link
global operations over international networks. By
1999, all U.S. government benefits will be paid
electronically. Doctors will access data and
communicate remotely with patients, businesses will
buy services from consultants, contractors will sell
to government, researchers will provide policy advice,
seminars will be organized-all over computer networks.
Vast savings in time and resources and improvements in
business productivity seem possible. For this leap
forward in our economic infrastructure to be realized,
however, the information running through the system
will have to be authenticated, verified, protected
from unauthorized access, and guarded against witting
or unwitting corruption.

Equally profound changes are going on within the
military establishments whose investments initially
spurred the computer revolution. Our post-Desert Storm
military forces are as dependent on complex
computerized command, control, and communications
networks as commercial industry. The Defense
Department is today groping toward an information
technology-based Revolution in Military Affairs, a
future in which sensors, intelligence databases,
command and control systems, precision munitions, and
smart weapons platforms are seamlessly linked together
in real time to deliver measured military force
swiftly, surely, and over great distances.

In contrast to the situation of forty years ago,
enormous private sector investments are today driving
the engine of information technology, with the
military largely drawing on commercial technology for
its particular variant of the information revolution.
Commercial and military computer and communications
systems-like the core industrial infrastructure
underlying modern military power-are hopelessly
intermingled within the sinews of the U.S. information
economy. A new term, information warfare, explicitly
recognizes that an attack designed to disrupt our
military capability or will to fight is as likely to
target nominally civil infrastructure, like
telecommunications networks, the electric power grid,
the banking system, or air traffic control, as any
purely military system.

Widespread use of effective cryptography to secure and
protect the rivers of data flowing through computer
and communications systems is needed now to enable the
further development of the information infrastructure
for tomorrow's high-tech economy and to protect
military capabilities dependent on that same
information infrastructure.

What Are the Issues?


The heated debate over cryptography policy is
fundamentally driven by rapid technological change.
The price of computing power has been dropping 20 to
30 percent annually over decades now, an order of
magnitude greater than anything measured during the
first great Industrial Revolution of two centuries
ago.

Computing power is used to both make and break codes,
and as the cost of computing power plummets,
cryptographic systems that once offered adequate
protection for data become insecure. By the same
token, however, cheaper computers also make it cost
effective to encrypt data where once it would have
been uneconomic. Paradoxically, then, plummeting
computing costs have both enabled the widespread use
of encryption to defend information security and
increased the ability of moderate to large
organizations (in the private sector and governments)
to afford the computing resources needed to
successfully attack once-capable encryption systems.
To balance these shifting forces, the United States
must grapple with multiple and often conflicting
objectives.

First, there are constitutional issues. On the one
hand, the United States has a well-established
tradition of respect for privacy and civil liberties
that is a bedrock of our society. On the other hand,
there are few absolute rights-under court order,
communications can be legally intercepted, and private
homes may be entered and searched. Encryption-like
"speaking in tongues"-might even be interpreted as a
form of speech and offered the greater protection that
freedom of speech enjoys. Historically, the government
has not attempted to control the use of encryption
within domestic U.S. borders but instead limited its
export overseas. Similarly, court orders are required
to lawfully intercept domestic telephone
conversations, but not for foreign traffic. The legal
framework protecting data communications-including
encryption of data-has not changed to address the many
new channels for expression (and surveillance of
expression) opened up by the computer revolution. It
is now appropriate to establish an organized and
systematic legal framework for our information
society.

Second, we need to use strong cryptography to enable
electronic commerce on the burgeoning information
infrastructure that is going up all around us. The
potential economic benefits from moving forward
rapidly to locate our businesses on the information
superhighway seem large. Without ironclad security,
however, no business is going to drive its sensitive
data up the on-ramp. Strong cryptography is a small
but vital piece in the systems that will provide
information security.

Third, U.S. companies are world leaders in computers
and communications, where success in global markets is
an essential ingredient in maintaining competitive
advantage. But the market for information technology
is one in which capable foreign competitors stand
ready to pick up the baton of technological leadership
should American firms stumble. The economic
preeminence of U.S. information technology
companies-and the resulting benefits to the U.S.
economy-are arguably at risk should U.S. producers be
blocked from selling important technology that is
available from foreign competitors.

Law enforcement objectives, in contrast, argue for
controls on use of strong cryptography (while
recognizing that cryptography also protects against
electronic crimes). Since the dawn of the age of
telephony, lawful wiretapping has been viewed as an
essential tool for police, the legal extension of the
right to enter and search under warrant. In the
information age, with the proliferation of digital
technology, cryptography has the potential to deny
police the lawful access that they now enjoy to voice
and data communications.

National security has been another powerful argument
for limits on encryption. Though not often discussed
openly, interception of foreign communications traffic
is in all likelihood one of the most valuable and
reliable sources of intelligence for defense and
foreign policy purposes. Routine use of strong and
difficult-to-break cryptography in, say, the global
public telephone network would be a nightmare scenario
for both law enforcement and the intelligence
community.

But we should also recognize that while global
availability of strong encryption may limit our
offensive gathering of foreign intelligence and
perhaps in the future, offensive "information
warfare," the global economic success of U.S.
information technology producers also has a positive
value for offensive intelligence gathering. Even the
strongest encryption technology may be rendered
vulnerable by the way it is administered and used. A
global marketplace dominated by the products of the
United States and its allies-which will be well
understood by a substantial community of American
technologists-will be much more transparent to allied
intelligence gathering than a world market dominated
by the unfamiliar and poorly understood products of
others.

And strong encryption, even if pervasive and
unbreakable, will nonetheless have a positive national
security value in protecting U.S. information from the
snooping of adversaries, political and economic. It
will also have significant value as a defensive
rampart against the information warfare offensives of
adversaries. Arguably the United States, now reliant
on the most advanced and pervasive information
infrastructure in the world, is also the nation with
the most to lose to disruption by a successful
offensive attack.

Finally, we must acknowledge that as more and more
aspects of our personal and economic lives are
connected to, and accessible over, the information
superhighway-things like medical records, corporate
accounts, personal travel plans, even daily calendars
and diaries-the "wiretapping" metaphor for permitting
government access to electronic information begins to
break down. It is no strain to forecast a
not-too-distant digital future in which almost
everything-all sorts of personal information, records,
even art and music-is stored or communicated
electronically, connected to or accessible through
some computer network. As the Worldwide Web reaches
out to encompass all aspects of our lives, a
surreptitious government access hatch begins to
resemble a special door built into the basement of our
homes through which government can enter without our
knowledge or consent.

Our Constitution's protections against "unreasonable
searches and seizures" should be our guide as we chart
these deep and unknown waters. Government access to
private information should be governed by clear rules
that "we, the people" make after open debate. Even in
simpler times, there have been occasional but deeply
disturbing instances in which individuals in
government have abused powers granted for legitimate
law enforcement and national security purposes. As
pervasive electronic tendrils from the information
superhighway reach into the nooks and crannies of our
lives, the potential damage from poor judgment (or
worse yet, corruption) by some individual in
government will be enormous. It is vital that a system
with clear guidelines and strict accountability be put
into place to oversee our national encryption policy
as we strike a balance among the multiple, legitimate
objectives.

Where Are We Now?


In the late 1970s, industry, in collaboration with the
U.S. government, developed a Data Encryption Standard
(DES) based on coding keys (sequences of binary
digits, or bits) that were 56 bits long. Though widely
used today, steady advances in computer performance
now make this system vulnerable (commercial
supercomputers almost double in power every year,
sufficient to "break" a key that is one bit longer in
some given time). Much stronger encryption systems are
used within the military and other parts of the U.S.
government. Until 1996, the State Department did not
readily permit the export of encryption systems using
keys longer than 40 bits, which can be easily broken
today.

The Clinton administration, recognizing the need to
promote commercial use of stronger encryption,
unveiled such a system in April 1993 (actually
developed under previous administrations but not
publicly promoted). The system used special computer
circuitry dubbed the "Clipper" chip, with decoding
keys issued in two parts and held by two separate
government agencies-within the Treasury Department and
the Commerce Department. This Clipper chip initiative
championed the concept of "key escrow," with
government holding copies of the keys used to encrypt
data, and argued for its voluntary adoption by the
private sector as a solution to increasingly evident
data security problems.

Since only stronger encryption systems using the
Clipper chip, or similar technology, were likely to be
approved for export, critics argued that the system
was not really voluntary. No U.S. multinational
corporation would want to build and maintain two
separate computer and communications networks-one for
domestic use and one for international use.

There were other practical objections. It was unclear
how foreign governments would react to companies
operating in their nations giving the U.S. government
the keys to read encrypted communications, or even if
this would be required. There was suspicion that the
Clipper chip, with its proprietary
government-developed technology, was not as secure as
advertised and might even allow surreptitious
government interception without appropriate legal
safeguards. Even more important, there was concern
that a government-mandated technical solution was
being imposed on an industry that was far more capable
and responsive to continuing technological change than
any cobwebbed and inflexible government bureaucracy,
and that industry itself through market forces was
much better able to work out the best solutions to its
information security problems.

Furthermore, argued much of U.S. industry,
increasingly capable foreign producers were beginning
to market and sell encryption systems that were
stronger than what U.S. industry would be permitted to
sell in export markets. The net effect of
administration policy, in this case, would be to tie
the hands of U.S. industry and leave an important and
growing segment of the information industry to foreign
producers, free to sell any and all strong encryption
products to customers anywhere.

Stung by these criticisms, the Clinton administration
withdrew and regrouped. In mid-1994, it offered up a
new proposal in which "trusted third parties" within
the private sector, rather than the government itself,
would act as key escrow agents. This did little to
silence industry critics.

Finally, in 1996 the administration revealed a new
plan and made some important changes in the direction
of its policies. There would henceforth be no
restrictions on exports of cryptographic systems-based
on key length or technology-if those systems contained
so-called key recovery features. That is, if U.S.
exporters could demonstrate a viable plan in which
trusted third parties (possibly including
"self-escrow" within user organizations) would hold
(and supply to government when presented "appropriate
legal authority") information that would permit
recovery of code keys and decryption of data,
unrestricted export of such encryption systems would
be allowed. Over an interim period of two years,
exports of non-key recovery 56-bit cryptography
systems would be permitted by producers demonstrating
a commitment to develop viable key recovery systems.
Cryptographic systems would be reclassified as a
dual-use commercial product, rather than a munition,
and export controls transferred from the State
Department to the Commerce Department (though the
Department of Justice would now play a new advisory
role in the export licensing process). Finally, an
explicitly international framework would be sought,
with mutual access to national key recovery agents
negotiated with foreign governments through carefully
defined legal procedures.

Though some in the U..S. business community continued
to object, initial reaction was much more favorable
than with previous cryptography initiatives. The
government had worked with U.S. business in developing
the new initiative, and a number of major U.S.
computer and software companies voiced support for the
general principles outlined in the initiative. (A
system that enabled recovery of their own encrypted
business data, in fact, was actually useful to
companies in dealing with the risks of employee
turnover.) Others took a wait-and-see approach.

The wait was not a long one. Within months, a number
of the proposal's initial supporters had publicly or
privately defected as the details of its
implementation were revealed. One major sticking point
was the government's apparent desire to involve itself
in frequent and detailed reviews of proprietary
company business plans and progress in developing key
recovery systems, as a condition for continued
approval of interim exports of 56-bit systems.

By mid-1997, some additional problems had become
visible. A U.S. attempt at internationalizing the key
recovery principle met only limited success: a draft
policy from the Organization for Economic Cooperation
and Development (OECD) recommended only that the
issues be left to national discretion. While the
United States, Britain, and France publicly supported
the idea (and Japanese officials made it clear
privately that they too would cooperate), opinion in
Germany was divided, and other countries hesitated.
Dueling bills-establishing a legal framework for key
recovery, decontrolling cryptography export-were
debated on Capitol Hill. On the face of it, another
impasse was shaping up.

In fact, however, with a little more flexibility and
some degree of innovation, the basic elements of a
reasonable compromise are now in sight and may yet be
achieved. For the first time, the varied interests at
stake are close enough to a workable solution to make
establishment of a functioning and effective national
cryptography policy a real possibility.

Seeking Common Ground


Four basic elements make up the core of what a
national cryptography policy should do. First and
foremost, strong cryptography-strong enough to resist
the attacks that rapidly improving computer technology
will continue to breed-must be available for routine
business use. In an integrated global economy, this
also means that it must be usable and exportable
around the world. Current initiatives that would allow
export of any technological solution, of unlimited
strength, subject only to the proviso that an
acceptable key recovery system be maintained with a
suitably defined and trusted party (including
self-escrow), are headed in the right direction. This
will permit market forces to determine the most cost
effective and flexible technologies, build in the
ability to respond dynamically to continuing
innovations in computer and communications technology,
and yet maintain the ability of law enforcement and
national security authorities to gain lawful access to
encrypted communications when a critical national
interest makes such access imperative.

But the government should be more forthright in
presenting its case. Though it is true that no
constraints on domestic use of encryption are being
proposed, the only product likely to gain wide
acceptance in today's global economy is cryptography
that is exportable to one's foreign subsidiaries and
business partners. The government should be crystal
clear in acknowledging that this debate is in fact
about the encryption systems that will be used widely
within the domestic U.S. economy. Also, key recovery
remains an untried and untested system. It is entirely
possible that a better solution to the cryptography
problem may be discovered as computing technology
advances, and policy should be flexible enough to
adapt if this happens. The critical thing is the
principle: strong encryption, widely available, with
the potential for lawful decryption by accountable
authorities.

The government still must establish clear principles
and a transparent cryptography policy. The new export
regulations do not explicitly address a large number
of significant issues (for example, backwards
compatibility of key escrow with interim 56-bit
systems, length of time escrowed keys must be kept for
different types of data) that are now being defined in
a piecemeal and private fashion as individual
companies' key recovery product development plans are
submitted with license requests. Various "exceptions"
to the infant policy- permitting the export of
stronger encryption without key recovery, for example,
in specialized financial applications, or to banks and
foreign subsidiaries of U.S. companies- are announced
weekly. A "black box" process ("just submit it, and
we'll tell you if it's OK") that sets limits on
cryptography without open discussion and debate and
forces Americans to struggle to infer the policy from
the sparse and sometimes inaccurate details published
in the press is totally unacceptable in an area this
important to the nation.

A second core element of a new national policy-and one
that has yet to be carefully addressed by any broad
initiative-is the construction of a clear, up-to-date
legal framework for, and safeguards on, government
access to encrypted data and communications.
Government access is only tolerable in pursuing the
legitimate social objectives outlined earlier. The
legal framework defining privacy and freedom of speech
in electronic data and communications is currently a
crazy, patchwork quilt with many holes in it. The
administration's new rules specify that key recovery
agents must hand over keys to the government within
two hours after receiving "appropriate legal
authority" but nowhere define precisely what this
authority must be. Is a court order required, or
merely a signature from a political appointee, and
under what circumstances? Our laws should be debated
and updated to define the answers better and more
comprehensively, given current and foreseeable
technological realities.

Careful attention must also be paid to the potential
for abuse or corruption. Even after appropriate legal
authority is granted on paper for some narrow purpose,
there is typically substantial room for interpretation
as to what is "reasonable" in deciding how wide to
cast an electronic net in trapping suspicious
communications and how to deal with unexpected
discoveries that turn up. Most government officials
can be expected to behave in a responsible and lawful
way, but an excessively curious or aggressive, or even
corrupt, official using a legal interception to "surf"
through data or communications beyond its intended
scope creates a potential for damage that will grow
just as quickly as the information superhighway
itself. The same computer technology that makes
electronic communication so cheap and pervasive also
makes it possible to electronically record and log,
with a permanent and verifiable audit trail, any
government interception of electronic communications.
Just as financial services companies safeguard against
abuse by logging and taping telephone contacts with
customers, comprehensive logs and a verifiable audit
trail should be automatically recorded and stored
electronically in each and every instance that a
government official intercepts private data or
communications. In addition, tougher standards for
private abuse of personal data and illegal access to
private communications should be included in whatever
new legal framework is adopted, and significant
penalties should be defined.

Third, a national cryptography policy must recognize
that the problems-and solutions-outlined above are
inherently international in scope. Law enforcement,
national security, regulation and oversight of global
finance and trade are all areas that span national
boundaries today and require cooperation among
governments. Just as our private sector works with its
foreign partners to define standards that allow it to
operate easily and effectively in global markets, the
U.S. government must work with foreign governments to
define an international encryption policy that makes
the U.S. approach compatible with foreign systems.
U.S. requirements imposed on U.S.-based businesses
must be compatible with the foreign environments in
which they operate.

U.S. requirements should also be no more onerous than
those imposed by foreign governments on their business
communities. A level playing field, with common global
rules of the game, is needed to avoid giving economic
rivals competitive advantages over one another. The
administration made an important and correct decision
in seeking an international consensus on the key
recovery approach to strong encryption and must be
sure to continue to work hard in seeking this common
global approach. While it has yet to achieve such a
consensus within the OECD, many of the key players
with the technical capability to ship advanced
cryptography products and affect global
markets-Britain, France, and (quietly) Japan-are
supporting the U.S. approach, and if a few more (like
Germany and Israel) can be brought on board, the
critical mass around which the core of an
international agreement can be assembled will exist.

Finally, with cryptography set to play such a key role
in tomorrow's information infrastructure, some new
institution that provides a framework for business and
government to jointly examine both the overall
security of our information infrastructure and the
integrity of its individual parts is needed. At the
micro level, we must recognize that acquiring a
cryptographic product is not like buying a computer or
auto- simply testing or using it within an
organization gives insufficient insight into its
quality or utility. The essence of an effective
cryptography system is what the most capable and
potentially hostile forces outside a business or other
organization can do with the system. There are also
obvious economic benefits from some sort of
government-industry testing and certification process
that spares individual customers a costly and
duplicative investment in determining the
effectiveness of a cryptography product (and makes use
of sensitive information that may be available only to
the government). At the macro level, the integrity of
our power grid, banking system, and phone network are
clearly as vital to our national security as the
number of transport aircraft the U.S. Air Force buys,
and both government and industry have an obvious
interest in scrutinizing the entire information
infrastructure and taking steps to reduce weaknesses
and vulnerabilities. Government and the private sector
should form an oversight body tasked with both
reviewing the overall integrity and security of the
national information infrastructure and creating a
voluntary testing and certification process for the
information security products developed by the private
sector.

A national cryptography policy built around these four
elements- strong cryptography put into wide use, a
strengthened legal framework and electronic logging
system that provides rigorous oversight and
accountability for government access to the keys
needed to intercept and read coded data, negotiation
of an agreement with our close allies on a global
encryption standard, and formation of a
government/private sector oversight body to review
both the overall security of our national information
infrastructure and the voluntary testing and
certification of encryption and security products-will
leave many (maybe even most) participants in the
current debate unsatisfied. An absolute right to
privacy would not be created in the electronic realm.
The government would probably face greater constraints
in seeking lawful access to electronic communications,
and maintenance of auditable records probably will
create some additional costs. Business is being asked
to bear some burden in keeping the keys needed to
decrypt confidential communications for a time.
Intelligence and national security officials will be
more dependent than ever before on cooperation with
their allied counterparts. Cooperation on common rules
of the game for encryption at the international level
will have to be carefully negotiated. None of this
will be painless. But it must be done if we are to
balance an important and complex set of interests as
we enter the next century, the age of the information
society.

Kenneth Flamm is a senior fellow in the Brookings
Foreign Policy studies program and the author of
Mismanaged Trade? Strategic Policy and the
Semiconductor Industry (Brookings, 1996). The views
expressed in this Policy Brief are those of the author
and not necessarily those of the trustees, officers,
or other staff members of the Brookings Institution.


-------------------------
Declan McCullagh
Time Inc.
The Netly News Network
Washington Correspondent
http://netlynews.com/