[This document came from the Progress and Freedom Foundation,
http://www.pff.org.]
June 1996
THE COMPUTER REVOLUTION, ENCRYPTION AND TRUE THREATS TO NATIONAL SECURITY
by G. A. Keyworth, II, and David E. Colton, Esq. *
Americans take it for granted that when they a send package via
first class mail its contents are protected. We do not worry that
someone will open our envelopes and take our checking or credit card
account numbers, read our personal letters, or steal our business
ideas.
Yet our privacy could be threatened as we move to a digital economy,
where more and more information is shared electronically – over the
Internet, via fax machines or on wireless phones. Right now, the
Clinton Administration is proposing to restrict Americans’ ability
to use "encryption" tools that scramble digital communications so
that they cannot be read by anyone other than the intended receiver.
Today, basic encryption technology is utilized every time you punch
in your ATM code or use a password to protect files on your
computer. But better encryption tools are needed to protect the
assets of on-line banking customers, the rights of musicians selling
their songs in Cyberspace or the trade secrets of American companies
e-mailing documents to their overseas branches.
America currently leads the world in the development of computer
software – including encryption. Indeed, our current position as the
undisputed leader of the digital age derives from our overwhelming
success at winning the computer race. Start-ups that were born in
our garages and hobby clubs less than twenty years ago have created
a whole new economy, the $1.5 trillion digital industry. As a
result, the nexus of technological innovation and wealth creation
for this new economy is in Silicon Valley, not Tokyo, Paris or Bonn.
_______________________________________________________________
The Clinton Administration’s attempt to control encryption technology is one
of the most important examples of how outdated regulatory thinking threatens
America’s ability to compete and win in the digital era.
_______________________________________________________________
Yet a new contest is already underway: the race to generate wealth
by connecting computers into a global, digital communications
system. The rules for this competition are just now being set, and
the situation is very different from the computer race. The
government largely refrained from regulating the computer industry
(no one told Apple or Microsoft or Intel what markets they could
enter or what products they could sell). In the communications race,
America's regulatory apparatus (i.e., the FCC) – created in the
1930s, before television networks, cellular phones or e-mail – is a
huge handicap. America’s competitive lead in the communications race
could be squandered by the retarding forces of excessive regulation,
with immense consequences: lost technological leadership, fewer jobs
and lower standards of living.
While the Telecommunications Act of 1996 was an important first step
toward removing roadblocks in the creation of a digital
communications network, much work remains if America is to maintain
its international lead. Our most formidable opponent is not foreign
competition, but a misguided, overzealous Federal government. The
Administration’s attempt to control encryption technology is one of
the most important examples of how outdated regulatory thinking
threatens America’s ability to compete and win in the digital era.
Encryption: Protecting Your Valuables from Theft
The encryption concepts at issue are not complicated. In essence,
encryption technology empowers people to protect their digital
property from unauthorized use. Whether you are sending an e-mail to
a friend, your doctor is faxing your medical records to the
insurance company, you are ordering a take-out dinner over you
wireless phone (and using your credit card number to pay in
advance), or giving the plans for your latest product to your
business partner on a floppy disc, encryption tools allow you to
"scramble" your message. Only the intended recipient – who holds a
"key" – can access the information.
Encryption technology is based on strings of numbers (the "key").
The more numbers in the key, the "stronger" the encryption. For
instance, the standard ATM code of four numbers would be harder to
crack if it were ten numbers. The possible variations increase
dramatically each time a number is added to a key, and thus more
computing power is required to figure out all the possible
combinations.
There are two types of encryption. The first is known as single key,
in which the key to code and decode a transmission is the same. The
second encryption system, known as the public key approach, uses two
sets of keys. One key is publicly revealed, the other is known only
to the user. The keys are linked in such a manner that information
encrypted by the public key can only be deciphered by the
corresponding private key. Public key techniques are much more
secure than single key approaches. Such programs are available,
world-wide and generally free, through the Internet. It is these
public key programs that are the real focus of the Administration’s
attempt to restrict encryption tools.
The Administration seeks to retard development of encryption
technologies by allowing export only of mass market software with
"weak" encryption standards using 40-bit keys.1 Similar restrictions
apply to hardware and computer systems.2 The stated goal is to slow
development of encryption technologies abroad, so that the
intelligence community (CIA, FBI, NSA, etc.) will have easier access
to communications.
Are Encryption Controls Part of the American Spirit?
The Administration invokes "national security" concerns to justify
export control regulations that cripple development of sophisticated
U.S. encryption technologies. The government claims that it must
have the ability to monitor communications in the digital age in
order to protect Americans from terrorists, drug smugglers and other
nefarious types. To achieve this, the Administration argues, we must
control the terms and conditions by which individual Americans can
use sophisticated encryption technology both at home and abroad.3
Even at the height of the Cold War, the intelligence community never
seriously proposed such a massive and pervasive intrusion into the
lives of American citizens.
_______________________________________________________________
Even at the height of the Cold War, the intelligence community never
seriously proposed such a massive and pervasive intrusion into the lives of
American citizens.
_______________________________________________________________
How we handle this issue has profound implications for American
society in the digital age. The encryption debate raises serious
Constitutional questions. What is the role of the Fourth Amendment,
which reserves to the people the right "to be secure in their
persons, houses, papers and effects"? What constitutes an
unreasonable search and seizure in Cyberspace? What rights to
privacy can citizens expect in a digital era? These are major,
fundamental questions that the American people must resolve. No one
yet has the answers. Yet the Administration’s encryption proposals,
if enacted, would allow what are little more than bureaucratic
interests in the national security community to dictate the answers.
The outcome of the encryption debate will also shape the foundation
for U.S. economic prosperity in the digital age. A society of
connected computing and networking requires that all individuals
have confidence that their communications are secure and that
messages and data are authentic, not forgeries. Encryption is the
means to make that possible.
_______________________________________________________________
The Administration’s attempts to control encryption technology on national
security grounds would actually undermine America’s security in the digital
age.
_______________________________________________________________
But encryption technology is not just about privacy and secure
communications. It is also about protecting intellectual property.
For instance, with innovative encryption systems, the makers of
Jurassic Park II (for example) would be able to encrypt a digital
signal in the movie that prevents bootlegged copies of it being made
and sold on the black market. Before artists, entrepreneurs or
Fortune 500 companies will invest their resources in a new digital
product, they will demand assurances that it be secure from theft.
The best means of protection is self-defense. American companies
should be allowed to develop and use encryption tools to protect
their intellectual property and trade secrets before turning to
government for assistance. In that sense, encryption can be thought
of as the "barbed wire" of the digital age, allowing owners of
intellectual property to be their own first lines of defense against
theft and encroachment, just as barbed wire allowed farmers on
America's prairie to protect themselves against encroachment by
wayward cattle. Barbed wire was not an alternative to government
enforcement of property rights, but it allowed government to serve
as a backstop rather than as the first line of defense.4
Encryption Obsolescence at Hyper Speed
To maintain their competitive lead in the digitally connected
economy, American companies are continually creating encryption
technologies. Such rapid innovation makes the national security and
intelligence communities’ goals of controlling this technology
illusory. Governments can no longer dictate the pace and scope of
technological innovation.
The core concept of the computer revolution, Moore’s Law, states
that the power of a microprocessor doubles approximately every 18
months while its costs stay the same. Thus, in 1984, a desktop
computer could execute 2 million instructions per second, but by
1994, the same machine was capable of 256 million instructions per
second. By 1998, a desktop microprocessor will run more than 2
billion instructions per second. Such incredible advancement in
computer power guarantees that the intelligence community will fail
to control encryption technology.
Moore’s Law makes the focus on encryption key length irrelevant.
So-called strong encryption is only "strong" relative to available
computing power to crack the string of numbers that comprise the
key. As computing power doubles every 18 months, no encryption
scheme will remain strong for long; adding numbers to the key merely
forestalls the inevitable. Encryption will be rendered quickly weak
without constant innovation .
Yet the Administration proposes to enshrine in law a mandated
encryption standard based on today’s computing power – a standard
that would soon be rendered obsolete by advances in microprocessor
speed. This is not a theoretical prediction; it is hard fact.
Indeed, the government’s preferred 40-bit key has already been
compromised – in this case by two French graduate students using
their school’s computer to hack Netscape. Cheap and affordable chips
customized to break encryption keys are readily available. For
example, one "field programmable gate arrays" chip, costing as
little as $20, can crack the 40-bit key in about five hours. But
many such chips can be used together, in parallel, to break a 40-bit
key in about 24 seconds. Clearly, government encryption "standards"
would soon be overtaken by technology, leaving Americans handcuffed
in their ability to compete with foreigners.
The True Threat to National Security: Encryption Controls, Not
Encryption Technology
The Administration’s attempts to control encryption technology on
national security grounds would actually undermine America’s
security in the digital age. Export controls already are threatening
to drive America’s software industry off-shore. Allowed to continue,
this phenonemon eventually will deny America -- including the
intelligence community itself -- the latest in encryption
technology.
Among the many problems with export controls on encryption
technology, first and foremost is the fact that they are unworkable.
In the past, it was possible to contain specific technologies (e.g.
metallurgical science applied to design of submarines or "stealth"
airplanes) through export controls. These technologies focus on
specific capabilities and require significant infrastructure to be
of use. But digital technology can be taken out of the country
almost effortlessly by transmitting it over the Internet. And, of
course, nothing can prevent foreigners from coming to America,
legally purchasing encryption technology (at stores such as
Wal-Mart) and then (illegally) taking it home with them. Hackers try
to demonstrate the absurdity of export controls by noting that it
may be considered illegal to wear a t-shirt, when leaving the United
States, that has printed on it the code for an encryption key (the
t-shirt would be considered a munition).
It is also absurd to assume that, just because American encryption
technology is not legally for sale on the international market, that
foreign governments, companies and criminals will not be able to
encrypt their communications and intellectual property. Unlike, say,
nuclear weapons, which require amounts of difficult-to-obtain
materials to build, computer software design has virtually no
"barriers to entry." Joseph Schumpeter’s description of the
capitalist firm truly applies here: "Most new firms are founded with
an idea and definite purpose. The life goes out of them when that
idea or purpose has been fulfilled or has become obsolete or even
if, without having become obsolete, it has ceased to be new." This
is particularly apt for encryption technologies.5
_______________________________________________________________
Preventing America’s leading companies from selling their products around the
world denies America's software firms the chance to maintain their lead in
the global connected computing race.
_______________________________________________________________
No matter how stringent U.S. export controls, they can do nothing to
stop a bright mathematician in Tokyo or Bombay from creating new
means of encryption to fill the void left by American abdication of
the market. A recent survey of products employing cryptography both
within and outside the United States confirms the lack of barriers
to entry in encryption technology. 6 Companies from more than 28
countries sell almost 500 encryption products. If American
leadership stumbles, others are ready and eager to assume the
mantle. Today, the intelligence community is worried about
controlling the latest encryption technology developed in the United
States. With export controls in place, Americans may find in just a
few short years that the true national security problem is trying to
obtain the latest encryption software developed outside the United
States.
U.S. intelligence and law enforcement agencies – perhaps to present
Congress a fait accompli – have urged foreign governments to adopt
approaches to regulating encryption similar to those in America. But
even the adoption by other governments of proscriptive encryption
regulations would not alter our analysis. One individual, such as
the legendary Phil Zimmerman, can create an encryption system as
widely acclaimed as his PGP (Pretty Good Privacy) in just five
months in his cabin in Colorado. That program is now available
world-wide through the Internet. Digital technology and the lack of
barriers to entry mean that individuals from almost anywhere can
circumvent government-imposed limitations – regardless how many
governments impose them.
Export controls also hurt America’s high-tech industry. Many law
abiding international customers want to protect their communications
and intellectual property for the same reasons as Americans, and, as
noted above, they will develop the technology to do so themselves if
they cannot purchase it from the United States. The global demand
for secure computing continues to grow with the spread of connected
computing. After all, the international market for Internet
connectivity is 20 times what it is in the United States. 7 In this
burgeoning market, the highest demand over the next decade will be
for goods and services that incorporate the assurance of
confidentiality only encryption can provide.
Preventing America’s leading companies from selling their products
around the world denies America's software firms the chance to
maintain their lead in the global connected computing race. Already,
60 percent of American workers are knowledge workers, and eight of
ten new jobs are in information intensive sectors of the economy.
More Americans make computers than cars. More Americans make
semiconductors than build construction equipment, and people
processing data outnumber those refining petroleum. Should American
firms be foreclosed from competing to win in this market, the
immediate effect may be a 30 percent loss in market share for
computer systems alone. 8 The impact on the whole U.S. software
industry would be equally devastating and threatens the commanding
75 percent market share for mass market software enjoyed by American
companies today. 9 This is merely a short-term extrapolation. The
long-term effects could be even more pernicious: lost technological
leadership is rarely recovered.
Yet probably the greatest threat to Americans’ national security
from the encryption controls being proposed by the intelligence and
law enforcement agencies would be the loss of freedom on the part of
U.S. citizens. Seeking to retain some control over public key
encryption, the most recent Administration proposal seeks to have
Americans register their personal keys with a government-approved
third party. This is analogous to the government asking all
Americans to place a copy of their safe deposit box keys with a
government-approved third party. By coercing so-called "voluntary"
cooperation, the intelligence community asks that every American
leave themselves exposed before the State in the digital age.
Nothing could be more perverse than to turn the potential of the
digital era to empower individuals into a more invasive means of
government surveillance and control. We believe that the
Administration’s positions will not withstand Constitutional
challenge. The question to ask is why, in light of all we've learned
as America's competitiveness has resurged in this new digital
economy, should we waste our time and energy pursuing something
that, in a Jeffersonian sense, is so patently un-American and which,
in the practical sense of Moore's Law, is simply wrong. As Americans
hesitate, the window of opportunity for continuing our leadership of
the computer revolution is rapidly closing.
The Threat To American Intelligence and Law Enforcement Is
Overstated
Together with law enforcement agencies, America’s intelligence
community plays a vital role in safeguarding the nation. Moreover,
in many instances the resources they can bring to bear to battle
crime are without peer. The technical capabilities of the U.S.
intelligence community, for example, are the finest in the world.
The community has and will continue to have the technical and human
resources to meet its mission.
The National Security Agency (NSA) and its sister agencies have the
capacity to break current encryption systems, and there is little
reason to believe they will not have the capability to penetrate
future designs. Public estimates of the time the NSA requires to
break 40- and 56-bit key codes are conservative, for the agency has
truly massive parallel processing power for "brute force" attacks on
a given code. More importantly, NSA specialists are world-class, and
can often succeed in cracking an encryption system through "number
crunching." They often understand the inner workings of a given
program or code and can exploit these vulnerabilities, greatly
reducing the burdens of decryption. While in the short term
encryption controls might make the NSA’s task easier, in the long
run, as we have noted above, we as a nation would suffer greatly.
For the foreseeable future, the intelligence community can provide
time-urgent penetration of communications networks for collection
and counter-intelligence needs. Cracking an encrypted digital e-mail
may not be as easy as wire tapping an analog telephone. Nonetheless,
the United States currently has the technical capability needed for
security in the digital future. To most effectively utilize these
capabilities might require tasking and prioritizing resources in a
new way, something all bureaucracies, including the intelligence and
law enforcement agencies, naturally dislike because it upsets the
status quo. But, ultimately, the intelligence community relies on
the technical innovation and leadership of the America’s private
sector to keep it at the forefront of developments. Any decline in
U.S. leadership in the computer race, which controls on encryption
technology will lead to, will have repercussions on the NSA’s
abilities as well.
Domestic law enforcement can also pursue its public safety mission
without draconian invasions into the privacy of citizens through
mandatory key escrow systems. Clear thinking without emotion is
required. Allegations that encryption technology will result in
future New York City World Trade Tower-type terrorist incidents or
bombings of Federal buildings are irresponsible. Encryption
technologies, of course, had no connection at all to either
incident. (Indeed, it is worth recalling that the FBI’s own
informant tried to warn the Bureau – unsuccessfully – about the
impending attack in New York). Furthermore, it is just as easy to
plot a terrorist attack through almost completely secure first class
mail as it is via e-mail.
While there have been and certainly will be instances of law
enforcement agencies successfully averting a crime or catching
criminals due to the monitoring of communications, the FBI and other
police agencies must adjust the existing framework for traditional
wireline intercepts to the digital age. To do so, they must admit
one simple truth: organized crime and drug cartels – or anyone
seriously intending to violate the law – will attempt to buy the
best encryption technology available. Preventing American industry
from developing it simply means the illegal enterprises will buy the
capability from Japan, Bombay or Taiwan. They may even pay American
software writers to covertly develop code for them. Regardless of
the method, criminals will obtain encryption technology.
_______________________________________________________________
By coercing so-called "voluntary" cooperation, the intelligence community
asks that every American leave themselves exposed before the State in the
digital age.
_______________________________________________________________
The solution is thus not to "dumb down" the American economy and
industry. Rather, law enforcement must become more digitally savvy.
Upon obtaining court authorization for digital surveillance, law
enforcement must have access to sufficient resources in the
intelligence community should encryption issues arise. If it is a
question of sharing resources and capabilities among national
security agencies (who currently have among the best encryption
writing and cracking capabilities) and law enforcement agencies,
Congress can help this to occur by developing new coordination
mechanisms. Long standing bureaucratic rivalries between law
enforcement and intelligence agencies can (and should) be overcome.
If suitable cooperation is not forthcoming, law enforcement could be
permitted to develop its own cryptographic capabilities. That would
be a small price to pay to enable America to compete and win in the
digital era.
Controlling our Future in the Digital Age
We are in the midst of a profound revolution made possible by the
microprocessor. It is transforming our society more completely and
faster than did the printing press, the telephone or even the
television. By winning the first round of the computer race, we
reaped the rewards of economic growth and new goods, services and
social opportunities. We can win the race for connected computing as
well. This is the best means of providing for national security,
broadly defined.
What is called for in encryption is no less than an end to
government sponsored encryption standards, except for its own use.
Export controls on commercial digital technology, especially in the
consumer realm, should be terminated. Moreover, the Federal
government should be explicitly barred from placing restrictions on
the sale and use of encryption programs domestically, and mandatory
key escrows should be prohibited. These steps are necessary for two,
reinforcing reasons: The first is that such barriers to our future
wealth generating capacity are simply unaffordable; the second is
that such interventions will not work anyway.
In a more general sense, however, it is we citizens, not the
intelligence community, who should determine the nature of our
Constitutional heritage in the digital age.
_______________________________________________________________
Future Insight, a series of occasional papers issued by PFF, offer
replacement models for current regulatory agencies, departments and
laws designed at the height of the Industrial Era with organizations
better suited to meeting the needs of citizens in the Digital Age. A
private, non-profit, non-partisan idea center established in 1993,
The Progress & Freedom Foundation aims to create a positive vision
of the future founded in the historic principles of the American
Idea. It brings together a diverse group of thinkers and policy
experts and shares their work with the American people through
seminars, conferences, publications and electronic media of all
forms. Supported by tax deductible donations from corporations,
foundations and individuals, PFF does not engage in lobbying
activities or take positions on legislation. The views expressed
here are solely those of the author(s) and do not necessarily
represent the views of the Board, Officers or Staff of The Progress
& Freedom Foundation.
Permission granted to reproduce as long as acknowledgment is made.
Richard F. O’Donnell, Editor
The Progress & Freedom Foundation | 1301 K Street, N.W., Suite 650
West | Washington, DC 20005
voice: 202/289-8928 | fax: 202/289-6079 | e-mail: mail@pff.org |
internet: www.pff.org
Endnotes For The Computer Revolution, Encryption & True Threats to National
Security
_______________________________________________________________
* G.A. (Jay) Keyworth, II, is chairman of The Progress & Freedom
Foundation. He served as Science Advisor to President Reagan,
Director of the White House Office of Science and Technology Policy,
and as a member of the National Security Council.
David Colton, Esq., is an adjunct fellow at The Progress & Freedom
Foundation and a telecommunications attorney.
1 For banks and other institutions, the government has in the past
permitted selective exceptions using 56 bit keys.
2 To export more powerfulencryption products of 64 bit length, U.S.
industry must use a Government-approved escrow process. Although
there have been no formal limits on what technology is available for
domestic use, the Administration seeks to use export controls to
limit domestic technologies by skewing economies of scale and
incentive.
3 Achieving Privacy, Commerce, Security and Public Safety In the
Global Information Infrastructure (May 21, 1995).
4 An alternative, for example, would have been to station a cavalry
soldier at every milepost and start taking depositions every time a
steer wandered into a pasture. In the absence of expanding use of
encryption technology, the enforcement of intellectual property
rights in the future will be approximately this efficient.
5 J.A. Schumpeter, Business Cycles: A Theoretical Historical and
Statistical Analysis of the Capitalist Process 69 (1939).
6 Trusted Information Systems, Inc., Worldwide Survey of
Cryptographic Products (December 1995). A survey conducted by the
Commerce Department confirms the widespread availability of foreign
encryption technologies.
7 Morgan Stanley, The Internet Report (1996).
8 Management Advisory Group, The Impact of Export Control Policy on
U.S. Competitiveness (december 1995).
9 Siwek & Mikkelsen, U.S. Software Industry Trends, 1987-1994: A 20th
Century Business Success Story (1996) (noting that in 1994, for
example, the U.S. exported $26.3 billion in software, more than
double the $21.3 billion for telecommunications equipment).
