[Report Cover]

[Header all report pages: May 30, 1996, Prepublication Copy Subject to Further Editorial Correction]

Cryptography's Role in Securing the Information Society

Kenneth Dam and Herbert Lin, Editors

Committee to Study National Cryptography Policy
Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
National Research Council

National Academy Press
Washington, D.C. 1996

____________________________________________________________

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers.
It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Harold Liebowitz is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce Alberts and Dr. Harold Liebowitz are chairman and vice chairman, respectively, of the National Research Council.

Support for this project was provided by the Department of Defense (under contract number DASW01-94-C-0178) and the National Institute of Standards and Technology (under contract number 50SBNB4C8089).
Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Library of Congress Catalog Number 96-68943
International Standard Book Number 0-309-05475-3

Additional copies of this report are available from:

National Academy Press
2101 Constitution Avenue, NW
Box 285
Washington, DC 20055
800/624-6242
202/334-3313 (in the Washington Metropolitan Area)

Copyright 1996 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

____________________________________________________________

COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY

KENNETH W. DAM, University of Chicago Law School, Chair
W.Y. SMITH, Institute for Defense Analyses (retired), Vice Chair
LEE BOLLINGER, Dartmouth College
ANN CARACRISTI, National Security Agency (retired)
BENJAMIN CIVILETTI, Venable, Baetjer, Howard and Civiletti
COLIN CROOK, Citicorp
SAMUEL H. FULLER, Digital Equipment Corporation
LESLIE H. GELB, Council on Foreign Relations
RONALD GRAHAM, AT&T Bell Laboratories
MARTIN HELLMAN, Stanford University
JULIUS KATZ, Hills & Company
PETER G. NEUMANN, SRI International
RAYMOND OZZIE, Iris Associates
EDWARD SCHMULTS, General Telephone and Electronics (retired)
ELLIOT M. STONE, Massachusetts Health Data Consortium
WILLIS WARE, RAND Corporation

Staff

MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Study Director and Senior Staff Officer
JOHN M. GODFREY, Research Associate
FRANK PITTELLI, Consultant to CSTB
GAIL E. PRITCHARD, Project Assistant

____________________________________________________________

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

WILLIAM A. WULF, University of Virginia, Chair
FRANCES E. ALLEN, IBM T.J. Watson Research Center
DAVID CLARK, Massachusetts Institute of Technology
JEFF DOZIER, University of California at Santa Barbara
HENRY FUCHS, University of North Carolina
CHARLES GESCHKE, Adobe Systems Incorporated
JAMES GRAY, Microsoft Corporation
BARBARA GROSZ, Harvard University
JURIS HARTMANIS, Cornell University
DEBORAH A. JOSEPH, University of Wisconsin
BUTLER W. LAMPSON, Microsoft Corporation
BARBARA LISKOV, Massachusetts Institute of Technology
JOHN MAJOR, Motorola
ROBERT L. MARTIN, AT&T Network Systems
DAVID G. MESSERSCHMITT, University of California at Berkeley
WILLIAM PRESS, Harvard University
CHARLES L. SEITZ, Myricom Incorporated
EDWARD SHORTLIFFE, Stanford University School of Medicine
CASIMIR S. SKRZYPCZAK, NYNEX Corporation
LESLIE L. VADASZ, Intel Corporation

MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Staff Officer
PAUL D. SEMENZA, Staff Officer
JERRY R. SHEEHAN, Staff Officer
JEAN E. SMITH, Program Associate
JOHN M. GODFREY, Research Associate
LESLIE M. WADE, Research Assistant
GLORIA P. BEMAH, Administrative Assistant
GAIL E. PRITCHARD, Project Assistant

____________________________________________________________

COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS

ROBERT J. HERMANN, United Technologies Corporation, Chair
PETER M. BANKS, Environmental Research Institute of Michigan
SYLVIA T. CEYER, Massachusetts Institute of Technology
L. LOUIS HEGEDUS, W.R. Grace and Company (retired)
JOHN E. HOPCROFT, Cornell University
RHONDA J. HUGHES, Bryn Mawr College
SHIRLEY A. JACKSON, U.S. Nuclear Regulatory Commission
KENNETH I. KELLERMANN, National Radio Astronomy Observatory
KEN KENNEDY, Rice University
THOMAS A. PRINCE, California Institute of Technology
JEROME SACKS, National Institute of Statistical Sciences
L.E. SCRIVEN, University of Colorado
LEON T. SILVER, California Institute of Technology
CHARLES P. SLICHTER, University of Illinois at Urbana-Champaign
ALVIN W. TRIVELPIECE, Oak Ridge National Laboratory
SHMUEL WINOGRAD, IBM T.J. Watson Research Center
CHARLES A. ZRAKET, MITRE Corporation (retired)

NORMAN METZGER, Executive Director

____________________________________________________________

Preface

INTRODUCTION

For most of history, cryptography -- the art and science of secret writing -- has belonged to governments concerned about protecting their own secrets and about asserting their prerogatives for access to information relevant to national security and public safety. In the United States, cryptography policy has reflected the U.S. government's needs for effective cryptographic protection of classified and other sensitive communications as well as its needs to gather intelligence for national security purposes, needs that would be damaged by the widespread use of cryptography. National security concerns have motivated such actions as development of cryptographic technologies, development of countermeasures to reverse the effects of encryption, and control of cryptographic technologies for export.

In the last 20 years, a number of developments have brought about what could be called the popularization of cryptography. First, some industries -- notably financial services -- have come to rely on encryption as an enabler of secure electronic funds transfers. Second, other industries have developed an interest in encryption for protection of proprietary and other sensitive information. Third, the broadening use of computers and computer networks has generalized the demand for technologies to secure communications down to the level of individual citizens and assure the privacy and security of their electronic records and transmissions. Fourth, the sharply increased use of wireless communications (e.g., cellular telephones) has highlighted the greater vulnerability of such communications to unauthorized intercept as well as the difficulty of detecting these intercepts.
As a result, efforts have increased to develop encryption systems for private sector use and to integrate encryption with other information technology products. Interest has grown in the commercial market for cryptographic technologies and systems incorporating such technologies, and the nation has witnessed a heightened debate over individual need for and access to technologies to protect individual privacy.

Still another consequence of the expectation of widespread use of encryption is the emergence of law enforcement concerns that parallel, on a civilian basis, some of the national security concerns. Law enforcement officials fear that wide dissemination of effective cryptographic technologies will impede their efforts to collect information necessary for pursuing criminal investigations. On the other side, civil libertarians fear that controls on cryptographic technologies will give government authorities both in the United States and abroad unprecedented and unwarranted capabilities for intrusion into the private lives of citizens.

CHARGE OF THE COMMITTEE TO STUDY NATIONAL CRYPTOGRAPHY POLICY

At the request of the U.S. Congress in November 1993, the National Research Council's Computer Science and Telecommunications Board (CSTB) formed the Committee to Study National Cryptography Policy. In accordance with its legislative charge (Box P.1), the committee undertook the following tasks:

+ Framing the problem. What are the technology trends with which national cryptography policy must keep pace? What is the political environment? What are the significant changes in the post-Cold War environment that call attention to the need for, and should have an impact on, cryptography policy?

+ Understanding the underlying technology issues and their expected development and impact on policy over time. What is and is not possible with current cryptographic (and related) technologies? How could these capabilities have an impact on various U.S. interests?
+ Describing current cryptography policy. To the committee's knowledge, there is no single document, classified or unclassified, within the U.S. government that fully describes national cryptography policy.

+ Articulating a framework for thinking about cryptography policy. The interests affected by national cryptography policy are multiple, varied, and related: they include personal liberties and constitutional rights, the maintenance of public order and national security, technology development, and U.S. economic competitiveness and markets. At a minimum, policy makers (and their critics) must understand how these interests interrelate, although they may decide that one particular policy configuration better serves the overall national interest than does another.

+ Identifying a range of feasible policy options. The debate over cryptography policy has been hampered by an incomplete analysis and discussion of various policy options -- both proponents of current policy and of alternative policies are forced into debating positions in which it is difficult or impossible to acknowledge that a competing view might have some merit. This report attempts to discuss fairly the pros and cons of a number of options.

+ Making recommendations regarding cryptography policy. No cryptography policy will be stable for all time. That is, it is unrealistic to imagine that this committee or any set of policy makers could craft a policy that would not have to evolve over time as the technological and political milieu itself changes. Thus, the committee's recommendations are framed in the context of a transition, from a world characterized by slowly evolving technology, well-defined enemies, and unquestioned U.S. technological, economic, and geopolitical dominance to one characterized by rapidly evolving technology, fuzzy lines between friend and foe, and increasing technological, economic, and political interdependencies between the United States and other nations of the world.

____________________________________________________________

BOX P.1 Legislative Charge to the National Research Council

Public Law 103-160
Defense Authorization Bill for Fiscal Year 1994
Signed November 30, 1993

SEC. 267. COMPREHENSIVE INDEPENDENT STUDY OF NATIONAL CRYPTOGRAPHY POLICY

(a) Study by National Research Council. -- Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall request the National Research Council of the National Academy of Sciences to conduct a comprehensive study of cryptographic technologies and national cryptography policy.

(b) Matters To Be Assessed in Study. -- The study shall assess

(1) the effect of cryptographic technologies on --

(A) national security interests of the United States Government
(B) law enforcement interests of the United States Government
(C) commercial interests of United States industry; and
(D) privacy interests of United States citizens; and

(2) the effect on commercial interests of United States industry of export controls on cryptographic technologies.

(c) Interagency Cooperation With Study. -- The Secretary of Defense shall direct the National Security Agency, the Advanced Research Projects Agency, and other appropriate agencies of the Department of Defense to cooperate fully with the National Research Council in its activities in carrying out the study under this section. The Secretary shall request all other appropriate Federal departments and agencies to provide similar cooperation to the National Research Council.

____________________________________________________________

Given the diverse applications of cryptography, national cryptography policy involves a very large number of important issues.
Important to national cryptography policy as well are issues related to the deployment of a large-scale infrastructure for cryptography and legislation and regulations to support the widespread use of cryptography for authentication and data integrity purposes (i.e., collateral applications of cryptography), even though these issues have not taken center stage in the policy debate.

The committee focused its efforts primarily on issues related to cryptography for confidentiality, because the contentious problem that this committee was assembled to address at the center of the public policy debate relates to the use of cryptography in confidentiality applications. It also addressed issues of cryptography policy related to authentication and data integrity at a relatively high level, casting its findings and recommendations in these areas in fairly general terms. However, it notes that detailed consideration of issues and policy options in these collateral areas requires additional study at a level of detail and thoroughness comparable to that of this report.

In preparing this report, the committee reviewed and synthesized relevant material from recent reports, took written and oral testimony from government, industry, and private individuals, reached out extensively to the affected stakeholders to solicit input, and met seven times to discuss the input from these sources as well as the independent observations and findings of the committee members themselves. In addition, this study built upon three prior efforts to examine national cryptography policy: the Association for Computing Machinery report *Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy*,(1) the Office of Technology Assessment report *Information Security and Privacy in Network Environments*,(2) and the JASON encryption study.(3) A number of other examinations of cryptography and/or information security policy were also important to the committee's work.(4)

---------

(1) Susan Landau et al., *Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy*, Association for Computing Machinery Inc., New York, 1994.

(2) U.S. Congress, Office of Technology Assessment, *Information Security and Privacy in Network Environments*, OTA-TCT-606, U.S. Government Printing Office, Washington, D.C., September 1994.

(3) JASON Program Office, *JASON Encryption/Privacy Study*, Report JSR-93-520 (unpublished), MITRE Corporation, Reston, Va., August 18, 1993.

(4) These works include *Global Information Infrastructure*, a joint report by the European Association of Manufacturers of Business Machines and Information Technology Industry, the U.S. Information Technology Industry Council, and the Japan Electronic Industry Development Association (EUROBIT-ITI-JEIDA), developed for the G-7 Summit on the Global Information Society, GII Tripartite Preparatory Meeting, January 26-27, 1995, Brussels; the U.S. Council for International Business statement titled "Business Requirements for Encryption," October 10, 1994, New York; and the International Chamber of Commerce position paper "International Encryption Policy," Document No. 373/202 Rev. and No. 373-30/9 Rev., Paris, undated. Important source documents can be found in Lance J. Hoffman (ed.), *Building in Big Brother*, Springer-Verlag, New York, 1995; and in the cryptography policy source books published annually by the Electronic Privacy Information Center in Washington, D.C.

____________________________________________________________

WHAT THIS REPORT IS NOT

The subject of national cryptography policy is quite complex, as it figures importantly in many areas of national interest.
To keep the project manageable within the time, resources, and expertise available, the committee chose not to address in detail a number of issues that arose with some nontrivial frequency during the course of its study.

+ This report is not a comprehensive study of the grand trade-offs that might be made in other dimensions of national policy to compensate for changes in cryptography policy. For example, this report does not address matters such as relaxing exclusionary rules that govern the court admissibility of evidence or installing video cameras in every police helmet as part of a package that also eliminates restrictions on cryptography, though such packages are in principle possible. Similarly, it does not address options such as increasing the budget for counterterrorist operations as a quid pro quo for relaxations on export controls of cryptography. The report does provide information that would help to assess the impact of various approaches to cryptography policy, although how that impact should be weighed against the impact of policies related to other areas is outside the scope of this study and the expertise of the committee assembled for it.

+ This report is not a study on the future of the National Security Agency (NSA) in the post-Cold War era. A determination of what missions the NSA should be pursuing and/or how it should pursue those missions was not in the committee's charge. The report does touch lightly on technological trends that affect the ability to undertake the missions to which cryptography is relevant, but only to the extent necessary to frame the cryptography issue. At the same time, this report does address certain conditions of the political, social, and technological environment that will affect the answers that anyone would formulate to these questions, such as the potential impact on policy of a world that offers many users the possibilities of secure communications.
+ This report is not a study of computer and communications security, although of course cryptography is a key element of such security. Even the strongest cryptography is not very useful unless it is part of a secure *system*, and those responsible for security must be concerned about everything from the trustworthiness of individuals writing the computer programs to be used to the physical security of terminals used to access the system. A report that addressed system dimensions of computer security was the National Research Council report *Computers at Risk*;(5) this current study draws on that report and others to the extent relevant for its analysis, findings, and conclusions about cryptography policy.

+ This report is not a study of the many patent disputes that have arisen with respect to national cryptography policy in the past several years. While such disputes may well be a sign that the various holders expect cryptography to assume substantial commercial importance in the next several years, such disputes are in principle resolvable by the U.S. Congress, which could simply legislate ownership by eminent domain or by requiring compulsory licensing. Moreover, since many of the key patents will expire in any case in the relatively near future (i.e., before any infrastructure that uses them becomes widely deployed), the issue will become moot in any case.

+ This report is not exclusively a study of national policy associated with the Clipper chip. While the Clipper chip has received the lion's share of press and notoriety in the past few years, the issues that this study was chartered to address go far beyond those associated simply with the Clipper chip. This study addresses the larger context and picture of which the Clipper chip is only one part.

----------

(5) Computer Science and Telecommunications Board, National Research Council, *Computers at Risk: Safe Computing in the Information Age*, National Academy Press, Washington, D.C., 1991.

____________________________________________________________

ON SECRECY AND REPORT TIME LINE

For most of history, the science and technologies associated with cryptography have been the purview of national governments and/or heads of state. It is only in the last 25 years that cryptographic expertise has begun to diffuse into the nongovernment world. Thus, it is not surprising that much of the basis and rationale underlying national cryptography policy has been and continues to be highly classified. Indeed, in a 1982 article, then-Deputy Director of the Central Intelligence Agency Bobby R. Inman wrote that

[o]ne sometimes hears the view that publication should not be restrained because "the government has not made its case," almost always referring to the absence of specific detail for public consumption. This reasoning is circular and unreasonable. It stems from a basic attitude that the government and its public servants cannot be trusted. Specific details about why information must be protected are more often than not even more sensitive than the basic technical information itself. Publishing examples, reasons and associated details would certainly damage the nation's interests. Public review and discussion of classified information which supports decisions is not feasible or workable.(6)

Secrecy is a two-edged sword for a democratic nation -- on the one hand, secrecy has a legitimate basis in those situations in which fundamental national interests are at stake (e.g., the preservation of American lives during wartime). Moreover, the history of intelligence reveals many instances in which the revelation of a secret, whether intentional or inadvertent, has led to the compromise of an information source or the loss of a key battle.(7) On the other hand, secrecy has sometimes been used to stifle public debate and conceal poorly conceived and ill-informed national policies, and mistrust is therefore quite common among many responsible critics of government policy.
A common refrain by defenders of policies whose origins and rationales are secret is that "if you knew what we knew, you would agree with us." Such a position may be true or false, but it clearly does not provide much reassurance for those not privy to those secrets for one very simple reason: those who fear that government is hiding poorly-conceived policies behind a wall of secrecy are not likely to trust the government, yet in the absence of a substantive argument being called for, the government's claim is essentially a plea for trust.

In pursuing this study, the committee has adopted the position that some secrets are still legitimate in today's global environment, but that its role is to illuminate as much as possible without compromising those legitimate interests. Thus, the committee has tried to act as a surrogate for well-intentioned and well-meaning people who fear that the worst is hiding behind the wall of secrecy -- it has tried to ask the questions that these people would have asked if they could have done so.

Public Law 103-160 called for all defense agencies, including the National Security Agency, to cooperate fully with the National Research Council in this study. For obvious reasons, the committee cannot determine if it did not hear a particular piece of information because an agency withheld that information or because that piece of information simply did not exist. But for a number of reasons, the committee believes that to the best of its knowledge, the relevant agencies have complied with Public Law 103-160 and other agencies have cooperated with the committee. One important reason is that several members of the committee have had extensive experience (on a classified basis) with the relevant agencies, and these members heard nothing in the briefings held for the committee that was inconsistent with that experience.
A second reason is that these agencies had every motivation and self-interest to make the best possible case for their respective positions on the issues before the committee. Thus, on the basis of agency assurances that the committee has indeed received all information relevant to the issue at hand, they cannot plausibly argue that "if the committee knew what Agency X knew, it would agree with Agency X's position."

This unclassified report does not have a classified annex, nor is there a classified version of it. After receiving a number of classified briefings on material relevant to the subject of this study, the fully cleared members of the committee (13 out of the total of 16) agree that these details, while necessarily important to policy makers who need to decide tomorrow what to do in a specific case, are not particularly relevant to the larger issues of why policy has the shape and texture that it does today nor to the general outline of how technology will and policy should evolve in the future. For example, the committee was briefed on certain intelligence activities of various nations. Policy makers care that the activities of nation X (a friendly nation) fall into certain categories and that those of nation Y (an unfriendly nation) fall into other categories, because they must craft a policy toward nation X in one way and one toward nation Y in another way. But for analytical purposes, the exact names of the nations involved are much less relevant than the fact that there will always be nations friendly and unfriendly to the United States. Committee members are prepared to respond on a classified basis if necessary to critiques and questions that involve classified material.(8)

As for the time line of this study, the committee was acutely aware of the speed with which the market and product technologies evolve.
The legislation called for a study to be delivered within 2 years after the full processing of all necessary security clearances, and the study committee accelerated its work schedule to deliver a report in 18 months from its first meeting (and only 13 months from the final granting of the last clearance). The delivery date of this study was affected by the fact that the contract to fund this study was signed by the Department of Defense on September 30, 1994.

----------

(6) Bobby Inman, "Classifying Science: A Government Proposal ... ," *Aviation Week and Space Technology*, February 8, 1982, p. 10.

(7) For example, following press reports of deciphered Libyan messages before and after a bombing in West Berlin in which an American soldier died, Libya changed its communications codes. A senior American official was quoted as saying that the subsequent Libyan purchase of advanced cryptographic equipment from a Swiss firm was "one of the prices [the United States is] paying for having revealed, in order to marshal support of our allies and public opinion, that intercepted communications traffic provided evidence that Libya was behind the bombing of the Berlin disco." See "Libyans Buy Message-Coding Equipment," *Washington Post*, April 22, 1986, p. A-8.

(8) The point of contact within the National Research Council for such inquiries is the Computer Science and Telecommunications Board, National Research Council, 2101 Constitution Avenue, N.W., Washington, D.C. Telephone 202-334-2605 or e-mail CSTB@NAS.EDU.

____________________________________________________________

A NOTE FROM THE CHAIR

The title of this report is *Cryptography's Role in Securing the Information Society*.
The committee chose this title as one best describing our inquiry and report -- that is, the committee has tried to focus on the role that cryptography, as one of a number of tools and technologies, can play in providing security for an information age society through, among other means, preventing computer-enabled crimes and enhancing national security. At the same time, the committee is not unaware of the acronym for this report -- CRISIS -- and it believes that the acronym is apt.

From my own standpoint as chair of the NRC Committee to Study National Cryptography Policy, I believe that the crisis is a policy crisis, rather than a technology crisis, an industry crisis, a law enforcement crisis, or an intelligence-gathering crisis.

It is not a technology crisis because technologies have always been two-edged swords. All technologies -- cryptography included -- can be used for good or for ill. They can be used to serve society or to harm it, and cryptography will no doubt be used for both purposes by different groups. Public policy will determine in large measure not just the net balance of benefit and loss but also how much benefit will be derived from constructive uses of this remarkable technology.

It is not an industry crisis, nor a law enforcement crisis, nor an intelligence-gathering crisis, because industry, law enforcement, and the intelligence establishment have all had to cope with rapid technological change, and for the most part the vitality of these enterprises within the nation is a testament to their successes in so coping.

But a policy crisis is upon the nation.
In the face of an inevitably growing use of cryptography, our society, acting as it must through our government as informed by the manifold forums of our free private processes, has been unable to develop a consensus behind a coherent national cryptography policy, neither within its own ranks nor with the private stakeholders throughout society -- the software industry, those concerned with computer security, the civil liberties community, and so on. Indeed, the committee could not even find a clear written statement of national cryptography policy that went beyond some very general statements.

To be sure, a number of Administration proposals have seen the light of day. The best known of these proposals, the Clipper initiative, was an honest attempt to address some of the issues underlying national cryptography policy, but one of its primary effects was to polarize rather than bring together the various stakeholders, both public and private. On the other hand, it did raise public awareness of the issue. In retrospect, many Administration officials have wished that the discourse on national cryptography policy could have unfolded differently, but in fairness we recognize that the government's task is not easy in view of the deep cleavages of interest reviewed in this report.

In this context, we therefore saw it as our task, commanded by our statutory charge, to analyze the underlying reasons for this policy crisis and the interests at stake, and then to propose an intelligent, workable and acceptable policy.

The Committee to Study National Cryptography Policy is a group of 16 individuals with very diverse backgrounds, a broad range of expertise, and differing perspectives on the subject.
The committee included individuals with extensive government service and also individuals with considerable skepticism about and suspicion of government; persons with great technical expertise in computers, communications, and cryptography; and persons with considerable experience in law enforcement, intelligence, civil liberties, national security, diplomacy, international trade, and other fields relevant to the formation of policy in this area. Committee members were drawn from industry, including telecommunications and computer hardware and software, and from users of cryptography in the for-profit and not-for-profit sectors; serving as well were academics and think-tank experts.(9) The committee was by design highly heterogeneous, a characteristic intended to promote discussion and synergy among its members. At first, we wondered whether these different perspectives would allow us to talk among ourselves at all, let alone come to agreement. But the committee worked hard. The full committee met for a total of 23 days in which we received briefings and argued various points; ad hoc subcommittees attended a dozen or so additional meetings to receive even more briefings; members of the committee and staff held a number of open sessions in which testimony from the interested public was sought and received (including a very well attended session at the Fifth Annual Conference on Computers, Freedom, and Privacy in San Francisco in early 1995 and an open session in Washington, D.C., in April 1995); and the committee reviewed nearly a hundred e-mail messages sent in response to its Internet call for input. 
The opportunity to receive not only written materials but also oral briefings from a number of government agencies, vendors, trade associations, and assorted experts, as well as to participate in the first-ever cryptography policy meeting of the Organization for Economic Cooperation and Development and of its Business Industry Advisory Council, provided the occasion for extended give-and-take discussions with government officials and private stakeholders. Out of this extended dialogue, we found that coming to a consensus among ourselves -- while difficult -- was not impossible. The nature of a consensus position is that it is invariably somewhat different from a position developed, framed, and written by any one committee member, particularly before our dialogue and without comments from other committee members. Our consensus is a result of the extended learning and interaction process through which we lived rather than any conscious effort to compromise or to paper over differences. The committee stands fully behind its analysis, findings, and recommendations. We believe that our report makes some reasonable proposals for national cryptography policy. But a proposal is just that -- a proposal for action. What is needed now is a public debate, using and not sidestepping the full processes of government, leading to a judicious resolution of pressing cryptography policy issues and including, on some important points, legislative action. Only in this manner will the policy crisis come to a satisfactory and stable resolution. ---------- (9) Note that the committee was quite aware of potential financial conflicts of interest among several of its members. In accordance with established National Research Council procedures, these potential financial conflicts of interest were thoroughly discussed by the committee; no one with a direct and substantial financial stake in the outcome of the report served on the committee. 
____________________________________________________________
ACKNOWLEDGMENTS

The full list of individuals (except for those who explicitly requested anonymity) who provided input to the committee and the study project is contained in Appendix A. However, a number of individuals deserve special mention. Michael Nelson, Office of Science and Technology Policy, kept us informed about the evolution of Administration policy. Dorothy Denning of Georgetown University provided many useful papers concerning the law enforcement perspective on cryptography policy. Clinton Brooks and Ron Lee from the National Security Agency and Ed Roback and Raymond Kammer from the National Institute of Standards and Technology acted as agency liaisons for the committee, arranging briefings and providing other information. Marc Rotenberg from the Electronic Privacy Information Center and John Gilmore from Cygnus Support provided continuing input on a number of subjects as well as documents released under Freedom of Information Act requests. Rebecca Gould from the Business Software Alliance, Steve Walker from Trusted Information Systems, and Ollie Smoot from the Information Technology Industry Council kept the committee informed from the business perspective. Finally, the committee particularly acknowledges the literally hundreds of suggestions and criticisms provided by the reviewers of an early draft of this report. Those inputs helped the committee to sharpen its message and strengthen its presentation, but of course the content of the report is the responsibility of the committee. The committee also received a high level of support from the National Research Council.
Working with the Special Security Office of the Office of Naval Research, Kevin Hale and Kimberly Striker of the NRC's National Security Office had the complex task of facilitating the prompt processing of security clearances necessary to complete this study in a timely manner and otherwise managing these security clearances. Susan Maurizi worked under tight time constraints to provide editorial assistance. Acting as primary staff for the committee were Marjory Blumenthal, John Godfrey, Frank Pittelli, Gail Pritchard, and Herb Lin. Marjory Blumenthal directs the Computer Science and Telecommunications Board, the program unit within the National Research Council to which this congressional tasking was assigned. She sat with the committee during the great majority of its meetings, providing not only essential insight into the NRC process but also an indispensable long-term perspective on how this report could build on other CSTB work, most notably the 1991 NRC report *Computers at Risk*. John Godfrey, research associate for CSTB, was responsible for developing most of the factual material in most of the appendixes as well as for tracking down hundreds of loose ends; his prior work on a previous NRC report on standards also provided an important point of departure for the committee's discussion on standards as they apply to cryptography policy. Frank Pittelli is a consultant to CSTB, whose prior experience in computer and information security was invaluable in framing a discussion of technical issues in cryptography policy. Gail Pritchard, project assistant for CSTB, handled logistical matters for the committee with the utmost skill and patience as well as providing some research support to the committee. Finally, Herb Lin, senior staff officer for CSTB and study director on this project, arranged briefings, crafted meeting agendas, and turned the thoughts of committee members into drafts and then report text.
It is fair to say that this study could not have been carried out nor this report written, especially on our accelerated schedule, without his prodigious energy and his extraordinary talents as study director, committee coordinator, writer, and editor.

Kenneth Dam, Chair
Committee to Study National Cryptography Policy
Chicago, Illinois
March 29, 1996

A Channel for Feedback

CSTB will be glad to receive comments on this report. Please send them via Internet e-mail to CRYPTO@NAS.EDU, or via regular mail to CSTB, National Research Council, 2101 Constitution Avenue NW, Washington, DC 20418.

[End Preface]
____________________________________________________________
Contents

PREFACE
  Introduction
  Charge of the Committee to Study National Cryptography Policy
  What This Report Is Not
  On Secrecy and Report Time Line
  A Note from the Chair
  Acknowledgments
EXECUTIVE SUMMARY
A ROAD MAP THROUGH THIS REPORT

PART I -- FRAMING THE POLICY ISSUES

1 GROWING VULNERABILITY IN THE INFORMATION AGE
  1.1 The Technology Context of the Information Age
  1.2 Transitions to an Information Society--Increasing Interconnections and Interdependence
  1.3 Coping with Information Vulnerability
  1.4 The Business and Economic Perspective
    1.4.1 Protecting Important Business Information
    1.4.2 Ensuring the Nation's Ability to Exploit Global Markets
  1.5 Individual and Personal Interests in Privacy
    1.5.1 Privacy in an Information Economy
    1.5.2 Privacy for Citizens
  1.6 Special Needs of Government
  1.7 Recap

2 CRYPTOGRAPHY: ROLES, MARKET, AND INFRASTRUCTURE
  2.1 Cryptography in Context
  2.2 What Is Cryptography and What Can It Do?
  2.3 How Cryptography Fits into the Big Security Picture
    2.3.1 Technical Factors Inhibiting Access to Information
    2.3.2 Factors Facilitating Access to Information
  2.4 The Market for Cryptography
    2.4.1 The Demand Side of the Cryptography Market
    2.4.2 The Supply Side of the Cryptography Market
  2.5 Infrastructure for Widespread Use of Cryptography
    2.5.1 Key Management Infrastructure
    2.5.2 Certificate Infrastructures
  2.6 Recap

3 NEEDS FOR ACCESS TO ENCRYPTED INFORMATION
  3.1 Terminology
  3.2 Law Enforcement: Investigation and Prosecution
    3.2.1 The Value of Access to Information for Law Enforcement
    3.2.2 The Legal Framework Governing Surveillance
    3.2.3 The Nature of Surveillance Needs of Law Enforcement
    3.2.4 The Impact of Cryptography and New Media on Law Enforcement (Stored and Communicated Data)
  3.3 National Security and Signals Intelligence
    3.3.1 The Value of Signals Intelligence
    3.3.2 The Impact of Cryptography on SIGINT
  3.4 Similarities and Differences Between Foreign Policy/National Security and Law Enforcement Needs for Communications Monitoring
    3.4.1 Similarities
    3.4.2 Differences
  3.5 Business and Individual Needs for Exceptional Access to Protected Information
  3.6 Other Types of Exceptional Access to Protected Information
  3.7 Recap

PART II -- POLICY INSTRUMENTS

4 EXPORT CONTROLS
  4.1 Brief Description of Current Export Controls
    4.1.1 The Rationale for Export Controls
    4.1.2 General Description
    4.1.3 Discussion of Current Licensing Practices
  4.2 Effectiveness of Export Controls on Cryptography
  4.3 The Impact of Export Controls on U.S. Information Technology Vendors
    4.3.1 De Facto Restrictions on the Domestic Availability of Cryptography
    4.3.2 Regulatory Uncertainty Related to Export Controls
    4.3.3 The Size of the Affected Market for Cryptography
    4.3.4 Inhibiting Vendor Responses to User Needs
  4.4 The Impact of Export Controls on U.S. Economic and National Security Interests
    4.4.1 Direct Economic Harm to U.S. Businesses
    4.4.2 Damage to U.S. Leadership in Information Technology
  4.5 The Mismatch Between the Perceptions of Government/National Security and Those of Vendors
  4.6 Export of Technical Data
  4.7 Foreign Policy Considerations
  4.8 Technology-Policy Mismatches
  4.9 Recap

5 ESCROWED ENCRYPTION AND RELATED ISSUES
  5.1 What Is Escrowed Encryption?
  5.2 Administration Initiatives Supporting Escrowed Encryption
    5.2.1 The Clipper Initiative and the Escrowed Encryption Standard
    5.2.2 The Capstone/Forteza (sic) Initiative
    5.2.3 The Relaxation of Export Controls on Software Products Using "Properly Escrowed" 64-bit Encryption
    5.2.4 Other Federal Initiatives in Escrowed Encryption
  5.3 Other Approaches to Escrowed Encryption
  5.4 The Impact of Escrowed Encryption on Information Security
  5.5 The Impact of Escrowed Encryption on Law Enforcement
    5.5.1 Balance of Crime Enabled vs. Crime Prosecuted
    5.5.2 Impact on Law Enforcement Access to Information
  5.6 Mandatory vs. Voluntary Use of Escrowed Encryption
  5.7 Process Through Which Policy on Escrowed Encryption Was Developed
  5.8 Affiliation and Number of Escrow Agents
  5.9 Responsibilities and Obligations of Escrow Agents and Users of Escrowed Encryption
    5.9.1 Partitioning Escrowed Information
    5.9.2 Operational Responsibilities of Escrow Agents
    5.9.3 Liabilities of Escrow Agents
  5.10 The Role of Secrecy in Ensuring Product Security
    5.10.1 Algorithm Secrecy
    5.10.2 Product Design and Implementation Secrecy
  5.11 The Hardware/Software Choice in Product Implementation
  5.12 Responsibility for Generation of Unit Keys
  5.13 Issues Related to the Administration Proposal to Exempt 64-bit Escrowed Encryption in Software
    5.13.1 The Definition of "Proper Escrowing"
    5.13.2 The Proposed Limitation of Key Lengths to 64 Bits or Less
  5.14 Recap

6 OTHER DIMENSIONS OF NATIONAL CRYPTOGRAPHY POLICY
  6.1 The Communications Assistance for Law Enforcement Act
    6.1.1 Brief Description of and Stated Rationale for the CALEA
    6.1.2 Reducing Resource Requirements for Wiretaps
    6.1.3 Obtaining Access to Digital Streams in the Future
    6.1.4 The CALEA Exemption of Information Service Providers and Distinctions Between Voice and Data Services
  6.2 Other Levers Used in National Cryptography Policy
    6.2.1 Federal Information Processing Standards
    6.2.2 The Government Procurement Process
    6.2.3 Implementation of Policy: Fear, Uncertainty, Doubt, Delay, Complexity
    6.2.4 R&D Funding
    6.2.5 Patents and Intellectual Property
    6.2.6 Formal and Informal Arrangements with Various Other Governments and Organizations
    6.2.7 Certification and Evaluation
    6.2.8 Nonstatutory Influence
    6.2.9 Interagency Agreements Within the Executive Branch
  6.3 Organization of the Federal Government with Respect to Information Security
    6.3.1 Role of National Security vis-a-vis Civilian Information Infrastructures
    6.3.2 Other Government Entities with Influence on Information Security
  6.4 International Dimensions of Cryptography Policy
  6.5 Recap

PART III -- POLICY OPTIONS, FINDINGS, AND RECOMMENDATIONS

7 POLICY OPTIONS FOR THE FUTURE
  7.1 Export Control Options for Cryptography
    7.1.1 Dimensions of Choice for Controlling the Export of Cryptography
    7.1.2 Complete Elimination of Export Controls on Cryptography
    7.1.3 Transferral of All Cryptography Products to the Commerce Control List
    7.1.4 End-use Certification
    7.1.5 Nation-by-Nation Relaxation of Controls and Harmonization of U.S. Export Control Policy on Cryptography with Export/Import Policies of Other Nations
    7.1.6 Liberal Export for Strong Cryptography with Weak Defaults
    7.1.7 Liberal Export for Cryptographic Applications Programming Interfaces
    7.1.8 Liberal Export for Escrowable Products with Encryption Capabilities
    7.1.9 Alternatives to Government Certification of Escrow Agents Abroad
    7.1.10 Use of Differential Work Factors in Cryptography
    7.1.11 Separation of Cryptography from Other Items on the U.S. Munitions List
  7.2 Alternatives for Providing Government Exceptional Access to Encrypted Data
    7.2.1 A Prohibition of the Use and Sale of Cryptography Lacking Features for Exceptional Access
    7.2.2 Criminalization of the Use of Cryptography in the Commission of a Crime
    7.2.3 Technical Non-Escrow Approaches for Obtaining Access to Information
    7.2.4 Network-based Encryption
    7.2.5 Distinguishing Between Encrypted Voice and Data Communications Services for Exceptional Access
    7.2.6 A Centralized Decryption Facility for Government Exceptional Access
  7.3 Looming Issues
    7.3.1 The Adequacy of Various Levels of Encryption Against High-Quality Attack
    7.3.2 Organizing the U.S. Government for Better Information Security on a National Basis
  7.4 Recap

8 SYNTHESIS, FINDINGS, AND RECOMMENDATIONS
  8.1 Synthesis and Findings
    8.1.1 The Problem of Information Vulnerability
    8.1.2 Cryptographic Solutions to Information Vulnerabilities
    8.1.3 The Policy Dilemma Posed by Cryptography
    8.1.4 National Cryptography Policy for the Information Age
  8.2 Recommendations
  8.3 Additional Work Needed
  8.4 Conclusion

APPENDIXES
  A Contributors to the NRC Project on National Cryptography Policy
  B Glossary
  C A Brief Primer on Cryptography
  D An Overview of Electronic Surveillance: History and Current Status
  E A Brief History of Cryptography Policy
  F A Brief Primer on Intelligence
  G The International Scope of Cryptography Policy
  H Summary of Important Requirements for a Public-Key Infrastructure
  I Industry-Specific Dimensions of Security
  J Examples of Risks Posed by Unprotected Information
  K Cryptographic Applications Programming Interfaces
  L Laws, Regulations, and Documents Relevant to Cryptography
  M Other Looming Issues Related to Cryptography Policy
  N Federal Information Processing Standards

[End Contents]
____________________________________________________________
Executive Summary

In an age of explosive worldwide growth of electronic data storage and communications, many vital national interests require the
effective protection of information. When used in conjunction with other approaches to information security, cryptography is a very powerful tool for protecting information. Consequently, current U.S. policy should be changed to promote and encourage the widespread use of cryptography for the protection of the information interests of individuals, businesses, government agencies, and the nation as a whole, while respecting legitimate national needs of law enforcement and intelligence for national security and foreign policy purposes to the extent consistent with good information protection.

BASIC POLICY ISSUES

The Information Security Problem

Today's information age requires U.S. businesses to compete on a worldwide basis, sharing sensitive information with appropriate parties while protecting that information against competitors, vandals, suppliers, customers, and foreign governments (Box ES.1). Private law-abiding citizens dislike the ease with which personal telephone calls can be tapped, especially those carried on cellular or cordless telephones. Elements of the U.S. civilian infrastructure such as the banking system, the electric power grid, the public switched telecommunications network, and the air traffic control system are central to so many dimensions of modern life that protecting these elements must have a high priority. The federal government has an important stake in assuring that its important and sensitive political, economic, law enforcement, and military information, both classified and unclassified, is protected from foreign governments or other parties whose interests are hostile to those of the United States.
____________________________________________________________
BOX ES.1 The Foreign Threat to U.S. Business Interests

Of the wide variety of information risks facing U.S. companies operating internationally, those resulting from electronic vulnerabilities appear to be the most significant. The National Counterintelligence Center (NACIC),
an arm of the U.S. intelligence community established in 1994 by presidential directive, concluded that "specialized technical operations (including computer intrusions, telecommunications targeting and intercept, and private-sector encryption weaknesses) account for the largest portion of economic and industrial information lost by U.S. corporations." Specifically, the NACIC noted that [b]ecause they are so easily accessed and intercepted, corporate telecommunications -- particularly international telecommunications -- provide a highly vulnerable and lucrative source for anyone interested in obtaining trade secrets or competitive information. Because of the increased usage of these links for bulk computer data transmission and electronic mail, intelligence collectors find telecommunications intercepts cost-effective. For example, foreign intelligence collectors intercept facsimile transmissions through government-owned telephone companies, and the stakes are large -- approximately half of all overseas telecommunications are facsimile transmissions. Innovative "hackers" connected to computers containing competitive information evade the controls and access companies' information. In addition, many American companies have begun using electronic data interchange, a system of transferring corporate bidding, invoice, and pricing data electronically overseas. Many foreign government and corporate intelligence collectors find this information invaluable.
----------
SOURCE: National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, July 1995, pages 16-17.
____________________________________________________________
Cryptographic Dimensions of Information Security Solutions

Information vulnerabilities cannot be eliminated through the use of any single tool.
For example, it is impossible to prevent with technical means a party authorized to view information from improperly disclosing that information to someone else. However, as part of a comprehensive approach to addressing information vulnerabilities, cryptography is a powerful tool that can help to assure the confidentiality and integrity of information in transit and in storage and to authenticate the asserted identity of individuals and computer systems. Information that has been properly encrypted cannot be understood or interpreted by those lacking the appropriate cryptographic "key"; information that has been integrity-checked cannot be altered without detection. Properly authenticated identities can help to restrict access to information resources to those properly authorized individuals and to take fuller advantage of audit trails to track down parties who have abused their authorized access.

Law Enforcement and National Security Dilemmas Posed by Cryptography

For both law enforcement and national security, cryptography is a two-edged sword. The public debate has tended to draw lines that frame the policy issues as the privacy of individuals and businesses against the needs of national security and law enforcement. While such a dichotomy does have a kernel of truth, when viewed in the large, this dichotomy is misleading. If cryptography can protect the trade secrets and proprietary information of businesses and thereby reduce economic espionage (which it can), it also supports in a most important manner the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States. Framing discussion about national cryptography policy in this larger law enforcement and national security context would help to reduce some of the polarization among the relevant stakeholders.
On the other hand, cryptography intended primarily to maintain the confidentiality of information that is available to the general public for legitimate purposes such as defending against information theft is also available for illegitimate purposes such as terrorism. Encryption thus does pose a threat to the capability that law enforcement authorities may seek under appropriate legal authorization to gain access to information for the purpose of investigating and prosecuting criminal activity. Encryption also poses a threat to intelligence gathering for national security and foreign policy purposes, an activity that depends on access to information of foreign governments and other foreign entities. Note that other applications of cryptography -- for purposes of assuring data integrity and authenticating identities of users and computer systems -- do not pose dilemmas for law enforcement and national security in the same way that confidentiality does.

National Cryptography Policy for the Information Age

For many years, concern over foreign threats to national security has been the primary driver of a national cryptography policy that has sought to maximize the protection of U.S. military and diplomatic communications while denying the confidentiality benefits of cryptography to foreign adversaries through the use of export controls on cryptography and related technical data. More recently, the U.S. government has aggressively promoted the domestic use of a certain kind of cryptography -- escrowed encryption -- that would provide strong protection for legitimate uses but would permit legally authorized access by law enforcement officials when authorized by law. Today, these and other dimensions of current national cryptography policy generate considerable controversy.
All of the various stakes are legitimate: privacy for individuals, protection of sensitive or proprietary information for businesses, ensuring the continuing reliability and integrity of nationally critical information systems and networks, law enforcement access to stored and communicated information for purposes of investigating and prosecuting crime, and national security access to information stored or communicated by foreign powers or other entities and organizations whose interests and intentions are relevant to the national security and the foreign policy interests of the United States. Informed public discussion of the issues must begin by acknowledging the legitimacy both of information gathering for law enforcement and national security purposes and of information security for law-abiding individuals and businesses. The conduct of the debate regarding national cryptography policy has been complicated because a number of participants have often invoked classified information that cannot be made public. However, the cleared members of the National Research Council's Committee to Study National Cryptography Policy (13 of the 16 committee members) concluded that *the debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis*. Classified material is often important to operational matters in specific cases, but it is neither essential to the big picture of why cryptography policy is the way it is nor required for the general outline of how technology will and policy should evolve in the future. The problems of information vulnerability, the legitimacy of the various national interests described above, and trends such as those outlined in Box ES.2 point to the need for a concerted effort to protect vital information assets of the United States. Cryptography is one important element of a comprehensive U.S. policy for better information security. The committee believes that *U.S. 
national policy should be changed to support the broad use of cryptography in ways that take into account competing U.S. needs and desires for individual privacy, international economic competitiveness, law enforcement, national security, and world leadership*. Because cryptography is an important tool for protecting information and because it is very difficult for governments to control, the committee believes that the widespread nongovernment use of cryptography in the United States and abroad is inevitable in the long run. Accordingly, the proper role of national cryptography policy is to facilitate a judicious transition between today's world of high information vulnerability and a future world of greater information security, while to the extent possible meeting the legitimate needs of law enforcement and information gathering for national security and foreign policy purposes. The committee found that *current national cryptography policy is not adequate to support the information security requirements of an information society*. Indeed, current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities. National cryptography policy should support three objectives: 1. Broad availability of cryptography to all legitimate elements of U.S. society; 2. Continued economic growth and leadership of key U.S. industries and businesses in an increasingly global economy, including but not limited to U.S. computer, software, and communications companies; and 3. Public safety and protection against foreign and domestic threats. Objectives 1 and 2 argue for a policy that places few government restrictions on the use of cryptography and actively promotes the use of cryptography on a broad front. 
Objective 3 argues that some kind of government policy role in the deployment and use of cryptography for confidentiality may continue to be necessary for public safety and national security reasons. These three objectives can be met within a framework recognizing that *on balance, the advantages of more widespread use of cryptography outweigh the disadvantages*.
____________________________________________________________
BOX ES.2 The Past and Future World Environment

Past: Computing and communications networks were expensive and rare.
Future trends: Computer and information acquisition, retrieval and processing are inexpensive and ubiquitous. Rapid growth is evident in the development and deployment of diverse technology-based services.

Past: Communications networks were analog and voice oriented; communications made heavy use of dedicated lines.
Future trends: Communications networks are digital and oriented toward video and data transmissions. Communications made heavy use of shared infrastructure and media (e.g., satellites, wireless). Passive eavesdropping is thus harder to detect.

Past: Telecommunications was controlled by a small number of players.
Future trends: Telecommunications involves a large number of players.

Past: The U.S. economy was unquestionably dominant in the world.
Future trends: The U.S. economy is important but not dominant in the world, and it is increasingly interlinked with allies, customers, suppliers, vendors, and competitors all over the world.

Past: The economy was oriented toward material production.
Future trends: The economy is oriented toward information and services.

Past: The security threat was relatively homogeneous (Soviet Union and Cold War).
Future trends: Security threats are much more heterogeneous than in the Cold War, both in origin and in nature.

Past: Cryptography was used primarily for military and diplomatic purposes.
Future trends: Cryptography has important applications throughout all aspects of society.

Past: Government had a relative monopoly on cryptographic expertise and capability.
Future trends: Nongovernmental entities have significant expertise and capability built on an open, public, and expanding base of scientific and technical knowledge about cryptography.
____________________________________________________________
The recommendations below address several critical policy areas. In the interests of brevity, only short rationales for the recommendations are given here. The reader is urged to read Chapter 8 of the report for essential qualifications, conditions, and explanations.

A FRAMEWORK FOR NATIONAL CRYPTOGRAPHY POLICY

The framework for national cryptography policy should provide coherent structure and reduce uncertainty for potential vendors and for nongovernment and government users of cryptography in ways that policy does not do today.

*Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States*. Specifically, a legislative ban on the use of unescrowed encryption would raise both technical and legal or constitutional issues. Technically, many methods are available to circumvent such a ban; legally, constitutional issues, especially those related to free speech, would be almost certain to arise, issues that are not trivial to resolve. Recommendation 1 is made to reinforce this particular aspect of the Administration's cryptography policy.

*Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law*. Only a national discussion of the issues involved in national cryptography policy can result in the broadly acceptable social consensus that is necessary for any policy in this area to succeed.
A consensus derived from such deliberations, backed by explicit legislation when necessary, will lead to greater degrees of public acceptance and trust, a more certain planning environment, and better connections between policy makers and the private sector on which the nation's economy and social fabric rest. *Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces*. As cryptography has assumed greater importance to nongovernment interests, national cryptography policy has become increasingly disconnected from market reality and the needs of parties in the private sector. Experience with technology deployment suggests that reliance on market forces is generally the most effective way to promote the widespread use of a new technology. Since the committee believes that widespread deployment and use of cryptography are in the national interest, it believes that national cryptography policy should align itself with user needs and market forces to the maximum feasible extent. Accordingly, national cryptography policy should emphasize the freedom of domestic users to determine cryptographic functionality, protection, and implementations according to their security needs as they see fit; encourage the adoption of cryptographic standards by the federal government and private parties that are consistent with prevailing industry practice; and support the use of algorithms, product designs, and product implementations that are open to public scrutiny. EXPORT CONTROLS For many years, the United States has controlled the export of cryptographic technologies, products, and related technical information as munitions (on the U.S. Munitions List administered by the State Department). However, the current export control regime for cryptography is an increasing impediment to the information security efforts of U.S. 
firms competing and operating in world markets, developing strategic alliances internationally, and forming closer ties with foreign customers and suppliers. Export controls also have had the effect of reducing the domestic availability of products with strong encryption capabilities. Looking to the future, both U.S. and foreign companies have the technical capability to integrate high-quality cryptographic features into their products and services. U.S. export controls may stimulate the growth of significant foreign competition for U.S. vendors to the detriment of both U.S. national security interests and U.S. business and industry. Some relaxation of today's export controls on cryptography is warranted. Relaxation would create an environment in which U.S. and multinational firms and individuals could use the same security products in the United States and abroad, thereby supporting better information security for U.S. firms operating internationally. It would also increase the availability of good cryptography products in the United States. Finally, it would help to solidify U.S. leadership in a field critical to national security and economic competitiveness. At the same time, cryptography is inherently dual-use in character, with important applications to both civilian and military purposes. Because cryptography is a particularly critical military application for which few technical alternatives are available, retention of some export controls on cryptography will mitigate the loss to U.S. national security interests in the short term, allow the United States to evaluate the impact of relaxation on national security interests before making further changes, and "buy time" for U.S. national security authorities to adjust to a new technical reality. *Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated*. 
*Recommendation 4.1 -- Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable.(1) Today, products with encryption capabilities that incorporate the 56-bit DES algorithm provide this level of confidentiality and should be easily exportable*. As a condition of export, vendors of products covered under this recommendation 4.1 (and 4.2 below) would be required to provide to the U.S. government full technical specifications of their product and reasonable technical assistance upon request in order to assist the U.S. government in understanding the product's internal operations. *Recommendation 4.2 -- Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request*. Firms on the list would agree to abide by a set of requirements described in Chapter 8 that would help to ensure the ability of the U.S. government to obtain the plaintext of encrypted information upon presentation of a proper law enforcement request. (Plaintext is the information that was initially encrypted.) *Recommendation 4.3 -- The U.S. government should streamline and increase the transparency of the export licensing process for cryptography*. Greater efforts in this area would reduce uncertainty regarding rules, time lines, and the criteria used in making decisions about the exportability of particular products. Chapter 8 describes specific possible steps that might be taken. ---------- (1) For purposes of Recommendation 4.1, a product that is "easily exportable" will automatically qualify for treatment and consideration (i.e., commodity jurisdiction, or CJ) under the CCL. Automatic qualification refers to the same procedure under which software products using RC2 or RC4 algorithms for confidentiality with 40-bit key sizes currently qualify for the CCL. 
____________________________________________________________ ADJUSTING TO NEW TECHNICAL REALITIES As noted above, cryptography is helpful to some dimensions of law enforcement and national security and harmful to others. The committee accepts that the onset of an information age is likely to create many new challenges for public safety, among them the greater use of cryptography by criminal elements of society. If law enforcement authorities are unable to gain access to the encrypted communications and stored information of criminals, some criminal investigations and prosecutions will be significantly impaired. For these reasons, specific steps should be taken to mitigate these difficulties. In the realm of national security, new capabilities are needed to better cope with the challenges that cryptography presents. Since 1993, the approach of the U.S. government to these problems has been an aggressive promotion of escrowed encryption (see Chapter 5) as a pillar of the technical foundation for national cryptography policy, primarily in response to the law enforcement concerns described above. Initiatives promoted by the U.S. government include the Escrowed Encryption Standard (a voluntary Federal Information Processing Standard for secure voice telephony), the Capstone/Fortezza initiative that provides escrowed encryption capabilities for secure data storage and communications, and a recent proposal to liberalize export controls on certain encryption products if the keys are "properly escrowed." The committee understands the Administration's rationale for promoting escrowed encryption but believes that escrowed encryption should be only one part of an overall strategy for dealing with the problems that encryption poses for law enforcement and national security. The committee's view of an appropriate overall strategy is described below, and escrowed encryption is the focus of Recommendation 5.3. *Recommendation 5: The U.S. 
government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age*. Over the past 50 years, both law enforcement and national security authorities have had to cope with a variety of changing technological circumstances. For the most part, they have coped with these changes quite well. Today, however, "business as usual" will not suffice to bring agencies responsible for law enforcement and national security into the information age. At the same time, both law enforcement and national security have demonstrated considerable adaptability to new environments; this record of adaptability provides considerable confidence that they can adapt to a future of digital communications and stored data as well. The specific subrecommendations that follow attempt to build on this record. They are intended to support law enforcement and national security missions in their totality -- for law enforcement, in both crime prevention and crime prosecution and investigation; for national security, in both defense of nationally critical information systems and the collection of intelligence information. *Recommendation 5.1 -- The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks*. These applications are particularly important in addressing vulnerabilities of nationally critical information systems and networks. Furthermore, these applications of cryptography are important crime-fighting measures. To date, national cryptography policy has not fully supported such nonconfidentiality uses. Some actions have been taken in this area, but these actions have sometimes conflicted with government concerns about confidentiality. 
As importantly, government has expressed considerably more concern in the public debate regarding the deleterious impact of widespread cryptography used for confidentiality than over the deleterious impact of not deploying cryptographic capabilities for user authentication and data integrity. Chapter 8 provides a number of illustrative examples to demonstrate what specific actions government can take to promote nonconfidentiality applications of cryptography. *Recommendation 5.2 -- The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications (2) and the improvement of security at telephone switches*. Such steps would not diminish government access for lawfully authorized wiretaps through the requirements imposed on carriers today to cooperate with law enforcement in such matters. Furthermore, by addressing public demands for greater security in voice communications that are widely known to be nonsecure through the telecommunications service providers, these measures would also reduce the demand for (and thus the availability of) devices used to provide end-to-end encryption of voice communications. Without a ready supply of such devices, a criminal user would have to go to considerable trouble to obtain a device that could thwart a lawfully authorized wiretap. *Recommendation 5.3 -- To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic*. Escrowed encryption has both benefits and risks. 
The benefits for law enforcement and national security are that when escrowed encryption is properly implemented and widely deployed, law enforcement and national security authorities will be able to obtain access to escrow-encrypted data in specific instances when authorized by law. Escrowed encryption also enables end users to recover encrypted stored data to which access has been inadvertently lost. The risk to end users is that escrowed encryption provides a potentially lower degree of confidentiality because it is specifically designed to permit exceptional access by parties not originally intended to have access to the encrypted data. Aggressive government promotion of escrowed encryption is not appropriate at this time for several reasons: the lack of operational experience with how a large-scale infrastructure for escrowed encryption would work; the lack of demonstrated evidence that escrowed encryption will solve the most serious problems that law enforcement authorities face; the likely harmful impact on the natural market development of applications made possible by new information services and technologies; and the uncertainty of the market response to such aggressive promotion. At the same time, many policy benefits can be gained by an operational exploration of escrowed encryption by the U.S. government for government applications; such exploration would enable the U.S. government to develop the base of experience on which to build a more aggressive promotion of escrowed encryption should circumstances develop in such a way that encrypted communications come to pose a significant problem for law enforcement. *Recommendation 5.4 -- Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime*. 
The purpose of such a statute would be to discourage the use of cryptography for illegitimate purposes, thus focusing the weight of the criminal justice system on individuals who were in fact guilty of criminal activity rather than on law-abiding citizens and criminals alike. Any statute in this area should be drawn narrowly. *Recommendation 5.5 -- High priority should be given to research, development, and deployment of additional technical capabilities for law enforcement and national security to cope with new technological challenges*. Such R&D should be undertaken during the time that it will take for cryptography to become truly ubiquitous. These new capabilities are almost certain to have a greater impact on future information collection efforts than will aggressive attempts to promote escrowed encryption to a resistant market. ---------- (2) "Link encryption" refers to the practice of encrypting information being communicated in such a way that it is encrypted only in between the node from which it is sent and the node where it is received; while the information is at the nodes themselves, it is unencrypted. In the context of link encryption for cellular communications, a cellular call would be encrypted between the mobile handset and the ground station. When carried on the landlines of the telephone network, the call would be unencrypted. ____________________________________________________________ THE POLICY RELATIONSHIP BETWEEN INFORMATION SECURITY AND CRYPTOGRAPHY Although this report is concerned primarily with national cryptography policy, any such policy is only one component of a national information security policy. Without a forward-looking and comprehensive national information security policy, changes in national cryptography policy may have little operational impact on U.S. information security. *Recommendation 6: The U.S. government should develop a mechanism to promote information security in the private sector*. 
As is widely acknowledged, the U.S. government is not well organized to meet the challenges presented by an information society, and no government agency has the responsibility to promote information security in the private sector. Absent a coordinated approach to promoting information security, the needs of many stakeholders may well be given inadequate attention and notice; those who are pursuing enhanced information security and those who have a need for legal access to stored or communicated information must both be included in a robust process for managing the often-competing issues and interests that will inevitably arise over time. Government has an important role in actively promoting the security of information systems and networks critical to the nation's welfare (e.g., the banking and financial system, the public switched telecommunications network, the air traffic control system, the electric power grid). In other sectors of the economy, the role of the U.S. government should be limited to providing information and expertise. Chapter 8 provides some illustrative examples of what the government might do to promote information security in the private sector. CONCLUSION The committee believes that its recommendations will lead to enhanced confidentiality and protection of information for individuals and companies, thereby reducing economic and financial crimes and economic espionage from both domestic and foreign sources. In addition, they will result in improved security and assurance for the information systems and networks used by the nation -- a more secure national information infrastructure. While the recommendations will in these ways contribute to the prevention of crime and enhance national security, the committee recognizes that the spread of cryptography will increase the burden of those in government charged with carrying out certain specific law enforcement and intelligence activities. 
It believes that widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. Thus, the committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography. [End Executive Summary] ____________________________________________________________ A Road Map Through This Report This report responds to a request made in the Defense Authorization Act of FY 1994 by the U.S. Congress for the National Research Council to conduct a comprehensive study of national cryptography policy, a subject that has generated considerable controversy in the past few years. This report is organized into three parts. Part I frames the policy issues. Chapter 1 outlines the problem of growing information vulnerability and the need for technology and policy to mitigate this problem. Chapter 2 describes possible roles for cryptography in reducing information vulnerability and places cryptography into context as one element of an overall approach to ensuring information security. Chapter 3 discusses nongovernment needs for access to encrypted information and related public policy issues, specifically those related to information gathering for law enforcement and national security purposes. Part II of this report describes the instruments and goals of current U.S. cryptography policy and some of the issues raised by current policy. Chapter 4 is concerned primarily with export controls on cryptography, a powerful tool that has long been used in support of national security objectives but whose legitimacy has come under increasing fire in the last several years. 
Chapter 5 addresses escrowed encryption, an approach aggressively promoted by the federal government as a technique for balancing national needs for information security with those of law enforcement and national security. Chapter 6 discusses other dimensions of national cryptography policy, including the Digital Telephony Act of 1995 (aka the Communications Assistance for Law Enforcement Act) and a variety of other levers used in national cryptography policy that do not often receive much attention in the debate. Part III has two goals: enlarging the space of possible policy options, and offering findings and recommendations. Chapter 7 discusses a variety of options for cryptography policy, some of which have been suggested or mentioned in different forums (e.g., in public and/or private input received by the committee, or by various members of the committee). These policy options include alternative export control regimes for cryptography and alternatives for providing third-party access capabilities when necessary. In addition, Chapter 7 addresses several issues related to or affected by cryptography that will appear on the horizon in the foreseeable future. Chapter 8 describes the committee's findings and recommendations. A set of appendixes provides more detail where needed. [End Road Map] ____________________________________________________________ Part I Framing the Policy Issues Part I is intended to explicate the fundamental issues underlying national cryptography policy. Chapter 1 outlines basic elements of a critical problem facing the nation -- the increasing vulnerability of information, a commodity that has become essential to national well-being and future opportunity. 
This vulnerability results from a number of trends, including the explosive growth of digital communications and data storage, the increasingly international dimensions of business, and the growing dependence of the nation on a number of critical information systems and networks. Chapter 2 describes how cryptography can play an important role in reducing the information vulnerability of the nation, of businesses, and of private individuals. Chapter 2 also places cryptography into context, as one element of an overall approach to information security, as a product that responds to factors related to both supply and demand, and as a technology whose large-scale use requires a supporting infrastructure. Chapter 3 discusses public policy issues raised by the need for access to encrypted information. The prospect of near-absolute confidentiality of information -- a prospect enabled by modern cryptography -- is reassuring to some and quite disturbing to others. Important public policy issues are raised by law enforcement authorities, who regard the ability to obtain information surreptitiously but legally as essential to their crime-fighting abilities, and by national security authorities, who place a high value on the ability to monitor the communications of potential adversaries. Even private individuals, who might wish to encrypt records securely, may face the need to recover their data as though they were outsiders if they have forgotten how to gain "legitimate" access; the same is true for businesses in some situations. ____________________________________________________________ 1 Growing Vulnerability in the Information Age Chapter 1 frames a fundamental problem facing the United States today -- the need to protect against the growing vulnerability of information to unauthorized access and/or change as the nation makes the transition from an industrial age to an information age. 
Society's reliance on a changing panoply of information technologies and technology-enabled services, the increasingly global nature of commerce and business, and the ongoing desire to protect traditional freedoms as well as to ensure that government remains capable of fulfilling its responsibilities to the nation all suggest that future needs for information security will be large. These factors make clear the need for a broadly acceptable national cryptography policy that will help to secure vital national interests. 1.1 THE TECHNOLOGY CONTEXT OF THE INFORMATION AGE The information age is enabled by computing and communications technologies (collectively known as information technologies) whose rapid evolution is almost taken for granted today. Computing and communications systems appear in virtually every sector of the economy and increasingly in homes and other locations. These systems focus economic and social activity on information -- gathering, analyzing, storing, presenting, and disseminating information in text, numerical, audio, image, and video formats -- as a product itself or as a complement to physical or tangible products.(1) Today's increasingly sophisticated information technologies cover a wide range of technical progress: + *Microprocessors and workstations* are increasingly important to the computing infrastructure of companies and the nation. Further increases in speed and computational power today come from parallel or distributed processing with many microcomputers and processors rather than faster supercomputers. + *Special-purpose electronic hardware* is becoming easier to develop. Thus, it may make good sense to build specialized hardware optimized for performance, speed, or security with respect to particular tasks; such specialized hardware will in general be better adapted to these purposes than general-purpose machines applied to the same tasks. 
+ *Media* for transporting digital information are rapidly becoming faster (e.g., fiber optics instead of coaxial cables), more flexible (e.g., the spread of wireless communications media), and less expensive (e.g., the spread of CD-ROMs as a vehicle for distributing digital information). Thus, it becomes feasible to rely on the electronic transmission of larger and larger volumes of information and on the storage of such volumes on ever-smaller physical objects. + *Convergence* of technologies for communications and for computing. Today, the primary difference between communications and computing is the distance traversed by data flows: in communications, the traversed distance is measured in miles (e.g., two people talking to each other), while in computing the traversed distance is measured in microns (e.g., between two subcomponents on a single integrated circuit). A similar convergence affects companies in communications and in computing -- their boundaries are blurring, their scopes are changing, and their production processes overlap increasingly. + *Software* is increasingly carrying the burden of providing functionality in information technology. In general, software is what gives hardware its functional capabilities, and different software running on the same hardware can change the functionality of that hardware entirely. Since software is intangible, it can be deployed widely on a very short time scale compared to that of hardware. Box 1.1 contains more discussion of this point. As these examples suggest, information technologies are ever more affordable and ubiquitous. In all sectors of the economy, they drive demand for information systems; such demand will continue to be strong and experience significant growth rates. High-bandwidth and/or wireless media are becoming more and more common. Interest in and use of the Internet and similar public networks will continue to experience very rapid growth. 
---------- (1) Citations to a variety of press accounts can be found in Computer Science and Telecommunications Board (CSTB), National Research Council, *Information Technology and Manufacturing: A Research Agenda*, National Academy Press, Washington, D.C., 1993; CSTB, *Information Technology in the Service Society: A Twenty-First Century Lever*, 1993; CSTB, *Realizing the Information Future: The Internet and Beyond*, 1994; CSTB, *Keeping the Computer and Communications Industry Competitive: Convergence of Computing, Communications, and Entertainment*, 1995; and CSTB, *The Unpredictable Certainty: Information Infrastructure Through 2000*, 1996. ____________________________________________________________ 1.2 TRANSITION TO AN INFORMATION SOCIETY -- INCREASING INTERCONNECTIONS AND INTERDEPENDENCE As the availability and use of computer-based systems grow, so, too, does their interconnection. The result is a shared infrastructure of information, computing, and communications resources that facilitates collaboration at a distance, geographic dispersal of operations, and sharing of data. With the benefits of a shared infrastructure also come costs. Changes in the technology base have created more vulnerabilities, as well as the potential to contain them. For example, easier access for users in general implies easier access for unauthorized users. The design, mode of use, and nature of a shared infrastructure create vulnerabilities for all users. For national institutions such as banking, new risks arise as the result of greater public exposure through such interconnections. For example, a criminal who penetrates one bank interconnected to the world's banking system can steal much larger amounts of money than are stored at that one bank. (Box 1.2 describes a recent electronic bank robbery.) 
Reducing vulnerability to breaches of security will depend on the ability to identify and authenticate people, systems, and processes and to assure with high confidence that information is not improperly manipulated, corrupted, or destroyed. Although society is entering an era abounding with new capabilities, many societal practices today remain similar to those of the 1960s and 1970s, when computing was dominated by large, centralized mainframe computers. In the 1980s and 1990s, they have not evolved to reflect the introduction of personal computers, portable computing, and increasingly ubiquitous communications networks. Thus, people continue to relinquish control over substantial amounts of personal information through credit card transactions, proliferating uses of Social Security numbers, and participation in frequent-buyer programs with airlines and stores. Organizations implement trivial or no protection for proprietary data and critical systems, trusting policies to protect portable storage media or relying on simple passwords to protect information. These practices have endured against a backdrop of relatively modest levels of commercial and individual risk; for example, the liability of a credit-card owner for credit card fraud perpetrated by another party is limited by law to $50. Yet most computer and communications hardware and software systems are subject to a wide range of vulnerabilities, as described in Box 1.3. Moreover, information on how to exploit such vulnerabilities is often easy to obtain. As a result, a large amount of information that people say they would like to protect is in fact available through entirely legal channels (e.g., purchasing a credit report on an individual) or in places that can be accessed improperly through technical attacks requiring relatively modest effort. 
Today, the rising level of familiarity with computer-based systems is combining with an explosion of experimentation with information and communications infrastructure in industry, education, health care, government, and personal settings to motivate new uses of and societal expectations about the evolving infrastructure. A key feature of the new environment is connection or exchange: organizations are connecting internal private facilities to external public ones; they are using public networks to create virtual private networks, and they are allowing outsiders such as potential and actual customers, suppliers, and business allies to access their systems directly. One vision of a world of electronic commerce and what it means for interconnection is described in Box 1.4. Whereas a traditional national security perspective might call for keeping people out of sensitive stores of information or communications networks, national economic and social activity increasingly involves the exact opposite: inviting people from around the world to come in -- with varying degrees of recognition that all who come in may not be benevolent. Box 1.5 describes some of the tensions between security and openness. Such a change in expectations and perspective is unfolding in a context in which controls on system access have typically been deficient, beginning with weak operating system security. The distributed and internetworked communications systems that are emerging raise questions about protecting information regardless of the path traveled (end-to-end security), as close to the source and destination as possible. The international dimensions of business and the growing importance of competitiveness in the global marketplace complicate the picture further. Although "multinationals" have long been a feature of the U.S. 
economy, the inherently international nature of communications networks and the growing capabilities for distributing and accessing information worldwide are helping many activities and institutions to transcend national boundaries. (See Box 1.6.) At the same time, export markets are at least as important as domestic U.S. markets for a growing number of goods and service producers, including producers of information technology products as well as a growing variety of high- and low-technology products. The various aspects of globalization -- identifying product and merchandising needs that vary by country; establishing and maintaining employment, customer, supplier, and distribution relationships by country; coordinating activities that may be dispersed among countries but result in products delivered to several countries; and so on -- place new demands on U.S.-based and U.S.-owned information, communication, organizational, and personal resources and systems. 1.3 COPING WITH INFORMATION VULNERABILITY Solutions to cope with the vulnerabilities described above require both appropriate technology and user behavior and are as varied as the needs of individual users and organizations. Cryptography -- a technology described more fully in Chapter 2 and Appendix C -- is an important element of many solutions to information vulnerability that can be used in a number of different ways. National cryptography policy -- the focus of this report -- concerns how and to what extent government affects the development, deployment, and use of this important technology. To date, public discussion of national cryptography policy has focused on one particular application of cryptography, namely its use in protecting the confidentiality of information and communications. 
Accordingly, consideration of national cryptography policy must take into account two fundamental issues: + If the public information and communications infrastructure continues to evolve with very weak security throughout, reflecting both deployed technology and user behavior, the benefits from cryptography for confidentiality will be significantly less than they might otherwise be. + The vulnerabilities implied by weak security overall affect the ability of specific mechanisms such as cryptography to protect not only confidentiality but also the integrity of information and systems and the availability of systems for use when sought by their users. Simply protecting (e.g., encrypting) sensitive information from disclosure can still leave the rest of a system open to attacks that can undermine the encryption (e.g., the lack of access controls that could prevent the insertion of malicious software) or destroy the sensitive information. Cryptography thus must be considered in a wider context. It is not a panacea, but it is extremely important to ensuring security and can be used to counter several vulnerabilities. Recognition of the need for system and infrastructure security and demand for solutions are growing. Although demand for solutions has yet to become widespread, the trend is away from a marketplace in which the federal government (2) was the only meaningful customer. Growing reliance on a shared information and communications infrastructure means that all individuals and organizations should be, and the committee believes will become, the dominant customers for better security. That observation is inherent in the concept of infrastructure as something on which people rely. What may be less obvious is that as visions of ubiquitous access and interconnection are increasingly realized, individual, organizational, and governmental needs may become aligned. Such an alignment would mark a major change from the past. 
Again, sharing of a common infrastructure is the cause: everyone, individual or organization, public or private sector, is a user. As significantly, all of these parties face a multitude of threats to the security of information (Box 1.7). Consideration of the nation's massive dependence on the public switched telecommunications network, which is one of many components of the information and communications infrastructure, provides insight into the larger set of challenges posed by a more complex infrastructure (Box 1.8).

To illustrate the broad panorama of stakeholder interests in which national cryptography policy is formulated, the next several sections examine different aspects of society from the standpoint of needs for information security.

----------

(2) The more general statement is that the market historically involved national governments in several countries as the principal customers.

____________________________________________________________

1.4 THE BUSINESS AND ECONOMIC PERSPECTIVE

For purposes of this report, the relationship of U.S. businesses to the information society has two main elements. One element is that of protecting information important to the success of U.S. businesses in a global marketplace. The second element is ensuring the nation's continuing ability to exploit U.S. strengths in information technology on a worldwide basis.

1.4.1 Protecting Important Business Information

A wide range of U.S. companies operating internationally are threatened by foreign information-collection efforts. The National Counterintelligence Center (NACIC) reports that "the U.S.
industries that have been the targets in most cases of economic espionage and other foreign collection activities include biotechnology; aerospace; telecommunications; computer hardware/software, advanced transportation and engine technology; advanced materials and coatings; energy research; defense and armaments technology; manufacturing processes; and semiconductors."(3) Foreign collectors target proprietary business information such as bid, contract, customer, and strategy information, as well as corporate financial and trade data.

Of all of the information vulnerabilities facing U.S. companies internationally (Box 1.7), electronic vulnerabilities appear to be the most significant. For example, the NACIC concluded that "specialized technical operations (including computer intrusions, telecommunications targeting and intercept, and private-sector encryption weaknesses) account for the largest portion of economic and industrial information lost by U.S. corporations." The NACIC noted,

Because they are so easily accessed and intercepted, corporate telecommunications -- particularly international telecommunications -- provide a highly vulnerable and lucrative source for anyone interested in obtaining trade secrets or competitive information. Because of the increased usage of these links for bulk computer data transmission and electronic mail, intelligence collectors find telecommunications intercepts cost-effective. For example, foreign intelligence collectors intercept facsimile transmissions through government-owned telephone companies, and the stakes are large -- approximately half of all overseas telecommunications are facsimile transmissions. Innovative "hackers" connected to computers containing competitive information evade the controls and access companies' information. In addition, many American companies have begun using electronic data interchange, a system of transferring corporate bidding, invoice, and pricing data electronically overseas.
Many foreign government and corporate intelligence collectors find this information invaluable.(4)

Why is electronic information so vulnerable? The primary reason is that it is computer-readable and thus much more vulnerable to automated search than are intercepted voice or postal mail transmissions. Once the information is collected (e.g., through an existing wiretap or a protocol analyzer on an Internet router), it is relatively simple for computers to search streams of electronic information for word combinations of interest (e.g., "IBM," "research," and "superconductivity" in the same message). As the cost of computing drops, the cost of performing such searches drops.(5) The threat posed by automated search, coupled with the sensitivity of certain communications that are critical for nongovernment users, is at the root of nongovernment demand for security.(6)

Note that solutions for coping with information-age vulnerabilities may well create new responsibilities for businesses. For example, businesses may have to ensure that the security measures they take are appropriate for the information they are protecting, and/or that the information they are protecting remains available for authorized use. Failure to discharge these responsibilities properly may result in a set of liabilities that these businesses currently do not face.

Appendix I of this report elaborates issues of information vulnerability in the context of key industries such as banking and financial services, health care, manufacturing, the petroleum industry, pharmaceuticals, the entertainment industry, and government.

----------

(3) National Counterintelligence Center, *Annual Report to Congress on Foreign Economic Collection and Industrial Espionage*, Washington, D.C., July 1995, p. 15.

(4) From the National Counterintelligence Center, *Annual Report to Congress on Foreign Economic Collection and Industrial Espionage*, Washington, D.C., July 1995.
Further, intelligence collections by foreign powers are facilitated when a hostile government interested in eavesdropping controls the physical environment in which a U.S. company may be operating. For example, the U.S. company may be in a nation in which the telecommunications system is under the direct control of the government. When a potentially hostile government controls the territory on which a company must operate, many more compromises are possible.

(5) As a rough rule of thumb, Martin Hellman estimates that 10 billion (10^10) words can be searched for $1. This estimate is based on an experiment in which Hellman used the Unix utility program "fgrep" to search a 1 million (10^6) character file for a specific string of 10 characters known to be at the end of the file and nowhere else. It took the NeXT workstation on which this experiment was run approximately 1 second to find these last 10 characters. Since there are approximately 10^5 seconds in a day and 10^3 days (about 3 years) in the useful life of the workstation, it can search roughly 10^13 over its life. Since such a workstation is worth on the order of $1,000 today, this works out to 10^10 words searched for $1. (With the use of specialized hardware, this cost could be reduced significantly. For example, in the 1976 Book IV of the Senate Select Committee on Intelligence Report, R.L. Garwin describes the use of "match registers" to efficiently implement queries against a database.)

(6) Other noncomputer-based technology for the clandestine gathering of information is widely available on the retail market. In recent years, concern over the ready availability of such equipment has grown. See, for example, Ross E. Milloy, "Spying Toys for Adults or Supplies for Crimes?," *New York Times*, August 28, 1995, p. A-10; Pam Belluck, "A Shadow over the Spy-Shop Business," *New York Times*, September 22, 1995, p. B-3; and James C. McKinley, Jr., "U.S.
Agents Raid Stores in 24 Cities to Seize Spy Gear," *New York Times*, April 6, 1995, p. A-1.

____________________________________________________________

1.4.2 Ensuring the Nation's Ability to Exploit Global Markets

With the increasing globalization of business operations, information technology plays a key role in maintaining the competitive strengths of U.S. business. In particular, U.S. businesses have proven adept at exploiting information and information technologies to create new market niches and expand old ones. This pattern has deep roots. For example, beginning in the 1960s, American Airlines pioneered in computerized reservations systems and extended use of the information captured and stored in such systems, generating an entire new business that is more profitable than air transport services. More recently, creative uses of information technology have advanced U.S. leadership in the production of entertainment products (e.g., movies and videos, recorded music, on-line services) for the world.

U.S. innovation in using information technology reflects in part the economic vitality that makes new technology affordable. It also reflects proximity to the research and production communities that supply key information technology products, communities with which a variety of U.S. industries have successfully exchanged talent, communicated their needs as customers, and collaborated in the innovation process. In other words, it is not an accident that innovation in both use and production of information technology has blossomed in the United States.

The business advantages enjoyed by U.S. companies that use information technology are one important reason that the health of U.S. computer, telecommunications, and information industries is important to the economy as a whole. A second important reason is the simple fact that the U.S.
information technology sector (the set of industries that supply information technology goods and services) is the world's strongest.(7) The industry has an impressive record of product innovation; key U.S. products are de facto world standards; U.S. marketing and distribution capabilities for software products are unparalleled; and U.S. companies have considerable strengths in the manufacture of specialized semiconductor technologies and other key components. A strong information technology sector makes a significant contribution to the U.S. balance of payments and is responsible for large numbers of high-paying jobs. These strengths establish a firm foundation for continued growth in sales for U.S. information technology products and services as countries worldwide assimilate these technologies into their economies.

Finally, because of its technological leadership the United States should be better positioned to extend that lead, even if the specific benefits that may result are not known in advance. The head start in learning how to use information technology provides a high baseline on which U.S. individuals and organizations can build.

The committee believes that information technology is one of a few high-technology areas (others might include aerospace and electronics) that play a special role in the economic health of the nation, and that leadership in this area is one important factor underlying U.S. economic strength in the world today.(8) To the extent that this belief is valid, the economic dimension of national security and perhaps even traditional national security itself may well depend critically on a few key industries that are significant to military capabilities, the industrial base, and the overall economic health of the nation. Policy that acts against the health and global viability of these industries or that damages the ability of the private sector to exploit new markets and identify niches globally thus deserves the most careful scrutiny.
Because it is inevitable that other countries will expand their installed information technology bases and develop their own innovations and entrepreneurial strengths, U.S. leadership is not automatic. Already, evidence of such development is available, as these nations build on the falling costs of underlying technologies (e.g., microprocessors, aggregate communications bandwidth) and worldwide growth in relevant skills. The past three decades of information technology history provide enough examples of both successful first movers and strategic missteps to suggest that U.S. leadership can be either reinforced or undercut: leadership is an asset, and it is sensitive to both public policy and private action.

Public and private factors affecting the competitive health of U.S. information technology producers are most tightly coupled in the arena of foreign trade.(9) U.S. producers place high priority on ease of access to foreign markets. That access reflects policies imposed by U.S. and foreign governments, including governmental controls on what can be exported to whom. Export controls affect foreign trade in a variety of hardware, software, and communications systems.(10) They are the subject of chronic complaints from industry, to which government officials often respond by pointing to other, industry-centered explanations (e.g., deficiencies in product design or merchandising) for observed levels of foreign sales and market shares. Chapter 4 addresses export controls in the context of cryptography and national cryptography policy.

----------

(7) For example, a staff study by the U.S. International Trade Commission found that 8 of the world's top ten applications software vendors, 7 of the world's top ten systems software vendors, the top 5 systems integration firms, and 8 of the top ten custom programming firms are U.S. firms; the top nine global outsourcing firms have headquarters in the U.S. See Office of Industries, U.S.
International Trade Commission, *Global Competitiveness of the U.S. Computer Software and Service Industries*, Staff Research Study #21, Washington, D.C., June 1995, Chapter 5.

(8) The committee acknowledges that there is a wide range of judgment among responsible economists on this matter. Some argue that the economy is so diverse that the fate of a single industry or even a small set of industries has a relatively small effect on broader economic trends. Others argue that certain industries are important enough to warrant subsidy or industrial policy to promote their interests. The committee discussed this specific issue to a considerable extent and found a middle ground between these two extremes -- that information technology is one important industry among others, and that the health and well-being of that industry are important to the nation. This position is also supported by the U.S. government, which notes that telecommunications and computer hardware/software are among a number of industries that are of "strategic interest to the United States ... because they produce classified products for the government, produce dual use technology used in both the public and private sectors, and are responsible for leading-edge technologies critical to maintaining U.S. economic security." National Counterintelligence Center, *Annual Report to Congress on Foreign Economic Collection and Industrial Espionage*, Washington, D.C., July 1995, p. 15.

(9) Of course, many intrafirm and intraindustry factors shape competitive strength, such as good management, adequate financing, good fit between products and consumer preferences, and so on.

(10) See, for example, John Harvey et al., *A Common-Sense Approach to High-Technology Export Controls*, Center for International Security and Arms Control, Stanford University, Stanford, California, March 1995; National Research Council, *Finding Common Ground: U.S.
Export Controls in a Changed Global Environment*, National Academy Press, Washington, D.C., 1991; Computer Science and Telecommunications Board, National Research Council, *Global Trends in Computer Technology and Their Impact on Export Control*, National Academy Press, Washington, D.C., 1988.

____________________________________________________________

1.5 INDIVIDUAL AND PERSONAL INTERESTS IN PRIVACY

The emergence of the information age affects individuals as well as businesses and other organizations. As numerous reports argue, the nation's information infrastructure promises many opportunities for self-education, social exchange, recreation, personal business, cost-effective delivery of social programs, and entrepreneurship.(11) Yet the same technologies that enable such benefits may also convey unwanted side effects. Some of those can be considered automated versions of problems seen in the paper world; others are either larger in scale or different in kind. For individuals, the area relevant to this report is privacy and the protection of personal information. Increasing reliance on electronic commerce and the use of networked communication for all manner of activities suggest that more information about more people will be stored in network-accessible systems and will be communicated more broadly and more often, thus raising questions about the security of that information.

Privacy is generally regarded as an important American value, a right whose assertion has not been limited to those "with something to hide." Indeed, assertion of the right to privacy as a matter of principle (rather than as an instrumental action) has figured prominently in U.S. political and social history; it is not merely abstract or theoretical.
In the context of an information age, an individual's privacy can be affected on two levels: privacy in the context of personal transactions (with businesses or other institutions and with other individuals), and privacy vis-a-vis governmental units. Both levels are affected by the availability of tools, such as cryptography in the context of information and communications systems, that can help to preserve privacy. Today's information security technology, for example, makes it possible to maintain or even raise the cost of collecting information about individuals. It also provides more mechanisms for government to help protect that information. The Clinton Administration has recognized concerns about the need to guard individual privacy, incorporating them into the security and privacy guidelines of its Information Infrastructure Task Force.(12) These guidelines represent an important step in the process of protecting individual privacy.

----------

(11) See, for example, Computer Science and Telecommunications Board (CSTB), National Research Council, *The Unpredictable Certainty: Information Infrastructure Through 2000*, National Academy Press, Washington, D.C., 1996; and CSTB, *The Unpredictable Certainty: Companion Volume of White Papers*, 1996; CSTB, *The Changing Nature of Telecommunications/Information Infrastructure*, National Academy Press, Washington, D.C., 1995.

(12) Information Infrastructure Task Force, National Information Infrastructure Security Issues Forum, *NII Security: The Federal Role*, Washington, D.C., June 5, 1995.

____________________________________________________________

1.5.1 Privacy in an Information Economy

Today, the prospect for easier and more widespread collection and use of personal data as a byproduct of ordinary activities raises questions about inappropriate activities by industry, nosy individuals, and/or criminal elements in society.
Criminals may obtain sensitive financial information to defraud individuals (credit card fraud, for example, amounts to approximately $20 per card per year). Insurance companies may use health data collected on individuals to decide whether to provide or deny health insurance -- putting concerns about business profitability in possible conflict with individual and public health needs.

On the other hand, much of the personal data in circulation is willingly divulged by individuals for specific purposes; the difficulty is that once shared, such information is available for additional uses. Controlling the further dissemination of personal data is a function both of procedures for how information should be used and of technology (including but not limited to cryptography) and procedures for restricting access to those authorized.

Given such considerations, individuals in an information age may wish to be able to:

+ Keep specific information private. Disclosure of information of a personal nature that could be embarrassing if known, whether or not such disclosure is legal, is regarded as an invasion of privacy by many people. A letter to Ann Landers from a reader described his inadvertent eavesdropping on some very sensitive financial transactions being conducted on a cordless telephone.(13) A staff member of this study committee has heard broadcasts of conversations that apparently emanate from a next-door baby monitor whose existence has been forgotten. Home banking services using telephone lines or network connections and personal computers will result in the flow on public networks of large amounts of personal information regarding finances. Even the ad copy in some of today's consumer catalogues contains references to information security threats.(14)

+ Ensure that a party with whom they are transacting business is indeed the party he or she claims to be.
Likewise, they may seek to authenticate their own identity with confidence that such authentication will be accepted by other parties, and that anyone lacking such authentication will be denied the ability to impersonate them.(15) Such a capability is needed to transfer money among mutual funds with a telephone call or to minimize unauthorized use of credit card accounts.(16) In an electronic domain without face-to-face communications or recognizable indicators such as voices and speech patterns (as used today in telephone calls), forgery of identity becomes increasingly easy.

+ Prevent the false repudiation of agreed-to transactions. It is undesirable for a party to a transaction to be able to repudiate (deny) his agreement to the terms of the transaction. For example, an individual may agree to pay a certain price for a given product; he or she should not then be able to deny having made that agreement (as he or she might be tempted to do upon finding a lower price elsewhere).

+ Communicate anonymously (i.e., carry out the opposite of authenticated communication). Individuals may wish to communicate anonymously to criticize the government or a supervisor, report illegal or unethical activity without becoming further involved, or obtain assistance for a problem that carries a social stigma. In other instances, they may simply wish to speak freely without fear of social reprisal or for the entertainment value of assuming a new digital identity in cyberspace.

+ Ensure the accuracy of data that is relevant to them. Many institutions such as banks, financial institutions, and hospitals keep records on individuals. These individuals often have no personal control of these records, even though the integrity of the data in these records can be of crucial significance. Occasional publicity attests to instances of the inaccuracy of such data (e.g., credit records) and to the consequences for individuals.
Practical safeguards for privacy such as those outlined above may be more compelling than abstract or principled protection of a right to privacy.

----------

(13) Ann Landers. "Ann Landers," *Washington Post*, Creators Syndicate, October 20, 1995, p. D-5.

(14) For example, a catalogue from Comtrad Industries notes that "burglars use 'Code Grabbers' to open electric garage doors and break into homes," defining "code grabbers" as "devices that can record and play back the signal produced from your garage door remote control." Comtrad Industries, (p. 20, catalogue from 1995). The Herrington catalogue advertises the "Enigma" phone scrambler by noting that "[a] recent Wall Street Journal article documents the increasing acceptance and prevalence of industrial espionage" and mentions as an "example of the alarming intrusion of the federal government into citizens' private lives" the fact that "the FBI petitioned Congress to further expand its wiretapping authority." Herrington, Winter 1996, p. 13. Note that both of these mail-order firms cater to mainstream consumer sentiment.

(15) For example, a journalist that had reported on the trafficking of illegally copied software on America Online was the victim of hackers that assumed his on-line identity, thereby intercepting his e-mail messages and otherwise impersonating him. See Peter Lewis, "Security Is Lost in Cyberspace," *New York Times*, February 22, 1995, p. D-1. Other cases of "stolen identities" have been reported in the press, and while these cases remain relatively isolated, they are still a matter of public concern. Thieves forge signatures and impersonate identities of law-abiding citizens to steal money from bank accounts and to obtain credit cards in the name of those citizens; see Charles Hall, "A Personal Approach to Stealing," *Washington Post*, April 1, 1996, p. A-1.
(16) For example, a recent press article calls attention to security concerns raised by the ease of access to 401(k) retirement accounts (for which there is no cap on the liability incurred if a third party with unauthorized access to it transfers funds improperly). See Timothy Middleton, "Will Thieves Crack Your Automated Nest Egg?," *New York Times*, March 10, 1996, Business Section, p. 10. Another article describes a half-dozen easy-to-apply methods that can be used by criminals to undertake fraud. See Albert Crenshaw, "Creative Credit Card Crooks Draw High-Tech Response," *Washington Post*, August 6, 1995, Business Section, p. H-1.

____________________________________________________________

1.5.2 Privacy for Citizens

Public protection of privacy has been less active in the United States than in other countries, but the topic is receiving increasing attention. In particular, it has become an issue in the political agenda of people and organizations that have a wide range of concerns about the role and performance of government at all levels; it is an issue that attracts advocates from across the spectrum of political opinion. The politicization of privacy may inhibit the orderly consideration of relevant policy, including cryptography policy, because it revolves around the highly emotional issue of trust in government. The trust issue surfaced in the initial criticisms of the Clipper chip initiative proposal in 1993 (Chapter 5) and continues to color discussion of privacy policy generally and cryptography policy specifically.
To many people, freedom of expression and association, protection against undue governmental, commercial, or public intrusion into their personal affairs, and fair treatment by various authorities are concerns shaped by memories of highly publicized incidents in which such rights were flouted.(17) It can be argued that such incidents were detectable and correctable precisely because they involved government units that were obligated to be publicly accountable -- and indeed, these incidents prompted new policies and procedures as well as greater public vigilance. It is also easy to dismiss them as isolated instances in a social system that for the most part works well. But where these episodes involve government, many of those skeptical about government believe that they demonstrate a capacity of government to violate civil liberties of Americans who are exercising their constitutional rights.(18) This perception is compounded by attempts to justify past incidents as having been required for purposes of national security. Such an approach both limits public scrutiny and vitiates policy-based protection of personal privacy.

It is hard to determine with any kind of certainty the prevalence of the sentiments described in this section. By some measures, over half of the public is skeptical about government in general,(19) but whether that skepticism translates into widespread public concern about government surveillance is unclear. The committee believes that most people acting as private individuals feel that their electronic communications are secure and do not generally consider it necessary to take special precautions against threats to the confidentiality of those communications. These attitudes reflect the fact that most people, including many who are highly knowledgeable about the risks, do not give much conscious thought to these issues in their day-to-day activities.
At the same time, the committee acknowledges the concerns of many law-abiding individuals about government surveillance. It believes that such concerns and the questions they raise about individual rights and government responsibilities must be taken seriously. It would be inappropriate to dismiss such individuals as paranoid or overly suspicious. Moreover, even if only a minority is worried about government surveillance, it is an important consideration, given the nation's history as a democracy,(20) for determining whether and how access to and use of cryptography may be considered a citizen's right (Chapter 7).

----------

(17) Some incidents that are often cited include the surveillance of political dissidents, such as Martin Luther King, Jr., Malcolm X, and the Student Non-Violent Coordinating Committee in the mid to late 1960s; the activities of the Nixon "plumbers" in the late 1960s, including the harassment and surveillance of sitting and former government officials and journalists and their associates in the name of preventing leaks of sensitive national security information; U.S. intelligence surveillance of the international cable and telephone communications of U.S. citizens from the early 1940s through the early 1970s in support of FBI and other domestic law enforcement agencies; and the creation of FBI dossiers on opponents of the Vietnam War in the mid-1960s. The description of these events is taken largely from Frank J. Donner, *The Age of Surveillance*, Alfred A. Knopf, Inc., New York, 1980 (surveillance of political dissidents, pp. 244-248; plumbers, pp. 248-252; FBI dossiers on antiwar protesters, pp. 252-256; NSA surveillance, pp. 276-277.) Donner's book documents many of these events. See also *Final Report of the Senate Select Committee to Study Governmental Operations with respect to Intelligence Activities*, Book II, April 26, 1974, U.S. Government Printing Office, Washington, D.C., p. 12.
(18) For example, at the 4th Conference on Computers, Freedom, and Privacy in Chicago, Illinois, held in 1994, a government speaker asked the audience if they were more concerned about government abuse and harassment or about criminal activity that might be directed at them. An overwhelming majority of the audience indicated greater concern about the first possibility. For recent accounts that give the flavor of concerns about malfeasance by law enforcement officials, see Ronald Smothers, "Atlanta Holds Six Policemen In Crackdown," *New York Times*, September 7, 1995, p. 9; George James, "Police Officer Is Arrested on Burglary Charges in Sting Operation," *New York Times*, September 7, 1995, p. B-5; Kenneth B. Noble, "Many Complain of Bias in Los Angeles Police," *New York Times*, September 4, 1995, p. 11; Kevin Sack, "Racism of a Rogue Officer Casts Suspicion on Police Nationwide," *New York Times*, September 4, 1995, p. 1; Gordon Witkin, "When the Bad Guys are Cops," *U.S. News & World Report*, September 11, 1995, p. 20; Barry Tarlow, "Doing the Fuhrman Shuffle," *Washington Post*, August 27, 1995, p. C-2; David W. Dunlap, "F.B.I. Kept Watch on AIDS Group During Protest Years," *New York Times*, May 16, 1995, p. B3.

(19) For example, a national Harris poll in January 1994 asked "Which type of invasions of privacy worry you the most in America today -- activities of government agencies or businesses?" Fifty-two percent said that government agencies were their greater worry, while 40% selected business. See Center for Social and Legal Research, *Privacy & American Business*, Volume 1(3), Hackensack, New Jersey, 1994, p. 7.

(20) Protecting communications from government surveillance is a time-honored technique for defending against tyranny. A most poignant example is the U.S. insistence in 1945 that the postwar Japanese constitution include protection against government surveillance of the communications of Japanese citizens.
In the aftermath of the Japanese surrender in World War II, the United States drafted a constitution for Japan. The initial U.S. draft contained a provision saying that "[n]o censorship shall be maintained, nor shall the secrecy of any means of communication be violated." The Japanese response to this provision was a revised provision stating that "[t]he secrecy of letter and other means of communication is guaranteed to all of the people, provided that necessary measures to be taken for the maintenance of public peace and order, shall be provided by law." General Douglas MacArthur, who was supervising the drafting of the new Japanese constitution, insisted that the original provision regarding communications secrecy and most other provisions of the original U.S. draft be maintained. The Japanese agreed, this time requesting only minor changes in the U.S. draft, and accepting fully the original U.S. provision on communications secrecy. See Osamu Nishi, *Ten Days Inside General Headquarters (GHQ): How the Original Draft of the Japanese Constitution Was Written in 1946*, Seibundo Publishing Co. Ltd., Tokyo, 1989.

____________________________________________________________

1.6 SPECIAL NEEDS OF GOVERNMENT

Government encompasses many functions that generate or depend on information, and current efforts to reduce the scope and size of government depend heavily on information technology. In many areas of government, the information and information security needs resemble those of industry (see Appendix I). Government also has important responsibilities beyond those of industry, including those related to public safety. For two of the most important and least understood in detail, law enforcement and national security, the need for strong information security has long been recognized.

Domestic law enforcement authorities in our society have two fundamental responsibilities: preventing crime and prosecuting individuals that have committed crimes.
Crimes committed and prosecuted are more visible to the public than crimes prevented (see Chapter 3). The following areas relevant to law enforcement require high levels of information security: + *Prevention of information theft from businesses and individuals*, consistent with the transformation of economic and social activities outlined above. + *Tactical law enforcement communications*. Law enforcement officials working in the field need secure communications. At present, police scanners available at retail electronics stores can monitor wireless communications channels used by police; criminals eavesdropping on such communications can receive advance warning of police responding to crimes that they may be committing. + *Efficient use by law enforcement officials of the large amounts of information compiled on criminal activity*. Getting the most use from such information implies that it be remotely accessible and not be improperly modified (assuming its accuracy and proper context, a requirement that in itself leads to much controversy (21) ). + *Reliable authentication of law enforcement officials*. Criminals have been known to impersonate law enforcement officials for nefarious purposes, and the information age presents additional opportunities. In the domain of national security, traditional missions involve protection against military threats originating from other nation-states and directed against the interests of the United States or its friends and allies. These traditional missions require strong protection for vital information. + U.S. military forces require secure communications. Without cryptography and other information security technologies in the hands of friendly forces, hostile forces can monitor the operational plans of friendly forces to gain an advantage.(22) + Force planners must organize and coordinate flows of supplies, personnel, and equipment. 
Such logistical coordination involves databases whose integrity and confidentiality as well as remote access must be maintained. + Sensitive diplomatic communications between the United States and its representatives or allies abroad, and/or between critical elements of the U.S. government, must be protected as part of the successful conduct of foreign affairs, even in peacetime.(23) In addition, the traditional missions of national security have expanded in recent years to include protection against terrorists (24) and international criminals, especially drug cartels.(25) Furthermore, recognition has been growing that in an information age, economic security is part of national security. More broadly, there is a practical convergence under way among protection of individual liberties, public safety, economic activity, and military security. For example, the nation is beginning to realize that critical elements of the U.S. civilian infrastructure -- including the banking system, the air traffic control system, and the electric power grid -- must be protected against the threats described above, as must the civilian information infrastructure that supports the conduct of sensitive government communications. Because civilian infrastructure provides a significant degree of functionality on which the military and defense sector depends, traditional national security interests are at stake as well, and concerns have grown about the implications of what has come to be known as information warfare (Box 1.9). More generally, the need for more secure systems, updated security policies, and effective procedural controls is taking on truly nationwide dimensions. ---------- (21) See for example, U.S. General Accounting Office, *National Crime Information Center: Legislation Needed to Deter Misuse of Criminal Justice Information*, GAO/T-GGD-93-41, 1993. 
(22) For example, the compromise of the BLACK code used by Allied military forces in World War II enabled German forces in Africa in 1942, led by General Erwin Rommel, to determine the British order of battle (quantities, types, and locations of forces), estimate British supply and morale problems, and know the tactical plans of the British. For example, the compromise of one particular message enabled Rommel to thwart a critical British counterattack. In July of that year, the British switched to a new code, thus denying Rommel an important source of strategic intelligence. Rommel was thus surprised at the Battle of Alamein, widely regarded as a turning point in the conflict in the African theater. See David Kahn, *The Codebreakers: The Story of Secret Writing*, MacMillan, New York, 1967, pp. 472-477. (23) An agreement on Palestinian self-rule was reached in September 1995. According to public reports, the parties involved, Yasir Arafat (leader of the Palestinian Liberation Organization) and Shimon Peres (then Foreign Minister of Israel), depended heavily on the telephone efforts of Dennis Ross, a U.S. negotiator, in mediating the negotiations that led to the agreement. Obviously, in such circumstances, the security of these telephone efforts was critical. See Steven Greenhouse, "Twist to Shuttle Diplomacy: U.S. Aide Mediated by Phone," *New York Times*, September 25, 1995, p. 1. (24) Terrorist threats generally emanate from nongovernmental groups, though at times involving the tacit or implicit (but publicly denied) support of sponsoring national governments. Furthermore, the United States is regarded by many parties as a particularly important target for political reasons by virtue of its prominence in world affairs. Thus, terrorists in confrontation with a U.S. ally may wish to make a statement by attacking the United States directly rather than its ally. (25) See, 
for example, Phil Williams, "Transnational Criminal Organizations and International Security," *Survival*, Volume 36(1), Spring 1994, pp. 96-113. ____________________________________________________________ 1.7 RECAP Chapter 1 underscores the need for attention to protecting vital U.S. interests and values in an information age characterized by a number of trends: + The world economy is in the midst of a transition from an industrial to an information age in which information products are extensively bought and sold, information assets provide leverage in undertaking business activities, and communications assume ever-greater significance in the lives of ordinary citizens. At the same time, national economies are increasingly interlinked across national borders, with the result that international dimensions of public policy are important. + Trends in information technology suggest an ever-increasing panoply of technologies and technology-enabled services characterized by high degrees of heterogeneity, enormous computing power, and large data storage and transmission capabilities. + Given the transition to a global information society and trends in information technology, the future of individuals and businesses alike is likely to be one in which information of all types plays a central role. Electronic commerce in particular is likely to become a fundamental underpinning of the information future. + Government has special needs for information security that arise from its role in society, including the protection of classified information and its responsibility for ensuring the integrity of information assets on which the entire nation depends. Collectively, these trends suggest that future needs for information security will be large. 
Threats to information security will emerge from a variety of different sources, and they will affect the confidentiality and integrity of data and the reliable authentication of users; these threats do and will affect businesses, government, and private individuals. Chapter 2 describes how cryptography may help to address all of these problems. ____________________________________________________________ BOX 1.1 Communications and Computing Devices and the Role of Software Communications and computing devices can be dedicated to a single purpose or may serve multiple purposes. Dedicated single-purpose devices are usually (though not always) hardware devices whose functionality cannot be easily altered. Examples include unprogrammable pocket calculators, traditional telephones, walkie-talkies, pagers, fax machines, and ordinary telephone answering machines. A multipurpose device is one whose functionality can be altered by the end user. In some instances, a hardware device may be "reprogrammed" to perform different functions simply by the physical replacement of a single chip by another chip or by the addition of a new circuit board. Open bus architectures and standard hardware interfaces such as the PC Card are intended to facilitate multipurpose functionality. Despite such interfaces and architectures for hardware, software is the primary means for implementing multipurpose functionality in a hardware device. With software, physical replacement of a hardware component is unnecessary -- a new software program is simply loaded and executed. Examples include personal computers (which do word processing or mathematical calculations, depending on what software the user chooses to run), programmable calculators (which solve different problems, depending on the programming given to them), and even many modern telephones (which can be programmed to execute functions such as speed dialing). 
In these instances, the software is the medium in which the expectations of the user are embedded. Today, the lines between hardware and software are blurring. For example, some "hardware" devices are controlled by programs stored in semi-permanent read-only memory. "Read-only memory" (ROM) originally referred to memory for storing instructions and data that could never be changed, but this characteristic made ROM-controlled devices less flexible. Thus, the electronics industry responded with "read-only" memory whose contents take special effort to change (such as exposing the memory chip to a burst of ultraviolet light or sending only a particular signal to a particular pin on the chip). The flexibility and cheapness of today's electronic devices make them ubiquitous. Most homes now have dozens of microprocessors in coffee makers, TVs, refrigerators, and virtually anything that has a control panel. ____________________________________________________________ BOX 1.2 An Attempted Electronic Theft from Citicorp Electronic money transfers are among the most closely guarded activities in banking. In 1994, an international group of criminals penetrated Citicorp's computerized electronic transfer system and moved about $12 million from legitimate customer accounts to their own accounts in banks around the world. According to Citicorp, this is the first time its computerized cash-management system has been breached. Corporate customers access the system directly to transfer funds for making investments, paying bills, and extending loans, among other purposes. The Citicorp system moves about $500 billion worldwide each day. Authority to access the system is verified with a cryptographic code that only the customer knows. The case began in June 1994, when Vladimir Levin of St. Petersburg, Russia, allegedly accessed Citicorp computers in New York through the international telephone network, posing as one of Citicorp's customers. 
He moved some customer funds to a bank account in Finland, where an accomplice withdrew the money in person. In the next few months, Levin moved various Citicorp customers' funds to accomplices' personal or business accounts in banks in St. Petersburg, San Francisco, Tel Aviv, Rotterdam, and Switzerland. Accomplices had withdrawn a total of about $400,000 by August 1994. By that time, bank officials and their customers were on alert. Citicorp detected subsequent transfers quickly enough to warn the banks into which funds were moved to freeze the destination accounts. (Bank officials noted they could have blocked some of these transfers, but they permitted and covertly monitored them as part of the effort to identify the perpetrators.) Other perpetrators were arrested in Tel Aviv and Rotterdam; they revealed that they were working with someone in St. Petersburg. An examination of telephone-company records in St. Petersburg showed that Citicorp computers had been accessed through a telephone line at AO Saturn, a software company. A person arrested after attempting to make a withdrawal from a frozen account in San Francisco subsequently identified Levin, who was an AO Saturn employee. Russia has no extradition treaty with the United States; however, Levin traveled to Britain in March 1995 and was arrested there. As of September 1995, proceedings to extradite him for trial in the United States were in progress. Levin allegedly penetrated Citicorp computers using customers' user identifications and passwords. In each case, Levin electronically impersonated a legitimate customer, such as a bank or an investment capital firm. Some investigators suspect that an accomplice inside Citicorp provided Levin with necessary information; otherwise, it is unclear how he could have succeeded in accessing customer accounts. He is believed to have penetrated Citicorp's computers 40 times in all. Citicorp says it has upgraded its system's security to prevent future break-ins. 
---------- SOURCES: William Carley and Timothy O'Brien, "Cyber Caper: How Citicorp System Was Raided and Funds Moved Around World," *Wall Street Journal*, September 12, 1995, p. A-1; Saul Hansell, "A $10 Million Lesson in the Risks of Electronic Banking," *New York Times*, August 19, 1995, p. 31. ____________________________________________________________ BOX 1.3 Vulnerabilities in Information Systems and Networks Information systems and networks can be subject to four generic vulnerabilities: 1. Eavesdropping or data browsing. By surreptitiously obtaining the confidential data of a company or by browsing a sensitive file stored on a computer to which one has obtained improper access, an adversary could be in a position to undercut a company bid, learn company trade secrets (e.g., knowledge developed through proprietary company research) that would eliminate a competitive advantage of the company, or obtain the company's client list in order to steal customers. Moreover, stealth is not always necessary for damage to occur -- many companies would be damaged if their sensitive data were disclosed, even if they knew that such a disclosure had occurred. 2. Clandestine alteration of data. By altering a company's data clandestinely, an adversary could destroy the confidence of the company's customers in the company, disrupt internal operations of the company, or subject the company to shareholder litigation. 3. Spoofing. By illicitly posing as a company, an adversary could place false orders for services, make unauthorized commitments to customers, defraud clients, and cause no end of public relations difficulties for the company. Similarly, an adversary might pose as a legitimate customer, and a company -- with an interest in being responsive to user preferences to remain anonymous under a variety of circumstances -- could then find itself handicapped in seeking proper confirmation of the customer's identity. 4. Denial of service. 
By denying access to electronic services, an adversary could shut down company operations, especially time-critical ones. On a national scale, critical infrastructures controlled by electronic networks (e.g., the air traffic control system, the electrical power grid) involving many systems linked to each other are particularly sensitive. ____________________________________________________________ BOX 1.4 Electronic Commerce and the Implications for Interconnectivity A number of reports have addressed the potential nature and impact of electronic commerce.(1) Out of such reports, several common elements can be distilled: + The interconnection of geographically dispersed units into a "virtual" company. + The linking of customers, vendors, and suppliers through videoconferencing, electronic data interchange, and electronic networks. + The creation of temporary or more permanent strategic alliances for business purposes. + A vastly increased availability of information and information products on line, both free and for a fee, that is useful to individuals and organizations. + The electronic transaction of retail business, beginning with today's toll-free catalog shopping and extending to electronic network applications that enable customers to: -- apply for bank loans; -- order tangible merchandise (e.g., groceries) for later physical delivery; -- order intangible merchandise (e.g., music, movies) for electronic delivery; -- obtain information and electronic documents (e.g., official documents such as driver's licenses and birth certificates). + The creation of a genuinely worldwide marketplace that matches buyers to sellers largely without intermediaries. + New business opportunities for small entrepreneurs that could sell low-value products to the large numbers of potential customers that an electronic marketplace might reach. 
In general, visions of electronic commerce writ large attempt to leverage the competitive edge that information technologies can provide for commercial enterprises. Originally used exclusively to facilitate internal communications, information technology is now used by corporations to connect directly with their suppliers and business partners.(2) In the future, corporate networks will extend all the way to customers, enabling improvements in customer service and more direct channels for customer feedback. Furthermore, information technologies will facilitate the formation of ad hoc strategic alliances among diverse enterprises and even among competitors on a short time scale, driven by changes in business conditions that demand prompt action. This entire set of activities is already well under way. In the delivery of services, the more effective use and transmission of information has had dramatic effects. Today's air transportation system would not exist without rapid and reliable information flows regarding air traffic control, sales, marketing, maintenance, safety, and logistics planning. Retailers and wholesalers depend on the rapid collection and analysis of sales data to plan purchasing and marketing activities, to offer more differentiated services to customers, and to reduce operational costs. The insurance industry depends on rapid and reliable information flows to its sales force and to customize policies and manage risks. (See Computer Science and Telecommunications Board, National Research Council, *Information Technology in the Service Society: A Twenty-First Century Lever*, National Academy Press, Washington, D.C., 1994.) 
---------- (1) See for example, Cross-Industry Working Team, *Electronic Cash, Tokens, and Payments in the National Information Infrastructure*, Corporation for National Research Initiatives, 1895 Preston White Drive, Suite 100, Reston, Virginia 22091-5434 (Internet: info-xiwt@cnri.reston.va.us; Tel: 703/620-8990), 1994; Office of Technology Assessment, *Electronic Enterprises: Looking to the Future*, U.S. Government Printing Office, Washington, D.C., July 1994. (2) For example, in manufacturing, collaborative information technologies can help to improve the quality of designs and reduce the cost and time needed to revise designs; product designers will be able to create a "virtual" product, make extensive computer simulations of its behavior without supplying all of its details, and "show" it to the customer for rapid feedback. Networks will enable the entire manufacturing enterprise to be integrated all along the supply chain, from design shops to truck fleets that deliver the finished products. (See Computer Science and Telecommunications Board, National Research Council, *Information Technology and Manufacturing: A Research Agenda*, National Academy Press, Washington, D.C., 1995.) ____________________________________________________________ BOX 1.5 Tensions Between Security and Openness Businesses have long been concerned about the tension between openness and security. An environment that is open to everyone is not secure, while an environment that is closed to everyone is highly secure but not useful. A number of trends in business today tend to exacerbate this conflict. For example: + Modern competitive strategies emphasize openness to interactions with potential customers and suppliers. For example, such strategies would demand that a bank present itself as willing to do business with anyone, everywhere, and at any time. 
However, such strategies also offer potential adversaries a greater chance of success, because increasing ease of access often facilitates the penetration of security measures that may be taken. + Many businesses today emphasize decentralized management that pushes decision-making authority toward the customer and away from the corporate hierarchy. Yet security often has been (and is) approached from a centralized perspective. (For example, access controls are necessarily hierarchical (and thus centralized) if they are to be maintained uniformly.) + Many businesses rely increasingly on highly mobile individuals. When key employees were tied to one physical location, it made sense to base security on physical presence, e.g., to have a user present a photo ID card to an operator at the central corporate computer center. Today, mobile computing and communications are common, with not even a physical wire to ensure that the person claiming to be an authorized user is accessing a computer from an authorized location or to prevent passive eavesdropping on unencrypted transmissions with a radio scanner. ____________________________________________________________ BOX 1.6 International Dimensions of Business and Commerce Today U.S. firms increasingly operate in a global environment, obtaining goods and services from companies worldwide, participating in global virtual corporations, and working as part of international strategic alliances. One key dimension of increasing globalization has been the dismantling of barriers to trade and investment. In the past 40 years, tariffs among developed countries have been reduced by more than two-thirds. After the Uruguay Round reductions are phased in, tariffs in these countries will be under 4%, with 43% of current trade free of any customs duties. While tariffs of developing countries are at higher levels, they have recently begun to decline substantially. 
After the Uruguay Round, tariffs in these countries will average 12.3% by agreement and will be even lower as a result of unilateral reductions. In response to the reductions in trade barriers, trade has grown rapidly. From 1950 to 1993, U.S. and world trade grew at an average compound rate of 10% annually. Investment has also grown rapidly in recent years, stimulated by the removal of restrictions and by international rules that provide assurances to investors against discriminatory or arbitrary treatment. U.S. foreign direct investment also has grown at almost 10% annually during the past 20 years and now totals about half a trillion dollars. Foreign direct investment in the United States has risen even faster over the same period -- at almost 19% annually -- and now also totals almost $500 billion. The expansion of international trade and investment has resulted in a much more integrated and interdependent world economy. For the United States, this has meant a much greater dependence on the outside world. More than a quarter of the U.S. gross domestic product is now accounted for by trade in goods and services and returns on foreign investment. Over 11 million jobs are now directly or indirectly related to our merchandise trade. Because the U.S. economy is mature, the maintenance of a satisfactory rate of economic growth requires that the United States compete vigorously for international markets, especially in the faster growing regions of the world. Many sectors of our economy are now highly dependent on export markets. This is particularly the case for, but is not limited to, high-technology goods, as indicated in the table below. A second international dimension is the enormous growth in recent years of multinational enterprises. Such firms operate across national boundaries, frequently in multiple countries. 
According to the 1993 World Investment Report of the United Nations, transnational corporations (TNCs) with varying degrees of integration account for about a third of the world's private sector productive assets. The number of TNCs has more than tripled in the last 20 years. At the outset of this decade, about 37,000 U.S. firms had a controlling equity interest in some 170,000 foreign affiliates. This does not include nonequity relationships, such as management contracts, subcontracting, franchising or strategic alliances. There are some 300 TNCs based in the United States and almost 15,000 foreign affiliates, of which some 10,000 are nonbank enterprises. The strategies employed by TNCs vary among firms. They may be based on trade in goods and services alone or, more often, involve more complex patterns of integrated production, outsourcing, and marketing. One measure of the extent of integration by U.S. firms is illustrated by the U.S. Census Bureau, which reported that in 1994, 46% of U.S. imports and 32% of U.S. exports were between related firms. Of U.S. exports to Canada and Mexico, 44% were between related parties; for the European Union and Japan, the share was 37%. With respect to imports, the shares of related-party transactions were 75.5% for Japan, 47.2% for the European Union, 44.6% for Canada and 69.2% for Mexico. Among those sectors with the highest levels of interparty trade are data processing equipment, including computers, and parts and telecommunications equipment, ranging from 50% to 90%.

____________________________________________________________
                                           Exports As a Percentage
Area of Export                             of U.S. Output
____________________________________________________________
Electronic computing and parts                       52
Semiconductors and related devices                   47
Magnetic and optical recording media
  (includes software products)                       40
----------
SOURCE: U.S. Department of Commerce, Commerce News, August 9, 1995.
____________________________________________________________ BOX 1.7 Threat Sources + *Foreign national agencies (including intelligence services)*. Foreign intelligence operations target key U.S. businesses. For example, two former directors of the French intelligence service have confirmed publicly that the French intelligence service collects economic intelligence information, including classified government information and information related to or associated with specific companies of interest.(1) Foreign intelligence agencies may break into facilities such as the foreign offices of a U.S. company or the hotel suite of a U.S. executive and copy computer files from within that facility (e.g., from a laptop computer in a hotel room, a desktop computer connected to a network in an office).(2) Having attained such access, they can also insert malicious code that will enable future information theft. + *Disgruntled or disloyal employees that work "from the inside."* Such parties may collude with outside agents. Threats involving insiders are particularly pernicious because they are trusted with critical information that is not available to outsiders. Such information is generally necessary to understand the meaning of various data flows that may have been intercepted, even when those data flows are received in the clear. + *Network hackers and electronic vandals* that are having fun or making political statements through the destruction of intellectual property without the intent of theft. Information terrorists may threaten to bring down an information network unless certain demands are met; extortionists may threaten to bring down an information network unless a ransom is paid. Disgruntled customers seeking revenge on a company also fall into this category. + *Thieves* attempting to steal money or resources from businesses. Such individuals may be working for themselves or acting as part of a larger conspiracy (e.g., in association with organized crime). 
The spreading of electronic commerce will increase the opportunities for new and different types of fraud, as illustrated by the large increase in fraud seen as the result of increased electronic filing to the Internal Revenue Service. Even worse, customers traditionally regarded as the first line of defense against fraud (because they check their statements and alert the merchants or banks involved to problems) may become adversaries as they seek to deny a signature on a check or alter the amount of a transaction. It is difficult to know the prevalence of such threats, because many companies do not discuss for the record specific incidents of information theft. In some cases, they fear stockholder ire and losses in customer confidence over security breaches; in others, they are afraid of inspiring "copy-cat" attacks or revealing security weaknesses. In still other cases, they simply do not know that they have been the victim of such theft. Finally, only a patchwork of state laws applies to the theft of trade secrets and the like (and not all states have such laws). There is no federal statute that protects trade secrets or that addresses commercial information theft, and federal authorities probing the theft of commercial information must rely on proving violations of other statutes, such as the wire and mail fraud laws, interstate transport of stolen property, conspiracy, or computer fraud and abuse laws; as a result, documentation of what would be a federal offense if such a law were present is necessarily spotty. For all of these reasons, what is known on the public record about economic losses from information theft almost certainly understates the true extent of the problem. ---------- (1) Two former directors of the DGSE (the French intelligence service), have publicly stated that one of the DGSE's top priorities was to collect economic intelligence. 
During a September 1991 NBC news program, Pierre Marion, former DGSE Director, revealed that he had initiated an espionage program against US businesses for the purpose of keeping France internationally competitive. Marion justified these actions on the grounds that the United States and France, although political and military allies, are economic and technological competitors. During an interview in March 1993, then DGSE Director Charles Silberzahn stated that political espionage was no longer a real priority for France but that France was interested in economic intelligence, "a field which is crucial to the world's evolution." Silberzahn advised that the French had some success in economic intelligence but stated that much work is still needed because of the growing global economy. Silberzahn advised during a subsequent interview that theft of classified information, as well as information about large corporations, was a long-term French Government policy. These statements were seemingly corroborated by a DGSE targeting document prepared in late 1989 and leaked anonymously to the US Government and the press in May 1993. It alleged that French intelligence had targeted numerous US Government agencies and corporations to collect economic and industrial information. Industry leaders such as Boeing, General Dynamics, Hughes Aircraft, Lockheed, McDonnell Douglas, and Martin Marietta all were on the list. Heading the US Government listing was the Office of the US Trade Representative. This unclassified paragraph can be found in the secret version of the report, National Counterintelligence Center, *Annual Report to Congress on Foreign Economic Collection and Industrial Espionage*, Washington, D.C., July 1995. 
(2) According to a report from the National Communications System, countries that currently have significant intelligence operations against the United States for national security and/or economic purposes include Russia, the People's Republic of China, Cuba, France, Taiwan, South Korea, India, Pakistan, Israel, Syria, Iran, Iraq, and Libya. "All of the intelligence organizations listed [above] have the capability to target telecommunications and information systems for information or clandestine attacks. The potential for exploitation of such systems may be significantly larger." See National Communications System (NCS), *The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications. An Awareness Document*, 2nd ed., NCS, Alexandria, Va., December 5, 1994, pp. 2-20. ____________________________________________________________ BOX 1.8 Vulnerability of the Public Switched Telecommunications Network The nation's single most critical national-level component of information infrastructure vulnerable to compromise is the public switched telecommunications network (PSTN). The PSTN provides information transport services for geographically dispersed and national assets such as the banking system and financial markets,(1) and the air traffic control system.(2) Even the traditional military (3) is highly dependent on the PSTN. Parties connected to the PSTN are therefore vulnerable to failure of the PSTN itself and to attacks transmitted over the PSTN. The fundamental characteristic of the PSTN from the standpoint of information vulnerability is that it is a highly interconnected network of heterogeneously controlled and operated computer-based switching stations. 
Network connectivity implies that an attacker -- which might range from a foreign government to a teen-aged hacker -- can in principle connect to any network site (including sites of critical importance for the entire network) from any other network site (which may be geographically remote and even outside the United States).(4) The sites of critical importance for the PSTN are the switching nodes that channel the vast majority of telecommunications traffic in the United States. Access to these critical nodes, and to other switching facilities, is supposed to be limited to authorized personnel, but in practice these nodes are often vulnerable to penetration. Once in place on a critical node, hostile and unauthorized users are in a position to disrupt the entire network. The systemic vulnerabilities of the PSTN are the result of many factors. One is the increasing accessibility of network software to third parties other than the common carriers, resulting from the Federal Communications Commission requirement that the PSTN support open, equal access for third-party providers of enhanced services as well as for the common carriers; such accessibility offers intruders many opportunities to capture user information, monitor traffic, and remotely manipulate the network. A second reason is that service providers are allowing customers more direct access to network elements, in order to offer customer-definable services such as call forwarding. 
A third reason is that advanced services made possible by Signaling System 7 are dependent on a common, out-of-band signaling system for control of calls through a separate packet-switched data network that adds to network vulnerability.(5) Finally, space-based PSTN components (i.e., satellites) have few control centers, are susceptible to electronic attack, and generally do not encrypt their command channels, making the systems vulnerable to hackers copying their commands and disrupting service.(6) These conditions imply that the PSTN is a system that would benefit from better protection of system integrity and availability. Threats to the PSTN affect all national institutions whose ability to function fully and properly depends on being able to communicate, be it through telephony, data transmission, video, or all of these. Indeed, many data networks operated "privately" by large national corporations or national institutions such as those described above are private only in the sense that access is supposed to be limited to corporate purposes; in fact, national institutions or corporations generally use all forms of communications, including those physically carried by the PSTN.(7) However, the physical and computational infrastructure of these networks is in general owned by the telecommunications service provider, and this infrastructure is part of the larger PSTN infrastructure. Thus, like the Internet, the "private" data network of a national corporation is in general not physically independent of the PSTN. Similarly, it is dependence on the PSTN that has led to failures in the air traffic control system and important financial markets:
+ In January 1991, the accidental severing of an AT&T fiber-optic cable in Newark, New Jersey, led to the disruption of FAA air traffic control communications in the Boston-Washington corridor and the shutdown of the New York Mercantile Exchange and several commodities exchanges.
In May 1991, the severing of a fiber-optic cable led to the shutdown of four of the Federal Aviation Administration's 20 major air traffic control centers with "massive operational impact."(8) + The 1991 failure of a PSTN component in New York caused the loss of connectivity between a major securities house and the Securities Industry Automation Corporation, resulting in an inability to settle the day's trades over the network.(9) Examples of small-scale activities by the computer "underground" against the PSTN demonstrate capabilities that, if coupled to an intent to wage serious information warfare against the United States, pose a serious threat to the U.S. information infrastructure: + In 1990, several members of the Legion of Doom's Atlanta branch were charged with penetrating and disrupting telecommunications network elements. They were accused of planting "time bomb" programs in network elements in Denver, Atlanta, and New Jersey; these were designed to shut down major switching hubs, but were defused by telephone carriers before causing damage.(10) + Members of a group known as MOD (various spell-outs) were indicted July 8, 1992, on 11 accounts. It is significant that they appear to have worked in a team. Among their alleged activities were developing and unleashing "programmed attacks" (see below) on telephone company computers and accessing telephone company computers to create new circuits and add services with no billing records."(11) + Reported (but not well documented) is a growing incidence of "programmed attacks."(12) These have been detected in several networks and rely on customized software targeting specific types of computers or network elements. They are rarely destructive, but rather seek to add or modify services. "The capability illustrated by this category of attacks has not fully matured. 
However, if a coordinated attack using these types of tools were directed at the PSTN with a goal of disrupting national security/emergency preparedness (NS/EP) telecommunications, the result could be significant."(13) (The same point probably applies to the goal of disrupting other kinds of telecommunications beyond those used for NS/EP.) A number of reports and studies (14) have called attention to the vulnerability of components of the national telecommunications infrastructure.
----------
(1) These private networks for banking include Fedwire (operated by the Federal Reserve banks), the Clearinghouse for Interbank Payment Systems (CHIPS; operated by New York Clearinghouse, an association of money center banks), the Society for Worldwide Interbank Financial Telecommunication (SWIFT; an international messaging system that carries instructions for wire transfers between pairs of correspondent banks), and the Automated Clearing House (ACH) systems for domestic transfers, typically used for routine smaller purchases and payments. In the 1980s, several U.S. banks aggressively developed global networks with packet switches, routers, and so on, to interconnect their local and wide area networks; or, they used third-party service providers to interconnect. In the 1990s, there are signs that U.S. international banks are moving to greater use of carrier-provided or hybrid networks because of the availability of virtual private networks from carriers. Carrier-provided networks are more efficient than networks built on top of dedicated leased lines, because they can allocate demand dynamically among multiple customers.
(2) The air traffic control system uses leased lines to connect regional air traffic control centers.
(3) Over 95 percent of U.S. military and intelligence community voice and data communications are carried over facilities owned by public carriers.
(See Joint Security Commission, *Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence*, February 28, 1994, Chapter 8.) Of course, the 95% figure includes some non-critical military communications; however, only 30 percent of the telecommunications networks that would be used during wartime operate in the classified environment (and are presumably more secure), while the other 70 percent are based on the use of unclassified facilities of public carriers. See Richard Powers, *Information Warfare: A CSI Special Report*, Computer Security Institute, Washington, D.C., Fall 1995.
(4) Clifford Stoll, *The Cuckoo's Egg*, Pocket Books, New York, 1989.
(5) National Research Council, *Growing Vulnerability of the Public Switched Networks: Implications for National Security and Emergency Preparedness*, National Academy Press, Washington, D.C., 1989, page 36; Reliability and Vulnerability Working Group, Telecommunications Policy Committee, Information Infrastructure Task Force, *Reliability and Vulnerability of the NII: Capability Assessments*, from the National Communications System home page on WWW, http://64.117.147.223/nc-ia/html.
(6) Reliability and Vulnerability Working Group, Telecommunications Policy Committee, Information Infrastructure Task Force, *Reliability and Vulnerability of the NII: Capability Assessments*, from the National Communications System home page on WWW, http://164.117.147.223/nc-ia/html.
(7) Both shared circuits and private networks are expected to grow dramatically in the next several years. See for example, Michael Csenger, "Private lines dead? Don't buy those flowers just yet," *Network World*, May 1, 1995, p. 1.
(8) *Software Engineering Notes*, Volume 17, January 1992, as cited in Peter J. Neumann, *Computer Related Risks*, Addison-Wesley, New York, 1995, p. 17.
(9) See Office of Technology Assessment, U.S. Congress, *U.S.
Banks and International Telecommunications -- Background Paper*, OTA-BP-TCT-100, U.S. Government Printing Office, Washington, D.C., September 1992, pp. 32-,3.
(10) National Communications System (NCS), *The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications: An Awareness Document*, 2nd ed., NCS, Alexandria, Va., December 5, 1994, p. 2-5.
(11) NCS, *The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications*, 1994, pp. 2-8 to 2-9.
(12) NCS, *The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications*, 1994, p. 2-6.
(13) NCS, *The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications*, 1994, p. 2-6.
(14) Joint Security Commission, *Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence*, Washington, D.C., February 28, 1994; National Research Council, *Growing Vulnerability of the Public Switched Networks: Implications for National Security and Emergency Preparedness*, National Academy Press, Washington, D.C., 1989; NCS, *The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications*, 1994; Reliability and Vulnerability Working Group, Telecommunications Policy Committee, Information Infrastructure Task Force, *Reliability and Vulnerability of the NII: Capability Assessments*, from the National Communications System home page on WWW, http://164.117.147.223/nc-ia/html.
____________________________________________________________

BOX 1.9 Information Warfare

"Information warfare" is a term used in many different ways.
Of most utility for this report is the definition of information warfare (IW) as hostile action that targets the information systems and information infrastructure of an opponent (i.e., offensive actions that attack an opponent's communications, weapon systems, command and control systems, intelligence systems, information components of the civil and societal infrastructure such as the power grid and banking system) coupled with simultaneous actions seeking to protect U.S. and allied systems and infrastructure from such attacks. Other looser uses of the term "information warfare" include the following:
+ The use of information and tactical intelligence to apply weapon systems more effectively. IW may be used in connection with information-based suppression of enemy air defenses or "smart" weapons using sensor data to minimize the volume of ordnance needed to destroy a target.
+ The targeting of companies' information systems for IW attacks. As industrial espionage spreads and/or international competitiveness drives multinational corporations into military-like escapades, the underlying notion of information-based probing of and attack on a competitor's information secrets could take on a flavor of intergovernment military or intelligence activities.
+ The fight against terrorism, organized crime, and even street crime, which might be characterized as IW to the extent that information about these subjects is used to prosecute the battle. This usage is not widespread, although it may develop in the future.
Usage of the term has shifted somewhat as federal agencies, notably the Department of Defense, struggle to fully appreciate this new domain of warfare (or low-intensity conflict) and to create relevant policy and doctrine for it. Conversely, there is some discussion of the vulnerabilities of the U.S. civil information infrastructure to such offense.
The range of activities that can take place in information warfare is broad:
+ Physical destruction of information-handling facilities to destroy or degrade functionality;
+ Denial of use of an opponent's important information systems;
+ Degradation of effectiveness (e.g., accuracy, speed of response) of an opponent's information systems;
+ Insertion of spurious, incorrect, or otherwise misleading data into an opponent's information systems (e.g., to destroy or modify data, or to subvert software processes via improper data inputs);
+ Withdrawal of significant tactical or strategic data from an opponent's information systems;
+ Insertion of malicious software into an opponent's system to affect its intended behavior in various ways, and perhaps, to do so at a time controlled by the aggressor; and
+ Subversion of an opponent's software and/or hardware installation to make it an in-place self-reporting mole for intelligence purposes.
As an operational activity, information warfare is clearly related closely to, but yet distinct from, intelligence functions that are largely analytical. IW is also related to information security, since its techniques are pertinent both to prosecution of offensive IW and to protection for defensive IW.
____________________________________________________________
[End Chapter 1]
____________________________________________________________

2 Cryptography: Roles, Market, and Infrastructure

Cryptography is a technology that can play important roles in addressing certain types of information vulnerability, although it is not sufficient to deal with all threats to information security. As a technology, cryptography is embedded into products that are purchased by a large number of users; thus, it is important to examine various aspects of the market for cryptography.
Chapter 2 describes cryptography as a technology used in products, as a product within a larger market context, and with reference to the infrastructure needed to support its large-scale use.

2.1 CRYPTOGRAPHY IN CONTEXT

Computer-system security, and its extension network security, are intended to achieve many purposes. Among them are safeguarding physical assets from damage or destruction and ensuring that resources such as computer time, network connections, and access to databases are available only to individuals -- or to other systems or even software processes -- authorized to have them.(1) Overall information security is dependent on many factors, including various technical safeguards, trustworthy and capable personnel, high degrees of physical security, competent administrative oversight, and good operational procedures. Of the available technical safeguards, cryptography has been one of the least utilized to date.(2) In general, the many security safeguards in a system or network not only fulfill their principal task but also act collectively to mutually protect one another. In particular, the protection or operational functionality that can be afforded by the various cryptographic safeguards treated in this report will inevitably require that the hardware or software in question be embedded in a secure environment. To do otherwise is to risk that the cryptography might be circumvented, subverted, or misused -- hence leading to a weakening or collapse of its intended protection. As individual stand-alone computer systems have been incorporated into ever larger networks (e.g., local-area networks, wide-area networks, the Internet), the requirements for cryptographic safeguards have also increased. For example, users of the earliest computer systems were almost always clustered in one place and could be personally recognized as authorized individuals, and communications associated with a computer system usually were contained within a single building.
Today, users of computer systems can be connected with one another worldwide, through the public switched telecommunications network, a local area network, satellites, microwave towers, and radio transmitters. Operationally, an individual or a software process in one place can request service from a system or a software process in a far distant place. Connectivity among systems is impromptu and occurs on demand; the Internet has demonstrated how to achieve it. Thus, it is now imperative for users and systems to identify themselves to one another with a high degree of certainty and for distant systems to know with certainty what privileges for accessing databases or software processes a remote request brings. Protection that could once be obtained by geographic propinquity and personal recognition of users must now be provided electronically and with extremely high levels of certainty.
----------
(1) The terms "information security" or shortened versions such as INFOSEC, COMPSEC, and NETSEC are also in use.
(2) Other safeguards, in particular software safeguards, are addressed in various standard texts and reports. See, for example, National Institute of Standards and Technology, *An Introduction to Computer Security*, NIST Special Publication 800-12, Department of Commerce, October 1995; *Trusted Computer System Evaluation Criteria*, Department of Defense, August 15, 1983; Computer Science and Telecommunications Board (CSTB), National Research Council, *Computers at Risk: Safe Computing in the Information Age*, National Academy Press, Washington, D.C., 1991.
____________________________________________________________

2.2 WHAT IS CRYPTOGRAPHY AND WHAT CAN IT DO?

The word "cryptography" is derived from Greek words that mean secret writing. Historically, cryptography has been used to hide information from access by unauthorized parties, especially during communications when it would be most vulnerable to interception.
By preserving the secrecy, or confidentiality, of information, cryptography has played a very important role over the centuries in military and national affairs.(3) In the traditional application of cryptography for confidentiality, an originator (the first party) creates a message intended for a recipient (the second party), protects (encrypts) it by a cryptographic process, and transmits it as ciphertext. The receiving party decrypts the received ciphertext message to reveal its true content, the plaintext. Anyone else (the third party) who wishes undetected and unauthorized access to the message must penetrate (by cryptanalysis) the protection afforded by the cryptographic process. In the classical use of cryptography to protect communications, it is necessary that both the originator and recipient(s) have common knowledge of the cryptographic process (the algorithm or cryptographic algorithm) and that both share a secret common element -- typically, the key or cryptographic key, which is a piece of information, not a material object. In the encryption process, the algorithm transforms the plaintext into the ciphertext, using a particular key; the use of a different key results in a different ciphertext. In the decryption process, the algorithm transforms the ciphertext into the plaintext, using the key that was used to encrypt (4) the original plaintext. Such a scheme, in which both communicating parties must have a common key, is now called *symmetric cryptography* or *secret-key cryptography*; it is the kind that has been used for centuries and written about widely.(5) It has the property, usually an operational disadvantage, of requiring a safe method of distributing keys to relevant parties (*key distribution* or *key management*). It can be awkward to arrange for symmetric and secret keys to be available to all parties with whom one might wish to communicate, especially when the list of parties is large.
However, a scheme called *asymmetric cryptography* (or, equivalently, *public-key cryptography*), developed in the mid-1970s, helps to mitigate many of these difficulties through the use of different keys for encryption and decryption.(6) Each participant actually has two keys. The public key is published, is freely available to anyone, and is used for encryption; the private key is held in secrecy by the user and is used for decryption.(7) Because the two keys are inverses, knowledge of the public key enables the derivation of the private key in theory. However, in a well-designed public-key system, it is computationally infeasible in any reasonable length of time to derive the private key from knowledge of the public key. A significant operational difference between symmetric and asymmetric cryptography is that with asymmetric cryptography anyone who knows a given person's public key can send a secure message to that person. With symmetric cryptography, only a selected set of people (those who know the private key) can communicate. While it is not mathematically provable, all known asymmetric cryptographic systems are slower than their symmetric cryptographic counterparts, and the more public nature of asymmetric systems lends credence to the belief that this will always be true. Generally, symmetric cryptography is used when a large amount of data needs to be encrypted or when the encryption must be done within a given time period; asymmetric cryptography is used for short messages, for example, to protect key distribution for a symmetric cryptographic system. Regardless of the particular approach taken, the applications of cryptography have gone beyond its historical roots as secret writing; today, cryptography serves as a powerful tool in support of system security. 
Cryptography can provide many useful capabilities: + *Confidentiality* -- the characteristic that information is protected from being viewed in transit during communications and/or when stored in an information system. With cryptographically provided confidentiality, encrypted information can fall into the hands of someone not authorized to view it without being compromised. It is almost entirely the confidentiality aspect of cryptography that has posed public policy dilemmas. The other capabilities, described below, can be considered collectively as nonconfidentiality or collateral uses of cryptography: + *Authentication* -- cryptographically based assurance that an asserted identity is valid for a given person (or computer system). With such assurance, it is difficult for an unauthorized party to impersonate an authorized one. + *Integrity check* -- cryptographically based assurance that a message or computer file has not been tampered with or altered.(8) With such assurance, it is difficult for an unauthorized party to alter data. + *Digital signature* -- cryptographically based assurance that a message or file was sent or created by a given person. A digital signature cryptographically binds the identity of a person with the contents of the message or file, thus providing nonrepudiation -- the inability to deny the authenticity of the message or file. The capability for nonrepudiation results from encrypting the digest (or the message or file itself) with the private key of the signer. Anyone can verify the signature of the message or file by decrypting the signature using the public key of the sender. Since only the sender should know his or her own private key, assurance is provided that the signature is valid and the sender cannot later repudiate the message. If a person divulges his or her private key to any other party, that party can impersonate the person in all electronic transactions. 
+ *Digital date/time stamp* -- cryptographically based assurance that a message or file was sent or created at a given date and time. Generally, such assurance is provided by an authoritative organization that appends a date/time stamp and digitally signs the message or file. These cryptographic capabilities can be used in complementary ways. For example, authentication is basic to controlling access to system or network resources. For example, a person may use a password to authenticate his own identity; only when the proper password has been entered will the system allow the user to "log on" and obtain access to files, email, and so on.(9) But passwords have many limitations as an access control measure (e.g., people tell others their passwords or a password is learned via eavesdropping), and cryptographic authentication techniques can provide much better and more effective mechanisms for limiting system or resource access to authorized parties. Access controls can be applied at many different points within a system. For example, the use of a dial-in port on an information system or network can require the use of cryptographic access controls to ensure that only the proper parties can use the system or network at all. Many systems and networks accord privileges or access to resources depending on the specific identity of a user; thus, a hospital information system may grant physicians access that allows entering orders for patient treatment, whereas laboratory technicians may not have such access. Authentication mechanisms can also be used to generate an audit trail identifying those who have accessed particular data, thus facilitating a search for those known to have compromised confidential data. In the event that access controls are successfully bypassed, the use of encryption on data stored and communicated in a system provides an extra layer of protection. 
Specifically, if an intruder is denied easy access to stored files and communications, he may well find it much more difficult to understand the internal workings of the system and thus be less capable of causing damage or reading the contents of encrypted inactive data files that may hold sensitive information. Of course, when an application opens a data file for processing, that data is necessarily unencrypted and is vulnerable to an intruder that might be present at that time. Authentication and access control can also help to protect the privacy of data stored on a system or network. For example, a particular database application storing data files in a specific format could allow its users to view those files. If the access control mechanisms are set up in such a way that only certain parties can access that particular database application, access to the database files in question can be limited, and thus the privacy of data stored in those databases protected. On the other hand, an unauthorized user may be able to obtain access to those files through a different, uncontrolled application, or even through the operating system itself. Thus, encryption of those files is necessary to protect them against such "back-door" access.(10) The various cryptographic capabilities described above may be used within a system in order to accomplish a set of tasks. For example, a banking system may require confidentiality and integrity assurances on its communications links, authentication assurances for all major processing functions, and integrity and authentication assurances for high-value transactions. On the other hand, merchants may need only digital signatures and date/time stamps when dealing with external customers or cooperating banks when establishing contracts. Furthermore, depending on the type of capability to be provided, the underlying cryptographic algorithms may or may not be different. 
Finally, when considering what cryptography can do, it is worth making two practical observations. First, the initial deployment of any technology often brings out unanticipated problems, simply because the products and artifacts embodying that technology have not had the benefit of successive cycles of failure and repair. Similarly, human procedures and practices have not been tested against the demands of real-life experience. Cryptography is unlikely to be any different, and so it is probable that early large-scale deployments of cryptography will exhibit exploitable vulnerabilities.(11) The second point is that against a determined opponent that is highly motivated to gain unauthorized access to data, the use of cryptography may well simply lead that opponent to exploit some other vulnerability in the system or network on which the relevant data is communicated or stored, and such an exploitation may well be successful. But the use of cryptography can help to raise the cost of gaining improper access to data and may prevent a resource-poor opponent from being successful at all. More discussion of cryptography can be found in Appendix C. ---------- (3) The classic work on the history of cryptography is David Kahn, *The Codebreakers*, MacMillan, New York, 1967. (4) This report uses the term "encrypt" to describe the act of using an encryption algorithm with a given key to transform one block of data, usually plaintext, into another block, usually ciphertext. (5) Historical perspective is provided in David Kahn, *Kahn on Codes*, MacMillan, New York, 1983; F.W. Winterbotham, *The Ultra Secret*, Harper & Row, New York, 1974; and Ronald Lewin, *Ultra Goes to War*, Hutchinson & Co., London, 1978. A classic reference on the fundamentals of cryptography is Dorothy Denning, *Cryptography and Data Security*, Addison-Wesley, Reading, Mass., 1982. (6) Gustavus J. Simmons (ed.), *Contemporary Cryptology. 
The Science of Information Integrity*, IEEE Press, Piscataway, New Jersey, 1992; Whitfield Diffie, "The First Ten Years of Public-Key Cryptography," *Proceedings of the IEEE*, Vol. 76, 1988, pp. 560-577. (7) The seminal paper on public-key cryptography is Whitfield Diffie and Martin Hellman, "New Directions in Cryptography," *IEEE Transactions on Information Theory*, Volume IT-22, 1976, pp. 644-654. (8) Digital signatures and integrity checks use a condensed form of a message or file -- called a digest -- which is created by passing the message or file through a one-way hash function. The digest is of fixed length and is independent of the size of the message or file. The hash function is designed to make it highly unlikely that different messages (or files) will yield the same digest, and to make it computationally very difficult to modify a message (or file) but retain the same digest. (9) An example more familiar to many is that the entry of an appropriate personal identification number into an automatic teller machine (ATM) gives the ATM user access to account balances or cash. (10) The measure-countermeasure game can continue indefinitely. In response to file encryption, an intruder can insert into an operating system a Trojan horse program that waits for an authorized user to access the encrypted database. Since the user is authorized, the database will allow the decryption of the relevant file and the intruder can simply "piggy-back" on that decryption. Thus, those responsible for system security must provide a way to check for Trojan horses, and so the battle goes round. (11) For a discussion of this point, see Ross Anderson, "Why Cryptosystems Fail," *Communications of the ACM*, Volume 37(11), November, 1994, pp. 32-40. 
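The digest, digital signature, and date/time stamp capabilities described in Section 2.2 and footnote 8 can be traced in a short Python sketch, added here as an illustration and not part of the report. It assumes SHA-256 as the one-way hash and unpadded textbook RSA (deployed signature schemes add padding); the key material, sample message, and function names are constructed for the example.

```python
import hashlib

E = 65537
# Constructed toy primes (Mersenne primes). A modulus built from them is easy
# to factor, so these keys show the arithmetic only and protect nothing.
SIGNER_PRIMES = (2**127 - 1, 2**521 - 1)
AUTHORITY_PRIMES = (2**107 - 1, 2**607 - 1)


def make_keypair(primes):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent is the inverse of E
    return (n, E), (n, d)


def digest(data: bytes) -> bytes:
    """One-way hash: 32 bytes out, whatever the size of the input."""
    return hashlib.sha256(data).digest()


def sign(data: bytes, private_key) -> int:
    """Transform the digest of the data with the signer's private key."""
    n, d = private_key
    return pow(int.from_bytes(digest(data), "big"), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Undo the transform with the public key and compare with a fresh digest."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == int.from_bytes(digest(data), "big")


def stamp(data: bytes, when: str, authority_private) -> int:
    """Date/time stamp: an authority signs the digest together with the time."""
    return sign(digest(data) + when.encode("ascii"), authority_private)


def verify_stamp(data: bytes, when: str, stamp_sig: int, authority_public) -> bool:
    return verify(digest(data) + when.encode("ascii"), stamp_sig, authority_public)


def demo():
    signer_pub, signer_priv = make_keypair(SIGNER_PRIMES)
    auth_pub, auth_priv = make_keypair(AUTHORITY_PRIMES)
    order = b"Pay 100 units to account 42"       # constructed sample message
    altered = order.replace(b"100", b"900")
    when = "1996-05-30T12:00:00Z"                # constructed sample time
    sig = sign(order, signer_priv)
    ts = stamp(order, when, auth_priv)
    return {
        # Signature checks out for the message exactly as signed.
        "genuine": verify(order, sig, signer_pub),
        # Integrity: any change to the message changes the digest.
        "tampered": verify(altered, sig, signer_pub),
        # A signature only verifies under the signer's own public key.
        "wrong_key": verify(order, sig, auth_pub),
        # The stamp binds the message to one specific time.
        "stamp_ok": verify_stamp(order, when, ts, auth_pub),
        "stamp_backdated": verify_stamp(order, "1996-05-29T12:00:00Z", ts, auth_pub),
        # Whoever holds a divulged private key can sign as its owner.
        "leaked_key_forgery": verify(altered, sign(altered, signer_priv), signer_pub),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The last entry shows why custody of the private key matters: a signature made by anyone holding that key is indistinguishable from the owner's.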
____________________________________________________________

2.3 HOW CRYPTOGRAPHY FITS INTO THE BIG SECURITY PICTURE

In the context of confidentiality, the essence of information security is a battle between information protectors and information interceptors. Protectors -- who may be motivated by "good" reasons (if they are legitimate businesses) or "bad" reasons (if they are criminals) -- wish to restrict access to information to a group that they select. Interceptors -- who may also be motivated by "bad" reasons (if they are unethical business competitors) or "good" reasons (if they are law enforcement agents investigating serious crimes) -- wish to obtain access to the information being protected whether or not they have the permission of the information protectors. It is this dilemma that is at the heart of the public policy controversy and is addressed in greater detail in Chapter 3. From the perspective of the information interceptor, encryption is only one of the problems to be faced. In general, the complexity of today's information systems poses many technical barriers (Section 2.3.1). On the other hand, the information interceptor may be able to exploit product features or specialized techniques to gain access (Section 2.3.2).

2.3.1 Technical Factors Inhibiting Access to Information (12)

Compared to the task of tapping an analog telephone line, obtaining access to the content of a digital information stream can be quite difficult. With analog "listening" (traditional telephony or radio interception), the technical challenge is obtaining access to the communications channel. When communications are digitized, gaining access to the channel is only the first step: one must then unravel the digital format, a task that can be computationally very complex.
Furthermore, the complexity of the digital format tends to increase over time, because more advanced information technology generally implies increased functionality and a need for more efficient use of available communications capacity. Increased complexity is reflected in particular in the interpretation of the digital stream that two systems might use to communicate with each other or the format of a file that a system might use to store data. Consider, for example, one particular sequence of actions used to communicate information. The original application in the sending system might have started with a plaintext message, and then compressed it (to make it smaller); encrypted it (to conceal its meaning); and appended error-control bits to the compressed, encrypted message (to prevent errors from creeping in during transmission).(13) Thus, a party attempting to intercept a communication between the sender and the receiver could be faced with a data stream that would represent the combined output of many different operations that transform the data stream in some way. The interceptor would have to know the error-control scheme and the decompression algorithms as well as the key and the algorithm used to encrypt the message. When an interceptor moves onto the lines that carry bulk traffic, isolating the bits associated with a particular communication of interest is itself quite difficult.(14) A high-bandwidth line (e.g., a long-haul fiber-optic cable) typically carries hundreds or thousands of different communications; any given message may be broken into distinct packets and intermingled with other packets from other contemporaneously operating applications.(15) The traffic on the line may be encrypted "in bulk" by the line provider, thus providing an additional layer of protection against the interceptor. 
Moreover, since a message traveling from point A to point B may well be broken into packets that traverse different physical paths en route, an interceptor at any given point in between A and B may not even see all of the packets pass by. Another factor inhibiting access to information is the use of technologies that facilitate anonymous communications. For the most part, intercepted communications are worthless if the identity of the communicating parties is not known. In telephony, call forwarding and pager callbacks from pay telephones have sometimes frustrated the efforts of law enforcement officials conducting wiretaps. In data communications, so-called anonymous remailers can strip out all identifying information from an Internet e-mail message sent from person A to person B in such a way that person B does not know the identity of person A. Some remailers even support return communications from person B to person A without the need for person B to know the identity of person A. Access is made more difficult because an information protector can switch communications from one medium to another very easily without changing end-user equipment. Some forms of media may be easily accessed by an interceptor (e.g. conventional radio), whereas other forms may be much more challenging (e.g. fiber-optic cable, spread-spectrum radio). The proliferation of different media that can interoperate smoothly even at the device level will continue to complicate the interceptor's attempts to gain access to communications. Finally, obtaining access also becomes more difficult as the number of service providers increases (Box 2.1). In the days when AT&T held a monopoly on voice communications and criminal communications could generally be assumed to be carried on AT&T-operated lines, law enforcement and national security authorities needed only one point of contact with whom to work. 
As the telecommunications industry becomes increasingly heterogeneous, law enforcement authorities may well be uncertain about what company to approach about implementing a wiretap request. ---------- (12) This section addresses technical factors that inhibit access to information. But technical measures are only one class of techniques that can be used to improve information security. For example, statutory measures can help contribute to information security. Laws that impose criminal penalties for unauthorized access to computer systems have been used to prosecute intruders. Such laws are intended to deter attacks on information systems, and to the extent that individuals do not exhibit such behavior, system security is enhanced. (13) Error control is a technique used both to detect errors in transmission and sometimes to correct them as well. (14) This point is made independently in a report that came to the attention of the committee as this report was going to press. A staff study of the Permanent Select Committee on Intelligence, House of Representatives concluded that "the ability to filter through the huge volumes of data and to extract the information from the layers of formatting, multiplexing, compression, and transmission protocols applied to each message is the biggest challenge of the future, [while] increasing amounts and sophistication of encryption add another layer of complexity." *IC21 Intelligence Community in the 21st Century*, p. 121. (15) Paul Haskell and David G. Messerschmitt, "In Favor of an Enhanced Network Interface for Multimedia Services," submitted to *IEEE Multimedia Magazine*. 
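An added example (not from the report) of the sequence described in Section 2.3.1: compress, then encrypt, then append error-control bits, with the receiver undoing each layer in reverse order. The SHA-256 counter keystream is a stand-in for a real cipher and CRC-32 stands in for the error-control code; the frame layout, function names, key and sample message are assumptions made for the illustration.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

NONCE_LEN = 8  # assumed frame layout: nonce | ciphertext | 4-byte CRC-32


class FrameError(Exception):
    """Raised when one layer of the frame cannot be undone."""


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: SHA-256 over key|nonce|counter. Illustration only,
    # not a vetted algorithm; a real system would use a reviewed cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def build_frame(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Sender side: compress, encrypt, then append error-control bits."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    compressed = zlib.compress(plaintext, 9)
    encrypted = xor_bytes(compressed, keystream(key, nonce, len(compressed)))
    body = nonce + encrypted
    return body + struct.pack(">I", zlib.crc32(body))


def open_frame(frame: bytes, key: bytes) -> bytes:
    """Receiver side: undo the layers in reverse order and fail closed."""
    if len(frame) < NONCE_LEN + 4:
        raise FrameError("frame too short")
    body, trailer = frame[:-4], frame[-4:]
    if struct.pack(">I", zlib.crc32(body)) != trailer:
        raise FrameError("error-control check failed")
    nonce, encrypted = body[:NONCE_LEN], body[NONCE_LEN:]
    compressed = xor_bytes(encrypted, keystream(key, nonce, len(encrypted)))
    try:
        return zlib.decompress(compressed)
    except zlib.error as exc:
        raise FrameError("decompression failed: wrong key or format") from exc


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means no visible structure)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


# Constructed sample message, key and nonce (not real data).
SAMPLE = "".join(
    f"record {i}: status nominal, voltage {i * 37 % 100}\n" for i in range(200)
).encode("ascii")
KEY = b"constructed-demo-key"
NONCE = bytes(range(NONCE_LEN))

if __name__ == "__main__":
    frame = build_frame(SAMPLE, KEY, NONCE)
    print(len(SAMPLE), "plaintext bytes ->", len(frame), "bytes on the wire")
    print("entropy, plaintext: %.2f bits/byte" % byte_entropy(SAMPLE))
    print("entropy, frame:     %.2f bits/byte" % byte_entropy(frame))
    print("round trip ok:", open_frame(frame, KEY) == SAMPLE)

    damaged = bytearray(frame)
    damaged[20] ^= 0x01  # one bit flipped in transit
    for label, data, key in (
        ("bit error", bytes(damaged), KEY),
        ("wrong key", frame, b"some-other-key"),
    ):
        try:
            open_frame(data, key)
        except FrameError as exc:
            print(label, "->", exc)
```

The frame that crosses the line shows almost none of the structure of the plaintext, and each receiver step depends on knowing the convention used by the step before it.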
____________________________________________________________ 2.3.2 Factors Facilitating Access to Information System or Product Design Unauthorized access to protected information can inadvertently be facilitated by product or system features that are intended to provide legitimate access but instead create unintentional loopholes or weaknesses that can be exploited by an interceptor. Such points of access that may be deliberately incorporated into product or system designs include the following: + *Maintenance and monitoring ports*.(16) For example, many telephone switches and computer systems have dial-in ports that are intended to facilitate monitoring and remote maintenance and repair by off-site technicians. + *Master keys*. A product can have a single master key that allows its possessor to decrypt all ciphertext produced by the product. + *Mechanisms for key escrow or key backup*. A third party, for example, may store an extra copy of a private key or a master key. Under appropriate circumstances, the third party releases the key to the appropriate individual(s), who is (are) then able to decrypt the ciphertext in question. This subject is discussed at length in Chapter 5. + *Weak encryption defaults*. A product capable of providing very strong encryption may be designed in such a way that users invoke those capabilities only infrequently. For example, encryption on a secure telephone may be designed so that the use of encryption depends on the user pressing a button at the start of a telephone call. The requirement to press a button to invoke encryption is an example of a weak default, because the telephone could be designed so that encryption is invoked automatically when a call is initiated; when weak defaults are designed into systems, many users will forget to press the button. 
Despite the good reasons for designing systems and products with these various points of access (e.g., facilitating remote access through maintenance ports to eliminate travel costs of system engineers), any such point of access can be exploited by unauthorized individuals as well. Methods Facilitating Access to Information Surreptitious access to communications can also be gained by methods such as the following: + *Interception in the ether*. Many point-to-point communications make use of a wireless (usually radio) link at some point in the process. Since it is impossible to ensure that a radio broadcast reaches only its intended receiver(s), communications carried over wireless links -- such as those involving cellular telephones and personal pagers -- are vulnerable to interception by unauthorized parties. + *Use of pen registers*. Telephone communications involve both the content of a call and call-setup information such as numbers called, originating number, time and length of call and so on. Setup information is often easily accessible, some of it even to end users. + *Wiretapping*. To obtain the contents of a call carried exclusively by nonwireless means, the information carried on a circuit (actually, a replica of the information) is sent to a monitoring station. A call can be wiretapped when an eavesdropper picks up an extension on the same line, hooks up a pair of alligator clips to the right set of terminals, or obtains the cooperation of telephone company officials in monitoring a given call at a chosen location. + *Exploitation of related data*. A great deal of useful information can be obtained by examining in detail a digital stream that is associated with a given communication. For example, people have developed communications protocol analyzers that examine traffic as it flows by a given point for passwords and other sensitive information. + *Reverse engineering*. 
Decompilation or disassembly of software can yield deep understanding of how that software works. One implication is that any algorithm built into software cannot be assumed to be secret for very long, since disassembly of the software will inevitably reveal it to a technically trained individual. + *Cryptanalysis* (discussed in greater detail in Appendix C). Cryptanalysis is the task of recovering the plaintext corresponding to a given ciphertext without knowledge of the decrypting key. Successful cryptanalysis can be the result of: -- *Inadequately-sized keys*. A product with encryption capabilities that implements a strong cryptographic algorithm with an inadequately sized key is vulnerable to a "brute-force" attack.(18) Box 2.2 provides more detail. -- *Weak encryption algorithms or poorly designed products*. Some encryption algorithms and products have weaknesses that, if known to an attacker, require the testing of only a small fraction of the keys that could in principle be the proper key. + *Product penetration*. Like weak encryption, certain design choices such as limits on the maximum size of a password, the lack of a reasonable lower bound on the size of a password, or use of a random-number generator that is not truly random may lead to a product that presents a work factor for an attacker that is much smaller than the theoretical strength implied by the algorithm it uses.(19) + *Monitoring of electronic emissions*. Most electronic communications devices emit electromagnetic radiation that is highly correlated with the information carried or displayed on them. For example, the contents of an unshielded computer display or terminal can in principle be read from a distance (estimates range from tens of meters to hundreds of meters) by equipment specially designed to do so. Coined by a U.S. government program, TEMPEST is the name of a class of techniques to safeguard against monitoring of emissions. + *Device penetration*. 
A software-controlled device can be penetrated in a number of ways. For example, a virus may infect it, making a clandestine change. A message or a file can be sent to an unwary recipient who activates a hidden program when the message is read or the file is opened; such a program, once active, can record the keystrokes of the person at the keyboard, scan the mass storage media for sensitive data and transmit it, or make clandestine alterations to stored data. + *Infrastructure penetration*. The infrastructure used to carry communications is often based on software-controlled devices such as routers. Router software can be modified as described above to copy and forward all (or selected) traffic to an unauthorized interceptor. The last two techniques can be categorized as invasive, because they alter the operating environment in order to gather or modify information. In a network environment, the most common mechanisms of invasive attacks are called viruses and Trojan horses. A virus gains access to a system, hides within that system, and replicates itself to infect other systems. A Trojan horse exploits a weakness from within a system. Either approach can result in intentional or unintentional denial of services for the host system.(20) Modern techniques for combining both techniques to covertly exfiltrate data from a system are becoming increasingly powerful and difficult to detect.(21) Such attacks will gain in popularity as networks become more highly interconnected. ---------- (16) A port is a point of connection to a given information system to which another party (another system, an individual) can connect. (17) "Caller ID," a feature that identifies the number of the calling party, makes use of call-setup information carried on the circuit. (18) A brute-force attack against an encryption algorithm is a computer-based test of all possible keys for that algorithm undertaken in an effort to discover the key that actually has been used. 
Hence, the difficulty and time to complete such attacks increase markedly as the key length grows (specifically, the time doubles for every bit added to the key length). (19) Work factor is used in this report to mean a measure of the difficulty of undertaking a brute-force test of all possible keys against a given ciphertext (and known algorithm). A 40-bit work factor means that a brute-force attack must test at most 2^40 keys to be certain that the corresponding plaintext message is retrieved. In the literature, the term "work factor" is also used to mean the ratio of work needed for brute-force cryptanalysis of an encrypted message to the work needed to encrypt that message. (20) On November 2, 1988, Robert T. Morris, Jr., released a "worm" program that spread itself throughout the Internet over the course of the next day. At trial, Morris maintained that he had not intended to cause the effects that had resulted, a belief held by many in the Internet community. Morris was convicted on a felony count of unauthorized access. See Peter G. Neumann, *Computer Related Risks*, Addison Wesley, Reading, Mass., 1995, p. 133. (21) The popular World Wide Web provides an environment in which an intruder can act to steal data. For example, an industrial spy wishing to obtain data stored on the information network of a large aerospace company can set up a Web page containing information of interest to engineers at the aerospace company (e.g., information on foreign aerospace business contracts in the making), thereby making the page an attractive site for those engineers to visit through the Web. Once an engineer from the company has visited the spy's Web page, a channel is set up by which the Web page could send back a Trojan horse (TH) program for execution on the workstation being used to look at the page. 
The TH could be passed as part of any executable program (Java and Postscript provide two such vehicles) that otherwise did useful things but on the side collected data resident on that workstation (and any other computers to which it might be connected). Once the data was obtained, it could be sent back to the spy's Web page during the same session, or e-mailed back, or sent during the next session used to connect to that Web page. Furthermore, because contacts with a Web page by design provide the specific address from which the contact is coming, the TH could be sent only to the aerospace company (and to no one else), thus reducing the likelihood that anyone else would stumble upon it. Furthermore, the Web page contact also provides information about the workstation that is making the contact, thus permitting a customized and specially debugged TH to be sent to that workstation. ____________________________________________________________ 2.4 THE MARKET FOR CRYPTOGRAPHY Cryptography is a product as well as a technology. Products offering cryptographic capabilities can be divided into two general classes: + *Security-specific or stand-alone* products that are generally add-on items (often hardware, but sometimes software) and often require that users perform an operationally separate action to invoke the encryption capabilities. Examples include an add-on hardware board that encrypts messages or a program that accepts a plaintext file as input and generates a ciphertext file as output. + *Integrated* (often "general-purpose") products in which cryptographic functions have been incorporated into some software or hardware application package as part of its overall functionality. An integrated product is designed to provide a capability that is useful in its own right, as well as encryption capabilities that a user may or may not use. 
Examples include a modem with on-board encryption or a word processor with an option for protecting (encrypting) files with passwords.(22) In addition, an integrated product may provide sockets or hooks to user-supplied modules or components that offer additional cryptographic functionality. An example is a software product that can call upon a user-supplied package that performs certain types of file manipulation such as encryption or file compression. Cryptographic sockets are discussed in Chapter 7 as cryptographic applications programming interfaces. A product with cryptographic capabilities can be designed to provide data confidentiality, data integrity, and user authentication in any combination; a given commercial cryptographic product may implement functionality for any or all of these capabilities. For example, a PC-Card may integrate cryptographic functionality for secure authentication and for encryption onto the same piece of hardware, even though the user may choose to invoke these functions independently. A groupware program for remote collaboration may implement cryptography for confidentiality (by encrypting messages sent between users) and cryptography for data integrity and user authentication (by appending a digital signature to all messages sent between users). Further, this program may be implemented in a way that these features can operate independently (either, both, or neither may be operative at the same time). Because cryptography is usable only when it is incorporated into a product, whether integrated or security-specific, issues of supply and demand affect the use of cryptography. The remainder of this section addresses both demand and supply perspectives on the cryptography market. 
---------- (22) From a system design perspective, it is reasonable to assert that word processing and database applications do not have an intrinsic requirement for encryption capabilities and that such capabilities could be better provided by the operating system on which these applications operate. But as a practical matter, operating systems often do not provide such capabilities, and so vendors have significant incentives to provide encryption capabilities that are useful to customers who want better security. ____________________________________________________________ 2.4.1 The Demand Side of the Cryptography Market Chapter 1 discussed vulnerabilities that put the information assets of businesses and individuals at risk. But despite the presence of such risks, many organizations do not undertake adequate information security efforts, whether those efforts involve cryptography or any other tool. This section explores some of the reasons for this behavior. Lack of Security Awareness (and/or Need) Most people who use electronic communications behave as though they regard their electronic communications as confidential. Even though they may know in some sense that their communications are vulnerable to compromise, they fail to take precautions to prevent breaches in communications security. Even criminals aware that they may be the subjects of wiretaps have been overheard by law enforcement officials to say, "This call is probably being wiretapped, but ... ," after which they go on to discuss incriminating topics.(23) The impetus for thinking seriously about security is usually an event that is widely publicized and significant in impact.(24) An example of responding to publicized problems is the recent demand for encryption of cellular telephone communications. In the past several years, the public has been made aware of a number of instances in which traffic carried over cellular telephones was monitored by unauthorized parties (Appendix J). 
In addition, cellular telephone companies have suffered enormous financial losses as the result of "cloning," an illegal practice in which the unencrypted ID numbers of cellular telephones are recorded off the air and placed into cloned units, thereby allowing the owner of the cloned unit to masquerade as the legitimate user.(25) Even though many users today are aware of such practices and have altered their behavior somewhat (e.g., by avoiding discussion of sensitive information over cellular telephone lines), more secure systems such as GSM (the European standard for mobile telephones) have gained only a minimal foothold in the U.S. market. A second area in which people have become more sensitive to the need for information security is in international commerce. Many international business users are concerned that their international business communications are being monitored, and indeed such concerns motivate a considerable amount of today's demand for secure communications. It is true that the content of the vast majority of telephone communications in the United States (e.g., making a dinner date, taking an ordinary business call) and data communications (e.g., transferring a file from one computer to another, sending an e-mail message) is simply not valuable enough to attract the interest of most eavesdroppers. Moreover, most communications links for point-to-point communications in the United States are hard wired (e.g., fiber-optic cable) rather than wireless (e.g., microwave); hardwired links are much more secure than wireless links.(26) In some instances, compromises of information security do not directly damage the interests of the persons involved. For example, an individual whose credit card number is improperly used by another party (who may have stolen his wallet or eavesdropped on a conversation) is protected by a legal cap on the liability for which he is responsible. 
--------- (23) A case in point is that the officers charged in the Rodney King beating used their electronic communications system as though it were a private telephone line, even though they had been warned that all traffic over that system was recorded. In 1992, Rodney King was beaten by members of the Los Angeles Police Department. A number of transcripts of police radio conversations describing the incident were introduced as evidence at the trial. Had they been fully cognizant at the moment of the fact that all conversations were being recorded as a matter of department policy, the police officers in question most likely would not have said what they did. Personal communication, Sara Kiesler, Carnegie Mellon University, 1993. (24) It is widely believed that only a few percent of computer break-ins are detected. See for example, Jane Bird, "Hunting Down the Hackers," *Management Today*, July, 1994, p. 64 (reports that 1% of attacks are detected); Bob Brewin, "Info Warfare Goes on Attack," *Federal Computer Week*, Volume 9(31), October 23, 1995, p. 1 (reports 2% detection); and Gary Anthes, "Hackers Try New Tacks", *ComputerWorld*, January 30, 1995, p. 12 (reports 5% detection). (25) See for example, Bryan Miller, "Web of Cellular Phone Fraud Widens," *New York Times*, July 20, 1995, p. C-1; and George James, "3 Men Accused of Stealing Cellular Phone ID Numbers," *New York Times*, October 19, 1995, p. B-3. ____________________________________________________________ Other Barriers Influencing Demand for Cryptography Even when a user is aware that communications security is threatened and wishes to take action to forestall the threat, a number of practical considerations can affect the decision to use cryptographic protection. These considerations include the following: + *Lack of critical mass*. A secure telephone is not of much use if only one person has it. 
Ensuring that communications are secure requires collective action -- some critical mass of interoperable devices is necessary in order to stimulate demand for secure communications. To date, such a critical mass has not yet been achieved. + *Uncertainties over government policy*. Policy often has an impact on demand. A number of government policy decisions on cryptography have introduced uncertainty, fear, and doubt into the marketplace and have made it difficult for potential users to plan for the future. Seeing the controversy surrounding policy in this area, potential vendors are reluctant to bring to market products that support security, and potential users are reluctant to consider products for security that may become obsolete in the future in an unstable legal and regulatory environment. + *Lack of a supporting infrastructure*. The mere availability of devices is not necessarily sufficient. For some applications such as secure interpersonal communications, a national or international infrastructure for managing and exchanging keys could be necessary. Without such an infrastructure, encryption may remain a niche feature that is usable only through ad hoc methods replicating some of the functions that an infrastructure would provide and for which demand would thus be limited. Section 2.5 describes some infrastructure issues in greater detail. + *High cost*. To date, hardware-based cryptographic security has been relatively expensive, in part, because of the high cost of stand-alone products made in relatively small numbers. A user that initially deploys a system without security features and subsequently wants to add them can be faced with a very high cost barrier, and consequently there is a limited market for security add-on products. 
On the other hand, the marginal cost of implementing cryptographic capabilities in software at the outset is rapidly becoming a minor part of the overall cost, and so cryptographic capabilities are likely to appear in all manner and types of integrated software products where there might be a need. + *Reduced performance*. The implementation of cryptographic functions often consumes computational resources (e.g., time, memory). In some cases, excessive consumption of resources makes encryption too slow or forces the user to purchase additional memory. If encrypting the communications link over which a conversation is carried delays that conversation by more than a few tenths of a second, users may well choose not to use the encryption capability. + *A generally insecure environment*. A given network or operating system may be so inherently insecure that the addition of cryptographic capabilities would do little to improve overall security. Moreover, retrofitting security measures atop an inherently insecure system is generally difficult. + *Usability*. A product's usability is a critical factor in its market acceptability. Products with encryption capabilities that are available for use but are in fact unused do not increase information security. Such products may be purchased but not used for the encryption they provide because such use is too inconvenient in practice, or they may not be purchased at all because the capabilities they provide are not aligned well with the needs of their users. In general, the need to undertake even a modest amount of extra work or to tolerate even a modest inconvenience for cryptographic protection that is not directly related to the primary function of the device is likely to discourage the use of such protection.(27) When cryptographic features are well integrated in a way that does not demand case-by-case user intervention, i.e., when such capabilities can be invoked transparently to the average user, demand may well increase. 
+ *Lack of independent certification or evaluation of products*. Certification of a product's quality is often sought by potential buyers who lack the technical expertise to evaluate product quality or who are trying to support certain required levels of security (e.g., as the result of bank regulations). Many potential users are also unable to detect failures in the operation of such products.(28) With one exception discussed in Chapter 6, independent certification for products with integrated encryption capabilities is not available, leading to market uncertainty about such products. + *Electronic commerce*. An environment in which secure communications were an essential requirement would do much to increase the demand for cryptographic security.(29) However, the demand for secure communications is currently nascent. + *Uncertainties arising from intellectual property issues*. Many of the algorithms that are useful in cryptography (especially public-key cryptography) are protected by patents. Some vendors are confused by the fear, uncertainty, and doubt caused by existing legal arguments among patent holders. Moreover, even when a patent on a particular algorithm is undisputed, many users may resist its use because they do not wish to pay the royalties.(30) + *Lack of interoperability and standards*. For cryptographic devices to be useful, they must be interoperable. In some instances, the implementation of cryptography can affect the compatibility of systems that may have interoperated even though they did not conform strictly to interoperability standards. In other instances, the specific cryptographic algorithm used is yet another function that must be standardized in order for two products to interoperate. 
Nevertheless, an algorithm is only one piece of a cryptographic device, and so two devices that implement the same cryptographic algorithm may still not interoperate.(31) Only when two devices conform fully to a single interoperability standard (e.g., a standard that would specify how keys are to be exchanged, the formatting of the various data streams, the algorithms to be used for encryption and decryption, and so on) can they be expected to interoperate seamlessly. An approach gaining favor among product developers is protocol negotiation,(32) which calls for two devices or products to mutually negotiate the protocol that they will use to exchange information. For example, the calling device may query the receiving device to determine the right protocol to use. Such an approach frees a device from having to conform to a single standard and also facilitates the upgrading of standards in a backward-compatible manner. + *The heterogeneity of the communications infrastructure*. Communications are ubiquitous, but they are implemented through a patchwork of systems and technologies and communications protocols rather than according to a single integrated design. In some instances, they do not conform completely to the standards that would enable full interoperability. In other instances, interoperability is achieved by intermediate conversion from one data format to another. The result can be that transmission of encrypted data across interfaces interferes with achieving connectivity among disparate systems. Under these circumstances, users may be faced with a choice of using unencrypted communications or not being able to communicate with a particular other party at all.(33) ---------- (26) A major U.S. manufacturer reported to the committee that in the late 1980s, it was alerted by the U.S. government that its microwave communications were vulnerable. 
In response, this manufacturer took steps to increase the capacity of its terrestrial communication links, thereby reducing its dependence on microwave communications. A similar situation was faced by IBM in the 1970s. See William Broad, "Evading the Soviet Ear at Glen Cove," *Science*, Volume 217(3), 1982, pp. 910-911. (27) For example, experience with current secure telephones such as the STU-III suggests that users of such phones may be tempted, because of the need to contact many people, to use them in a nonsecure mode more often than not. (28) Even users who do buy security products may still be unsatisfied with them. For example, in two consecutive surveys in 1993 and 1994, a group of users reported spending more and being less satisfied with the security products they were buying. See Dave Powell, "Annual Infosecurity Industry Survey," *Infosecurity News*, March/April, 1995, pp. 20-27. (29) AT&T plans to take a non-technological approach to solving some of the security problems associated with retail Internet commerce. AT&T has announced that it will insure its credit-card customers against unauthorized charges, as long as those customers were using AT&T's service to connect to the Internet. This action was taken on the theory that the real issue for consumers is the fear of unauthorized charges, rather than fears that confidential data per se would be compromised. See Thomas Weber, "AT&T Will Insure Its Card Customers on Its Web Service," *Wall Street Journal*, February 7, 1996, pp. B-5. (30) See for example, James Bennett, "The Key to Universal Encryption," *Strategic Investment*, December 20, 1995, pp. 12-13. (31) Consider the Data Encryption Standard (DES) as an example. DES is a symmetric encryption algorithm, first published in 1975 by the U.S. 
government, that specifies a unique and well-defined transformation when given a specific 56-bit key and a block of text, but the various details of operation within which DES is implemented can lead to incompatibilities with other systems that include DES, with stand-alone devices incorporating DES, and even with software-implemented DES. Specifically, how the information is prepared prior to being encrypted (e.g., how it is blocked into chunks) and after the encryption (how the encrypted data is modulated on the communications line) will affect the interoperability of communications devices that may both use DES. In addition, key management may not be identical for DES-based devices developed independently. DES-based systems for file encryption generally require a user-generated password to generate the appropriate 56-bit DES key, but since the DES standard does not specify how this aspect of key management is to be performed, the same password used on two independently developed DES-based systems may not result in the same 56-bit key. For these and similar reasons, independently developed DES-based systems cannot necessarily be expected to interoperate. (32) Transmitting a digital bit stream requires that the hardware carrying that stream be able to interpret it. Interpretation means that regardless of the content of the communications (e.g., voice, pictures), the hardware must know what part of the bit stream represents information useful to the ultimate receiver and what part represents information useful to the carrier. A communications protocol is an agreed-upon convention about how to interpret any given bit stream and includes the specification of any encryption algorithm that may be used as part of that protocol.
(33) An analogous example is the fact that two Internet users may find it very difficult to use e-mail to transport a binary file between them, because the e-mail systems on either end may well implement standards for handling binary files differently, even though they may conform to all relevant standards for carrying ASCII text. ____________________________________________________________ 2.4.2 The Supply Side of the Cryptography Market The supply of products with encryption capabilities is inherently related to the demand for them. Cryptographic products result from decisions made by potential vendors and users as well as standards determined by industry and/or government. Use depends on availability as well as other important factors such as user motivation, relevant learning curves, and other nontechnical issues. As a general rule, the availability of products to users depends on decisions made by vendors to build or not to build them, and all of the considerations faced by vendors of all types of products are relevant to products with encryption capabilities. In addition to user demand, vendors need to consider the following issues before deciding to develop and market a product with encryption capabilities: + *Accessibility of the basic knowledge underlying cryptography*. Given that various books, technical articles, and government standards on the subject of cryptography have been published widely over the past 20 years, the basic knowledge needed to design and implement cryptographic systems that can frustrate the best attempts of anyone (including government intelligence agencies) to penetrate them is available to government and nongovernment agencies and parties both here and abroad. For example, because a complete description of DES is available worldwide, it is relatively easy for anyone to develop and implement an encryption system that involves multiple uses of DES to achieve much stronger security than that provided by DES alone.
+ *The skill to implement basic knowledge of cryptography*. A product with encryption capabilities involves much more than a cryptographic algorithm. An algorithm must be implemented in a system, and many design decisions affect the quality of a product even if its algorithm is mathematically sound. Indeed, efforts by multiple parties to develop products with encryption capabilities based on the same algorithm could result in a variety of manufactured products with varying levels of quality and resistance to attack. For example, although cryptographic protocols are not part and parcel of a cryptographic algorithm per se, these protocols specify how critical aspects of a product will operate. Thus, weaknesses in cryptographic protocols -- such as a key generation protocol specifying how to generate and exchange a specific encryption key for a given message to be passed between two parties or a key distribution protocol specifying how keys are to be distributed to users of a given product -- can compromise the confidentiality that a real product actually provides, even though the cryptographic algorithm and its implementation are flawless.(34) + *The skill to integrate the cryptography into a usable product*. Even a product that implements a strong cryptographic algorithm in a competent manner is not valuable if the product is unusable in other ways. For integrated products with encryption capabilities, the noncryptographic functions of the product are central, because the primary purpose of an integrated product is to provide some useful capability to the user (e.g., word processing, database management, communications) that does not involve cryptography per se; if cryptography interferes with this primary functionality, it detracts from the product's value. In this area, U.S. software vendors and system integrators have distinct strengths, (35) even though engineering talent and cryptographic expertise are not limited to the United States.
For example, foreign vendors do not market integrated products with encryption capabilities that are sold as mass-market software, whereas many such U.S. products are available.(36) + *The cost of developing, maintaining, and upgrading an economically viable product with encryption capabilities*. The technical aspects of good encryption are increasingly well understood. As a result, the incremental cost of designing a software product so that it can provide cryptographic functionality to end users is relatively small. As cost barriers to the inclusion of cryptographic functionality are reduced dramatically, the long-term likelihood increases that most products that process digital information will include some kinds of cryptographic functionality. + *The suitability of hardware vs. software* as a medium in which to implement a product with encryption capabilities. The duplication and distribution costs for software are very low compared to those for hardware, and yet, trade secrets embedded in proprietary hardware are easier to keep than those included in software. Moreover, software cryptographic functions are more easily disabled. + *Nonmarket considerations and export controls*. Vendors may withhold or alter their products at government request. For example, a well-documented instance is the fact that AT&T voluntarily deferred the introduction of its 3600 Secure Telephone Unit (STU) at the behest of government (see Appendix E on the history of current cryptography policy and Chapter 6 on government influence). Export controls also affect decisions to make products available even for domestic use, as described in Chapter 4.
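The implementation-skill item above says that a weak key generation process can compromise confidentiality even when the algorithm is flawless, and note 34 cites a 40-bit product whose faulty random number generation shrank the search space. The Python sketch below is an added illustration, not code from the report or from any product; the seed inputs (a clock reading and a process ID), all function names, and the sample ranges are assumptions chosen for the demonstration.

```python
import math
import random
import secrets

KEY_BITS = 40  # nominal key length of the product cited in note 34


def weak_keygen(unix_second, pid):
    """Deliberately weak: the key is a pure function of two guessable values.

    Seeding a general-purpose PRNG from the clock and a process ID is an
    assumed design used only to illustrate the failure class.
    """
    seed = (unix_second << 16) | pid
    return random.Random(seed).getrandbits(KEY_BITS)


def strong_keygen():
    """Hardened form: draw the key from the operating system's CSPRNG."""
    return secrets.randbits(KEY_BITS)


def effective_key_bits(keygen, seconds_window, pid_range):
    """log2 of the number of distinct keys the generator can emit.

    seconds_window and pid_range describe how closely an outside observer
    can bound the seed inputs; the result is the key space that actually
    protects the message, whatever the nominal key length says.
    """
    keys = {keygen(t, p) for t in seconds_window for p in pid_range}
    return math.log2(len(keys))


def seed_entropy_ok(seed_bits, key_bits=KEY_BITS):
    """Design-review check: the seed must carry at least key_bits of entropy."""
    return seed_bits >= key_bits


# Constructed sample bounds: a five-minute clock window and 256 process IDs.
SAMPLE_SECONDS = range(811_000_000, 811_000_300)
SAMPLE_PIDS = range(1, 257)

if __name__ == "__main__":
    bits = effective_key_bits(weak_keygen, SAMPLE_SECONDS, SAMPLE_PIDS)
    print(f"nominal key length : {KEY_BITS} bits")
    print(f"effective key space: {bits:.2f} bits")
    print(f"passes review      : {seed_entropy_ok(bits)}")
    print(f"CSPRNG key         : {strong_keygen():010x}")
```

With these sample bounds the 40-bit key is protected by only about 16 bits of uncertainty, which is the gap between nominal and actual strength that the text attributes to implementation quality rather than to the algorithm.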
---------- (34) An incident that demonstrates the importance of the nonalgorithm aspects of a product is the failure of the key-generation process for the Netscape Navigator Web browser that was discovered in 1995; a faulty random number generation used in the generation of keys would enable an intruder exploiting this flaw to limit a brute-force search to a much smaller number of keys than would generally be required by the 40-bit key length used in this product. See John Markoff, "Security Flaw Is Discovered in Software Used in Shopping," *New York Times*, September 19, 1995, p. A1. A detailed discussion of protocol failures can be found in Gustavus Simmons, "Cryptanalysis and Protocol Failures," *Communications of the ACM*, Volume 37(11), 1994, pp. 56-65. (35) Computer Science and Telecommunications Board (CSTB), National Research Council, *Keeping the U.S. Computer Industry Competitive: Systems Integration*, National Academy Press, Washington, D.C., 1992. (36) For example, the Department of Commerce and the National Security Agency found no general-purpose software products with encryption capability from non-U.S. manufacturers. See Department of Commerce and National Security Agency, *A Study of the International Market for Computer Software with Encryption*, January 11, 1996, p. III-9. ____________________________________________________________ 2.5 INFRASTRUCTURE FOR WIDESPREAD USE OF CRYPTOGRAPHY The widespread use of cryptography requires a support infrastructure that can service organizational or individual user needs with regard to cryptographic keys. 
2.5.1 Key Management Infrastructure In general, to enable use of cryptography across an enterprise, there must be a mechanism that: + Periodically supplies all participating locations with keys (typically designated for use during a given calendar or time period -- the crypto-period) for either stored materials or communications; or + Permits any given location to generate keys for itself as needed (e.g., to protect stored files); or + Can securely generate and transmit keys among communicating parties (e.g., for data transmissions, telephone conversations). In the most general case, any given location will have to perform all three functions. With symmetric systems, the movement of keys from place to place obviously must be done securely and with a level of protection adequate to counter the threats of concern to the using parties. Whatever the distribution system, it clearly must protect the keys with appropriate safeguards and must be prepared to identify and authenticate the source. The overall task of securely assuring availability of keys for symmetric applications is often called key management. If all secure communications take place within the same corporation or among locations under a common line of authority, key management is an internal or possibly a joint obligation. For parties that communicate occasionally or across organizational boundaries, mutual arrangements must be formulated for managing keys. One possibility might be a separate trusted entity whose line of business could be to supply keys of specified length and format, on demand and for a fee. With asymmetric systems, the private keys are usually self-generated, but they may also be generated from a central source, such as a corporate security office. In all cases, however, the handling of private keys is the same for symmetric and asymmetric systems; they must be guarded with the highest levels of security.
Although public keys need not be kept secret, their integrity and association with a given user are extremely important and should also be supported with extremely robust measures. The costs of a key management infrastructure for national use are not known at this time. One benchmark figure is that the cost of the Defense Department infrastructure needed to generate and distribute keys for approximately 320,000 STU-III telephone users is somewhere in the range of $10 million to $13 million per year.(37) ---------- (37) William Crowell, deputy director, National Security Agency, personal communication, April 1995. ____________________________________________________________ 2.5.2 Certificate Infrastructures The association between key information (such as the name of a person and the related public key) and an individual or organization is an extremely important aspect of a cryptographic system. That is, it is undesirable for one person to be able to impersonate another. To guard against impersonation, two general types of solutions have emerged: an organization-centric approach consisting of certificate authorities and a user-centric approach consisting of a web of trust. A certificate authority serves to validate information that is associated with a known individual or organization. Certificate authorities can exist within a single organization, across multiple related organizations, or across society in general. Any number of certificate authorities can coexist, and they may or may not have agreements for cross-certification, whereby if one authority certifies a given person, then another authority will accept that certification within its own structure. Certificate authority hierarchies are defined in the Internet RFCs 1421-1424, the X.509 standard, and other emerging commercial standards, such as that proposed by MasterCard/Visa.
A number of private certificate authorities, such as VeriSign, have also begun operation to service secure mass-market software products, such as the Netscape Navigator Web browser. Among personal acquaintances, validation of public keys can be passed along from person to person or organization to organization, thus creating a web of trust in which the entire ensemble is considered to be trusted based on many individual instances of trust. Such a chain of trust can be established between immediate parties, or from one party to a second to establish the credentials of a third. This approach has been made popular by the Pretty Good Privacy (PGP) software product; all users maintain their own "key-ring," which holds the public keys of everyone with whom they want to communicate. Importantly, it should be noted that both the certificate authority approach and the web of trust approach replicate the pattern of trust that already exists among participating parties in societal and business activities. In a sense, the certificate infrastructure for cryptography simply formalizes and makes explicit what society and its institutions are already accustomed to. At some point, banks, corporations, and other organizations already generally trusted by society will start to issue certificates. At that time, individuals especially may begin to feel more comfortable about the cryptographic undergirding of society's electronic infrastructure, at which point the webs of trust can be expected to evolve according to individual choices and market forces. However, it should be noted that different certificates will be used for different functions, and it is unlikely that a single universal certificate infrastructure will satisfy all societal and business needs. For example, because an infrastructure designed to support electronic commerce and banking may do no more than identify valid purchasers, it may not be useful for providing interpersonal communication or corporate access control.
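The two trust models described above, certificate authorities with optional cross-certification and a web of trust built from personal key-rings, can both be expressed as a search for a chain of vouching statements that starts at a key the verifier already trusts. The Python model below is an added illustration, not code from the report, PGP, or any certificate standard; the record layout, names, and fingerprints are constructed, and signature verification is assumed to have been done before a record is admitted.

```python
from collections import deque
from typing import NamedTuple


class Cert(NamedTuple):
    issuer: str       # name of the party vouching
    issuer_key: str   # fingerprint of the key that signed the statement
    subject: str      # name being bound to a key
    subject_key: str  # fingerprint of the public key bound to that name


def find_chain(trusted, certs, name, key, max_links=3):
    """Return the list of Certs linking a trusted key to (name, key), or None.

    trusted maps names to key fingerprints the verifier already holds:
    a root authority in the hierarchy model, or key-ring entries accepted
    as introducers in the web-of-trust model. A statement is followed only
    if it was signed by the exact key already accepted for its issuer,
    which is what defeats a certificate issued under a borrowed name.
    """
    if trusted.get(name) == key:
        return []
    accepted = set(trusted.items())
    frontier = deque((holder, []) for holder in accepted)
    while frontier:
        holder, path = frontier.popleft()
        if len(path) >= max_links:
            continue
        for cert in certs:
            if (cert.issuer, cert.issuer_key) != holder:
                continue
            bound = (cert.subject, cert.subject_key)
            if bound == (name, key):
                return path + [cert]
            if bound not in accepted:
                accepted.add(bound)
                frontier.append((bound, path + [cert]))
    return None


# Constructed data: two authorities, one cross-certificate, one impostor record.
ALICE_ROOTS = {"CA-A": "fp:a0"}
CA_CERTS = [
    Cert("CA-A", "fp:a0", "Alice", "fp:a1"),
    Cert("CA-B", "fp:b0", "Bob", "fp:b1"),
]
CROSS_CERT = Cert("CA-A", "fp:a0", "CA-B", "fp:b0")
IMPOSTOR = Cert("CA-B", "fp:xx", "Bob", "fp:zz")  # signed by a key that is not CA-B's

# Constructed data: a key-ring where Carol is a trusted introducer.
KEYRING = {"Carol": "fp:c1"}
VOUCHES = [
    Cert("Carol", "fp:c1", "Dave", "fp:d1"),
    Cert("Dave", "fp:d1", "Erin", "fp:e1"),
]

if __name__ == "__main__":
    print(find_chain(ALICE_ROOTS, CA_CERTS, "Bob", "fp:b1"))
    print(find_chain(ALICE_ROOTS, CA_CERTS + [CROSS_CERT], "Bob", "fp:b1"))
    print(find_chain(ALICE_ROOTS, CA_CERTS + [CROSS_CERT, IMPOSTOR], "Bob", "fp:zz"))
    print(find_chain(KEYRING, VOUCHES, "Erin", "fp:e1", max_links=1))
```

The `max_links` limit is the verifier's policy on how far transitive trust may extend; the text does not prescribe a value.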
Certificate authorities already exist within some businesses, especially those that have moved vigorously into an electronic way of life. Generally, there is no sense of a need for a legal framework to establish relationships among organizations, each of which operates its own certificate function. Arrangements exist for them to cross-certify one another; in general, the individual(s) authorizing the arrangement will be a senior officer of the corporation, and the decision will be based on the existence of other legal agreements already in place, notably, contracts that define the relationships and obligation among organizations. For the general business world in which any individual or organization wishes to conduct a transaction with any other individual or organization, such as the sale of a house, a formal certificate infrastructure has yet to be created. There is not even one to support just a digital signature application within government. Hence, it remains to be seen how, in the general case, individuals and organizations will make the transition to an electronic society. Certificate authorities currently operate within the framework of contractual law. That is, if some problem arises as the result of improper actions on the part of the certification authority, its subscribers would have to pursue a civil complaint. As certificate authorities grow in size and service a greater part of society, it will probably be necessary to regulate their actions under law, much like those of any major societal institutions.(38) It is interesting to observe that the legal and operational environment that will have to exist for certificate organizations involves the same set of issues that are pertinent to escrow organizations (as discussed in Chapter 5). ---------- (38) Shimshon Berkovits et al., *Public Key Infrastructure Study: Final Report*, National Institute of Standards and Technology, Gaithersburg, Maryland, April 1994. 
Performed under contract to MITRE, this study is summarized in Appendix H. ____________________________________________________________ 2.6 RECAP Cryptography provides important capabilities that can help deal with the vulnerabilities of electronic information. Cryptography can help to assure the integrity of data, to authenticate the identity of specific parties, to prevent individuals from plausibly denying that they have signed something, and to preserve the confidentiality of information that may have improperly come into the possession of unauthorized parties. At the same time, cryptography is not a silver bullet, and many technical and human factors other than cryptography can improve or detract from information security. In order to preserve information security, attention must be given to all of these factors. Moreover, people can use cryptography only to the extent that it is incorporated into real products and systems; unimplemented cryptographic algorithms cannot contribute to information security. Many factors other than raw mathematical knowledge contribute to the supply of and demand for products with cryptographic functionality. Most importantly, the following aspects influence the demand for cryptographic functions in products: + Critical mass in the marketplace, + Government policy, + Supporting infrastructure, + Cost, + Performance, + Overall security environment, + Usability, + Quality certification and evaluation, and + Interoperability standards. Finally, any large-scale use of cryptography, with or without key escrow (discussed later in Chapter 5), depends on the existence of a substantial supporting infrastructure, the deployment of which raises a different set of problems and issues. ____________________________________________________________ BOX 2.1 The Evolution of the Telecommunications Industry Prior to 1984, the U.S. telecommunications industry was dominated by one primary player -- AT&T. 
An elaborate regulatory structure had evolved in the preceding decades to govern what had become an essential national service on which private citizens, government, and business had come to rely. By contrast, the watchword in telecommunications a mere decade later has become competition. AT&T is still a major player in the field, but the regional Bell operating companies (RBOCs), separated from AT&T as part of the divestiture decision of 1984, operate entirely independently, providing local services. Indeed, the current mood in Congress toward deregulation is already causing increasingly active competition and confrontation among all of the players involved, including cable TV companies, cellular and mobile telephone companies, the long-distance telecommunications companies (AT&T, MCI, Sprint, and hundreds of others), the RBOCs and other local exchange providers, TV and radio broadcast companies, entertainment companies, and satellite communications companies. Today, all of these players compete for a share of the telecommunications pie in the same geographic area; even railroads and gas companies (which own geographic rights of way along which transmission lines can be laid) and power companies (which have wires going to every house) have dreams of profiting from the telecommunications boom. The playing field is even further complicated by the fact of reselling -- institutions often buy telecommunications services from "primary" providers in bulk to serve their own needs and resell the excess to other customers. In short, today's telecommunications industry is highly heterogeneous and widely deployed with multiple public and private service providers, and will become more so in the future. ____________________________________________________________ BOX 2.2 Fundamentals of Cryptographic Strength Cryptographic strength depends on two factors: the size of the key, and the mathematical structure of the algorithm itself.
For well-designed symmetric cryptographic systems, "brute-force" exhaustive search -- trying all possible keys with a given decryption algorithm until the (meaningful) plaintext appears -- is the best publicly known cryptanalytic method. For such systems the work factor (i.e., the time to cryptanalyze) grows exponentially with key size. Hence, with a sufficiently long key, even an eavesdropper with very extensive computing resources would have to take a very long time (longer than the age of the universe) to test all possible combinations. Adding one binary digit (bit) to the length of a key doubles the length of time it takes to undertake a brute-force attack while adding only a very small increment to the time it takes to encrypt the plaintext. How long is a "long" key? To decipher by brute force a message encrypted with a 40-bit key requires 2^40 (approximately 10^12) tests. If each test takes 10^-6 seconds to conduct, 1 million seconds of testing time on a single computer are required to conduct a brute-force attack, or about 11.5 days. A 56-bit key increases this time by a factor of 2^16, or 65,536; under the same assumptions, a brute-force attack on a message encrypted with a 56-bit key would take over 2,000 years. Two important considerations mitigate the bleakness of this conclusion from the perspective of the interceptor. One is that computers can be expected to grow more powerful over time. Speed increases in the underlying silicon technology have exhibited a predictable pattern for the past 50 years -- computational speed doubles every 18 months (Moore's law), equivalent to increasing by a factor of 10 every 5 years. Thus, if a single test takes 10^-6 seconds today, in 15 years, it can be expected to take 10^-9 seconds. Additional speedup is possible using parallel processing. Some supercomputers use tens of thousands of microprocessors in parallel, and cryptanalytic problems are particularly well-suited to parallel processing. 
Even 1,000 processors working in parallel, each using the underlying silicon technology of 15 years hence, would be able to decrypt a single 56-bit encrypted message in 18 hours. As for the exploitation of alternatives to brute-force search, all known asymmetric (i.e., public-key) cryptographic systems allow shortcuts to exhaustive search. Because more information is public in such systems, it is also likely that shortcut attacks will exist for any new systems invented. Shortcut attacks also exist for poorly designed symmetric systems. Newly developed shortcut attacks constitute unforeseen breakthroughs, and so by their very nature introduce an unpredictable "wild card" into the effort to set a reasonable key size. Because such attacks are applicable primarily to public-key systems, larger key sizes and larger safety margins are needed for such systems than for symmetric cryptographic systems. For example, factoring a 512-bit number by exhaustive search would take 2^256 tests (since at least one factor must be less than 2^256); known shortcut attacks would allow such numbers to be factored in approximately 2^65 operations, a number on the order of that required to undertake a brute-force exhaustive search of a message encrypted with a 64-bit symmetric cryptographic system. While symmetric 64-bit systems are considered relatively safe, fear of future breakthroughs in cryptanalyzing public-key systems has led many cryptographers to suggest a minimum key size of 1,024 bits for public-key systems, thereby providing in key length a factor-of-two safety margin over the safety afforded by 512-bit keys. More discussion of this topic can be found in Appendix C. 
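The work-factor arithmetic in Box 2.2 can be carried through exactly and then turned around to ask what key length outlasts a given protection period. The Python below is an added example, not part of the report; the function names are hypothetical, and `min_key_bits` goes beyond the box by summing the tests an attacker completes while hardware keeps improving at the box's stated rate of a factor of 10 every 5 years.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def moore_speedup(years, tenfold_every=5.0):
    """Speed multiplier after `years`, using the box's factor of 10 per 5 years."""
    return 10.0 ** (years / tenfold_every)


def search_seconds(key_bits, test_seconds=1e-6, processors=1, years_ahead=0.0):
    """Time to try every key of `key_bits` bits on hardware `years_ahead` from now.

    This is the full exhaustive search used in the box; the expected time
    to find one particular key is half of it.
    """
    tests_per_second = processors * moore_speedup(years_ahead) / test_seconds
    return 2 ** key_bits / tests_per_second


def min_key_bits(protect_years, test_seconds=1e-6, processors=1, tenfold_every=5.0):
    """Smallest key length that is not exhausted within `protect_years`.

    Assumes an attacker who starts today and upgrades continuously, so the
    tests completed by year T are the integral of an exponentially growing
    rate: rate_now * (e^(g*T) - 1) / g, with g = ln(10) / tenfold_every.
    """
    if protect_years <= 0:
        raise ValueError("protect_years must be positive")
    growth = math.log(10.0) / tenfold_every
    tests_per_year_now = processors * SECONDS_PER_YEAR / test_seconds
    total = tests_per_year_now * (math.exp(growth * protect_years) - 1.0) / growth
    return math.ceil(math.log2(total))


if __name__ == "__main__":
    # The box rounds 2^40 down to 10^12, which is why it reports 11.5 days
    # and 18 hours where the exact figures are slightly larger.
    print(f"40-bit, one machine today  : {search_seconds(40) / SECONDS_PER_DAY:.1f} days")
    print(f"56-bit, one machine today  : {search_seconds(56) / SECONDS_PER_YEAR:.0f} years")
    hours = search_seconds(56, processors=1000, years_ahead=15) / 3600
    print(f"56-bit, 1,000 CPUs in 15 yr: {hours:.1f} hours")
    print(f"key bits to last 15 yr vs one improving machine   : {min_key_bits(15)}")
    print(f"key bits to last 20 yr vs 1,000 improving machines: {min_key_bits(20, processors=1000)}")
```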
[End Chapter 2] ____________________________________________________________ 3 Needs for Access to Encrypted Information Information protected for confidentiality (i.e., encrypted information) is stored or communicated for later use by certain parties with the authorization of the original protector. However, it may happen for various legitimate and lawfully authorized reasons that other parties may need to recover this information as well. This chapter discusses needs for access to encrypted information under exceptional circumstances for legitimate and lawfully authorized purposes from the perspectives of businesses, individuals, law enforcement, and national security. Businesses and individuals may want access to encrypted data or communications for their own purposes, and thus may cooperate in using products to facilitate such access, while law enforcement and national security authorities may want access to the encrypted data or communications of criminals and parties hostile to the United States. 3.1 TERMINOLOGY It is useful to conceptualize data communications and data storage using the language of transactions. For example, one individual may telephone another; the participants in the transaction are usually referred to as the calling party and the called party. Or, a person makes a purchase; the participants are called the buyer and seller. Or, a sender mails something to the recipient. Adopting this construct, consider communications in which the first party (Party A) sends a message and the second party (Party B) receives it. "Party" does not necessarily imply a person; a "party" can be a computer system, a communication system, a software process. In the case of data storage, Party A stores the data, while Party B retrieves it. Note that Party A and Party B can be the same party (as is the case when an individual stores a file for his or her own later use).
Under some circumstances, a third party may be authorized for access to data stored or being communicated. For example, law enforcement authorities may be granted legal authorization to obtain surreptitious access to a telephone conversation or a stored data file or record without the knowledge of Parties A or B. The employer of Party A may have the legal right to read all data files for which Party A is responsible or to monitor all communications in which Party A participates. Party A might inadvertently lose access to a data file and wish to recover that access. In cases when the data involved is unencrypted, the procedures needed to obtain access can be as simple as identifying the relevant file name or as complex as seeking a court order for legal authorization. But when the data involved is encrypted, the procedures needed to obtain access will require the possession of certain critical pieces of information, such as the relevant cryptographic keys. Third-party access has many twists and turns. When it is necessary for clarity of exposition or meaning, this report uses the phrase "exceptional access" to stress that the situation is not one that was included within the intended bounds of the original transaction, but is an unusual subsequent event. Exceptional access refers to situations in which an authorized party needs and can obtain the plaintext of encrypted data (for storage or communications). The word "exceptional" is used in contrast to the word "routine" and connotes something unusual about the circumstances under which access is required. Exceptional access can be divided into three generic categories: + *Government exceptional access* refers to the case in which government has a need for access to information under specific circumstances authorized by law. For example, a person might store data files that law enforcement authorities need to prosecute or investigate a crime. 
Alternatively, two people may be communicating with each other in the planning or commission of a serious crime. Government exceptional access thus refers to the government's need to obtain the relevant information under circumstances authorized by law, and requires a court order (for access to voice or data communications) or a subpoena or search warrant (for access to stored records). Government exceptional access is the focus of Section 3.2. + *Employer (or corporate) exceptional access* refers to the case in which an employer (i.e., the corporate employer) has the legal right to access to information encrypted by an employee. If an employee who has encrypted a file is indisposed on a certain day, for example, the company may need exceptional access to the contents of the file. Alternatively, an employee may engage in communications whose content the company may have a legitimate need to know (e.g., the employee may be leaking proprietary information). Employer exceptional access would then refer to the company's requirement to obtain the key necessary to obtain the contents of the file or communications, and may require the intervention of another institutional entity. Employer or corporate exceptional access is the focus of Section 3.5. + *End-user exceptional access* refers to the case in which the parties primarily intended to have access to plaintext have lost the means to obtain such access. For example, a single user may have stored a file for later retrieval, but encrypted it to ensure that no other party would have access to it while it was in storage. However, the user might also lose or forget the key used to encrypt that file. End-user exceptional access refers to such a user's requirement to obtain the proper key, and may require that the individual who has lost a key prove his identity to a party holding the backup key and verify his authorization to obtain a duplicate copy of his key. End-user exceptional access is also discussed in Section 3.5.
The need for exceptional access when the information stored or communicated is encrypted has led to an examination of a concept generically known as escrowed encryption (the subject of Chapter 5), which, loosely speaking, uses agents other than the parties participating in the communication or data storage to hold copies of or otherwise have access to relevant cryptographic keys "in escrow" so that needs for end-user, corporate, and government exceptional access can be met; these agents are called escrow agents. 3.2 LAW ENFORCEMENT: INVESTIGATION AND PROSECUTION Obtaining information (both evidence and intelligence) has always been a central element in the conduct of law enforcement investigations and prosecutions. Accordingly, criminals have always wished to protect the information relevant to their activities from law enforcement authorities. 3.2.1 The Value of Access to Information for Law Enforcement Many criminals keep records related to their activities; such records can be critical to the investigation and prosecution of criminal activity. For example, criminals engaged in white-collar crimes such as fraud often leave paper trails that detail fraudulent activities; drug dealers often keep accounting records of clients, drop-offs, supplies, and income. Reconstruction of these paper trails is often a critical element in building a case against these individuals. The search-and-seizure authority of law enforcement to obtain paper records is used in a large fraction of criminal cases. Law enforcement officials believe that wiretapping is a crucial source for information that could not be obtained in any other way or obtained only at high risk (Box 3.2). For example, the FBI has testified that [w]ithout law enforcement's ability to effectively execute court orders for electronic surveillance, the country would be unable to protect itself against foreign threats, terrorism, espionage, violent crime, drug trafficking, kidnapping, and other crimes. 
We may be unable to intercept a terrorist before he sets off a devastating bomb; unable to thwart a foreign spy before he can steal secrets that endanger the entire country; and unable to arrest drug traffickers smuggling in huge amounts of drugs that will cause widespread violence and death. Court-approved electronic surveillance is of immense value, and often is the only way to prevent or solve the most serious crimes facing today's society.(1) Criminals often discuss their past criminal activity and plans for future criminal activity with other parties. Obtaining "inside information" on such activities is often a central element of building a case against the perpetrators. A defendant that describes in his own words how he committed a crime or the extent to which he was involved in it gives prosecutors a powerful weapon that juries tend to perceive as fair.(2) Other methods of obtaining "inside information" have significant risks associated with them: + Informants are often used to provide inside information. However, the credibility of informants is often challenged in court, either because the informants have shady records themselves or because they may have made a deal with prosecutors by agreeing to serve as informants in return for more lenient treatment.(3) By contrast, challenges to evidence obtained through wiretaps are far more frequently based on their admissibility in court rather than their intrinsic credibility. Informants may also be more difficult to find when a criminal group is small in size. + Surreptitiously planted listening devices are also used to obtain inside information. However, they generally obtain only one side of a conversation (use of a speaker-phone presents an exception). Further, since listening devices require the use of an agent to plant them, installation of such devices is both highly intrusive (arguably more so than wiretapping) for the subject of the device and risky for the planting agent. 
Requests for the use of such devices are subject to the same judicial oversight and review as wiretaps. This discussion is not intended to suggest that wiretaps are a perfect source of information and always useful to law enforcement. An important difficulty in using wiretaps is that context is often difficult for listeners to establish when they are monitoring a telephone conversation that assumes shared knowledge between the communicators.(4) Because of the legal framework regulating wiretaps, and the fact that communications are by definition transient whereas records endure, wiretapping is used in far fewer criminal cases than is seizure of records. Although the potential problems of denying law enforcement access to communications have been the focus of most of the public debate, encryption of data files in a way that denies law enforcement authorities access to data files relevant to criminal activity arguably presents a much larger threat to their capabilities. ---------- (1) Statement of James K. Kallstrom, Special Agent in Charge, Special Operations Division, New York Field Division, Federal Bureau of Investigation on "Security Issues in Computers and Communications," before the Subcommittee on Technology, Environment, and Aviation of the Committee on Science, Space, and Technology, U.S. House of Representatives, May 3, 1994. (2) For example, see Edward Walsh, "Reynolds Guilty on All Counts," *Washington Post*, August 23, 1995, p. 1. (3) See for example, Sharon Walsh, "Whistle-Blower Quandary: Will Testimony Fly?," *Washington Post*, August 23, 1995, p. F-3; Richard Perez-Pena, "An Informer's Double Life: Blows Come from 2 Sides," *New York Times*, October 15, 1995, p. 35; Joseph P. Fried, "Undermining a Bomb-Trial Witness," *New York Times*, April 9, 1995, p. 42; and Stephen Labaton, "The Price Can Be High for Talk That's Cheap," *New York Times*, Week in Review, April 2, 1995, p. 3. 
(4) Indeed, in some instances, wiretap evidence has been used to *exculpate* defendants. See for example, Peter Marks, "When the Best Defense is the Prosecution's Own Tapes," *New York Times*, June 30, 1995, p. D-20. According to Roger Shuy, professor of linguistics at Georgetown University, there are many difficulties in ascribing meaning to particular utterances that may be captured on tape recordings of conversations. See Roger Shuy, *Language Crimes*, Blackwell Publishers, Cambridge, Mass., 1993. Shuy's book is mostly focused on tapes made by "wires" carried by informants or "bugs" placed near a subject, but the basic principle is the same. ____________________________________________________________ 3.2.2 The Legal Framework Governing Surveillance An evolving legal framework governs the authority of government authorities to undertake surveillance of communications that take place within the United States or that involve U.S. persons. Surveillance within the United States is authorized only for certain legislatively specified purposes: the enforcement of certain criminal statutes and the collection of foreign intelligence. A more extended description of this framework (with footnoted references) is contained in Appendix D. Domestic Communications Surveillance for Domestic Law Enforcement Purposes Communications surveillance can involve surveillance for traffic analysis and/or surveillance for content; these separate activities are governed by different laws and regulations. Traffic analysis, a technique that establishes patterns of connections and communications, is performed with the aid of pen registers that record the numbers dialed from a target telephone, and trap-and-trace devices that identify the numbers of telephones from which calls are placed to the target telephone. Orders for the use of these devices may be requested by any federal attorney and granted by any federal district judge or magistrate, and are granted on a more or less pro forma basis. 
Surveillance of communications for content for purposes of domestic law enforcement is governed by Title 18, United States Code, Sections 2510-2521 concerning "wire and electronic communications interceptions and interception of all communications," generally known as Title III. These sections of the U.S. code govern the use of listening devices (usually known as "bugs"); wiretaps of communications involving human speech (called "oral communications" in Title III) carried over a wire or wire-like cable, including optical fiber; and other forms of electronically transmitted communication, including various forms of data, text, and video that may be communicated between or among people as well as computers or communications devices. Under Title III, only certain federal crimes may be investigated (e.g., murder, kidnapping, child molestation, racketeering, narcotics offenses) through the interception of oral communications. In addition, 37 states have passed laws that are similar to Title III, but they include such additional restrictions as allowing only a fixed number of interceptions per year (Connecticut) or only for drug-related crimes (California). State wiretaps account for the majority of wiretaps in the United States. Surveillance of oral communications governed under Title III in general requires a court order (i.e., a warrant) granted at the discretion of a judge.(5) Because electronic surveillance of oral communications is both inherently intrusive and clandestine, the standards for granting a warrant for such surveillance are more stringent than those required by the Fourth Amendment. These additional requirements are specified in Title III and are enforced by criminal and civil penalties applicable to law enforcement officials or private citizens, and by a statutory exclusionary rule that violations of the central features of requirements may lead to suppression of evidence in a later trial, even if such evidence meets the relevant Fourth Amendment test. 
Because of the resources required, the administrative requirements for the application procedure, and the legal requirement that investigators exhaust other means of obtaining information, wiretaps are not often used. Approximately 1,000 orders (both federal and state) are authorized yearly (a number small compared to the number of felonies investigated, even if such felonies are limited to those specified in Title III as eligible for investigation with wiretaps).(6) About 2,500 conversations are intercepted per order, and the total number of conversations intercepted is a very small fraction of the annual telephone traffic in the United States. Surveillance of nonvoice communications, including fax and electronic communications, is also governed by Title III.(7) The standard for obtaining an intercept order for electronic communications is less stringent than that for intercepting voice communications. For example, any federal felony may be investigated through electronic interception. In addition, the statutory exclusionary rule of Title III for oral and wire communications does not apply to electronic communications. Despite the legal framework outlined above, it is nevertheless possible that unauthorized or unlawful surveillance, whether undertaken by rogue law enforcement officials or overzealous private investigators, also occurs. Concerns over such activity are often expressed by critics of the current administration policy, and they focus on two scenarios: + With current telephone technology, it is sometimes technically possible for individuals (e.g., private investigators, criminals, rogue law enforcement personnel) to undertake wiretaps on their own initiative (e.g., by placing alligator clips on the proper terminals in the telephone box of an apartment building). Such wiretaps would subject the personnel involved to Title III criminal penalties, but detection of such wiretaps might well be difficult. 
On the other hand, it is highly unlikely that such a person could obtain the cooperation of major telephone service providers without a valid warrant or court order, and so these wiretaps would have to be conducted relatively close to the target's telephone, and not in a telephone switching office. + Information obtained through a wiretap in violation of Title III can be suppressed in court, but such evidence may still be useful in the course of an investigation. Specifically, such evidence may cue investigators regarding specific areas that would be particularly fruitful to investigate, and if the illegal wiretap is never discovered, a wiretap that provides no court-admissible evidence may still prove pivotal to an investigation.(8) (Even if it is discovered, different judges apply the doctrine of discarding "the fruit of the poisonous tree" with different amounts of rigor.) The extent to which these and similar scenarios actually occur is hard to determine. Information provided by the FBI to the committee indicates a total of 187 incidents of various types (including indictment/complaints and convictions/pretrial diversions) involving charges of illegal electronic surveillance (whether subsequently confirmed or not) over the past 5 fiscal years (1990 through 1994).(9) ---------- (5) Emergency intercepts may be performed without a warrant in certain circumstances, such as physical danger to a person or conspiracy against the national security. There has been "virtually no use" of the emergency provision, and its constitutionality has not been tested in court. Wayne R. LaFave and Jerold H. Israel, *Criminal Procedure*, West Publishing Company, St. Paul, Minnesota, 1992, p. 254. (6) Some analysts critical of the U.S. government position on wiretaps have suggested that the actual distribution of crimes investigated under Title III intercept or surveillance orders may be somewhat inconsistent with government claims of the high value of such orders. 
(See, for example, testimony of David B. Kopel, Cato Institute, "Hearings on Wiretapping and Other Terrorism Proposals," Committee on the Judiciary, U.S. Senate, May 24, 1995, also available on line at http://www.cato.org/ct5-24-5.html.) For example, Table D.3 in Appendix D indicates that no cases involving arson, explosives, or weapons were investigated using Title III wiretaps in 1988. The majority of Title III orders have involved drug and gambling crimes. (7) Note that when there is no reasonable expectation of privacy, law enforcement officials are not required to undertake any special procedure to monitor such communications. For example, a law enforcement official participating in an on line "chat" group is not required to identify himself as such, nor must he obtain any special permission at all to monitor the traffic in question. However, as a matter of policy, the FBI does not systematically monitor electronic forums such as Internet relay chats. (8) Such concerns are raised by reports of police misconduct as described in Chapter 1. (9) The committee recognizes the existence of controversy over the question of whether such reports should be taken at face value. For example, critics of the U.S. government who believe that law enforcement authorities are capable of systematically abusing wiretap authority argue that law enforcement authorities would not be expected to report figures that reflected such abuse. Alternatively, it is also possible that cases of improper wiretaps are in fact more numerous than reported and have simply not come to the attention of the relevant authorities. The committee discussed such matters and concluded that it had no reason to believe that the information it received on this subject from law enforcement authorities was in any way misleading. 
____________________________________________________________ Domestic Communications Surveillance for Foreign Intelligence Purposes The statute governing interception of electronic communications for purposes of protecting national security is known as the Foreign Intelligence Surveillance Act (FISA), which has been codified as Sections 1801 to 1811 in Title 18 of the U.S. Code. Passed in 1978, FISA was an attempt to balance Fourth Amendment rights against the constitutional responsibility of the executive branch to maintain national security. FISA is relevant only to communications occurring at least partly within the United States (wholly, in the case of radio communications), although listening stations used by investigating officers may be located elsewhere, and FISA surveillance may be performed only against foreign powers or their agents. Interception of communications, when the communications occur entirely outside the United States, whether or not the participants include U.S. persons, is not governed by FISA, Title III, or any other statute. However, when a U.S. person is outside the United States, Executive Order 12333 governs any communications intercepts targeted against such individuals. The basic framework of FISA is similar to that of Title III, with certain important differences, among which are the following: + The purpose of FISA surveillance is to obtain foreign intelligence information, defined in terms of U.S. national security, including defense against attack, sabotage, terrorism, and clandestine intelligence activities, among others. The targeted communications need not relate to any crime or be relevant as evidence in court proceedings. + In most instances, a FISA surveillance application requires a warrant based on probable cause that foreign intelligence information will be collected.(10) Surveillance of a U.S. person (defined as a U.S. citizen, U.S. 
corporation or association, or legal resident alien) also requires probable cause showing that the person is acting as a foreign agent. Political and other activities protected by the First Amendment may not serve as the basis for treating a U.S. person as a foreign agent. + Targets of FISA surveillance might never be notified that communications have been intercepted. Since 1979, there have been an average of over 500 FISA orders per year. In 1992, 484 were issued. Other information about FISA intercepts is classified. ---------- (10) Surveillance may take place without a court order for up to 1 year if the Attorney General certifies that there is very little likelihood of intercepting communications involving U.S. persons and that the effort will target facilities used exclusively by foreign powers. Under limited circumstances, emergency surveillance may be performed before a warrant is obtained. Clifford S. Fishman, *Wiretapping and Eavesdropping: Cumulative Supplement*, Clark Boardman Callaghan, Deerfield, Ill., November 1994 sections 361, 366. ____________________________________________________________ 3.2.3 The Nature of Surveillance Needs of Law Enforcement In cooperation with the National Technical Investigators Association, the FBI has articulated a set of requirements for its electronic surveillance needs (Box 3.3). Of course, access to surveillance that does not meet all of these requirements is not necessarily useless. For example, surveillance that does not meet the transparency requirement may still be quite useful in certain cases (e.g., if the subjects rationalize the lack of transparency as "static on the line"). The basic point is that these requirements constitute a set of continuous metrics by which the quality of a surveillance capability can be assessed, rather than a list that defines what is or is not useful surveillance. Of these requirements, the real-time requirement is perhaps the most demanding. 
The FBI has noted that [s]ome encryption products put at risk efforts by federal, state and local law enforcement agencies to obtain the contents of intercepted communications by precluding real-time decryption. Real-time decryption is often essential so that law enforcement can rapidly respond to criminal activity and, in many instances, prevent serious and life-threatening criminal acts.(11) Real-time surveillance is generally less important for crimes that are prosecuted or investigated than for crimes that are prevented because of the time scales involved. Prosecutions and investigations take place on the time scales of days or more, whereas prevention may take place on the time scale of hours. In some instances, the longer time scale is relevant: because Title III warrants can be issued only when "probable cause" exists that a crime has been committed, the actual criminal act is committed before the warrant is issued, and thus prevention is no longer an issue. In other instances, information obtained under a valid Title III warrant issued to investigate a specific criminal act can be used to prevent a subsequent criminal act, in which case the shorter time scale may be relevant. The situation is similar under FISA, in which warrants need not necessarily be obtained in connection with any criminal activity. A good example is terrorism cases, in which it is quite possible that real-time surveillance could provide actionable information useful in thwarting an imminent terrorist act. ---------- (11) Statement of James K. Kallstrom, Special Agent in Charge, Special Operations Division, New York Field Division, Federal Bureau of Investigation on "Security Issues in Computers and Communications," before the Subcommittee on Technology, Environment, and Aviation of the Committee on Science, Space, and Technology, U.S. House of Representatives, May 3, 1994. 
An illustrative example is an instance in which the FBI was wiretapping police officers who were allegedly guarding a drug shipment. During that time, the FBI overheard a conversation between the police chief and several other police officials that the FBI believes indicated a plot to murder a certain individual who had previously filed a police brutality complaint against the chief. (However, the FBI was unable to decode the police chief's "street slang and police jargon" in time to prevent the murder.) See Paul Keegan, "The Thinnest Blue Line," *New York Times Magazine*, March 31, 1996, pp. 32-35. ____________________________________________________________ 3.2.4 The Impact of Cryptography and New Media on Law Enforcement (Stored and Communicated Data) Cryptography can affect information collection by law enforcement officials in a number of ways. However, for perspective, it is important to keep in mind a broader context -- namely that advanced information technologies (of which cryptography is only one element) have potential impacts across many different dimensions of law enforcement; Box 3.4 provides some discussion of this point. Encrypted Communications As far as the committee has been able to determine, criminal use of digitally encrypted voice communications has not presented a significant problem to law enforcement to date.(12) On rare occasions, law enforcement officials conducting a wiretap have encountered "unknown signals" that could be encrypted traffic or simply a data stream that was unrecognizable to the intercept equipment. (For example, a high-speed fax transmission might be transported on a particular circuit; a monitoring agent might be unable to distinguish between the signal of the fax and an encrypted voice signal with the equipment available to him.) The lack of criminal use of encryption in voice communications most likely reflects the lack of use of encryption by the general public. 
Moreover, files are more easily encrypted than communications, simply because the use of encrypted communications presumes an equally sophisticated partner, whereas only one individual must be knowledgeable to encrypt files. As a general rule, criminals are most likely to use what is available to the general public, and the encryption available to and usable by the public has to date been minimal. At the same time, sophisticated and wealthy criminals (e.g., those associated with drug cartels) are much more likely to have access to and to use cryptography.(13) In data communications, one of the first publicized instances of law enforcement use of a Title III intercept order to monitor a suspect's electronic mail occurred in December 1995, when the customer of an on-line service provider was the subject of surveillance during a criminal investigation.(14) E-mail is used for communications; a message is composed at one host, sent over a communications link, and stored at another host. Two opportunities exist to obtain the contents of an e-mail message -- the first while the message is in transit over the communications link, and the second while it is resident on the receiving host. From a technical perspective, it is much easier to obtain the message from the receiving host, and this is what happened in the December 1995 instance. (Appendix D contains more detail on how electronic communications are treated under Title III.) Federal law enforcement authorities believe that encryption of communications (whether voice or data) will be a significant problem in the future. FBI Director Louis Freeh has argued that "unless the issue of encryption is resolved soon, criminal conversations over the telephone and other communications devices will become indecipherable by law enforcement. This, as much as any issue, jeopardizes the public safety and national security of this country. 
Drug cartels, terrorists, and kidnappers will use telephones and other communications media with impunity knowing that their conversations are immune from our most valued investigative technique."(15) In addition, the initial draft of the digital telephony bill called for telephone service providers to deliver the plaintext of any encrypted communications they carried, a provision that was dropped in later drafts of the bill.(16) ---------- (12) In this regard, it is important to distinguish between "voice scramblers" and encrypted voice communications. Voice scramblers are a relatively old and widely available technology for concealing the contents of a voice communication; they transform the analog waveform of a voice and have nothing to do with encryption per se. True encryption is a transformation of digitally represented data. Voice scramblers have been used by criminals for many years, whereas devices for digital encryption remain rare. (13) For example, police raids in Colombia on offices of the Cali cartel resulted in the seizure of advanced communications devices, including radios that distort voices, videophones to provide visual authentication of callers' identities, and devices for scrambling computer modem transmissions. The Colombian defense minister was quoted as saying that the CIA had told him that the technological sophistication of the Cali cartel was about equal to that of the KGB at the time of the Soviet Union's collapse. See James Brooke, "Crackdown Has Cali Drug Cartel on the Run," *New York Times*, June 27, 1995, p. A-1. (14) See Gautam Naik, "U.S., Using E-Mail Tap, Charges Three with Operating Cellular-Fraud Ring," *Wall Street Journal*, January 2, 1996, p. B-16. (15) See the Prepared Statement of Louis J. Freeh, Director, Federal Bureau of Investigation, for the Federal Drug Law Enforcement Hearing before the House Judiciary Committee, Subcommittee on Crime, U.S. House of Representatives, March 30, 1995. 
(16) The final bill provides that "a telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication." ____________________________________________________________ Encrypted Data Files Encryption by criminals of computer-based records that relate to their criminal activity is likely to pose a significant problem for law enforcement in the future. FBI Director Freeh has noted publicly(17) two instances in which encrypted files have already posed a problem for law enforcement authorities: a terrorist case in the Philippines involving a plan to blow up a U.S. airliner as well as a plan to assassinate the Pope in late 1994,(18) and the "Innocent Images" child pornography case of 1995 in which encrypted images stood in the way of grand jury access procedures.(19) Furthermore, Director Freeh told the committee that the use of stored records in criminal prosecutions and investigations was much more frequent than the use of wiretaps. The problem of encrypted data files is similar to the case in which a criminal keeps books or records in a code or a language that renders them unusable to anyone else -- in both instances, the cooperation of the criminal (or someone else with access to the key) is necessary to decipher the records. The physical records as well as any recorded version of the key, if such a record exists, are available through a number of standard legal mechanisms, including physical search warrants and subpoenas. 
On the other hand, while the nature of the problem itself is the same in both instances, the ease and convenience of electronic encryption, especially if performed automatically, may increase the frequency with which encryption is encountered and/or the difficulties faced by law enforcement in cryptanalyzing the material in question without the cooperation of the criminal. Finally, the problem of exceptional access to stored encrypted information is more easily solved than the problem of exceptional access to encrypted communications. The reason is that for file decryption, the time constraints are generally less stringent. A file may have existed for many days or weeks or even years, and the time within which decryption is necessary (e.g., to build a criminal case) is measured on the time scale of investigatory activities; by contrast, the relevant time scale in the case of decrypting communications may be the time scale of operations, which might be as short as minutes or hours. ---------- (17) Speech of FBI Director Louis Freeh, before the International Cryptography Institute, Washington, D.C., September 21, 1995. (18) A general discussion of this case is found in Phillip Shenon, "World Trade Center Suspect Linked to Plan to Blow Up 2 Planes," *New York Times*, March 26, 1995, p. 37. (19) A general discussion of the Innocent Images case is found in Kara Swisher, "On-Line Child Pornography Charged As 12 Are Arrested," *Washington Post*, September 14, 1995, p. 1. ____________________________________________________________ 3.3 NATIONAL SECURITY AND SIGNALS INTELLIGENCE(20) Cryptography is a two-edged sword for U.S. national security interests. Cryptography is important in maintaining the security of U.S. classified information (Appendix I), and the U.S. government has developed its own cryptographic systems to meet these needs. At the same time, the use of cryptography by foreign adversaries also hinders U.S. acquisition of communications intelligence. 
This section discusses the latter. (Appendix F contains a short primer on intelligence.) 3.3.1 The Value of Signals Intelligence(21) Signals intelligence (SIGINT) is a critically important arm of U.S. intelligence, along with imagery intelligence (IMINT) and intelligence information collected directly by people, i.e., human intelligence (HUMINT). SIGINT also provides timely tip-off and guidance to IMINT and HUMINT collectors and is, in turn, tipped off by them. As in the case of law enforcement, the information contained in a communications channel treated by an opponent as secure is likely to be free of intentional deception. The committee has received both classified and unclassified assessments of the current value of SIGINT and finds that the level of reporting reflects a continuing capability to produce both tactical and strategic information on a wide range of topics of national intelligence interest. SIGINT production is responding to the priorities established by Presidential Decision Directive 35. As publicly described by President Bill Clinton in remarks made to the staff of the CIA and Intelligence Community, the priorities are as follows: + "First, the intelligence need of our military during an operation ..., + Second, political, economic and military intelligence about countries hostile to the United States. We must also compile all-source information on major political and economic powers with weapons of mass destruction who are potentially hostile to us, + Third, intelligence about specific trans-national threats to our security, such as weapons proliferation, terrorism, drug trafficking, organized crime, illicit trade practices and environmental issues of great gravity."(22) SIGINT is one valuable component of the overall U.S. intelligence capability. It makes important contributions to ensure an informed, alert, and secure environment for U.S. war fighters and policy makers. 
---------- (20) One note on terminology: In the signals intelligence community, the term "access" is used to refer to obtaining the desired signals, whether those signals are encrypted or not. This use conflicts with the usage adopted in this report, in which "access" generally means obtaining the information contained in a signal (or message or file). (21) This report deals only with the communications intelligence (COMINT) aspects of SIGINT; see Appendix F for a discussion of electronic intelligence (ELINT) and its relationship to COMINT. (22) Office of the Press Secretary, The White House, "Remarks by the President to Staff of the CIA and Intelligence Community," Central Intelligence Agency, McLean, Virginia, July 14, 1995. ____________________________________________________________ SIGINT Support of Military Operations SIGINT is important to both tactical and strategic intelligence. Tactical intelligence provides operational support to forces in the field, whether these forces are performing military missions or international law enforcement missions (e.g., as in drug eradication raids in Latin America conducted in cooperation with local authorities). The tactical dimensions were most recently demonstrated in the Gulf War through a skillfully orchestrated interaction of SIGINT, IMINT, and HUMINT that demonstrated the unequaled power of U.S. intelligence. SIGINT produced timely command and control intelligence and specific signal information to support electronic warfare; IMINT provided precise locating information to permit precision bombing, together with HUMINT; SIGINT and IMINT provided the field commands with an unprecedented degree of battlefield awareness. History also demonstrates many instances in which SIGINT has proven decisive in the conduct of tactical military operations. These instances are more easily identified now because the passage of time has made the information less sensitive. 

+ The American naval victory at the Battle of Midway and the destruction of Japanese merchant shipping resulted, in part, from Admiral C.W. Nimitz's willingness to trust the SIGINT information he received from his intelligence staff. General George Marshall wrote that as the result of this SIGINT information, "we were able to concentrate our limited forces to meet [the Japanese] naval advance on Midway when otherwise we almost certainly would have been some 3,000 miles out of place."(23)
+ The shoot-down in April 1943 of the commander-in-chief of the Japanese Navy, Admiral Isoroku Yamamoto, was the direct result of a signals intercept that provided his detailed itinerary for a visit to the Japanese front lines.(24)
+ The U.S. Navy was able to compromise the operational code used by German U-boats in the Atlantic in 1944, with the result that large numbers of such boats were sunk.(25)
+ Allied intercepts of German army traffic were instrumental in the defense of the Anzio perimeter in Italy in February 1944, a defense that some analysts believe was a turning point in the Italian campaign; these intercepts provided advance knowledge of the German timing, direction, and weight of assault, and enabled Allied generals to concentrate their resources in the appropriate places.(26)

While these examples are 50 years old, the nature of warfare is not so different today as to invalidate the utility of successful SIGINT. A primary difference between then and now is that the speed of warfare has increased substantially, placing a higher premium on real-time or near-real-time intercepts. Since the end of World War II, SIGINT has provided tactical support to every military operation involving U.S. forces.
Other types of tactical intelligence to which SIGINT can contribute include indications and warning efforts (detecting an adversary's preparations to undertake armed hostilities); target identification, location, and prioritization (what targets should be attacked, where they are, and how important they are); damage assessment (how much damage an attacked target sustained); and learning the enemy's rules of engagement (under what circumstances an adversary is allowed to engage friendly forces).

----------

(23) A good discussion of these topics is given in Kahn, *The Codebreakers*, 1967, pp. 561-573 (Midway) and pp. 593-594 (merchant shipping).

(24) See Kahn, *The Codebreakers*, 1967, pp. 595-601.

(25) Kahn, *The Codebreakers*, 1967, pp. 504-507.

(26) See Ralph Bennett, *Ultra and Mediterranean Strategy*, William Morrow and Company, New York, 1989, pp. 265-269.

(27) See Kahn, *The Codebreakers*, 1967, pp. 358-359.

____________________________________________________________

SIGINT Support of Strategic Intelligence

Strategic (or national) intelligence is intended to provide analytical support to senior policy makers, rather than field commanders. In this role, strategic or national intelligence serves foreign policy, national security, and national economic objectives. Strategic intelligence focuses on foreign political and economic events and trends, as well as on strategic military concerns such as plans, doctrine, scientific and technical resources, weapon system capabilities, and nuclear program development.

History also demonstrates the importance of SIGINT in a diplomatic, counter-intelligence, and foreign policy context:

+ In the negotiations following World War I over a treaty to limit the tonnage of capital ships (the Washington Conference on Naval Arms Limitations), the U.S. State Department was able to read Japanese diplomatic traffic instructing its diplomats.
One particular decoded intercept provided the bottom line in the Japanese position, information that was useful in gaining Japanese concessions.(27) + Recently Director of Central Intelligence John Deutch unveiled the so-called VENONA material, decrypted Soviet intelligence service messages of the mid-1940s that revealed Soviet espionage against the U.S. atomic program.(28) Intelligence about the Cuban missile crisis has been released. Although primarily a story about U-2 photography, the role of SIGINT is included as well. + Decrypted intercepts of allied communications in the final months of World War II played a major role in assisting the United States to achieve its goals at the conference called to decide on the United Nations charter. American policy makers knew the negotiating positions of nearly all of the participating nations and thus were able to control the debate to a considerable degree.(29) + During the Cold War, SIGINT provided information about adversary military capabilities, weapons production, command and control, force structure and operational planning, weapons testing, and activities of missile forces and civil defense. In peacetime as in combat, each of the intelligence disciplines can contribute critical information in support of national policy. Former Director of Central Intelligence Admiral Stansfield Turner has pointed out that "[e]lectronic intercepts may be even more useful [than human agents] in discerning intentions. 
For instance, if a foreign official writes about plans in a message and the United States intercepts it, or if he discusses it and we record it with a listening device, those verbatim intercepts are likely to be more reliable than second-hand reports from an agent."(30) He also noted that "as we increase emphasis on securing economic intelligence, we will have to spy on the more developed countries -- our allies and friends with whom we compete economically -- but to whom we turn first for political and military assistance in a crisis. This means that rather than instinctively reaching for human, on-site spying, the United States will want to look to those impersonal technical systems, primarily satellite photography and intercepts."(31) Today, the United States conducts the largest SIGINT operation in the world in support of information relevant to conventional military threats; the proliferation of weapons of mass destruction; terrorism; enforcement of international sanctions; protection of U.S. economic and trade interests; and political and economic developments abroad. + U.S. intelligence has been used to uncover unfair trade practices (as determined by U.S. law and custom) of other nations whose industries compete with U.S. businesses, and has helped the U.S. government to ensure the preservation of a level economic playing field. According to the NSA, the economic benefits of SIGINT contributions to U.S. industry taken as a whole have totaled tens of billions of dollars over the last several years. + In sanctions-monitoring and enforcement, intelligence intercepts of Serbian communications are reported to have been the first indication for U.S. authorities that an F-16 pilot enforcing a no-fly zone over Serbia and shot down in June 1995 was in fact alive,(32) and an important element in his rescue. If the pilot had indeed been captured, U.S. options in Serbia could have been greatly constrained. 
+ SIGINT that has been made public or that has been tacitly acknowledged includes information about the shoot-down of the Korean airliner KAL 007 on September 1, 1983, and the bombing of La Belle Discotheque in West Berlin ordered by Libya in April 1986.
+ In foreign policy, accurate and timely intelligence has been, and remains, vital to U.S. efforts to avert conflicts between nations.
+ In September 1988, President Ronald Reagan made the decision to disclose NSA decrypts of Iraqi military communications "to prove that, despite their denials, Iraqi armed forces had used poison gas against the Kurds."(33)

The information provided by SIGINT has helped to produce information on weapons proliferation, providing indications of violations of treaties or embargo requirements. SIGINT has collected information on international terrorism and foreign drug trafficking, thereby assisting in the detection of drug shipments intended for delivery to the United States. Similarly, such information will continue to be a source of important economic intelligence.

In conducting these intelligence-gathering operations, a wide variety of sources may be targeted, including the communications of governments, nongovernment institutions, and individuals. For example, banking is an international enterprise, and the U.S. government may need to know about flows of money for purposes of counter-terrorism or sanctions monitoring.

Although the value of SIGINT to military operations and to law enforcement is generally unquestioned, senior decision makers have a wide range of opinions on the value of strategic and/or political intelligence. Some decision makers are voracious consumers of intelligence reports. They believe that the reports they receive provide advance notice of another party's plans and intentions, and that their own decisions are better for having such information.
These decision makers find that almost no amount of information is too much, and any given piece of information has the potential to be helpful. To illustrate the value of SIGINT to some senior policy makers, it is helpful to recall President Clinton's remarks to the intelligence community on July 14, 1995, at the CIA: he said that "in recent months alone you warned us when Iraq massed its troops against the Kuwaiti border. You provided vital support to our peacekeeping and humanitarian missions in Haiti and Rwanda. You helped to strike a blow at a Colombian drug cartel. You uncovered bribes that would have cheated American companies out of billions of dollars." On a previous occasion, then-President George Bush gave his evaluation of SIGINT when he said that "... over the years I've come to appreciate more and more the full value of SIGINT. As President and Commander-in-Chief, I can assure you, signals intelligence is a prime factor in the decision making process by which we chart the course of this nation's foreign affairs."(34) Some policy makers, generally less senior than the President, have stated that while intelligence reports are occasionally helpful, they do not in general add much to their decision-making ability because they contribute to information overload, are not sufficiently timely in the sense that the information is revealed shortly in any event, lack necessary context-setting information, or do not provide much information beyond that available from open sources. Even among the members of the committee who have served in senior government positions, this range of opinion is represented.(35) The perceived value of strategic SIGINT (as with many other types of intelligence) depends largely on the judgment and position of the particular individuals whom the intelligence community is serving. 
These individuals change over time as administrations come and go, but intelligence capabilities are built up over a time scale longer than the election cycle. The result is that the intelligence community gears itself to serve those decision makers who will demand the most from it, and is loath to surrender sources and/or capabilities that may prove useful to decision makers.

Since the benefits of strategic intelligence are so subjective, formal cost-benefit analysis cannot be used to justify a given level of support for intelligence. Rather, intelligence tends to be supported on a "level-of-effort" basis, that is, a political judgment about what is "reasonable," given other defense and nondefense pressures on the overall national budget.

----------

(28) Center for Cryptologic History, National Security Agency, *Introductory History of VENONA and Guide to the Translations*, Fort George G. Meade, Maryland, undated. VENONA material is also available from the Web site of the National Security Agency at http://www.nsa.gov:8080/docs/venona/venona.html.

(29) Stephen Schlesinger, "Cryptanalysis for Peacetime: Codebreaking and the Birth and Structure of the United Nations," *Cryptologia*, Volume 19(3), July 1995, pp. 217-235.

(30) Stansfield Turner, "Intelligence for a New World Order," *Foreign Affairs*, Fall 1991, pp. 150-166.

(31) Turner, "Intelligence for a New World Order," 1991, pp. 150-166.

(32) Daniel Williams, "'I'm Ready to Get the Hell Out of Here,'" *Washington Post*, July 9, 1995, p. A-1.

(33) Christopher Andrew, *For the President's Eyes Only*, HarperCollins, New York, 1995.

(34) *Public Papers of the Presidents*, U.S. Government Printing Office, Washington, D.C., 1991, as quoted by Andrew in *For the President's Eyes Only*, 1995, p. 526.

(35) For an open-source report on the value of intelligence as perceived by different policy makers, see David E. Sanger, "Emerging Role for the C.I.A.: Economic Spy," *New York Times*, October 15, 1995, p. 1; David E.
Sanger, "When Spies Look Out for the Almighty Buck," *New York Times*, October 22, 1995, p. 4. ____________________________________________________________ 3.3.2 The Impact of Cryptography on SIGINT Cryptography poses a threat to SIGINT for two separate but related reasons: + Strong cryptography can prevent any given message from being read or understood. Strong cryptography used primarily by foreign governments with the discipline to use those products on a regular and consistent basis presents the United States with a formidable challenge. Some encrypted traffic regularly intercepted by the United States is simply undecipherable by any known means. + Even weak cryptography, if practiced on a widespread basis by foreign governments or other entities, increases the cost of exploitation dramatically.(36) When most messages that are intercepted are unencrypted, the cost to determine whether an individual message is interesting is quite low. However, if most intercepted messages are encrypted, each one has to be cryptanalyzed individually, because the interceptor does not know if it is interesting or not.(37) According to administration officials who testified to the committee, the acquisition and proper use of cryptography by a foreign adversary could impair the national security interests of the United States in a number of ways: + Cryptography used by adversaries on a wide scale would significantly increase the cost and difficulty of intelligence gathering across the full range of U.S. national security interests. + Cryptography used by governments and foreign companies can increase an adversary's capability to conceal the development of missile delivery systems and weapons of mass destruction. + Cryptography can improve the ability of an adversary to maintain the secrecy of its military operations to the detriment of U.S. or allied military forces that might be similarly engaged. 
The above comments suggest that the deployment of strong cryptography that is widely used will diminish the capabilities of those responsible for SIGINT. Today, there is a noticeable trend toward better and cheaper encryption that is steadily closing the window of exploitation of unencrypted communications. The growth of strong encryption will reduce the availability of such intelligence. Using capabilities and techniques developed during the Cold War, the SIGINT system will continue its efforts to collect against countries and other entities newly hostile to the United States. Many governments and parties in those nations, however, will be potential customers for advanced cryptography as it becomes available on world markets. In the absence of improved cryptanalytic methods, cooperative arrangements with foreign governments, and new ways of approaching the information collection problem, it is likely that losses in traditional SIGINT capability would result in a diminished effectiveness of the U.S. intelligence community.

----------

(36) This point is echoed in Susan Landau et al., *Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy*, 1994, p. 25.

(37) For example, assume that 1 out of every 1,000 messages is interesting, and the cost of intercepting a message is X and the cost of decrypting a message is Y. Thus, each interesting message is acquired at a cost of 1,000 X + Y. However, if every message is encrypted, the cost of each interesting message is 1,000 (X + Y), which is approximately 1,000 Y larger. In other words, the cryptanalyst must do 1,000 times more work for each interesting message.

____________________________________________________________

3.4 SIMILARITIES IN AND DIFFERENCES BETWEEN FOREIGN POLICY/NATIONAL SECURITY AND LAW ENFORCEMENT NEEDS FOR COMMUNICATIONS MONITORING

It is instructive to consider the similarities in and differences between national security and law enforcement needs for communications monitoring.

3.4.1 Similarities

+ *Secrecy*. Both foreign policy and law enforcement authorities regard surreptitiously intercepted communications as a more reliable source than information produced through other means. Surveillance targets usually believe (however falsely) that their communications are private; therefore, eavesdropping must be surreptitious and the secrecy of monitoring maintained. Thus, the identity and/or nature of specific SIGINT sources are generally very sensitive pieces of information, and are divulged only for good cause.
+ *Timeliness*. For support of tactical operations, near-real-time information may be needed (e.g., when a crime or terrorist operation is imminent, when hostile forces are about to be engaged).
+ *Resources available to targets*. Many parties targeted for electronic surveillance for foreign policy reasons or by law enforcement authorities lack the resources to develop their own security products, and are most likely to use what they can purchase on the commercial market.
+ *Allocation of resources for collection*. The size of the budget allocated to law enforcement and to the U.S. intelligence community is not unlimited. Available resources constrain both the amount of surveillance law enforcement officials can undertake and the ability of the U.S. SIGINT system to respond to the full range of national intelligence requirements levied upon it.
-- Electronic surveillance, although in many cases critical, is only one of the tools available to U.S. law enforcement. Because it is manpower intensive, it is a tool used sparingly; thus, it represents a relatively small percentage of the total investment. The average cost of a wiretap order is $57,000 (see Appendix D) or approximately one-half of a full-time-equivalent agent-year.
-- The U.S. SIGINT system is a major contributor to the overall U.S. intelligence collection capability and represents a correspondingly large percentage of the foreign intelligence budget. Although large, the U.S.
system is by no means funded to "vacuum clean" the world's communications. It is sized to gather the most potentially lucrative foreign signals and targeted very selectively to collect and analyze only those communications most likely to yield information relating to highest priority intelligence needs.
+ *Perceptions of the problem*. The volume of electronic traffic and the use of encryption are both expected to grow, but how the growth of one will compare to that of the other is unclear at present. If the overall growth in the volume of unencrypted electronic traffic lags the growth in the use of cryptography, those conducting surveillance for law enforcement or foreign policy reasons may perceive a loss in access because the fraction of intercepts available to them will decrease, even if the absolute amount of information intercepted has increased as the result of larger volumes of information. Of course, if the communicating parties take special care to encrypt their sensitive communications, the absolute amount of useful information intercepted may decrease as well.

3.4.2 Differences

+ *Protection of sources*. While the distinction is not hard and fast, law enforcement authorities conducting an electronic surveillance are generally seeking specific items of evidence that relate to a criminal act and that can be presented in open court, which implies that the source of such information (i.e., the wiretap) will be revealed (and possibly challenged for legal validity). By contrast, national security authorities are usually seeking a body of intelligence information over a longer period of time and are therefore far more concerned with preserving the secrecy of sources and methods.
+ *Definition of interests*. There is a consensus, expressed in law, about the specific types of domestic crimes that may be investigated through the use of wiretapping.
Even internationally, there is some degree of consensus about what activities are criminal; the existence of this consensus enables a considerable amount of law enforcement cooperation on a variety of matters. National security interests are defined differently and are subject to refinement in a changing world, and security interests often vary from nation to nation. However, a community of interest among NATO allies and between the United States and the major nations of the free world makes possible fruitful intelligence relationships, even though the United States may at times target a nation that is both ally and competitor. + *Volume of potentially relevant communications*. The volume of communications of interest to law enforcement authorities is small compared to the volume of interest to national security authorities. + *Legal framework*. Domestic law enforcement authorities are bound by constitutional protections and legislation that limit their ability to conduct electronic surveillance. National security authorities operate under far fewer legal constraints in monitoring the communications of foreign parties located outside the United States. + *Perceptions of vulnerability to surveillance*. Parties targeted by national security authorities are far more likely to take steps to protect their communications than are most criminals. 3.5 BUSINESS AND INDIVIDUAL NEEDS FOR EXCEPTIONAL ACCESS TO PROTECTED INFORMATION As noted above in Section 3.1, an employer may need access to data that has been encrypted by an employee. 
Corporations that use cryptography for confidentiality must always be concerned with the risk that keys will be lost, corrupted, required in some emergency situation, or otherwise be unavailable, and they have a valid interest in defending their interests in the face of these eventualities.(38) Cryptography can present problems for companies attempting to satisfy their legitimate business interests in access to stored and communicated information:

+ *Stored data*. For entirely legitimate business reasons, an employee might encrypt business records, but due to circumstances such as vacation or sick leave, the employer might need to read the contents of these records without the employee's immediate assistance. Then again, an employee might simply forget the relevant password to an encrypted file, or an employee might maliciously refuse to provide the key (e.g., if he has a grudge against his employer), or might keep records that are related to improper activities but encrypt them to keep them private; a business undertaking an audit to uncover or investigate these activities might well need to read these records without the assistance of the employee. For example, in a dispute over alleged wrongdoing of his superiors, a Washington, D.C., financial analyst changed the password on the city's computer and refused to share it.(39) In another incident, the former chief financial officer of an insurance company, Golden Eagle Group Ltd, installed a password known only to himself and froze out operations. He demanded a personal computer that he claimed was his, his final paycheck, a letter of reference, and a $100 fee -- presumably for revealing the password.(40) While technical fixes for these problems are relatively easy, they do demonstrate the existence of motivation to undertake such actions. Furthermore, it is poor management practice that allows a single employee to control critical data, but that is beyond the scope of this study.
+ *Communications*. A number of corporations provided input to the committee indicating that for entirely legitimate business reasons (e.g., for resolution of a dispute between the corporation and a customer), an employer might need to learn about the content of an employee's communications. Alternatively, an employee might use company communications facilities as a means for conducting improper activities (e.g., leaking company-confidential information, stealing corporate assets, engaging in kickback or fraud schemes, inappropriately favoring one supplier over another). A business undertaking an audit to uncover or investigate these activities might well need to monitor these communications without the consent of the employee (Box 3.1)(41) but would be unable to do so if the communications were encrypted. In other instances, a company might wish to assist law enforcement officials in investigating information crimes against it(42) but would not be able to do so if it could not obtain access to unsanctioned employee-encrypted files or communications. Many, though certainly not all, businesses require prospective employees to agree as a condition of employment that their communications are subject to employer monitoring under various circumstances.(43)

It is a generally held view among businesses that provisions for corporate exceptional access to stored data are more important than such provisions for communications.(44) For individuals, the distinction is even sharper. Private individuals as well as businesses have a need to retrieve encrypted data that is stored and for which they may have lost or forgotten the key. For example, a person may have lost the key to an encrypted will or financial statement and wish to retrieve the data. However, it is much more difficult to imagine circumstances under which a person might have a legitimate need for the real-time monitoring of communications.
----------

(38) While users may lose or corrupt keys used for user authentication, the procedures needed in this event are different than if the keys in question are for encryption. For example, a lost authentication key creates a need to revoke the key, so that another party that comes into possession of the authentication key cannot impersonate the original owner. By contrast, an encryption key that is lost creates a need to recover the key.

(39) Peter G. Neumann, *Computer-Related Risks*, Addison-Wesley, New York, 1995, p. 154.

(40) Neumann, *Computer-Related Risks*, 1995, p. 154.

(41) For example, employees with Internet access may spend so much time on nonwork-related Internet activities that their productivity is impaired. Concerns about such problems have led some companies to monitor the Internet activities of their employees, and spawned products that covertly monitor and record Internet use. See Laurie Flynn, "Finding On-Line Distractions, Employers Strive to Keep Workers in Line," *New York Times*, November 6, 1995, p. D-5.

(42) A number of examples of such cooperation can be found in Peter Schweizer, *Friendly Spies*, The Atlantic Monthly Press, New York, 1993.

(43) The legal ramifications of employer access to on-the-job communications of employees are interesting, though outside the scope of this report. For example, a company employee may communicate with another company employee using cryptography that denies employer access to the content of those communications; such use may be contrary to explicit company policy. May an employee who has violated company policy in this manner be discharged legally? In general, employer access to on-the-job communications raises many issues of ethics and privacy, even if such access is explicitly permitted by contract or policy.

(44) This distinction becomes somewhat fuzzy when considering technologies such as e-mail that serve the purpose of communications but that also involve data storage.
Greater clarity is possible if one distinguishes between the electronic bits of a message in transit (e.g., on a wire) and the same bits that are at rest (e.g., in a file). With e-mail, the message is sent and then stored; thus, e-mail can be regarded as a stored communication. These comments suggest that a need for exceptional access to e-mail is much more similar to that for storage than for communications, because it is much more likely that a need will arise to read an e-mail message after it has been stored than while it is in transit. A likely scenario of exceptional access to e-mail is that a user may receive e-mail encrypted with a public key for which he no longer has the corresponding private key (that would enable him to decrypt incoming messages). While this user could in principle contact the senders and inform them of a new public key, an alternative would be to develop a system that would permit him to obtain exceptional access without requiring such actions.

____________________________________________________________

3.6 OTHER TYPES OF EXCEPTIONAL ACCESS TO PROTECTED INFORMATION

The discussion of exceptional access above involves only the question of encryption for confidentiality. While it is possible to imagine legitimate needs for exceptional access to encrypted data (for purposes of ensuring secrecy), it is nearly impossible to imagine a legitimate need for exceptional access to cryptography used for the purposes of user authentication, data integrity, or nonrepudiation. In a business context, these cryptographic capabilities implement or support long-standing legal precepts that are essential to the conduct of commerce.

+ Without unforgeable digital signatures, the concept of a binding contract is seriously weakened.
+ Without trusted digitally notarized documents, questions of time precedence might not be legally resolvable.
+ Without unforgeable integrity checks, the notion of a certifiably accurate and authentic copy of digital documents is empty. + Without strong authentication and unquestionable nonrepudiation, the analog of registered delivery in postal systems is open to suspicion.(45) With exceptional access to the cryptography implementing such features or to the private keys associated with them, the legal protection that such features are intended to provide might well be called into question. At a minimum, there would likely be a questioning of the validity or integrity of the protective safeguards, and there might be grounds for legal challenge. A businessperson might have to demonstrate, for example, that he has properly and adequately protected the private keys used to digitally sign his contracts to the satisfaction of a court or jury. It is conceivable that the government, for national security purposes, might seek exceptional access to such capabilities for offensive information warfare (see Chapter 2); however, public policy should not promote these capabilities, because such access could well undermine public confidence in such cryptographic mechanisms. --------- (45) In fact, digital signatures and nonrepudiation provide a stronger guarantee than does registered delivery; the former can be used to assure the delivery of the contents of an "envelope," whereas postal registered delivery can only be used to assure the delivery of the envelope. ____________________________________________________________ 3.7 RECAP In general, cryptography for confidentiality involves a party undertaking an encryption (to protect information by generating ciphertext from plaintext) and a party authorized by the encryptor to decrypt the ciphertext and thus recover the original plaintext. In the case of information that is communicated, these parties are in general different individuals. 
In the case of information that is stored, the first party and the second party are in general the same individual. However, circumstances can and do arise in which third parties (i.e., decrypting parties that are not originally authorized or intended by the encrypting party to recover the information involved) may need access to such information. These needs for exceptional access to encrypted information may arise from businesses, individuals, law enforcement, and national security, and these needs are different depending on the parties in question. Encryption that renders such information confidential threatens the ability of these third parties to obtain the necessary access. How the needs for confidentiality and exceptional access are reconciled in a policy context is the subject of Part II. ____________________________________________________________ BOX 3.1 Examples of Business Needs for Exceptional Access to Communications + A major Fortune 1000 corporation was the subject of various articles in the relevant trade press. These articles described conditions within the corporation (e.g., employee morale) that were based on information supplied by employees of this corporation acting in an unauthorized manner and contrary to company policy; moreover, these articles were regarded by corporate management as being highly embarrassing to the company. The employees responsible were identified through a review of tapes of all their telephone conversations in the period immediately preceding publication of the damaging articles, and were summarily dismissed. As a condition of employment, these employees had given their employer permission to record their telephone calls. + Executives at a major Fortune 1000 corporation had made certain accommodations in settling the accounts of a particular client that, while legal, materially distorted an accounting audit of the books of that client. 
A review of the telephone conversations in the relevant period indicated that these executives had done so knowingly, and they were dismissed. As a condition of employment, these executives had given their employer permission to record their telephone calls. + Attempting to resolve a dispute about the specific terms of a contract to sell oil at a particular price, a multinational oil company needed to obtain all relevant records. Given the fact that oil prices fluctuate significantly on a minute-by-minute basis, most such trades are conducted and agreed to by telephone. All such calls are recorded, in accordance with contracts signed by traders as a condition of employment. Review of these voice records provided sufficient information to resolve the dispute. + A multinational company was notified by a law enforcement agency in Nation A regarding its suspicions that an employee of the company was committing fraud against the company. This employee was a national of Nation B. The company began an investigation of this individual in cooperation with law enforcement authorities in Nation B, and in due course, legal authorization for a wiretap on this individual using company facilities was obtained. The company cooperated with these law enforcement authorities in the installation of the wiretap. ---------- SOURCE: Anonymous testimony to the committee. ____________________________________________________________ BOX 3.2 Examples of the Utility of Wiretapping + The El Rukn Gang in Chicago, acting as a surrogate for the Libyan government and in support of terrorism, planned to shoot down a commercial airliner within the United States using a stolen military weapon. This act of terrorism was prevented through the use of telephone wiretaps. + The 1988 "Ill Wind" public corruption and defense department fraud investigation relied heavily on court-ordered telephone wiretaps. 
To date, this investigation has resulted in the conviction of 65 individuals and more than a quarter of a billion dollars in fines, restitutions, and recoveries. + Numerous drug trafficking and money laundering investigations, such as the "Polar Cap" and "Pizza Connection" cases, utilized extensive telephone wiretaps in the successful prosecution of large-scale national and international drug trafficking organizations. "Polar Cap" resulted in the arrest of 33 subjects and the recovery of $50 million in assets seized. Additionally, in a 1992 Miami raid, which directly resulted from wiretaps, agents confiscated 15,000 pounds of cocaine and arrested 22 subjects. + The investigation of convicted spy Aldrich Ames relied heavily on wiretaps ordered under FISA authority. + In a 1990 "Sexual Exploitation of Children" investigation, the FBI relied heavily on wiretaps to prevent violent individuals from abducting, torturing, and murdering a child in order to make a "Snuff Murder" film. ---------- SOURCE: Federal Bureau of Investigation. ____________________________________________________________ BOX 3.3 Law Enforcement Requirements for the Surveillance of Electronic Communications + Prompt and expeditious access both to the contents of the electronic communications and "setup" information necessary to identify the calling and called parties. + Real-time, full-time monitoring capability for intercepts. Such capability is particularly important in an operational context, in which conversations among either criminal conspirators (e.g., regarding a decision to take some terrorist action) or criminals and innocent third parties (e.g., regarding a purchase order for explosives from a legitimate dealer) may have immediate significance. + Delivery of intercepted communications to specified monitoring facilities. 
+ Transparent access to the communications, i.e., access that is undetectable to all parties to the communications (except to the monitoring parties) and implementation of safeguards to restrict access to intercept information. + Verification that the intercepted communications are associated with the intercept subject. + Capabilities for some number of simultaneous intercepts to be determined through a cooperative industry/law enforcement effort. + Reliability of the services supporting the intercept at the same (or higher) level of the reliability of the communication services provided to the intercept subject. + A quality of service for the intercept that complies with the performance standards of the service providers. ---------- SOURCE: *Law Enforcement Requirements for the Surveillance of Electronic Communications*, FBI in cooperation with the National Technical Investigators Association, June 1994. ____________________________________________________________ BOX 3.4 How Noncryptography Applications of Information Technology Could Benefit Law Enforcement As acknowledged elsewhere in the main text, encryption in ubiquitous use would create certain difficulties for law enforcement. Nevertheless, it is important to place into context the overall impact on law enforcement of the digital information technologies that enable encryption and other capabilities that are not the primary subject of this report. Chapter 2 suggested how encryption capabilities can be a positive force for more effective law enforcement (e.g., secure police communications). But information technology is increasingly ubiquitous and could appear in a variety of other applications less obvious than encryption. For example: + Video technology has become increasingly inexpensive. Thus, it is easy to imagine police cruisers with video cameras that are activated upon request when police are responding to an emergency call. 
Monitoring those cameras at police headquarters would provide a method for obtaining timely information regarding the need of the responding officers for backup. Equipping individual police officers with even smaller video cameras attached to their uniforms and recording such transmissions would provide objective evidence to corroborate (or refute) an officer's description of what he saw at a crime scene. + The number of users of cellular telephones and wide-area wireless communications services will grow rapidly. As such technologies enable private citizens to act as responsible eyes and ears that observe and report emergencies in progress, law enforcement officials will be able to respond more quickly. (See, for example, Chana Schoenberger, "The Pocket-Size Protector; Feeling Safe, not Stylish, with Cellular Phones," *Washington Post*, August 29, 1995, page B-5.) + Electronically mediated sting operations help to preserve cover stories of law enforcement officials. For example, the Cybersnare sting operation resulted in the arrest of six individuals who allegedly stole cellular telephone numbers en masse from major companies, resulting in millions of dollars of industry losses. Cybersnare was based on an underground bulletin board that appealed to cellular telephone and credit card thieves. Messages were posted offering for sale cellular telephone "cloning" equipment and stolen cellular telephone numbers, and included contact telephone numbers that were traced to the individuals in question. (See Gautam Naik, "Secret Service Agents Arrest Six Hackers in Cellular-Phone Sting in Cyberspace," *Wall Street Journal*, September 12, 1995, page B6.) + The locations of automobiles over a metropolitan area could be tracked automatically, either passively or actively. An active technique might rely on a coded beacon that would localize the position of the automobile on which it was mounted. 
A passive technique might rely on automatic scanning for license plates that were mounted on the roofs of cars. As an investigative technique, the ability to track the location of a particular automobile over a period of time could be particularly important. Even today, information technology enables law enforcement officials to conduct instant background checks for handgun purchases and arrest records when a person is stopped for a traffic violation. Retail merchants guard against fraud by using information technology to check driving records when cars are rented and credit checks for big purchases. The Department of the Treasury uses sophisticated information technology to detect suspicious patterns that might indicate large-scale money laundering by organized crime. All such possibilities involve important social as well as technical issues. For example, the first two examples featured above seem relatively benign, while the last two raise serious entrapment and privacy issues. Even the "instant background checks" of gun buyers have generated controversy. The mention of these applications (potential and actual) is not meant as endorsement, recommendation, or even suggestion; they do, however, place into better context the potentialities of information technology in some overall sense to improve the capabilities of law enforcement while at the same time illustrating that concerns about excessive government power are not limited to the issue of cryptography. ____________________________________________________________ [End Chapter 3] Part II Policy Instruments To the best of the committee's knowledge, the goals of U.S. cryptography policy have not been explicitly formalized and articulated within the government. However, senior government officials have indicated that U.S. 
cryptography policy seeks to promote the following objectives: + Deployment of encryption adequate and strong enough to protect electronic commerce that may be transacted on the future information infrastructure; + Development and adoption of global (rather than national) standards and solutions; + Widespread deployment of capabilities into products with encryption capabilities for confidentiality that enables legal access for law enforcement and national security purposes; and + Avoidance of the development of de facto cryptography standards (either domestically or globally) that do not permit access for law enforcement and national security purposes, thus ensuring that the use of such products remains relatively limited. Many analysts believe that these goals are irreconcilable. To the extent that this is so, the U.S. government is thus faced with a policy problem requiring a compromise among these goals that is tolerable, though by assumption not ideal with respect to any individual goal. Such has always been the case with many issues that generate social controversy -- balancing product safety against the undesirability of burdensome regulation on product vendors, public health against the rights of individuals to refuse medical treatment, and so on. As this report is being written, U.S. cryptography policy is still evolving, and the particular laws, regulations, and other levers that government uses to influence behavior and policy are under review or being developed. Chapter 4 is devoted to the subject of export controls, which dominate industry concerns about national cryptography policy. Many senior executives in the information technology industry perceive these controls as a major limitation on their ability to export products with encryption capabilities. 
Furthermore, because exports of products with encryption capabilities are governed by the regime applied to technologies associated with munitions, reflecting the importance of cryptography to national security, they are generally subject to more stringent controls than exports of other computer-related technologies. Chapter 5 addresses the subject of escrowed encryption. Escrowed encryption is a form of encryption intended to provide strong protection for legitimate uses but also to permit exceptional access by government officials, by corporate employers, or by end users under specified circumstances. Since 1993, the Clinton Administration has aggressively promoted escrowed encryption as a basic pillar of national cryptography policy. Public concerns about escrowed encryption have focused on the possibilities for failure in the mechanisms intended to prevent improper access to encrypted information, leading to losses of confidentiality. Chapter 6 addresses a variety of other aspects of national cryptography policy and public concerns that these aspects have raised. ____________________________________________________________ 4 Export Controls Export controls on cryptography and related technical data have been a pillar of national cryptography policy for many years. Increasingly, they have generated controversy because they pit the needs of national security to conduct signals intelligence against the information security needs of legitimate U.S. businesses and the markets of U.S. manufacturers whose products might meet these needs. Chapter 4 describes the current state of export controls on cryptography and issues that these controls raise, including their effectiveness in achieving their stated objectives; negative effects that the export control regime has on U.S. businesses and U.S. 
vendors of information technology that must be weighed against the positive effects of reducing the use of cryptography abroad; the mismatch between vendor and government perceptions of export controls; and various other aspects of the export control process as it is experienced by those subject to it. 4.1 BRIEF DESCRIPTION OF CURRENT EXPORT CONTROLS Many advanced industrialized nations maintain controls on exports of cryptography, including the United States. The discussion below focuses on U.S. export controls; Appendix G addresses foreign export control regimes on cryptography. 4.1.1 The Rationale for Export Controls On the basis of discussion with senior government officials and its own deliberations, the committee believes that the current U.S. export control regime on products with encryption capabilities for confidentiality is intended to serve two primary purposes: + To delay the spread of strong cryptographic capabilities and the use of those capabilities throughout the world. Senior intelligence officials recognize that in the long run, the ability of intelligence agencies to engage in signals intelligence will inevitably diminish due to a variety of technological trends, including the greater use of cryptography.(1) + To give the U.S. government a tool for monitoring and influencing the commercial development of cryptography. Since any U.S. vendor that wishes to export a product with encryption capabilities for confidentiality must approach the U.S. government for permission to do so, the export license approval process is an opportunity for the U.S. government to learn in detail about the capabilities of such products. Moreover, the results of the license approval process have influenced the cryptography that is available on the international market. 
---------- (1) Although the committee came to this conclusion on its own, it is consistent with that of the Office of Technology Assessment, *Information Security and Privacy in Network Environments*, Washington, D.C., September 1994. ____________________________________________________________ 4.1.2 General Description(2) Authority to regulate imports and exports of products with cryptographic capabilities to and from the United States derives from two items of legislation: the Arms Export Control Act (AECA) of 1949 (intended to regulate munitions) and the Export Administration Act (EAA; intended to regulate so-called dual-use products(3)). The AECA is the legislative basis for the International Traffic in Arms Regulations (ITAR), in which the U.S. Munitions List (USML) is defined and specified. Items on the USML are regarded for purposes of import and export as munitions, and the ITAR are administered by the Department of State. The EAA is the legislative basis for the Export Administration Regulations (EAR), which define dual-use items on a list known as the Commerce Control List (CCL)(4); the EAR are administered by the Department of Commerce. The EAA lapsed in 1994 but has been continued under executive order since that time. Both the AECA and the EAA specify sanctions that can be applied in the event that recipients of goods exported from the United States fail to comply with all relevant requirements, such as agreements to refrain from reexport (Box 4.1). At present, products with encryption capabilities can be imported into the United States without restriction, although the President does have statutory authority to regulate such imports if appropriate. Exports are a different matter. Any export of an item covered by the USML requires a specific affirmative decision by the State Department's Office of Defense Trade Controls, a process that can be time-consuming and cumbersome from the perspective of the vendor and prospective foreign purchaser. 
The ITAR regulate and control exports of all "cryptographic systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems"; in addition, they regulate information about cryptography that is not implemented in a product, in a category known as "technical data."(5) Until 1983, USML controls were maintained on all cryptography products. However, since that time, a number of relaxations in these controls have been implemented (Box 4.2), although many critics contend that such relaxation has lagged significantly behind the evolving marketplace. Today, the ITAR provide a number of categorical exemptions that allow for products in those categories to be regulated as dual-use items and controlled exclusively by the CCL. For products that do not fall into these categories and for which there is some question about whether it is the USML or the CCL that governs their export, the ITAR also provide for a procedure known as commodity jurisdiction,(6) under which potential exporters can obtain judgments from the State Department about which list governs a specific product. A product granted commodity jurisdiction to the CCL falls under the control of the EAR and the Department of Commerce. Note that commodity jurisdiction to the CCL is generally granted for products with encryption capabilities using 40-bit keys regardless of the algorithm used, although these decisions are made on a product-by-product basis. In addition, when a case-by-case export licensing decision results in CCL jurisdiction for a software product, it is usually only the object code, which cannot be modified easily, that is transferred; the source code of the product (embedding the identical functionality but more easily modified) generally remains on the USML. 
As described in Box 4.3, key differences between the USML and the CCL have the effect that items on the CCL enjoy more liberal export consideration than items on the USML. (This report uses the term "liberal export consideration" to mean treatment under the CCL.) Most importantly, a product controlled by the CCL is reviewed only once by the U.S. government, thus drastically simplifying the marketing and sale of the product overseas. The most important of these explicit categorical exemptions to the USML for cryptography are described in Box 4.4. In addition, the current export control regime provides for an individual case-by-case review of USML licensing applications for products that do not fall under the jurisdiction of the CCL. Under current practice, USML licenses to acquire and export for internal use products with encryption capabilities stronger than that provided by 40-bit RC2/RC4 encryption (hereafter in this chapter called "strong encryption"(7)) are generally granted to U.S.-controlled firms (i.e., U.S. firms operating abroad, U.S.-controlled foreign firms, or foreign subsidiaries of a U.S. firm). In addition, banks and financial institutions (including stock brokerages and insurance companies), whether U.S.-controlled or owned or foreign-owned, are generally granted USML licenses for strong cryptography for use in internal communications and communications with other banks even if these communications are not limited strictly to banking or money transactions. In September 1994, the Administration promulgated regulations that provided for U.S. 
vendors to distribute approved products with encryption capabilities for confidentiality directly from the United States to foreign customers without using a foreign distributor and without prior State Department approval for each export.(8) It also announced plans to finalize a "personal use exemption" to allow license-free temporary exports of products with encryption capabilities when intended for personal use; a final rule on the personal use exemption was announced in early 1996 and is discussed below in Section 4.3.2. Lastly, it announced a number of actions intended to streamline the export control process to provide more rapid turnaround for certain "preapproved" products. In August 1995, the Administration announced a proposal to liberalize export controls on software products with encryption capabilities for confidentiality that use algorithms with a key space of 64 or fewer bits, provided that the key(s) required to decrypt messages and files are "properly escrowed"; such products would be transferred to the CCL. However, since an understanding of this proposal requires some background in escrowed encryption, discussion of it is deferred to Chapter 5. ---------- (2) Two references that provide detailed descriptions of the U.S. export control regime for products with encryption capability are a memorandum by Fred Greguras of the law firm Fenwick & West (Palo Alto, Calif.), dated March 6, 1995, and titled "Update on Current Status of U.S. Export Administration Regulations on Software" (available on http://www.batnet.com/oikoumene/SftwareEU.html), and a paper by Ira Rubenstein ("Export Controls on Encryption Software," in *Coping with U.S. Export Controls 1994*, October 18, 1995 (PLI Com. Law & Practice Course Handbook Series No. A-733, 1995).). 
The Greguras memorandum focuses primarily on the requirements of products controlled by the Commerce Control List, while the Rubenstein paper focuses primarily on how to move a product from the Munitions List to the Commerce Control List. (3) A dual-use item is one that has both military and civilian applications. (4) The CCL is also commonly known as the Commodity Control List. (5) However, all encryption products intended for domestic Canadian use in general do not require export licenses. (6) Commodity jurisdiction is also often known by its acronym, CJ. (7) How much stronger than 40-bit RC2/RC4 is unspecified. Products incorporating the 56-bit DES algorithm are often approved for these informal exemptions, and at times even products using larger key sizes have been approved. But the key size is not unlimited, as may be the case under the explicit categorical exemptions specified in the ITAR. (8) Prior to this rule, almost every encryption export required an individual license. Only those exports covered by a distribution arrangement could be shipped without an individual license. This distribution arrangement required a U.S. vendor of products with cryptographic capabilities to export to a foreign distributor that could then resell them to multiple end users. The distribution arrangement had to be approved by the State Department and included some specific language. Under the new rule, a U.S. vendor without a foreign distributor can essentially act as his own distributor, and avoid having to obtain a separate license for each sale. Exporters are required to submit a proposed arrangement identifying, among other things, specific items to be shipped, proposed end users and end use, and countries to which the items are destined. Upon approval of the arrangement, exporters are permitted to ship the specified products directly to end users in the approved countries based on a single license. 
See Bureau of Political-Military Affairs, Department of State, "Amendment to the International Traffic in Arms Regulations," *Federal Register*, September 2, 1994. ____________________________________________________________ 4.1.3 Discussion of Current Licensing Practices The Categorical Exemptions The categorical exemptions described in Box 4.4 raise a number of issues: + In the case of the 40-bit limitation, the committee was unable to find a specific analytical basis for this figure. Most likely, it was the result of a set of compromises that were politically driven by all of the parties involved.(9) However, whatever the basis for this key size, recent successful demonstrations of the ability to undertake brute-force cryptanalysis on messages encrypted with a 40-bit key (Box 4.5) have led to a widespread perception that such key sizes are inadequate for meaningful information security. + In the case of products intended for use only in banking or money transactions, the exemption results from the recognition by national security authorities that the integrity of the world's financial system is worth protecting with high levels of cryptographic security. Given the primacy of the U.S. banking community in international financial markets, such a conclusion makes eminent sense. Furthermore, at the time this exemption was promulgated, the financial community was the primary customer for products with encryption capabilities. This rationale for protecting banking and money transactions naturally calls attention to the possibilities inherent in a world of electronic commerce, in which routine communications will be increasingly likely to include information related to financial transactions. Banks (and retail shops, manufacturers, suppliers, end customers, and so on) will engage in such communications across national borders. In a future world of electronic commerce, connections among nonfinancial institutions may become as important as the banking networks are today. 
At least one vendor has been granted authority to use strong encryption in software intended for export that would support international electronic commerce (though under the terms of the license, strong encryption applies only to a small portion of the transaction message).(10) + In the case of products useful only for user authentication, access control, and data integrity, the exemption resulted from a judgment that the benefits of more easily available technology for these purposes outweigh whatever costs there might be to such availability. Thus, in principle, these nonconfidentiality products from U.S. vendors should be available overseas without significant restriction. In practice, however, this is not entirely the case. Export restrictions on confidentiality have some "spillover" effects that reduce somewhat the availability of products that are intended primarily for authentication.(11) Another spillover effect arises from a desire among vendors and users to build and use products that integrate multiple cryptographic capabilities (for confidentiality and for authentication/integrity) with general-purpose functionality. In many instances, it is possible for cryptography for authentication/integrity and cryptography for confidentiality to draw on the same algorithm. Export control regulations may require that a vendor weaken or even eliminate the encryption capabilities of a product that also provides authentication/integrity capabilities, with all of the consequent costs for users and vendors (as described in Section 4.3). Such spillover effects suggest that government actions that discourage capabilities for confidentiality may also have some negative impact on the development and use of products with authentication/integrity capabilities even if there is no direct prohibition or restriction on export of products with capabilities only for the latter. 
Informal Noncodified Practices As described above, it is current practice to grant USML licenses for exports of strong cryptography to firms in a number of categories described in Box 4.4. However, the fact that this practice is not explicitly codified contributes to a sense of uncertainty among vendors and users about the process and in practice leads to unnecessary delays in license processing. In addition, there is uncertainty about whether or not a given foreign company is "controlled" by a U.S. firm. Specifically, vendors often do not know (and cannot find out in advance) whether a proposed sale to a particular foreign company falls under the protection of this unstated exemption. As a practical rule, the U.S. government has a specific set of guidelines that are used to make this determination.(12) But these rules require considerable interpretation and thus do not provide clear guidance for U.S. vendors. A third issue that arises with current practice is that the lines between "foreign" and "U.S." companies are blurring in an era of transnational corporations, ad hoc strategic alliances, and close cooperation between suppliers and customers of all types. For example, U.S. companies often team with foreign companies in global or international ventures. It would be desirable for U.S. products with encryption capabilities to be used by both partners to conduct business related to such alliances without requiring a specific export licensing decision.(13) In some instances, USML licenses have granted U.S. companies the authority to use strong encryption rather freely (e.g., in the case of a U.S. company with worldwide suppliers). But these licenses are still the result of a lengthy case-by-case review whose outcome is uncertain. 
Finally, the State Department and NSA explicitly assert control over products without any cryptographic capability at all but developed with "sockets," or more formally, cryptographic applications programming interfaces into which a user can insert his own cryptography. Such products are regarded as having an inherent cryptographic capability (although such capability is latent rather than manifest), and as such are controlled by the USML, even though the text of the ITAR does not mention these items explicitly.(14) In general, vendors and users understand this to be the practice and do not challenge it, but they dislike the fact that it is not explicit. ---------- (9) It is worth noting a common argument among many nongovernment observers that any level of encryption that qualifies for export (e.g., that qualifies for control by the CCL, or that is granted an export license under the USML) must be easily defeatable by NSA, or else NSA would not allow it to leave the country. The subtext of this argument is that such a level of encryption is perforce inadequate. Of course, taken to its logical conclusion, this argument renders impossible any agreement between national security authorities and vendors and users regarding acceptable levels of encryption for export. (10) "Export Approved for Software to Aid Commerce on Internet," *New York Times*, May 8, 1995, p. D-7. (11) For example, the Kerberos operating system is designed to provide strong cryptographic authentication of users (and hence strong access control for system resources). Typically, Kerberos is distributed in the United States in source code through the Internet to increase its usability on a wide range of platforms, to accommodate diverse user needs, and to increase maintainability; source code distribution is a common practice on the Internet. 
However, since Kerberos uses the DES algorithm as the cryptographic engine to support its authentication features, the source code for Kerberos is controlled under the USML and is not available through the Internet to foreign end users. It is thus fair to say that Kerberos is less used by foreign users than it might be if there were no export controls on products with encryption capabilities, even though the primary purpose of Kerberos is authentication. Note that Kerberos is also designed with operating system calls that support confidentiality. These calls are stripped out of the exportable version of Kerberos, which is only available in object form in any event. A second example was provided in testimony to the committee from a company that had eliminated all cryptographic capabilities from a certain product because of its perceptions of the export control hurdles to be overcome. The capabilities eliminated included those for authentication. While it can be argued that the company was simply ignorant of the exemptions in the ITAR for products providing authentication capabilities, the fact remains that much of the vendor community is either not familiar with the exemptions or does not believe that they represent true "fast-track" or "automatic" exceptions. (12) Under Defense Department guidelines for determining foreign ownership, control, or influence (FOCI), a U.S. company is considered under FOCI "whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable through the ownership of the U.S. company's securities, by contractual arrangements or other means, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may affect adversely the performance of classified contracts." 
A FOCI determination for a given company is made on the basis of a number of factors, including whether a foreign person occupies a controlling or dominant minority position; the identification of immediate, intermediate and ultimate parent organizations. (See Department of Defense, *National Industrial Security Program Operating Manual*, DOD-5220.22-M, January 1995, pp. 2-3-1 to 2-3-2.) According to ITAR Regulation 122.2, "ownership" means that more than 50 percent of the outstanding voting securities of the firm are owned by one or more foreign persons. "Control" means that one or more foreign persons have the authority or ability to establish or direct the general policies or day-to-day operations of the firm. Control is presumed to exist where foreign persons own 25 percent or more of the outstanding voting securities if no U.S. persons control an equal or larger percentage. The standards for control specified in 22 CFR 60.2(c) also provide guidance in determining whether control in fact exists. Defense Department Form 4415, August 1990, requires answers to 11 questions in order for the Defense Department to make a FOCI determination for any given company. (13) In one instance reported to the committee, a major multinational company with customer support offices in China experienced a break-in in which Chinese nationals apparently copied paper documents and computer files. File encryption would have mitigated the impact associated with this "bag job." Then-current export restrictions hampered deployment of encryption to this site because the site was owned by a foreign (Chinese) company rather than a U.S.-controlled company and therefore not easily covered under then-current practice. 
____________________________________________________________ 4.2 EFFECTIVENESS OF EXPORT CONTROLS ON CRYPTOGRAPHY One of the most contentious points in the debate over export controls on cryptography concerns their effectiveness in delaying the spread of strong cryptographic capabilities and the use of those capabilities throughout the world. Supporters of the current export control regime believe that these controls have been effective, and they point to the fact that encryption is not yet in widespread commercial use abroad and that a significant fraction of the traffic intercepted globally is unencrypted. Further, they argue that U.S. products with encryption capabilities dominate the international market to an extent that impeding the distribution of U.S. products necessarily affects worldwide usage. Critics of current policy assert that export controls have not been effective in limiting the availability of cryptography abroad. For example, based on its ongoing survey of cryptography products worldwide (a study widely cited by critics of current policy), Trusted Information Systems Inc. has noted that: [w]e have now identified 1181 products worldwide [as of March 30, 1996], and we're continuing to learn about new products, both domestic and foreign, on a daily basis. We've also obtained numerous products from abroad and are examining these products to assess their functionality and security. The survey results show that cryptography is indeed widespread throughout the world. Export controls outside of the U.S. appear to be less restrictive. The quality of foreign products seems to be comparable to that of U.S. products.(15) Furthermore, critics of U.S. export controls argue that sources other than U.S. commercial vendors (specifically foreign vendors, the in-house expertise of foreign users, Internet software downloads, and pirated U.S. software) are capable of providing very good cryptography that is usable by motivated foreign users. 
In assessing the arguments of both supporters and critics of the current export control regime, it is important to keep in mind that the ultimate goal of export controls on cryptography is to keep strong cryptography out of the hands of potential targets of signals intelligence. Set against this goal, the committee believes that the arguments of both supporters and critics have merit but require qualification. The supporters of the current export regime are right in asserting that U.S. export controls have had a nontrivial impact in retarding the use of cryptography worldwide. This argument is based on three linked factors. + U.S. export controls on cryptography have clearly limited the sale of U.S. products with encryption capabilities in foreign markets; indeed, it is this fact that drives the primary objection of U.S. information technology vendors to the current export control regime on cryptography. + Very few foreign vendors offer integrated products with encryption capabilities.(16) U.S. information technology products enjoy a very high reputation for quality and usability, and U.S. information technology vendors, especially those in the mass-market software arena, have marketing and distribution skills that are as yet unparalleled by their foreign counterparts. As a result, foreign vendors have yet to fill the void left by an absence of U.S. products. + U.S. information technology products account for a large fraction of global sales. For example, a recent U.S. International Trade Commission staff report points out that over half of all world sales in information technology come from the United States.(17) Actions that impede the flow of U.S. products to foreign consumers are bound to have significant effects on the rate at which those products are purchased and used. On the other hand, it is also true that some foreign targets of interest to the U.S. 
government today use encryption that is for all practical purposes unbreakable; major powers tend to use "home-grown" cryptography that they procure on the same basis that the United States procures cryptography for its own use, and export controls on U.S. products clearly cannot prevent these powers from using such cryptography. Furthermore, the fact that cryptography is not being widely used abroad does not necessarily imply that export controls are effective--or will be in the near future--in restraining the use of cryptography by those who desire the protection it can provide. The fact is that cryptography is not used widely either in the United States or abroad, and so it is unclear whether it is the lack of information security consciousness described in Chapter 2 or the U.S. export control regime for cryptography that is responsible for such non-use; most probably, it is some combination of these two factors. The critics of the current export regime are right in asserting that foreign suppliers of cryptography are many and varied, that software products with encryption capabilities are quite available through the Internet (probably hundreds of thousands of individuals have the technical skill needed to download such products), and that cryptography does pose special difficulties for national authorities wishing to control such technology (Box 4.6). Yet, most products with encryption capabilities available on the Internet are not integrated products; using security-specific products is generally less convenient than using integrated products (as described in Chapter 2), and because such products are used less often, their existence and availability pose less of a threat to the collection of signals intelligence. 
Furthermore, Internet products are, as a general rule, minimally supported and do not have the backing of reputable and established vendors.(18) Users who download software from the Internet may or may not know exactly what code the product contains and may not have the capability to test it to ensure that it functions as described.(19) Corporate customers, the primary driver for large-scale deployment of products, are unlikely to rely on products that are not sold and supported by reputable vendors, and it is products with a large installed base (i.e., those created by major software vendors) that would be more likely to have the high-quality encryption that poses a threat to signals intelligence. Box 4.7 describes the primary differences between commercial products and "freeware" available on the Internet. The committee's brief survey of product literature describing foreign stand-alone security-specific products with encryption capabilities (Box 4.8) also indicated many implementations that were unsound from a security standpoint, even taking for granted the mathematical strength of the algorithms involved and the proper implementation of the indicated algorithms.(20) The committee has no reason to believe that the stand-alone security-specific products with encryption capabilities made by U.S. vendors are on average better at providing security,(21) although the large established software vendors in the United States do have reputations for providing relatively high quality in their products for features unrelated to security.(22) Without an acceptable product certification service, most users have no reliable way of determining the quality of any given product for themselves. As a general rule, a potential user of cryptography faces the choice of buying commercially available products with encryption capabilities on the open market (perhaps custom-made, perhaps produced for a mass market) or developing and deploying those products independently. 
The arguments discussed above suggest that global dissemination of knowledge about cryptography makes independent development an option, but the problems of implementing knowledge as a usable and secure product drive many potential users to seek products available from reputable vendors. In general, the greater the resources available to potential users and the larger the stakes involved, the more likely they are to attempt to develop their own cryptographic resources. Thus, large corporations and First World governments are, in general, more likely than small corporations and Third World governments to develop their own cryptographic implementations. Finally, the text of the ITAR seems to allow a number of entirely legal actions that could have results that the current export control regime is intended to prevent (see Box 4.9). For example, RSA Data Security Inc. has announced a partnership with the Chinese government to fund an effort by Chinese government scientists to develop new encryption software. This software may be able to provide a higher degree of confidentiality than software that qualifies today for liberal export consideration under the CCL.(23) ---------- (14) Specifically, the ITAR place on the USML "cryptographic devices, software, and components specifically designed or modified therefor, including: cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems." Note that these categories do not explicitly mention systems without cryptography but with the capability of accepting "plug-in" cryptography. (15) Available on line from the TIS home page, http://www.tis.com; at the time of its presentation to the committee, TIS had identified 450 such products available from foreign nations. 
Testimony on this topic was first presented by Steven Walker, president of Trusted Information Systems, to the House Committee on Foreign Affairs, Subcommittee on Economic Policy, Trade, and Environment, on October 12, 1993. TIS briefed the committee on December 15, 1994, and July 19, 1995. The survey mentioned in testimony to the committee continues, and regularly updated figures can be found on the TIS Web page (http://www.tis.com/crypto-survey). (16) The Department of Commerce and the National Security Agency found no general-purpose software products with encryption capability from non-U.S. manufacturers. See Department of Commerce and National Security Agency, *A Study of the International Market for Computer Software with Encryption*, January 11, 1996, p. 111-9. (17) Office of Industries, U.S. International Trade Commission, *Global Competitiveness of the U.S. Computer Software and Service Industries*. Staff Research Study #21, Washington, D.C., June 1995, executive summary. (18) Whether major vendors will continue to avoid the Internet as a distribution medium remains to be seen. Even today, a number of important products, including Adobe's Acrobat Reader, Microsoft's Word Viewer and Internet Assistant, and the Netscape Navigator are distributed through the Internet. Some vendors make products freely available in limited functionality versions as an incentive for users to obtain full-featured versions; others make software products freely available to all takers in order to stimulate demand for other products from that vendor for which customers pay. (19) Indeed, the lack of quality control for Internet-available software provides an opportunity for those objecting to the proliferation of good products with encryption capability to flood the market with their own products anonymously or pseudonymously; such products may include features that grant clandestine access with little effort. 
(20) The committee's analysis of foreign stand-alone products for cryptography was based on material provided to the committee by TIS, which TIS had collected through its survey. This material was limited to product brochures and manuals, which the committee believes puts the best possible face on a product's quality. Thus, the committee's identification of security defects in these products is plausibly regarded as a minimum estimate of their weaknesses--more extensive testing (e.g., involving disassembly) would be likely to reveal additional weaknesses, since implementation defects would not be written up in a product brochure. Moreover, the availability of a product brochure does not ensure the availability of the corresponding product; TIS has brochures for all of the 800-plus products identified in its survey, but due to limited resources, it has been able to obtain physical versions (e.g., a disk, a circuit board) of fewer than 10 percent of the products described in those brochures. (21) An "amateur" review of encryption for confidentiality built into several popular U.S. mass-market software programs noted that the encryption facilities did not provide particularly good protection. The person who reviewed these programs was not skilled in cryptography but was competent in his understanding of programming and how the Macintosh manages files. By using a few commonly available programming tools (a file compare program, a "debugger" that allows the user to trace the flow of how a program executes, and a "disassembler" that turns object code into source code that can be examined), the reviewer was able to access in less than two hours the "protected" files generated by four out of eight programs. See Gene Steinberg, "False Security," *MACWORLD*, November 1995, pp. 118-121. One well-publicized cryptographic security flaw found in the Netscape Corporation's Navigator Web browser is discussed in footnote 34 in Chapter 2. 
Because of a second flaw, Netscape Navigator could also enable a sophisticated user to damage information stored on the host computer to which Navigator is connected. (See Jared Sandberg, "Netscape Software for Cruising Internet Is Found to Have Another Security Flaw," *Wall Street Journal*, September 25, 1995, p. B-12.) (22) In addition, a product with a large installed base is subject to a greater degree of critical examination than a product with a small installed base, and hence flaws in the former are more likely to be noticed and fixed. Large installed bases are more characteristic for products produced by established vendors than of freeware or shareware producers. (23) See Don Clark, "China, U.S. Firm Challenge U.S. on Encryption-Software Exports," *Wall Street Journal*, February 8, 1996, p. A-10. ____________________________________________________________ 4.3 THE IMPACT OF EXPORT CONTROLS ON U.S. INFORMATION TECHNOLOGY VENDORS U.S. export controls have a number of interrelated effects on the economic health of U.S. vendors and on the level of cryptographic protection available to U.S. firms operating domestically. (The impact of foreign import controls on U.S. vendors is discussed in Chapter 6 and Appendix G.) 4.3.1 De Facto Restrictions on the Domestic Availability of Cryptography Current law and policy place no formal restrictions whatever on products with encryption capabilities that may be sold or used in the United States. In principle, the domestic market can already obtain any type of cryptography it wants. For stand-alone security-specific products, this principle is true in practice as well. But the largest markets are not for stand-alone security-specific products, but rather for integrated products with encryption capabilities. For integrated products with encryption capabilities, export controls do have an effect on domestic availability. 
For example, + The Netscape Communications Corporation distributes a version of Netscape Navigator over the Internet and sells a version as shrink-wrapped software. Because the Internet version can be downloaded from abroad, its encryption capabilities are limited to those that will allow for liberal export consideration; the shrink-wrapped version is under no such limitation and in fact is capable of much higher levels of encryption.(24) Because it is so much more convenient to obtain, the Internet version of Netscape Navigator is much more widely deployed in the United States than is the shrink-wrapped version, with all of the consequences for information security that its weaker encryption capability implies. + The Microsoft Corporation recently received permission to ship Windows NT Version 4, a product that incorporates a cryptographic applications programming interface approved by the U.S. government for commodity jurisdiction to the CCL. However, this product is being shipped worldwide with a cryptographic module that provides encryption capabilities using 40-bit RC4.(25) While domestic users may replace the default module with one providing stronger encryption capabilities, many will not, and the result is a weaker encryption capability for those users. + A major U.S. software vendor distributes its major product in modular form in such a way that the end user can assemble a system configuration in accordance with local needs. However, since the full range of USML export controls on encryption is applied to modular products into which cryptographic modules may be inserted, this vendor has not been able to find a sensible business approach to distributing the product in such a way that it would qualify for liberal export consideration. The result has been that the encryption capabilities provided to domestic users of this product are much less than they would otherwise be in the absence of export controls. 
What factors underlie the choices made by vendors that result in the outcomes described above? At one level, the examples above are simply the result of market decisions and preferences. At a sufficiently high level of domestic market demand, U.S. vendors would find it profitable and appropriate to develop products for the domestic market alone. Similarly, given a sufficiently large business opportunity in a foreign country (or countries) that called for a product significantly different from that used by domestic users, vendors would be willing to develop a customized version of a product that would meet export control requirements. Furthermore, many other manufacturers of exportable products must cope with a myriad of different requirements for export to different nations (e.g., differing national standards for power, safety, and electromagnetic interference), as well as differing languages in which to write error messages or user manuals. From this perspective, export controls are simply one more cost of doing business outside the United States. On the other hand, the fact that export controls are an additional cost of doing business outside the United States is not an advantage for U.S. companies planning to export products. A vendor incurs less expense and lower effort for a single version of a product produced for both domestic and foreign markets than it does when multiple versions are involved. While the actual cost of developing two different versions of a product with different key lengths and different algorithms is relatively small, a much larger part of the expense associated with multiple versions relates to marketing, manufacture, support, and maintenance of multiple product versions after the initial sale has been made.(26) Since a vendor may be unable to export a given product with encryption capabilities to foreign markets, domestic market opportunities must be that much greater to warrant a domestic-only version. 
(Given that about half of all sales of U.S. information technology vendors are made to foreign customers, the loss of foreign markets can be quite damaging to a U.S. vendor.(27)) When they are not, vendors have every incentive to develop products with encryption capabilities that would easily qualify for liberal export consideration. As a result, the domestic availability of products with strong encryption capability is diminished. While a sufficiently high level of domestic market demand would make it profitable for U.S. vendors to develop products for the domestic market alone, the "sufficiently" qualifier is a strong one indeed, given the realities of the market into which vendors must sell and compete, and one infrequently met in practice. Users are also affected by an export control regime that forces foreign and domestic parties in communication with each other to use encryption systems based on different algorithms and/or key lengths. In particular, an adversary attempting to steal information will seek out the weakest point. If that weakest point is abroad because of the weak cryptography allowed for liberal export, then that is where the attack will be. In businesses with worldwide network connections, it is critical that security measures be taken abroad, even if key information repositories and centers of activity are located in the continental United States. Put differently, the use of weak cryptography abroad means that sensitive information communicated by U.S. businesses to foreign parties faces a greater risk of compromise abroad because stronger cryptography integrated into U.S. information technology is not easily available abroad. Finally, the export licensing process can have a significant impact on how a product is developed. 
For example, until recently, products developed to permit the user to substitute easily his own cryptography module were subject to the USML and the ITAR.(28) One vendor pointed out to the committee that its systems were designed to be assembled "out of the box" by end users in a modular fashion, depending on their needs and computing environment. This vendor believed that such systems would be unlikely to obtain liberal export consideration, because of the likelihood that a foreign user would be able to replace an "export-approved" cryptography module with a cryptography module that would not pass export review. Under these circumstances, the sensible thing from the export control perspective would be to deny exportability for the modularized product even if its capabilities did fall within the "safe harbor" provisions for products with encryption capabilities. The considerations above led the committee to conclude that U.S. export controls have had a negative impact on the cryptographic strength of many integrated products with encryption capabilities available in the United States.(29) Export controls tend to drive major vendors to a "least common denominator" cryptographic solution that will pass export review as well as sell in the United States. The committee also believes that export controls have had some impact on the availability of cryptographic authentication capabilities around the world. Export controls distort the global market for cryptography, and the product decisions of vendors that might be made in one way in the absence of export controls may well be made another way in their presence. Some of the reasons for this vendor choice are explored in the next section. ---------- (24) The shrink-wrapped version of Netscape Navigator sold within the United States and Canada supports several different levels of encryption, including 40-bit RC4, 128-bit RC4, 56-bit DES, and triple-DES. 
The default for a domestic client communicating with a domestic server is 128-bit RC4. Source: Jeff Weinstein, Netscape Communications Corporation, Mountain View, California, personal communication. (25) See Jason Pontin, "Microsoft Encryption API to Debut in NT Workstation Beta," *Infoworld*, January 29, 1996, p. 25. (26) Note that development and support concerns are even more significant when a given product is intended for cross-platform use (i.e., for use in different computing environments such as Windows, Mac OS, Unix, and so on), as is the case for many high-end software products (such as database retrieval systems): when a product is intended for use on 50 different platforms, multiplying by a factor of two the effort required on the part of the vendor entails much more of an effort by the vendor than if the product were intended for use on only one platform. (27) See footnote 17. (28) Note, however, that the use of object-oriented software technology can in general facilitate the use of applications programming interfaces that provide "hooks" to modules of the user's choosing. A number of vendors have developed or are developing general-purpose applications programming interfaces that will allow the insertion of a module to do almost anything. Since these programming interfaces are not specialized for cryptography, but instead enable many useful functions (e.g., file compression, backups), it is very difficult to argue the basis on which applications incorporating these interfaces should be denied export licenses simply because they *could* be used to support encryption. A further discussion of recent developments involving cryptography modules and cryptographic applications programming interfaces is contained in Chapter 7. (29) A similar conclusion was reached by the FBI, whose testimony to the committee noted that "the use of export controls may well have slowed the speed, proliferation, and volume of encryption products sold in the U.S." 
Written Statement of "FBI Input to the NRC's National Cryptographic Study Committee," received December 1, 1995. ____________________________________________________________ 4.3.2 Regulatory Uncertainty Related to Export Controls A critical factor that differentiates the costs of complying with export controls from other costs of doing business abroad is the unpredictability of the export control licensing process. (Other dimensions of uncertainty for vendors not related to export controls are discussed in Chapter 6.) A company must face the possibility that despite its best efforts, a USML export license or a commodity jurisdiction to the CCL will not be granted for a product. Uncertainties about the decisions that will emerge from the export control regime force vendors into very conservative planning scenarios. In estimating benefits and costs, corporate planners must take into account the additional costs that could be incurred in developing two largely independent versions of the same product or limit the size of the potential market to U.S. purchasers. When such planning requirements are imposed, the number of product offerings possible is necessarily reduced. USML licensing is particularly unpredictable, because the reasons that a license is denied in any given instance are not necessarily made available to the applicant; in some cases, the rationale for specific licensing decisions is based on considerations that are highly classified and by law cannot be made available to an uncleared applicant. Since such rationales cannot be discussed openly, an atmosphere of considerable uncertainty pervades the development process for vendors seeking to develop products for overseas markets. Furthermore, there is no independent adjudicating forum to which a negative licensing decision can be appealed. Since USML licensing is undertaken on a case-by-case basis, it requires the exercise of judgment on the part of the regulatory authorities. 
A judgment-based approach has the disadvantage that it requires a considerable degree of trust between the regulated and the regulator.(30) To the extent that an individual regulated party believes that the regulator is acting in the best interests of the entire regulated community, it is natural that it would be more willing to accept the legitimacy of the process that led to a given result. However, in instances in which those that are regulated do not trust the regulator, judgments of the regulator are much more likely to be seen as arbitrary and capricious.(31) This situation currently characterizes the relationship between cryptography vendors/users and national security authorities responsible for implementing the U.S. export control regime for cryptography. In input received by the committee, virtually all industry representatives, from large to small companies, testified about the unpredictability of the process. From the vendor point of view, the resulting uncertainty inhibits product development and allows negative decisions on export to be rendered by unknown forces and/or government agencies with neither explanation nor a reasonable possibility of appeal. The need to stay far away from the vague boundaries of what might or might not be acceptable is clearly an inhibitor of technological progress and development. Vendor concerns are exacerbated in those instances in which export control authorities are unwilling to provide a specific reason for the denial of an export license or any assurance that a similarly but not identically configured product with encryption capabilities would pass export review. Even worse from the vendor perspective, product parameters are not the only determinant of whether a licensing decision will be favorable except in a very limited and narrow range of cryptographic functionality. The uncertainty described above is not limited to new and inexperienced vendors encountering the U.S. 
export control regime for the first time; large and sophisticated institutions with international connections have also encountered difficulties with the current export control regime. For example, a representative from a major U.S. bank with many international branches reported that export controls affect internally developed bank software with encryption capabilities; a U.S. citizen who works on bank software with encryption capabilities in England may "taint" that software so that it falls under U.S. export control guidelines. Thus, despite the fact that the current export control regime treats banks and other financial institutions relatively liberally, major banks have still struggled under the limitations of the export control regime. The situation is worse for smaller companies. While large companies have experience and legal staffs that help them to cope with the export control regime, small companies do not. New work on information technology often begins in garage-shop operations, and the export control regime can be particularly daunting to a firm with neither the legal expertise nor the contacts to facilitate compliance of a product with all of the appropriate regulations. These companies in particular are the ones most likely to decide in the end to avoid entirely the inclusion of cryptographic features due to concern of running afoul of the export control rules. The following three examples illustrate how the unpredictability of the export control licensing process has affected U.S. vendors and their products. Modularity As noted above, cryptographic applications programming interfaces that are directly and easily accessible to the user are in general subject to USML licensing. However, even "closed" interfaces that are not easily accessible to the user are sometimes perceived to pose a risk for the vendor. 
One major product vendor reported to the committee that it was reluctant to use modular development for fear that even an internal module interface could keep a product from passing export control review. Any software product that uses modular techniques to separate the basic product functionality from the cryptography has a well-defined interface between the two. Even when the software product is converted to object code, that interface is still present (though it is hidden from the casual user). However, the interface cannot in general be hidden from a person with strong technical skills, and such a person would be able to find it and tamper with it in such a way that a different cryptography module could be used.(32) A number of similar considerations apply for hardware products, in which the cryptographic capabilities might be provided by a "plug-in" chip. The alternative to the use of modular techniques in the development of integrated products would complicate the "swap-in/swap-out" of cryptographic capabilities: lines of code (if software) and wires (if hardware) that implemented cryptographic capabilities would be highly interwoven with lines of code and wires that implemented the primary capabilities of the product. On the other hand, this approach would be tantamount to the development of two largely distinct products with little overlap in the work that was required to produce them. The NSA has spoken publicly about its willingness to discuss with vendors from the early stages of product design features and capabilities of proposed products with encryption capabilities for confidentiality so that the export license approval process can be facilitated, and its willingness to abide by nondisclosure agreements to reassure vendors that their intellectual property rights will be protected.(33) Nonetheless, the receipt of an export control license useful for business purposes is not guaranteed by such cooperation. 
For example, while decisions about commodity jurisdiction often provide CCL jurisdiction for object code and USML jurisdiction for source code (and thus need not inhibit modular product development if the product is to be distributed in object form only), the fact remains that such decisions are part of a case-by-case review whose outcome is uncertain. Different vendors are willing to tolerate different levels of risk in this regard, depending on the magnitude of the investments involved. As a general rule, NSA does not appear willing to make agreements in advance that will assure licenses for a product that has not yet been instantiated or produced. Such a position is not unreasonable given NSA's stance toward products with encryption capabilities in general, and the fact that the true capabilities of a product may depend strongly on how it is actually implemented in hardware or software. Thus, vendors have no indemnification against the risk that a product might not be approved.(34) The Definition of Export There is uncertainty about what specific act constitutes the "export" of software products with encryption capabilities. It is reasonably clear that the act of mailing to a foreign country a disk with a product with encryption capabilities on it constitutes an export of that product. But if that product is uploaded to an Internet site located in the United States and is later downloaded by a user located in another country, is the act of export the upload or the download? What precautions must be taken by the uploader to remain on the legal side of the ITAR? The committee has been unable to find any formal document that indicates answers to these questions. 
However, a March 1994 letter from the State Department Office of Defense Trade Controls appears to indicate that a party could permit the posting of cryptographic software on an Internet host located in the United States if "(a) the host system is configured so that only people originating from nodes in the United States and Canada can access the cryptographic software, or (b) if the software is placed in a file or directory whose name changes every few minutes, and the name of the file or directory is displayed in a publicly known and readable file containing an explicit notice that the software is for U.S. and Canadian use only."(35) Of course, such a letter does not provide formal guidance to parties other than the intended addressee (indeed, under the ITAR, advisory opinions provided to a specific party with a given set of circumstances are not binding on the State Department even with respect to that party), and so the issue remains murky. The Speed of the Licensing Process Uncertainty is also generated by a lengthy licensing process without time lines that allow vendors to make realistic schedules. Box 4.10 describes some of the problems reported to the committee. To summarize, the perceptions of many vendors about the excessive length of time it takes to obtain a license reflect the time required for discussions with NSA about a product before an application is formally submitted; the prospect of facing the export control process deters some vendors entirely from creating certain products at all. By contrast, NSA starts the clock only when it receives a formal application, and in fact the usual time between receipt of a formal application and rendering of a decision is relatively short (a few weeks). 
The reason that such a fast turnaround is possible is that by the time the application is received, enough is known about the product involved that processing is routine because there is no need for negotiation about how the product must be changed for a license to be approved. In response to some of these concerns, the U.S. government has undertaken a number of reforms of the export control regime (described in Section 4.1) to reduce the hassle and red tape involved in obtaining export licenses.(36) These reforms are important. Nevertheless, the pace at which new information technology products develop and the increasing complexity of those products will complicate product review efforts in the future. Given relatively fixed staffing, these factors will tend to increase the length of time needed to conduct product reviews at a time when vendors are feeling pressures to develop and market products more rapidly. One particular reform effort that deserves discussion is the "personal use" exemption. For many years, Americans traveling abroad were required under the ITAR to obtain "temporary export licenses" for products with encryption capabilities carried overseas for their personal use.(37) The complexity of the procedure for obtaining such a license was a considerable burden for U.S. businesspeople traveling abroad, and these individuals were subject to significant criminal penalties for an act that was widely recognized to be harmless and well within the intent of the export control regime. In February 1994, the Administration committed itself to promulgating regulations to support a personal-use exemption from the licensing requirement. Two years later, on February 16, 1996, the *Federal Register* contained a notice from the Department of State, Bureau of Political Military Affairs, announcing final rule of an amendment to the International Traffic in Arms Regulation (ITAR) allowing U.S. 
persons to temporarily export cryptographic products for personal use without the need for an export license.(38) Some critics of government policy have objected to the particular formulation of the record-keeping requirement. All parties involved--including senior Administration officials--have agreed that 2 years was far too long a period for promulgation of so simple a rule. ---------- (30) In contrast to a judgment-based approach, a clarity-based approach would start from the premise that regulations and laws should be as clear as possible, so that a party that may be affected knows with a high degree of certainty what is and is not permitted or proscribed. The downside of a clarity-based approach is that affected parties tend to go "right up to the line" of what is prohibited and may seek ways to "design around" any stated limitations. Furthermore, a clarity-based approach would require the specification, in advance, of all acts that are prohibited, even when it may not be possible to define in advance all acts that would be undesirable. (31) For example, critics of the uncertainty engendered by the export regime point out that uncertainty is helpful to policy makers who wish to retain flexibility to modify policy without the work or publicity required for a formal regulatory change. (32) Of course, such considerations obviously apply to software products with cryptographic capabilities that are designed to be shipped in source code; not only can the cryptographic module be easily identified and replaced, but it can also be pulled out and adapted to other purposes. This point was also raised in footnote 11 of this chapter. (33) For example, NSA representatives made comments to this effect at the RSA Data Security Conference in San Francisco, California, in January 1995. 
(34) Although other industries also have to deal with the uncertainties of regulatory approval regarding products and services, the export control process is particularly opaque, because clear decisions and rationales for those decisions are often not forthcoming (and indeed are often classified and/or unrelated to the product per se). (35) Letter from Clyde Bryant, Office of Defense Trade Controls, U.S. Department of State, Washington, D.C., to Daniel Appelman, Heller, Ehrman, White & McAuliffe, dated March 11, 1994. (36) For example, according to NSA, the detailing of an NSA representative to work with the State Department Office of Defense Trade Controls has resulted in a considerable reduction in the time needed to process a license. (37) For a description of how this process worked in practice, see Matt Blaze, *My Life As an International Arms Courier*, e-mail message circulated by Matt Blaze (mab@research.att.com) on January 6, 1995. A news article based on Blaze's story is contained in Peter H. Lewis, "Between a Hacker and a Hard Place: Data-Security Export Law Puts Businesses in a Bind," *New York Times*, April 10, 1995, p. D-1. (38) According to the regulation, the product must not be intended for copying, demonstration, marketing, sale, re-export, or transfer of ownership or control. It must remain in the possession of the exporting person, which includes being locked in a hotel room or safe. While in transit, it must be with the person's accompanying baggage. Exports to certain countries are prohibited--currently Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. The exporter must maintain records of each temporary export for 5 years. See *Federal Register*, Volume 61(33), Friday, February 16, 1996, Public Notice 2294, pp. 6111-6113. 
____________________________________________________________ 4.3.3 The Size of the Affected Market for Cryptography Since export controls on products with encryption capabilities constrain certain aspects of sales abroad, considerable public attention has focused on the size of the market that may have been affected by export controls. Vendors in particular raise the issue of market share with considerable force: + "The only effect of the export controls is to cause economic harm to US software companies that are losing market share in the global cryptography market to companies from the many countries that do not have export controls."(39) + "[The government's current policy on encryption] is anti-competitive. The government's encryption export policy jeopardizes the future of the software industry, one of the fastest growing and most successful industries."(40) The size of the market for products with encryption capabilities cuts across many dimensions of cryptography policy, but since it is raised most often in the context of the export control debate, it is addressed in this section. Plausible arguments can be made that the market ranges from no more than the value of the security-specific products sold annually (i.e., several hundred million dollars per year--a low-end estimate)(41) to the total value of all hardware and software products that might include encryption capabilities (many tens of billions of dollars--a high-end estimate).(42) The committee was unable to determine the size of the information technology market directly affected by export controls on encryption to within a factor of more than 100, a range of uncertainty that renders any estimate of the market quite difficult to use as the basis for a public policy decision. Nevertheless, although it is not large enough to be decisive in the policy debate, the floor of such estimates--a few hundred million dollars per year--is not a trivial sum. 
Furthermore, all trends point to growth in this number, growth that may well be very large and nonlinear in the near future. To the extent that both of these observations are valid, it is only a matter of a relatively short time before even the floor of any estimate will be quite significant in economic terms. The next three subsections describe some of the factors that confound the narrowing of the large range of uncertainty in any estimate of the size of the market affected by export controls. Defining a "Lost Sale" A number of vendors have pointed to specific instances of lost sales as a measure of the harm done to the vendors as the result of export controls on cryptography.(43) National security officials believe that these figures are considerably overstated. Administration officials and congressional staff have expressed considerable frustration in pinning down a reliable estimate of lost sales. It is important to begin with the understanding that the concept of a "lost sale" is intrinsically soft. Trying to define the term "lost sales" raises a number of questions: + What events count as a sale lost because of export restrictions? Several possibilities illustrate the complications: -- A U.S. vendor is invited along with foreign vendors to bid on a foreign project that involves cryptography, but declines because the bid requirements are explicit and the U.S. vendor knows that the necessary export licenses will not be forthcoming on a time scale compatible with the project. -- A U.S. vendor is invited along with foreign vendors to bid on a foreign project that involves cryptography. In order to expedite export licensing, the U.S. vendor offers a bid that involves 40-bit encryption (thus ignoring the bid requirements), and the bid is rejected. -- A U.S. vendor is invited along with foreign vendors to bid on a foreign project that involves cryptography. A foreign vendor emerges as the winner. 
The sale is certainly a lost sale, but since customers often make decisions with a number of reasons in mind and may not inform losing vendors of their reasons, it is difficult to determine the relationship of export controls to the lost sale. -- No U.S. vendor is invited to bid on a foreign project that involves cryptography. In such an instance, the potential foreign customer may have avoided U.S. vendors, recognizing that the cryptography would subject the sale to U.S. export control scrutiny, possibly compromising sensitive information or delaying contract negotiations inordinately. On the other hand, the potential customer may have avoided U.S. vendors for other reasons, e.g., because the price of the U.S. product was too high. + What part of a product's value is represented by the cryptographic functionality that limits a product's sales when export controls apply? As noted in Chapter 2, standalone products with encryption capabilities are qualitatively different from general-purpose products integrated with encryption capabilities. A security-specific stand-alone product provides no other functionality, and so the value of the cryptography is the entire cost of the product. But such sales account for a very small fraction of information technology sales. Most sales of information technology products with encryption capabilities are integrated products. Many word processing and spreadsheet programs may have encryption capabilities, but users do not purchase such programs for those capabilities -- they purchase them to enhance their ability to work with text and numbers. Integrated products intended for use in networked environments (e.g., "groupware") may well have encryption capability, but such products are purchased primarily to serve collaboration needs rather than encryption functions. 
In these instances, it is the cost of the entire integrated product (which may not be exportable if encryption is a necessary but secondary feature) that counts as the value lost. + How does a vendor discover a "lost sale"? In some cases, a specific rejection counts as evidence. But in general there is no systematic way to collect reliable data on the number or value of lost sales. + An often-unnoticed dimension of "lost sales" does not involve product sales at all, but rather services whose delivery may depend on cryptographic protection. For example, a number of U.S. on-line service providers (e.g., America Online, Compuserve, Prodigy) are intending to offer or expand access abroad;(44) the same is true for U.S. providers of telecommunications services.(45) To the extent that maintaining the security of foreign interactions with these service providers depends on the use of strong cryptography, the ability of these companies to provide these services may be compromised by export restrictions and thus sales of service potentially reduced. Latent vs. Actual Demand In considering the size of the market for cryptography, it is important to distinguish between "actual" demand and "latent" demand. + Actual demand reflects what users spend on products with encryption capabilities. While the value of "the market for cryptography" is relatively well defined in the case of stand-alone security-specific products (it is simply the value of all of the sales of such products), it is not well defined when integrated products with encryption capabilities are involved. The reason is that for such products, there is no demand for cryptography per se. 
Rather, users have a need for products that do useful things; cryptography is a feature added by designers to protect users from outside threats to their work, but as a purely defensive capability, cryptography does not so much add functional value for the user as protect against reductions in the value that the user sees in the product. Lotus Notes, for example, would not be a viable product in the communications software market without its encryption capabilities, but users buy it for the group collaboration capabilities that it provides rather than for the encryption per se. + Latent demand (i.e., inherent demand that users do not realize or wish to acknowledge but that surfaces when a product satisfying this demand appears on the market) is even harder to measure or assess. Recent examples include Internet usage and faxes; in these instances, the underlying technology has been available for many years, but only recently have large numbers of people been able to apply these technologies for useful purposes. Lower prices and increasing ease of use, prompted in part by greater demand, have stimulated even more demand. To the extent that there is a latent demand for cryptography, the inclusion of cryptographic features into integrated products might well stimulate a demand for cryptography that grows out of knowledge and practice, out of learning by doing. Determining the extent of latent demand is complicated greatly by the fact that latent demand can be converted into actual demand on a relatively short time scale. Indeed, such growth curves -- very slow growth in use for a while and then a sudden explosion of demand -- characterize many critical mass phenomena: some information technologies (e.g., networks, faxes, telephones) are valuable only if some critical mass of people use them. Once that critical mass is reached, other people begin to use those technologies, and demand takes off. 
Linear extrapolations 5 or 10 years into the future based on 5 or 10 years in the past miss this very nonlinear effect. Of course, it is difficult to predict a surge in demand before it actually occurs. In the case of cryptography, market analysts have been predicting significantly higher demand for many years; today, growth rates are high, but demand for information security products including cryptography is not yet ubiquitous. Two important considerations bearing directly on demand are increasing system complexity and the need for interoperability. Users must be able to count on a high degree of interoperability in the systems and software they purchase if they are to operate smoothly across national boundaries (as described in Chapter 1). Users understand that it is more difficult to make different products interoperate, even if they are provided by the same vendor, than to use a single product. For example, the complexity of a product generally rises as a function of the number of products with which it must interoperate, because a new product must interoperate with already-deployed products. Increased complexity almost always increases vulnerabilities in the system or network that connects those products. In addition, more complex products tend to be more difficult to use and require greater technical skill to maintain and manage; thus, purchasers tend to shy away from such products. This reluctance, in turn, dampens demand, even if the underlying need is still present. From the supply side, vendors feel considerable pressure from users to develop interoperable products. But greater technical skills are needed by vendors to ensure interoperability among different product versions than to design a single product that will be used universally, just as they are for users involved in operation and maintenance of these products. 
Requirements for higher degrees of technical skill translate into smaller talent pools from which vendors can draw and thus fewer products available that can meet purchasers' needs for interoperability. Problems relating to interoperability and system complexity, as well as the size of the installed base, have contributed to the slow pace of demand to date for products with encryption capabilities. Nevertheless, the committee believes it is only a matter of time until a surge occurs, at the same time acknowledging the similarity between this prediction and other previous predictions regarding demand. This belief is based on projections regarding the growth of networked applications(46) and the trends discussed in Chapter 1--increasing demand for all kinds of information technology, increasing geographic dispersion of businesses across international boundaries, increasing diversity of parties wishing/needing to communicate with each other, and increasing diversity in information technology applications and uses in all activities of a business. Further, the committee believes that computer users the world over have approximately the same computing needs as domestic users, and so domestic trends in computing (including demand for more information security) will be reflected abroad, though perhaps later (probably years later but not decades later). Market Development A third issue in assessing the size of the market for cryptography is the extent to which judgments should be made on the basis of today's market conditions (which are known with a higher certainty) rather than markets that may be at risk tomorrow (which are known with a much lower degree of certainty). The market for certain types of software tends to develop in a characteristic manner. 
In particular, the long-term success of infrastructure software (i.e., software that supports fundamental business operations such as operating systems or groupware) depends strongly on the product's market timing; once such software is integrated into the infrastructure of the installing organization, demands for backward-compatibility make it difficult for the organization to install any alternative.(47) In other words, an existing software infrastructure inhibits technological change even if better software might be available. It is for this reason that in some software markets, major advantages accrue to the first provider of a reasonable product. These pressures complicate life for government policy makers who would naturally prefer a more deliberate approach to policy making, because it is only during a small window of time that their decisions are relevant--the sooner they act, the better. The longer they wait, the higher will be the percentage of companies that have already made their technology choices, and these companies will face large changeover costs if policy decisions entail incompatible alternatives to their currently deployed infrastructure. If the initial choices of companies involve putting non-U.S. software in place, U.S. vendors fear that they will have lost huge future market opportunities.(48) ---------- (39) Jim Hassert, *Washington Connections*, Software Publishers Association, Washington, D.C., Chapter 9. Available on-line at http://www.spa.org. (40) Business Software Alliance, *Information and Data Security: The Encryption Update.* Available on-line from http://www.bsa.org. (41) U.S. Department of Commerce and National Security Agency, *A Study of the International Market for Computer Software with Encryption*, prepared for the Interagency Working Group on Encryption and Telecommunications Policy, Office of the Secretary of Commerce, January 11, 1996, p. III-1. 
Note, however, that this report does not arrive at this estimate independently; rather, it cites other estimates made in the private sector. (42) Of course, it is a matter of speculation what fraction of the information technology market (on the order of $193 billion in 1993; see below) might usefully possess encryption capabilities; good arguments can be made to suggest that this fraction is very small or very large. A number of information technology trade organizations have also made estimates. The Software Publishers Association cited a survey by the National Computer Security Association that quoted a figure of $160 million in aggregate known losses in 1993 because of export controls; see "Written Testimony of the Software Publishers Association to the National Research Council," Washington, D.C., July 19, 1995. In 1993, the Business Software Alliance estimated that "approximately $6-9 billion in U.S. company revenues are currently at risk because of the inability of those companies to be able to sell world wide generally available software with encryption capabilities employing DES or other comparable strength algorithms;" see Testimony of Ray Ozzie, president, Iris Associates, on behalf of the Business Software Alliance, "The Impact on America's Software Industry of Current U.S. Government Munitions Export Controls," before the Economic Policy, Trade and Environment Subcommittee, House Committee on Foreign Affairs, Washington, D.C., October 12, 1993. The Computer Systems Policy Project (CSPP) estimated that in 2000, the potential annual revenue exposure for U.S. information technology vendors would range from $3 billion to $6 billion on sales of cryptographic products, including both hardware and software; CSPP also estimated $30 billion to $60 billion in potential revenue exposure on sales of associated computer systems; see The Computer Systems Policy Project, William F. 
Hagerty IV, The Management Advisory Group, *The Growing Need for Cryptography: The Impact of Export Control Policy on U.S. Competitiveness*, Study Highlights (viewgraphs), Bethesda, Maryland, December 15, 1995. The $193 billion figure is taken from Department of Commerce, *U.S. Industrial Outlook 1994*, and includes computers and peripherals ($62.5 billion, p. 26-1), packaged software ($32.0 billion, p. 27-1), information services ($13.6 billion, p. 25-1), data processing and network services ($46.4 billion, p. 25-1), and systems integration/custom programming services ($38.7 billion, p. 25-5). Note that this figure does not include some other industry sectors that could, in principle, be affected by regulations regarding secure communications; in 1993, U.S. companies provided telecommunications services valued at $10.4 billion to foreign nations (p. 29-1) and shipped $17.5 billion (1987 dollars) in telephone equipment worldwide (p. 30-3). (43) For example, in a presentation to the committee on July 19, 1995, the Software Publishers' Association documented several specific instances in which a U.S. company had lost a sale of a product involving cryptography to a foreign firm. These instances included a company that lost one-third of its total revenues because export controls on DES-based encryption prevented sales to a foreign firm; a company that could not sell products with encryption capability to a European company because that company re-sold products to clients other than financial institutions; a U.S. company whose European division estimated at 50 percent the loss of its business among European financial institutions, defense industries, telecommunications companies, and government agencies because of inadequate key sizes; and a U.S. company that lost the sale of a DES-based system to a foreign company with a U.S. subsidiary. 
Software Publishers' Association, "Presentation on Impacts of Export Control on Encryption before the NRC National Cryptography Policy Committee," July 19, 1995. (44) See for example, Kara Swisher, "Old World, New Frontier in Cyberspace," *Washington Post*, December 12, 1995, p. C-1; Victoria Shannon, "U.S. On-Line Services Fall Short on International Reach," *Washington Post*, April 3, 1995, Washington Business, p. 20. For more detail on AOL plans, see Elizabeth Corcoran, "America Online to Offer Access in Europe," *Washington Post*, May 19, 1995, p. F-3. (45) See for example, U.S. Congress, Office of Technology Assessment, *U.S. Telecommunications Services in European Markets*, OTA-TCT-548, U.S. Government Printing Office, Washington, D.C., August 1993. (46) For example, a survey by the International Data Corporation indicated that the installed base of users for work-group applications (involving communications among physically separated users) is expected to grow at a rate of about 74 percent annually between 1993 and 1998. See Ann Palermo and Darby Johnson, Analysts, International Data Corporation, *Workgroup Applications Software: Market Review and Forecast, 1993-1998*, Framingham, Massachusetts, (date). It is true that a considerable amount of remote collaboration is done via e-mail without cryptographic protection, but work-group applications provide much higher degrees of functionality for collaboration because they are specifically designed for that purpose. As these applications become more sophisticated (e.g., as they begin to process large assemblies of entire documents rather than the short messages for which e-mail is best suited), the demand for higher degrees of protection is likely to increase. (47) Many products require backward-compatibility for marketplace acceptance. 
Demands for backward-compatibility even affect products intended for operation in a stand-alone environment -- an institution with 2 million spreadsheet files is unlikely to be willing to switch to a product that is incompatible with that existing database unless the product provides reasonable translation facilities for migrating to the new product. Network components are even harder to change, because stations on a network must interoperate. For example, most corporate networks have servers deployed with workstations that communicate with those servers. Any change to the software for the servers must not render it impossible for those workstations to work smoothly with the upgrade. (48) The deployment of Lotus Notes provides a good example. Lotus marketing data suggests fairly consistently that once Notes achieves a penetration of about 200 users in a given company, an explosion of demand follows, and growth occurs until Notes is deployed company-wide. ____________________________________________________________ 4.3.4 Inhibiting Vendor Responses to User Needs In today's marketing environment, volume sales (licensing) to large corporate or government customers, rather than purchases by individuals, tend to drive sales of business software products.(49) Since corporate customers have large leverage in the marketplace (because one purchasing decision can result in thousands of product sales to a single corporation), major software vendors are much more responsive to the needs of corporate users. Of particular relevance to the export control debate are three perceptions of corporate users: + Corporate users do not see that different levels of encryption strength (as indicated, for example, by the key length of foreign and domestic versions of a product) provide differential advantages. 
Put differently, the market reality is that users perceive domestic-strength versions as the standard and liberally exportable versions of cryptography as weak, rather than seeing liberally exportable versions of cryptography as the standard and domestic-strength versions as stronger. + Corporate users weigh all features of a product in deciding whether or not to buy it. Thus, the absence of a feature such as strong encryption that is desired but not easily available because of U.S. export controls counts as a distinct disadvantage for a U.S. product. Although other features may help to compensate for this deficiency, the deficiency may pose enough of a barrier to a product's acceptance abroad that sales are significantly reduced. + Corporate users see cryptographic strength as an important parameter in their assessments of the information security that products offer. It is true that cryptography is only one dimension of information security, that export controls do not affect certain approaches to increasing overall information security, and that vendors often do not address these other approaches. But cryptography is a visible aspect of the information security problem, and vendors feel an obligation to respond to market perceptions even if these perceptions may not be fully justified by an underlying technical reality. Moreover, many of the information security measures that do not involve export controls are more difficult and costly than cryptography to implement, and so it is natural for vendors to focus their concerns on export controls on cryptography. U.S. vendors that are unable to respond in a satisfactory manner to these perceptions have a natural disadvantage in competing against vendors that are able to respond. ---------- (49) The Department of Commerce noted that "civil use of software-based encryption will significantly increase in the next five years, with corporate customers dominating this new marketplace." See U.S. 
Department of Commerce and National Security Agency, *A Study of the International Market for Computer Software with Encryption*, prepared for the Interagency Working Group on Encryption and Telecommunications Policy, Office of the Secretary of Commerce, January 11, 1996, p. 111-2. ____________________________________________________________ 4.4 THE IMPACT OF EXPORT CONTROLS ON U.S. ECONOMIC AND NATIONAL SECURITY INTERESTS By affecting U.S. industries abroad that might use cryptography to protect their information interests and U.S. vendors of a critical technology (namely, information technology), export controls have a number of potentially negative effects on national security that policy makers must weigh against the positive effects of reducing the use of cryptography by hostile parties. 4.4.1 Direct Economic Harm to U.S. Businesses While acknowledging economic benefits to U.S. business from signals intelligence (as described in Chapter 3), the committee notes that protection of the information interests of U.S. industries is also a dimension of national security, especially when the threats emanate from foreign sources. If the potential value of proprietary information is factored into the debate over export controls, it dominates all other figures of merit. A figure of $280 billion to $560 billion was placed by the Computer Systems Policy Project on the value of future revenue opportunities as the result of electronic distribution and commerce and future opportunities to reengineer business processes by 2000.(50) Opponents of export controls on cryptography argue that if electronic channels and information systems are perceived to be vulnerable, businesses may well be discouraged from exploiting these opportunities, thereby placing enormous potential revenues at risk. 
On the other hand, it is essentially impossible to ascertain with any degree of confidence what fraction of proprietary information would be at risk in any practical sense if businesses did move to exploit these opportunities. Current estimates of industrial and economic espionage provide little guidance. The most authoritative publication on the subject to date, the *Annual Report to Congress on Foreign Economic Collection and Industrial Espionage*,(51) noted that [i]n today's world in which a country's power and stature are often measured by its economic/industrial capability, foreign government ministries--such as those dealing with finance and trade--and major industrial sectors are increasingly looked upon to play a more prominent role in their respective country's collection efforts.... An economic competitor steals a US company's proprietary business information or government trade strategies, [and] foreign companies and commercially oriented government ministries are the main beneficiaries of US economic information. The aggregate losses that can mount as a result of such efforts can reach billions of dollars per year, constituting a serious national security concern. The report went on to say that "[t]here is no formal mechanism for determining the full qualitative and quantitative scope and impact of the loss of this targeted information. Industry victims have reported the loss of hundreds of millions of dollars, lost jobs, and lost market share." Thus, even this report, backed by all of the counterintelligence efforts of the U.S. government, is unable to render a definitive estimate to within an order of magnitude. 
Of course, it may well be that these estimates of loss are low, because companies are reluctant to publicize occurrences of foreign economic and industrial espionage as such publicity can adversely affect stock values, customers' confidence, and ultimately competitiveness and market share, or also because clandestine theft of information may not be detected. Furthermore, because all business trends point to greater volumes of electronically stored and communicated information in the future, it is clear that the potential for information compromises will grow--the value of information that could be compromised through electronic channels is only going to increase. ---------- (50) William F. Hagerty IV, The Management Advisory Group, Computer Systems Policy Project, *The Growing Need for Cryptography: The Impact of Export Control Policy on U.S. Competitiveness*, Study Highlights (viewgraphs), Bethesda, Maryland, December 15, 1995. (51) National Counterintelligence Center, *Annual Report to Congress on Foreign Economic Collection and Industrial Espionage*, Washington, D.C., July 1995. ____________________________________________________________ 4.4.2 Damage to U.S. Leadership in Information Technology The strength of the U.S. information technology industry has been taken as a given for the past few decades. But as knowledge and capital essential to the creation of a strong information technology industry become more available around the world, such strength can no longer be taken for granted.(52) If and when foreign products become widely deployed and well integrated into the computing and communications infrastructure of foreign nations, even better versions of U.S. products will be unable to achieve significant market penetration. One example of such a phenomenon may be the growing interest in the United States in personal communications systems based on GSM, the European standard for digital cellular voice communications. 
Further, as the example of Microsoft vis-a-vis IBM in the 1980s demonstrated, industry dominance once lost is quite difficult to recover in rapidly changing fields. The development of foreign competitors in the information technology industry could have a number of disadvantageous consequences from the standpoint of U.S. national security interests: + Foreign vendors, by assumption, will be more responsive to their own national governments than to the U.S. government. To the extent that foreign governments pursue objectives involving cryptography that are different from those of the United States, U.S. interests may be adversely affected. Specifically, foreign vendors could be influenced by their governments to offer for sale to U.S. firms products with weak or poorly implemented cryptography. If these vendors were to gain significant market share, the information security of U.S. firms could be adversely affected. Furthermore, the United States is likely to have less influence and control over shipments of products with encryption capabilities between foreign nations than it has over similar U.S. products that might be shipped abroad; indeed, many foreign nations are perfectly willing to ship products (e.g., missile parts, nuclear reactor technology) to certain nations in contravention to U.S. or even their own interests. In the long run, the United States may have even less control over the products with encryption capabilities that wind up on the market than it would have if it promulgated a more moderate export control regime. + Detailed information about the workings of foreign products with encryption capabilities is much less likely to be available to the U.S. government than comparable information about similar U.S. products that are exported. Indeed, as part of the export control administration process, U.S. products with encryption capabilities intended for export are examined thoroughly by the U.S. 
government; as a result, large amounts of information about U.S. products with encryption capabilities are available to it.(53) Export controls on cryptography are not the only factor influencing the future position of U.S. information technology vendors in the world market. Yet, the committee believes that these controls do pose a risk to their future position that cannot be ignored, and that relaxation of controls will help to ensure that U.S. vendors are able to compete with foreign vendors on a more equal footing. ---------- (52) Obviously, it is impossible to predict with certainty whether export controls will stimulate the growth of significant foreign competition for U.S. information technology vendors. But the historical evidence suggests some reason for concern. For example, a 1991 report (National Research Council, *Finding Common Ground: U.S. Export Controls in a Changed Global Environment*, National Academy Press, 1991) found that "unilateral embargoes on exports [of technologies for commercial aircraft and jet engines] to numerous countries not only make sales impossible but actually encourage foreign competitors to develop relationships with the airlines of the embargoed countries. By the time the U.S. controls are lifted, those foreign competitors may have established a competitive advantage" (page 22). The same report also found that for computer technology, "marginal supplier disadvantages can lead to significant losses in market position, and it is just such marginal disadvantages that can be introduced by export controls" (page 23). An earlier study (Charles Ferguson, "High Technology Product Life Cycles, Export Controls, and International Markets," in *Working Papers* of the National Research Council report *Balancing the National Interest, U.S. 
National Security Export Controls and Global Economic Competition*, National Academy Press, 1987), pointed out that the emergence of strong foreign competition in a number of high-technology areas appeared in close temporal proximity to the enforcement of strong export controls in these areas for U.S. vendors. While the correlation does not prove that export controls necessarily influenced or stimulated the growth of foreign competition, the history suggests that they may have had some causal relationship. In the financial arena (not subject to export controls), U.S. financial controls associated with the Trading-with-the-Enemy Act may have led to the rise of the Eurodollar market, a set of foreign financial institutions, markets, and instruments that eroded the monopoly held on dollar-denominated instruments and dollar-dominated institutions by U.S. firms. The likelihood of foreign competition being stimulated for cryptography may be larger than suggested by some of these examples, because at least in the software domain, product development and distribution are less capital-intensive than in traditional manufacturing industries; lower capital intensity would mean that competitors would be more likely to emerge. Finally, while it is true that some foreign nations also impose export controls on cryptography, those controls tend to be less stringent than those of the United States as discussed in Appendix G. In particular, it is more difficult to export encryption from the United States to the United Kingdom than the reverse, and the U.S. market is an important market for foreign vendors. Further, it takes only one nation with weak or nonexistent controls to spawn a competitor in an industry such as software. (53) For example, U.S. vendors are more likely than foreign vendors to reveal source code of a program to the U.S. government (for purposes of obtaining export licenses). 
While it is true that the object code of a software product can be decompiled, decompiled object code is always much more difficult to understand than the original source code that corresponds to it. _____________________________________________________________ 4.5 THE MISMATCH BETWEEN THE PERCEPTIONS OF GOVERNMENT/NATIONAL SECURITY AND THOSE OF VENDORS As the committee proceeded in its study, it observed what can only be called a disconnect between the perceptions of the national security authorities that administer the export control regulations on cryptography and the vendors that are affected by it. This disconnect was apparent in a number of areas: + National security authorities asserted that export controls did not injure the interests of U.S. vendors in the foreign sales of products with encryption capabilities. U.S. vendors asserted that export controls had a significant negative effect on their foreign sales. + National security authorities asserted that nearly all export license applications for a product with encryption capabilities are approved. Vendors told the committee that they refrained from submitting products for approval because they had been told on the basis of preliminary discussions that their products would not be approved for export. + National security authorities presented data showing that the turnaround time for license decisions had been dramatically shortened (to a matter of days or a few weeks at most). Vendors noted that these data took into account only the time from the date of formal submission of an application to the date of decision, and did not take into account the much greater length of time required to negotiate product changes that would be necessary to receive approval. (See Section 4.3.2 for more discussion.) + National security authorities asserted that they wished to promote good information security for U.S. 
companies, pointing out the current practice described in Section 4.1.2 that presumes the granting of USML licenses for stronger cryptography to U.S.-controlled companies and banking and financial institutions. Vendors pointed to actions taken by these authorities to weaken the cryptographic security available for use abroad, even in business ventures in which U.S. firms had substantial interests. Potential users often told the committee that even under presumptive approval, licenses were not forthcoming, and that for practical purposes, these noncodified categories were not useful. + National security authorities asserted that they took into account foreign competition and the supply of products with encryption capabilities when making decisions on export licenses for U.S. products with encryption capabilities. Vendors repeatedly pointed to a substantial supply of foreign products with encryption capabilities. + National security authorities asserted that they wished to maintain the worldwide strength and position of the U.S. information technology industry. Vendors argued that when they are prevented from exploiting their strengths--such as being the first to develop integrated products with strong encryption capabilities--their advantages are in fact being eroded. The committee believes that to some extent, these differences can be explained as the result of rhetoric by parties intending to score points in a political debate. But the differences are not merely superficial; they reflect significantly different institutional perspectives. For example, when national security authorities "take into account foreign supplies of cryptography," they focus naturally on what is available at the time the decision is being made. On the other hand, vendors are naturally concerned about incorporating features that will give their products a competitive edge, even if no exactly comparable foreign products with cryptography are available at the moment. 
Thus, different parties focus on different areas of concern--national security authorities on the capabilities available today, and vendors on the capabilities that might well be available tomorrow. NSA perceptions of vendors and users of cryptography may well be clouded by an unwillingness to speak publicly about the full extent of vendor and user unhappiness with the current state of affairs. National security authorities asserted that their working relationships with vendors of products with encryption capabilities are relatively harmonious. Vendors contended that since they are effectively at the mercy of the export control regulators, they have considerable incentive to suppress any public expression of dissatisfaction with the current process. A lack (or small degree) of vendor outcry against the cryptography export control regime cannot be taken as vendor support for it. More specifically, the committee received input from a number of private firms on the explicit condition of confidentiality. For example: + Companies with interests in cryptography affected by export control were reluctant to express fully their dissatisfaction with the current rules governing export of products with encryption capabilities or how these rules were actually implemented in practice. They were concerned that any explicit connection between critical comments and their company might result in unfavorable treatment of a future application for an export license for one of their products. + Companies that had significant dealings with the Department of Defense were reluctant to express fully their unhappiness with policy that strongly promoted classified encryption algorithms and government-controlled key-escrow schemes. These companies were concerned that expressing their unhappiness fully might result in unfavorable treatment in competing for future DOD business. 
Many companies have expressed dissatisfaction publicly, although a very small number of firms did express to the committee their relative comfort with the way in which the current export control regime is managed. The committee did not conduct a systematic survey of all firms affected by export regulations, and it is impossible to infer the position of a company that has not provided input on the matter.(54) ---------- (54) The Department of Commerce study is the most systematic attempt to date to solicit vendors' input on how they have been affected by export controls, and the solicitation received a much smaller response than expected. See U.S. Department of Commerce and National Security Agency, *A Study of the International Market for Computer Software with Encryption*, prepared for the Interagency Working Group on Encryption and Telecommunications Policy, Office of the Secretary of Commerce, January 11, 1996. ____________________________________________________________ 4.6 EXPORT OF TECHNICAL DATA The rules regarding "technical data" are particularly difficult to understand. A cryptographic algorithm (if described in a manner that is not machine-executable) is counted as technical data, whereas the same algorithm if described in machine-readable form (i.e., source or object code) counts as a product. Legally, the ITAR regulate products with encryption capabilities differently than technical data related to cryptography, although the differences are relatively small in nature. For example, technical data related to cryptography enjoys an explicit exemption when distributed to U.S.-controlled foreign companies, whereas products with encryption capabilities are in principle subject to a case-by-case review in such instances (although in practice, licenses for products with encryption capabilities under such circumstances are routinely granted). 
Private citizens and academic institutions and vendors are often unclear about the legality of actions such as: + Discussing cryptography with a foreign citizen in the room; + Giving away software with encryption capabilities over the Internet (see Section 4.8); + Shipping products with encryption capabilities to a foreign company within the United States that is controlled but not owned by a U.S. company; + Selling a U.S. company that makes products with strong encryption capabilities to a foreign company; + Selling products with encryption capabilities to foreign citizens on U.S. soil; + Teaching a course on cryptography that involves foreign graduate students; + Allowing foreign citizens residing in the United States to work on the source code of a product that uses embedded cryptography.(55) Box 4.11 provides excerpts from the only document known to the committee that describes the U.S. government explanation of the regulations on technical data related to cryptography. In practice, these and other similar issues regarding technical data do not generally pose problems because these laws are for the most part difficult to enforce and in fact are not generally enforced. Nevertheless, the vagueness and broad nature of the regulations may well put people in jeopardy unknowingly.(56) ---------- (55) For example, one vendor argues that because foreign citizens hired by U.S. companies bring noncontrolled knowledge back to their home countries anyway, the export control regulations on technical data make little sense as a technique for limiting the spread of knowledge. 
In addition, other vendors note that in practice the export control regulations on technical data have a much more severe impact on the employees that they may hire than on academia, which is protected at least to some extent by presumptions of academic freedom. (56) A suit filed in February 1995 seeks to bar the government from restricting publication of cryptographic documents and software through the use of the export control laws. The plaintiff in the suit is Dan Bernstein, a graduate student in mathematics at the University of California at Berkeley. Bernstein developed an encryption algorithm that he wishes to publish and to implement in a computer program intended for distribution, and he wants to discuss the algorithm and program at open, public meetings. Under the current export control laws, any individual or company that exports unlicensed encryption software may be in violation of the export control laws that forbid the unlicensed export of defense articles, and any individual that discusses the mathematics of cryptographic algorithms may be in violation of the export control laws that forbid the unlicensed export of "technical data." The lawsuit argues that the export control scheme as applied to encryption software is an "impermissible prior restraint on speech, in violation of the First Amendment" and that the current export control laws are vague and overbroad in denying people the right to speak about and publish information about cryptography freely. A decision by the Northern District Court of California on April 15, 1996, by Judge Marilyn Patel, denied the government's motion to dismiss this suit, and found that for the purposes of First Amendment analysis, source code should be treated as speech. The outcome of this suit is unknown at the time of this writing (spring 1996). The full text of this decision and other related documents can be found at http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/Legal/. 
The constitutionality of export controls on technical data has not been determined by the U.S. Supreme Court. A ruling by the U.S. Ninth Circuit Court of Appeals held that the ITAR, when construed as "prohibiting only the exportation of technical data significantly and directly related to specific articles on the Munitions List, do not interfere with constitutionally protected speech, are not overbroad and the licensing provisions of the Act are not an unconstitutional prior restraint on speech." (See 579 F.2d 516, U.S. vs. Edler, United States Court of Appeals, Ninth Circuit, July 31, 1978.) Another suit filed by Philip Karn directly challenging the constitutionality of the ITAR was dismissed by the U.S. District Court for the District of Columbia on March 22, 1996. (The issue at hand was the fact that Karn had been denied CCL jurisdiction for a set of floppy diskettes containing source code for cryptographic confidentiality identical to that contained in Schneier's book (which had received CCL jurisdiction). See http://www.qualcomm.com/people/pkarn/export/index.html for the running story (Karn is appealing this decision); this Web page also contains the District Court's opinion on this lawsuit.) Some scholars argue to the contrary that export controls on technical data may indeed present First Amendment problems, especially if these controls are construed in such a way that they inhibit academic discussions of cryptography with foreign nationals or prevent academic conferences on cryptography held in the United States from inviting foreign nationals. See, for example, Allen M. Shinn, Jr., "First Amendment and Export Laws: Free Speech on Scientific and Technical Matters," *The George Washington Law Review*, January 1990, pp. 368-403, and Kenneth J. Pierce, "Public Cryptography, Arms Export Controls, and the First Amendment: A Need for Legislation," *Cornell International Law Journal*, Volume 17(19), pp. 197-237. 
____________________________________________________________ 4.7 FOREIGN POLICY CONSIDERATIONS A common perception within the vendor community is that the National Security Agency is the sole "power behind the scenes" for enforcing the export control regime for cryptography. While NSA is indeed responsible for making judgments about the national security impact of exporting products with encryption capabilities, it is by no means the only player in the export license application process. The Department of State plays a role in the export control process that is quite important. For example, makers of foreign policy in the U.S. government use economic sanctions as a tool for expressing U.S. concern and displeasure with the actions of other nations; such sanctions most often involve trade embargoes of various types. Violations of human rights by a particular nation, for example, represent a common issue that can trigger a move for sanctions. Such sanctions are sometimes based on presidential determinations (e.g., that the human rights record of country X is not acceptable to the United States) undertaken in accordance with law; in other cases, sanctions against specific nations are determined directly by congressional legislation; in still other cases, sanctions are based entirely on the discretionary authority of the President. The imposition of sanctions is often the result of congressional action that drastically limits the discretionary authority of the State Department. In such a context, U.S. munitions or articles of war destined for particular offending nations (or to the companies in such nations) are the most politically sensitive, and in practice the items on the USML are the ones most likely to be denied to the offending nations. In all such cases, the State Department must determine whether a particular item on the USML should or should not qualify for a USML license. 
A specific example of such an action given to the committee in testimony involved the export of cryptography by a U.S. bank for use in a branch located in the People's Republic of China. Because of China's human rights record, the Department of State delayed the export, and the contract was lost to a Swiss firm. The sale of cryptographic tools that are intended to protect the interests of a U.S. company operating in a foreign nation was subject to a foreign policy stance that regarded such a sale as equivalent to supplying munitions to that nation. Thus, even when NSA has been willing to grant an export license for a given cryptography product, the State Department has sometimes denied a license because cryptography is on the USML. In such cases, NSA takes the blame for a negative decision, even when it had nothing to do with it. Critics of the present export control regime have made the argument that cryptography, as an item on the USML that is truly dual-use, should not necessarily be included in such sanctions. Such an argument has some intellectual merit, but under current regulations it is impossible to separate cryptography from the other items on the USML. 4.8 TECHNOLOGY-POLICY MISMATCHES Two cases are often cited in the cryptography community as examples of the mismatch between the current export control regime and the current state of cryptographic technology (Box 4.12). Moreover, they are often used as evidence that the government is harassing innocent law-abiding citizens. Taken by themselves and viewed from the outside, both of the cases outlined in Box 4.12 suggest an approach to national security with evident weaknesses. In the first instance, accepting the premise that programs for cryptography cannot appear on the Internet because a foreigner might download them seems to challenge directly the use of the Internet as a forum for exchanging information freely even within the United States. 
Under such logic (claim the critics), international telephone calls would also have to be shut down because a U.S. person might discuss cryptography with a foreign national on the telephone. In the second instance, the information contained in the book (exportable) is identical to that on the disk (not exportable). Since it is the information about cryptography that is technically at issue (the export control regulations make no mention of the medium in which that information is represented), it is hard to see why one would be exportable and the other not. On the other hand, taking the basic assumptions of the national security perspective as a given, the decisions have a certain logic that is not only the logic of selective prosecution or enforcement. + In the case of Zimmermann, the real national security issue is not the program itself, but rather the fact that a significant PGP user base may be developing. Two copies of a good encryption program distributed abroad pose no plausible threat to national security. But 20 million copies might well pose a threat. However, the export control regulations as written do not mention potential or actual size of the user base, and so the only remaining leverage is the broad language that brings cryptography under the export control laws. + In the case of Schneier, the real national security issue relates to the nature of any scheme intended to deny capabilities to an adversary. Typing the book's source code into the computer is an additional step that an adversary must take to implement a cryptography program and a step at which an adversary could make additional errors. No approach to denial can depend on a single "silver bullet"; instead, denial rests on the erection of multiple barriers, all of which taken together are expected to result in at least a partial denial of a certain capability. 
Moreover, if one begins from the premise that export controls on software encryption represent appropriate national policy, it is clear that allowing the export of the source code to Schneier's book would set a precedent that would make it very difficult to deny permission for the export of other similar software products with encryption capabilities. Finally, the decision is consistent with a history of commodity jurisdiction decisions that generally maintains USML controls on the source code of a product whose object code implementation of confidentiality has been granted commodity jurisdiction to the CCL. These comments are not intended to excoriate or defend the national security analysis of these cases. But the controversy over these cases does suggest quite strongly that the traditional national security paradigm of export controls on cryptography (one that is biased toward denial rather than approval) is stretched greatly by current technology. Put differently, when the export control regime is pushed to an extreme, it appears to be manifestly ridiculous. 4.9 RECAP Current export controls on products with encryption capabilities are a compromise between (1) the needs of national security to conduct signals intelligence and (2) the needs of U.S. and foreign businesses operating abroad to protect information and the needs of U.S. information technology vendors to remain competitive in markets involving products with encryption capabilities that might meet these needs. These controls have helped to delay the spread of strong cryptographic capabilities and use of those capabilities throughout the world, to impede the development of standards for cryptography that would facilitate such a spread, and to give the U.S. government a tool for monitoring and influencing the commercial development of cryptography. Export controls have clearly been effective in limiting the foreign availability of products with strong encryption capabilities made by U.S. 
manufacturers, although enforcement of export controls on certain products with encryption capabilities appears to have created many public relations difficulties for the U.S. government, and circumventions of the current regulations appear possible. The dollar cost of limiting the availability of cryptography abroad is hard to estimate with any kind of confidence, since even the definition of what counts as a cost is quite fuzzy. At the same time, a floor of a few hundred million dollars per year for the market affected by export controls on encryption seems plausible, and all indications are that this figure will only grow in the future. A second consideration is the possibility that export controls on products with encryption capabilities may well have a negative impact on U.S. national security interests by stimulating the growth of important foreign competitors over which the U.S. government has less influence, and possibly by damaging U.S. competitive advantages in the use and development of information technology. In addition, the export control regime is clouded by uncertainty from the vendor standpoint, and there is a profound mismatch between the perceptions of government/national security and those of vendors on the impact of the export control regime. Moreover, even when a given product with encryption capabilities may be acceptable for export on national security grounds, nonnational security considerations may play a role in licensing decisions. Partly in response to expressed concerns about export controls, the export regime has been gradually loosened since 1983. This relaxation raises the obvious question of how much farther and in what directions such loosening could go without significant damage to national security interests. This subject is addressed in Chapter 7. ____________________________________________________________ BOX 4.1 Enforcing Compliance with End-Use Agreements In general, a U.S. Munitions List (USML) license is granted to a U.S. 
exporter for the shipping of a product, technical data, or service covered by the USML to a particular foreign recipient for a set of specified end uses and subject to a number of conditions (e.g., restrictions on reexport to another nation, nontransfer to a third party). The full range of ITAR sanctions is available against the U.S. exporter and the foreign recipient outside the United States. The ITAR specify that as a condition of receiving a USML license, the U.S. exporter must include in the contract with the foreign recipient language that binds the recipient to abide by all appropriate end-use restrictions. Furthermore, the U.S. exporter that does not take reasonable steps to enforce the contract is subject to ITAR criminal and civil sanctions. But how can end-use restrictions be enforced for a foreign recipient? A number of sanctions are available to enforce the compliance of foreign recipients of USML items exported from the United States. The primary sanctions available are the criminal and civil liabilities established by the Arms Export Control Act (AECA); the foreign recipient can face civil and/or criminal charges in U.S. federal courts for violating the AECA. Although different U.S. courts have different views on extraterritoriality claims asserted for U.S. law, a criminal conviction or a successful civil lawsuit could result in the imposition of criminal penalties on individuals involved and/or seizure of any U.S. assets of the foreign recipient. (When there are no U.S. assets, recovering fines or damages can be highly problematic, although some international agreements and treaties provide for cooperation in such cases.) Whether an individual could be forced to return to the United States for incarceration would depend on the existence of an appropriate extradition treaty between the United States and the foreign nation to whose jurisdiction the individual is subject.
A second avenue of enforcement is that the foreign recipient found to be in violation can be denied all further exports from the United States. In addition, the foreign violator can be denied permission to compete for contracts with the U.S. government. From time to time, proposals are made to apply sanctions against violators that would deny privileges for them to export products to the United States, though such proposals often create political controversy. A third mechanism of enforcement may proceed through diplomatic channels. Depending on the nation to whose jurisdiction the foreign recipient is subject, the U.S. government may well approach the government of that nation to seek its assistance in persuading or forcing the recipient to abide by the relevant end-use restrictions. A fourth mechanism of enforcement is the sales contract between the U.S. exporter and the foreign recipient, which provides a mechanism for civil action against the foreign recipient. A foreign buyer who violates the end-use restrictions is in breach of contract with the U.S. exporter, who may then sue for damages incurred by the U.S. company. Depending on the language of the contract, the suit may be carried out in U.S. or foreign courts; alternatively, the firms may submit to binding arbitration. The operation of these enforcement mechanisms can be cumbersome, uncertain, and slow. But they exist, and they are used. Thus, while some analysts believe that they do not provide sufficient protection for U.S. national security interests, others defend them as a reasonable but not perfect attempt at defending those interests. ____________________________________________________________ BOX 4.2 Licensing Relaxations on Cryptography: A Short History Prior to 1983, all cryptography exports required individual license from the State Department. Since then, a number of changes have been proposed and mostly implemented. 
Year   Change
_____________________________________________________________
1983   Distribution licenses established allowing exports to multiple users under a single license
1987   Nonconfidentiality products moved to Department of Commerce (DOC) on a case-by-case basis
1990   ITAR amended -- all nonconfidentiality products under DOC jurisdiction
1990   Mass-market general-purpose software with encryption for confidentiality moved to DOC on case-by-case basis
1992   Software Publishers Association agreement providing for 40-bit RC2/RC4-based products under DOC jurisdiction
1993   Mass-market hardware products with encryption capabilities moved to DOC on case-by-case basis
1994   Reforms to expedite license processing at Department of State
1995   Proposal to move to DOC software products with 64-bit cryptography for confidentiality with "properly escrowed" keys
1996   "Personal use" exemption finalized
__________
SOURCE: National Security Agency.
____________________________________________________________
BOX 4.3 Important Differences Between the U.S. Munitions List and the Commodity Control List
____________________________________________________________
For Items on U.S. Munitions List (USML) / For Items of Commerce Control List (CCL)
____________________________________________________________
USML: Department of State has broad leeway to take national security considerations into account in licensing decisions; indeed, national security and foreign policy considerations are the driving force behind the Arms Export Control Act.
CCL: Department of Commerce may limit exports only to the extent that they would make "a significant contribution to the military potential of any other country which would prove detrimental to the national security of the United States." or "where necessary to further significantly the foreign policy of the United States." The history of the Export Administration Act strongly suggests that its national security purpose is to deny dual-use items to countries of Communist Bloc nations, nations of concern with respect to proliferation of weapons of mass destruction, and other rogue nations.

USML: Items are included on the USML if the item is "inherently military in character"; the end use is irrelevant in such a determination. Broad categories of product are included.
CCL: Performance parameters rather than broad categories define included items.

USML: Decisions about export can take as long as necessary.
CCL: Decisions about export must be completed within 120 days.

USML: Export licenses can be denied on very general grounds (e.g., the export would be against the U.S. national interest).
CCL: Export licenses can be denied only on very specific grounds (e.g., high likelihood of diversion to proscribed nations).

USML: Individually validated licenses are generally required, although distribution and bulk licenses are possible (see Note 1 below).
CCL: General licenses are often issued, although general licenses do not convey blanket authority for export (see Note 2 below).

USML: Prior government approval is needed for export.
CCL: Prior government approval is generally not needed for export.

USML: Licensing decisions are not subject to judicial review.
CCL: Licensing decisions are subject to judicial review by a federal judge or an administrative law judge.

USML: Foreign availability may or may not be a consideration in granting a license at the discretion of the State Department.
CCL: Foreign availability of items that are substantially equivalent is, by law, a consideration in a licensing decision.

USML: Items included on the USML are not subject to periodic review.
CCL: Items included on the CCL must be reviewed periodically.

USML: A Shipper's Export Declaration (SED) is required in all instances.
CCL: An SED may be required, unless exemption from the requirement is granted under the Export Administration Regulations.
____________________________________________________________
Note 1: Bulk licenses authorize multiple shipments without requiring individual approval. Distribution licenses authorize multiple shipments to a foreign distributor. In each case, record-keeping requirements are imposed on the vendor. In practice, a distribution license shifts the burden of export restrictions from vendor to distributor. Under a distribution license, enforcement of restrictions on end use and on destination nations and post-shipment record-keeping requirements are the responsibility of the distributor; vendors need not seek an individual license for each specific shipment.

Note 2: Even if an item is controlled by the CCL, U.S. exporters are not allowed to ship such items if the exporter knows that it will be used directly in the production of weapons of mass destruction or ballistic missiles by a certain group of nations. Moreover, U.S. exports from the CCL are prohibited entirely to companies and individuals on a list of "Specially Designated Nationals" designated as agents of Cuba, Libya, Iraq, North Korea, or Yugoslavia or to a list of companies and individuals on the Bureau of Export Administration's Table of Denial Orders (including some located in the United States and Europe).
____________________________________________________________
BOX 4.4 Categorical Exceptions on the USML for Products Incorporating Cryptography and Informal Practices Governing Licensing

Categorical Exemptions

The ITAR provide for a number of categorical exemptions, including:

+ Mass-market software products that use 40-bit key lengths with the RC2 or RC4 algorithm for confidentiality. (See Note 1 below.)
+ Products with encryption capabilities for confidentiality (of any strength) that are specifically intended for use only in banking or money transactions. Products in this category may have encryption of arbitrary strength.
+ Products that are limited in cryptographic functionality to providing capabilities for user authentication, access control, and data integrity. Products in these categories are automatically granted commodity jurisdiction to the Commerce Control List (CCL). Informal Noncodified Exemptions The current export control regime provides for an individual case-by-case review of USML licensing applications for products that do not fall under the jurisdiction of the CCL. Under current practice, certain categories of firm will generally be granted a USML license through the individual review process to acquire and export for its own use products with encryption capabilities stronger than that provided by 40-bit RC2/RC4 encryption (see Note 2 below): + A U.S.-controlled firm (i.e., a U.S. firm operating abroad, a U.S.-controlled foreign firm, or a foreign subsidiary of a U.S. firm); + Banks and financial institutions (including stock brokerages and insurance companies), whether U.S.-controlled or owned or foreign-owned, if the products involved are intended for use in internal communications and communications with other banks even if these communications are not limited strictly to banking or money transactions. ---------- Note 1: The RC2 and RC4 algorithms are symmetric-key encryption algorithms developed by RSA Data Security Inc. (RSADSI). They are both proprietary algorithms, and manufacturers of products using these algorithms must enter into a licensing arrangement with RSADSI. RC2 and RC4 are also trademarks owned by RSADSI, although both algorithms have appeared on the Internet. A product with capabilities for confidentiality will be automatically granted commodity jurisdiction to the CCL if it meets a certain set of requirements the most important of which are the following: a. The software includes encryption for data confidentiality and uses the RC4 and/or RC2 algorithms with a key space of 40 bits. b. 
If both RC4 and RC2 are used in the same software, their functionality must be separate; that is, no data can be operated on by both routines. c. The software must not allow the alteration of the data encryption mechanism and its associated key spaces by the user or by any other program. d. The key exchange used in the data encryption must be based on either a public-key algorithm with a key space less than or equal to a 512-bit modulus and/or a symmetrical algorithm with a key space less than or equal to 64 bits. e. The software must not allow the alteration of the key management mechanism and its associated key space by the user or any other program. To ensure that the software has properly implemented the approved encryption algorithm(s), the State Department requires that the product pass a "vector test," in which the vendor receives test data (the vector) and a random key from the State Department, encrypts the vector with the product using the key provided, and returns the result to the State Department; if the product-computed result is identical to the known correct answer, the product automatically qualifies for jurisdiction under the CCL. Note that the specific technical requirements described in this footnote are not contained in the *Federal Register*; rather, they were described in a State Department document whose change is not subject to an official procedure for public comment. (These conditions were first published in "Defense Trade News," Volume 3(4), October 1992, pages 11-15. "Defense Trade News" is a newsletter published by the Office of Defense Trade Controls at the Department of State.) Note 2: How much stronger than 40-bit RC2/RC4 is unspecified. Products incorporating the 56-bit DES algorithm are often approved for these informal exemptions, and at times even products using larger key sizes have been approved. But the key size is not unlimited, as may be the case under the explicit categorical exemptions specified in the ITAR. 
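The "vector test" described in Note 1 is a known-answer test. The following is an added sketch, not the State Department's procedure or any vendor's code: the function names, the 64-byte vector length, and the deliberately defective `rc4_drops_first_byte` product are assumptions made for illustration, and the three published vectors are widely circulated RC4 test values.

```python
"""Known-answer ("vector") test for an RC4 implementation. Added illustration."""
import hmac
import secrets
from dataclasses import dataclass

# Widely published RC4 test values: (key, plaintext, ciphertext in hex).
PUBLISHED_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def rc4(key: bytes, data: bytes) -> bytes:
    """Reference RC4: key schedule, then XOR of data with the keystream."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4_drops_first_byte(key: bytes, data: bytes) -> bytes:
    """Hypothetical defective product: discards the first keystream byte."""
    return rc4(key, b"\x00" + data)[1:]


def reference_is_sound() -> bool:
    """The examiner's own implementation must match the published answers."""
    return all(rc4(k, p).hex() == c for k, p, c in PUBLISHED_VECTORS)


@dataclass(frozen=True)
class Challenge:
    key: bytes       # random key handed to the vendor
    vector: bytes    # test data handed to the vendor
    expected: bytes  # known correct answer, kept by the examiner


def issue_challenge(vector_len: int = 64, key_bits: int = 40) -> Challenge:
    """Examiner side: pick a random key and vector, compute the correct answer."""
    if not reference_is_sound():
        raise RuntimeError("reference implementation fails published vectors")
    key = secrets.token_bytes(key_bits // 8)
    vector = secrets.token_bytes(vector_len)
    return Challenge(key, vector, rc4(key, vector))


def passes_vector_test(product_encrypt, challenge: Challenge) -> bool:
    """Vendor side runs the product; examiner compares with the known answer.

    A pass shows the cipher output matches the reference for this key. It
    says nothing about how the product generates, stores, or manages keys.
    """
    result = product_encrypt(challenge.key, challenge.vector)
    return hmac.compare_digest(result, challenge.expected)


if __name__ == "__main__":
    c = issue_challenge()
    print("correct product passes:", passes_vector_test(rc4, c))
    print("defective product passes:", passes_vector_test(rc4_drops_first_byte, c))
```
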
____________________________________________________________
BOX 4.5 Successful Challenges to 40-bit Encryption

In the summer of 1995, a message encoded with the 40-bit RC4 algorithm was successfully decrypted without prior knowledge of the key by Damien Doligez of the INRIA organization in France. The message in question was a record of an actual submission of form data that was sent to Netscape's electronic shop order form in "secure" mode (including a fictitious name and address). The challenge was posed to break the encryption and recover the name and address information entered in the form and sent securely to Netscape. Breaking the encryption was accomplished by a brute-force search on a network of about 120 workstations and a few parallel computers at INRIA, Ecole Polytechnique, and ENS. The key was found after scanning a little more than half the key space in 8 days, and the message was successfully decrypted. Doligez noted that many people have access to the amount of computing power that he used, and concluded that the exportable Secure Sockets Layer protocol is not strong enough to resist the attempts of amateurs to decrypt a "secure" message.

In January 1996, an MIT undergraduate student used a single $83,000 graphics computer to perform the same task in 8 days. Testing keys at an average rate of more than 830,000 keys per second, the program running on this computer would take 15 days to test every key.
____________________________________________________________
BOX 4.6 Difficulties in Controlling Cryptography

Hardware products with encryption capabilities can be controlled on approximately the same basis as traditional munitions. But software products with encryption capabilities are a different matter. A floppy disk containing programs involving cryptography is visually indistinguishable from one containing any other type of program or data files.
Furthermore, software products with encryption capabilities can be transported electronically, with little respect for physical barriers or national boundaries, over telephone lines and the Internet with considerable ease. Cryptographic algorithms, also controlled by the International Traffic in Arms Regulations as "technical data," represent pure knowledge that can be transported over national borders inside the heads of people or via letter. As is true for all other software products, software products with encryption capabilities are infinitely reproducible at low cost and with perfect fidelity; hence, a controlled item can be replicated at a large number of points. This fact explains how vast amounts of software piracy can occur both domestically and abroad. In principle, one software product with encryption capabilities taken abroad can serve as the seed for an unlimited number of reproductions that can find their way to hostile parties. Finally, it can be argued that the rogue nations that pose the most important targets for U.S. signals intelligence collection are also the least likely to refrain from pirating U.S. software. 
____________________________________________________________
BOX 4.7 Key Differences Between Commercial Products and "Freeware"
_____________________________________________________________
                                        Products from Major
                                        Commercial Vendors     "Freeware" Products
____________________________________________________________
Stake of reputation of product offer    Higher                 Lower
Scale of operation                      Larger                 Smaller
Cost of distribution                    Higher                 Lower
Support for products                    Greater                Lesser
Role of profit-making motive            Higher                 Lower
Ability to integrate cryptography       Greater                Lesser
  into useful and sophisticated
  general-purpose software
Vulnerability to regulatory and         Higher                 Lower
  legal constraints
Likelihood of market "staying power"    Higher                 Lower
Likelihood of wide distribution         Higher                 Lower
  and use
Financial liability for poor            Higher                 Lower
  product performance
Cost of entry into markets              Higher                 Lower
____________________________________________________________
NOTE: All of the characterizations listed are tendencies rather than absolutes, and are relative (i.e. determined by comparing products from major commercial vendors to freeware).
____________________________________________________________
BOX 4.8 A Partial Survey of Foreign Encryption Products on the TIS Survey

+ A British product manual notes that "a key can be any word, phrase, or number from 1 to 78 characters in length, though for security purposes keys shorter than six characters are not recommended." Only alphanumeric characters are used in the key, and alpha characters do not distinguish between upper and lower case. While the longer pass phrases can produce keys with the full 56 bits of uncertainty [changing "can" to "do" would require more extensive tests], passwords of even six characters are woefully inadequate. It is dangerous to allow users to enter such keys, much less the single-character keys allowed by this product.
+ One British product is a DES implementation that recommends cipher block chaining, but uses electronic codebook (ECB) mode as the default. The use of ECB as the default is dangerous because ECB is less secure than cipher block chaining. + A Danish product uses DES with an 8-character key, but limits each character to alphanumeric and punctuation symbols. Hence the key is less than a full 56 bits long. With this restriction, many users are likely to use only upper or lower case alpha characters, resulting in a key less than 40 bits long. + A foreign product uses the FEAL algorithm as well as a proprietary algorithm. Aside from the question of algorithm strength, the key is 1 to 8 characters long and does not distinguish between upper and lower case. The result is a ridiculously short key, a problem that is compounded by the recommendation in the manual to use a 6- to 8-letter artificial word as the key (e.g., it suggests that for the name Bill, "billbum" might be used as the key). + A product from New Zealand uses DES plus a public-key system similar to RSA, but based on Lucas functions. The public-key portion limits the key size to 1,024 bits, but does not seem to have a lower bound, a potentially dangerous situation. The DES key can be 1 to 24 characters in length. If the key is 1 to 8 characters, then single DES is used, otherwise triple DES is used. The lack of a lower bound on key length is dangerous. + An Israeli product uses DES or QUICK, a proprietary algorithm. The minimum key length is user selectable between 0 and 8 characters. Allowing such small lower bounds on key length is dangerous. The product also has a "super-password" supplied by the vendor, another potentially dangerous situation. This product is available both in hardware and in software. 
+ A German hardware product has user-settable S-boxes, and the key can be entered either as 8 characters or 16 hexadecimal characters to yield a true 64-bit key (which will be reduced by the algorithm to 56 bits). The use of 16 hexadecimal character keys will result in higher security, but if the key can also be entered as 8 alphanumeric characters, many users are likely to do so, thus severely reducing the security level. User-selectable S-boxes can have advantages (if they are unknown to a cryptanalyst) and disadvantages (if they are poorly chosen and either are known to or can be guessed by a cryptanalyst). On balance, the danger is arguably greater than the advantage.
+ A British product recommends one master key per organization so that files can be shared across personal computers. This practice is very dangerous.

To summarize, the defects in these products are related to poor key management practices, because they either employ or allow poor key management that would enable a determined and knowledgeable adversary to penetrate the security they offer with relative ease. As noted in Section 4.2 of the text, U.S. products are not necessarily more secure.
----------
SOURCE: Committee examination and synthesis of materials provided by Trusted Information Systems Inc.
____________________________________________________________
BOX 4.9 Circumventions of the ITAR

Current export controls on cryptography can apparently be circumvented in a number of entirely legal and/or hard-to-detect ways. For example:

+ A U.S. company can develop a product without encryption capabilities and then sell the source code of the product to a friendly foreign company that incorporates additional source code for encryption into the product for resale from that foreign country (assuming that that country has no (or weaker) export controls on cryptography).
+ A U.S.
company possessing products with encryption capabilities can be bought by a foreign company; in general, no attempt is made to recover those products.
+ A U.S. company can work with legally independent counterparts abroad that can incorporate cryptographic knowledge available worldwide into products.
____________________________________________________________
BOX 4.10 Problems Arising from a Lengthy Export Licensing Process

+ Some foreign customers know it will take a long time to obtain a positive licensing decision, and as a consequence do not bother to approach U.S. vendors at all.
+ Products to market are delayed; even when export licenses are eventually granted, they are often granted too late to be useful, because the area of information technology is so fast-moving.
+ Rapid decisions are not rendered. In one instance reported to the committee, a U.S. information technology company wanted permission to use its own software (with strong encryption capabilities) to communicate with its foreign offices. Such cases are in theory expedited because of a presumptive approval in these circumstances; this vendor's government contacts agreed that "such an application would be no problem" and that an approval would be a rapid "rubber-stamp" one, but in fact, this vendor is still awaiting a license after more than a year.
+ System integrators intending to ship complete systems rather than individual products face particular difficulties in obtaining a speedy turnaround, because the task for national security authorities involves an assessment of the entire system into which a given product (or products) with encryption capabilities will be integrated, rather than an assessment of just the products with encryption capabilities alone.
+ Even vendors that manufacture cryptographic software not intended for export are required to register with the State Department Office of Defense Trade Controls, primarily "to provide the U.S.
government with necessary information on who is involved in certain manufacturing and exporting activities."(1) ---------- (1) International Traffic in Arms Regulations, Section 122.1 (c). ____________________________________________________________ BOX 4.11 On The Export of Technical Data Related to Cryptography "Cryptologic technical data ... refers ... only [to] such information as is designed or intended to be used, or which reasonably could be expected to be given direct application, in the design, production, manufacture, repair, overhaul, processing, engineering, development, operation, maintenance or reconstruction of items in such categories. This interpretation includes, in addition to engineering and design data, information designed or reasonably expected to be used to make such equipment more effective, such as encoding or enciphering techniques and systems, and communications or signal security techniques and guidelines, as well as other cryptographic and cryptanalytic methods and procedures. It does not include general mathematical, engineering or statistical information, not purporting to have or reasonably expected to be given direct application to equipment in such categories. It does not include basic theoretical research data. It does, however, include algorithms and other procedures purporting to have advanced cryptologic application. "The public is reminded that professional and academic presentations and informal discussions, as well as demonstrations of equipment, constituting disclosure of cryptologic technical data to foreign nationals are prohibited without the prior approval of this office. Approval is not required for publication of data within the United States as described in Section 125.11(a)(1). Footnote 3 to section 125.11 does not establish a prepublication review requirement. 
"The interpretation set forth in this newsletter should exclude from the licensing provisions of the ITAR most basic scientific data and other theoretical research information, except for information intended or reasonably expected to have a direct cryptologic application. Because of concerns expressed to this office that licensing procedures for proposed disclosures of cryptologic technical data contained in professional and academic papers and oral presentations could cause burdensome delays in exchanges with foreign scientists, this office will expedite consideration as to the application of ITAR to such disclosures. If requested, we will, on an expedited basis provide an opinion as to whether any proposed disclosure, for other than commercial purposes, of information relevant to cryptology, would require licensing under the ITAR." ---------- SOURCE: Office of Munitions Control, Department of State, "Cryptography/Technical Data," in *Munitions Control Newsletter*, Number 80, February 1980. (The Office of Munitions Control is now the Office of Defense Trade Controls.) ____________________________________________________________ BOX 4.12 Two Export Control Cases The Zimmermann PGP Case Philip Zimmermann is the author of a software program known as PGP (for Pretty Good Privacy). PGP is a program that is used to encrypt mail messages end-to-end based on public-key cryptography. Most importantly, PGP includes a system for key management that enables two users who have never interacted to communicate securely based on a set of trusted intermediaries that certify the validity of a given public key. Across the Internet, PGP is one of the most widely used systems for secure e-mail communication. Zimmermann developed PGP as a "freeware" program to be distributed via diskette. Another party subsequently posted PGP to a USENET newsgroup.(1) (A commercial version licensed from but not supplied by Zimmermann has since emerged.) 
In 1993, Zimmermann was determined to be the target of a criminal investigation probing possible violations of the export control laws.(2) Zimmermann was careful to state that PGP was not to be used or downloaded outside the United States, but of course international connections to the Internet made for easy access to copies of PGP located within the United States. In January 1996, the U.S. Department of Justice closed its investigation of Zimmermann without filing charges against him.(3)

The Bruce Schneier-*Applied Cryptography* Case

Bruce Schneier wrote a book called *Applied Cryptography*(4) that was well received in the cryptography community. It was also regarded as useful in a practical sense because it contained printed on its pages source code that could be entered into a computer and compiled into a working cryptography program. In addition, when distributed within the United States, the book contained a floppy disk that contained source code identical to the code found in the book. However, when another party (Philip Karn) requested a ruling on the exportability of the book, he (Karn) received permission to export the book but not the disk. This decision has been greeted with considerable derision in the academic cryptography community, with comments such as "They think that terrorists can't type?" expressing the general dismay of the community.
----------
(1) A USENET newsgroup is in effect a mailing list to which individuals around the world may subscribe. Posting is thus an act of transmission to all list members.
(2) John Schwartz, "Privacy Program: An On-Line Weapon?," *Washington Post*, April 3, 1995, p. A-1.
(3) Elizabeth Corcoran, "U.S. Closes Investigation in Computer Privacy Case," *Washington Post*, January 12, 1996, p. A-11.
(4) Bruce Schneier, *Applied Cryptography*, John Wiley and Sons, 1994.
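The key-length findings in Box 4.8 and the search rate quoted in Box 4.5 can be checked with a short calculation. The following is an added example, not part of the report: the alphabet sizes (26, 36, and 94 symbols) and uniformly random key choice are assumptions made here, and the 830,000 keys-per-second rate from Box 4.5 serves only as a yardstick.

```python
"""Effective strength of typed keys versus the cipher's nominal key size."""
import math
from dataclasses import dataclass
from typing import List

KEYS_PER_SECOND = 830_000   # rate quoted in Box 4.5, used here as a yardstick
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class KeyEntryPolicy:
    """How a product lets the user type a key (sizes below are assumptions)."""
    name: str
    alphabet_size: int   # distinct symbols after any case folding
    min_len: int         # shortest key the product accepts
    max_len: int         # longest key the product accepts
    cipher_bits: int     # nominal key size of the underlying cipher

    def keyspace(self) -> int:
        """Distinct keys a user can enter, capped at the cipher's key space."""
        typed = sum(self.alphabet_size ** n
                    for n in range(self.min_len, self.max_len + 1))
        return min(typed, 2 ** self.cipher_bits)

    def best_case_bits(self) -> float:
        """Upper bound: users choose uniformly among every allowed key."""
        return math.log2(self.keyspace())

    def worst_allowed_bits(self) -> float:
        """Strength when a user picks the shortest key the product permits."""
        bits = self.min_len * math.log2(self.alphabet_size)
        return min(bits, float(self.cipher_bits))

    def days_to_exhaust(self, rate: int = KEYS_PER_SECOND) -> float:
        """Time to try every enterable key at the given rate."""
        return self.keyspace() / rate / SECONDS_PER_DAY


def audit(policy: KeyEntryPolicy, floor_bits: int = 40) -> List[str]:
    """Return findings for a key-entry policy; an empty list means none."""
    findings = []
    best = policy.best_case_bits()
    if best < policy.cipher_bits:
        findings.append(
            f"best case {best:.1f} bits is below nominal {policy.cipher_bits}")
    worst = policy.worst_allowed_bits()
    if worst < floor_bits:
        findings.append(
            f"{policy.min_len}-character keys allowed: {worst:.1f} bits")
    return findings


# Constructed policies modelled on the descriptions in Box 4.8.
BASELINE_40 = KeyEntryPolicy("40-bit key, every value usable", 2, 40, 40, 40)
EIGHT_PRINTABLE = KeyEntryPolicy("8 chars, letters/digits/punctuation", 94, 8, 8, 56)
EIGHT_ONE_CASE = KeyEntryPolicy("8 chars, one case of letters", 26, 8, 8, 56)
PHRASE_1_TO_78 = KeyEntryPolicy("1-78 chars, case-folded alphanumeric", 36, 1, 78, 56)
ZERO_MINIMUM = KeyEntryPolicy("0-8 chars, user-set minimum of 0", 94, 0, 8, 56)
POLICIES = [BASELINE_40, EIGHT_PRINTABLE, EIGHT_ONE_CASE, PHRASE_1_TO_78, ZERO_MINIMUM]

if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p.name}: best {p.best_case_bits():.1f} bits, "
              f"worst {p.worst_allowed_bits():.1f} bits, "
              f"{p.days_to_exhaust():.2f} days at {KEYS_PER_SECOND} keys/s")
        for finding in audit(p):
            print("   finding:", finding)
```
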
____________________________________________________________
[End Chapter 4]

5 Escrowed Encryption and Related Issues

Chapter 5 describes a tool -- escrowed encryption -- that responds to the needs described in Chapter 3 for exceptional access to encrypted information. Escrowed encryption is the basis for a number of Administration proposals that seek to reconcile needs for information security against the needs of law enforcement and to a lesser extent national security. As in the case of export controls, escrowed encryption generates considerable controversy.

5.1 WHAT IS ESCROWED ENCRYPTION?

The term "escrow," as used conventionally, implies that some item of value (e.g., a trust deed, money, real property, other physical object) is delivered to an independent trusted party that might be a person or an organization (i.e., an escrow agent) for safekeeping, and is accompanied by a set of rules provided by the parties involved in the transaction governing the actions of the escrow agent. Such rules typically specify what is to be done with the item, the schedule to be followed, and the list of other events that have to occur. The underlying notion is that the escrow agent is a secure haven for temporary ownership or possession of the item, is legally bound to comply with the set of rules for its disposition, functions as a disinterested extratransaction party, and bears legal liability for malfeasance or mistakes. Usually, the rules stipulate that, all conditions set forth in the escrow rules having been fulfilled, there will eventually be delivery of the item to a specified party (e.g., possibly the original depositing party, an estate, a judicial officer for custody, one or more individuals or organizations).
In any event, the salient point is that all terms and conditions and functioning of an escrow process are, or can be, visible to the parties involved; moreover, the behavior and performance of formal escrow agents are governed by legally established obligations.

As it applies to cryptography, the term "escrow" was introduced by the government's April 1993 Clipper initiative in the context of encryption keys. Prior to this time, the term "escrow" had not been widely associated with cryptography, although the underlying concepts had been known for some time (as described below). The Clipper initiative promoting escrowed encryption was intended "to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement."(1) In this original context, the term "escrowed encryption" had a very specific and narrow meaning: escrowed encryption was a mechanism that would assure law enforcement access to the voice communications underlying encrypted intercepts from wiretaps.

However, during 3 years of public debate and dialogue, "escrow," "key escrow," and "escrowed encryption" have become terms with a much broader meaning. Indeed, many different schemes for "escrowed encryption" are quite different from "escrowed encryption" as the term was used in the Clipper initiative.

As is so often the case in computer-related matters, terminology for escrowed systems is today not clearly established and can be confusing or misleading. While new terminology could be introduced in an effort to clarify meaning, the fact is that the present policy and public and technical dialogues all use "escrow" and "escrowed encryption" in a very generic and broad sense. It is no longer the very precise restricted concept embodied in the Clipper initiative and described in Section 5.2.1.
Escrow as a concept now applies not only to the initial purpose of assuring law enforcement access to encrypted materials, but also to possible end-user or organizational requirements for a mechanism to protect against lost, corrupted, or unavailable keys. It can also mean that some process such as authority to decrypt a header containing a session key is escrowed with a trusted party, or it can mean that a corporation is ready to cooperate with law enforcement to access encrypted materials.

This report conforms to current usage, considering escrowed encryption as a broad concept that can be implemented in many ways; Section 5.3 addresses forms of escrowed encryption other than that described in the Clipper initiative. Also, escrowed encryption is only one of several approaches to providing exceptional access to encrypted information; nonescrow approaches to providing exceptional access are discussed in Chapter 7.2.

Finally, the relationship between "strong encryption" and "escrowed encryption" should be noted. As stated above, escrowed encryption refers to an approach to encryption that enables exceptional access to plaintext without requiring a third party (e.g., government acting with legal authorization, a corporation acting in accordance with its contractual rights vis-a-vis its employees, an individual who has lost an encryption key) to perform a cryptanalytic attack. At the same time, escrowed encryption can involve cryptographic algorithms that are strong or weak and keys that are long or short. Some participants in the public debate appear to believe that escrowed encryption is necessarily equivalent to weak encryption, because it does not prevent third parties from having access to the relevant plaintext.
But this is a mischaracterization of the intent behind escrowed encryption, since all escrowed encryption schemes proposed to date are intended to provide very strong cryptographic confidentiality (strong algorithms, relatively long keys) for users against unauthorized third parties, but no confidentiality at all against third parties who have authorized exceptional access.

----------
(1) See Statement by the Press Secretary, The White House, April 16, 1993. Reprinted in David Banisar (ed.). 1994. "Statement by the Press Secretary, The White House, April 16, 1993," *1994 Cryptography and Privacy Sourcebook*, Electronic Privacy Information Center, Diane Publishing, Upland, Pennsylvania, Part II. The name "Clipper" initially selected as the name of this effort proved later to be a trademark whose holder relinquished it to public use.
(2) In the more general meaning of escrowed encryption, exceptional access refers to access to plaintext by a party other than the originator and the recipient of encrypted communications. For the case of stored information, exceptional access may refer to access to the plaintext of an encrypted file by someone not designated by the original encryptor of the file to decrypt it or even by persons so designated who have forgotten how to do so. See also Chapter 3.
Contrast the meaning of third-party access in the original Clipper context, in which third-party access refers to assured access, under proper court authorization, by law enforcement to the plaintext of an encrypted voice conversation. The Clipper initiative was intended to support a system that provided a technically convenient means to assure fulfillment of such a requirement. Note that this meaning is much narrower than the use of the more general term "exceptional access" described in the previous paragraph.
____________________________________________________________

5.2 ADMINISTRATION INITIATIVES SUPPORTING ESCROWED ENCRYPTION

Since inheriting the problem of providing law enforcement access to encrypted telephony from the outgoing Bush Administration in late 1992, Clinton Administration officials have said that as they considered the not-so-distant future of information technology and information security along with the stated needs of law enforcement and national security for access to information, they saw three alternatives.(3)

+ To do nothing, resulting in the possible proliferation of products with encryption capabilities that would seriously weaken, if not wholly negate, the authority to wiretap embodied in the Wiretap Act of 1968 (Title III) and damage intelligence collection for national security and foreign policy reasons;

+ To support an approach based on weak encryption, likely resulting in poor security and cryptographic confidentiality for important personal and business information; and

+ To support an approach based on strong but escrowed encryption. If widely adopted and properly implemented, escrowed encryption could provide legitimate users with high degrees of assurance that their sensitive information would remain secure but nevertheless enable law enforcement and national security authorities to obtain access to escrow-encrypted data in specific instances when authorized under law. Moreover, the Administration hoped that by meeting legitimate demands for better information security, escrowed encryption would dampen the market for unescrowed encryption products that would deny access to law enforcement and national security authorities even when they sought access for legitimate and lawfully authorized purposes.

The Administration chose the last, and since April 1993, the U.S.
government has advanced a number of initiatives to support the insertion of key escrow features into products with encryption capabilities that will become available in the future. These include the Clipper initiative and the Escrowed Encryption Standard, the Capstone/Fortezza initiative, and the proposal to liberalize export controls on products using escrowed encryption. These initiatives raise a number of important issues that are the focus of Sections 5.3 to 5.13.

-----------
(3) See, for example, statement of Raymond Kammer, deputy director, National Institute of Standards and Technology, before the Committee on the Judiciary, U.S. Senate, May 3, 1994. Available on line from http://www.nist.gov/item/testimony/may94/encryp.html.
____________________________________________________________

5.2.1 The Clipper Initiative and the Escrowed Encryption Standard

As noted above, the Clipper initiative was conceived as a way to provide legal access by law enforcement authorities to encrypted telephony.(4) The Escrowed Encryption Standard (EES; a Federal Information Processing Standard, FIPS-185) was promulgated in February 1994 as the key technological component of the Clipper initiative (Box 5.1). Specifically, the EES called for the integration of special microelectronic integrated circuit chips (called "Clipper chips") into devices used for voice communications; these chips, as one part of an overall system, provide voice confidentiality for the user and exceptional access to law enforcement authorities. To provide these functions, the Clipper chip was designed with a number of essential characteristics:

+ Confidentiality would be provided by a classified algorithm known as Skipjack. Using an 80-bit key, the Skipjack algorithm would offer considerably more protection against brute-force attacks than the 56-bit DES algorithm (FIPS 46-1). The Skipjack algorithm was reviewed by several independent experts, all with the necessary security clearances.
In the course of an investigation limited by time and resources, they reported that they did not find short-cuts that would significantly reduce the time to perform a cryptanalytic attack below what would be required by brute force.(5)

+ The chip would be protected against reverse engineering and other attempts to access its technical details.

+ The chip would be factory-programmed with a chip-unique secret key, the "unit key" or "device key,"(6) at the time of fabrication. Possession of this key would enable one to decrypt all communications sent to and from the telephone unit in which the chip was integrated.

+ A law enforcement access field (LEAF) would be a required part of every transmission and would be generated by the chip. The LEAF would contain two items: (a) the current session key,(7) encrypted with a combination of the device-unique unit key, and (b) the chip serial number. The entire LEAF would itself be encrypted by a different but secret "family key" also permanently embedded in the chip. The family key would be the same in all Clipper chips produced by a given manufacturer; in practice, all Clipper chips regardless of manufacturer are programmed today by the Mykotronx Corporation with the same family key.

To manage the use of the LEAF, the U.S. government would undertake a number of actions:

+ The unit key, known at the time of manufacture and unchangeable for the life of chip, would be divided into two components, each of which would be deposited with and held under high security by two trusted governm