June 1996
THE COMPUTER REVOLUTION, ENCRYPTION AND TRUE THREATS TO NATIONAL SECURITY
by G. A. Keyworth, II, and David E. Colton, Esq. *
Americans take it for granted that when they a send package via first class mail its contents are protected. We do not worry that someone will open our envelopes and take our checking or credit card account numbers, read our personal letters, or steal our business ideas.Yet our privacy could be threatened as we move to a digital economy, where more and more information is shared electronically – over the Internet, via fax machines or on wireless phones. Right now, the Clinton Administration is proposing to restrict Americans’ ability to use "encryption" tools that scramble digital communications so that they cannot be read by anyone other than the intended receiver. Today, basic encryption technology is utilized every time you punch in your ATM code or use a password to protect files on your computer. But better encryption tools are needed to protect the assets of on-line banking customers, the rights of musicians selling their songs in Cyberspace or the trade secrets of American companies e-mailing documents to their overseas branches.
America currently leads the world in the development of computer software – including encryption. Indeed, our current position as the undisputed leader of the digital age derives from our overwhelming success at winning the computer race. Start-ups that were born in our garages and hobby clubs less than twenty years ago have created a whole new economy, the $1.5 trillion digital industry. As a result, the nexus of technological innovation and wealth creation for this new economy is in Silicon Valley, not Tokyo, Paris or Bonn.
The Clinton Administration’s attempt to control encryption technology is one of the most important examples of how outdated regulatory thinking threatens America’s ability to compete and win in the digital era.
Yet a new contest is already underway: the race to generate wealth by connecting computers into a global, digital communications system. The rules for this competition are just now being set, and the situation is very different from the computer race. The government largely refrained from regulating the computer industry (no one told Apple or Microsoft or Intel what markets they could enter or what products they could sell). In the communications race, America's regulatory apparatus (i.e., the FCC) – created in the 1930s, before television networks, cellular phones or e-mail – is a huge handicap. America’s competitive lead in the communications race could be squandered by the retarding forces of excessive regulation, with immense consequences: lost technological leadership, fewer jobs and lower standards of living. While the Telecommunications Act of 1996 was an important first step toward removing roadblocks in the creation of a digital communications network, much work remains if America is to maintain its international lead. Our most formidable opponent is not foreign competition, but a misguided, overzealous Federal government. The Administration’s attempt to control encryption technology is one of the most important examples of how outdated regulatory thinking threatens America’s ability to compete and win in the digital era.
Encryption: Protecting Your Valuables from Theft
The encryption concepts at issue are not complicated. In essence, encryption technology empowers people to protect their digital property from unauthorized use. Whether you are sending an e-mail to a friend, your doctor is faxing your medical records to the insurance company, you are ordering a take-out dinner over you wireless phone (and using your credit card number to pay in advance), or giving the plans for your latest product to your business partner on a floppy disc, encryption tools allow you to "scramble" your message. Only the intended recipient – who holds a "key" – can access the information.Encryption technology is based on strings of numbers (the "key"). The more numbers in the key, the "stronger" the encryption. For instance, the standard ATM code of four numbers would be harder to crack if it were ten numbers. The possible variations increase dramatically each time a number is added to a key, and thus more computing power is required to figure out all the possible combinations.
There are two types of encryption. The first is known as single key, in which the key to code and decode a transmission is the same. The second encryption system, known as the public key approach, uses two sets of keys. One key is publicly revealed, the other is known only to the user. The keys are linked in such a manner that information encrypted by the public key can only be deciphered by the corresponding private key. Public key techniques are much more secure than single key approaches. Such programs are available, world-wide and generally free, through the Internet. It is these public key programs that are the real focus of the Administration’s attempt to restrict encryption tools.
The Administration seeks to retard development of encryption technologies by allowing export only of mass market software with "weak" encryption standards using 40-bit keys.1 Similar restrictions apply to hardware and computer systems.2 The stated goal is to slow development of encryption technologies abroad, so that the intelligence community (CIA, FBI, NSA, etc.) will have easier access to communications.
Are Encryption Controls Part of the American Spirit?
The Administration invokes "national security" concerns to justify export control regulations that cripple development of sophisticated U.S. encryption technologies. The government claims that it must have the ability to monitor communications in the digital age in order to protect Americans from terrorists, drug smugglers and other nefarious types. To achieve this, the Administration argues, we must control the terms and conditions by which individual Americans can use sophisticated encryption technology both at home and abroad.3 Even at the height of the Cold War, the intelligence community never seriously proposed such a massive and pervasive intrusion into the lives of American citizens. Even at the height of the Cold War, the intelligence community never seriously proposed such a massive and pervasive intrusion into the lives of American citizens.
How we handle this issue has profound implications for American society in the digital age. The encryption debate raises serious Constitutional questions. What is the role of the Fourth Amendment, which reserves to the people the right "to be secure in their persons, houses, papers and effects"? What constitutes an unreasonable search and seizure in Cyberspace? What rights to privacy can citizens expect in a digital era? These are major, fundamental questions that the American people must resolve. No one yet has the answers. Yet the Administration’s encryption proposals, if enacted, would allow what are little more than bureaucratic interests in the national security community to dictate the answers.
The outcome of the encryption debate will also shape the foundation for U.S. economic prosperity in the digital age. A society of connected computing and networking requires that all individuals have confidence that their communications are secure and that messages and data are authentic, not forgeries. Encryption is the means to make that possible.
The Administration’s attempts to control encryption technology on national security grounds would actually undermine America’s security in the digital age.
But encryption technology is not just about privacy and secure communications. It is also about protecting intellectual property. For instance, with innovative encryption systems, the makers of Jurassic Park II (for example) would be able to encrypt a digital signal in the movie that prevents bootlegged copies of it being made and sold on the black market. Before artists, entrepreneurs or Fortune 500 companies will invest their resources in a new digital product, they will demand assurances that it be secure from theft. The best means of protection is self-defense. American companies should be allowed to develop and use encryption tools to protect their intellectual property and trade secrets before turning to government for assistance. In that sense, encryption can be thought of as the "barbed wire" of the digital age, allowing owners of intellectual property to be their own first lines of defense against theft and encroachment, just as barbed wire allowed farmers on America's prairie to protect themselves against encroachment by wayward cattle. Barbed wire was not an alternative to government enforcement of property rights, but it allowed government to serve as a backstop rather than as the first line of defense.4
Encryption Obsolescence at Hyper SpeedTo maintain their competitive lead in the digitally connected economy, American companies are continually creating encryption technologies. Such rapid innovation makes the national security and intelligence communities’ goals of controlling this technology illusory. Governments can no longer dictate the pace and scope of technological innovation.
The core concept of the computer revolution, Moore’s Law, states that the power of a microprocessor doubles approximately every 18 months while its costs stay the same. Thus, in 1984, a desktop computer could execute 2 million instructions per second, but by 1994, the same machine was capable of 256 million instructions per second. By 1998, a desktop microprocessor will run more than 2 billion instructions per second. Such incredible advancement in computer power guarantees that the intelligence community will fail to control encryption technology.
Moore’s Law makes the focus on encryption key length irrelevant. So-called strong encryption is only "strong" relative to available computing power to crack the string of numbers that comprise the key. As computing power doubles every 18 months, no encryption scheme will remain strong for long; adding numbers to the key merely forestalls the inevitable. Encryption will be rendered quickly weak without constant innovation .
Yet the Administration proposes to enshrine in law a mandated encryption standard based on today’s computing power – a standard that would soon be rendered obsolete by advances in microprocessor speed. This is not a theoretical prediction; it is hard fact. Indeed, the government’s preferred 40-bit key has already been compromised – in this case by two French graduate students using their school’s computer to hack Netscape. Cheap and affordable chips customized to break encryption keys are readily available. For example, one "field programmable gate arrays" chip, costing as little as $20, can crack the 40-bit key in about five hours. But many such chips can be used together, in parallel, to break a 40-bit key in about 24 seconds. Clearly, government encryption "standards" would soon be overtaken by technology, leaving Americans handcuffed in their ability to compete with foreigners.
The True Threat to National Security: Encryption Controls, Not Encryption TechnologyThe Administration’s attempts to control encryption technology on national security grounds would actually undermine America’s security in the digital age. Export controls already are threatening to drive America’s software industry off-shore. Allowed to continue, this phenonemon eventually will deny America -- including the intelligence community itself -- the latest in encryption technology.
Among the many problems with export controls on encryption technology, first and foremost is the fact that they are unworkable. In the past, it was possible to contain specific technologies (e.g. metallurgical science applied to design of submarines or "stealth" airplanes) through export controls. These technologies focus on specific capabilities and require significant infrastructure to be of use. But digital technology can be taken out of the country almost effortlessly by transmitting it over the Internet. And, of course, nothing can prevent foreigners from coming to America, legally purchasing encryption technology (at stores such as Wal-Mart) and then (illegally) taking it home with them. Hackers try to demonstrate the absurdity of export controls by noting that it may be considered illegal to wear a t-shirt, when leaving the United States, that has printed on it the code for an encryption key (the t-shirt would be considered a munition).
It is also absurd to assume that, just because American encryption technology is not legally for sale on the international market, that foreign governments, companies and criminals will not be able to encrypt their communications and intellectual property. Unlike, say, nuclear weapons, which require amounts of difficult-to-obtain materials to build, computer software design has virtually no "barriers to entry." Joseph Schumpeter’s description of the capitalist firm truly applies here: "Most new firms are founded with an idea and definite purpose. The life goes out of them when that idea or purpose has been fulfilled or has become obsolete or even if, without having become obsolete, it has ceased to be new." This is particularly apt for encryption technologies.5
Today, the intelligence community is worried about controlling the latest encryption technology developed in the United States. With export controls in place, Americans may find in just a few short years that the true national security problem is trying to obtain the latest encryption software developed outside the United States.
Preventing America’s leading companies from selling their products around the world denies America's software firms the chance to maintain their lead in the global connected computing race.
No matter how stringent U.S. export controls, they can do nothing to stop a bright mathematician in Tokyo or Bombay from creating new means of encryption to fill the void left by American abdication of the market. A recent survey of products employing cryptography both within and outside the United States confirms the lack of barriers to entry in encryption technology. 6 Companies from more than 28 countries sell almost 500 encryption products. If American leadership stumbles, others are ready and eager to assume the mantle. U.S. intelligence and law enforcement agencies – perhaps to present Congress a fait accompli – have urged foreign governments to adopt approaches to regulating encryption similar to those in America. But even the adoption by other governments of proscriptive encryption regulations would not alter our analysis. One individual, such as the legendary Phil Zimmerman, can create an encryption system as widely acclaimed as his PGP (Pretty Good Privacy) in just five months in his cabin in Colorado. That program is now available world-wide through the Internet. Digital technology and the lack of barriers to entry mean that individuals from almost anywhere can circumvent government-imposed limitations – regardless how many governments impose them.
Export controls also hurt America’s high-tech industry. Many law abiding international customers want to protect their communications and intellectual property for the same reasons as Americans, and, as noted above, they will develop the technology to do so themselves if they cannot purchase it from the United States. The global demand for secure computing continues to grow with the spread of connected computing. After all, the international market for Internet connectivity is 20 times what it is in the United States. 7 In this burgeoning market, the highest demand over the next decade will be for goods and services that incorporate the assurance of confidentiality only encryption can provide.
Preventing America’s leading companies from selling their products around the world denies America's software firms the chance to maintain their lead in the global connected computing race. Already, 60 percent of American workers are knowledge workers, and eight of ten new jobs are in information intensive sectors of the economy. More Americans make computers than cars. More Americans make semiconductors than build construction equipment, and people processing data outnumber those refining petroleum. Should American firms be foreclosed from competing to win in this market, the immediate effect may be a 30 percent loss in market share for computer systems alone. 8 The impact on the whole U.S. software industry would be equally devastating and threatens the commanding 75 percent market share for mass market software enjoyed by American companies today. 9 This is merely a short-term extrapolation. The long-term effects could be even more pernicious: lost technological leadership is rarely recovered.
Yet probably the greatest threat to Americans’ national security from the encryption controls being proposed by the intelligence and law enforcement agencies would be the loss of freedom on the part of U.S. citizens. Seeking to retain some control over public key encryption, the most recent Administration proposal seeks to have Americans register their personal keys with a government-approved third party. This is analogous to the government asking all Americans to place a copy of their safe deposit box keys with a government-approved third party. By coercing so-called "voluntary" cooperation, the intelligence community asks that every American leave themselves exposed before the State in the digital age.
Nothing could be more perverse than to turn the potential of the digital era to empower individuals into a more invasive means of government surveillance and control. We believe that the Administration’s positions will not withstand Constitutional challenge. The question to ask is why, in light of all we've learned as America's competitiveness has resurged in this new digital economy, should we waste our time and energy pursuing something that, in a Jeffersonian sense, is so patently un-American and which, in the practical sense of Moore's Law, is simply wrong. As Americans hesitate, the window of opportunity for continuing our leadership of the computer revolution is rapidly closing.
The Threat To American Intelligence and Law Enforcement Is OverstatedTogether with law enforcement agencies, America’s intelligence community plays a vital role in safeguarding the nation. Moreover, in many instances the resources they can bring to bear to battle crime are without peer. The technical capabilities of the U.S. intelligence community, for example, are the finest in the world. The community has and will continue to have the technical and human resources to meet its mission.
The National Security Agency (NSA) and its sister agencies have the capacity to break current encryption systems, and there is little reason to believe they will not have the capability to penetrate future designs. Public estimates of the time the NSA requires to break 40- and 56-bit key codes are conservative, for the agency has truly massive parallel processing power for "brute force" attacks on a given code. More importantly, NSA specialists are world-class, and can often succeed in cracking an encryption system through "number crunching." They often understand the inner workings of a given program or code and can exploit these vulnerabilities, greatly reducing the burdens of decryption. While in the short term encryption controls might make the NSA’s task easier, in the long run, as we have noted above, we as a nation would suffer greatly.
For the foreseeable future, the intelligence community can provide time-urgent penetration of communications networks for collection and counter-intelligence needs. Cracking an encrypted digital e-mail may not be as easy as wire tapping an analog telephone. Nonetheless, the United States currently has the technical capability needed for security in the digital future. To most effectively utilize these capabilities might require tasking and prioritizing resources in a new way, something all bureaucracies, including the intelligence and law enforcement agencies, naturally dislike because it upsets the status quo. But, ultimately, the intelligence community relies on the technical innovation and leadership of the America’s private sector to keep it at the forefront of developments. Any decline in U.S. leadership in the computer race, which controls on encryption technology will lead to, will have repercussions on the NSA’s abilities as well.
Domestic law enforcement can also pursue its public safety mission without draconian invasions into the privacy of citizens through mandatory key escrow systems. Clear thinking without emotion is required. Allegations that encryption technology will result in future New York City World Trade Tower-type terrorist incidents or bombings of Federal buildings are irresponsible. Encryption technologies, of course, had no connection at all to either incident. (Indeed, it is worth recalling that the FBI’s own informant tried to warn the Bureau – unsuccessfully – about the impending attack in New York). Furthermore, it is just as easy to plot a terrorist attack through almost completely secure first class mail as it is via e-mail.
While there have been and certainly will be instances of law enforcement agencies successfully averting a crime or catching criminals due to the monitoring of communications, the FBI and other police agencies must adjust the existing framework for traditional wireline intercepts to the digital age. To do so, they must admit one simple truth: organized crime and drug cartels – or anyone seriously intending to violate the law – will attempt to buy the best encryption technology available. Preventing American industry from developing it simply means the illegal enterprises will buy the capability from Japan, Bombay or Taiwan. They may even pay American software writers to covertly develop code for them. Regardless of the method, criminals will obtain encryption technology. By coercing so-called "voluntary" cooperation, the intelligence community asks that every American leave themselves exposed before the State in the digital age.
The solution is thus not to "dumb down" the American economy and industry. Rather, law enforcement must become more digitally savvy. Upon obtaining court authorization for digital surveillance, law enforcement must have access to sufficient resources in the intelligence community should encryption issues arise. If it is a question of sharing resources and capabilities among national security agencies (who currently have among the best encryption writing and cracking capabilities) and law enforcement agencies, Congress can help this to occur by developing new coordination mechanisms. Long standing bureaucratic rivalries between law enforcement and intelligence agencies can (and should) be overcome. If suitable cooperation is not forthcoming, law enforcement could be permitted to develop its own cryptographic capabilities. That would be a small price to pay to enable America to compete and win in the digital era.
Controlling our Future in the Digital AgeWe are in the midst of a profound revolution made possible by the microprocessor. It is transforming our society more completely and faster than did the printing press, the telephone or even the television. By winning the first round of the computer race, we reaped the rewards of economic growth and new goods, services and social opportunities. We can win the race for connected computing as well. This is the best means of providing for national security, broadly defined.
What is called for in encryption is no less than an end to government sponsored encryption standards, except for its own use. Export controls on commercial digital technology, especially in the consumer realm, should be terminated. Moreover, the Federal government should be explicitly barred from placing restrictions on the sale and use of encryption programs domestically, and mandatory key escrows should be prohibited. These steps are necessary for two, reinforcing reasons: The first is that such barriers to our future wealth generating capacity are simply unaffordable; the second is that such interventions will not work anyway.
In a more general sense, however, it is we citizens, not the intelligence community, who should determine the nature of our Constitutional heritage in the digital age.
Future Insight, a series of occasional papers issued by PFF, offer replacement models for current regulatory agencies, departments and laws designed at the height of the Industrial Era with organizations better suited to meeting the needs of citizens in the Digital Age. A private, non-profit, non-partisan idea center established in 1993, The Progress & Freedom Foundation aims to create a positive vision of the future founded in the historic principles of the American Idea. It brings together a diverse group of thinkers and policy experts and shares their work with the American people through seminars, conferences, publications and electronic media of all forms. Supported by tax deductible donations from corporations, foundations and individuals, PFF does not engage in lobbying activities or take positions on legislation. The views expressed here are solely those of the author(s) and do not necessarily represent the views of the Board, Officers or Staff of The Progress & Freedom Foundation.Permission granted to reproduce as long as acknowledgment is made. Richard F. O’Donnell, Editor
The Progress & Freedom Foundation | 1301 K Street, N.W., Suite 650 West | Washington, DC 20005
voice: 202/289-8928 | fax: 202/289-6079 | e-mail: mail@pff.org | internet: www.pff.org