NRC report urges shift in info security policies

The National Research Council, in a report likely to have a significant influence on the ongoing information security policy debate, is calling on the government to align its national cryptography policy more closely with industry trends.

The document was the second report released in May to recommend greater cooperation with industry on cryptography issues [FCW, May 27].

Although the administration already has signaled an interest in working more closely with industry, the NRC report includes other, more controversial, recommendations. For example, it recommends that the government encourage widespread use of encryption in the private and public sectors, a move that would be a sharp turn away from current administration policy.

"The idea is to use market forces rather than fight them" in developing cryptography policy, said Herb Lin, NRC's senior staff officer and director of the report.

The report, "Cryptography's Role in Securing the Information Society," calls the eventual widespread use of encryption "inevitable" and recommends a policy that encourages a "judicious transition" toward the wide use of encryption in the public and private sectors.

The report represents the first broad consensus of cryptography stakeholders in government, industry and academia. Members of the committee that compiled the report include retired National Security Agency deputy director Ann Caracristi, Stanford University professor and co-inventor of public key cryptography Martin Hellman, and Citicorp senior technology officer Colin Crook.

Government policies have hindered, not helped, the development of a cohesive national cryptography policy, according to the report.

"The government has tried to push policies and standards that have been unpopular in the marketplace," Lin said. "That has retarded the development of consensus" on issues of cryptography policy.

Specifically, the government has restricted the types of encryption federal agencies can use and heavily regulated commercial encryption export, he said.

Overall, the report promotes widespread use of cryptography in the public and private sectors, criticizes the government's role in shrouding cryptography policy in secrecy and discouraging encryption use in the public sector, and recommends that 56-bit, non-escrowed Data Encryption Standard (DES) encryption products be exportable.

Further, it supports federal agency use of widely available off-the-shelf encryption products and suggests that federal law enforcement should put more resources into understanding how cryptography works than into limiting its use nationally.

An administration official who asked not to be named called the report "useful," saying the administration agrees with all the recommendations relating to increased federal agency use of encryption.

"We definitely agree with the report as it relates to federal use," the official said. "The government should put its money where its mouth is."

However, the official said the administration was less likely to adopt some of the other report recommendations.

Most controversial is the issue of key escrow. The administration has banned the export of strong encryption software unless law enforcement can obtain a set of "escrowed keys" that enable decryption with a court warrant.

The report calls this policy "premature." However, the report recommends the government become an early user of escrowed encryption.

"We think the government should use the working government as sort of a test bed for something that is as yet an unproven tool," Lin said.

Because government policy hinders the use of strong cryptography both within the government and in the private sector, according to the report, the government "is actually opening the nation up to malicious attacks on its information systems."

Current government policy "impedes" industry and government from using "cryptographic tools that would help remediate certain important vulnerabilities," according to the report, which concludes that the advantages of more widespread use of cryptography "outweigh the disadvantages."