Former NSA exec Crowell joins Cylink battles on for public private encryption

As deputy director and lead cryptographer at the National Security Agency William Crowell had a unique vantage point from which to observe the federal government's evolving needs to secure data communications.

At the same time he was keenly aware of the demands from the private sector for technology to protect its data as he worked as a technical adviser to the Clinton administration to craft an encryption policy that was palatable to the public and private sectors.

Now as the new corporate vice president of product management and strategy for Sunnyvale Calif.-based Cylink Corp. he plans to work to improve the company's products to meet the needs of private- and public-sector customers in what he described as the "very volatile" information security market. In a recent interview with FCW Crowell— who retired from NSA earlier this year— said the feder al government market soon will begin moving very quickly to ramp up its use of sophisticated security technology because of the government's responsibility to protect public information.

The government market which makes up one-quarter of Cylink's revenue will most likely turn to commercial public-key encryption products that offer the best price for performance and the least risk to provide the security needed to exploit the power of the Internet in advanced applications such as electronic commerce he said.

However Crowell said industry must overcome the political obstacle to using public-key encryption before electronic commerce can become prevalent in the federal arena. Public-key encryption uses digital signatures and other methods to protect a transaction from tampering to authenticate the identity of the sender and to designate a third party— called a certification authority— to dole out the electronic certificates or "keys " necessary to open that document.

The biggest impediment t o network security in the federal government is the designation of that certification authority. In some versions of encryption policy that soon will be taken up by Congress the issue of the third-party certificate authority is tied to the government's demand for a means to recover encrypted data at the request of law enforcement agencies.

The government must get over this obstacle in order for encryption to be a viable solution Crowell said. "You have to have a certificate-based security structure to get much out of encryption " he said. "Who is going to be the certificate authority and how will it be managed? In industry it's easier whoever wants to use security will be their own certificate authority."

Cylink which has customers in the Army the Justice Department the Internal Revenue Service and the Federal Aviation Administration is working with the U.S. Postal Service to build an electronic commerce system that will authenticate identities for secure transactions.

The crucial need f or public-key encryption within the government has been highlighted by the problems the Social Security Administration and the IRS have had grappling with ways to allow electronic public interaction Crowell said. Under fire from Congress in 1996 inadequate security mechanisms forced SSA to shut down a World Wide Web site that allowed access to wage and benefit data. Similarly the IRS' plan to allow electronic filing of tax forms has been riddled with security problems.

"Just launching into electronic interchange without the proper authentication mechanisms is really problematical " he said. "We can't have the possibility of a hundred thousand transactions taking place that are fraudulent."

In addition to these infrastructure-related challenges widespread federal use of electronic commerce also has been hindered by the cost of information security technology Crowell said. With only a 2 percent market penetration in the United States security technology has yet to reach the critical mass it needs to drive down costs.

"You can imagine the first five people who owned a telephone they could only talk to [four other people] " he said. "That's the stage we are in now. It's kind of like the PC at some point the performance comes up with the cost coming down. But we haven't gotten there yet."