GITS Board seeks funds for second encryption tests

The Government Information Technology Services (GITS) Board is working to secure $11 million to fund a second round of tests of a controversial encryption technology that has a built-in mechanism to allow data to be unscrambled.

The board is seeking the funding to support 15 projects in 12 agencies to test key-recovery technology. Key-recovery technology allows a user who has lost a key, or a law enforcement agent who needs to unscramble data as evidence in an investigation, to unscramble encrypted data. Law enforcement agencies have strongly supported the technology, but privacy groups and some in the information technology industry have vigorously opposed it.

The first round of 13 projects demonstrated the use of key-recovery technology and was completed in 1997 for $7.8 million. The CIA, the National Security Agency, the Defense Department and the FBI funded those projects, and GITS has approached the same four agencies to fund the second round.

Some of the first-round agency tests included:

* The Energy Department Office of Energy Research's test of emerging security technologies for Internet-based electronic data interchange, focusing on processing electronic grant application requirements.

* The Social Security Administration and Pitney Bowes Inc. planned to conduct a demonstration project with a group of small businesses to securely submit annual W2/W3 data to SSA over the Internet using public-/private-key technology.

* The Information Exchange and Automation Working Group tested processing commercial transactions under the North American Free Trade Agreement. During the prototype, traders and brokers submitted common, standardized, commercial goods and transportation data to the Canadian, Mexican and U.S. governments via the Internet. The governments processed the submissions—which included proprietary information such as prices paid for merchandise and the declarations made to the governments for the payment (or refund) of import duties, taxes and fees—and returned the files to the trader or broker via the Internet.

* The Patent and Trademark Office developed the International Patent Document Exchange Project, which demonstrated the exchange of patent documents in secure electronic form between PTO, the European Patent Office, the Japanese Patent Office and the International Bureau of the World Intellectual Property Office to reduce processing costs and applicants' paperwork.

Half of the first projects would be expanded in the second phase of the project, said Richard Guida, GITS' champion for security and chairman of the Federal Public Key Infrastructure Steering Committee. Until funding has been finalized, Guida declined to name which projects or agencies are candidates to have their pilots beefed up during the second round. Eight new projects also will be funded.

"We had a number of very successful projects and some we did not feel were worth spending more money on," he said.

While much of the key-recovery technology available in 1996, when the first round of projects was launched, was immature, Guida said the new round of pilots will have a wider variety of commercial products from which to choose for their programs.

Guida said agencies, including many that have taken the position that they must store encrypted data in the form it was received, support the business case for key recovery.

"You have to have the ability to recover your private key or else there may be information that is encrypted forever," he said. "Your private key is securely held...until it is needed. Key recovery is nothing more than a smart business decision."

The second round of projects also will research interoperability of the key-recovery technology so that participating agencies will be encouraged to use public-key technology, which security experts often cite as being critical to securing electronic commerce.

"Interoperability is a very important element for agencies to accept the use of public-key technology," Guida said. "Agencies are naturally reluctant to step into the [public-key infrastructure] world...if their solution is going to be unique to that application. This is a good way to get public-key technology developed, focus on the interoperability piece and at the same time consider how business needs will be met."

The second round of projects also will test recovering keys to unscramble data during transmission. While recovering data during transmission has been a priority for law enforcement agencies, it is not something the private sector has expressed interest in, said Solveig Singleton, director of information studies at the Cato Institute, a public policy research institution. Singleton said the market for key-recovery products has not advanced quickly because of resistance to the technology from the private and public sectors. That reluctance stems from the contention that the products are expensive, cumbersome and present security problems, she said.

"Even within government agencies, adoption [of key-recovery products] has met with some amount of resistance," Singleton said. "These efforts have failed in the past. Pumping more money into this project is almost certainly not worthwhile."

Arnold Bresnick, associate chief information officer for policy at the Agriculture Department, said law enforcement should be in charge of lost or stolen keys because key recovery is vital to securing communications. "As an [employee of an] agency, I certainly want to have my funds transferred securely, [and] as a citizen, I don't want to conduct business that is not encrypted," he said.
