DOD: Encryption export troubling

To the dismay of various national security and industry experts, senior Defense and intelligence officials have drawn a line in the sand regarding the export of powerful encryption technology.

Testifying this month before the House Armed Services Committee, John Hamre, deputy secretary of Defense, and Barbara McNamara, deputy director of the National Security Agency, said the Security and Freedom through Encryption (SAFE) Act could make it easier for terrorists to obtain the tools they need to evade detection and could disrupt the government's move to electronic commerce.

The SAFE Act would remove most of the restrictions placed on exports of strong encryption technology, making it easier for anyone, including terrorists and criminal organizations that might plan acts of violence, to conceal electronic communications. The House Armed Services Committee plans to mark up the SAFE Act next week.

If passed into law, the SAFE Act would "undermine the government's ability to provide timely, critical intelligence data to our national leaders and warfighters," Hamre said. In addition, the SAFE Act's mandatory prohibition on key escrow - a concept describing the ability of federal law enforcement agencies to recover and view encrypted data - could have a negative impact on the government's planned use of encryption products for programs ranging from electronic commerce to internal messaging, Hamre said.

"For example, some of our Defense finance centers process over $40 million [worth] of transactions an hour," he said. "There is no way that I am going to allow such activities to proceed without a way to recover the data. To the extent that we wish to make further use of...commercial products, commercial certificate managers and other elements of the private sector, this bill will inhibit progress that could benefit business, government and citizens alike."

McNamara added that the SAFE Act would "ultimately result in the loss of essential intelligence reporting." She holds the No. 2 position at NSA, the Defense Department's intelligence arm that is responsible for the interception and analysis of electronic communications around the world.

However, a recent survey conducted by the Cyberspace Policy Institute at George Washington University, Washington, D.C., found that encryption technology is widely available. The survey identified 805 hardware and software products that use cryptography. Those products were developed in 35 countries, with the majority of new products aimed at communications encryption. In addition, the survey found that the available products overseas ran the gamut of capabilities, including up to and above 128-bit encryption key length.

"On average, the quality of foreign and U.S. products is comparable," the survey said. In fact, "in the face of continuing U.S. export controls on encryption products, technology and services, some American companies have financed the creation or growth of foreign cryptographic firms," it said. Other U.S. firms have purchased foreign companies and have left their cryptography experts in place rather than bringing the talent back to the United States, according to the report.

"With the expertise offshore, the relatively stringent U.S. export controls for cryptographic products can be avoided since products can be shipped from countries with less stringent controls," the survey said.One such company identified in the survey is Entrust Technologies Inc., which is a U.S. company that develops cryptographic products in Canada and exports them from there. Entrust also is a major supplier of digital certificate services and public-key infrastructure products to U.S. government financial organizations.

Brian O'Higgins, executive vice president and chief technology officer with Entrust, said e-commerce is the driving force behind the easing of export controls - a force that cannot be stopped. "The commercial market needs [strong encryption]; therefore, the need will be filled," O'Higgins said. "The rule of the Internet is that if something can happen, it will. The controls will disappear at some point; we just don't know when. You can't stop electronic commerce."

Likewise, Jari Puhakka, a spokesman for Data Fellows Corp. - another company listed in the survey, with main offices in San Jose, Calif., and Espoo, Finland - said strong encryption products already are widely available. "Our position has been from the outset that if strong encryption is outlawed, then only outlaws will have strong encryption," Puhakka said. "Far from hampering crime and terrorism, expansive restrictions on cryptography will serve only to create an environment in which crime and terrorism can flourish with impunity."

In a response to FCW's request for official clarification of DOD's policy, a spokesman said that although foreign availability of strong encryption products may have an impact on the sales of U.S. encryption products abroad, "basing U.S. policy on foreign availability would be reactionary and would decrease the [Clinton] administration's ability to address its national security needs."

Steven Aftergood, an intelligence specialist working on the Project on Government Secrecy at the Federation of American Scientists, said the global market in encryption is "converging on a situation where strong encryption is going to be in widespread use by the bad guys as well as the good guys - if we are not already there." However, the logic behind DOD's argument remains "elusive," he said.

"Many officials evidently believe that there is a net advantage to be gained from delaying the widespread availability of strong encryption," Aftergood said. "But even these officials must realize that, for better or for worse, current controls are not sustainable for long."