For the past five years, the U.S. government and America's information industries—producers and users of computers, communications systems, software, information services—have been locked in a bitter and highly technical battle over cryptography policy: the rules of the game for techniques used to scramble and unscramble data. Such encryption and decryption is vital in maintaining the confidentiality of information (whether business information, financial transactions, personal medical records, or government secrets) passing through the exploding web of computer and communications links joining this nation together. The hard fought and often arcane debate has come to an inconclusive and unsatisfactory draw that does little to deal effectively with any of the conflicting objectives—civil liberties, economic competitiveness, law enforcement, and national security—brought to the bargaining table.
This does not have to be. There are reasonable compromises. A useful place to start is a national cryptography policy built around four key elements—strong cryptography put into wide use, a strengthened legal framework and electronic logging system that provides rigorous oversight and accountability for government access to the keys needed to intercept and read coded data, negotiation of an agreement with our close allies on a global encryption standard, and formation of a government/private sector oversight body to review both the overall security of our national information infrastructure and the voluntary testing and certification of encryption and security products.
POLICY BRIEF #21
Until the middle of this century, codemaking and codebreaking were primarily the concern of governments protecting diplomatic and military communications. World War II was a turning point for cryptography. The first primitive electronic computers were built by the United States and Britain during that war and used to break German and Japanese codes. Using technology and methods that remained closely guarded military secrets until the late 1970s, the Allies succeeded in building electronic machines to break the supposedly unbreakable codes used to encrypt virtually all Axis radio messages. This allowed the Allies, for example, to read signals sent by German submarines as they reported their locations, send forces to destroy them, and win the vitally important battle for the North Atlantic shipping lanes.
After the war, U.S. codebreakers continued to play a central role in the development of the fastest possible computers of the day, so-called supercomputers. In the late 1960s, others in the military funded research into damage-resistant digital communications networks that gave us the first working prototype of today's Internet.
As computers and network use also took hold within business in the 1960s and 1970s, cryptography (mainly the domain of government in earlier decades) increasingly began to protect sensitive business information stored in private sector computers. With outside computer links through communications networks growing, the dangers of unauthorized penetration into sensitive computer databases through these external ties also multiplied. The financial sector led these technological changes. As global financial markets, national banking systems, and local automated teller machines all went electronic, cryptographic systems were installed to protect sensitive data coursing through the digital arteries of finance.
Today, we are teetering at the precipice of an even wider transformation of the basic infrastructure for commerce. Telecommunications services, retailing, and the electric power grid are already organized around vast computer networks. Multinational companies link global operations over international networks. By 1999, all U.S. government benefits will be paid electronically. Doctors will access data and communicate remotely with patients, businesses will buy services from consultants, contractors will sell to government, researchers will provide policy advice, seminars will be organized—all over computer networks. Vast savings in time and resources and improvements in business productivity seem possible. For this leap forward in our economic infrastructure to be realized, however, the information running through the system will have to be authenticated, verified, protected from unauthorized access, and guarded against witting or unwitting corruption.
Equally profound changes are going on within the military establishments whose investments initially spurred the computer revolution. Our post-Desert Storm military forces are as dependent on complex computerized command, control, and communications networks as commercial industry. The Defense Department is today groping toward an information technology-based Revolution in Military Affairs, a future in which sensors, intelligence databases, command and control systems, precision munitions, and smart weapons platforms are seamlessly linked together in real time to deliver measured military force swiftly, surely, and over great distances.
In contrast to the situation of forty years ago, enormous private sector investments are today driving the engine of information technology, with the military largely drawing on commercial technology for its particular variant of the information revolution. Commercial and military computer and communications systems—like the core industrial infrastructure underlying modern military powerȧare hopelessly intermingled within the sinews of the U.S. information economy. A new term, information warfare, explicitly recognizes that an attack designed to disrupt our military capability or will to fight is as likely to target nominally civil infrastructure, like telecommunications networks, the electric power grid, the banking system, or air traffic control, as any purely military system.
Widespread use of effective cryptography to secure and protect the rivers of data flowing through computer and communications systems is needed now to enable the further development of the information infrastructure for tomorrow's high-tech economy and to protect military capabilities dependent on that same information infrastructure.
What Are the Issues?
The heated debate over cryptography policy is fundamentally driven by rapid technological change. The price of computing power has been dropping 20 to 30 percent annually over decades now, an order of magnitude greater than anything measured during the first great Industrial Revolution of two centuries ago.
Computing power is used to both make and break codes, and as the cost of computing power plummets, cryptographic systems that once offered adequate protection for data become insecure. By the same token, however, cheaper computers also make it cost effective to encrypt data where once it would have been uneconomic. Paradoxically, then, plummeting computing costs have both enabled the widespread use of encryption to defend information security and increased the ability of moderate to large organizations (in the private sector and governments) to afford the computing resources needed to successfully attack once-capable encryption systems. To balance these shifting forces, the United States must grapple with multiple and often conflicting objectives.
First, there are constitutional issues. On the one hand, the United States has a well-established tradition of respect for privacy and civil liberties that is a bedrock of our society. On the other hand, there are few absolute rights—under court order, communications can be legally intercepted, and private homes may be entered and searched. Encryption—like "speaking in tongues"—might even be interpreted as a form of speech and offered the greater protection that freedom of speech enjoys. Historically, the government has not attempted to control the use of encryption within domestic U.S. borders but instead limited its export overseas. Similarly, court orders are required to lawfully intercept domestic telephone conversations, but not for foreign traffic. The legal framework protecting data communications—including encryption of data—has not changed to address the many new channels for expression (and surveillance of expression) opened up by the computer revolution. It is now appropriate to establish an organized and systematic legal framework for our information society.
Second, we need to use strong cryptography to eb>nable electronic commerce on the burgeoning information infrastructure that is going up all around us. The potential economic benefits from moving forward rapidly to locate our businesses on the information superhighway seem large. Without ironclad security, however, no business is going to drive its sensitive data up the on-ramp. Strong cryptography is a small but vital piece in the systems that will provide information security.
Third, U.S. companies are world leaders in computers and communications, where success in global markets is an essential ingredient in maintaining competitive advantage. But the market for information technology is one in which capable foreign competitors stand ready to pick up the baton of technological leadership should American firms stumble. The economic preeminence of U.S. information technology companies—and the resulting benefits to the U.S. economy—are arguably at risk should U.S. producers be blocked from selling important technology that is available from foreign competitors.
Law enforcement objectives, in contrast, argue for controls on use of strong cryptography (while recognizing that cryptography also protects against electronic crimes). Since the dawn of the age of telephony, lawful wiretapping has been viewed as an essential tool for police, the legal extension of the right to enter and search under warrant. In the information age, with the proliferation of digital technology, cryptography has the potential to deny police the lawful access that they now enjoy to voice and data communications.
National security has been another powerful argument for limits on encryption. Though not often discussed openly, interception of foreign communications traffic is in all likelihood one of the most valuable and reliable sources of intelligence for defense and foreign policy purposes. Routine use of strong and difficult-to-break cryptography in, say, the global public telephone network would be a nightmare scenario for both law enforcement and the intelligence community.
But we should also recognize that while global availability of strong encryption may limit our offensive gathering of foreign intelligence and perhaps in the future, offensive "information warfare," the global economic success of U.S. information technology producers also has a positive value for offensive intelligence gathering. Even the strongest encryption technology may be rendered vulnerable by the way it is administered and used. A global marketplace dominated by the products of the United States and its allies—which will be well understood by a substantial community of American technologists—will be much more transparent to allied intelligence gathering than a world market dominated by the unfamiliar and poorly understood products of others.
And strong encryption, even if pervasive and unbreakable, will nonetheless have a positive national security value in protecting U.S. information from the snooping of adversaries, political and economic. It will also have significant value as a defensive rampart against the information warfare offensives of adversaries. Arguably the United States, now reliant on the most advanced and pervasive information infrastructure in the world, is also the nation with the most to lose to disruption by a successful offensive attack.
Finally, we must acknowledge that as more and more aspects of our personal and economic lives are connected to, and accessible over, the information superhighway—things like medical records, corporate accounts, personal travel plans, even daily calendars and diaries—the "wiretapping" metaphor for permitting government access to electronic information begins to break down. It is no strain to forecast a not-too-distant digital future in which almost everything—all sorts of personal information, records, even art and music—is stored or communicated electronically, connected to or accessible through some computer network. As the Worldwide Web reaches out to encompass all aspects of our lives, a surreptitious government access hatch begins to resemble a special door built into the basement of our homes through which government can enter without our knowledge or consent.
Our Constitution's protections against "unreasonable searches and seizures" should be our guide as we chart these deep and unknown waters. Government access to private information should be governed by clear rules that "we, the people" make after open debate. Even in simpler times, there have been occasional but deeply disturbing instances in which individuals in government have abused powers granted for legitimate law enforcement and national security purposes. As pervasive electronic tendrils from the information superhighway reach into the nooks and crannies of our lives, the potential damage from poor judgment (or worse yet, corruption) by some individual in government will be enormous. It is vital that a system with clear guidelines and strict accountability be put into place to oversee our national encryption policy as we strike a balance among the multiple, legitimate objectives.
Where Are We Now?
In the late 1970s, industry, in collaboration with the U.S. government, developed a Data Encryption Standard (DES) based on coding keys (sequences of binary digits, or bits) that were 56 bits long. Though widely used today, steady advances in computer performance now make this system vulnerable (commercial supercomputers almost double in power every year, sufficient to "break" a key that is one bit longer in some given time). Much stronger encryption systems are used within the military and other parts of the U.S. government. Until 1996, the State Department did not readily permit the export of encryption systems using keys longer than 40 bits, which can be easily broken today.
The Clinton administration, recognizing the need to promote commercial use of stronger encryption, unveiled such a system in April 1993 (actually developed under previous administrations but not publicly promoted). The system used special computer circuitry dubbed the "Clipper" chip, with decoding keys issued in two parts and held by two separate government agencies—within the Treasury Department and the Commerce Department. This Clipper chip initiative championed the concept of "key escrow," with government holding copies of the keys used to encrypt data, and argued for its voluntary adoption by the private sector as a solution to increasingly evident data security problems.
Since only stronger encryption systems using the Clipper chip, or similar technology, were likely to be approved for export, critics argued that the system was not really voluntary. No U.S. multinational corporation would want to build and maintain two separate computer and communications networksȧone for domestic use and one for international use.
There were other practical objections. It was unclear how foreign governments would react to companies operating in their nations giving the U.S. government the keys to read encrypted communications, or even if this would be required. There was suspicion that the Clipper chip, with its proprietary government-developed technology, was not as secure as advertised and might even allow surreptitious government interception without appropriate legal safeguards. Even more important, there was concern that a government-mandated technical solution was being imposed on an industry that was far more capable and responsive to continuing technological change than any cobwebbed and inflexible government bureaucracy, and that industry itself through market forces was much better able to work out the best solutions to its information security problems.
Furthermore, argued much of U.S. industry, increasingly capable foreign producers were beginning to market and sell encryption systems that were stronger than what U.S. industry would be permitted to sell in export markets. The net effect of administration policy, in this case, would be to tie the hands of U.S. industry and leave an important and growing segment of the information industry to foreign producers, free to sell any and all strong encryption products to customers anywhere.
Stung by these criticisms, the Clinton administration withdrew and regrouped. In mid-1994, it offered up a new proposal in which "trusted third parties" within the private sector, rather than the government itself, would act as key escrow agents. This did little to silence industry critics.
Finally, in 1996 the administration revealed a new plan and made some important changes in the direction of its policies. There would henceforth be no restrictions on exports of cryptographic systems—based on key length or technology—if those systems contained so-called key recovery features. That is, if U.S. exporters could demonstrate a viable plan in which trusted third parties (possibly including "self-escrow" within user organizations) would hold (and supply to government when presented "appropriate legal authority") information that would permit recovery of code keys and decryption of data, unrestricted export of such encryption systems would be allowed. Over an interim period of two years, exports of non-key recovery 56-bit cryptography systems would be permitted by producers demonstrating a commitment to develop viable key recovery systems. Cryptographic systems would be reclassified as a dual-use commercial product, rather than a munition, and export controls transferred from the State Department to the Commerce Department (though the Department of Justice would now play a new advisory role in the export licensing process). Finally, an explicitly international framework would be sought, with mutual access to national key recovery agents negotiated with foreign governments through carefully defined legal procedures.
Though some in the U.S. business community continued to object, initial reaction was much more favorable than with previous cryptography initiatives. The government had worked with U.S. business in developing the new initiative, and a number of major U.S. computer and software companies voiced support for the general principles outlined in the initiative. (A system that enabled recovery of their own encrypted business data, in fact, was actually useful to companies in dealing with the risks of employee turnover.) Others took a wait-and-see approach.
The wait was not a long one. Within months, a number of the proposal's initial supporters had publicly or privately defected as the details of its implementation were revealed. One major sticking point was the government's apparent desire to involve itself in frequent and detailed reviews of proprietary company business plans and progress in developing key recovery systems, as a condition for continued approval of interim exports of 56-bit systems.
By mid-1997, some additional problems had become visible. A U.S. attempt at internationalizing the key recovery principle met only limited success: a draft policy from the Organization for Economic Cooperation and Development (OECD) recommended only that the issues be left to national discretion. While the United States, Britain, and France publicly supported the idea (and Japanese officials made it clear privately that they too would cooperate), opinion in Germany was divided, and other countries hesitated. Dueling bills—establishing a legal framework for key recovery, decontrolling cryptography export—were debated on Capitol Hill. On the face of it, another impasse was shaping up.
In fact, however, with a little more flexibility and some degree of innovation, the basic elements of a reasonable compromise are now in sight and may yet be achieved. For the first time, the varied interests at stake are close enough to a workable solution to make establishment of a functioning and effective national cryptography policy a real possibility.
Seeking Common Ground
Four basic elements make up the core of what a national cryptography policy should do. First and foremost, strong cryptography—strong enough to resist the attacks that rapidly improving computer technology will continue to breed—must be available for routine business use. In an integrated global economy, this also means that it must be usable and exportable around the world. Current initiatives that would allow export of any technological solution, of unlimited strength, subject only to the proviso that an acceptable key recovery system be maintained with a suitably defined and trusted party (including self-escrow), are headed in the right direction. This will permit market forces to determine the most cost effective and flexible technologies, build in the ability to respond dynamically to continuing innovations in computer and communications technology, and yet maintain the ability of law enforcement and national security authorities to gain lawful access to encrypted communications when a critical national interest makes such access imperative.
But the government should be more forthright in presenting its case. Though it is true that no constraints on domestic use of encryption are being proposed, the only product likely to gain wide acceptance in today's global economy is cryptography that is exportable to one's foreign subsidiaries and business partners. The government should be crystal clear in acknowledging that this debate is in fact about the encryption systems that will be used widely within the domestic U.S. economy. Also, key recovery remains an untried and untested system. It is entirely possible that a better solution to the cryptography problem may be discovered as computing technology advances, and policy should be flexible enough to adapt if this happens. The critical thing is the principle: strong encryption, widely available, with the potential for lawful decryption by accountable authorities.
The government still must establish clear principles and a transparent cryptography policy. The new export regulations do not explicitly address a large number of significant issues (for example, backwards compatibility of key escrow with interim 56-bit systems, length of time escrowed keys must be kept for different types of data) that are now being defined in a piecemeal and private fashion as individual companies' key recovery product development plans are submitted with license requests. Various "exceptions" to the infant policy—permitting the export of stronger encryption without key recovery, for example, in specialized financial applications, or to banks and foreign subsidiaries of U.S. companies—are announced weekly. A "black box" process ("just submit it, and we'll tell you if it's OK") that sets limits on cryptography without open discussion and debate and forces Americans to struggle to infer the policy from the sparse and sometimes inaccurate details published in the press is totally unacceptable in an area this important to the nation.
A second core element of a new national policy—and one that has yet to be carefully addressed by any broad initiative—is the construction of a clear, up-to-date legal framework for, and safeguards on, government access to encrypted data and communications. Government access is only tolerable in pursuing the legitimate social objectives outlined earlier. The legal framework defining privacy and freedom of speech in electronic data and communications is currently a crazy, patchwork quilt with many holes in it. The administration's new rules specify that key recovery agents must hand over keys to the government within two hours after receiving "appropriate legal authority" but nowhere define precisely what this authority must be. Is a court order required, or merely a signature from a political appointee, and under what circumstances? Our laws should be debated and updated to define the answers better and more comprehensively, given current and foreseeable technological realities.
Careful attention must also be paid to the potential for abuse or corruption. Even after appropriate legal authority is granted on paper for some narrow purpose, there is typically substantial room for interpretation as to what is "reasonable" in deciding how wide to cast an electronic net in trapping suspicious communications and how to deal with unexpected discoveries that turn up. Most government officials can be expected to behave in a responsible and lawful way, but an excessively curious or aggressive, or even corrupt, official using a legal interception to "surf" through data or communications beyond its intended scope creates a potential for damage that will grow just as quickly as the information superhighway itself. The same computer technology that makes electronic communication so cheap and pervasive also makes it possible to electronically record and log, with a permanent and verifiable audit trail, any government interception of electronic communications. Just as financial services companies safeguard against abuse by logging and taping telephone contacts with customers, comprehensive logs and a verifiable audit trail should be automatically recorded and stored electronically in each and every instance that a government official intercepts private data or communications. In addition, tougher standards for private abuse of personal data and illegal access to private communications should be included in whatever new legal framework is adopted, and significant penalties should be defined.
Third, a national cryptography policy must recognize that the problems—and solutions—outlined above are inherently international in scope. Law enforcement, national security, regulation and oversight of global finance and trade are all areas that span national boundaries today and require cooperation among governments. Just as our private sector works with its foreign partners to define standards that allow it to operate easily and effectively in global markets, the U.S. government must work with foreign governments to define an international encryption policy that makes the U.S. approach compatible with foreign systems. U.S. requirements imposed on U.S.-based businesses must be compatible with the foreign environments in which they operate.
U.S. requirements should also be no more onerous than those imposed by foreign governments on their business communities. A level playing field, with common global rules of the game, is needed to avoid giving economic rivals competitive advantages over one another. The administration made an important and correct decision in seeking an international consensus on the key recovery approach to strong encryption and must be sure to continue to work hard in seeking this common global approach. While it has yet to achieve such a consensus within the OECD, many of the key players with the technical capability to ship advanced cryptography products and affect global markets—Britain, France, and (quietly) Japan—are supporting the U.S. approach, and if a few more (like Germany and Israel) can be brought on board, the critical mass around which the core of an international agreement can be assembled will exist.
Finally, with cryptography set to play such a key role in tomorrow's information infrastructure, some new institution that provides a framework for business and government to jointly examine both the overall security of our information infrastructure and the integrity of its individual parts is needed. At the micro level, we must recognize that acquiring a cryptographic product is not like buying a computer or autoȧ simply testing or using it within an organization gives insufficient insight into its quality or utility. The essence of an effective cryptography system is what the most capable and potentially hostile forces outside a business or other organization can do with the system. There are also obvious economic benefits from some sort of government-industry testing and certification process that spares individual customers a costly and duplicative investment in determining the effectiveness of a cryptography product (and makes use of sensitive information that may be available only to the government). At the macro level, the integrity of our power grid, banking system, and phone network are clearly as vital to our national security as the number of transport aircraft the U.S. Air Force buys, and both government and industry have an obvious interest in scrutinizing the entire information infrastructure and taking steps to reduce weaknesses and vulnerabilities. Government and the private sector should form an oversight body tasked with both reviewing the overall integrity and security of the national information infrastructure and creating a voluntary testing and certification process for the information security products developed by the private sector.
A national cryptography policy built around these four elements—strong cryptography put into wide use, a strengthened legal framework and electronic logging system that provides rigorous oversight and accountability for government access to the keys needed to intercept and read coded data, negotiation of an agreement with our close allies on a global encryption standard, and formation of a government/private sector oversight body to review both the overall security of our national information infrastructure and the voluntary testing and certification of encryption and security products—will leave many (maybe even most) participants in the current debate unsatisfied. An absolute right to privacy would not be created in the electronic realm. The government would probably face greater constraints in seeking lawful access to electronic communications, and maintenance of auditable records probably will create some additional costs. Business is being asked to bear some burden in keeping the keys needed to decrypt confidential communications for a time. Intelligence and national security officials will be more dependent than ever before on cooperation with their allied counterparts. Cooperation on common rules of the game for encryption at the international level will have to be carefully negotiated. None of this will be painless. But it must be done if we are to balance an important and complex set of interests as we enter the next century, the age of the information society.