   The Washington Post, July 23, 1996, p. A17.


   The Cryptography Wars [Op-Ed]

   By Kenneth W. Dam and Herbert S. Lin


   The question of cryptography -- secret writing, as in
   codes, ciphers etc. -- and what government policy should be
   regarding its use is a matter both arcane and so
   contentious that it is sometimes referred to as the Bosnia
   of cyberspace. But in an information age it is critical.

   The problem is this: Individuals and businesses have a
   legitimate need to protect information from interlopers
   through the use of cryptography. But law enforcement
   officials fear that drug dealers and terrorists using
   cryptography will be able to thwart legally authorized
   surveillance and search warrants. National security
   officials are concerned that encrypted communications may
   frustrate intelligence collection against parties that
   might be building nuclear or biological weapons for use
   against the United States.

   But this conflict describes only part of the picture. After
   all, protecting a company's proprietary information against
   industrial spies is very much a part of law enforcement.
   Protecting critical national information systems and
   networks against unauthorized intruders is a key
   responsibility of national security. Thus, the use of
   cryptography can help law enforcement and national security
   as well as hinder them, as we pointed out in a recent
   report of the National Research Council (NRC).

   In a June 10 editorial ["Global Village Cops?"], The Post
   disagreed with that report, suggesting that law enforcement
   and national security interests require that current
   restrictions on cryptography be maintained. The Post
   asserted that it is "too soon" to accept that encryption
   can help law enforcement and national security.

   Reasonable people can disagree about the weights used in
   balancing cryptography's help vs. hindrance to law
   enforcement and national security. But arguing that it is
   premature to believe some uses of encryption do benefit law
   enforcement and national security simply denies reality. We
   emphatically reject The Post's implication that we
   "sacrificed" law enforcement and national security
   considerations in favor of economic interests.

   We also counsel against ineffective and self-defeating
   "solutions" sometimes proposed -- such as bans on the use
   of cryptography and stringent controls on exports of
   cryptography. A ban on encryption cannot be enforced, and
   it would put American companies at a significant
   disadvantage in a global information society.

   As for export controls on cryptography, they have for many
   years helped to deny the benefits of cryptography to
   foreign adversaries. But today's controls work to reduce
   the domestic availability of strong encryption and restrict
   U.S. sellers of technology from exporting products with
   such capabilities, even when foreign customers can buy them
   elsewhere. We believe export controls should be
   progressively relaxed, thereby strengthening the market
   leadership of U.S. vendors, itself important to our
   national security.

   To counter criminals and terrorists, the Clinton
   administration has pushed a plan whereby keys enabling
   messages to be read would be placed "in escrow" with a
   third party. In theory, this sort of "escrowed encryption"
   would allow legitimate users to protect their information
   while also giving law enforcement authorities the access
   they need. Critics feel this places the needs of law
   enforcement and national security authorities for
   information gathering and surveillance above the needs of
   businesses and individuals for information protection.

   Escrowed encryption seems to us to be a promising
   technology. But it is unproven: For now, government should
   view it as a tentative concept to be explored. Instead, the
   administration has sought in recent months to make the
   adoption of escrowed encryption the quid pro quo for a
   liberalization of export controls. We believe such linkage
   is unwarranted.

   Cryptography policy over the long term rests on four
   fundamentals: First, there is no cryptographic nirvana. The
   trade-offs between better information security and better
   government access to information are real. No politically
   feasible policy will fully satisfy all stakeholders.

   Second, individuals, business and government need a high
   degree of information security in today's world. Trade-offs
   that might have been appropriate in an information-poor
   society are not necessarily appropriate for an
   information-rich one.

   Third, government should help law enforcement and national
   security authorities adjust to the technical realities of
   the information age. Support for new technical capabilities
   will almost certainly help these authorities more than
   promoting escrowed encryption to a resistant market.

   Fourth, and perhaps most important, classified information
   is not necessary to carry out a rational discussion of
   national cryptography policy. The Post's editorial
   suggested that the law enforcement and national security
   cases for maintaining current restrictions on exports of
   cryptography depend on classified arguments. However, the
   cleared members of the NRC study committee (13 out of the
   16) were given access to this information, and concluded
   that the considerable strengths of the law enforcement and
   national security arguments on encryption can be
   demonstrated on the basis of information that is in the
   public domain. Indeed, only a fully open and inclusive
   public discussion can lead to the national consensus upon
   which any successful cryptography policy will depend.

   Acceptance of these principles could lead to a cease-fire
   among unhappy stakeholders. Such a cease-fire would be an
   important first step toward the national cryptography
   policy our nation needs so urgently.

   -----

   Kenneth W. Dam, a former deputy secretary of state,
   recently chaired the National Research Council Committee to
   Study National Cryptography Policy. Herbert S. Lin was
   study director for the committee.

   [End]







