Note: for index of full report see: http://jya.com/nrcindex.htm

---------

[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]


                           Part II

                     Policy Instruments


   To the best of the committee's knowledge, the goals of U.S.
cryptography policy have not been explicitly formalized and
articulated within the government. However, senior government
officials have indicated that U.S. cryptography policy seeks
to promote the following objectives:

   +    Deployment of encryption adequate and strong enough to
protect electronic commerce that may be transacted on the
future information infrastructure;

   +    Development and adoption of global (rather than
national) standards and solutions;

   +    Widespread deployment of capabilities into products
with encryption capabilities for confidentiality that enables
legal access for law enforcement and national security
purposes; and

   +    Avoidance of the development of de facto cryptography
standards (either domestically or globally) that do not permit
access for law enforcement and national security purposes,
thus ensuring that the use of such products remains relatively
limited.

   Many analysts believe that these goals are irreconcilable.
To the extent that this is so, the U.S. government is thus
faced with a policy problem requiring a compromise among these
goals that is tolerable, though by assumption not ideal with
respect to any individual goal. Such has always been the case
with many issues that generate social controversy -- balancing
product safety against the undesirability of burdensome
regulation on product vendors, public health against the
rights of individuals to refuse medical treatment, and so on.

   As this report is being written, U.S. cryptography policy
is still evolving, and the particular laws, regulations, and
other levers that government uses to influence behavior and
policy are under review or being developed.

   Chapter 4 is devoted to the subject of export controls,
which dominate industry concerns about national cryptography
policy. Many senior executives in the information technology
industry perceive these controls as a major limitation on
their ability to export products with encryption capabilities.
Furthermore, because exports of products with encryption
capabilities are governed by the regime applied to
technologies associated with munitions, reflecting the
importance of cryptography to national security, they are
generally subject to more stringent controls than exports of
other computer-related technologies.

   Chapter 5 addresses the subject of escrowed encryption.
Escrowed encryption is a form of encryption intended to
provide strong protection for legitimate uses but also to
permit exceptional access by government officials, by
corporate employers, or by end users under specified
circumstances. Since 1993, the Clinton Administration has
aggressively promoted escrowed encryption as a basic pillar of
national cryptography policy. Public concerns about escrowed
encryption have focused on the possibilities for failure in
the mechanisms intended to prevent improper access to
encrypted information, leading to losses of confidentiality.

   Chapter 6 addresses a variety of other aspects of national
cryptography policy and public concerns that these aspects
have raised.

____________________________________________________________


                              4

                       Export Controls


   Export controls on cryptography and related technical data
have been a pillar of national cryptography policy for many
years. Increasingly, they have generated controversy because
they pit the needs of national security to conduct signals
intelligence against the information security needs of
legitimate U.S. businesses and the markets of U.S.
manufacturers whose products might meet these needs. Chapter
4 describes the current state of export controls on
cryptography and issues that these controls raise, including
their effectiveness in achieving their stated objectives;
negative effects that the export control regime has on U.S.
businesses and U.S. vendors of information technology that
must be weighed against the positive effects of reducing the
use of cryptography abroad; the mismatch between vendor and
government perceptions of export controls; and various other
aspects of the export control process as it is experienced by
those subject to it.


      4.1 BRIEF DESCRIPTION OF CURRENT EXPORT CONTROLS

   Many advanced industrialized nations maintain controls on
exports of cryptography, including the United States. The
discussion below focuses on U.S. export controls; Appendix G
addresses foreign export control regimes on cryptography.


           4.1.1 The Rationale for Export Controls

   On the basis of discussion with senior government officials
and its own deliberations, the committee believes that the
current U.S. export control regime on products with encryption
capabilities for confidentiality is intended to serve two
primary purposes:

   +    To delay the spread of strong cryptographic
capabilities and the use of those capabilities throughout the
world. Senior intelligence officials recognize that in the
long run, the ability of intelligence agencies to engage in
signals intelligence will inevitably diminish due to a variety
of technological trends, including the greater use of
cryptography.(1)

   +    To give the U.S. government a tool for monitoring and
influencing the commercial development of cryptography. Since
any U.S. vendor that wishes to export a product with
encryption capabilities for confidentiality must approach the
U.S. government for permission to do so, the export license
approval process is an opportunity for the U.S. government to
learn in detail about the capabilities of such products.
Moreover, the results of the license approval process have
influenced the cryptography that is available on the
international market.

----------

   (1)  Although the committee came to this conclusion on its
own, it is consistent with that of the Office of Technology
Assessment, *Information Security and Privacy in Network
Environments*, Washington, D.C., September 1994.

____________________________________________________________


                4.1.2 General Description(2)

   Authority to regulate imports and exports of products with
cryptographic capabilities to and from the United States
derives from two items of legislation: the Arms Export Control
Act (AECA) of 1949 (intended to regulate munitions) and the
Export Administration Act (EAA; intended to regulate so-called
dual-use products(3)). The AECA is the legislative basis for
the International Traffic in Arms Regulations (ITAR), in which
the U.S. Munitions List (USML) is defined and specified. Items
on the USML are regarded for purposes of import and export as
munitions, and the ITAR are administered by the Department of
State. The EAA is the legislative basis for the Export
Administration Regulations (EAR), which define dual-use items
on a list known as the Commerce Control List (CCL)(4); the EAR
are administered by the Department of Commerce. The EAA lapsed
in 1994 but has been continued under executive order since
that time. Both the AECA and the EAA specify sanctions that
can be applied in the event that recipients of goods exported
from the United States fail to comply with all relevant
requirements, such as agreements to refrain from reexport (Box
4.1).

   At present, products with encryption capabilities can be
imported into the United States without restriction, although
the President does have statutory authority to regulate such
imports if appropriate. Exports are a different matter. Any
export of an item covered by the USML requires a specific
affirmative decision by the State Department's Office of
Defense Trade Controls, a process that can be time-consuming
and cumbersome from the perspective of the vendor and
prospective foreign purchaser.

   The ITAR regulate and control exports of all "cryptographic
systems, equipment, assemblies, modules, integrated circuits,
components or software with the capability of maintaining
secrecy or confidentiality of information or information
systems"; in addition, they regulate information about
cryptography that is not implemented in a product, in a category
known as "technical data."(5)

   Until 1983, USML controls were maintained on all
cryptography products. However, since that time, a number of
relaxations in these controls have been implemented (Box 4.2),
although many critics contend that such relaxation has lagged
significantly behind the evolving marketplace. Today, the ITAR
provide a number of categorical exemptions that allow
for products in those categories to be regulated as dual-use
items and controlled exclusively by the CCL. For products that
do not fall into these categories and for which there is some
question about whether it is the USML or the CCL that governs
their export, the ITAR also provide for a procedure known as
commodity jurisdiction,(6) under which potential exporters can
obtain judgments from the State Department about which list
governs a specific product. A product granted commodity
jurisdiction to the CCL falls under the control of the EAR and
the Department of Commerce. Note that commodity jurisdiction
to the CCL is generally granted for products with encryption
capabilities using 40-bit keys regardless of the algorithm
used, although these decisions are made on a product-by-
product basis. In addition, when a case-by-case export
licensing decision results in CCL jurisdiction for a software
product, it is usually only the object code, which cannot be
modified easily, that is transferred; the source code of the
product (embedding the identical functionality but more easily
modified) generally remains on the USML.

   As described in Box 4.3, key differences between the USML
and the CCL have the effect that items on the CCL enjoy more
liberal export consideration than items on the USML. (This
report uses the term "liberal export consideration" to mean
treatment under the CCL.) Most importantly, a product
controlled by the CCL is reviewed only once by the U.S.
government, thus drastically simplifying the marketing and
sale of the product overseas.

   The most important of these explicit categorical exemptions
to the USML for cryptography are described in Box 4.4. In
addition, the current export control regime provides for an
individual case-by-case review of USML licensing applications
for products that do not fall under the jurisdiction of the
CCL. Under current practice, USML licenses to acquire and
export for internal use products with encryption capabilities
stronger than that provided by 40-bit RC2/RC4 encryption
(hereafter in this chapter called "strong encryption"(7)) are
generally granted to U.S.-controlled firms (i.e., U.S. firms
operating abroad, U.S.-controlled foreign firms, or foreign
subsidiaries of a U.S. firm). In addition, banks and financial
institutions (including stock brokerages and insurance
companies), whether U.S.-controlled or owned or foreign-owned,
are generally granted USML licenses for strong cryptography
for use in internal communications and communications with
other banks even if these communications are not limited
strictly to banking or money transactions.

   In September 1994, the Administration promulgated
regulations that provided for U.S. vendors to distribute
approved products with encryption capabilities for
confidentiality directly from the United States to foreign
customers without using a foreign distributor and without
prior State Department approval for each export.(8) It also
announced plans to finalize a "personal use exemption" to
allow license-free temporary exports of products with
encryption capabilities when intended for personal use; a
final rule on the personal use exemption was announced in
early 1996 and is discussed below in Section 4.3.2. Lastly, it
announced a number of actions intended to streamline the
export control process to provide more rapid turnaround for
certain "preapproved" products.

   In August 1995, the Administration announced a proposal to
liberalize export controls on software products with
encryption capabilities for confidentiality that use
algorithms with a key space of 64 or fewer bits, provided that
the key(s) required to decrypt messages and files are
"properly escrowed"; such products would be transferred to the
CCL. However, since an understanding of this proposal requires
some background in escrowed encryption, discussion of it is 
deferred to Chapter 5.

----------

   (2)  Two references that provide detailed descriptions of
the U.S. export control regime for products with encryption
capability are a memorandum by Fred Greguras of the law firm
Fenwick & West (Palo Alto, Calif.), dated March 6, 1995, and
titled "Update on Current Status of U.S. Export Administration
Regulations on Software" (available on
http://www.batnet.com/oikoumene/SftwareEU.html), and a paper
by Ira Rubenstein ("Export Controls on Encryption Software,"
in *Coping with U.S. Export Controls 1994*, October 18, 1995
(PLI Com. Law & Practice Course Handbook Series No. A-733,
1995)). The Greguras memorandum focuses primarily on the
requirements of products controlled by the Commerce Control
List, while the Rubenstein paper focuses primarily on how to
move a product from the Munitions List to the Commerce Control
List.

   (3)  A dual-use item is one that has both military and
civilian applications.

   (4)  The CCL is also commonly known as the Commodity
Control List.

   (5)  However, all encryption products intended for domestic
Canadian use in general do not require export licenses.

   (6)  Commodity jurisdiction is also often known by its
acronym, CJ.

   (7)  How much stronger than 40-bit RC2/RC4 is unspecified.
Products incorporating the 56-bit DES algorithm are often
approved for these informal exemptions, and at times even
products using larger key sizes have been approved. But the
key size is not unlimited, as may be the case under the
explicit categorical exemptions specified in the ITAR.

   (8)  Prior to this rule, almost every encryption export
required an individual license. Only those exports covered by
a distribution arrangement could be shipped without an
individual license. This distribution arrangement required a
U.S. vendor of products with cryptographic capabilities to
export to a foreign distributor that could then resell them to
multiple end users. The distribution arrangement had to be
approved by the State Department and included some specific
language. Under the new rule, a U.S. vendor without a foreign
distributor can essentially act as his own distributor, and
avoid having to obtain a separate license for each sale.
Exporters are required to submit a proposed arrangement
identifying, among other things, specific items to be shipped,
proposed end users and end use, and countries to which the
items are destined. Upon approval of the arrangement,
exporters are permitted to ship the specified products
directly to end users in the approved countries based on a
single license. See Bureau of Political-Military Affairs,
Department of State, "Amendment to the International Traffic
in Arms Regulations," *Federal Register*, September 2, 1994.

____________________________________________________________


       4.1.3 Discussion of Current Licensing Practices


The Categorical Exemptions

   The categorical exemptions described in Box 4.4 raise a
number of issues:

   +    In the case of the 40-bit limitation, the committee
was unable to find a specific analytical basis for this
figure. Most likely, it was the result of a set of compromises
that were politically driven by all of the parties
involved.(9) However, whatever the basis for this key size,
recent successful demonstrations of the ability to undertake
brute-force cryptanalysis on messages encrypted with a 40-bit
key (Box 4.5) have led to a widespread perception that such
key sizes are inadequate for meaningful information security.

   +    In the case of products intended for use only in
banking or money transactions, the exemption results from the
recognition by national security authorities that the
integrity of the world's financial system is worth protecting
with high levels of cryptographic security. Given the primacy
of the U.S. banking community in international financial
markets, such a conclusion makes eminent sense. Furthermore,
at the time this exemption was promulgated, the financial
community was the primary customer for products with
encryption capabilities.

   This rationale for protecting banking and money
transactions naturally calls attention to the possibilities
inherent in a world of electronic commerce, in which routine
communications will be increasingly likely to include
information related to financial transactions. Banks (and
retail shops, manufacturers, suppliers, end customers, and so
on) will engage in such communications across national
borders. In a future world of electronic commerce, connections
among nonfinancial institutions may become as important as the
banking networks are today. At least one vendor has been
granted authority to use strong encryption in software
intended for export that would support international
electronic commerce (though under the terms of the license,
strong encryption applies only to a small portion of the
transaction message).(10)

   +    In the case of products useful only for user
authentication, access control, and data integrity, the
exemption resulted from a judgment that the benefits of more
easily available technology for these purposes outweigh
whatever costs there might be to such availability. Thus, in
principle, these nonconfidentiality products from U.S. vendors
should be available overseas without significant restriction.

   In practice, however, this is not entirely the case. Export
restrictions on confidentiality have some "spillover" effects
that reduce somewhat the availability of products that are
intended primarily for authentication.(11)

   Another spillover effect arises from a desire among vendors
and users to build and use products that integrate multiple
cryptographic capabilities (for confidentiality and for
authentication/integrity) with general-purpose functionality.
In many instances, it is possible for cryptography for
authentication/integrity and cryptography for confidentiality
to draw on the same algorithm. Export control regulations may
require that a vendor weaken or even eliminate the encryption
capabilities of a product that also provides
authentication/integrity capabilities, with all of the
consequent costs for users and vendors (as described in
Section 4.3).

   Such spillover effects suggest that government actions that
discourage capabilities for confidentiality may also have some
negative impact on the development and use of products with
authentication/integrity capabilities even if there is no
direct prohibition or restriction on export of products with
capabilities only for the latter.


Informal Noncodified Practices

   As described above, it is current practice to grant USML
licenses for exports of strong cryptography to firms in a
number of categories described in Box 4.4. However, the fact
that this practice is not explicitly codified contributes to
a sense of uncertainty among vendors and users about the
process and in practice leads to unnecessary delays in license
processing.

   In addition, there is uncertainty about whether or not a
given foreign company is "controlled" by a U.S. firm.
Specifically, vendors often do not know (and cannot find out
in advance) whether a proposed sale to a particular foreign
company falls under the protection of this unstated exemption.
As a practical rule, the U.S. government has a specific set of
guidelines that are used to make this determination.(12) But
these rules require considerable interpretation and thus do
not provide clear guidance for U.S. vendors.

   A third issue that arises with current practice is that the
lines between "foreign" and "U.S." companies are blurring in
an era of transnational corporations, ad hoc strategic
alliances, and close cooperation between suppliers and
customers of all types. For example, U.S. companies often team
with foreign companies in global or international ventures. It
would be desirable for U.S. products with encryption
capabilities to be used by both partners to conduct business
related to such alliances without requiring a specific export
licensing decision.(13)

   In some instances, USML licenses have granted U.S.
companies the authority to use strong encryption rather freely
(e.g., in the case of a U.S. company with worldwide
suppliers). But these licenses are still the result of a
lengthy case-by-case review whose outcome is uncertain.
Finally, the State Department and NSA explicitly assert
control over products without any cryptographic capability at
all but developed with "sockets," or more formally,
cryptographic applications programming interfaces into which
a user can insert his own cryptography. Such products are
regarded as having an inherent cryptographic capability
(although such capability is latent rather than manifest), and
as such are controlled by the USML, even though the text of
the ITAR does not mention these items explicitly.(14) In
general, vendors and users understand this to be the practice
and do not challenge it, but they dislike the fact that it is
not explicit.

----------

   (9)  It is worth noting a common argument among many
nongovernment observers that any level of encryption that
qualifies for export (e.g., that qualifies for control by the
CCL, or that is granted an export license under the USML) must
be easily defeatable by NSA, or else NSA would not allow it to
leave the country. The subtext of this argument is that such
a level of encryption is perforce inadequate. Of course,
taken to its logical conclusion, this argument renders
impossible any agreement between national security authorities
and vendors and users regarding acceptable levels of
encryption for export.

   (10) "Export Approved for Software to Aid Commerce on
Internet," *New York Times*, May 8, 1995, p. D-7.

   (11) For example, the Kerberos operating system is designed to provide
strong cryptographic authentication of users (and hence strong
access control for system resources). Typically, Kerberos is
distributed in the United States in source code through the
Internet to increase its usability on a wide range of
platforms, to accommodate diverse user needs, and to increase
maintainability; source code distribution is a common practice
on the Internet. However, since Kerberos uses the DES
algorithm as the cryptographic engine to support its
authentication features, the source code for Kerberos is
controlled under the USML and is not available through the
Internet to foreign end users. It is thus fair to say that
Kerberos is less used by foreign users than it might be if
there were no export controls on products with encryption
capabilities, even though the primary purpose of Kerberos is
authentication. Note that Kerberos is also designed with
operating system calls that support confidentiality. These
calls are stripped out of the exportable version of Kerberos,
which is only available in object form in any event.

   A second example was provided in testimony to the committee
from a company that had eliminated all cryptographic
capabilities from a certain product because of its perceptions
of the export control hurdles to be overcome. The capabilities
eliminated included those for authentication. While it can be
argued that the company was simply ignorant of the exemptions
in the ITAR for products providing authentication
capabilities, the fact remains that much of the vendor
community is either not familiar with the exemptions or does
not believe that they represent true "fast-track" or
"automatic" exceptions.

   (12) Under Defense Department guidelines for determining
foreign ownership, control, or influence (FOCI), a U.S.
company is considered under FOCI "whenever a foreign interest
has the power, direct or indirect, whether or not exercised,
and whether or not exercisable through the ownership of the
U.S. company's securities, by contractual arrangements or
other means, to direct or decide matters affecting the
management or operations of that company in a manner which may
result in unauthorized access to classified information or may
affect adversely the performance of classified contracts." A
FOCI determination for a given company is made on the basis of
a number of factors, including whether a foreign person
occupies a controlling or dominant minority position; the
identification of immediate, intermediate and ultimate parent
organizations. (See Department of Defense, *National
Industrial Security Program Operating Manual*, DOD-5220.22-M,
January 1995, pp. 2-3-1 to 2-3-2.) According to ITAR
Regulation 122.2, "ownership" means that more than 50 percent
of the outstanding voting securities of the firm are owned by
one or more foreign persons. "Control" means that one or more
foreign persons have the authority or ability to establish or
direct the general policies or day-to-day operations of the
firm. Control is presumed to exist where foreign persons own
25 percent or more of the outstanding voting securities if no
U.S. persons control an equal or larger percentage. The
standards for control specified in 22 CFR 60.2(c) also provide
guidance in determining whether control in fact exists.
Defense Department Form 4415, August 1990, requires answers to
11 questions in order for the Defense Department to make a
FOCI determination for any given company.

   (13) In one instance reported to the committee, a major
multinational company with customer support offices in China
experienced a break-in in which Chinese nationals apparently
copied paper documents and computer files. File encryption
would have mitigated the impact associated with this "bag
job." Then-current export restrictions hampered deployment of
encryption to this site because the site was owned by a
foreign (Chinese) company rather than a U.S.-controlled
company and therefore not easily covered under then-current
practice.

____________________________________________________________


    4.2 EFFECTIVENESS OF EXPORT CONTROLS ON CRYPTOGRAPHY


   One of the most contentious points in the debate over
export controls on cryptography concerns their effectiveness
in delaying the spread of strong cryptographic capabilities
and the use of those capabilities throughout the world.
Supporters of the current export control regime believe that
these controls have been effective, and they point to the fact
that encryption is not yet in widespread commercial use abroad
and that a significant fraction of the traffic intercepted
globally is unencrypted. Further, they argue that U.S.
products with encryption capabilities dominate the
international market to an extent that impeding the
distribution of U.S. products necessarily affects worldwide
usage. Critics of current policy assert that export controls
have not been effective in limiting the availability of
cryptography abroad. For example, based on its ongoing survey
of cryptography products worldwide (a study widely cited by
critics of current policy), Trusted Information Systems Inc.
has noted that:

   [w]e have now identified 1181 products worldwide [as of
   March 30, 1996], and we're continuing to learn about new
   products, both domestic and foreign, on a daily basis.
   We've also obtained numerous products from abroad and are
   examining these products to assess their functionality and
   security. The survey results show that cryptography is
   indeed widespread throughout the world. Export controls
   outside of the U.S. appear to be less restrictive. The
   quality of foreign products seems to be comparable to that
   of U.S. products.(15)

   Furthermore, critics of U.S. export controls argue that
sources other than U.S. commercial vendors (specifically
foreign vendors, the in-house expertise of foreign users,
Internet software downloads, and pirated U.S. software) are
capable of providing very good cryptography that is usable by
motivated foreign users.

   In assessing the arguments of both supporters and critics
of the current export control regime, it is important to keep
in mind that the ultimate goal of export controls on
cryptography is to keep strong cryptography out of the hands
of potential targets of signals intelligence. Set against this
goal, the committee believes that the arguments of both
supporters and critics have merit but require qualification.

   The supporters of the current export regime are right in
asserting that U.S. export controls have had a nontrivial
impact in retarding the use of cryptography worldwide. This
argument is based on three linked factors.

   +    U.S. export controls on cryptography have clearly
limited the sale of U.S. products with encryption capabilities
in foreign markets; indeed, it is this fact that drives the
primary objection of U.S. information technology vendors to
the current export control regime on cryptography.

   +    Very few foreign vendors offer integrated products
with encryption capabilities.(16) U.S. information technology
products enjoy a very high reputation for quality and
usability, and U.S. information technology vendors, especially
those in the mass-market software arena, have marketing and
distribution skills that are as yet unparalleled by their
foreign counterparts. As a result, foreign vendors have yet to
fill the void left by an absence of U.S. products.

   +    U.S. information technology products account for a
large fraction of global sales. For example, a recent U.S.
International Trade Commission staff report points out that
over half of all world sales in information technology come
from the United States.(17) Actions that impede the flow of U.S.
products to foreign consumers are bound to have significant
effects on the rate at which those products are purchased and
used.

   On the other hand, it is also true that some foreign
targets of interest to the U.S. government today use
encryption that is for all practical purposes unbreakable;
major powers tend to use "home-grown" cryptography that they
procure on the same basis that the United States procures
cryptography for its own use, and export controls on U.S.
products clearly cannot prevent these powers from using such
cryptography.

   Furthermore, the fact that cryptography is not being widely
used abroad does not necessarily imply that export controls
are effective--or will be in the near future--in restraining
the use of cryptography by those who desire the protection it
can provide. The fact is that cryptography is not used widely
either in the United States or abroad, and so it is unclear
whether it is the lack of information security consciousness
described in Chapter 2 or the U.S. export control regime for
cryptography that is responsible for such non-use; most
probably, it is some combination of these two factors.

   The critics of the current export regime are right in
asserting that foreign suppliers of cryptography are many and
varied, that software products with encryption capabilities
are quite available through the Internet (probably hundreds of
thousands of individuals have the technical skill needed to
download such products), and that cryptography does pose
special difficulties for national authorities wishing to
control such technology (Box 4.6). Yet, most products with
encryption capabilities available on the Internet are not
integrated products; using security-specific products is
generally less convenient than using integrated products (as
described in Chapter 2), and because such products are used
less often, their existence and availability pose less of a
threat to the collection of signals intelligence.

   Furthermore, Internet products are, as a general rule,
minimally supported and do not have the backing of reputable
and established vendors.(18) Users who download software from
the Internet may or may not know exactly what code the product
contains and may not have the capability to test it to ensure
that it functions as described.(19) Corporate customers, the
primary driver for large-scale deployment of products, are
unlikely to rely on products that are not sold and supported
by reputable vendors, and it is products with a large
installed base (i.e., those created by major software vendors)
that would be more likely to have the high-quality encryption
that poses a threat to signals intelligence. Box 4.7 describes
the primary differences between commercial products and
"freeware" available on the Internet.

   The committee's brief survey of product literature
describing foreign stand-alone security-specific products with
encryption capabilities (Box 4.8) also indicated many
implementations that were unsound from a security standpoint,
even taking for granted the mathematical strength of the
algorithms involved and the proper implementation of the
indicated algorithms.(20) The committee has no reason to
believe that the stand-alone security-specific products with
encryption capabilities made by U.S. vendors are on average
better at providing security,(21) although the large
established software vendors in the United States do have
reputations for providing relatively high quality in their
products for features unrelated to security.(22) Without an
acceptable product certification service, most users have no
reliable way of determining the quality of any given product
for themselves.

   As a general rule, a potential user of cryptography faces
the choice of buying commercially available products with
encryption capabilities on the open market (perhaps
custom-made, perhaps produced for a mass market) or developing
and deploying those products independently. The arguments
discussed above suggest that global dissemination of knowledge
about cryptography makes independent development an option,
but the problems of implementing knowledge as a usable and
secure product drive many potential users to seek products
available from reputable vendors. In general, the greater the
resources available to potential users and the larger the
stakes involved, the more likely they are to attempt to
develop their own cryptographic resources. Thus, large
corporations and First World governments are, in general, more
likely than small corporations and Third World governments to
develop their own cryptographic implementations.

   Finally, the text of the ITAR seems to allow a number of
entirely legal actions that could have results that the
current export control regime is intended to prevent (see Box
4.9). For example, RSA Data Security Inc. has announced a
partnership with the Chinese government to fund an effort by 
Chinese government scientists to develop new encryption
software. This software may be able to provide a higher degree
of confidentiality than software that qualifies today for
liberal export consideration under the CCL.(23)

----------

   (14) Specifically, the ITAR place on the USML
"cryptographic devices, software, and components specifically
designed or modified therefor, including: cryptographic
(including key management) systems, equipment, assemblies,
modules, integrated circuits, components or software with the
capability of maintaining secrecy or confidentiality of
information or information systems." Note that these
categories do not explicitly mention systems without
cryptography but with the capability of accepting "plug-in"
cryptography.

   (15) Available on line from the TIS home page,
http://www.tis.com; at the time of its presentation to the
committee, TIS had identified 450 such products available from
foreign nations. Testimony on this topic was first presented
by Steven Walker, president of Trusted Information Systems, to
the House Committee on Foreign Affairs, Subcommittee on
Economic Policy, Trade, and Environment, on October 12, 1993.
TIS briefed the committee on December 15, 1994, and July 19,
1995. The survey mentioned in testimony to the committee
continues, and regularly updated figures can be found on the 
TIS Web page (http://www.tis.com/crypto-survey).

   (16) The Department of Commerce and the National Security
Agency found no general-purpose software products with
encryption capability from non-U.S. manufacturers. See
Department of Commerce and National Security Agency, *A Study
of the International Market for Computer Software with
Encryption*, January 11, 1996, p. 111-9.

   (17) Office of Industries, U.S. International Trade
Commission, *Global Competitiveness of the U.S. Computer
Software and Service Industries*. Staff Research Study #21,
Washington, D.C., June 1995, executive summary.

   (18) Whether major vendors will continue to avoid the
Internet as a distribution medium remains to be seen. Even
today, a number of important products, including Adobe's
Acrobat Reader, Microsoft's Word Viewer and Internet
Assistant, and the Netscape Navigator are distributed through
the Internet. Some vendors make products freely available in
limited functionality versions as an incentive for users to
obtain full-featured versions; others make software products
freely available to all takers in order to stimulate demand
for other products from that vendor for which customers pay.

   (19) Indeed, the lack of quality control for
Internet-available software provides an opportunity for those
objecting to the proliferation of good products with
encryption capability to flood the market with their own
products anonymously or pseudonymously; such products may
include features that grant clandestine access with little
effort.

   (20) The committee's analysis of foreign stand-alone
products for cryptography was based on material provided to
the committee by TIS, which TIS had collected through its
survey. This material was limited to product brochures and
manuals, which the committee believes puts the best possible
face on a product's quality. Thus, the committee's
identification of security defects in these products is
plausibly regarded as a minimum estimate of their
weaknesses--more extensive testing (e.g., involving
disassembly) would be likely to reveal additional weaknesses,
since implementation defects would not be written up in a
product brochure. Moreover, the availability of a product
brochure does not ensure the availability of the corresponding
product; TIS has brochures for all of the 800-plus products
identified in its survey, but due to limited resources, it has
been able to obtain physical versions (e.g., a disk, a circuit
board) of fewer than 10 percent of the products described in
those brochures.

   (21) An "amateur" review of encryption for confidentiality
built into several popular U.S. mass-market software programs
noted that the encryption facilities did not provide
particularly good protection. The person who reviewed these
programs was not skilled in cryptography but was competent in
his understanding of programming and how the Macintosh manages
files. By using a few commonly available programming tools (a
file compare program, a "debugger" that allows the user to
trace the flow of how a program executes, and a "disassembler"
that turns object code into source code that can be examined),
the reviewer was able to access in less than two hours the
"protected" files generated by four out of eight programs. See
Gene Steinberg, "False Security," *MACWORLD*, November 1995,
pp. 118-121.

   One well-publicized cryptographic security flaw found in
the Netscape Corporation's Navigator Web browser is discussed
in footnote 34 in Chapter 2. Because of a second flaw,
Netscape Navigator could also enable a sophisticated user to
damage information stored on the host computer to which
Navigator is connected. (See Jared Sandberg, "Netscape
Software for Cruising Internet Is Found to Have Another
Security Flaw," *Wall Street Journal*, September 25, 1995, p.
B-12.)

   (22) In addition, a product with a large installed base is
subject to a greater degree of critical examination than a
product with a small installed base, and hence flaws in the
former are more likely to be noticed and fixed. Large
installed bases are more characteristic of products produced
by established vendors than of freeware or shareware
producers.

   (23) See Don Clark, "China, U.S. Firm Challenge U.S. on
Encryption-Software Exports," *Wall Street Journal*, February
8, 1996, p. A-10.

____________________________________________________________


              4.3 THE IMPACT OF EXPORT CONTROLS
           ON U.S. INFORMATION TECHNOLOGY VENDORS


   U.S. export controls have a number of interrelated effects
on the economic health of U.S. vendors and on the level of
cryptographic protection available to U.S. firms operating
domestically. (The impact of foreign import controls on U.S.
vendors is discussed in Chapter 6 and Appendix G.)


                 4.3.1 De Facto Restrictions
         on the Domestic Availability of Cryptography

   Current law and policy place no formal restrictions
whatever on products with encryption capabilities that may be
sold or used in the United States. In principle, the domestic
market can already obtain any type of cryptography it wants.
For stand-alone security-specific products, this principle is
true in practice as well. But the largest markets are not for
stand-alone security-specific products, but rather for
integrated products with encryption capabilities.

   For integrated products with encryption capabilities,
export controls do have an effect on domestic availability.
For example,

   +    The Netscape Communications Corporation distributes a
version of Netscape Navigator over the Internet and sells a
version as shrink-wrapped software. Because the Internet
version can be downloaded from abroad, its encryption
capabilities are limited to those that will allow for liberal
export consideration; the shrink-wrapped version is under no
such limitation and in fact is capable of much higher levels
of encryption.(24) Because it is so much more convenient to
obtain, the Internet version of Netscape Navigator is much
more widely deployed in the United States than is the
shrink-wrapped version, with all of the consequences for
information security that its weaker encryption capability
implies.

   +    The Microsoft Corporation recently received permission
to ship Windows NT Version 4, a product that incorporates a
cryptographic applications programming interface approved by
the U.S. government for commodity jurisdiction to the CCL.
However, this product is being shipped worldwide with a
cryptographic module that provides encryption capabilities
using 40-bit RC4.(25) While domestic users may replace the
default module with one providing stronger encryption
capabilities, many will not, and the result is a weaker
encryption capability for those users.

   +    A major U.S. software vendor distributes its major
product in modular form in such a way that the end user can
assemble a system configuration in accordance with local
needs. However, since the full range of USML export controls
on encryption is applied to modular products into which
cryptographic modules may be inserted, this vendor has not
been able to find a sensible business approach to distributing
the product in such a way that it would qualify for liberal
export consideration. The result has been that the encryption
capabilities provided to domestic users of this product are
much less than they would otherwise be in the absence of
export controls.

   What factors underlie the choices made by vendors that
result in the outcomes described above? At one level, the
examples above are simply the result of market decisions and
preferences. At a sufficiently high level of domestic market
demand, U.S. vendors would find it profitable and appropriate
to develop products for the domestic market alone. Similarly,
given a sufficiently large business opportunity in a foreign
country (or countries) that called for a product significantly
different from that used by domestic users, vendors would be
willing to develop a customized version of a product that
would meet export control requirements. Furthermore, many
other manufacturers of exportable products must cope with a
myriad of different requirements for export to different
nations (e.g., differing national standards for power, safety,
and electromagnetic interference), as well as differing
languages in which to write error messages or user manuals.
From this perspective, export controls are simply one more
cost of doing business outside the United States.

   On the other hand, the fact that export controls are an
additional cost of doing business outside the United States is
not an advantage for U.S. companies planning to export
products. A vendor incurs less expense and lower effort for a
single version of a product produced for both domestic and
foreign markets than it does when multiple versions are
involved. While the actual cost of developing two different
versions of a product with different key lengths and different
algorithms is relatively small, a much larger part of the
expense associated with multiple versions relates to
marketing, manufacture, support, and maintenance of multiple
product versions after the initial sale has been made.(26)

   Since a vendor may be unable to export a given product with
encryption capabilities to foreign markets, domestic market
opportunities must be that much greater to warrant a
domestic-only version. (Given that about half of all sales of
U.S. information technology vendors are made to foreign
customers, the loss of foreign markets can be quite damaging
to a U.S. vendor.(27)) When they are not, vendors have every
incentive to develop products with encryption capabilities
that would easily qualify for liberal export consideration. As
a result, the domestic availability of products with strong
encryption capability is diminished.

   While a sufficiently high level of domestic market demand
would make it profitable for U.S. vendors to develop products
for the domestic market alone, the "sufficiently" qualifier is
a strong one indeed, given the realities of the market into
which vendors must sell and compete, and one infrequently met
in practice.

   Users are also affected by an export control regime that
forces foreign and domestic parties in communication with each
other to use encryption systems based on different algorithms
and/or key lengths. In particular, an adversary attempting to
steal information will seek out the weakest point. If that
weakest point is abroad because of the weak cryptography
allowed for liberal export, then that is where the attack will
be. In businesses with worldwide network connections, it is
critical that security measures be taken abroad, even if key
information repositories and centers of activity are located
in the continental United States. Put differently, the use of
weak cryptography abroad means that sensitive information
communicated by U.S. businesses to foreign parties faces a
greater risk of compromise abroad because stronger
cryptography integrated into U.S. information technology is
not easily available abroad.

   Finally, the export licensing process can have a
significant impact on how a product is developed. For example,
until recently, products developed to permit the user to
substitute easily his own cryptography module were subject to
the USML and the ITAR.(28) One vendor pointed out to the
committee that its systems were designed to be assembled "out
of the box" by end users in a modular fashion, depending on
their needs and computing environment. This vendor believed
that such systems would be unlikely to obtain liberal export
consideration, because of the likelihood that a foreign user
would be able to replace an "export-approved" cryptography
module with a cryptography module that would not pass export
review. Under these circumstances, the sensible thing from the
export control perspective would be to deny exportability for
the modularized product even if its capabilities did fall
within the "safe harbor" provisions for products with
encryption capabilities.

   The considerations above led the committee to conclude that
U.S. export controls have had a negative impact on the
cryptographic strength of many integrated products with
encryption capabilities available in the United States.(29)
Export controls tend to drive major vendors to a "least common
denominator" cryptographic solution that will pass export
review as well as sell in the United States. The committee
also believes that export controls have had some impact on the
availability of cryptographic authentication capabilities
around the world. Export controls distort the global market
for cryptography, and the product decisions of vendors that 
might be made in one way in the absence of export controls 
may well be made another way in their presence.

   Some of the reasons for this vendor choice are explored in 
the next section.

----------

   (24) The shrink-wrapped version of Netscape Navigator sold
within the United States and Canada supports several different
levels of encryption, including 40-bit RC4, 128-bit RC4,
56-bit DES, and triple-DES. The default for a domestic client
communicating with a domestic server is 128-bit RC4. Source:
Jeff Weinstein, Netscape Communications Corporation, Mountain
View, California, personal communication.

   (25) See Jason Pontin, "Microsoft Encryption API to Debut
in NT Workstation Beta," *Infoworld*, January 29, 1996, p. 25.

   (26) Note that development and support concerns are even
more significant when a given product is intended for
cross-platform use (i.e., for use in different computing
environments such as Windows, Mac OS, Unix, and so on), as is
the case for many high-end software products (such as database
retrieval systems): when a product is intended for use on 50
different platforms, multiplying by a factor of two the effort
required on the part of the vendor entails much more of an
effort by the vendor than if the product were intended for use
on only one platform. 

   (27) See footnote 17.

   (28) Note, however, that the use of object-oriented
software technology can in general facilitate the use of
applications programming interfaces that provide "hooks" to
modules of the user's choosing. A number of vendors have
developed or are developing general-purpose applications
programming interfaces that will allow the insertion of a
module to do almost anything. Since these programming
interfaces are not specialized for cryptography, but instead
enable many useful functions (e.g., file compression,
backups), it is very difficult to argue the basis on which
applications incorporating these interfaces should be denied
export licenses simply because they *could* be used to support
encryption.

   A further discussion of recent developments involving
cryptography modules and cryptographic applications
programming interfaces is contained in Chapter 7.

   (29) A similar conclusion was reached by the FBI, whose
testimony to the committee noted that "the use of export
controls may well have slowed the speed, proliferation, and
volume of encryption products sold in the U.S." Written
Statement of "FBI Input to the NRC's National Cryptographic
Study Committee," received December 1, 1995.

____________________________________________________________


                4.3.2 Regulatory Uncertainty
                 Related to Export Controls

   A critical factor that differentiates the costs of
complying with export controls from other costs of doing
business abroad is the unpredictability of the export control
licensing process. (Other dimensions of uncertainty for
vendors not related to export controls are discussed in
Chapter 6.) A company must face the possibility that despite
its best efforts, a USML export license or a commodity
jurisdiction to the CCL will not be granted for a product.
Uncertainties about the decisions that will emerge from the
export control regime force vendors into very conservative
planning scenarios. In estimating benefits and costs,
corporate planners must take into account the additional costs
that could be incurred in developing two largely independent
versions of the same product or limit the size of the
potential market to U.S. purchasers. When such planning
requirements are imposed, the number of product offerings
possible is necessarily reduced.

   USML licensing is particularly unpredictable, because the
reasons that a license is denied in any given instance are not
necessarily made available to the applicant; in some cases,
the rationale for specific licensing decisions is based on
considerations that are highly classified and by law cannot be
made available to an uncleared applicant. Since such
rationales cannot be discussed openly, an atmosphere of
considerable uncertainty pervades the development process for
vendors seeking to develop products for overseas markets.
Furthermore, there is no independent adjudicating forum to
which a negative licensing decision can be appealed.

   Since USML licensing is undertaken on a case-by-case basis,
it requires the exercise of judgment on the part of the
regulatory authorities. A judgment-based approach has the
disadvantage that it requires a considerable degree of trust
between the regulated and the regulator.(30) To the extent
that an individual regulated party believes that the regulator
is acting in the best interests of the entire regulated
community, it is natural that it would be more willing to
accept the legitimacy of the process that led to a given
result. However, in instances in which those that are
regulated do not trust the regulator, judgments of the
regulator are much more likely to be seen as arbitrary and
capricious.(31)

   This situation currently characterizes the relationship
between cryptography vendors/users and national security
authorities responsible for implementing the U.S. export
control regime for cryptography. In input received by the
committee, virtually all industry representatives, from large
to small companies, testified about the unpredictability of
the process. From the vendor point of view, the resulting
uncertainty inhibits product development and allows negative
decisions on export to be rendered by unknown forces and/or
government agencies with neither explanation nor a reasonable
possibility of appeal.

   The need to stay far away from the vague boundaries of what
might or might not be acceptable is clearly an inhibitor of
technological progress and development. Vendor concerns are
exacerbated in those instances in which export control
authorities are unwilling to provide a specific reason for the
denial of an export license or any assurance that a similarly
but not identically configured product with encryption
capabilities would pass export review. Even worse from the
vendor perspective, product parameters are not the only
determinant of whether a licensing decision will be favorable
except in a very limited and narrow range of cryptographic
functionality.

   The uncertainty described above is not limited to new and
inexperienced vendors encountering the U.S. export control
regime for the first time; large and sophisticated
institutions with international connections have also
encountered difficulties with the current export control
regime. For example, a representative from a major U.S. bank
with many international branches reported that export controls
affect internally developed bank software with encryption
capabilities; a U.S. citizen who works on bank software with
encryption capabilities in England may "taint" that software
so that it falls under U.S. export control guidelines. Thus,
despite the fact that the current export control regime treats
banks and other financial institutions relatively liberally,
major banks have still struggled under the limitations of the
export control regime.

   The situation is worse for smaller companies. While large
companies have experience and legal staffs that help them to
cope with the export control regime, small companies do not.
New work on information technology often begins in garage-shop
operations, and the export control regime can be particularly
daunting to a firm with neither the legal expertise nor the
contacts to facilitate compliance of a product with all of the
appropriate regulations. These companies in particular are the
ones most likely to decide in the end to avoid entirely the
inclusion of cryptographic features due to concern of running
afoul of the export control rules.

   The following three examples illustrate how the
unpredictability of the export control licensing process has
affected U.S. vendors and their products.


Modularity

   As noted above, cryptographic applications programming
interfaces that are directly and easily accessible to the user
are in general subject to USML licensing. However, even
"closed" interfaces that are not easily accessible to the user
are sometimes perceived to pose a risk for the vendor. One
major product vendor reported to the committee that it was
reluctant to use modular development for fear that even an
internal module interface could keep a product from passing
export control review. Any software product that uses modular
techniques to separate the basic product functionality from
the cryptography has a well-defined interface between the two.
Even when the software product is converted to object code,
that interface is still present (though it is hidden from the
casual user). However, the interface cannot in general be
hidden from a person with strong technical skills, and such a
person would be able to find it and tamper with it in such a
way that a different cryptography module could be used.(32) A
number of similar considerations apply for hardware products,
in which the cryptographic capabilities might be provided by
a "plug-in" chip.

   The alternative to the use of modular techniques in the
development of integrated products would complicate the
"swap-in/swap-out" of cryptographic capabilities: lines of
code (if software) and wires (if hardware) that implemented
cryptographic capabilities would be highly interwoven with
lines of code and wires that implemented the primary
capabilities of the product. On the other hand, this approach
would be tantamount to the development of two largely distinct
products with little overlap in the work that was required to
produce them.

   The NSA has spoken publicly about its willingness to
discuss with vendors from the early stages of product design
features and capabilities of proposed products with encryption
capabilities for confidentiality so that the export license
approval process can be facilitated, and its willingness to
abide by nondisclosure agreements to reassure vendors that
their intellectual property rights will be protected.(33)
Nonetheless, the receipt of an export control license useful
for business purposes is not guaranteed by such cooperation.
For example, while decisions about commodity jurisdiction
often provide CCL jurisdiction for object code and USML
jurisdiction for source code (and thus need not inhibit
modular product development if the product is to be
distributed in object form only), the fact remains that such
decisions are part of a case-by-case review whose outcome is
uncertain. Different vendors are willing to tolerate different
levels of risk in this regard, depending on the magnitude of
the investments involved.

   As a general rule, NSA does not appear willing to make
agreements in advance that will assure licenses for a product
that has not yet been instantiated or produced. Such a
position is not unreasonable given NSA's stance toward
products with encryption capabilities in general, and the fact
that the true capabilities of a product may depend strongly on
how it is actually implemented in hardware or software. Thus,
vendors have no indemnification against the risk that a
product might not be approved.(34)


The Definition of Export

   There is uncertainty about what specific act constitutes
the "export" of software products with encryption
capabilities. It is reasonably clear that the act of mailing
to a foreign country a disk with a product with encryption
capabilities on it constitutes an export of that product. But
if that product is uploaded to an Internet site located in the
United States and is later downloaded by a user located in
another country, is the act of export the upload or the
download? What precautions must be taken by the uploader to
remain on the legal side of the ITAR?

   The committee has been unable to find any formal document
that indicates answers to these questions. However, a March
1994 letter from the State Department Office of Defense Trade
Controls appears to indicate that a party could permit the
posting of cryptographic software on an Internet host located
in the United States if "(a) the host system is configured so
that only people originating from nodes in the United States
and Canada can access the cryptographic software, or (b) if
the software is placed in a file or directory whose name
changes every few minutes, and the name of the file or
directory is displayed in a publicly known and readable file
containing an explicit notice that the software is for U.S.
and Canadian use only."(35) Of course, such a letter does not
provide formal guidance to parties other than the intended
addressee (indeed, under the ITAR, advisory opinions provided
to a specific party with a given set of circumstances are not
binding on the State Department even with respect to that
party), and so the issue remains murky.


The Speed of the Licensing Process

   Uncertainty is also generated by a lengthy licensing
process without time lines that allow vendors to make
realistic schedules. Box 4.10 describes some of the problems
reported to the committee. To summarize, the perceptions of
many vendors about the excessive length of time it takes to
obtain a license reflect the time required for discussions
with NSA about a product before an application is formally
submitted; the prospect of facing the export control process
deters some vendors entirely from creating certain products at
all. By contrast, NSA starts the clock only when it receives
a formal application, and in fact the usual time between
receipt of a formal application and rendering of a decision is
relatively short (a few weeks). The reason that such a fast
turnaround is possible is that by the time the application is
received, enough is known about the product involved that
processing is routine because there is no need for negotiation
about how the product must be changed for a license to be
approved.

   In response to some of these concerns, the U.S. government
has undertaken a number of reforms of the export control
regime (described in Section 4.1) to reduce the hassle and red
tape involved in obtaining export licenses.(36) These reforms
are important. Nevertheless, the pace at which new information
technology products develop and the increasing complexity of
those products will complicate product review efforts in the
future. Given relatively fixed staffing, these factors will
tend to increase the length of time needed to conduct product
reviews at a time when vendors are feeling pressures to
develop and market products more rapidly.

   One particular reform effort that deserves discussion is
the "personal use" exemption. For many years, Americans
traveling abroad were required under the ITAR to obtain
"temporary export licenses" for products with encryption
capabilities carried overseas for their personal use.(37) The
complexity of the procedure for obtaining such a license was
a considerable burden for U.S. businesspeople traveling
abroad, and these individuals were subject to significant
criminal penalties for an act that was widely recognized to be
harmless and well within the intent of the export control
regime.

   In February 1994, the Administration committed itself to
promulgating regulations to support a personal-use exemption
from the licensing requirement. Two years later, on February
16, 1996, the *Federal Register* contained a notice from the
Department of State, Bureau of Political Military Affairs,
announcing final rule of an amendment to the International
Traffic in Arms Regulation (ITAR) allowing U.S. persons to
temporarily export cryptographic products for personal use
without the need for an export license.(38)

   Some critics of government policy have objected to the
particular formulation of the record-keeping requirement. All
parties involved--including senior Administration
officials--have agreed that 2 years was far too long a period
for promulgation of so simple a rule.

----------

   (30) In contrast to a judgment-based approach, a
clarity-based approach would start from the premise that
regulations and laws should be as clear as possible, so that
a party that may be affected knows with a high degree of
certainty what is and is not permitted or proscribed. The
downside of a clarity-based approach is that affected parties
tend to go "right up to the line" of what is prohibited and
may seek ways to "design around" any stated limitations.
Furthermore, a clarity-based approach would require the
specification, in advance, of all acts that are prohibited,
even when it may not be possible to define in advance all acts
that would be undesirable.

   (31) For example, critics of the uncertainty engendered by
the export regime point out that uncertainty is helpful to
policy makers who wish to retain flexibility to modify policy
without the work or publicity required for a formal regulatory
change.

   (32) Of course, such considerations obviously apply to
software products with cryptographic capabilities that are
designed to be shipped in source code; not only can the
cryptographic module be easily identified and replaced, but it
can also be pulled out and adapted to other purposes. This
point was also raised in footnote 11 of this chapter.

   (33) For example, NSA representatives made comments to this
effect at the RSA Data Security Conference in San Francisco,
California, in January 1995.

   (34) Although other industries also have to deal with the
uncertainties of regulatory approval regarding products and
services, the export control process is particularly opaque,
because clear decisions and rationales for those decisions are
often not forthcoming (and indeed are often classified and/or
unrelated to the product per se).

   (35) Letter from Clyde Bryant, Office of Defense Trade
Controls, U.S. Department of State, Washington, D.C., to
Daniel Appelman, Heller, Ehrman, White & McAuliffe, dated
March 11, 1994.

   (36) For example, according to NSA, the detailing of an NSA
representative to work with the State Department Office of
Defense Trade Controls has resulted in a considerable
reduction in the time needed to process a license.

   (37) For a description of how this process worked in
practice, see Matt Blaze, *My Life As an International Arms
Courier*, e-mail message circulated by Matt Blaze
(mab@research.att.com) on January 6, 1995. A news article
based on Blaze's story is contained in Peter H. Lewis,
"Between a Hacker and a Hard Place: Data-Security Export Law
Puts Businesses in a Bind," *New York Times*, April 10, 1995,
p. D-1.

   (38) According to the regulation, the product must not be
intended for copying, demonstration, marketing, sale,
re-export, or transfer of ownership or control. It must remain
in the possession of the exporting person, which includes
being locked in a hotel room or safe. While in transit, it
must be with the person's accompanying baggage. Exports to
certain countries are prohibited--currently Cuba, Iran, Iraq,
Libya, North Korea, Sudan, and Syria. The exporter must
maintain records of each temporary export for 5 years. See
*Federal Register*, Volume 61(33), Friday, February 16, 1996,
Public Notice 2294, pp. 6111-6113.

____________________________________________________________


            4.3.3 The Size of the Affected Market
                      for Cryptography

   Since export controls on products with encryption
capabilities constrain certain aspects of sales abroad,
considerable public attention has focused on the size of the
market that may have been affected by export controls. Vendors
in particular raise the issue of market share with
considerable force:

   +    "The only effect of the export controls is to cause
economic harm to US software companies that are losing market
share in the global cryptography market to companies from the
many countries that do not have export controls."(39)

   +    "[The government's current policy on encryption] is
anti-competitive. The government's encryption export policy
jeopardizes the future of the software industry, one of the
fastest growing and most successful industries."(40)

   The size of the market for products with encryption
capabilities cuts across many dimensions of cryptography
policy, but since it is raised most often in the context of
the export control debate, it is addressed in this section.

   Plausible arguments can be made that the market ranges from
no more than the value of the security-specific products sold
annually (i.e., several hundred million dollars per year--a
low-end estimate)(41) to the total value of all hardware and
software products that might include encryption capabilities
(many tens of billions of dollars--a high-end estimate).(42)
The committee was unable to determine the size of the
information technology market directly affected by export
controls on encryption to within a factor of more than 100, a
range of uncertainty that renders any estimate of the market
quite difficult to use as the basis for a public policy
decision.

   Nevertheless, although it is not large enough to be
decisive in the policy debate, the floor of such estimates--a
few hundred million dollars per year--is not a trivial sum.
Furthermore, all trends point to growth in this number, growth
that may well be very large and nonlinear in the near future.
To the extent that both of these observations are valid, it is
only a matter of a relatively short time before even the floor
of any estimate will be quite significant in economic terms.

   The next three subsections describe some of the factors
that confound the narrowing of the large range of uncertainty
in any estimate of the size of the market affected by export
controls.


Defining a "Lost Sale"

   A number of vendors have pointed to specific instances of
lost sales as a measure of the harm done to the vendors as the
result of export controls on cryptography.(43) National
security officials believe that these figures are considerably
overstated. Administration officials and congressional staff
have expressed considerable frustration in pinning down a
reliable estimate of lost sales. It is important to begin with
the understanding that the concept of a "lost sale" is
intrinsically soft. Trying to define the term "lost sales"
raises a number of questions:

   +     What events count as a sale lost because of export
restrictions? Several possibilities illustrate the
complications:

        -- A U.S. vendor is invited along with foreign vendors
        to bid on a foreign project that involves
        cryptography, but declines because the bid
        requirements are explicit and the U.S. vendor knows
        that the necessary export licenses will not be
        forthcoming on a time scale compatible with the
        project.

        -- A U.S. vendor is invited along with foreign vendors
        to bid on a foreign project that involves
        cryptography. In order to expedite export licensing,
        the U.S. vendor offers a bid that involves 40-bit
        encryption (thus ignoring the bid requirements), and
        the bid is rejected.

        -- A U.S. vendor is invited along with foreign vendors
        to bid on a foreign project that involves
        cryptography. A foreign vendor emerges as the winner.
        The sale is certainly a lost sale, but since customers
        often make decisions with a number of reasons in mind
        and may not inform losing vendors of their reasons, it
        is difficult to determine the relationship of export
        controls to the lost sale.

        -- No U.S. vendor is invited to bid on a foreign
        project that involves cryptography. In such an
        instance, the potential foreign customer may have
        avoided U.S. vendors, recognizing that the
        cryptography would subject the sale to U.S. export
        control scrutiny, possibly compromising sensitive
        information or delaying contract negotiations
        inordinately. On the other hand, the potential
        customer may have avoided U.S. vendors for other
        reasons, e.g., because the price of the U.S. product
        was too high.

   +     What part of a product's value is represented by the
cryptographic functionality that limits a product's sales when
export controls apply? As noted in Chapter 2, stand-alone
products with encryption capabilities are qualitatively
different from general-purpose products integrated with
encryption capabilities. A security-specific stand-alone
product provides no other functionality, and so the value of
the cryptography is the entire cost of the product. But such
sales account for a very small fraction of information
technology sales. Most sales of information technology
products with encryption capabilities are integrated products.
Many word processing and spreadsheet programs may have
encryption capabilities, but users do not purchase such
programs for those capabilities -- they purchase them to
enhance their ability to work with text and numbers.
Integrated products intended for use in networked environments
(e.g., "groupware") may well have encryption capability, but
such products are purchased primarily to serve collaboration
needs rather than encryption functions. In these instances, it
is the cost of the entire integrated product (which may not be
exportable if encryption is a necessary but secondary feature)
that counts as the value lost.

   +     How does a vendor discover a "lost sale"? In some
cases, a specific rejection counts as evidence. But in general
there is no systematic way to collect reliable data on the
number or value of lost sales.

   +     An often-unnoticed dimension of "lost sales" does not
involve product sales at all, but rather services whose
delivery may depend on cryptographic protection. For example,
a number of U.S. on-line service providers (e.g., America
Online, CompuServe, Prodigy) are intending to offer or expand
access abroad;(44) the same is true for U.S. providers of
telecommunications services.(45) To the extent that
maintaining the security of foreign interactions with these
service providers depends on the use of strong cryptography,
the ability of these companies to provide these services may
be compromised by export restrictions and thus sales of
service potentially reduced.


Latent vs. Actual Demand

   In considering the size of the market for cryptography, it
is important to distinguish between "actual" demand and
"latent" demand.

   +     Actual demand reflects what users spend on products
with encryption capabilities. While the value of "the market
for cryptography" is relatively well defined in the case of
stand-alone security-specific products (it is simply the value
of all of the sales of such products), it is not well defined
when integrated products with encryption capabilities are
involved. The reason is that for such products, there is no
demand for cryptography per se. Rather, users have a need for
products that do useful things; cryptography is a feature
added by designers to protect users from outside threats to
their work, but as a purely defensive capability, cryptography
does not so much add functional value for the user as protect
against reductions in the value that the user sees in the
product. Lotus Notes, for example, would not be a viable
product in the communications software market without its
encryption capabilities, but users buy it for the group
collaboration capabilities that it provides rather than for
the encryption per se.

   +     Latent demand (i.e., inherent demand that users do
not realize or wish to acknowledge but that surfaces when a
product satisfying this demand appears on the market) is even
harder to measure or assess. Recent examples include Internet
usage and faxes; in these instances, the underlying technology
has been available for many years, but only recently have
large numbers of people been able to apply these technologies
for useful purposes. Lower prices and increasing ease of use,
prompted in part by greater demand, have stimulated even more
demand. To the extent that there is a latent demand for
cryptography, the inclusion of cryptographic features into
integrated products might well stimulate a demand for
cryptography that grows out of knowledge and practice, out of
learning by doing.

   Determining the extent of latent demand is complicated
greatly by the fact that latent demand can be converted into
actual demand on a relatively short time scale. Indeed, such
growth curves -- very slow growth in use for a while and then
a sudden explosion of demand -- characterize many critical
mass phenomena: some information technologies (e.g., networks,
faxes, telephones) are valuable only if some critical mass of
people use them. Once that critical mass is reached, other
people begin to use those technologies, and demand takes off.
Linear extrapolations 5 or 10 years into the future based on
5 or 10 years in the past miss this very nonlinear effect.

   Of course, it is difficult to predict a surge in demand
before it actually occurs. In the case of cryptography, market
analysts have been predicting significantly higher demand for
many years; today, growth rates are high, but demand for
information security products including cryptography is not
yet ubiquitous.

   Two important considerations bearing directly on demand are
increasing system complexity and the need for
interoperability. Users must be able to count on a high degree
of interoperability in the systems and software they purchase
if they are to operate smoothly across national boundaries (as
described in Chapter 1). Users understand that it is more
difficult to make different products interoperate, even if
they are provided by the same vendor, than to use a single
product. For example, the complexity of a product generally
rises as a function of the number of products with which it
must interoperate, because a new product must interoperate
with already-deployed products. Increased complexity almost
always increases vulnerabilities in the system or network that
connects those products. In addition, more complex products
tend to be more difficult to use and require greater technical
skill to maintain and manage; thus, purchasers tend to shy
away from such products. This reluctance, in turn, dampens
demand, even if the underlying need is still present.

   From the supply side, vendors feel considerable pressure
from users to develop interoperable products. But greater
technical skills are needed by vendors to ensure
interoperability among different product versions than to
design a single product that will be used universally, just as
they are for users involved in operation and maintenance of
these products. Requirements for higher degrees of technical
skill translate into smaller talent pools from which vendors
can draw and thus fewer products available that can meet
purchasers' needs for interoperability.

   Problems relating to interoperability and system
complexity, as well as the size of the installed base, have
contributed to the slow pace of demand to date for products
with encryption capabilities.

   Nevertheless, the committee believes it is only a matter of
time until a surge occurs, at the same time acknowledging the
similarity between this prediction and other previous
predictions regarding demand. This belief is based on
projections regarding the growth of networked applications(46)
and the trends discussed in Chapter 1--increasing demand for
all kinds of information technology, increasing geographic
dispersion of businesses across international boundaries,
increasing diversity of parties wishing/needing to communicate
with each other, and increasing diversity in information
technology applications and uses in all activities of a
business. Further, the committee believes that computer users
the world over have approximately the same computing needs as
domestic users, and so domestic trends in computing (including
demand for more information security) will be reflected
abroad, though perhaps later (probably years later but not
decades later).


Market Development

   A third issue in assessing the size of the market for
cryptography is the extent to which judgments should be made
on the basis of today's market conditions (which are known
with a higher certainty) rather than markets that may be at
risk tomorrow (which are known with a much lower degree of
certainty).

   The market for certain types of software tends to develop
in a characteristic manner. In particular, the long-term
success of infrastructure software (i.e., software that
supports fundamental business operations such as operating
systems or groupware) depends strongly on the product's market
timing; once such software is integrated into the
infrastructure of the installing organization, demands for
backward-compatibility make it difficult for the organization
to install any alternative.(47) In other words, an existing
software infrastructure inhibits technological change even if
better software might be available. It is for this reason that
in some software markets, major advantages accrue to the first
provider of a reasonable product.

   These pressures complicate life for government policy
makers who would naturally prefer a more deliberate approach
to policy making, because it is only during a small window of
time that their decisions are relevant--the sooner they act,
the better. The longer they wait, the higher will be the
percentage of companies that have already made their
technology choices, and these companies will face large
changeover costs if policy decisions entail incompatible
alternatives to their currently deployed infrastructure. If
the initial choices of companies involve putting non-U.S.
software in place, U.S. vendors fear that they will have lost
huge future market opportunities.(48)

----------

   (39) Jim Hassert, *Washington Connections*, Software
Publishers Association, Washington, D.C., Chapter 9. Available
on-line at http://www.spa.org.

   (40) Business Software Alliance, *Information and Data
Security: The Encryption Update.* Available on-line from
http://www.bsa.org.

   (41)  U.S. Department of Commerce and National Security
Agency, *A Study of the International Market for Computer
Software with Encryption*, prepared for the Interagency
Working Group on Encryption and Telecommunications Policy,
Office of the Secretary of Commerce, January 11, 1996, p.
III-1. Note, however, that this report does not arrive at this
estimate independently; rather, it cites other estimates made
in the private sector.

   (42)  Of course, it is a matter of speculation what
fraction of the information technology market (on the order of
$193 billion in 1993; see below) might usefully possess
encryption capabilities; good arguments can be made to suggest
that this fraction is very small or very large. A number of
information technology trade organizations have also made
estimates. The Software Publishers Association cited a survey
by the National Computer Security Association that quoted a
figure of $160 million in aggregate known losses in 1993
because of export controls; see "Written Testimony of the
Software Publishers Association to the National Research
Council," Washington, D.C., July 19, 1995. In 1993, the
Business Software Alliance estimated that "approximately $6-9
billion in U.S. company revenues are currently at risk because
of the inability of those companies to be able to sell world
wide generally available software with encryption capabilities
employing DES or other comparable strength algorithms;" see
Testimony of Ray Ozzie, president, Iris Associates, on behalf
of the Business Software Alliance, "The Impact on America's
Software Industry of Current U.S. Government Munitions Export
Controls," before the Economic Policy, Trade and Environment
Subcommittee, House Committee on Foreign Affairs, Washington,
D.C., October 12, 1993. The Computer Systems Policy Project
(CSPP) estimated that in 2000, the potential annual revenue
exposure for U.S. information technology vendors would range
from $3 billion to $6 billion on sales of cryptographic
products, including both hardware and software; CSPP also
estimated $30 billion to $60 billion in potential revenue
exposure on sales of associated computer systems; see The
Computer Systems Policy Project, William F. Hagerty IV, The
Management Advisory Group, *The Growing Need for Cryptography:
The Impact of Export Control Policy on U.S. Competitiveness*,
Study Highlights (viewgraphs), Bethesda, Maryland, December
15, 1995.

   The $193 billion figure is taken from Department of
Commerce, *U.S. Industrial Outlook 1994*, and includes
computers and peripherals ($62.5 billion, p. 26-1), packaged
software ($32.0 billion, p. 27-1), information services ($13.6
billion, p. 25-1), data processing and network services ($46.4
billion, p. 25-1), and systems integration/custom programming
services ($38.7 billion, p. 25-5). Note that this figure does
not include some other industry sectors that could, in
principle, be affected by regulations regarding secure
communications; in 1993, U.S. companies provided
telecommunications services valued at $10.4 billion to foreign
nations (p. 29-1) and shipped $17.5 billion (1987 dollars) in
telephone equipment worldwide (p. 30-3).

   (43)  For example, in a presentation to the committee on
July 19, 1995, the Software Publishers' Association documented
several specific instances in which a U.S. company had lost a
sale of a product involving cryptography to a foreign firm.
These instances included a company that lost one-third of its
total revenues because export controls on DES-based encryption
prevented sales to a foreign firm; a company that could not
sell products with encryption capability to a European company
because that company re-sold products to clients other than
financial institutions; a U.S. company whose European division
estimated at 50 percent the loss of its business among
European financial institutions, defense industries,
telecommunications companies, and government agencies because
of inadequate key sizes; and a U.S. company that lost the sale
of a DES-based system to a foreign company with a U.S.
subsidiary. Software Publishers' Association, "Presentation on
Impacts of Export Control on Encryption before the NRC
National Cryptography Policy Committee," July 19, 1995.

   (44) See for example, Kara Swisher, "Old World, New
Frontier in Cyberspace," *Washington Post*, December 12, 1995,
p. C-1; Victoria Shannon, "U.S. On-Line Services Fall Short on
International Reach," *Washington Post*, April 3, 1995,
Washington Business, p. 20. For more detail on AOL plans, see
Elizabeth Corcoran, "America Online to Offer Access in Europe,"
*Washington Post*, May 19, 1995, p. F-3.

   (45) See for example, U.S. Congress, Office of Technology
Assessment, *U.S. Telecommunications Services in European
Markets*, OTA-TCT-548, U.S. Government Printing Office,
Washington, D.C., August 1993.

   (46) For example, a survey by the International Data
Corporation indicated that the installed base of users for
work-group applications (involving communications among
physically separated users) is expected to grow at a rate of
about 74 percent annually between 1993 and 1998. See Ann
Palermo and Darby Johnson, Analysts, International Data
Corporation, *Workgroup Applications Software: Market Review
and Forecast, 1993-1998*, Framingham, Massachusetts, (date).
It is true that a considerable amount of remote collaboration
is done via e-mail without cryptographic protection, but
work-group applications provide much higher degrees of
functionality for collaboration because they are specifically
designed for that purpose. As these applications become more
sophisticated (e.g., as they begin to process large assemblies
of entire documents rather than the short messages for which
e-mail is best suited), the demand for higher degrees of
protection is likely to increase.

   (47) Many products require backward-compatibility for
marketplace acceptance. Demands for backward-compatibility
even affect products intended for operation in a stand-alone
environment -- an institution with 2 million spreadsheet files
is unlikely to be willing to switch to a product that is
incompatible with that existing database unless the product
provides reasonable translation facilities for migrating to
the new product. Network components are even harder to change,
because stations on a network must interoperate. For example,
most corporate networks have servers deployed with
workstations that communicate with those servers. Any change
to the software for the servers must not render it impossible
for those workstations to work smoothly with the upgrade.

   (48) The deployment of Lotus Notes provides a good example.
Lotus marketing data suggests fairly consistently that once
Notes achieves a penetration of about 200 users in a given
company, an explosion of demand follows, and growth occurs
until Notes is deployed company-wide.

____________________________________________________________


       4.3.4 Inhibiting Vendor Responses to User Needs

   In today's marketing environment, volume sales (licensing)
to large corporate or government customers, rather than
purchases by individuals, tend to drive sales of business
software products.(49) Since corporate customers have large
leverage in the marketplace (because one purchasing decision
can result in thousands of product sales to a single
corporation), major software vendors are much more responsive
to the needs of corporate users. Of particular relevance to
the export control debate are three perceptions of corporate
users:

   +     Corporate users do not see that different levels of
encryption strength (as indicated, for example, by the key
length of foreign and domestic versions of a product) provide
differential advantages. Put differently, the market reality
is that users perceive domestic-strength versions as the
standard and liberally exportable versions of cryptography as
weak, rather than seeing liberally exportable versions of
cryptography as the standard and domestic-strength versions as
stronger.

   +     Corporate users weigh all features of a product in
deciding whether or not to buy it. Thus, the absence of a
feature such as strong encryption that is desired but not
easily available because of U.S. export controls counts as a
distinct disadvantage for a U.S. product. Although other
features may help to compensate for this deficiency, the
deficiency may pose enough of a barrier to a product's acceptance
abroad that sales are significantly reduced.

   +     Corporate users see cryptographic strength as an
important parameter in their assessments of the information
security that products offer. It is true that cryptography is
only one dimension of information security, that export
controls do not affect certain approaches to increasing
overall information security, and that vendors often do not
address these other approaches. But cryptography is a visible
aspect of the information security problem, and vendors feel
an obligation to respond to market perceptions even if these
perceptions may not be fully justified by an underlying
technical reality. Moreover, many of the information security
measures that do not involve export controls are more
difficult and costly than cryptography to implement, and so it
is natural for vendors to focus their concerns on export
controls on cryptography.

   U.S. vendors that are unable to respond in a satisfactory
manner to these perceptions have a natural disadvantage in
competing against vendors that are able to respond.


----------

   (49) The Department of Commerce noted that "civil use of
software-based encryption will significantly increase in the
next five years, with corporate customers dominating this new
marketplace." See U.S. Department of Commerce and National
Security Agency, *A Study of the International Market for
Computer Software with Encryption*, prepared for the
Interagency Working Group on Encryption and Telecommunications
Policy, Office of the Secretary of Commerce, January 11, 1996,
p. III-2.


____________________________________________________________


              4.4 THE IMPACT OF EXPORT CONTROLS
      ON U.S. ECONOMIC AND NATIONAL SECURITY INTERESTS

   By affecting U.S. industries abroad that might use
cryptography to protect their information interests and U.S.
vendors of a critical technology (namely, information
technology), export controls have a number of potentially
negative effects on national security that policy makers must
weigh against the positive effects of reducing the use of
cryptography by hostile parties.


        4.4.1 Direct Economic Harm to U.S. Businesses

   While acknowledging economic benefits to U.S. business from
signals intelligence (as described in Chapter 3), the
committee notes that protection of the information interests
of U.S. industries is also a dimension of national security,
especially when the threats emanate from foreign sources.

   If the potential value of proprietary information is
factored into the debate over export controls, it dominates
all other figures of merit. A figure of $280 billion to $560
billion was placed by the Computer Systems Policy Project on
the value of future revenue opportunities as the result of
electronic distribution and commerce and future opportunities
to reengineer business processes by 2000.(50) Opponents of
export controls on cryptography argue that if electronic
channels and information systems are perceived to be
vulnerable, businesses may well be discouraged from exploiting
these opportunities, thereby placing enormous potential
revenues at risk.

   On the other hand, it is essentially impossible to
ascertain with any degree of confidence what fraction of
proprietary information would be at risk in any practical
sense if businesses did move to exploit these opportunities.
Current estimates of industrial and economic espionage provide
little guidance. The most authoritative publication on the
subject to date, the *Annual Report to Congress on Foreign
Economic Collection and Industrial Espionage*,(51) noted that

   [i]n today's world in which a country's power and stature
   are often measured by its economic/industrial capability,
   foreign government ministries--such as those dealing with
   finance and trade--and major industrial sectors are
   increasingly looked upon to play a more prominent role in
   their respective country's collection efforts.... An
   economic competitor steals a US company's proprietary
   business information or government trade strategies, [and]
   foreign companies and commercially oriented government
   ministries are the main beneficiaries of US economic
   information. The aggregate losses that can mount as a
   result of such efforts can reach billions of dollars per
   year, constituting a serious national security concern.

   The report went on to say that "[t]here is no formal
mechanism for determining the full qualitative and
quantitative scope and impact of the loss of this targeted
information. Industry victims have reported the loss of
hundreds of millions of dollars, lost jobs, and lost market
share." Thus, even this report, backed by all of the
counterintelligence efforts of the U.S. government, is unable
to render a definitive estimate to within an order of
magnitude. Of course, it may well be that these estimates of
loss are low, because companies are reluctant to publicize
occurrences of foreign economic and industrial espionage as
such publicity can adversely affect stock values, customers'
confidence, and ultimately competitiveness and market share,
or also because clandestine theft of information may not be
detected. Furthermore, because all business trends point to
greater volumes of electronically stored and communicated
information in the future, it is clear that the potential for
information compromises will grow--the value of information
that could be compromised through electronic channels is only
going to increase.

----------

   (50) William F. Hagerty IV, The Management Advisory Group,
Computer Systems Policy Project, *The Growing Need for
Cryptography: The Impact of Export Control Policy on U.S.
Competitiveness*, Study Highlights (viewgraphs), Bethesda,
Maryland, December 15, 1995.

   (51)  National Counterintelligence Center, *Annual Report
to Congress on Foreign Economic Collection and Industrial
Espionage*, Washington, D.C., July 1995.

____________________________________________________________


               4.4.2 Damage to U.S. Leadership
                  in Information Technology

   The strength of the U.S. information technology industry
has been taken as a given for the past few decades. But as
knowledge and capital essential to the creation of a strong
information technology industry become more available around
the world, such strength can no longer be taken for
granted.(52) If and when foreign products become widely
deployed and well integrated into the computing and
communications infrastructure of foreign nations, even better
versions of U.S. products will be unable to achieve
significant market penetration. One example of such a
phenomenon may be the growing interest in the United States in
personal communications systems based on GSM, the European
standard for digital cellular voice communications. Further,
as the example of Microsoft vis-a-vis IBM in the 1980s
demonstrated, industry dominance once lost is quite difficult
to recover in rapidly changing fields.

   The development of foreign competitors in the information
technology industry could have a number of disadvantageous
consequences from the standpoint of U.S. national security
interests:

   +     Foreign vendors, by assumption, will be more
responsive to their own national governments than to the U.S.
government. To the extent that foreign governments pursue
objectives involving cryptography that are different from
those of the United States, U.S. interests may be adversely
affected. Specifically, foreign vendors could be influenced by
their governments to offer for sale to U.S. firms products
with weak or poorly implemented cryptography. If these vendors
were to gain significant market share, the information
security of U.S. firms could be adversely affected.
Furthermore, the United States is likely to have less
influence and control over shipments of products with
encryption capabilities between foreign nations than it has
over similar U.S. products that might be shipped abroad;
indeed, many foreign nations are perfectly willing to ship
products (e.g., missile parts, nuclear reactor technology) to
certain nations in contravention to U.S. or even their own
interests. In the long run, the United States may have even
less control over the products with encryption capabilities
that wind up on the market than it would have if it
promulgated a more moderate export control regime.

   +     Detailed information about the workings of foreign
products with encryption capabilities is much less likely to
be available to the U.S. government than comparable
information about similar U.S. products that are exported.
Indeed, as part of the export control administration process,
U.S. products with encryption capabilities intended for export
are examined thoroughly by the U.S. government; as a result,
large amounts of information about U.S. products with
encryption capabilities are available to it.(53)

   Export controls on cryptography are not the only factor
influencing the future position of U.S. information technology
vendors in the world market. Yet, the committee believes that
these controls do pose a risk to their future position that
cannot be ignored, and that relaxation of controls will help
to ensure that U.S. vendors are able to compete with foreign
vendors on a more equal footing.

----------

   (52)  Obviously, it is impossible to predict with certainty
whether export controls will stimulate the growth of
significant foreign competition for U.S. information
technology vendors. But the historical evidence suggests some
reason for concern. For example, a 1991 report (National
Research Council, *Finding Common Ground: U.S. Export Controls
in a Changed Global Environment*, National Academy Press,
1991) found that "unilateral embargoes on exports [of
technologies for commercial aircraft and jet engines] to
numerous countries not only make sales impossible but actually
encourage foreign competitors to develop relationships with
the airlines of the embargoed countries. By the time the U.S.
controls are lifted, those foreign competitors may have
established a competitive advantage" (page 22). The same
report also found that for computer technology, "marginal
supplier disadvantages can lead to significant losses in
market position, and it is just such marginal disadvantages
that can be introduced by export controls" (page 23). An
earlier study (Charles Ferguson, "High Technology Product Life
Cycles, Export Controls, and International Markets," in
*Working Papers* of the National Research Council report
*Balancing the National Interest, U.S. National Security
Export Controls and Global Economic Competition*, National
Academy Press, 1987), pointed out that the emergence of strong
foreign competition in a number of high-technology areas
appeared in close temporal proximity to the enforcement of
strong export controls in these areas for U.S. vendors. While
the correlation does not prove that export controls
necessarily influenced or stimulated the growth of foreign
competition, the history suggests that they may have had some
causal relationship. In the financial arena (not subject to
export controls), U.S. financial controls associated with the
Trading-with-the-Enemy Act may have led to the rise of the
Eurodollar market, a set of foreign financial institutions,
markets, and instruments that eroded the monopoly held on
dollar-denominated instruments and dollar-dominated
institutions by U.S. firms.

   The likelihood of foreign competition being stimulated for
cryptography may be larger than suggested by some of these
examples, because at least in the software domain, product
development and distribution are less capital-intensive than
in traditional manufacturing industries; lower capital
intensity would mean that competitors would be more likely to
emerge.

   Finally, while it is true that some foreign nations also
impose export controls on cryptography, those controls tend to
be less stringent than those of the United States as discussed
in Appendix G. In particular, it is more difficult to export
encryption from the United States to the United Kingdom than
the reverse, and the U.S. market is an important market for
foreign vendors. Further, it takes only one nation with weak
or nonexistent controls to spawn a competitor in an industry
such as software.

   (53) For example, U.S. vendors are more likely than foreign
vendors to reveal source code of a program to the U.S.
government (for purposes of obtaining export licenses). While
it is true that the object code of a software product can be
decompiled, decompiled object code is always much more
difficult to understand than the original source code that
corresponds to it.

_____________________________________________________________


         4.5 THE MISMATCH BETWEEN THE PERCEPTIONS OF
      GOVERNMENT/NATIONAL SECURITY AND THOSE OF VENDORS


   As the committee proceeded in its study, it observed what
can only be called a disconnect between the perceptions of the
national security authorities that administer the export
control regulations on cryptography and the vendors that are
affected by it. This disconnect was apparent in a number of
areas:

   +     National security authorities asserted that export
controls did not injure the interests of U.S. vendors in the
foreign sales of products with encryption capabilities. U.S.
vendors asserted that export controls had a significant
negative effect on their foreign sales.

   +     National security authorities asserted that nearly
all export license applications for a product with encryption
capabilities are approved. Vendors told the committee that
they refrained from submitting products for approval because
they had been told on the basis of preliminary discussions
that their products would not be approved for export.

   +     National security authorities presented data showing
that the turnaround time for license decisions had been
dramatically shortened (to a matter of days or a few weeks at
most). Vendors noted that these data took into account only
the time from the date of formal submission of an application
to the date of decision, and did not take into account the
much greater length of time required to negotiate product
changes that would be necessary to receive approval. (See
Section 4.3.2 for more discussion.)

   +     National security authorities asserted that they
wished to promote good information security for U.S.
companies, pointing out the current practice described in
Section 4.1.2 that presumes the granting of USML licenses for
stronger cryptography to U.S.-controlled companies and banking
and financial institutions. Vendors pointed to actions taken
by these authorities to weaken the cryptographic security
available for use abroad, even in business ventures in which
U.S. firms had substantial interests. Potential users often
told the committee that even under presumptive approval,
licenses were not forthcoming, and that for practical
purposes, these noncodified categories were not useful.

   +     National security authorities asserted that they took
into account foreign competition and the supply of products
with encryption capabilities when making decisions on export
licenses for U.S. products with encryption capabilities.
Vendors repeatedly pointed to a substantial supply of foreign
products with encryption capabilities.

   +     National security authorities asserted that they
wished to maintain the worldwide strength and position of the
U.S. information technology industry. Vendors argued that when
they are prevented from exploiting their strengths--such as
being the first to develop integrated products with strong
encryption capabilities--their advantages are in fact being
eroded.

   The committee believes that to some extent, these
differences can be explained as the result of rhetoric by
parties intending to score points in a political debate. But
the differences are not merely superficial; they reflect
significantly different institutional perspectives. For
example, when national security authorities "take into account
foreign supplies of cryptography," they focus naturally on
what is available at the time the decision is being made. On
the other hand, vendors are naturally concerned about
incorporating features that will give their products a
competitive edge, even if no exactly comparable foreign
products with cryptography are available at the moment. Thus,
different parties focus on different areas of
concern--national security authorities on the capabilities
available today, and vendors on the capabilities that might
well be available tomorrow.

   NSA perceptions of vendors and users of cryptography may
well be clouded by an unwillingness to speak publicly about
the full extent of vendor and user unhappiness with the
current state of affairs. National security authorities
asserted that their working relationships with vendors of
products with encryption capabilities are relatively
harmonious. Vendors contended that since they are effectively
at the mercy of the export control regulators, they have
considerable incentive to suppress any public expression of
dissatisfaction with the current process. A lack (or small
degree) of vendor outcry against the cryptography export
control regime cannot be taken as vendor support for it. More
specifically, the committee received input from a number of
private firms on the explicit condition of confidentiality.
For example:

   +     Companies with interests in cryptography affected by
export control were reluctant to express fully their
dissatisfaction with the current rules governing export of
products with encryption capabilities or how these rules were
actually implemented in practice. They were concerned that any
explicit connection between critical comments and their
company might result in unfavorable treatment of a future
application for an export license for one of their products.

   + Companies that had significant dealings with the
Department of Defense were reluctant to express fully their
unhappiness with policy that strongly promoted classified
encryption algorithms and government-controlled key-escrow
schemes. These companies were concerned that expressing their
unhappiness fully might result in unfavorable treatment in
competing for future DOD business.

   Many companies have expressed dissatisfaction publicly,
although a very small number of firms did express to the
committee their relative comfort with the way in which the
current export control regime is managed. The committee did
not conduct a systematic survey of all firms affected by
export regulations, and it is impossible to infer the position
of a company that has not provided input on the matter.(54)

----------

   (54) The Department of Commerce study is the most
systematic attempt to date to solicit vendors' input on how
they have been affected by export controls, and the
solicitation received a much smaller response than expected.
See U.S. Department of Commerce and National Security Agency,
*A Study of the International Market for Computer Software
with Encryption*, prepared for the Interagency Working Group
on Encryption and Telecommunications Policy, Office of the
Secretary of Commerce, January 11, 1996.

____________________________________________________________


                4.6 EXPORT OF TECHNICAL DATA


   The rules regarding "technical data" are particularly
difficult to understand. A cryptographic algorithm (if
described in a manner that is not machine-executable) is
counted as technical data, whereas the same algorithm if
described in machine-readable form (i.e., source or object
code) counts as a product. Legally, the ITAR regulate products
with encryption capabilities differently than technical data
related to cryptography, although the differences are
relatively small in nature. For example, technical data
related to cryptography enjoys an explicit exemption when
distributed to U.S.-controlled foreign companies, whereas
products with encryption capabilities are in principle subject
to a case-by-case review in such instances (although in
practice, licenses for products with encryption capabilities
under such circumstances are routinely granted).

   Private citizens and academic institutions and vendors are
often unclear about the legality of actions such as:

   +     Discussing cryptography with a foreign citizen in the
room;

   +     Giving away software with encryption capabilities
over the Internet (see Section 4.8);

   +     Shipping products with encryption capabilities to a
foreign company within the United States that is controlled
but not owned by a U.S. company;

   +     Selling a U.S. company that makes products with
strong encryption capabilities to a foreign company;

   +     Selling products with encryption capabilities to
foreign citizens on U.S. soil;

   +     Teaching a course on cryptography that involves
foreign graduate students;

   +     Allowing foreign citizens residing in the United
States to work on the source code of a product that uses
embedded cryptography.(55)

   Box 4.11 provides excerpts from the only document known to
the committee that describes the U.S. government explanation
of the regulations on technical data related to cryptography.
In practice, these and other similar issues regarding
technical data do not generally pose problems because these
laws are for the most part difficult to enforce and in
fact are not generally enforced. Nevertheless, the vagueness
and broad nature of the regulations may well put people in
jeopardy unknowingly.(56)

----------

   (55) For example, one vendor argues that because foreign
citizens hired by U.S. companies bring noncontrolled knowledge
back to their home countries anyway, the export control
regulations on technical data make little sense as a technique
for limiting the spread of knowledge. In addition, other
vendors note that in practice the export control regulations
on technical data have a much more severe impact on the
employees that they may hire than on academia, which is
protected at least to some extent by presumptions of academic
freedom.

   (56) A suit filed in February 1995 seeks to bar the
government from restricting publication of cryptographic
documents and software through the use of the export control
laws. The plaintiff in the suit is Dan Bernstein, a graduate
student in mathematics at the University of California at
Berkeley. Bernstein developed an encryption algorithm that he
wishes to publish and to implement in a computer program
intended for distribution, and he wants to discuss the
algorithm and program at open, public meetings. Under the
current export control laws, any individual or company that
exports unlicensed encryption software may be in violation of
the export control laws that forbid the unlicensed export of
defense articles, and any individual that discusses the
mathematics of cryptographic algorithms may be in violation of
the export control laws that forbid the unlicensed export of
"technical data." The lawsuit argues that the export control
scheme as applied to encryption software is an "impermissible
prior restraint on speech, in violation of the First
Amendment" and that the current export control laws are vague
and overbroad in denying people the right to speak about and
publish information about cryptography freely. A decision by
the Northern District Court of California on April 15, 1996,
by Judge Marilyn Patel, denied the government's motion to
dismiss this suit, and found that for the purposes of First
Amendment analysis, source code should be treated as speech.
The outcome of this suit is unknown at the time of this
writing (spring 1996). The full text of this decision and
other related documents can be found at
http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/Legal/.

   The constitutionality of export controls on technical data
has not been determined by the U.S. Supreme Court. A ruling by
the U.S. Ninth Circuit Court of Appeals held that the ITAR,
when construed as "prohibiting only the exportation of
technical data significantly and directly related to specific
articles on the Munitions List, do not interfere with
constitutionally protected speech, are not overbroad and the
licensing provisions of the Act are not an unconstitutional
prior restraint on speech." (See 579 F.2d 516, U.S. vs. Edler,
United States Court of Appeals, Ninth Circuit, July 31, 1978.)
Another suit filed by Philip Karn directly challenging the
constitutionality of the ITAR was dismissed by the U.S.
District Court for the District of Columbia on March 22, 1996.
(The issue at hand was the fact that Karn had been denied CCL
jurisdiction for a set of floppy diskettes containing source
code for cryptographic confidentiality identical to that
contained in Schneier's book (which had received CCL
jurisdiction). See
http://www.qualcomm.com/people/pkarn/export/index.html for the
running story (Karn is
appealing this decision); this Web page also contains the
District Court's opinion on this lawsuit.) Some scholars argue
to the contrary that export controls on technical data may
indeed present First Amendment problems, especially if these
controls are construed in such a way that they inhibit
academic discussions of cryptography with foreign nationals or
prevent academic conferences on cryptography held in the
United States from inviting foreign nationals. See, for
example, Allen M. Shinn, Jr., "First Amendment and Export
Laws: Free Speech on Scientific and Technical Matters," *The
George Washington Law Review*, January 1990, pp. 368-403, and
Kenneth J. Pierce, "Public Cryptography, Arms Export Controls,
and the First Amendment: A Need for Legislation," *Cornell
International Law Journal*, Volume 17(19), pp. 197-237.

____________________________________________________________


              4.7 FOREIGN POLICY CONSIDERATIONS


   A common perception within the vendor community is that the
National Security Agency is the sole "power behind the scenes"
for enforcing the export control regime for cryptography.
While NSA is indeed responsible for making judgments about the
national security impact of exporting products with encryption
capabilities, it is by no means the only player in the export
license application process.

   The Department of State plays a role in the export control
process that is quite important. For example, makers of
foreign policy in the U.S. government use economic sanctions
as a tool for expressing U.S. concern and displeasure with the
actions of other nations; such sanctions most often involve
trade embargoes of various types. Violations of human rights
by a particular nation, for example, represent a common issue
that can trigger a move for sanctions. Such sanctions are
sometimes based on presidential determinations (e.g., that the
human rights record of country X is not acceptable to the
United States) undertaken in accordance with law; in other
cases, sanctions against specific nations are determined
directly by congressional legislation; in still other cases,
sanctions are based entirely on the discretionary authority of
the President.

   The imposition of sanctions is often the result of
congressional action that drastically limits the discretionary
authority of the State Department. In such a context, U.S.
munitions or articles of war destined for particular offending
nations (or to the companies in such nations) are the most
politically sensitive, and in practice the items on the USML
are the ones most likely to be denied to the offending
nations. In all such cases, the State Department must
determine whether a particular item on the USML should or
should not qualify for a USML license. A specific example of
such an action given to the committee in testimony involved
the export of cryptography by a U.S. bank for use in a branch
located in the People's Republic of China. Because of China's
human rights record, the Department of State delayed the
export, and the contract was lost to a Swiss firm. The sale of
cryptographic tools that are intended to protect the interests
of a U.S. company operating in a foreign nation was subject to
a foreign policy stance that regarded such a sale as
equivalent to supplying munitions to that nation.

   Thus, even when NSA has been willing to grant an export
license for a given cryptography product, the State Department
has sometimes denied a license because cryptography is on the
USML. In such cases, NSA takes the blame for a negative
decision, even when it had nothing to do with it.

   Critics of the present export control regime have made the
argument that cryptography, as an item on the USML that is
truly dual-use, should not necessarily be included in such
sanctions. Such an argument has some intellectual merit, but
under current regulations it is impossible to separate
cryptography from the other items on the USML.


              4.8 TECHNOLOGY-POLICY MISMATCHES


   Two cases are often cited in the cryptography community as
examples of the mismatch between the current export control
regime and the current state of cryptographic technology (Box
4.12). Moreover, they are often used as evidence that the
government is harassing innocent law-abiding citizens.

   Taken by themselves and viewed from the outside, both of
the cases outlined in Box 4.12 suggest an approach to national
security with evident weaknesses. In the first instance,
accepting the premise that programs for cryptography cannot
appear on the Internet because a foreigner might download them
seems to challenge directly the use of the Internet as a forum
for exchanging information freely even within the United
States. Under such logic (claim the critics), international
telephone calls would also have to be shut down because a U.S.
person might discuss cryptography with a foreign national on
the telephone. In the second instance, the information
contained in the book (exportable) is identical to that on the
disk (not exportable). Since it is the information about
cryptography that is technically at issue (the export control
regulations make no mention of the medium in which that
information is represented), it is hard to see why one would
be exportable and the other not.

   On the other hand, taking the basic assumptions of the
national security perspective as a given, the decisions have
a certain logic that is not only the logic of selective
prosecution or enforcement.

   +    In the case of Zimmermann, the real national security
issue is not the program itself, but rather the fact that a
significant PGP user base may be developing. Two copies of a
good encryption program distributed abroad pose no plausible
threat to national security. But 20 million copies might well
pose a threat. However, the export control regulations as
written do not mention potential or actual size of the user
base, and so the only remaining leverage is the broad language
that brings cryptography under the export control laws.

   +     In the case of Schneier, the real national security
issue relates to the nature of any scheme intended to deny
capabilities to an adversary. Typing the book's source code
into the computer is an additional step that an adversary must
take to implement a cryptography program and a step at which
an adversary could make additional errors. No approach to
denial can depend on a single "silver bullet"; instead, denial
rests on the erection of multiple barriers, all of which taken
together are expected to result in at least a partial denial
of a certain capability. Moreover, if one begins from the
premise that export controls on software encryption represent
appropriate national policy, it is clear that allowing the
export of the source code to Schneier's book would set a
precedent that would make it very difficult to deny permission
for the export of other similar software products with
encryption capabilities. Finally, the decision is consistent
with a history of commodity jurisdiction decisions that
generally maintains USML controls on the source code of a
product whose object code implementation of confidentiality
has been granted commodity jurisdiction to the CCL.

   These comments are not intended to excoriate or defend the
national security analysis of these cases. But the controversy
over these cases does suggest quite strongly that the
traditional national security paradigm of export controls on
cryptography (one that is biased toward denial rather than
approval) is stretched greatly by current technology. Put
differently, when the export control regime is pushed to an
extreme, it appears to be manifestly ridiculous.


                          4.9 RECAP


   Current export controls on products with encryption
capabilities are a compromise between (1) the needs of
national security to conduct signals intelligence and (2) the
needs of U.S. and foreign businesses operating abroad to
protect information and the needs of U.S. information
technology vendors to remain competitive in markets involving
products with encryption capabilities that might meet these
needs. These controls have helped to delay the spread of
strong cryptographic capabilities and use of those
capabilities throughout the world, to impede the development
of standards for cryptography that would facilitate such a
spread, and to give the U.S. government a tool for monitoring
and influencing the commercial development of cryptography.
Export controls have clearly been effective in limiting the
foreign availability of products with strong encryption
capabilities made by U.S. manufacturers, although enforcement
of export controls on certain products with encryption
capabilities appears to have created many public relations
difficulties for the U.S. government, and circumventions of
the current regulations appear possible. The dollar cost of
limiting the availability of cryptography abroad is hard to
estimate with any kind of confidence, since even the
definition of what counts as a cost is quite fuzzy. At the
same time, a floor of a few hundred million dollars per year
for the market affected by export controls on encryption seems
plausible, and all indications are that this figure will only
grow in the future.

   A second consideration is the possibility that export
controls on products with encryption capabilities may well
have a negative impact on U.S. national security interests by
stimulating the growth of important foreign competitors over
which the U.S. government has less influence, and possibly by
damaging U.S. competitive advantages in the use and
development of information technology. In addition, the export
control regime is clouded by uncertainty from the vendor
standpoint, and there is a profound mismatch between the
perceptions of government/national security and those of
vendors on the impact of the export control regime. Moreover,
even when a given product with encryption capabilities may be
acceptable for export on national security grounds,
nonnational security considerations may play a role in
licensing decisions.

   Partly in response to expressed concerns about export
controls, the export regime has been gradually loosened since
1983. This relaxation raises the obvious question of how much
farther and in what directions such loosening could go without
significant damage to national security interests. This
subject is addressed in Chapter 7.

____________________________________________________________

                BOX 4.1 Enforcing Compliance 
                   with End-Use Agreements


   In general, a U.S. Munitions List (USML) license is granted
to a U.S. exporter for the shipping of a product, technical
data, or service covered by the USML to a particular foreign
recipient for a set of specified end uses and subject to a
number of conditions (e.g., restrictions on reexport to
another nation, nontransfer to a third party). The full range
of ITAR sanctions is available against the U.S. exporter and
the foreign recipient outside the United States.

   The ITAR specify that as a condition of receiving a USML
license, the U.S. exporter must include in the contract with
the foreign recipient language that binds the recipient to
abide by all appropriate end-use restrictions. Furthermore,
the U.S. exporter that does not take reasonable steps to
enforce the contract is subject to ITAR criminal and civil
sanctions. But how can end-use restrictions be enforced for a
foreign recipient?

   A number of sanctions are available to enforce the
compliance of foreign recipients of USML items exported from
the United States. The primary sanctions available are the
criminal and civil liabilities established by the Arms Export
Control Act (AECA); the foreign recipient can face civil
and/or criminal charges in U.S. federal courts for violating
the AECA. Although different U.S. courts have different views
on extraterritoriality claims asserted for U.S. law, a
criminal conviction or a successful civil lawsuit could result
in the imposition of criminal penalties on individuals
involved and/or seizure of any U.S. assets of the foreign
recipient. (When there are no U.S. assets, recovering fines or
damages can be highly problematic, although some international
agreements and treaties provide for cooperation in such
cases.) Whether an individual could be forced to return to the
United States for incarceration would depend on the existence
of an appropriate extradition treaty between the United States
and the foreign nation to whose jurisdiction the individual is
subject.

   A second avenue of enforcement is that the foreign
recipient found to be in violation can be denied all further
exports from the United States. In addition, the foreign
violator can be denied permission to compete for contracts
with the U.S. government. From time to time, proposals are
made to apply sanctions against violators that would deny
privileges for them to export products to the United States,
though such proposals often create political controversy.

   A third mechanism of enforcement may proceed through
diplomatic channels. Depending on the nation to whose
jurisdiction the foreign recipient is subject, the U.S.
government may well approach the government of that nation to
seek its assistance in persuading or forcing the recipient to
abide by the relevant end-use restrictions.

   A fourth mechanism of enforcement is the sales contract
between the U.S. exporter and the foreign recipient, which
provides a mechanism for civil action against the foreign
recipient. A foreign buyer who violates the end-use
restrictions is in breach of contract with the U.S. exporter,
who may then sue for damages incurred by the U.S. company.
Depending on the language of the contract, the suit may be
carried out in U.S. or foreign courts; alternatively, the
firms may submit to binding arbitration.

   The operation of these enforcement mechanisms can be
cumbersome, uncertain, and slow. But they exist, and they are
used. Thus, while some analysts believe that they do not
provide sufficient protection for U.S. national security
interests, others defend them as a reasonable but not perfect
attempt at defending those interests.

____________________________________________________________

               BOX 4.2 Licensing Relaxations 
              on Cryptography: A Short History


   Prior to 1983, all cryptography exports required individual
license from the State Department. Since then, a number of
changes have been proposed and mostly implemented.


Year    Change 
_____________________________________________________________

1983    Distribution licenses established allowing exports to
        multiple users under a single license

1987    Nonconfidentiality products moved to Department of
        Commerce (DOC) on a case-by-case basis

1990    ITAR amended -- all nonconfidentiality products under
        DOC jurisdiction

1990    Mass-market general-purpose software with encryption
        for confidentiality moved to DOC on case-by-case basis

1992    Software Publishers Association agreement providing
        for 40-bit RC2/RC4-based products under DOC
        jurisdiction

1993    Mass-market hardware products with encryption
        capabilities moved to DOC on case-by-case basis 

1994    Reforms to expedite license processing at Department
        of State

1995    Proposal to move to DOC software products with 64-bit
        cryptography for confidentiality with "properly
        escrowed" keys

1996    "Personal use" exemption finalized
__________

SOURCE: National Security Agency.

____________________________________________________________

           BOX 4.3 Important Differences Between 
                the U.S. Munitions List and 
                 the Commodity Control List

____________________________________________________________

For Items on U.S.            For Items on Commerce
Munitions List (USML):       Control List (CCL):
____________________________________________________________

Department of State has      Department of Commerce may
broad leeway to take         limit exports only to the
national security            extent that they would make "a
considerations into          significant contribution to the
account in licensing         military potential of any other
decisions; indeed, national  country which would prove
security and foreign         detrimental to the national
policy considerations        security of the United States."
are the driving force        or "where necessary to further
behind the Arms Export       significantly the foreign policy
Control Act.                 of the United States."
                             The history of the Export
                             Administration Act strongly
                             suggests that its national
                             security purpose is to deny dual-
                             use items to countries of
                             Communist Bloc nations, nations
                             of concern with respect to
                             proliferation of weapons of mass
                             destruction, and other rogue
                             nations.

Items are included on the    Performance parameters rather
USML if the item is          than broad categories define
"inherently military in      included items.
character"; the end use 
is irrelevant in such 
a determination. Broad 
categories of product are 
included.

Decisions about export can   Decisions about export must be
take as long as necessary.   completed within 120 days.

Export licenses can be       Export licenses can be denied
denied on very general       only on very specific
grounds (e.g., the export    grounds (e.g., high
would be against the U.S.    likelihood of diversion to
national interest).          proscribed nations).

Individually validated       General licenses are often
licenses are generally       issued, although general
required, although           licenses do not convey
distribution and bulk        blanket authority for export
licenses are possible        (see Note 2 below).
(see Note 1 below).

Prior government approval    Prior government approval is
is needed for export.        generally not needed for export.

Licensing decisions are not  Licensing decisions are subject
subject to judicial review.  to judicial review by a federal
                             judge or an administrative law
                             judge.

Foreign availability may     Foreign availability of items 
or may not be a              that are substantially
consideration in granting    equivalent is, by law,
a license at the discretion  a consideration in a licensing
of the State Department.     decision.

Items included on the        Items included on the CCL must 
USML are not subject         be reviewed periodically.
to periodic review.

A Shipper's Export           An SED may be required, unless 
Declaration (SED)            exemption from the requirement
is required in all           is granted under the Export
instances.                   Administration Regulations.

____________________________________________________________

   Note 1: Bulk licenses authorize multiple shipments without
requiring individual approval. Distribution licenses authorize
multiple shipments to a foreign distributor. In each case,
record-keeping requirements are imposed on the vendor. In
practice, a distribution license shifts the burden of export
restrictions from vendor to distributor. Under a distribution
license, enforcement of restrictions on end use and on
destination nations and post-shipment record-keeping
requirements are the responsibility of the distributor;
vendors need not seek an individual license for each specific
shipment.

   Note 2: Even if an item is controlled by the CCL, U.S.
exporters are not allowed to ship such items if the exporter
knows that it will be used directly in the production of
weapons of mass destruction or ballistic missiles by a certain
group of nations. Moreover, U.S. exports from the CCL are
prohibited entirely to companies and individuals on a list of
"Specially Designated Nationals" designated as agents of Cuba,
Libya, Iraq, North Korea, or Yugoslavia or to a list of
companies and individuals on the Bureau of Export
Administration's Table of Denial Orders (including some
located in the United States and Europe).

____________________________________________________________

               BOX 4.4 Categorical Exceptions
           on the USML for Products Incorporating 
            Cryptography and Informal Practices 
                     Governing Licensing


                   Categorical Exemptions

The ITAR provide for a number of categorical exemptions,
including:

   +    Mass-market software products that use 40-bit key
lengths with the RC2 or RC4 algorithm for confidentiality.
(See Note 1 below.)

   +    Products with encryption capabilities for
confidentiality (of any strength) that are specifically
intended for use only in banking or money transactions.
Products in this category may have encryption of arbitrary
strength.

   +    Products that are limited in cryptographic
functionality to providing capabilities for user
authentication, access control, and data integrity.

   Products in these categories are automatically granted
commodity jurisdiction to the Commerce Control List (CCL).


               Informal Noncodified Exemptions

   The current export control regime provides for an
individual case-by-case review of USML licensing applications
for products that do not fall under the jurisdiction of the
CCL. Under current practice, certain categories of firm will
generally be granted a USML license through the individual
review process to acquire and export for its own use products
with encryption capabilities stronger than that provided by
40-bit RC2/RC4 encryption (see Note 2 below):

   +    A U.S.-controlled firm (i.e., a U.S. firm operating
abroad, a U.S.-controlled foreign firm, or a foreign
subsidiary of a U.S. firm);

   +    Banks and financial institutions (including stock
brokerages and insurance companies), whether U.S.-controlled
or owned or foreign-owned, if the products involved are
intended for use in internal communications and communications
with other banks even if these communications are not limited
strictly to banking or money transactions.

----------

   Note 1: The RC2 and RC4 algorithms are symmetric-key
encryption algorithms developed by RSA Data Security Inc.
(RSADSI). They are both proprietary algorithms, and
manufacturers of products using these algorithms must enter
into a licensing arrangement with RSADSI. RC2 and RC4 are also
trademarks owned by RSADSI, although both algorithms have
appeared on the Internet. A product with capabilities for
confidentiality will be automatically granted commodity
jurisdiction to the CCL if it meets a certain set of
requirements, the most important of which are the following:

   a. The software includes encryption for data
confidentiality and uses the RC4 and/or RC2 algorithms with a
key space of 40 bits.

   b. If both RC4 and RC2 are used in the same software, their
functionality must be separate; that is, no data can be
operated on by both routines.

   c. The software must not allow the alteration of the data
encryption mechanism and its associated key spaces by the user
or by any other program.

   d. The key exchange used in the data encryption must be
based on either a public-key algorithm with a key space less
than or equal to a 512-bit modulus and/or a symmetrical
algorithm with a key space less than or equal to 64 bits.

   e. The software must not allow the alteration of the key
management mechanism and its associated key space by the user
or any other program.

   To ensure that the software has properly implemented the
approved encryption algorithm(s), the State Department
requires that the product pass a "vector test," in which the
vendor receives test data (the vector) and a random key from
the State Department, encrypts the vector with the product
using the key provided, and returns the result to the State
Department; if the product-computed result is identical to the
known correct answer, the product automatically qualifies for
jurisdiction under the CCL.

   Note that the specific technical requirements described in
this footnote are not contained in the *Federal Register*;
rather, they were described in a State Department document
whose change is not subject to an official procedure for
public comment. (These conditions were first published in
"Defense Trade News," Volume 3(4), October 1992, pages 11-15.
"Defense Trade News" is a newsletter published by the Office
of Defense Trade Controls at the Department of State.)

   Note 2: How much stronger than 40-bit RC2/RC4 is
unspecified. Products incorporating the 56-bit DES algorithm
are often approved for these informal exemptions, and at times
even products using larger key sizes have been approved. But
the key size is not unlimited, as may be the case under the
explicit categorical exemptions specified in the ITAR.
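
   The vector test described in Note 1 is a known-answer test.
The sketch below is an added example, not State Department or
vendor code. It assumes the publicly circulated RC4 algorithm;
issue_vector, vector_test, and the three product functions are
hypothetical names, and the two altered products are
constructed to show what the comparison rejects.

```python
"""Added example: the Note 1 "vector test" as an RC4 known-answer test."""
import secrets


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR of data with the keystream."""
    state = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def issue_vector(vector_len: int = 32):
    """Evaluator side: a random 40-bit key plus random test data."""
    return secrets.token_bytes(5), secrets.token_bytes(vector_len)


def vector_test(product_encrypt, key: bytes, vector: bytes) -> bool:
    """Compare what the product returns with the known correct answer."""
    expected = rc4(key, vector)               # evaluator's reference result
    returned = product_encrypt(key, vector)   # what the vendor sends back
    return secrets.compare_digest(returned, expected)


def conforming_product(key: bytes, data: bytes) -> bytes:
    """Hypothetical product using RC4 with the supplied 40-bit key as is."""
    return rc4(key, data)


def extended_key_product(key: bytes, data: bytes) -> bytes:
    """Hypothetical product that pads the 40-bit key to 128 bits internally."""
    return rc4(key + b"\x5a" * 11, data)


def keystream_drop_product(key: bytes, data: bytes) -> bytes:
    """Hypothetical product that discards the first 256 keystream bytes."""
    return rc4(key, bytes(256) + data)[256:]


def run_demo() -> dict:
    """Run one issued vector against all three products."""
    key, vector = issue_vector()
    products = (conforming_product, extended_key_product,
                keystream_drop_product)
    return {p.__name__: vector_test(p, key, vector) for p in products}


if __name__ == "__main__":
    for name, passed in run_demo().items():
        print(f"{name:24s} {'PASS' if passed else 'FAIL'}")
```

   The test establishes only that the product's output matches
the reference for the issued key and vector; requirements (c)
and (e), on user alteration of the mechanism, concern behavior
that a single comparison does not exercise.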

____________________________________________________________

              BOX 4.5 Successful Challenges to 
                      40-bit Encryption


   In the summer of 1995, a message encoded with the 40-bit
RC4 algorithm was successfully decrypted without prior
knowledge of the key by Damien Doligez of the INRIA
organization in France. The message in question was a record
of an actual submission of form data that was sent to
Netscape's electronic shop order form in "secure" mode
(including a fictitious name and address). The challenge was
posed to break the encryption and recover the name and address
information entered in the form and sent securely to
Netscape. Breaking the encryption was accomplished by a
brute-force search on a network of about 120 workstations and
a few parallel computers at INRIA, Ecole Polytechnique, and
ENS. The key was found after scanning a little more than half
the key space in 8 days, and the message was successfully
decrypted. Doligez noted that many people have access to the
amount of computing power that he used, and concluded that the
exportable Secure Sockets Layer protocol is not strong enough
to resist the attempts of amateurs to decrypt a "secure"
message.

   In January 1996, an MIT undergraduate student used a single
$83,000 graphics computer to perform the same task in 8 days.
Testing keys at an average rate of more than 830,000 keys per
second, the program running on this computer would take 15
days to test every key.

____________________________________________________________

                  BOX 4.6 Difficulties in 
                  Controlling Cryptography


   Hardware products with encryption capabilities can be
controlled on approximately the same basis as traditional
munitions. But software products with encryption capabilities
are a different matter. A floppy disk containing programs
involving cryptography is visually indistinguishable from one
containing any other type of program or data files.
Furthermore, software products with encryption capabilities
can be transported electronically, with little respect for
physical barriers or national boundaries, over telephone lines
and the Internet with considerable ease. Cryptographic
algorithms, also controlled by the International Traffic in
Arms Regulations as "technical data," represent pure knowledge
that can be transported over national borders inside the heads
of people or via letter.

   As is true for all other software products, software
products with encryption capabilities are infinitely
reproducible at low cost and with perfect fidelity; hence, a
controlled item can be replicated at a large number of points.
This fact explains how vast amounts of software piracy can
occur both domestically and abroad. In principle, one software
product with encryption capabilities taken abroad can serve as
the seed for an unlimited number of reproductions that can
find their way to hostile parties. Finally, it can be argued
that the rogue nations that pose the most important targets
for U.S. signals intelligence collection are also the least
likely to refrain from pirating U.S. software.

____________________________________________________________

              BOX 4.7 Key Differences Between 
             Commercial Products and "Freeware"

_____________________________________________________________

                                     Products 
                                     from
                                     Major
                                     Commercial   "Freeware"
                                     Vendors       Products
____________________________________________________________

Stake of reputation of               Higher         Lower
product offer

Scale of operation                   Larger         Smaller

Cost of distribution                 Higher         Lower

Support for products                 Greater        Lesser

Role of profit-making motive         Higher         Lower

Ability to integrate cryptography    Greater        Lesser
into useful and sophisticated
general-purpose software

Vulnerability to regulatory and      Higher         Lower 
legal constraints

Likelihood of market                 Higher         Lower 
"staying power"

Likelihood of wide distribution      Higher         Lower
and use

Financial liability for              Higher         Lower 
poor product performance

Cost of entry into markets           Higher         Lower
____________________________________________________________

NOTE: All of the characterizations listed are tendencies
rather than absolutes, and are relative (i.e., determined by
comparing products from major commercial vendors to freeware).

____________________________________________________________

                BOX 4.8 A Partial Survey of 
        Foreign Encryption Products on the TIS Survey


   +    A British product manual notes that "a key can be any
word, phrase, or number from 1 to 78 characters in length,
though for security purposes keys shorter than six characters
are not recommended." Only alphanumeric characters are used in
the key, and alpha characters do not distinguish between upper
and lower case. While the longer pass phrases can produce keys
with the full 56 bits of uncertainty [changing "can" to "do"
would require more extensive tests], passwords of even six
characters are woefully inadequate. It is dangerous to allow
users to enter such keys, much less the single-character keys
allowed by this product.

   +    One British product is a DES implementation that
recommends cipher block chaining, but uses electronic codebook
(ECB) mode as the default. The use of ECB as the default is
dangerous because ECB is less secure than cipher block
chaining.

   +    A Danish product uses DES with an 8-character key, but
limits each character to alphanumeric and punctuation symbols.
Hence the key is less than a full 56 bits long. With this
restriction, many users are likely to use only upper or lower
case alpha characters, resulting in a key less than 40 bits
long.

   +    A foreign product uses the FEAL algorithm as well as
a proprietary algorithm. Aside from the question of algorithm
strength, the key is 1 to 8 characters long and does not
distinguish between upper and lower case. The result is a
ridiculously short key, a problem that is compounded by the
recommendation in the manual to use a 6- to 8-letter
artificial word as the key (e.g., it suggests that for the
name Bill, "billbum" might be used as the key).

   +    A product from New Zealand uses DES plus a public-key
system similar to RSA, but based on Lucas functions. The
public-key portion limits the key size to 1,024 bits, but does
not seem to have a lower bound, a potentially dangerous
situation. The DES key can be 1 to 24 characters in length. If
the key is 1 to 8 characters, then single DES is used,
otherwise triple DES is used. The lack of a lower bound on key
length is dangerous.

   +    An Israeli product uses DES or QUICK, a proprietary
algorithm. The minimum key length is user selectable between
0 and 8 characters. Allowing such small lower bounds on key
length is dangerous. The product also has a "super-password"
supplied by the vendor, another potentially dangerous
situation. This product is available both in hardware and in
software.

   +    A German hardware product has user-settable S-boxes,
and the key can be entered either as 8 characters or 16
hexadecimal characters to yield a true 64-bit key (which will
be reduced by the algorithm to 56 bits). The use of 16
hexadecimal character keys will result in higher security, but
if the key can also be entered as 8 alphanumeric characters,
many users are likely to do so, thus severely reducing the
security level. User-selectable S-boxes can have advantages
(if they are unknown to a cryptanalyst) and disadvantages (if
they are poorly chosen and either are known to or can be
guessed by a cryptanalyst). On balance, the danger is arguably
greater than the advantage.

   +    A British product recommends one master key per
organization so that files can be shared across personal
computers. This practice is very dangerous.

   To summarize, the defects in these products are related to
poor key management practices, because they either employ or
allow poor key management that would enable a determined and
knowledgeable adversary to penetrate the security they offer
with relative ease. As noted in Section 4.2 of the text, U.S.
products are not necessarily more secure.

----------

SOURCE: Committee examination and synthesis of materials
provided by Trusted Information Systems Inc.
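
   The key-length claims in Box 4.8 can be checked by counting
the keys each entry rule permits. The following is an added
example, not part of the committee's or TIS's material. The
alphabets are constructed from the box's descriptions, the
search rate is the one quoted in Box 4.5, and
distinct_des_keys assumes (the box does not say) that a product
uses the typed ASCII characters directly as the eight DES key
bytes.

```python
"""Added example: effective key sizes implied by Box 4.8 key-entry rules."""
import math
import string

DES_KEY_BITS = 56
KEYS_PER_SECOND = 830_000        # search rate quoted in Box 4.5
SECONDS_PER_DAY = 86_400

# Alphabets constructed from the descriptions in Box 4.8.
CASELESS_ALNUM = string.ascii_lowercase + string.digits
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def password_count(alphabet: str, min_len: int, max_len: int) -> int:
    """Number of distinct keys a user can type under an entry rule."""
    n = len(set(alphabet))
    return sum(n ** length for length in range(min_len, max_len + 1))


def effective_bits(alphabet: str, min_len: int, max_len: int,
                   cipher_bits: int = DES_KEY_BITS) -> float:
    """Key uncertainty in bits, capped at what the cipher can use."""
    return min(math.log2(password_count(alphabet, min_len, max_len)),
               cipher_bits)


def distinct_des_keys(alphabet: str, length: int = 8) -> int:
    """Distinct DES keys if typed ASCII bytes are used directly as the key.

    Assumption, not stated in the box. DES ignores the low-order (parity)
    bit of every key byte, so characters differing only in that bit
    select the same key.
    """
    return len({ord(ch) >> 1 for ch in set(alphabet)}) ** length


def days_to_search(key_count: int, rate: int = KEYS_PER_SECOND) -> float:
    """Days needed to try every key at the given rate."""
    return key_count / rate / SECONDS_PER_DAY


# (label, alphabet, minimum length, maximum length)
POLICIES = [
    ("British: 6 caseless alphanumerics", CASELESS_ALNUM, 6, 6),
    ("British: 78 caseless alphanumerics", CASELESS_ALNUM, 78, 78),
    ("Danish: 8 alphanumeric/punctuation", PRINTABLE, 8, 8),
    ("Danish: 8 single-case letters", string.ascii_lowercase, 8, 8),
    ("Artificial 7-letter word", string.ascii_lowercase, 7, 7),
]


def report():
    """Return (label, bits, days to exhaust) for each constructed policy."""
    rows = []
    for label, alphabet, lo, hi in POLICIES:
        bits = effective_bits(alphabet, lo, hi)
        rows.append((label, bits, days_to_search(round(2 ** bits))))
    return rows


if __name__ == "__main__":
    for label, bits, days in report():
        print(f"{label:36s} {bits:5.1f} bits  {days:14.2f} days")
    print("40-bit key space:", round(days_to_search(2 ** 40)), "days")
    print("8 uppercase letters as raw DES key bytes:",
          round(math.log2(distinct_des_keys(string.ascii_uppercase)), 1),
          "bits")
```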

____________________________________________________________

             BOX 4.9 Circumventions of the ITAR


   Current export controls on cryptography can apparently be
circumvented in a number of entirely legal and/or
hard-to-detect ways. For example:

   +    A U.S. company can develop a product without encryption
capabilities and then sell the source code of the product to
a friendly foreign company that incorporates additional source
code for encryption into the product for resale from that
foreign country (assuming that that country has no (or weaker)
export controls on cryptography).

   +    A U.S. company possessing products with encryption
capabilities can be bought by a foreign company; in general,
no attempt is made to recover those products.

   +    A U.S. company can work with legally independent
counterparts abroad that can incorporate cryptographic
knowledge available worldwide into products.

____________________________________________________________

              BOX 4.10 Problems Arising from a 
              Lengthy Export Licensing Process


   +    Some foreign customers know it will take a long time
to obtain a positive licensing decision, and as a consequence
do not bother to approach U.S. vendors at all.

   +    Products to market are delayed; even when export
licenses are eventually granted, they are often granted too
late to be useful, because the area of information technology
is so fast-moving.

   +    Rapid decisions are not rendered. In one instance
reported to the committee, a U.S. information technology
company wanted permission to use its own software (with strong
encryption capabilities) to communicate with its foreign
offices. Such cases are in theory expedited because of a
presumptive approval in these circumstances; this vendor's
government contacts agreed that "such an application would be
no problem" and that an approval would be a rapid
"rubber-stamp" one, but in fact, this vendor is still awaiting
a license after more than a year.

   +    System integrators intending to ship complete systems
rather than individual products face particular difficulties
in obtaining a speedy turnaround, because the task for
national security authorities involves an assessment of the
entire system into which a given product (or products) with
encryption capabilities will be integrated, rather than an
assessment of just the products with encryption capabilities
alone.

   +    Even vendors that manufacture cryptographic software
not intended for export are required to register with the
State Department Office of Defense Trade Controls, primarily
"to provide the U.S. government with necessary information on
who is involved in certain manufacturing and exporting 
activities."(1)

----------

   (1)  International Traffic in Arms Regulations, Section
122.1 (c).

____________________________________________________________

                 BOX 4.11 On The Export of 
           Technical Data Related to Cryptography


   "Cryptologic technical data ... refers ... only [to] such
information as is designed or intended to be used, or which
reasonably could be expected to be given direct application,
in the design, production, manufacture, repair, overhaul,
processing, engineering, development, operation, maintenance
or reconstruction of items in such categories. This
interpretation includes, in addition to engineering and design
data, information designed or reasonably expected to be used
to make such equipment more effective, such as encoding or
enciphering techniques and systems, and communications or
signal security techniques and guidelines, as well as other
cryptographic and cryptanalytic methods and procedures. It
does not include general mathematical, engineering or
statistical information, not purporting to have or reasonably
expected to be given direct application to equipment in such
categories. It does not include basic theoretical research
data. It does, however, include algorithms and other
procedures purporting to have advanced cryptologic
application.

   "The public is reminded that professional and academic
presentations and informal discussions, as well as
demonstrations of equipment, constituting disclosure of
cryptologic technical data to foreign nationals are prohibited
without the prior approval of this office. Approval is not
required for publication of data within the United States as
described in Section 125.11(a)(1). Footnote 3 to section
125.11 does not establish a prepublication review requirement.

   "The interpretation set forth in this newsletter should
exclude from the licensing provisions of the ITAR most basic
scientific data and other theoretical research information,
except for information intended or reasonably expected to have
a direct cryptologic application. Because of concerns
expressed to this office that licensing procedures for
proposed disclosures of cryptologic technical data contained
in professional and academic papers and oral presentations
could cause burdensome delays in exchanges with foreign
scientists, this office will expedite consideration as to the
application of ITAR to such disclosures. If requested, we
will, on an expedited basis provide an opinion as to whether
any proposed disclosure, for other than commercial purposes,
of information relevant to cryptology, would require licensing
under the ITAR."

----------

SOURCE: Office of Munitions Control, Department of State,
"Cryptography/Technical Data," in *Munitions Control
Newsletter*, Number 80, February 1980. (The Office of
Munitions Control is now the Office of Defense Trade
Controls.)

____________________________________________________________

             BOX 4.12 Two Export Control Cases 


                   The Zimmermann PGP Case

   Philip Zimmermann is the author of a software program known
as PGP (for Pretty Good Privacy). PGP is a program that is
used to encrypt mail messages end-to-end based on public-key
cryptography. Most importantly, PGP includes a system for key
management that enables two users who have never interacted to
communicate securely based on a set of trusted intermediaries
that certify the validity of a given public key. Across the
Internet, PGP is one of the most widely used systems for
secure e-mail communication.

   Zimmermann developed PGP as a "freeware" program to be
distributed via diskette. Another party subsequently posted
PGP to a USENET newsgroup.(1) (A commercial version licensed
from but not supplied by Zimmermann has since emerged.) In
1993, Zimmermann was determined to be the target of a criminal
investigation probing possible violations of the export
control laws.(2) Zimmermann was careful to state that PGP was
not to be used or downloaded outside the United States, but of
course international connections to the Internet made for easy
access to copies of PGP located within the United States. In
January 1996, the U.S. Department of Justice closed its
investigation of Zimmermann without filing charges against
him.(3)


       The Bruce Schneier-*Applied Cryptography* Case

   Bruce Schneier wrote a book called *Applied
Cryptography*(4) that was well received in the cryptography
community. It was also regarded as useful in a practical sense
because it contained printed on its pages source code that
could be entered into a computer and compiled into a working
cryptography program. In addition, when distributed within the
United States, the book contained a floppy disk that contained
source code identical to the code found in the book. However,
when another party (Philip Karn) requested a ruling on the
exportability of the book, he (Karn) received permission to
export the book but not the disk. This decision has been
greeted with considerable derision in the academic
cryptography community, with comments such as "They think that
terrorists can't type?" expressing the general dismay of the
community.

----------

   (1)  A USENET newsgroup is in effect a mailing list to
which individuals around the world may subscribe. Posting is
thus an act of transmission to all list members.

   (2)  John Schwartz, "Privacy Program: An On-Line Weapon?,"
*Washington Post*, April 3, 1995, p. A-1.

   (3)  Elizabeth Corcoran, "U.S. Closes Investigation in
Computer Privacy Case," *Washington Post*, January 12, 1996,
p. A-11.

   (4)  Bruce Schneier, *Applied Cryptography*, John Wiley and
Sons, 1994.

____________________________________________________________

[End Chapter 4]



