Note: for index of full report see: http://jya.com/nrcindex.htm

---------

[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]


                              6

      Other Dimensions of National Cryptography Policy


   In addition to export controls and escrowed encryption,
current national policy on cryptography is affected by
government use of a large number of levers available to it,
including the Communications Assistance for Law Enforcement
Act, the standards-setting process, R&D funding, procurement
practices, education and public jawboning, licenses and
certification, and arrangements both formal and informal with
various other governments (state, local, and foreign) and
organizations (e.g., specific private companies). All of these
are controversial because they embody judgments about how the
interests of law enforcement and national security should be
reconciled against the needs of the private sector. In
addition, the international dimensions of cryptography are
both critical (because cryptography affects communications and
communications are fundamentally international) and enormously
difficult (because national interests differ from government
to government).


              6.1 THE COMMUNICATIONS ASSISTANCE
                   FOR LAW ENFORCEMENT ACT


   The Communications Assistance for Law Enforcement Act
(CALEA) was widely known as the "digital telephony" bill
before its formal passage. The CALEA is not explicitly
connected to national cryptography policy, but it is an
important aspect of the political context in which national
cryptography policy has been discussed and debated.


                 6.1.1 Brief Description of 
             and Stated Rationale for the CALEA


General Description

   The Communications Assistance for Law Enforcement Act
(CALEA) was passed in October 1994. The act imposes on
telecommunications carriers four requirements in connection
with those services or facilities that allow customers to
originate, terminate, or direct communications:

   +    To expeditiously isolate and enable the government to
intercept, pursuant to court order or other lawful
authorization, all wire and electronic communications in the
carrier's control to or from the equipment, facilities, or
services of a subscriber, in real time or at any later time
acceptable to the government. Carriers are not responsible for
decrypting encrypted communications that are the subject of
court-ordered wiretaps, unless the carrier provided the
encryption and can decrypt it. Moreover, a carrier is not
prohibited from deploying an encryption service for which it
does not retain the ability to decrypt communications for law
enforcement access.

   +    To expeditiously isolate and enable the government to
access, pursuant to court order or other lawful authorization,
reasonably available call-identifying information about the
origin and destination of communications. Access must be
provided in such a manner that the information may be
associated with the communication to which it pertains and is
provided to the government before, during, or immediately
after the communication's transmission to or from the
subscriber.

   +    To make intercepted communications and
call-identifying information available to government, pursuant
to court order or other lawful authorization, so that they may
be transmitted over lines or facilities leased or procured by
law enforcement to a location away from the carrier's
premises.

   +    To meet these requirements with a minimum of
interference with the subscriber's service and in such a way
that protects the privacy of communications and
call-identifying information that are not targeted by
electronic surveillance orders, and that maintains the
confidentiality of the government's interceptions.

   The CALEA also authorizes federal money for retrofitting
common carrier systems to comply with these requirements. As
this report is being written, no money has yet been
appropriated for this task.

   The CALEA requirements apply only to those services or
facilities that enable a subscriber to make, receive, or
direct calls. They do not apply to information services, such
as the services of electronic mail providers; on-line services
such as Compuserve or America Online; or Internet access
providers; or to private networks or services whose sole
purpose is to interconnect carriers. Furthermore, the CALEA
requires law enforcement authorities to use carrier employees
or personnel to activate a surveillance. The CALEA also
provides that a warrant is needed to tap a cordless telephone;
wiretaps on cellular telephones are already governed by Title
III or the Foreign Intelligence Surveillance Act.


The Stated Rationale for the CALEA

   Historically, telecommunications service providers have
cooperated with law enforcement officials in allowing access
to communications upon legal authorization. New
telecommunications services (e.g., call forwarding, paging,
cellular calls) and others expected in the future have
diminished the ability of law enforcement agencies to carry
out legally authorized electronic surveillance. The primary
impact of the CALEA is to ensure that within 4 years,
telecommunications service providers will still be able to
provide the assistance necessary to law enforcement officials
to conduct surveillance of wire and electronic communications
(both content and call-identifying information) controlled by
the carrier, regardless of the nature of the particular
services being offered.


      6.1.2 Reducing Resource Requirements for Wiretaps

   Once a surveillance order has been approved judicially, it
must be implemented. In practice, the implementation of a
surveillance order requires the presence of at least two
agents around the clock. Such a presence is required if
real-time minimization requirements are to be met.(1) As a
result, personnel requirements are the most expensive aspect
of electronic surveillance. The average cost of a wiretap
order is $57,000 (Appendix D), or approximately one-half of a
full-time-equivalent agent-year. Such costs are not incurred
lightly by law enforcement agencies.

   Under these circumstances, procedures and/or technologies
that could reduce the labor required to conduct wiretaps pose
a potential problem for individuals concerned about excessive
use of wiretaps. Specifically, these individuals are concerned
that the ability to route wiretapped calls to a central
location would enable a single team of agents to monitor
multiple conversations.(2) Such time sharing among monitoring
teams could lower wiretap costs significantly. From the
standpoint of law enforcement, these savings could be
used for other law enforcement purposes, and they would have
the additional effect of eliminating an operational constraint
on the frequency with which wiretap authority is sought today.

   Technologies that would enable minimization without human
assistance are in their infancy today. For example, the
technology of speech recognition for the most part cannot cope
with speech that is speaker-independent and continuous, and
artificial intelligence programs today and for the foreseeable
future will be unable to distinguish between the criminally
relevant and nonrelevant parts of a conversation. Human agents
are an essential component of a wiretap, and law enforcement
officials have made three key points in response to the
concern raised above.

   +    Most importantly, today's wiretaps are performed
generally with law enforcement agencies paying
telecommunications service providers for delivering the
intercepted communications to a point of law enforcement's
choosing.

   +    From an operational standpoint, the real-time
minimization of wiretapped conversations requires agents that
are personally familiar with the details of the case under
investigation, so that they know when the subjects are engaged
in conversations related to the case -- agents exceed their
authority if they monitor unrelated conversations.

   +    Procedural rules require that all evidence be
maintained through a proper chain of custody and in a manner
such that the authenticity of evidence can be established. Law
enforcement officials believe that the use of one team to
monitor different conversations could call into question the
ability to establish a clear chain of custody.

----------

   (1)  Minimization refers to the practice, required by Title
III, of monitoring only those portions of a conversation that
are relevant to the crime under investigation. If a subject
discusses matters that are strictly personal, such discussions
are not subject to monitoring. In practice, a team of agents
operates a tape recorder on the wiretapped line. Minimization
requires agents to turn off the tape recorder and to cease
monitoring the conversation for a short period of time if they
overhear nonrelevant discussions. At the end of that time
period, they are permitted to resume monitoring. For obvious
reasons, this practice is conducted in real time. When agents
encounter a foreign language with which they are unfamiliar,
they are allowed to record the entire conversation; the tape
is then "minimized" after the fact of wiretapping. Additional
discussion of the requirements imposed on wiretapping by Title
III is contained in Appendix D.

   (2)  For example, such a concern was raised at the Fifth
Conference on Computers, Freedom, and Privacy held in San
Francisco in March 1995. The argument goes as follows. While
the CALEA authorizes $500 million to pay for existing in-place
telephone switch conversions to implement the capabilities
desired by law enforcement, this amount is intended as a
one-time cost; upgrades of switching systems are expected to
implement these capabilities without government subsidy.
(Moreover, the Congress has not yet appropriated this money.)
The point is that additional wiretap orders would not pose an
additional incremental cost (though the original cost of
$57,000 would still obtain), and the barrier of incremental
cost would not impede more wiretap orders. In short, critics
argue that it would make good economic sense to make
additional use of resources if such use can "piggy-back" on an
already-made investment.

____________________________________________________________


                 6.1.3 Obtaining Access to 
                Digital Streams in the Future

   In the conduct of any wiretap, the first technical problem
is simply gaining access to the relevant traffic itself,
whether encrypted or not. For law enforcement, products with
encryption capabilities and features that allow exceptional
access are useless without access to the traffic in question.
The CALEA was an initiative spearheaded by law enforcement to
deal with the access problem created by new telecommunications
services.

   The problems addressed by the CALEA will inevitably
resurface as newer communications services are developed and
deployed for use by common carriers and private entities
(e.g., corporations) alike. It is axiomatic that the
complexity of interactions among communications systems will
continually increase, both as a result of increased
functionality and the need to make more efficient use of
available bandwidth. Consequently, isolation of the digital
streams associated with the party or parties targeted by law
enforcement will become increasingly difficult if the
cooperation of the service provider is not forthcoming, for
all of the reasons described in Chapter 2. (It is for this
reason that the CALEA applies to parties that are not common
carriers today upon appropriate designation by the Federal
Communications Commission.)

   Moreover, even when access to the digital stream of an
application is assured, the structure of the digital stream
may be so complex that it would be extremely costly to
determine all of the information present without the
assistance of the application developer. Tools designed to
isolate the relevant portions of a given digital stream
transmitted on open systems will generally be less expensive
than tools for proprietary systems, but since both open and
proprietary systems will be present in any future
telecommunications environment, law enforcement authorities
will need tools for both. The development of such tools will
require considerable technical skill, skill that is most
likely possessed by the application developers; cooperation
with product developers may decrease the cost of developing
these tools.

   Finally, as the telecommunications system becomes more and
more heterogeneous, even the term "common carrier" will become
harder to define or apply. The routing of an individual data
communication through the "network" will be dynamic and may
take any one of a number of paths, decisions about which are
not under the user's control. While only one link in a given
route need be a common carrier for CALEA purposes, identifying
that common carrier in practice may be quite difficult.


          6.1.4 The CALEA Exemption of Information
             Service Providers and Distinctions 
               Between Voice and Data Services

   At present, users of data communications services access
networks such as the Internet either through private networks
(e.g., via their employers) or through Internet service
providers that provide connections for a variety of
individuals and organizations. Both typically make use of
lines owned and operated by telecommunications service
providers. In the former case, law enforcement access to the
digital stream is more or less the same problem as it is for
the employer (and law enforcement has access through the legal
process to the employer). In the latter case, the CALEA
requires the telephone service provider to provide to law
enforcement authorities a copy of the digital stream being
transported.

   The CALEA exempts on-line information service providers
such as America Online and Compuserve from its requirements.
In the future, other CALEA issues may arise as the
capabilities provided by advanced information technologies
grow more sophisticated. For example, the technological
capability exists to use Internet-based services to supply
real-time voice communications.(3) Even today, a number of
Internet and network service providers are capable of
supporting (or are planning to support) real-time
"push-to-talk" voice communications. The CALEA provides that
a party providing communications services that in the judgment
of the FCC are "a replacement for a substantial portion of the
local telephone exchange service" may be deemed a carrier
subject to the requirements of the CALEA. Thus, one possible
path along which telecommunications services may evolve could
lead to the imposition of CALEA requirements on information
service providers, even though they were exempted as an
essential element of a legislative compromise that enabled the
CALEA to pass in the first place.

   These possibilities are indicative of a more general
problem: the fact that lines between "voice" and "data"
services are being increasingly blurred. This issue is
addressed in greater detail in Chapter 7.

----------

   (3)  Fred Hapgood, "IPHONE," *Wired*, October 1995, p. 140;
and Lawrence M. Fisher, "Long-Distance Phone Calls in the
Internet," *New York Times*, March 14, 1995, p. D-6.

____________________________________________________________


                  6.2 OTHER LEVERS USED IN
                NATIONAL CRYPTOGRAPHY POLICY


   The government has a number of tools to influence the
possession and use of cryptography domestically and abroad.
How the government uses these tools in the context of national
cryptography policy reflects the government's view of how to
balance the interests of the various stakeholders affected by
cryptography.


       6.2.1 Federal Information Processing Standards

   Federal Information Processing Standards (FIPSs) are an
important element of national cryptography policy, and all
federal agencies are encouraged to cite FIPSs in their
procurement specifications. (Box 6.1 contains a brief
description of all FIPSs related to cryptography). The
National Institute of Standards and Technology (NIST) is
responsible for issuing FIPSs.

   FIPSs can have enormous significance to the private sector
as well, despite the fact that the existence of a FIPS does
not legally compel a private party to adopt it. One reason is
that to the extent that a FIPS is based on existing
private-sector standards (which it often is), it codifies
standards of existing practice and contributes to a planning
environment of greater certainty. A second reason is that a
FIPS is often taken as a government endorsement of the
procedures, practices, and algorithms contained therein, and
thus a FIPS may set a de facto "best practices" standard for
the private sector. A third reason is related to procurements
that are FIPS-compliant as discussed in the next section.

   NIST has traditionally relied on private sector
standards-setting processes when developing FIPSs. Such practice
reflects NIST's recognition of the fact that the standards it
sets will be more likely to succeed -- in terms of reducing
procurement costs, raising quality, and influencing the
direction of information technology market development -- if
they are supported by private producers and users.(4)

   The existence of widely accepted standards is often an
enormous boon to interoperability of computers and
communication devices, and the converse is generally true as
well: the absence of widely accepted standards often impedes
the growth of a market.

   In the domain of cryptography, FIPSs have had a mixed
result. The promulgation of FIPS 46-1, the Data Encryption
Standard (DES) algorithm for encrypting data, was a boon to
cryptography and vendors of cryptographic products. On the
other hand, the two cryptography-related FIPSs most recently
produced by NIST (FIPS-185, the Escrowed Encryption Standard
(EES), and FIPS-186, the Digital Signature Standard (DSS))
have met with a less favorable response. Neither was
consistent with existing de facto industry standards or
practice, and both met with significant negative response from
private industry and users.(5)

   The promulgation of the EES and the DSS, as well as current
Administration plans to promulgate a modification of the EES
to accommodate escrowed encryption for data storage and
communications and another FIPS for key escrow to set performance
requirements for escrow agents and for escrowed encryption
products, has generated a mixed market reaction. Some
companies see the promulgation of these standards as a market
opportunity, while others see these standards as creating yet
more confusion and uncertainty in pushing escrowed encryption
on a resistant market.

   Appendix N contains a general discussion of FIPSs and the
standards-setting process.

---------

   (4)  Cargill, *Information Technology Standardization*, p.
213.

   (5)  The story of resistance to the EES is provided in
Susan Landau et al., *Codes, Keys, and Conflicts*, Association
for Computing Machinery, Washington, D.C., June 1994, p. 48;
to DSS, in Landau et al., 1994, pp. 41-43. In the case of DSS,
a de facto industry standard had already emerged based on
RSA's public-key algorithm.

____________________________________________________________


          6.2.2 The Government Procurement Process

   Government procurement occurs in two domains. One domain is
special-purpose equipment and products, for which government
is the only consumer. Such products are generally classified
in certain ways; weapons and military-grade cryptography are
two examples. The other domain is procurement of products that
are useful in both the private and public sectors.

   Where equipment and products serve both government and
private sector needs, in some instances the ability of the
government to buy in bulk guarantees vendors a large enough
market to take advantage of mass production, thereby driving
down for all consumers the unit costs of a product that the
government was buying in bulk. Through its market power,
government has some ability to affect the price of products
that are offered for sale on the open market. Furthermore,
acceptance by the government is often taken as a "seal of
approval" for a given product that reassures potential buyers
in the private sector.

   History offers examples with variable success in promoting
the widespread public use of specific information technologies
through the use of government standards.

   +    The DES was highly successful. DES was first adopted
as a cryptographic standard for federal use in 1975. Since
then, its use has become commonplace in cryptographic
applications around the world, and many implementations of DES
now exist worldwide.

   +    A less successful standard is GOSIP, the Government
OSI Profile, FIPS-146.(6) The GOSIP was intended to specify
the details of an OSI configuration for use in the government
so that interoperable OSI network products could be procured
from commercial vendors and to encourage the market
development of products. GOSIP has largely failed in this
effort, and network products based on the TCP/IP protocols now
dominate the market.(7)

   In the case of the EES, the government chose not to seek
legislation outlawing cryptography without features for
exceptional access, but chose instead to use the EES to
influence the marketplace for cryptography. This point was
acknowledged by Administration officials to the committee on
a number of occasions. Specifically, the government hoped that
the adoption of the EES to ensure secure communications within
the government and for communications of other parties with
the federal government would lead to a significant demand for
EES-compliant devices, thus making possible production in
larger quantities and thereby driving unit costs down and
making EES-compliant devices more attractive to other users.
A secondary effect would be the fact that two nongovernmental
parties wishing to engage in secure communications would be
most likely to use EES-compliant devices if they already own
them rather than purchase other devices. As part of this
strategy to influence the market, the government persuaded
AT&T in 1992 to base a secure telephone on the EES.

   In the case of the Fortezza card, the large government
procurement for use with the Defense Messaging System may well
lower unit costs sufficiently that vendors of products
intended solely for the commercial nondefense market will
build support for the Fortezza card into their products.(8)
Given the wide availability of PC-Card slots on essentially
all notebook and laptop computers, it is not inconceivable
that the security advantages offered by hardware-based
authentication would find a wide commercial market. At the
same time, the disadvantages of hardware-based cryptographic
functionality discussed in Chapter 5 would remain as well.

----------

   (6)  OSI refers to Open Systems Interconnect, a
standardized suite of international networking protocols
developed and promulgated in the early 1980s.

   (7)  See CSTB, *Realizing the Information Future*, 1994,
Chapter 6.

   (8)  In a recent contract, a vendor agreed to provide
Fortezza cards at $69 per card. See Paul Constance, "After
Complaining $99 Was Too Low, Fortezza Vendors Come in at $69,"
*Government Computer News*, October 2, 1995, p. 6.

____________________________________________________________


               6.2.3 Implementation of Policy:
         Fear, Uncertainty, Doubt, Delay, Complexity

   The implementation of policy contributes to how those
affected by policy will respond to it. This important element
is often unstated, and it refers to the role of government in
creating a climate of predictability. A government that speaks
with multiple voices on a question of policy, or one that
articulates isolated elements of policy in a piecemeal
fashion, or one that leaves the stakeholders uncertain about
what is or is not permissible, creates an environment of fear,
uncertainty, and doubt that can inhibit action. Such an
environment can result from a deliberate choice on the part of
policy makers, or it can be inadvertent, resulting from
overlapping and/or multiple sources of authority that may have
at least partial responsibility for the policy area in
question. Decisions made behind closed doors and protected by
government security classifications tend to reinforce the
concerns of those who believe that fear, uncertainty, and
doubt are created deliberately rather than inadvertently.

   The committee observes that cryptography policy has indeed
been shrouded in secrecy for many years and that many agencies
have partial responsibility in this area. It also believes
that fear, uncertainty, and doubt are common in the
marketplace. For example, the introduction of nonmarket-driven
standards such as the DSS and the EES may have created market
uncertainty that impeded the rapid proliferation of
high-quality products with encryption capabilities both
internationally and domestically. Uncertainty over whether or
not the federal government would recertify the DES as a FIPS
has plagued the marketplace in recent years, because
withdrawal of the DES as a FIPS could cause considerable
consternation among some potential buyers that might suddenly
be using products based on a decertified standard, although in
fact the government has recertified the DES in each case. On
the other hand, the DES is also a standard of the American
National Standards Institute and the American Banking
Association, and if these organizations retain their
endorsement of the DES, the DES will arguably represent a
viable algorithm for a wide range of products.

   Many parties in industry believe that the complexity and
opacity of the decisionmaking process with respect to
cryptography are major contributors to this air of
uncertainty. Of course, the creation of uncertainty may be
desirable from the perspective of policy makers if their goal
is to retard action in a given area. Impeding the spread of
high-quality products with encryption capabilities
internationally is the stated and explicit goal of export
controls; on the domestic front, impeding the spread of
high-quality products with encryption capabilities has been a
desirable outcome from the standpoint of senior officials in
the law enforcement community.

   A very good example of the impact of fear, uncertainty, and
doubt on the marketplace for cryptography can be found in the
impact of government action (or more precisely, inaction) with
respect to authentication. As noted in Chapter 2, cryptography
supports digital signatures, a technology that provides high
assurance for both data integrity and user authentication.
However, federal actions in this area have led to considerable
controversy. One example is that the federal government failed
to adopt what was (and still is) the de facto commercial
standard algorithm on digital signatures, namely the RSA
algorithm. Government sources told the committee that the fact
that the RSA algorithm is capable of providing strong
confidentiality as well as digital signatures was one reason
that the government deemed it inappropriate for promulgation
as a FIPS.(9) Further, the government's adoption of the
Digital Signature Standard(10) in 1993 occurred despite
widespread opposition from industry to the specifics of that
standard.

____________________________________________________________


                      6.2.4 R&D Funding

   An agency that supports research (and/or conducts such
research on its own in-house) in a given area of technology is
often able to shape the future options from which the private
sector and policy makers will choose. For example, an agency
that wishes to maintain a monopoly of expertise in a given
area may not fund promising research proposals that originate
from outside. Multiple agencies active in funding a given area
may thus yield a broader range of options for future policy
makers.

   In the context of cryptography and computer and
communications security, it is relevant that the National
Security Agency (NSA) has been the main supporter and
performer of R&D in this area.(11) The NSA's R&D orientation
has been, quite properly, on technologies that would help it
to perform more effectively and efficiently its two basic
missions: (1) defending national security by designing and
deploying strong cryptography to protect classified
information and (2) performing signals intelligence against
potential foreign adversaries. In the information security
side of the operation, NSA-developed technology has
extraordinary strengths that have proven well suited to the
protection of classified information relevant to defense or
foreign policy needs.

   How useful such technologies will prove for corporate
information security remains to be seen. Increasing needs for
information security in the private sector suggest that NSA
technology may have much to offer, especially if such
technology can be made available to the private sector without
limitation. At the same time, the environment in which private
sector information security needs are manifested may be
different enough from the defense and foreign policy worlds
that these technologies may not be particularly relevant in
practice to the private sector. Furthermore, the rapid pace of
commercial developments in information technology may make it
difficult for the private sector to use technologies developed
for national security purposes in a less rapidly changing
environment.

   These observations suggest that commercial needs for
cryptographic technology may be able to draw on NSA
technologies for certain applications, and most certainly will
draw on nonclassified R&D work in cryptography (both in the
United States and abroad); even the latter will have a high
degree of sophistication. Precisely how the private sector
will draw on these two sources of technology will depend on
policy decisions to be made in the future. Finally, it is
worth noting that nonclassified research on cryptography
appearing in the open literature has been one of the most
important factors leading to the dilemma that policy makers
face today with respect to cryptography.

----------

   (9)  The specific concern was that widespread adoption of
RSA as a signature standard would result in an infrastructure
that could support the easy and convenient distribution of DES
keys. The two other reasons for the government's rejection of
RSA were the desire to promulgate an approach to digital
signatures that would be royalty-free (RSA is a patented
algorithm) and the desire to reduce overall system costs for
digital signatures. For a discussion of the intellectual
issues involved in the rejection of the RSA algorithm and the
concern over confidentiality, see Office of Technology
Assessment, *Information Security and Privacy in Network
Environments*, Washington, D.C., September 1994, pp. 167-168
and pp. 217-222.

   (10) The Digital Signature Standard (DSS) is based on an
unclassified algorithm known as the Digital Signature
Algorithm that does not explicitly support confidentiality.
However, the DSS and its supporting documentation do amount to
U.S. government endorsement of a particular one-way hash
function, and document in detail how to generate the
appropriate number-theoretic constants needed to implement it.
Given this standard, it is possible to design a
confidentiality standard that is as secure as the DSS. In
other words, the DSS is a road map to a confidentiality
standard, although it is not such a standard explicitly.
Whether an ersatz confidentiality standard would pass muster
in the commercial market remains to be seen.

   (11) It is important to distinguish between R&D undertaken
internally and externally to NSA. Internal R&D work can be
controlled and kept private to NSA; by contrast, it is much
more difficult to control the extent to which external R&D
work is disseminated. Thus, decisions regarding specific
external cryptography-related R&D projects could promote or
inhibit public knowledge of cryptography.

____________________________________________________________


           6.2.5 Patents and Intellectual Property

   A number of patents involving cryptography have been
issued. Patents affect cryptography because patent protection
can be used by both vendors and governments to keep various
patented approaches to cryptography out of broad use in the
public domain.(12)

   The DES, first issued in 1977, is an open standard, and the
algorithm it uses is widely known. According to NIST, devices
implementing the DES may be covered by U.S. and foreign
patents issued to IBM (although the original patents have by
now expired).(13) However, IBM granted nonexclusive,
royalty-free licenses under the patents to make, use, and sell
apparatus that complies with the standard.

   RSA Data Security Inc. (RSA) holds the licensing rights to
RC2, RC4, and RC5, which are variable-key-length ciphers
developed by Ronald Rivest.(14) RC2 and RC4 are not patented,
but rather, are protected as trade secrets (although their
algorithms have been published on the Internet without RSA's
approval). RSA has applied for a patent for RC5 and has
proposed it as a security standard for the Internet. Another
alternative for data encryption is IDEA, a block cipher
developed by James Massey and Xuejia Lai of the Swiss Federal
Institute of Technology (ETH), Zurich. The patent rights to
IDEA are held by Ascom Systec AG, a Swiss firm. IDEA is
implemented in the software application, PGP.

   In addition to the above patents, which address
symmetric-key encryption technologies, there are several
important patent issues related to public-key cryptography.
The concept of public-key cryptography, as well as some
specific implementing methods, are covered by U.S. Patents
4,200,770 (M. Hellman, W. Diffie, and R. Merkle, 1980) and
4,218,582 (M. Hellman and R. Merkle, 1980), both of which are
owned by Stanford University. The basic patent for the RSA
public-key crypto-system, U.S. Patent 4,405,829 (R. Rivest, A.
Shamir, and L. Adleman, 1983), is owned by the Massachusetts
Institute of Technology. The -582 patent has counterparts in
several other countries. These basic public-key patents and
related ones have been licensed to many vendors worldwide.
With the breakup of the partnership that administered the
licensing of Stanford University's and MIT's patents, the
validity of the various patents has become the subject of
current litigation. In any event, the terms will expire in
1997 for the first two of the above patents and in 2000 for
the third.(15)

   In 1994, NIST issued the Digital Signature Standard, FIPS
186. The DSS uses the NIST-developed Digital Signature
Algorithm, which according to NIST is available for use
without a license. However, during the DSS's development,
concern arose about whether the DSS might infringe on the
public-key patents cited above, as well as a patent related to
signature verification held by Claus Schnorr of Goethe
University in Frankfurt, Germany.(16) NIST asserts that the
DSS does not infringe on any of these patents.(17) At the
least, U.S. government users have the right to use public-key
cryptography without paying a license fee for the Stanford and
MIT patents because the concepts were developed at these
universities with federal research support. However, there
remains some disagreement about whether commercial uses of the
DSS (for example, in a public-key infrastructure) will require
a license from one or more of the various patent holders.

   A potential patent dispute regarding the key-escrow
features of the EES may have been headed off by NIST's
negotiation of a nonexclusive licensing agreement with Silvio
Micali in 1994.(18) Micali has patents that are relevant to
dividing a key into components that can be separately
safeguarded (e.g., by escrow agents) and later combined to
recover the original key.

   A provision of the U.S. Code (Title 35, US Code 181) allows
the Patent and Trademark Office (PTO) to withhold a patent and
order that the invention be kept secret if publication of the
patent is detrimental to national security. Relevant to
cryptography is the fact that a patent application for the
Skipjack encryption algorithm was filed on February 7, 1994.
This application was examined and all of the claims allowed,
and notification of the algorithm's patentability was issued
on March 28, 1995. Based on a determination by NSA, the Armed
Services Patent Advisory Board issued a secrecy order for the
Skipjack patent application; the effect of the secrecy order
is that even though Skipjack can be patented, a patent will
not be issued until the secrecy order is rescinded. Since
applications are kept in confidence until a patent is issued,
no uninvolved party can find out any information concerning
the application. In this way, the patentability of the
algorithm has been established without having to disclose the
detailed information publicly.(19) Since Title 35 USC 181 also
provides that the PTO can rescind the secrecy order upon
notification that publication is no longer detrimental to
national security, compromise and subsequent public revelation
of the Skipjack algorithm (e.g., through reverse-engineering
of a Clipper chip) might well cause a patent to be issued for
Skipjack that would give the U.S. government control over its
subsequent use in products.

----------

   (12) See footnote 9.

   (13) National Institute of Standards and Technology, "FIPS
46-2: Announcing the Data Encryption Standard," December 30,
1993.

   (14) See RSA Data Security Inc., home page, at
http://www.rsa.com.

   (15) In 1994, Congress changed patent terms from 17 years
after issuance to 20 years from the date of filing the patent
application; however, applications for these patents were
filed in or before 1977, and so they will not be affected.

   (16) See Office of Technology Assessment, *Information
Security and Privacy in Network Environments*, September 1994,
p. 220.

   (17) National Institute of Standards and Technology,
"Digital Signature Standard," *Computer Systems Laboratory
(CSL) Bulletin*, NIST, Gaithersburg, Maryland, November 1994.
Available on line from http://csrc.ncsl.nist.gov/nistbul/
csl94-11.txt.

   (18) National Institute of Standards and Technology press
release, "Patent Agreement Removes Perceived Barrier to
Telecommunications Security System," NIST, Gaithersburg,
Maryland, July 11, 1994. Available on line from
gopher://rigel.nist.gov:7346/0/.docs/.releases/N94-28.REL.

   (19) Clinton C. Brooks, National Security Agency, provided
this information to the committee in an e-mail message dated
May 23, 1995.

____________________________________________________________


           6.2.6 Formal and Informal Arrangements
      with Various Other Governments and Organizations

   International agreements can be an important part of
national policy. For example, for many years the CoCom nations
cooperated in establishing a common export control policy on
militarily significant items with civilian purposes, including
cryptography (Appendix G has more details).

   International agreements can take a variety of different
forms. The most formal type of agreement is a treaty between
(or among) nations that specifies the permissible, required,
and prohibited actions of the various nations. Treaties
require ratification by the relevant national political bodies
as well as signature before entry into force. In the United
States treaties must be approved by the Senate by a two-thirds
vote. Sometimes treaties are self-executing, but often they
need to be followed by implementing legislation enacted by the
Congress in the normal manner for legislation.

   Another type of agreement is an executive agreement. In the
United States, executive agreements are, as the name implies,
entered into by the executive branch. Unlike the treaty, no
Senate ratification is involved, but the executive branch has
frequently sought approval by a majority of both houses of the
Congress. For all practical purposes executive agreements with
other countries bind the United States in international law
just as firmly as treaties do, although the treaty may carry
greater weight internally due to the concurrence by a
two-thirds vote of the Senate. Executive agreements can also
be changed with much greater flexibility than treaties.

   Finally, nations can agree to cooperate through diplomacy.
Even though cooperation is not legally required under such
arrangements, informal understandings can work very
effectively so long as relationships remain good and the
countries involved continue to have common goals. In fact,
informal understanding is the main product of much diplomacy
and is the form that most of the world's business between
governments takes. For example, although the United States
maintains formal mutual legal assistance treaties with a
number of nations, U.S. law enforcement agencies cooperate
(sometimes extensively) with foreign counterparts in a much
larger number of nations. Indeed, in some instances, such
cooperation is stronger, more reliable, and more extensive
than is the case with nations that are a party to a formal
mutual legal assistance treaty with the United States.

   Note that the more formal the agreement, the more public is
the substance of the agreement; such publicity often leads to
attention that may compromise important and very sensitive
matters, such as the extent to which a nation supports a given
policy position or the scope and nature of a nation's
capabilities. When informal arrangements are negotiated and
entered into force, they may not be known by all citizens or
even by all parts of the governments involved. Because they
are less public, informal arrangements also allow more
latitude for governments to make decisions on a case-by-case
basis. In conducting negotiations that may involve sensitive
matters or agreements that may require considerable
flexibility, governments are often inclined to pursue more
informal avenues of approach.


             6.2.7 Certification and Evaluation

   Analogous to Good Housekeeping seals of approval or "check
ratings" for products reviewed in Consumer Reports,
independent testing and certification of products can provide
assurance in the commercial marketplace that a product can
indeed deliver the services and functionality that it purports
to deliver. For example, the results of government crash tests
of automobiles are widely circulated as data relevant to
consumer purchases of automobiles. Government certification
that a commercial airplane is safe to fly provides significant
reassurance to the public about flight safety. At the same
time, while evaluation and certification would in principle
help users to avoid products that implement a sound algorithm
in a way that undermines the security offered by the
algorithm, the actual behavior of users demonstrates that
certification of a product is not necessarily a selling point.
Many of the DES products in the United States have never been
evaluated relative to FS-1027 or FIPS 140-1, and yet such
products are used by many parties.

   The government track record in the cryptography and
computer security domain is mixed. For example, a number of
DES products were evaluated with respect to FS-1027 (the
precursor to FIPS 140-1) over several years and a number of
products were certified by NSA. For a time, government
agencies purchased DES hardware only if it met FS-1027, or
FIPS-140. Commercial clients often required compliance because
it provided the only assurance that a product embodying DES
was secure in a broader sense. In this case, the alignment
between government and commercial security requirements seems
to have been reasonably good and thus this program had some
success. Two problems with this evaluation program were that
it addressed only hardware and that it lagged in allowing use
of public-key management technology in products (in the
absence of suitable standards).

   A second attempt to provide product evaluation was
represented by the National Computer Security Center (NCSC),
which was established by the Department of Defense for the
purpose of certifying various computer systems for security.
The theory underlying the center was that the government
needed secure systems but could not afford to build them. The
quid pro quo was that industry would design and implement
secure operating systems that the government would test and
evaluate at no cost to industry; systems meeting government
requirements would receive a seal of approval.

   Although the NCSC still exists, the security evaluation
program it sponsors, the Trusted Product Evaluation Program
(TPEP), has more or less lapsed into disuse. In the judgment
of many, the TPEP was a relative failure because of an
underlying premise that the information security problems of
the civil government and the private sector were identical to
those of the defense establishment. In fact, the private
sector has for the most part found a military approach to
computer security inadequate for its needs. A second major
problem was that the time scale of the evaluation process was
much longer than the private sector could tolerate, and
products that depended on NCSC evaluation would reach market
already on the road to obsolescence, perhaps superseded by a
new version to which a given evaluation would not necessarily
apply. In late 1995, articles in the trade press reported that
the Department of Defense was attempting to revive the
evaluation program in a way that would involve private
contractors.(20)

   A recent attempt to provide certification services is the
Cryptographic Module Validation Program (CMVP) to test
products for conformance to FIPS 140-1, *Security Requirements
for Cryptographic Modules*.(21) FIPS 140-1 provides a broad
framework for all NIST cryptographic standards, specifying
design, function, and documentation requirements for
cryptographic modules -- including hardware, software,
"firmware," and combinations thereof -- used to protect
sensitive, unclassified information in computer and
telecommunication systems.(22) The CMVP was established in
July 1995 by NIST and the Communications Security
Establishment of the government of Canada.

   The validation program is currently optional: agencies may
purchase products based on the vendor's written assurance of
compliance with the standard. However, beginning in 1997, U.S.
federal procurement will require cryptographic products to be
validated by an independent, third party. Under the program,
vendors will submit their product for testing by an
independent, NIST-accredited laboratory.(23)

   Such a laboratory evaluates both the product and its
associated documentation against the requirements in FIPS
140-1. NIST has also specified test procedures for all aspects
of the standard. Examples include attempting to penetrate
tamper-resistant coatings and casings, inspecting software
source code and documentation, attempting to bypass protection
of stored secret keys, and statistically verifying the
performance of random number generators.(24) The vendor sends
the results of independent tests to NIST, which determines
whether these results show that the tested product complies
with the standard and then issues validation certificates for
products that do. Time will tell whether the CMVP will prove
more successful than the NCSC.

----------

   (20) See for example, Paul Constance, "Secure Products List
Gets CPR," *Government Computing News*, November 13, 1995, p.
40.

   (21) National Institute of Standards and Technology press
release, "Cryptographic Module Validation Program Announced,"
NIST, Gaithersburg, Maryland, July 17, 1995.

   (22) National Institute of Standards and Technology,
*Federal Information Processing Standards Publication 140-1:
Security Requirements for Cryptographic Modules*, NIST,
Gaithersburg, Maryland, January 11, 1994.

   (23) As of September 1995, the National Institute of
Standards and Technology's National Voluntary Laboratory
Accreditation Program had accredited three U.S. companies as
competent to perform the necessary procedures: CygnaCom
Solutions Laboratory (McLean, Va.), DOMUS Software Limited
(Ottawa, Canada), and InfoGard Laboratories (San Luis Obispo,
Calif.). A current list of these companies is available from
http://csrc.ncsl.nist.gov/fips/1401labs.txt.

   (24) National Institute of Standards and Technology,
*Derived Test Requirements for FIPS PUB 140-1*, NIST,
Gaithersburg, Maryland, March 1995.

____________________________________________________________


                6.2.8 Nonstatutory Influence

   By virtue of its size and role in society, government has
considerable ability to influence public opinion and to build
support for policies. In many cases, this ability is not based
on specific legislative authority, but rather on the use of
the "bully pulpit." For example, the government can act in a
convening role to bring focus and to stimulate the private
sector to work on a problem.(25) The bully pulpit can be used
to convey a sense of urgency that is tremendously important in
how the private sector reacts, especially large companies that
try to be good corporate citizens and responsive to informal
persuasion by senior government officials. Both vendors and
users can be influenced by such authority.(26)

   In the security domain, the Clinton Administration has
sponsored several widely publicized public meetings to address
security dimensions of the national information infrastructure
(NII). These meetings were meetings of the NII Security Issues
Forum, held in 1994 and 1995.(27) They were announced in the
*Federal Register* and were intended to provide a forum in
which members of the interested public could air their
concerns about security.

   In the cryptography domain, the U.S. government has used
its convening authority to seek comments on various proposed
cryptographic standards and to hold a number of workshops
related to key escrow (discussed in Chapter 5). Many in the
affected communities believe that these attempts at outreach
were too few and too late to influence anything more than the
details of a policy outline upon which government had already
decided. A second example demonstrating government's
nonstatutory influence was the successful government request
to AT&T to base the 3600 Secure Telephone Unit on the Clipper
chip instead of an unescrowed DES chip (as described in
Appendix E).

----------

   (25) One advantage of government's acting in this way is
that it may provide some assurance to the private sector that
any coordinated action they may take in response to government
calls for action will be less likely to be interpreted by
government as a violation of antitrust provisions.

   (26) For example, in responding favorably to a request by
President Clinton for a particular action in a labor dispute,
the chairman of American Airlines noted, "He [President
Clinton] is the elected leader of the country. For any citizen
or any company or any union to say 'No, I won't do that' to
the President requires an awfully good reason." See Gwen
Ifill, "Strike at American Airlines; Airline Strike Ends as
Clinton Steps In," *New York Times*, November 23, 1993, p. 1.

   (27) Office of Management and Budget press release,
"National Information Infrastructure Security Issues Forum
Releases 'NII Security: The Federal Role,' " Washington, D.C.,
June 14, 1995. The subjects of these meetings were "Commercial
Security on the NII," which focused on the need for
intellectual property rights protection in the entertainment,
software, and computer industries; "Security of Insurance and
Financial Information"; "Security of Health and Education
Information"; "Security of the Electronic Delivery of
Government Services and Information"; "Security for Intelligent
Transportation Systems and Trade Information"; and "The NII:
Will It Be There When You Need It?," addressing the
availability and reliability of the Internet, the public
switched telecommunications network, and cable, wireless, and
satellite communications services. Available on line from
gopher://ntiantl.ntia.doc.gov:70/00/iitf/security/files/
fedworld.txt

____________________________________________________________


                6.2.9 Interagency Agreements
                 Within the Executive Branch

   Given that one government agency may have expertise or
personnel that would assist another agency in doing its job
better, government agencies often conclude agreements between
them that specify the terms and nature of their cooperative
efforts. In the domain of cryptography policy, NSA's technical
expertise in the field has led to memorandums of understanding
with NIST and with the FBI (Appendix L).

   The memorandum of understanding (MOU) between NIST and NSA
outlines several areas of cooperation between the two agencies
that are intended to implement the Computer Security Act of
1987; joint NIST-NSA activities are described in Box 6.2. This
MOU has been the subject of some controversy, with critics
believing that the MOU and its implementation cede too much
authority to NSA and defenders believing that the MOU is
faithful to both the spirit and letter of the Computer
Security Act of 1987.(28)

   The MOU between the FBI and NSA, declassified for the
National Research Council, states that the NSA will provide
assistance to the FBI upon request, when the assistance is
consistent with NSA policy (including protection of sources
and methods), and in accordance with certain administrative
requirements. Furthermore, if the assistance requested is for
the support of an activity that may be conducted only pursuant
to a court order or with the authorization of the Attorney
General, the FBI request to the NSA must include a copy of
that order or authorization.

   In 1995, the National Security Agency, the Advanced
Research Projects Agency, and the Defense Information Systems
Agency signed a memorandum of agreement (MOA) to coordinate
research and development efforts in system security. This MOA
provides for the establishment of the Information System
Security Research Joint Technology Office (ISSR-JTO). The role
of the ISSR-JTO is "to optimize use of the limited research
funds available, and strengthen the responsiveness of the
programs to DISA, expediting delivery of technologies that
meet DISA's requirements to safeguard the confidentiality,
integrity, authenticity, and availability of data in
Department of Defense information systems, provide a robust
first line of defense for defensive information warfare, and
permit electronic commerce between the Department of Defense
and its contractors."(29)

---------

   (28) For more discussion of these critical perspectives,
see U.S. Congress, Office of Technology Assessment,
*Information Security and Privacy in Network Environments*,
OTA-TCT-606, U.S. Government Printing Office, Washington, D.C.,
September 1994, Box 4-8, pp. 164-171.

   (29) See "Memorandum of Agreement Between the Advanced
Research Projects Agency, the Defense Information Systems
Agency, and the National Security Agency Concerning the
Information Systems Security Research Joint Technology
Office"; MOA effective April 2, 1995. The full text of the MOA
is available from http://www.ito.darpa.mil/ResearchAreas/
Information_Survivability/MOA.html.

____________________________________________________________


         6.3 ORGANIZATION OF THE FEDERAL GOVERNMENT
            WITH RESPECT TO INFORMATION SECURITY


          6.3.1 Role of National Security vis-a-vis
            Civilian Information Infrastructures

   The extent to which the traditional national security model
is appropriate for an information infrastructure supporting
both civilian and military applications is a major point of
contention in the public debate. There are two schools of
thought on this subject:

   +    The traditional national security model should be
applied to the national information infrastructure, because
protecting those networks also protects services that are
essential to the military, and the role of the defense
establishment is indeed to protect important components of the
national infrastructure that private citizens and businesses
depend upon.(30)

   +    The traditional national security model should not be
applied to the national information infrastructure, because
the needs of civilian activities are so different from those
of the military, and the imposition of a national security
model would impose an unacceptable burden on the civilian
sector. Proponents of this view argue that the traditional
national security model of information security -- a top-down
approach to information security management -- would be very
difficult to scale up to a highly heterogeneous private sector
involving hundreds of millions of people and tens of millions
of computers in the United States alone.

   There is essential unanimity that the world of classified
information (both military and nonmilitary) is properly a
domain in which the DOD and NSA can and should exercise
considerable influence. But moving outside this domain raises
many questions that have a high profile in the public debate.
Specifically, what should the DOD and NSA role be in dealing
with the following categories of information:

   1.   Unclassified government information that is military
        in nature,

   2.   Unclassified government information that is
        nonmilitary in nature, and

   3.   Nongovernment information.

   To date, policy decisions have been made that give the DOD
jurisdiction in information security policy for category 1.
For categories 2 and 3, the debate continues. It is clear that
the security needs for business and for national security
purposes are both similar (Box 6.3) and different (Box 6.4).
In category 2, the argument is made that DOD and NSA have a
great deal of expertise in protecting information, and that
the government should draw on an enormous historical
investment in NSA expertise to protect all government
information. At the same time, NIST has the responsibility for
protecting such information under the Computer Security Act of
1987, with NSA's role being one of providing technical
assistance. Some commentators believe that NIST has not
received resources adequate to support its role in this
area.(31)

   In category 3, the same argument is made with respect to
nongovernment information on the grounds that the proper role
of government is to serve the needs of the entire nation. A
second argument is made that the military depends critically
on nongovernment information infrastructures (e.g., the public
switched telecommunications network) and that it is essential
to protect those networks not just for civilian use but also
for military purposes. (Note that NSA does not have broad
authority to assist private industry with information
security, although it does conduct for industry, upon request,
unclassified briefings related to foreign information security
threats; NSD-42 (text provided in Appendix L) also gives NSA
the authority to work with private industry when such work
involves national security information systems used by private
industry.)

----------

   (30) For example, the Joint Security Commission recommended
that "policy formulation for information systems security be
consolidated under a joint DoD/DCI security executive
committee, and that the committee oversee development of a
coherent network-oriented information systems security policy
for the DoD and the Intelligence Community that could also
serve the entire government." See Joint Security Commission,
*Redefining Security*, Washington, D.C., February 28, 1994, p.
107.

   (31) For example, the Office of Technology Assessment
stated that "the current state of government security practice
for unclassified information has been depressed by the chronic
shortage of resources for NIST's computer security activities
in fulfillment of its government-wide responsibilities under
the Computer Security Act of 1987. Since enactment of the
Computer Security Act, there has been no serious (i.e.,
adequately funded and properly staffed), sustained effort to
establish a center of information-security expertise and
leadership outside the defense/intelligence communities." See
U.S. Congress, Office of Technology Assessment, *Issue Update
on Information Security and Privacy in Network Environments*,
OTA-BP-ITC-147, U.S. Government Printing Office, Washington,
D.C., June 1995, p. 42. A similar conclusion was reached by
the Board on Assessment of NIST Programs of the National
Research Council, which wrote that "the Computer Security
Division is severely understaffed and underfunded given its
statutory security responsibilities, the growing national
recognition of the need to protect unclassified but sensitive
information, and the unique role the division can play in
fostering security in commercial architectures, hardware, and
software." See Board on Assessment of NIST Programs, National
Research Council, *An Assessment of the National Institute of
Standards and Technology*, Fiscal Year 1993, National Academy
Press, Washington, D.C., 1994, p. 228.

____________________________________________________________


            6.3.2 Other Government Entities with
              Influence on Information Security

   As noted above, NSA has primary responsibility for
information security in the classified domain, while NIST has
primary responsibility for information security in the
unclassified domain, but for government information only. No
organization or entity within the federal government has the
responsibility for promoting information security in the
private sector.(32)

   The Security Policy Board (SPB) does have a coordination
function. Specifically, the charge of the SPB is to consider,
coordinate, and recommend for implementation to the President
policy directives for U.S. security policies, procedures, and
practices, including those related to security for both
classified and unclassified government information. The SPB is
intended to be the principal mechanism for reviewing and
proposing legislation and executive orders pertaining to
security policy, procedures, and practices. The Security
Policy Advisory Board provides a nongovernmental perspective
on security policy initiatives to the SPB and independent
input on such matters to the President. The SPB does not have
operational responsibilities.

   Other entities supported by the federal government have
some influence over information security, though little actual
policy-making authority. These include:

   +    The Computer Emergency Response Team (CERT). CERT was
formed by the Defense Advanced Research Projects Agency
(DARPA) in November 1988 in response to the needs exhibited
during the Internet worm incident. CERT's charge is to work
with the Internet community to facilitate its response to
computer security events involving Internet hosts, to take
proactive steps to raise the community's awareness of computer
security issues, and to conduct research targeted at improving
the security of existing systems.(33) CERT offers
around-the-clock technical assistance for responding to
computer security incidents, educates users regarding product
vulnerability through technical documents and seminars, and
provides tools for users to undertake their own vulnerability
analyses.

   +    The Information Infrastructure Task Force's (IITF)
National Information Infrastructure Security Issues Forum. The
forum is charged with addressing institutional, legal, and
technical issues surrounding security in the NII. A draft
report issued by the forum proposes federal actions to address
these issues.(34) The intent of the report, and of the
Security Issues Forum more generally, is to stimulate a
dialogue on how the federal government should cooperate with
other levels of government and the private sector to ensure
that participants can trust the NII. The draft report proposes
a number of security guidelines (proposed NII security
tenets), the adoption of Organization of Economic Cooperation
and Development security principles for use on the NII, and a
number of federal actions to promote security.

   +    The Computer System Security and Privacy Advisory
Board (CSSPAB). CSSPAB was created by the Computer Security
Act of 1987 as a statutory federal public advisory committee.
The law provides that the board shall identify emerging
managerial, technical, administrative, and physical safeguard
issues relative to computer systems security and privacy;
advise the National Institute of Standards and Technology and
the secretary of commerce on security and privacy issues
pertaining to federal computer systems; and report its
findings to the secretary of commerce, the directors of the
Office of Management and Budget and the National Security
Agency, and the appropriate committees of the Congress. The
board's scope is limited to federal computer systems or those
operated by a contractor on behalf of the federal government
and which process sensitive but unclassified information. The
board's authority does not extend to private sector systems,
systems that process classified information, or DOD
unclassified systems related to military or intelligence
missions as covered by the Warner Amendment (10 USC 2315). The
activities of the board bring it into contact with a broad
cross section of the nondefense agencies and departments;
consequently, it often deals with latent policy considerations
and societal consequences of information technology.

   +    The National Counterintelligence Center (NACIC).
Established in 1994 by Presidential Decision Directive NSC-24,
NACIC is primarily responsible for coordinating national-level
counterintelligence activities, and it reports to the National
Security Council. Operationally, the NACIC works with private
industry through an industry council (consisting of senior
security officials or other senior officials of major U.S.
corporations) and sponsors counterintelligence training and
awareness programs, seminars, and conferences for private
industry. NACIC also produces coordinated national-level,
all-source, foreign intelligence threat assessments to support
private sector entities having responsibility for the
protection of classified, sensitive, or proprietary
information, as well as such assessments for government
use.(35)

   In addition, a number of private organizations (e.g., trade
or professional groups) are active in information security.

----------

   (32) This observation was also made in Computer Science and
Telecommunications Board (CSTB), National Research Council,
*Computers at Risk*, National Academy Press, Washington, D.C.,
1991, a report that proposed an Information Security
Foundation as the most plausible type of organization to
promote information security in the private sector.

   (33) Available on line at
http://www.sei.cmu.edu/technology/cert.faqintro.html.

   (34) Office of Management and Budget press release,
"National Information Infrastructure Security Issues Forum
Releases 'NII Security: The Federal Role,'" Washington, D.C.,
June 14, 1995. Available on line from
gopher://ntiantl.ntia.doc.gov:70/00/iitf/security/files/fedworld.txt.

   (35) National Counterintelligence Center,
*Counterintelligence News and Developments*, Issue No. 1,
NACIC, Washington, D.C. This newsletter can be obtained from
http://www.oss.net/oss.

____________________________________________________________

     6.4 INTERNATIONAL DIMENSIONS OF CRYPTOGRAPHY POLICY


   The cryptography policy of the United States must take into
account a number of international dimensions. Most
importantly, the United States does not have the unquestioned
dominance in the economic, financial, technological, and
political affairs of the world that it might have had at the end
of World War II. Indeed, the U.S. economy is increasingly
intertwined with that of other nations. To the extent that
these economically significant links are based on
communications that must be secure, cryptography is one aspect
of ensuring such security. Differing national policies on
cryptography that lead to difficulties in communicating
internationally work against overall national policies that
are aimed at opening markets and reducing commercial and trade
barriers.

   Other nations have the option to maintain some form of
export controls on cryptography, as well as controls on
imports and use of cryptography; such controls form part of
the context in which U.S. cryptography policy must be
formulated. Specifically, foreign export control regimes more
liberal than that of the United States have the potential to
undercut U.S. export control efforts to limit the spread of
cryptography. On the other hand, foreign controls on imports
and use of cryptography could vitiate relaxation of U.S.
export control laws; indeed, relaxation of U.S. export
control laws might well prompt a larger number of nations to
impose additional barriers on the import and use of
cryptography within their borders. Finally, a number of other
nations have no explicit laws regarding the use of
cryptography, but nevertheless have tools at their disposal to
discourage its use; such tools include laws related to the
postal, telephone, and telegraph (PTT) system, laws related to
content carried by electronic media, laws related to the
protection of domestic industries that discourage the entry of
foreign products, laws related to classification of patents,
and informal arrangements related to licensing of businesses.

   As a first step in harmonizing cryptography policies across
national boundaries, the Organization for Economic Cooperation
and Development (OECD) held a December 1995 meeting in France
among member nations to discuss how these nations were
planning to cope with the public policy problems posed by
cryptography. What the Paris meeting made clear is that many
OECD member nations are starting to come to grips with the
public policy problems posed by encryption, but that the
dialog on harmonizing policies across national borders has not
yet matured. Moreover, national policies are quite fluid at
this time, with various nations considering different types of
regulation regarding the use, export, and import of
cryptography.

   Appendix G contains more discussion of international issues
relevant to national cryptography policy.


                          6.5 RECAP


   While export controls and escrowed encryption are
fundamental pillars of current national cryptography policy,
many other aspects of government action also have some bearing
on it: The Communications Assistance for Law Enforcement
(Digital Telephony) Act calls attention to the relationship
between access to a communications stream and government
access to the plaintext associated with that digital stream.
The former problem must be solved (and was solved, by the
CALEA for telephone communications) before the latter problem
is relevant.

   The government can influence the deployment and use of
cryptography in many ways. Federal Information Processing
Standards often set a "best practice" standard for the private
sector, even though they have no official standing outside
government use. By assuring large-volume sales when a product
is new, government procurement practices can reduce the cost
of preferred cryptography products to the private sector,
giving these products a price advantage over possible
competitors. Policy itself can be implemented in ways that
instill action-inhibiting uncertainty in the private sector.
Government R&D funding and patents on cryptographic algorithms
can narrow technical options to some degree. Formal and
informal arrangements with various other governments and
organizations can promote various policies or types of
cooperation. Product certification can be used to provide the
information necessary for a flourishing free market in
products with encryption capabilities. Convening authority can
help to establish the importance of a topic or approach to
policy.

   In some ways, the debate over national cryptography policy
reflects a tension in the role of the national security
establishment with respect to information infrastructures that
are increasingly important to civilian use. In particular, the
use of cryptography has been the domain of national security
and foreign policy for most of its history, a history that has
led to a national cryptography policy that today has the
effect of discouraging the use of cryptography in the private
sector.

____________________________________________________________

                BOX 6.1 Cryptography-related
          Federal Information Processing Standards

   FIPS 46, 46-1 and 46-2: Data Encryption Standard (DES).
Specification of DES algorithm and rules for implementing DES
in hardware. FIPS 46-1 recertifies DES and extends it for
software implementation. FIPS 46-2 reaffirms the Data
Encryption Standard algorithm until 1998 and allows for its
implementation in software, firmware or hardware. Several
other FIPSs address interoperability and security requirements
for using DES in the physical layer of data communications
(FIPS 139) and in fax machines (FIPS 141), guidelines for
implementing and using DES (FIPS 74), modes of operation of
DES (FIPS 81), and use of DES for authentication purposes
(FIPS 113).

   FIPS 180-1: Secure Hash Standard. This standard specifies
a Secure Hash Algorithm (SHA) that can be used to generate a
condensed representation of a message called a message digest.
The SHA is required for use with the Digital Signature
Algorithm (DSA) as specified in the Digital Signature Standard
(DSS) and whenever a secure hash algorithm is required for
federal applications. The SHA is used by both the transmitter
and intended receiver of a message in computing and verifying
a digital signature.

   FIPS 186: Digital Signature Standard. This standard
specifies a Digital Signature Algorithm (DSA) appropriate for
applications requiring a digital rather than a written
signature. The DSA digital signature is a pair of large
numbers represented in a computer as strings of binary digits.
The digital signature is computed using a set of rules (i.e.,
the DSA) and a set of parameters such that the identity of the
signatory and integrity of the data can be verified. The DSA
provides the capability to generate and verify signatures.

   FIPS 140-1: Security Requirements for Cryptographic
Modules. This standard provides specifications for
cryptographic modules which can be used within computer and
telecommunications systems to protect unclassified information
in a variety of different applications.

   FIPS 185: Escrowed Encryption Standard (see main text).

   FIPS 171: Key Management Using ANSI X9.17. This standard
specifies a selection of options for the automated distribution
of keying material by the federal government when using the
protocols of ANSI X9.17. The standard defines procedures for
the manual and automated management of keying materials and
contains a number of options. The selected options will allow
the development of cost-effective systems that will increase
the likelihood of interoperability.

   Other FIPSs address matters related more generally to
computer security.

   FIPS 48: Guidelines on Evaluation of Techniques for
Automated Personal Identification.

   FIPS 83: Guidelines on User Authentication Techniques for
Computer Network Access Control.

   FIPS 112: Password Usage.

   FIPS 113: Computer Data Authentication.

   FIPS 73: Guidelines for Security of Computer Applications.

____________________________________________________________


        BOX 6.2 Overview of Joint NIST-NSA Activities

   The National Security Agency provides technical advice and
assistance to the National Institute of Standards and
Technology in accordance with Public Law 100-235, the Computer
Security Act of 1987. An overview of NIST-NSA activities
follows.

   National conference. NIST and NSA jointly sponsor,
organize, and chair the prestigious National Computer Security
Conference, held yearly for the past 16 years. The conference
is attended by over 2,000 people from government and private
industry.

   Common criteria. NSA is providing technical assistance to
NIST for the development of computer security criteria that
would be used by both the civilian and defense sides of the
government. Representatives from Canada and Europe are joining
the United States in the development of the criteria.

   Product evaluations. NIST and NSA are working together to
perform evaluations of computer security products. In the
Trusted Technology Assessment Program, evaluations of some
computer security products will be performed by NIST and its
laboratories, while others will be performed by NSA. NIST and
NSA engineers routinely exchange information and experiences
to ensure uniformity of evaluations.

   Standards development. NSA supports NIST in the development
of standards that promote interoperability among security
products. Sample standards include security protocol
standards, digital signature standards, key management
standards, and encryption algorithm standards (e.g., the DES,
Skipjack).

   Research and development. Under the Joint R&D Technology
Exchange Program, NIST and NSA hold periodic technical
exchanges to share information on new and ongoing programs.
Research and development are performed in areas such as
security architectures, labeling standards, privilege
management, and identification and authentication. Test-bed
activities are conducted in areas related to electronic mail,
certificate exchange and management, protocol conformity, and
encryption technologies.

----------

SOURCE: National Security Agency, April 1994 (as printed in
U.S. Congress, Office of Technology Assessment, *Information
Security and Privacy in Network Environments*, OTA-TCT-606,
U.S. Government Printing Office, Washington, D.C., September
1994, Box 4-8, p. 165).

____________________________________________________________

      BOX 6.3 Similarities in Commercial Security Needs
                 and National Security Needs

   +    Strong aversion to public discussion of security
breaches. Information about threats is regarded as highly
sensitive. Such a classification makes it very difficult to
conduct effective user education, because security awareness
depends on an understanding of the true scope and nature of a
threat.

   +    Need to make cost-benefit trade-offs in using security
technology. Neither party can afford the resources to protect
against an arbitrary threat model.

   +    Strong preference for self-reliance (government
relying on government, industry relying on industry) to meet
security needs.

   +    Strong need for high security. Both government and
industry need strong cryptography with no limitations for
certain applications. However, the best technology and tools
are often reserved for government and military use because
commercial deployment cannot be adequately controlled,
resulting in opportunities for adversaries to obtain and
examine the systems so that they can plan how to exploit them.

   +    Increasing reliance on commercial products in many
domains (business, Third-World nations).

   +    Increasing scale and sophistication of the security
threat for businesses, which is now approaching that posed by
foreign intelligence services and foreign governments.

   +    Possibility that exceptional access to encrypted
information and data may become important to commercial
entities.

____________________________________________________________

      BOX 6.4 Differences in Commercial Security Needs
                 and National Security Needs

   +    Business wants market-driven cryptographic technology;
government is apprehensive about such technology. For example,
standards are a critical element of market-driven
cryptography. Market forces and the need to respond to rapidly
evolving dynamic new markets demand an approach to
establishing cryptographic standards; businesses want
standards for interoperability, and they want to create market
critical mass in order to lower the cost of cryptography.

   +    By its nature, the environment of business must
include potential adversaries within its security perimeter.
Commercial enterprises now realize that electronic delivery of
their products and services to their customers will increase.
They must design systems and processes explicitly so that
customers can enter into transactions with considerable ease.
Business strategies of today empower the customer through
software and technology. Enterprise networks have value in
allowing the maximum number of people to be attached to the
network. Customers will choose which enterprise to enter in
order to engage in electronic commerce, and making it
difficult for the customer will result in loss of business.
But adversaries masquerading as customers (or who indeed may
be customers themselves) can enter as well. By contrast, the
traditional national security model keeps potential
adversaries outside the security perimeter, allowing access
only to those with a real need. However, to the extent that
U.S. military forces work in collaboration with forces of
other nations, the security perimeter for the military may
also become similarly blurred.

   +    Business paradigms value teamwork, openness, trust,
empowerment, and speed. Such values are often difficult to
sustain in the national security establishment. The cultures
of the two worlds are different and are reflected in, for
example, the unwillingness of business to use multilevel
security systems designed for military use. Such systems
failed the market test, although they met Defense Department
criteria for security.

   +    National security resources (personnel with
cryptographic expertise, funding) are much larger than the
resources in nondefense government sectors and in private
industry and universities. As a result, a great deal of
cryptographic knowledge resides within the world of national
security. Industry wants access to this knowledge to ensure
appropriate use of protocols and strong algorithms, and
development of innovative new products and services.

   +    National security places considerable emphasis on
confidentiality as well as on authentication and integrity.
Today's commercial enterprises stress authentication of users
and data integrity much more than they stress confidentiality
(although this balance may shift in the future). For example,
improperly denying a junior military officer access to a
computer facility may not be particularly important in a
military context, whereas improperly denying a customer access
to his bank account because of a faulty authentication can
pose enormous problems for the bank.

   +    While both businesses and national security
authorities have an interest in safeguarding secrets, the
tools available to businesses to discourage individuals from
disclosing secrets (generally civil suits) are less stringent
than those available to national security authorities
(criminal prosecution).

____________________________________________________________

[End Chapter 6]







