[Head note all pages: May 30, 1996, Prepublication Copy
Subject to Further Editorial Correction]


                              8

          Synthesis, Findings, and Recommendations



                 8.1 SYNTHESIS AND FINDINGS

   In an age of explosive worldwide growth of electronic data
storage and communications, many vital national interests
require the effective protection of information. Especially
when used in coordination with other tools for information
security, cryptography in all of its applications, including
data confidentiality, data integrity, and user authentication,
is a most powerful tool for protecting information.


       8.1.1 The Problem of Information Vulnerability

   Because digital representations of large volumes of
information are increasingly pervasive, both the benefits and
the risks of digital representation have increased. The
benefits are generally apparent to users of information
technology -- larger amounts of information, used more
effectively and acquired more quickly, can increase the
efficiency with which businesses operate, open up entirely new
business opportunities, and play an important role in the
quality of life for individuals.

   The risks are far less obvious. As discussed in Chapter 1,
one of the most significant risks of a digital information age
is the potential vulnerability of important information as it
is communicated and stored. When information is transmitted in
computer-readable form, it is highly vulnerable to
unauthorized disclosure or alteration:

   +    Many communications are carried over channels (e.g.,
satellites, cellular telephones, and local area networks) that
are easily tapped. Tapping wireless channels is almost
impossible to detect and to stop, and tapping local area
networks may be very hard to detect or stop as well. Other
electronic communications are conducted through data networks
that can be easily penetrated (e.g., the Internet).

   +    Approximately 10 billion words of information in
computer-readable form can be scanned for $1 today (as
discussed in Chapter 1), allowing intruders, the malicious, or
spies to separate the wheat from the chaff very inexpensively.
For example, a skilled person with criminal intentions can
easily develop a program that recognizes and records all
credit card numbers in a stream of unencrypted data
traffic.(1) The decreasing cost of computation will reduce
even further the costs involved in such search.

   +    Many users do not know about their vulnerabilities to
the theft or compromise of information; in some instances,
they are ignorant of or even complacent about them. Indeed,
the insecurity of computer networks today is much more the
result of poor operational practices on the part of users and
poor implementations of technology on the part of product
developers than of an inadequate technology base or a poor
scientific understanding.

   In the early days of computing, the problems caused by
information vulnerability were primarily the result of
relatively innocent trespasses of amateur computer hackers who
were motivated mostly by technical curiosity. But this is true
no longer, and has not been true for some time. The fact that
the nation is moving into an information age on a large scale
means that a much larger number of people are likely to have
strong financial, political, or economic motivations to
exploit information vulnerabilities that still exist. For
example, electronic interceptions and other technical
operations account for the largest portion of economic and
industrial information lost by U.S. corporations to foreign
parties, as noted in Chapter 1.

   Today, the consequences of large-scale information
vulnerability are potentially quite serious:

   +    U.S. business, governmental, and individual
communications are targets or potential targets for
intelligence organizations of foreign governments,
competitors, vandals, suppliers, customers, and organized
crime. Businesses send through electronic channels
considerable amounts of confidential infommation, including
items such as project and merger proposals, trade secrets,
bidding infommation, corporate strategies for expansion in
critical markets, research and development information
relevant to cost reduction or new products, product
specifications, and expected delivery dates. Most importantly,
U.S. businesses must compete on a worldwide basis.
Intemational exposure increases the vulnerability to
compromise of sensitive infommation. Helping to defend U.S.
business interests against such compromises of information is
an important function of law enforcement.

   +    American values such as personal rights to privacy are
at stake. Private citizens may conduct sensitive financial
transactions electronically or by telephone. Data on their
medical histories, including mental illnesses, addictions,
sexually transmitted diseases, and personal health habits, are
compiled in the course of providing medical care. Driving
records, spending pattems, credit histories, and other
financial infommation are available from multiple sources. All
such information warrants protection.

   +    The ability of private citizens to function in an
information economy is at risk. Even today, individuals suffer
as criminals take over their identities and run up huge credit
card bills in their name. Toll fraud on cellular telephones is
so large that some cellular providers have simply terminated
international connections in the areas that they serve.
Inaccuracies as the result of incorrectly posted information
ruin the credit records of some individuals. Protecting
individuals against such problems warrants public concern and
is again an area in which law enforcement and other government
authorities have a role to play.

   +    The federal government has an important stake in
assuring that its important and sensitive political, economic,
law enforcement, and military information, both classified and
unclassified, is protected from misuse by foreign governments
or other parties whose interests are hostile to those of the
United States.

   +    Elements of the U.S. civilian infrastructure such as
the banking system, the electric power grid, the public
switched telecommunications network (PSTN), and the air
traffic control system are central to so many dimensions of
modern life that protecting these elements must have a high
priority. Defending these assets against information warfare
and crimes of theft, misappropriation, and misuse potentially
conducted by hostile nations, terrorists, criminals, and
electronic vandals is a matter of national security and will
require high levels of information protection and strong
security safeguards.

----------

   (1)  The feasibility of designing a program to recognize
text strings that represent credit card numbers has been
demonstrated most recently by the First Virtual Corporation.
See press release of February 7, 1996, "First Virtual Holdings
Identifies Major Flaw in Software-Based Encryption of Credit
Cards; Numbers Easily Captured by Automated Program", First
Virtual Corporation, San Diego, California. Available from
http://www.fv.com/gabletxt/release2_7_96.html.

____________________________________________________________


              8.1.2 Cryptographic Solutions to
                 Information Vulnerabilities

   Cryptography does not solve all problems of information
security; for example, cryptography cannot prevent a party
authorized to view information from improperly disclosing that
information. Although it is not a silver bullet that can stand
by itself, cryptography is a powerful tool that can be used to
protect information stored and communicated in digital form:
cryptography can help to assure confidentiality of data, to
detect unauthorized alterations in data and thereby help to
maintain its integrity, and to authenticate the asserted
identity of an individual or a computer system (Chapter 2).
Used in conjunction with other information security measures,
cryptography has considerable value in helping law-abiding
citizens, businesses, and the nation as a whole defend their
legitimate interests against information crimes and threats
such as fraud, electronic vandalism, the improper disclosure
of national security information, or information warfare.

   Modern cryptographic techniques used for confidentiality
make it possible to develop and implement ciphers that are for
all practical purposes impossible for unauthorized parties to
penetrate but that still make good economic sense to use.

   +    Strong encryption is economically feasible today. For
example, many integrated circuit chips that would be used in
a computer or communications device can inexpensively
accommodate the extra elements needed to implement the DES
encryption algorithm. If implemented in software, the cost is
equally low, or even lower.

   +    Public-key cryptography can help to eliminate the
expense of using couriers, registered mail, or other secure
means for exchanging keys. Compared to a physical
infrastructure for key exchange, an electronic infrastructure
based on public-key cryptography to exchange keys will be
faster and more able to facilitate secure communications
between parties that have never interacted directly with each
other prior to the first communication. Public-key
cryptography also enables the implementation of the digital
equivalent of a written signature, enabling safer electronic
commerce.

   +    Encryption can be integrated by vendors into end-user
applications and hardware for the benefit of the large
majority of users who do not have the technical skill to
perform their own integration. Encryption can also be made
automatic and transparent in ways that require no extra action
on the part of the user, thus ensuring that cryptographic
protection will be present regardless of user complacency or
ignorance.


       8.1.3 The Policy Dilemma Posed by Cryptography

   The confidentiality of information that cryptography can
provide is useful not only for the legitimate purposes of
preventing information crimes (e.g., the theft of trade
secrets or unauthorized disclosure of sensitive medical
records) but also for illegitimate purposes (e.g., shielding
from law enforcement officials a conversation between two
terrorists planning to bomb a building). Although strong,
automatic encryption implemented as an integral part of data
processing and communications provides confidentiality for
"good guys" against "bad guys" (e.g., U.S. business protecting
information against economic intelligence efforts of foreign
nations), it unfortunately also protects "bad guys" against
"good guys" (e.g., terrorists evading law enforcement
agencies). Under appropriate legal authorization such as a
court order, law enforcement authorities may gain access to
"bad guy" information for the purpose of investigating and
prosecuting criminal activity. Similarly, intelligence
gathering for national security and foreign policy purposes
depends on having access to information of foreign governments
and other foreign entities. (See Chapter 3.) Because such
activities benefit our society as a whole (e.g., by limiting
organized crime and terrorist activities), "bad guy" use of
cryptography used for confidentiality poses a problem for
society as a whole, not just for law enforcement and national
security personnel.

   Considered in these terms, it is clear that the development
and widespread deployment of cryptography that can be used to
deny government access to information represents a challenge
to the balance of power between the government and the
individual. Historically, all governments, under circumstances
that further the common good, have asserted the right to
compromise the privacy of individuals (e.g., through opening
mail, tapping telephone calls, inspecting bank records);
unbreakable cryptography for confidentiality provides the
individual with the ability to frustrate assertions of that
right.

   The confidentiality that cryptography can provide thus
creates conflicts. Nevertheless, all of the stakes described
above -- privacy for individuals, protection of sensitive or
proprietary information for businesses and other organizations
in the prevention of information crimes, ensuring the
continuing reliability and integrity of nationally critical
information systems and networks, law enforcement access to
stored and communicated information for purposes of
investigating and prosecuting crime, and national security
access to information stored or communicated by foreign powers
or other entities and organizations whose interests and
intentions are relevant to the national security and the
foreign policy interests of the United States -- are
legitimate. Informed public discussion of the issues must
begin by acknowledging the legitimacy of both information
security for law-abiding individuals and businesses and
information gathering for law enforcement and national
security purposes.

   A major difficulty clouding the public policy debate
regarding cryptography has been that certain elements have
been removed from public view due to security classification.
However, for reasons noted in the preface, the cleared members
of the committee (13 of its 16 members) concluded that the
debate over national cryptography policy can be carried out in
a reasonable manner on an unclassified basis. Although many of
the details relevant to policy makers are necessarily
classified, these details are not central to making policy
arguments one way or the other. Classified material, while
important to operational matters in specific cases, is not
essential to the big picture of why policy has the shape and
texture that it does today nor to the general outline of how
technology will, and policy should, evolve in the future.

   To manage the policy dilemma created by cryptography, the
United States has used a number of tools to balance the
interests described above. For many years, concern over
foreign threats to national security has been the primary
driver of a national cryptography policy that has sought to
maximize the protection of U.S. military and diplomatic
communications while denying the confidentiality benefits of
cryptography to foreign adversaries through the use of
controls on the export of cryptographic technologies,
products, and related technical information (Chapter 4). More
recently, the U.S. government has aggressively promoted
escrowed encryption as the technical foundation for national
cryptography policy, both to serve domestic interests in
providing strong protection for legitimate uses while enabling
legally authorized access by law enforcement officials when
warranted and also as the basis for more liberal export
controls on cryptography (Chapter 5).

   Both escrowed encryption and export controls have generated
considerable controversy. Escrowed encryption has been
controversial because its promotion by the U.S. government
appears to some important constituencies to assert the primacy
of information access needs of law enforcement and national
security over the information security needs of businesses and
individuals. Export controls on cryptography have been
controversial because they pit the interests of U.S. vendors
and some U.S multinational corporations against some of the
needs of national security.


             8.1.4 National Cryptography Policy
                   for the Information Age

   In a world of ubiquitous computing and communications, a
concerted effort to protect the information assets of the
United States is critical. While cryptography is only one
element of a comprehensive approach to information security,
it is nevertheless an essential element. Given the committee's
basic charge to focus on national cryptography policy rather
than national policy for information security, the essence of
the committee's basic conclusion about policy is summarized by
the following principle:

   *Basic Principle: U.S. national policy should be changed to
support the broad use of cryptography in ways that take into
account competing U.S. needs and desires for individual
privacy, international economic competitiveness, law
enforcement, national security, and world leadership.*

   In practice, this principle suggests three basic objectives
for national cryptography policy:

   *1. Broad availability of cryptography to all legitimate
elements of U.S. society.* Cryptography supports the
confidentiality and integrity of digitally represented
information (e.g., computer data, software, video) and the
authentication of individuals and computer systems
communicating with other computer systems; these capabilities
are important in varying degrees to protecting the information
security interests of many different private and public
stakeholders, including law enforcement and national security.
Furthermore, cryptography can help to support law enforcement
objectives in preventing information crimes such as economic
espionage.

   *2. Continued economic growth and leadership of key U.S.
industries and businesses in an increasingly global economy,
including but not limited to U.S. computer, software, and
communications companies.* Such leadership is an integral
element of national security. U.S. companies in information
technology today have undeniable strengths in foreign markets,
but current national cryptography policy threatens to erode
these advantages. The largest economic opportunities for U.S.
firms in all industries lie in using cryptography to support
their critical domestic and international business activities,
including international, intrafirm and interfirm
communications with strategic partners, cooperative efforts
with foreign collaborators and researchers in joint business
ventures, and real-time connections to suppliers and
customers, rather than in selling information technology
(Chapter 4).

   *3. Public safety and protection against foreign and
domestic threats.* Insofar as possible, communications and
stored information of foreign parties whose interests are
hostile to those of the United States should be accessible to
U.S. intelligence agencies. Similarly, the communications and
stored information of criminal elements that are a part of
U.S. and global society should be available to law enforcement
authorities as authorized by law (Chapter 3).

   Objectives 1 and 2 argue for a policy that actively
promotes the use of strong cryptography on a broad front and
that places few restrictions on the use of cryptography.
Objective 3 argues that some kind of government role in the
deployment and use of cryptography may continue to be
necessary for public safety and national security reasons. The
committee believes that these three objectives can be met
within a framework recognizing that *on balance, the
advantages of more widespread use of cryptography outweigh the
disadvantages*.

   The committee concluded that cryptography is one important
tool for protecting information and that it is very difficult
for governments to control; it thus believes that the
widespread nongovernment use of cryptography in the United
States and abroad is inevitable in the long run. Cryptography
is important because when it is combined with other measures
to enhance information security, it gives end users
significant control over their information destinies. Even
though export controls have had a nontrivial impact on the
worldwide spread of cryptography in previous years, over the
long term cryptography is difficult to control because the
relevant technology diffuses readily through national
boundaries; export controls can inhibit the diffusion of
products with encryption capabilities but cannot contain the
diffusion of knowledge (Chapter 4). The spread of cryptography
is inevitable because in the information age the security of
information will be as important in all countries as other
attributes valued today, such as the reliability and ubiquity
of information.

   Given the inevitability that cryptography will become
widely available, policy that manages how cryptography becomes
available can help to mitigate the deleterious consequences of
such availability. Indeed, governments often impose
regulations on various types of technology that have an impact
on the public safety and welfare, and cryptography may well
fall into this category. National policy can have an important
effect on the rate and nature of the transition from today's
world to that of the long-term future. Still, given the
importance of cryptography to a more secure information future
and its consequent importance to various dimensions of
economic prosperity, policy actions that inhibit the use of
cryptography should be scrutinized with special care.

   The committee's policy recommendations are intended to
facilitate a judicious transition between today's world of
high information vulnerability and a future world of greater
information security, while to the extent possible meeting
government's legitimate needs for information gathering for
law enforcement, national security, and foreign policy
purposes. National cryptography policy should be expected to
evolve over time in response to events driven by an era of
rapid political, technological, and economic change.

   The committee recognizes that national cryptography policy
is intended to address only certain aspects of a much larger
information security problem faced by citizens, businesses,
and government. Nevertheless, the committee found that
*current national policy is not adequate to support the
information security requirements of an information society*.
Cryptography is an important dimension of information
security, but current policy discourages the use of this
important tool in both intentional and unintentional ways, as
described in Chapters 4 and 6. For example, through the use of
export controls, national policy has explicitly sought to
limit the use of encryption abroad but has also had the effect
of reducing the domestic availability of products with strong
encryption capabilities to businesses and other users.
Furthermore, government action that discourages the use of
cryptography contrasts sharply with national policy and
technological and commercial trends in other aspects of
information technology. Amidst enormous changes in the
technological environment in the past 20 years, today the
federal government actively pursues its vision of a national
information infrastructure, and the use of computer and
communications technology by private parties is growing
rapidly.

   The committee believes that a mismatch between the speed at
which the policy process moves and the speed with which new
products develop has had a profound impact on the development
of the consensus necessary with respect to cryptography policy
(Chapters 4 and 6). This mismatch has a negative impact on
both users and vendors. For example, both are affected by an
export control regime that sometimes requires many months or
even years to make case-by-case decisions on export licensing,
while high-value sales to these users involving integrated
products with encryption capabilities can be negotiated and
consummated on a time scale of days or weeks. Since the basic
knowledge underlying cryptography is well known, cryptographic
functionality can be implemented into new products on the time
scale of new releases of products (several months to a year).
Both users and vendors are affected by the fact that
significant changes in the export control regulations
governing cryptography have not occurred for 4 years (since
1992) at a time when needs for information security are
growing, a period that could have accommodated several product
cycles. Promulgation of cryptographic standards not based on
commercial acceptability (e.g., the Escrowed Encryption
Standard (FIPS 185), the Digital Signature Standard (FIPS
180-1)) raised significant industry opposition (from both
vendors and users) and led to controversy and significant
delays in or outright resistance to commercial adoption of
these standards.

   These examples suggest that the time scales on which
cryptography policy is made and is operationally implemented
are incompatible with the time scales of the marketplace. A
more rapid and market-responsive decision-making process would
leverage the strengths of U.S. businesses in the international
marketplace before significant foreign competition develops.
As is illustrated by the shift in market position from IBM to
Microsoft in the 1980s, the time scale on which significant
competition can arise is short indeed.

   Attempts to promote a policy regime that runs against
prevailing commercial needs, practice, and preference may
ultimately result in a degree of harm to law enforcement and
national security interests far greater than what would have
occurred if a more moderate regime had been promoted in the
first place. The reason is that proposed policy regimes that
attempt to impose market-unfriendly solutions will inevitably
lead to resistance and delay; whether desirable or not, this
is a political reality. Responsible domestic businesses,
vendors, and end users are willing to make some accommodations
to U.S. national interests in law enforcement and national
security, but cannot be expected to do so willingly when those
accommodations are far out of line with the needs of the
market. Such vendors and users are likely to try to move ahead
on their own -- and quickly so -- if they believe that
government requirements are not reasonable. Moreover, foreign
vendors may well attempt to step into the vacuum. The bottom
line is that the U.S. government may have only a relatively
small window of time in which to influence the deployment of
cryptography worldwide.

   The committee also notes that the public debate has tended
to draw lines that divide the policy issues in an overly
simplistic manner, i.e., setting the privacy of individuals
and businesses against the needs of national security and law
enforcement. As observed above, such a dichotomy does have a
kernel of truth. But viewed in the large, the dichotomy as
posed is misleading. If cryptography can protect the trade
secrets and proprietary information of businesses and thereby
reduce economic espionage (which it can), it also supports in
a most important manner the job of law enforcement. If
cryptography can help protect nationally critical information
systems and networks against unauthorized penetration (which
it can), it also supports the national security of the United
States. Framing national cryptography policy in this larger
context would help to reduce some of the polarization among
the relevant stakeholders.

   Finally, the national cryptography policy of the United
States is situated in an international context, and the
formulation and implementation of U.S. policy must take into
account international dimensions of the problem if U.S. policy
is to be successful. These international dimensions, discussed
in Chapter 6 and Appendix G, include the international scope
of business today; the possibility of significant foreign
competition in information technology; an array of foreign
controls on the export, import, and use of cryptography;
important similarities in the interests of the United States
and other nations in areas such as law enforcement and
antiterrorist activities; and important differences in other
areas such as the relationship between the government and the
governed.


                     8.2 RECOMMENDATIONS


   The recommendations below address several critical policy
areas. Each recommendation is cast in broad terms, with
specifically actionable items identified for each when
appropriate. In accordance with the committee's finding that
the broad picture of cryptography policy can be understood on
an unclassified basis, no findings or recommendations were
held back on the basis of classification, and this report is
unclassified in its entirety.

   *Recommendation 1: No law should bar the manufacture, sale,
or use of any form of encryption within the United States.*

   This recommendation is consistent with the position of the
Clinton Administration that legal prohibitions on the domestic
use of any kind of cryptography are inappropriate,(2) and the
committee endorses this aspect of the Administration's policy
position without reservation.

   For technical reasons described in Chapter 7, the committee
believes that a legislative ban on the use of unescrowed
encryption would be largely unenforceable. Products using
unescrowed encryption are in use today by millions of users,
and such products are available from many difficult-to-censor
Internet sites abroad. Users could pre-encrypt their data,
using whatever means were available, before their data were
accepted by an escrowed encryption device or system. Users
could store their data on remote computers, accessible through
the click of a mouse but otherwise unknown to anyone but the
data owner; such practices could occur quite legally even with
a ban on the use of unescrowed encryption. Knowledge of strong
encryption techniques is available from official U.S.
government publications and other sources worldwide, and
experts understanding how to use such knowledge might well be
in high demand from criminal elements. Even demonstrating that
a given communication or data file is "encrypted" may be
difficult to prove, as algorithms for data compression
illustrate. Such potential technical circumventions suggest
that even with a legislative ban on the use of unescrowed
cryptography, determined users could easily evade the
enforcement of such a law.

   In addition, a number of constitutional issues, especially
those related to free speech, would be almost certain to
arise. Insofar as a ban on the use of unescrowed encryption
would be treated (for constitutional purposes) as a limitation
on the "content" of communications, the government would have
to come forward with a compelling state interest to justify
the ban. These various considerations are difficult, and in
some cases impossible, to estimate in advance of particular
legislation as applied to a specific case, but the First
Amendment issues likely to arise with a ban on the use of
unescrowed encryption are not trivial. In addition, many
people believe with considerable passion that government
restrictions on the domestic use of cryptography would
threaten basic American values such as the right to privacy
and free speech. Even if the constitutional issues could be
resolved in favor of some type of ban on the use of unescrowed
encryption, these passions would surely result in a political
controversy that could divide the nation and at the very least
impede progress on the way to the full use of the nation's
information infrastructure.

   Finally, a ban on the use of any form of encryption would
directly challenge the principle that users should be
responsible for assessing and determining their own approaches
to meeting their security needs. This principle is explored in
greater detail in Recommendation 3.

----------

   (2)  For example, see *Questions and Answers About the
Clinton Administration's Encryption Policy*, Fehruary 4, 1994.
Reprinted in David sanisar (ed.), *1994 Cryptography and
Privacy Sourcebook*, Electronic Privacy Information center,
Washington, D.C., 1994.

____________________________________________________________


   *Recommendation 2: National cryptography policy should be
developed by the executive and legislative branches on the
basis of open public discussion and governed by the rule of
law.*

   In policy areas that have a direct impact on large segments
of the population, history demonstrates that the invocation of
official government secrecy often leads to public distrust and
resistance. Such a result is even more likely where many
members of society are deeply skeptical about government.

   Cryptography policy set in the current social climate is a
case in point. When cryptography was relevant mostly to
government interests in diplomacy and national security,
government secrecy was both necessary and appropriate. But in
an era in which cryptography plays an important role in
protecting information in all walks of life, public consensus
and government secrecy related to information security in the
private sector are largely incompatible. If a broadly
acceptable social consensus that satisfies the interests of
all legitimate stakeholders is to be found regarding the
nation's cryptographic future, a national discussion of the
issue must occur.

   The nation's best forum for considering multiple views
across the entire spectrum is the U.S. Congress, and only
comprehensive Congressional deliberation and discussion
conducted in the open can generate the public acceptance that
is necessary for policy in this area to succeed. In turn, a
consensus derived from such deliberations, backed by explicit
legislation when necessary, will lead to greater degrees of
public acceptance and trust, a more certain planning
environment, and better connections between policy makers and
the private sector on which the nation's economy and social
fabric rest. For these reasons, congressional involvement in
the debate over cryptography policy is an asset rather than a
liability. Moreover, some aspects of cryptography policy will
require legislation if they are to be properly implemented (as
discussed under Recommendation 5.3).

   This argument does not suggest that there are no legitimate
secrets in this area. However, in accordance with the
committee's conclusion that the broad outlines of national
cryptography policy can be analyzed on an unclassified basis,
the committee believes that the U.S. Congress can also debate
the fundamental issues in the open. Nor is the committee
arguing that *all* aspects of policy should be handled in
Congress. The executive branch is necessarily an important
player in the formulation of national cryptography policy, and
of course it must *implement* policy. Moreover, while working
with the Congress, the executive branch must develop a
coherent voice on the matter of cryptography policy -- one
that it does not currently have -- and establish a process
that is efficient, comprehensive, and decisive in bringing
together and rationalizing many disparate agency views and
interests.

   Instances in which legislation may be needed are found in
Recommendations 4, 5, and 6.


   *Recommendation 3: National cryptography policy affecting
the development and use of commercial cryptography should be
more closely aligned with market forces.*

   As cryptography has assumed greater importance to
nongovernment interests, national cryptography policy has
become increasingly disconnected from market reality and the
needs of parties in the private sector. As in many other
areas, national policy on cryptography that runs counter to
user needs and against market forces is unlikely to be
successful over the long term. User needs will determine the
large-scale demand for information security, and policy should
seek to exploit the advantages of market forces whenever and
wherever possible. Indeed, many decades of experience with
technology deployment suggest that reliance on user choices
and market forces is generally the most rapid and effective
way to promote the widespread utilization of any new and
useful technology. Since the committee believes that the
widespread deployment and use of cryptography will be in the
national interest, it believes that national cryptography
policy should align itself with user needs and market forces
to the maximum feasible extent.

   The committee recognizes that considerations of public
safety and national security make it undesirable to maintain
an entirely laissez-faire approach to national cryptography
policy. But it believes that government intervention in the
market should be carefully tailored to specific circumstances.
The committee describes a set of appropriate government
interventions in Recommendations 4, 5, and 6.

   A national cryptography policy that is aligned with market
forces would emphasize the freedom of domestic users to
determine cryptographic functionality, protection, and
implementations according to their security needs as they see
fit. Innovation in technologies such as escrowed encryption
would be examined by customers for their business fitness of
purpose. Diverse user needs would be accommodated; some users
will find it useful to adopt some form of escrowed encryption
to ensure their access to encrypted data, while others will
find that the risks of escrowed encryption (e.g., the dangers
of compromising sensitive information through a failure of the
escrowing system) are not worth the benefits (e.g., the
ability to access encrypted data to which keys have been lost
or corrupted). Since no single cryptographic solution or
approach will fit the business needs of all users, users will
be free to make their own assessments and judgments about the
products they wish to use. Such a policy would permit, indeed
encourage, vendors to implement and customers to use products
that have been developed within an already-existing framework
of generally accepted encryption methods and to choose key
sizes and management techniques without restriction.

   Standards are another dimension of national cryptography
policy with a significant impact on commercial cryptography
and the market (Chapter 6). Cryptographic standards that are
inconsistent with prevailing or emerging industry practice are
likely to encounter significant market resistance. Thus, to
the maximum extent possible, national cryptography policy that
is more closely aligned with market forces should encourage
adoption by the federal government and private parties of
cryptographic standards that are consistent with prevailing
industry practice.

   Finally, users in the private sector need confidence that
products with cryptographic functionality will indeed perform
as advertised. To the maximum degree possible, national
cryptography policy should support the use of algorithms,
product designs, and product implementations that are open to
public scrutiny. Information security mechanisms for
widespread use that depend on a secret algorithm or a secret
implementation invite a loss of public confidence, because
they do not allow open testing of the security, they increase
the cost of hardware implementations, and they may prevent the
use of software implementations as described below. Technical
work in cryptography conducted in the open can expose flaws
through peer review and assure the private sector user
community about the quality and integrity of the work
underlying its cryptographic protection (Chapter 5).

   Government classification of algorithms and product
implementations clearly inhibits public scrutiny, and for the
nongovernment sector, government classification in
cryptography is incompatible with most commercial and business
interests in information security. Moreover, the use of
classified algorithms largely precludes the use of software
solutions, since it is impossible to prevent a determined and
technically sophisticated opponent from reverse-engineering an
algorithm implemented in software. A similar argument applies
to unclassified company-proprietary algorithms and product
designs, although the concerns that arise with classified
algorithms and implementations are mitigated somewhat by the
fact that it is often easier for individuals to enter into the
nondisclosure agreements necessary to inspect proprietary
algorithms and product designs than to obtain U.S. government
security clearances. Legally mandated security requirements to
protect classified information also add to costs in a way that
protection of company-proprietary information does not.


   *Recommendation 4: Export controls on cryptography should
be progressively relaxed but not eliminated.*

   For many years, the United States has controlled the export
of cryptographic technologies, products, and related technical
information as munitions (on the U.S. Munitions List (USML)
administered by the State Department). These controls have
been used to deny potential adversaries access to U.S.
encryption technology that might reveal important
characteristics of U.S. information security products and/or
be used to thwart U.S. attempts at collecting signals
intelligence information. To date, these controls have been
reasonably effective in containing the export of U.S.
hardware-based products with encryption capabilities (Chapter
4). However, software-based products with encryption
capabilities and cryptographic algorithms present a more
difficult challenge because they can more easily bypass
controls and be transmitted across national borders. In the
long term, as the use of encryption grows worldwide, it is
probable that national capability to conduct traditional
signals intelligence against foreign parties will be
diminished (as discussed in Chapter 3).

   The current export control regime on strong cryptography is
an increasing impediment to the information security efforts
of U.S. firms competing and operating in world markets,
developing strategic alliances internationally, and forming
closer ties with foreign customers and suppliers. Some
businesses rely on global networks to tie together branch
offices and service centers across international boundaries.
Other businesses are moving from a concept of operations that
relies on high degrees of vertical integration to one that
relies on the "outsourcing" of many business functions and
activities. Consistent with rising emphasis on the
international dimensions of business (for both business
operations and markets), many U.S. companies must exchange
important and sensitive information with an often-changing
array of foreign partners, customers, and suppliers. Under
such circumstances, the stronger level of cryptographic
protection available in the United States is not meaningful
when an adversary can simply attack the protected information
through foreign channels.

   Export controls also have had the effect of reducing the
domestic availability of products with strong encryption
capabilities. As noted in Chapter 4, the need for U.S. vendors
(especially software vendors) to market their products to an
international audience leads many of them to weaken the
encryption capabilities of products available to the domestic
market, even though no statutory restrictions are imposed on
that market. Thus, domestic users face a more limited range of
options for strong encryption than they would in the absence
of export controls.

   Looking to the future, both U.S. and foreign companies have
the technical capability to integrate high-quality
cryptographic features into their products and services. As
demand for products with encryption capabilities grows
worldwide, foreign competition could emerge at a level
significant enough to damage the present U.S. world leadership
in this critical industry. Today, U.S. information technology
products are widely used in foreign markets because foreign
customers find the package of features offered by those
products to be superior to packages available from other
non-U.S. vendors, even though encryption capabilities of U.S.
products sold abroad are known to be relatively weak. However,
for growing numbers of foreign customers with high security
needs, the incremental advantage of superior nonencryption
features offered by U.S. products may not be adequate to
offset perceived deficiencies in encryption capability. Under
such circumstances, foreign customers may well turn to
non-U.S. sources that offer significantly better encryption
capabilities in their products.

   Overly restrictive export controls thus increase the
likelihood that significant foreign competition will step into
a vacuum left by the inability of U.S. vendors to fill a
demand for stronger encryption capabilities integrated into
general-purpose products. The emergence of significant foreign
competition for the U.S. information technology industry has
a number of possible long-term negative effects on U.S.
national and economic security that policy makers would have
to weigh against the contribution these controls have made to
date in facilitating the collection of signals intelligence in
support of U.S. national security interests (a contribution
that will probably decline over time). Stimulating the growth
of important foreign competitors would undermine a number of
important national interests:

   +    *The national economic interest*, which is supported
by continuing and even expanding U.S. world leadership in
information technology supports. Today, U.S. information
technology vendors have a window of opportunity to set
important standards and deploy an installed base of technology
worldwide, an opportunity that should be exploited to the
maximum degree possible. Conversely, strong foreign
competition would not be in the U.S. economic self-interest.

   +    *Traditional national security interests*, which are
supported by leadership by U.S. vendors in supplying products
with encryption capabilities to the world market. For example,
it is desirable for the U.S. government to keep abreast of the
current state of commercially deployed encryption technology,
a task that is much more difficult to accomplish when the
primary suppliers of such technology are foreign vendors
rather than U.S. vendors.

   +    *U.S. business needs for trustworthy information
protection*, which are supported by U.S. encryption products.
Foreign vendors could be influenced by their governments to
offer for sale to U.S. firms products with weak or poorly
implemented cryptography. If these vendors were to gain
significant market share, the information security of U.S.
firms could be adversely affected.

   +    *Influence over the deployment of cryptography
abroad*, which is supported by the significant impact of U.S.
export controls on cryptography as the result of the strength
of the U.S. information technology industry abroad. To the
extent that the products of foreign competitors are available
on the world market, the United States loses influence over
cryptography deployments worldwide.

   The committee believes that the importance of the U.S.
information technology industry to U.S. economic interests and
national security is large enough that some prudent risks can
be taken to hedge against the potential damage to that
industry, and some relaxation of export controls on
cryptography is warranted. In the long term, U.S. signals
intelligence capability is likely to decrease in any case.
Consequently, the committee believes that the benefits of
relaxation -- namely helping to promote better information
security for U.S. companies operating internationally and to
extend U.S. leadership in this critical industry -- are worth
the short-term risk that the greater availability of U.S.
products with stronger encryption capabilities will further
impede U.S. signals intelligence capability.

   Relaxation of export controls on cryptography is consistent
with the basic principle of encouraging the use of
cryptography in an information society for several reasons.
First, relaxation would encourage the use of cryptography by
creating an environment in which U.S. and multinational firms
and users are able to use the same security products in the
United States and abroad and thus to help promote better
information security for U.S. firms operating internationally.
Second, it would increase the availability of good
cryptography products in the United States. Third, it would
expand U.S. business opportunities overseas for information
technology sales incorporating stronger cryptography for
confidentiality by allowing U.S. vendors to compete with
foreign vendors on a more equal footing, thereby helping to
maintain U.S. leadership in fields critical to national
security and economic competitiveness (as described in Chapter
4).

   Some of these thoughts are not new. For example, in
referring to a decision to relax export controls on computer
exports, then-Deputy Secretary of Defense William Perry said
that "however much we want to control [computers] that are
likely to be available on retail mass markets, it will be
impractical to control them," and that "we have to recognize
we don't have any ability to control computers which are
available on the mass retail market from non-COCOM
countries."(3) He further noted that the U.S. government can
no longer "set the standards and specifications of computers.
They're going to be set in the commercial industry, and our
job is to adapt to those if we want to stay current in the
latest computer technology." The committee believes that
exports of information technology products with encryption
capabilities are not qualitatively different.

   At the same time, cryptography is inherently dual-use in
character (more so than most other items on the USML), with
important applications to both civilian and military purposes.
While this fact suggests to some that the export of all
cryptography should be regulated under the Commerce Control
List (CCL), the fact remains that cryptography is a
particularly critical military application for which few
technical alternatives are available. The USML is designed to
regulate technologies with such applications for reasons of
national security (as described in Chapters 3 and 4), and thus
the committee concluded that the current export control regime
on cryptography should be relaxed but not eliminated. The
committee believes that this action would have two major
consequences:

   +    Relaxation will achieve a better balance between U.S.
economic needs and the needs of law enforcement and national
security.

   +    Retention of some controls will mitigate the loss to
U.S. national security interests in the short term, allow the
United States to evaluate the impact of relaxation on national
security interests before making further changes, and "buy
time" for U.S. national security authorities to adjust to a
new technical reality.

   Consistent with Recommendation 3, the committee believes
that the export control regime for cryptography should be
better aligned with technological and market trends worldwide.
Recommendations 4.1 and 4.2 below reflect the committee's
judgments about how the present export control regime should
be relaxed expeditiously. However, it should be noted that
some explicit relaxations in the export control regime have
occurred over the last 15 years (see Chapter 4), although not
to an extent that has fully satisfied vendor interests in
liberalization. For example, under current export rules, the
USML governs the export of software applications without
cryptographic capabilities per se if they are designed with
"hooks" that would, among other things, make it easy to
interface a foreign-supplied, stand-alone cryptography module
to the application (turning it into an integrated product with
encryption capability so far as the user is concerned).
However, the U.S. government set a precedent in 1995 by
placing on the CCL the software product of a major vendor that
incorporates a cryptographic applications programming
interface (CAPI; as described in Chapter 7 and Appendix K).

   Recommendation 4.3 is intended to provide for other
important changes in the export control regime that would help
to close the profound gap described in Chapter 4 regarding the
perceptions of national security authorities vis-a-vis those
of the private sector, including both technology vendors and
users of cryptography; such changes would reduce uncertainty
about the export control licensing process and eliminate
unnecessary friction between the export control regime and
those affected by it.

   Recommendations 4.1 and 4.2 describe changes to the current
export control regime, and unless stated explicitly, leave
current regulations and proposals in place. However, the
committee believes that certain features of the current regime
are sufficiently desirable to warrant special attention here.
Specifically,

   +    Certain products with encryption capabilities are
subject to a more liberal export control regime by virtue of
being placed on the CCL rather than the USML; these products
include those providing cryptographic confidentiality that are
specially designed, developed, or modified for use in machines
for banking or money transactions and are restricted to use
only in such transactions; and products that are limited in
cryptographic functionality to providing capabilities for user
authentication, access control, and data integrity without
capabilities for confidentiality. Any change to the export
control regime for cryptography should maintain at least this
current treatment for these types of products.

   +    Since items on the CCL by definition have potential
military uses, they are subject to trade embargoes against
rogue nations. Thus, even products with encryption
capabilities that are on the CCL require individual licenses
and specific U.S. government approval if they are intended for
use by a rogue destination. Furthermore, U.S. vendors are
prohibited from exporting such products even to friendly
nations if they know that those products will be re-exported
to rogue nations. Maintaining the embargo of products with
encryption capabilities against rogue nations supports the
U.S. national interest and should not be relaxed now or in the
future.

   Finally, the committee notes that relaxation of export
controls is only the first step on the road to greater use of
cryptography around the world. As described in Chapter 6 and
Appendix G, foreign nations are sovereign entities with the
power and authority to apply import controls on products with
encryption capabilities. It is thus reasonable to consider
that a relaxation of U.S. export controls on cryptography may
well prompt other nations to consider import controls; in such
a case, U.S. vendors may be faced with the need to develop
products with encryption capabilities on a nation-by-nation
basis. Anticipating such eventualities as well as potential
markets for escrowed encryption in both the United States and
abroad, vendors may wish to develop families of "escrowable"
products (as discussed in Chapter 7) that could easily be
adapted to the requirements of various nations regarding key
escrow; however, none of the three recommendations below, 4.1
through 4.3, is conditioned on such development.

----------

   (3)  William J. Perry, deputy secretary of defense,
"Breakfast with Reporters, Friday, October 15, 1993, on
Computer Exports," transcript of an on-the-record briefing.

____________________________________________________________


   *Recommendation 4.1 -- Products providing confidentiality
at a level that meets most general commercial requirements
should be easily exportable.(4) Today, products with
encryption capabilities that incorporate the 56-bit DES
algorithm provide this level of confldentiality and should be
easily exportable.*

   A collateral requirement for products covered under
Recommendation 4.1 is that a product would have to be designed
so as to preclude its repeated use to increase confidentiality
beyond the acceptable level (i.e., today, it would be designed
to prevent the use of triple-DES). However, Recommendation 4.1
is intended to allow product implementations of layered
encryption (i.e., further encryption of already-encrypted
data, as might occur when a product encrypted a message for
transmission on an always-encrypted communications link).

   For secret keys used in products covered by Recommendation
4.1, public-key protection should be allowed that is at least
as strong as the cryptographic protection of message or file
text provided by those products, with appropriate safety
margins that protect against possible attacks on these
public-key algorithms.(5) In addition, to accommodate vendors
and users who may wish to use proprietary algorithms to
provide encryption capabilities, the committee believes that
products incorporating any combination of algorithm and key
size whose cryptographic characteristics for confidentiality
are substantially equivalent to the level allowed under
Recommendation 4.1 (today, 56-bit DES) should be granted
commodity jurisdiction to the CCL on a case-by-case basis.

   An important collateral condition for products covered
under Recommendation 4.1 (and 4.2 below) is that steps should
be taken to mitigate the potential harm to U.S.
intelligence-collection efforts that may result from the wider
use of such products. Thus, the U.S. government should require
that vendors of products with cryptographically provided
confidentiality features exported under the relaxed export
control regime of Recommendation 4.1 (and 4.2 below) must
provide to the U.S. government under strict nondisclosure
agreements (a) full technical specifications of their product,
including source code and wiring schematics if necessary, and
(b) reasonable technical assistance upon request in order to
assist the U.S. government in understanding the product's
internal operations. These requirements are consistent with
those that govern export licenses granted under the
case-by-case review procedure for CJ decisions today, and the
nondisclosure agreements would protect proprietary vendor
interests.

   These requirements have two purposes. First, they would
enable the U.S. government to validate that the product
complies with all of the conditions required for export
jurisdiction under the CCL. Second, they would allow more
cost-effective use of intelligence budgets for understanding
the design of exported cryptographic systems.

   Note that these requirements do not reduce the security
provided by well-designed cryptographic systems. The reason is
that a well-designed cryptographic system is designed on the
principle that all security afforded by the system must reside
in the secrecy of an easily changed, user-provided key, rather
than in the secrecy of the system design or implementation.
Because the disclosure of internal design and implementation
information does not entail the disclosure of cryptographic
keys, the security afforded by a well-designed cryptographic
systems is not reduced by these requirements.

   Finally, the level of cryptographic strength that
determines the threshold of easy exportability should be set
at a level that promotes the broad use of cryptography and
should be adjusted upward periodically as technology evolves.

   The committee believes that today, products that
incorporate 56-bit DES for confidentiality meet most general
commercial requirements and thus should be easily exportable.
The ability to use 56-bit DES abroad will significantly
enhance the confidentiality available to U.S. multinational
corporations conducting business overseas with foreign
partners, suppliers, and customers and will improve the choice
of products with encryption capabilities available to domestic
users, as argued in Chapter 4.

   Relaxation of export controls in the manner described in
Recommendation 4.1 will help the United States to maintain its
worldwide market leadership in products with encryption
capabilities. The committee believes that many foreign
customers unwilling to overlook the perceived weaknesses of
40-bit RC2/RC4 encryption, despite superior noncryptography
features in U.S. information technology products, are likely
to accept DES-based encryption as being adequate. Global
market acceptance of U.S. products incorporating DES-based
encryption is more conducive to U.S. national security
interests in intelligence collection than is market acceptance
of foreign products incorporating even stronger algorithm and
key size combinations that might emerge to fill the vacuum if
U.S. export controls were not relaxed.

   Why DES? The Data Encryption Standard (DES) was promulgated
by the National Bureau of Standards in 1975 as the result of
an open solicitation by the U.S. government to develop an open
encryption standard suitable for nonclassified purposes. Over
the last 20 years, DES has gained widespread acceptance as a
standard for secret-key cryptography and is currently being
used by a wide range of users, both within the United States
and throughout the world. This acceptance has come from a
number of very important aspects that make DES a unique
cryptographic solution. Specifically, DES provides the
following major benefits:

   +    DES provides a significantly higher level of
confidentiality protection than does 40-bit RC2 or RC4, the
key-size and algorithm combination currently granted automatic
commodity jurisdiction to the CCL. In the committee's
judgment, DES provides a level of confidentiality adequate to
promote broader uses of cryptography, whereas the public
perception that 40-bit RC2/RC4 is "weak" does not provide such
a level (even though the wide use of 40-bit RC2/RC4 would have
significant benefits for information security in practice).(6)

   +    Since its inception, DES has been certified by the
U.S. government as a highquality solution for nonclassified
security problems. Although future certification cannot be
assured, its historical status has made it a popular choice
for private sector purposes. Indeed, a large part of the
global financial infrastructure is safeguarded by products and
capabilities based on DES. Moreover, the U.S. government has
developed a process by which specific DES implementations can
be certified to function properly, increasing consumer
confidence in implementations so certified.

   +    The analysis of DES has been conducted in open forums
over a relatively long period of time (20 years). DES is one
of a handful of encryption algorithms that has had such public
scrutiny, and no flaws have been discovered that significantly
reduce the work factor needed to break it; no practical
shortcuts to exhaustive search for cryptanalytic attacks on
DES have been found.

   +    DES can be incorporated into any product without a
licensing agreement or fees. This means that any product
vendor can include DES in its products with no legal or
economic impact to its product lines.

   +    DES has nearly universal name recognition among both
product vendors and users. Users are more likely to purchase
DES-based products because they recognize the name.

   +    Since many foreign products are marketed as
incorporating DES, U.S. products incorporating DES will not
suffer a competitive market disadvantage with respect to
encryption features.

   These major benefits of DES are the result of the open
approach taken in its development and its long-standing
presence in the industry. The brute-force decryption of a
single message encrypted with a 40-bit RC4 algorithm has
demonstrated to information security managers around the world
that such a level of protection may be inadequate for
sensitive information, as described in Chapter 4. A message
encrypted with a 56-bit key would require about 2^16 (65,536)
times as long to break, and since a 40-bit decryption has been
demonstrated using a single workstation for about a week, it
is reasonable to expect that a major concerted effort,
including the cost of design, operation, and maintenance
(generally significantly larger than the cost of the hardware
itself), would be required for effective and efficient
exhaustive-search decryption with the larger 56-bit key (as
described in Chapter 7).

   As described in Chapter 7, the economics of DES make it an
attractive choice for providing protection within mass-market
products and applications intended to meet general commercial
needs. When integrated into an application, the cost to use
DES in practice is relatively small, whereas the cost to crack
DES is significantly higher. Since most information security
threats come from individuals within an enterprise or
individuals or small organizations outside the enterprise, the
use of DES to protect information will be sufficient to
prevent most problems. That is, DES is "good enough" for most
information security applications and is likely be good enough
for the next decade because only the most highly motivated and
well-funded organizations will be capable of sustaining
bruteforce attacks on DES during that time.

   Some would argue that DES is already obsolete and that what
is needed is a completely new standard that is practically
impossible to break for the foreseeable future. Since computer
processing speeds double every 1.5 years (for the same
component costs), the cost of an exhaustive search for
cryptographic keys becomes roughly 1,000 times easier every 15
years or so. Over time, any algorithm based on a fixed key
length (DES uses a 56-bit key) becomes easier to attack. While
the committee agrees that a successor to DES will be needed in
the not-so-distant future, only DES has today the record of
public scrutiny and practical experience that is necessary to
engender public confidence. Developing a replacement for DES,
complete with such a record, will take years by itself, and
waiting for such a replacement will leave many of today's
information vulnerabilities without a viable remedy. Adopting
DES as today's standard will do much to relieve pressures on
the export control regime stemming from commercial users
needing to improve security, and give the United States and
other nations time to formulate a long-term global solution,
which may or may not include provisions to facilitate
authorized government access to encrypted data, based on the
knowledge gained from emerging escrow techniques, digital
commerce applications, and certificate authentication systems,
which are all in their infancy today.

   Given that a replacement for DES will eventually be
necessary, product designers and users would be well advised
to anticipate the need to upgrade their products in the
future. For example, designers may need to design into the
products of today the ability to negotiate cryptographic
protocols with the products of tomorrow. Without this ability,
a transition to a new cryptographic standard in the future
might well be very expensive and difficult to achieve.

   The committee recognizes that the adoption of
Recommendation 4.1 may have a negative impact on the
collection of signals intelligence. Much of the general
intelligence produced today depends heavily on the ability to
monitor and select items of interest from the large volumes of
communications sent in the clear. If most of this traffic were
encrypted, even at the levels allowed for liberal export
today, the selection process would become vastly more
difficult. Increasing the threshold of liberal exportability
from 40-bit RC2/RC4 to 56-bit DES will not, in itself, add
substantially to the difficulties of message selection.
Foreign users of selected channels of high-interest
communications would, in many cases, not be expected to
purchase and use U.S. encryption products under any
circumstances and thus in these cases would not be affected by
a change in the U.S. export control regime. However, it is
likely that the general use of 56-bit DES abroad will make it
less likely that potentially significant messages can be
successfully decrypted.

   The overwhelming acceptance of DES makes it the most
natural candidate for widespread use, thereby significantly
increasing the security of most systems and applications. The
committee believes that such an increase in the "floor" of
information security outweighs the additional problems caused
to national security agencies when collecting information.
Since DES has been in use for 20 years, those agencies will at
least be facing a problem that has well-known and
well-understood characteristics. Recommendation 5 addresses
measures that should help national security authorities to
develop the capabilities necessary to deal with these
problems.

----------

   (4)  For purposes of Recommendation 4.1, a product that is
"easily exportable" will automatically qualify for treatment
and consideration (i.e., commodity jurisdiction, or CJ) under
the CCL. Automatic qualification refers to the same procedure
under which software products using RC2 or RC4 algorithms for
confidentiality with 40-bit key sizes currently qualify for
the CCL.

   (5)  For example, the committee believes that a
Rivest-Shamir-Adelman (RSA) or Diffie-Hellman key on the order
of 1,024 bits would be appropriate for the protection of a
56-bit DES key. The RSA and Diffie-Hellman algorithms are
asymmetric. Chapter 2 discusses why key sizes differ for
asymmetric and symmetric algorithms.

   (6)  In other words, the market reality is that a
side-by-side comparison of two products identical except for
their domestic vs. exportable encryption capabilities always
results in a market assessment of the stronger product as
providing a "baseline" level of security and the weaker one
being inferior, rather than the weaker product providing the
baseline and the stronger one being seen as superior.

____________________________________________________________


   *Recommendation 4.2 -- Products providing stronger
confidentiality should be exportable on an expedited basis to
a list of approved companies if the proposed product user is
willing to provide access to decrypted information upon
legally authorized request.*

   Recommendation 4.1 addresses the needs of most general
commercial users. However, some users for some purposes will
require encryption capabilities at a level higher than that
provided by 56-bit DES. The Administration's proposal to give
liberal export consideration to software products with 64-bit
encryption provided that those products are escrowed with a
qualified escrow agent is a recognition that some users may
need encryption capabilities stronger than those available to
the general commercial market.

   The philosophy behind the Administration's proposal is that
the wide foreign availability of strong encryption will not
significantly damage U.S. intelligence-gathering and law
enforcement efforts if the United States can be assured of
access to plaintext when necessary. Recommendation 4.2 builds
on this philosophy to permit liberal export consideration of
products with encryption capabilities stronger than that
provided by 56-bit DES to users that are likely to be
"trustworthy," i.e., willing to cooperate in providing access
to plaintext for U.S. law enforcement authorities when a
legally authorized request is made to those companies. (How
firms are designated as approved companies is described
below.) These approved firms will determine for themselves how
to ensure access to plaintext, and many of them may well
choose to use escrowed encryption products. A firm that
chooses to use escrowed encryption would be free to escrow the
relevant keys with any agent or agents of its own choosing,
including those situated within the firm itself.

   Note that while Recommendation 4.2 builds on the philosophy
underlying the Administration's current software encryption
proposal, it stands apart from it. In other words,
Recommendation 4.2 should not be regarded as a criticism of,
as a substitute for, or in contrast to the Administration
proposal.

   From the standpoint of U.S. law enforcement interests,
continued inclusion on the list of approved firms is a
powerful incentive for a company to abide by its agreement to
provide access to plaintext under the proper circumstances.
While Recommendation 4.2 does not stipulate that companies
must periodically requalify for the list, a refusal or
inability to cooperate when required might well result in a
company being dropped from the list and publicly identified as
a noncooperating company, and subject the parties involved to 
the full range of sanctions that are available today to
enforce compliance of product recipients with end-use
restrictions (as described in Chapter 4).

   Recommendation 4.2 also provides a tool with which the
United States can promote escrowed encryption in foreign
nations. Specifically, the presence of escrowed encryption
products that are in fact user-escrowed would help to deploy
a base of products on which the governments of the relevant
nations could build policy regimes supporting escrowed
encryption. It has the further advantage that it would speed
the deployment of escrowed encryption in other countries
because shipment of escrowed encryption products would not
have to wait for the completion of formal agreements to share
escrowed keys across international boundaries, a delay that
would occur under the current U.S. proposal on escrowed
encryption software products.

   U.S. vendors benefit from Recommendation 4.2 because the
foreign customers on the list of approved companies need not
wait for the successful negotiation of formal agreements.
Moreover, since Recommendation 4.2 allows approved companies
to establish and control their own escrow agents, it
eliminates the presence or absence of escrowing features as a
competitive disadvantage. A final benefit for the U.S. vendor
community is that Recommendation 4.2 reduces many bureaucratic
impediments to sales to approved companies on the list, a
benefit particularly valuable to smaller vendors that lack the
legal expertise to negotiate the export control regime.

   Customers choosing products covered under Recommendation
4.2 benefit because they retain the choice about how they will
provide access to decrypted information. Potential customers
objecting to Administration proposals on export of escrowed
encryption because their cryptographic keys might be
compromised can be reassured that keys to products covered by
Recommendation 4.2 could remain within their full control. If
these customers choose to use escrowed encryption products to
meet the need for access, they may use escrow agents of their
own choosing, which may be the U.S. government, a commercial
escrow agent as envisioned by the Administration's proposal,
or an organization internal to the customer company.

   Recommendation 4.2 is silent on how much stronger the
encryption capabilities of covered products would be as
compared to the capabilities of the products covered by
Recommendation 4.1. The Administration has argued that the
64-bit limit on its current proposal is necessary because
foreign parties with access to covered products might find a
way to bypass the escrowing features. However, Recommendation
4.2 covers products that would be used by approved firms that,
by assumption, would not be expected to tamper with products
in a way that would prevent access to plaintext when necessary
or would bypass the escrowing features of an escrowed
encryption product. (The risks inherent in this assumption are
addressed below in Requirements 1 through 3 for approved
companies.) In addition, the committee observes that providing
much stronger cryptographic confidentiality (e.g., 80 or 128
bits of key size rather than 56 or 64) would provide greater
incentives for prospective users to adopt these products.

   What firms constitute the list of approved companies? Under
current practice, it is generally the case that a
U.S.-controlled firm (i.e., a U.S. firm operating abroad, a
U.S.-controlled foreign firm, or a foreign subsidiary of a
U.S. firm) will be granted a USML license to acquire and
export for its own use products with encryption capabilities
skonger than that provided by 40-bit RC2/RC4 encryption. Banks
and financial institutions (including stock brokerages and
insurance companies), whether U.S.-controlled/owned or
foreign-owned, are also generally granted USML licenses for
stronger cryptography for use in internal communications and
communications with other banks even if these communications
are not limited strictly to banking or money transactions.
Such licenses are granted on the basis of an individual review
rather than through a categorical exemption from the USML.

   Building on this practice, the committee believes that this
category should be expanded so that a U.S.-controlled firm is
able to acquire and export products covered under
Recommendation 4.2 to its foreign suppliers and customers for
the purpose of regular communications with the U.S.-controlled
firm. A number of USML licenses for cryptography have
implemented just such an arrangement, but the purpose of
Recommendation 4.2 is to make these arrangements far more
systematic and routine.

   In addition, foreign firms specifically determined by U.S.
authorities to be major and trustworthy firms should qualify
for the list of approved companies. To minimize delay for U.S.
information technology vendors and to help assure their
competitiveness with foreign vendors, a list of these firms
eligible for purchasing U.S. products with encryption
capabilities and/or the criteria for inclusion on the list
should be made available upon request. Over time, it would be
expected that the criteria would grow to be more inclusive so
that more companies would qualify.

   All firms on this list of approved companies would agree to
certain requirements:

   +    *Requirement 1* -- The firm will provide an end-user
certification that the exported products will be used only for
intrafirm business or by foreign parties in regular
communications with the U.S. firms involved.
             +    *Requirement 2* -- The firm will take specific
measures to prevent the transfer of the exported products to
other parties.

   +    *Requirement 3* -- The firm agrees to provide the U.S.
government with plaintext of encrypted information when
presented with a properly authorized law enforcement request
and to prove, if necessary, that the provided plaintext does
indeed correspond to the encrypted information of interest.
The use of escrowed encryption products would not be required,
although many companies may find such products an appropriate
technical way to meet this requirement.

   The firms on the list of approved companies are likely to
have needs for information security products of the highest
strength possible for the environment in which they operate,
because they are more likely to be the targets of the major
concerted cryptanalytic effort described in Recommendation
4.1. On the other hand, some risks of diversion to unintended
purposes do remain, and a firm's obligation to abide by
Requirements 1 through 3 is a reasonable precaution that
protects against such risks. Note also that the approved
companies are defined in such a way as to increase the
likelihood that they will be responsible corporate citizens,
and as such responsive to relevant legal processes that may
invoked if access to plaintext data is sought. Further, they
are likely to have assets in the United States that could be
the target of appropriate U.S. legal action should they not
comply with any of the three requirements above.


   *Recommendation 4.3 -- The U.S. government should
streamline and increase the transparency of the export
licensing process for cryptography.*

   As discussed in Chapters 4 and 6, the committee found a
great deal of uncertainty regarding rules, time lines, and the
criteria used in making decisions about the exportability of
particular products. To reduce such uncertainty, as well as to
promote the use of cryptography by legitimate users, the
following changes in the export licensing process should
occur.

   *a. For cryptography submitted to the State Department for
export licensing, the presumptive decision should be for
approval rather than disapproval.* Licensing decisions
involving cryptography should be presumed to be approvable
unless there is a good reason to deny the license. The
committee understands that foreign policy considerations may
affect the granting of export licenses to particular nations,
but once national security concerns have been satisfied with
respect to a particular export, cryptography should not be
regarded for export control purposes as differing from any
other item on the CCL. Thus, if telephone switches were to be
embargoed to a particular nation for foreign policy reasons,
cryptography should be embargoed as well. But if telephone
switches are allowed for export, cryptography should be
allowed if national security concerns have been satisfied,
even if other items on the USML are embargoed.

   *b. The State Department licensing process for cryptography
exports should be streamlined to provide more expeditious
decision making.* A streamlined process would build on
procedural reforms already achieved and might further include
the imposition of specific deadlines (e.g., if a license
approved by NSA is not denied by the State Department within
14 days, the license is automatically approved) or the
establishment of a special desk within the State Department
specifically with the expertise for dealing with cryptography;
such a desk would consult with country or regional desks but
not be bound by their decisions or schedules for action. Such
streamlining would greatly reduce the friction caused by
exports determined to be consistent with U.S. national
security interests but denied or delayed for reasons unrelated
to national security.

   *c. The U.S. government should take steps to increase
vendor and user understanding of the export control regime*
with the intent of bridging the profound gap in the
perceptions of national security authorities and the private
sector, including both technology vendors and users of
cryptography. These steps would build on the efforts already
undertaken over the last several years in this area. Possible
additional steps that might be taken to reduce this gap
include:

   +    Sponsorship of an annual briefing regarding the rules
   and regulations governing the export of cryptography. While
   established information technology vendors have learned
   through experience about most of the rules and regulations
   and informal guidelines that channel decision making
   regarding export licenses, newer firms lack a comparable
   base of experience. The U.S. government should seek a
   higher degree of clarity regarding what exporting vendors
   must do to satisfy national security concems.

   +    Clarification of the rules regarding export of
   technical data. For example, foreign students attending
   U.S. universities can be exposed to any cryptographic
   source code without consequence, whereas U.S. vendors
   violate the law in developing products with encryption
   capabilities if they hire non-U.S. citizens to work as
   designers or implementors. For very complex products, it is
   very difficult if not impossible to "partition" the
   projects so that the non-U.S. citizen is unable to gain
   access to the cryptographic code. Such apparent
   inconsistencies should be reconciled, keeping in mind
   practicality and enforceability.


   *Recommendation 5: The U.S. government should take steps to
assist law enforcement and national security to adjust to new
technical realities of the information age.*

   For both law enforcement and national security,
cryptography is a two-edged sword. In the realm of national
security, the use of cryptography by adversaries impedes the
collection of signals intelligence. Managing the damage to the
collection of signals intelligence is the focus of export
controls, as discussed in Chapter 4 and in the text
accompanying Recommendation 4. At the same time, cryptography
can help to defend vital information assets of the United
States; the use of cryptography in this role is discussed in
Recommendations 5.1 and 5.2 below.

   From the standpoint of law enforcement, cryptography
provides tools to help to prevent crime, e.g., by helping
law-abiding businesses and individuals defend themselves
against information crimes, such as the theft of proprietary
information and the impersonation of legitimate parties by
illegitimate ones. Crime prevention is an important dimension
of law enforcement, especially when the crimes prevented are
difficult to detect. Nevertheless, the public debate to date
has focused primarily on the impact of cryptography on
criminal prosecutions and investigations.

   The committee accepts that the onset of an information age
is likely to create many new challenges for public safety,
among them the greater use of cryptography by criminal
elements of society. If law enforcement authorities are unable
to gain access to the encrypted communications and stored
information of criminals, some criminal prosecutions will be
significantly impaired, as described in Chapter 3.

   The Administration's response to this law enforcement
problem has been the aggressive promotion of escrowed
encryption as a pillar of the technical foundation for
national cryptography policy. The committee understands the
Administration's rationale for promoting escrowed encryption
but believes that escrowed encryption should be only one part
of an overall strategy for dealing with the problems that
encryption poses for law enforcement and national security.

   In the context of an overall strategy, it is important to
examine the specific problems that escrowed encryption might
solve. For example, Administration advocates of escrowed
encryption have argued that the private sector needs
techniques for recovering the plaintext of stored encrypted
data for which the relevant keys have been lost. To the extent
that this is true, the law enforcement need for access to
encrypted records could be substantially met by the exercise
of the government's compulsory process authority (including
search warrants and subpoenas) for information relevant to the
investigation and prosecution of criminal activity against
both the encrypted records and any relevant cryptographic
keys, whether held by outside escrow agents or by the targets
of the compulsory process. In this way, law enforcement needs
for access to encrypted files, records, and stored
communications such as e-mail are likely to be met by
mechanisms established to serve private sector needs.

   Communications (i.e., digital information in transit) pose
a different problem from that of data storage. Neither private
individuals nor businesses have substantial needs for
exceptional access to the plaintext of encrypted
communications. Thus, it is unlikely that users would
voluntarily adopt on a large scale measures intended to ensure
exceptional access to such communications. Law enforcement
authorities are understandably concemed that they will be
denied information vital for the investigation and prosecution
of criminal activity. At the same time, it is not clear that
encrypted digital communications will in fact be the most
important problem for law enforcement authorities seeking to
gain access to digital information.

   In the short term, voice communications are almost
certainly more important to law enforcement than are data
communications, a problem addressed through Recommendation
5.2. Over the longer term, the challenges to law enforcement
authorities from data communications are likely to grow as
data communications become more ubiquitous and as the
technical distinction between voice and data blurs. The
committee believes that advanced information technologies are
likely to lead to explosive increases in the amount of
electronic information being transmitted (e.g., e-mail); given
the likelihood that the spread of encryption capabilities will
be much slower than the rate at which the volume of electronic
communications increases, the opportunities for authorized law
enforcement exploitation of larger amounts of unprotected
computer-readable information may well increase in the short
run. Nevertheless, when encrypted data communications do
become ubiquitous, law enforcement may well face a serious
challenge. For this reason, Recommendation 5.3, dealing with
an exploration of escrowed encryption, sets into motion a
prudent "hedge" strategy against this eventuality;
Recommendation 5.4 begins the process of seeking to discourage
criminal use of cryptography; and Recommendation 5.5 addresses
the development of new technical capabilities to meet the
challenge of encryption.

   Against this backdrop, Recommendation 5.3 is only one part
of an overall strategy for dealing with the problems that
encryption poses for law enforcement and national security.


   *Recommendation 5.1 -- The U.S. government should actively
encourage the use of cryptography in nonconfidentiality
applications such as user authentication and integrity
checks.*

   The nonconfidentiality applications of cryptography (e.g.,
digital signatures, authentication and access controls,
nonrepudiation, secure time/date stamps, integrity checks) do
not directly threaten law enforcement or national security
interests and do not in general pose the same policy dilemma
as confidentiality does. Since the deployment of
infrastructures for the nonconfidentiality uses of
cryptography is a necessary (though not sufficient) condition
for the use of cryptography for confidentiality, the nation
may take large steps in this area without having to resolve
the policy dilemmas over confidentiality, confident that those
steps will be beneficial to the nation in their own right.
Policy can and should promote nonconfidentiality applications
of cryptography in all relevant areas.

   One of the most important of these areas concerns
protection against systemic national vulnerabilities. Indeed,
in areas in which confidence in and availability of a national
information network are most critical, nonconfidentiality uses
of cryptography are even more important than are capabilities
for confidentiality. For example, ensuring the integrity of
data that circulates in the air traffic control system is
almost certainly more important than ensuring its
confidentiality; ensuring the integrity (accuracy) of data in
the banking system is often more important than ensuring its
confidentiality.(7)

   Nonconfidentiality applications of cryptography support
reliable user authentication. Authentication of users is an
important crime-fighting measure, because authentication is
the antithesis of anonymity. Criminals in general seek to
conceal their identities; reliable authentication capabilities
can help to prevent unauthorized access and to audit improper
accesses that do occur. Nonconfidentiality applications of
cryptography support reliable integrity checks on data; used
properly, they can help to reduce crimes that result from the
alteration of data (such as changing the payable amount on a
check).

   To date, national cryptography policy has not fully
supported these nonconfidentiality uses. Some actions have
been taken in this area, but these actions have run afoul of
government concerns about confidentiality. For example, the
government issued a Federal Information Processing Standard
(FIPS) for the Digital Signature Standard in 1993, based on an
unclassified algorithm known as the Digital Signature
Algorithm. This FIPS was strongly criticized by industry and
the public, largely because it did not conform to the de facto
standard already in use at the time, namely one based on the
Rivest-Shamir-Adelman (RSA) algorithm. Government sources told
the committee that one reason the government deemed the RSA
algorithm inappropriate for promulgation as a FIPS was that it
is capable of providing strong confidentiality (and thus is
not freely exportable) as well as digital signature
capability. The two other reasons were the desire to
promulgate an approach to digital signatures that would be
royalty-free (RSA is a patented algorithm) and the desire to
reduce overall system costs for digital signatures.8 Export
controls on cryptography for confidentiality have also had
some spillover effect in affecting the foreign availability of
cryptography for authentication purposes, as described in
Chapter 4.

   Government has expressed considerably more concern in the
public debate regarding the deleterious impact of widespread
cryptography used for confidentiality than over the
deleterious impact of not deploying cryptographic capabilities
for user authentication and data integrity. Government has not
fully exercised the regulatory influence it does have over
certain sectors (e.g., telecommunications, air traffic
control) to promote higher degrees of information security
that would be met through the deployment of nonconfidentiality
applications of cryptography. Finally, the committee believes
that since today's trend among vendors and users is to build
and use products that integrate multiple cryptographic
capabilities (for confidentiality and for authentication and
integrity) with general-purpose functionality, government
actions that discourage capabilities for confidentiality also
tend to discourage the development and use of products with
authentication and integrity capabilities even if there is no
direct prohibition or restriction on products with only
capabilities for the latter (Chapter 4).

   What specific actions can government take to promote
nonconfidentiality applications of cryptography? For
illustrative purposes only, the committee notes that the
government could support and foster technical standards and/or
standards for business practices that encourage
nonconfidentiality uses based on de facto commercial
standards. One example would be the promulgation of a business
requirement that all data electronically provided to the
government be certified with an integrity check and a digital
signature. A second example would be enactment of legislation
and associated regulations setting standards to which all
commercial certification authorities should conform; greater
clarity regarding the liabilities, obligations, and
responsibilities for certificate authorities would undoubtedly
help to promote applications based on certification
authorities. A third example is that the U.S. government has
a great deal of expertise in the use of cryptography and other
technologies for authentication purposes; an aggressive
technology transfer effort in this domain would also help to
promote the use of reliable authentication methods.

   A final dimension of this issue is that keys used in
nonconfidentiality applications of cryptography, especially
ones that support established and essential business practices
or legal constructs (e.g., digital signatures, authentication,
integrity checks), must be controlled solely by the immediate
and intended parties to those applications. Without such
assurances, outside access to such keys could undermine the
legal basis and threaten the integrity of these practices
carried out in the electronic domain. Whatever benefits might
accrue to government authorities acting in the interests of
public safety or national security from being able to forge
digital signatures or alter digital data clandestinely would
pale by comparison to the loss of trust in such mechanisms
that would result from even a hint that such activities were
possible.

----------

   (7)  This is not to say that confidentiality plays no role
in protecting national information systems from unauthorized
penetration. As noted in Chapter 2, cryptographically provided
confidentiality can be one important (though secondary)
dimension of protecting information systems from unauthorized
penetration.

   (8)  For a discussion of the patent issues involved in the
decision regarding the Digital Signature Standard and the
concern over confidentiality, see U.S. Congress, Office of
Technology Assessment, *Information Security and Privacy in
Network Environments*, 1994, pp. 167-168 and pp. 217-222.

____________________________________________________________


   *Recommendation 5.2 -- The U.S. government should promote
the security of the telecommunications networks more actively.
At a minimum, the U.S. government should promote the link
encryption of cellular communications (9) and the improvement
of security at telephone switches.*

   As described in Chapter 1, the public switched
telecommunications network (PSTN) is both critical to many
sectors of the national economy and is undergoing rapid
evolution. While the U.S. government has taken some steps to
improve the security of the PSTN, much more could be done
based on the regulatory authority that the U.S. government has
in this area.

   The encryption of wireless voice communications would
prevent eavesdropping that is all too easy in today's largely
analog cellular telephone market. As wireless communications
shift from analog to digital modes of transport, encryption
will become easier even as the traffic itself becomes harder
to understand. A requirement to encrypt wireless
communications may also accelerate the shift to wireless modes
of digital transport. However, because of the cost of
retrofitting existing cellular services, this recommendation
is intended to apply only to the deployment of future cellular
services.

   Security in telephone switches could be improved in many
ways. For example, a requirement for adequate authentication
to access such switches would prevent unauthorized access from
maintenance ports; such ports often provide remote access to
all switch functions, a level of access equal to what could be
obtained by an individual standing in the control center. Yet
such ports are often protected with nothing more than a single
password. Telecommunications service providers could also
provide services for link encryption of traffic on wired land
lines (Chapter 7).

   By addressing through the telecommunications service
providers public demands for greater security in voice
communications (especially those such as cellular telephone
traffic) that are widely known to be nonsecure, government
would maintain law enforcement access for lawfully authorized
wiretaps through the requirements imposed on carriers today to
cooperate with law enforcement in such matters. For example,
a cellular telephone connects to the PSTN through a ground
station; since in general, the cellular telephone service
provider must feed its traffic to the PSTN in unencrypted
form, encrypted cellular telephone traffic from the mobile
handset would be decrypted at the ground station, at which
point law enforcement could gain authorized access. Thus,
legitimate law enforcement access would not, in general, be
impeded by link encryption of cellular traffic until
communications systems that bypass the PSTN entirely become
common.

   Recommendation 5.2 is an instance of a general philosophy
that link (or node) security provided by a service provider
offers more opportunities for providing law enforcement with
legally authorized access than does security provided by the
end user. In the case of voice communications, improved
security over the telecommunications network used for voice
communications and provided by the owners and operators of
that network -- a good thing in its own right and consistent
with the basic principle of this report -- would also reduce
the demand for (and thus the availability of) devices used to
provide end-to-end encryption of voice communications. Without
a ready supply of such devices, a criminal user would have to
go to considerable trouble to obtain a device that could
thwart a lawfully authorized wiretap.

   Recommendation 5.2 focuses on voice communications, given
that for the foreseeable future, voice is likely to be the
most common form of communication used by the general public
(and hence by criminals as well). The committee recognizes
that data communications will pose certain problems for law
enforcement, and this is the focus of Recommendation 5.3.

----------

   (9)  "Link encryption" refers to the practice of encrypting
information being communicated in such a way that it is
encrypted only in between the node from which it is sent and
the node where it is received; while the information is at the
nodes themselves, it is unencrypted. In the context of link
encryption for cellular communications, a cellular call would
be encrypted between the mobile handset and the ground
station. When carried on the landlines of the telephone
network, the call would be unencrypted.

____________________________________________________________


   *Recommendation 5.3 -- To better understand how escrowed
encryption might operate, the U.S. government should explore
escrowed encryption for its own uses. To address the critical
international dimensions of escrowed communications, the U.S.
government should work with other nations on this topic.*

   As described in Chapter 5, escrowed encryption (as a
generic concept, not limited to the Clipper/Capstone
initiatives of the U.S. government) has both benefits and
risks from a public policy standpoint. The purpose of
encryption is to provide users with high degrees of assurance
that their sensitive information will remain secure. The
primary benefit of escrowed encryption for law enforcement and
national security is that when properly implemented and widely
deployed, it provides such assurance but nevertheless enables
law enforcement and national security authorities to obtain
access to escrow-encrypted data in specific instances when
authorized by law. Escrowed encryption also enables businesses
and individuals to recover encrypted stored data to which
access has been inadvertently lost, and businesses to exercise
a greater degree of control over their encrypted
communications. Finally, by meeting demands for better
information security emanating from legitimate business and
private interests, escrowed encryption may dampen the market
for unescrowed encryption products that would provide similar
security but without features for government exceptional
access that law enforcement and national security authorities
could use for legitimate and lawfully authorized purposes.

   The risks of escrowed encryption are also considerable.
Escrowed encryption provides a potentially lower degree of
confidentiality than does properly implemented unescrowed
encryption, because escrowed encryption is specifically
designed to permit external access and then relies on
procedures and technical controls implemented and executed by
human beings to prevent unauthorized use of that access. While
policy makers have confidence that procedures can be
established and implemented without a significant reduction of
information security, skeptics place little faith in such
procedural safeguards. Maintaining system security is
difficult enough without the deliberate introduction of a
potential security hole, and the introduction of another route
of attack on procedures simply complicates the job of the
information defender. In addition, the widespread adoption of
escrowed encryption, even on a voluntary basis, would lay into
place mechanisms, procedures, and organizations that could be
used to promulgate and/or enforce more restrictive
cryptography policies. With such elements in place, some
critics of escrowed encryption fear that procedural safeguards
against government abuse that are administrative in nature, or
that rest on the personal assurances of government officials,
could be eviscerated by a future administration or Congress.

   The committee believes that many policy benefits can be
gained by an operational exploration of escrowed encryption by
the U.S. government, but also that aggressive promotion of the
concept is not appropriate at this time for four reasons.

   First, not enough is yet known about how best to implement
escrowed encryption on a large scale. The operational
complexities of a large-scale infrastructure are significant
(especially in an international context of cross-border
communications), and approaches proposed today for dealing
with those complexities are not based on real experience. A
more prudent approach to setting policy would be to develop a
base of experience that would guide policy decisions on how
escrowed encryption might work on a large scale in practice.

   Second, because of the ease with which escrowed encryption
can be circumvented technically, it is not at all clear that
escrowed encryption will be a real solution to the most
serious problems that law enforcement authorities will face.
Administration officials freely acknowledge that their various
initiatives promoting escrowed encryption are not intended to
address all criminal uses of encryption, but in fact those
most likely to have information to conceal will be motivated
to circumvent escrowed encryption products.

   Third, information services and technologies are undergoing
rapid evolution and change today, and nearly all technology
transitions are characterized by vendors creating new devices
and services. Imposing a particular solution to the encryption
dilemma at this time is likely to have a significant negative
impact on the natural market development of applications made
possible by new information services and technologies. While
the nation may choose to bear these costs in the future, it is
particularly unwise to bear them in anticipation of a
large-scale need that may not arise and in light of the
nation's collective ignorance about how escrowed encryption
would work on a large scale.

   Fourth and most importantly, not enough is yet known about
how the market will respond to the capabilities provided by
escrowed encryption, nor how it will prefer the concept to be
implemented, if at all. Given the importance of market forces
to the long term success of national cryptography policy, a
more prudent approach to policy would be to learn more about
how in fact the market will respond before advocating a
specific solution driven by the needs of government.

   For these reasons, the committee believes that a policy of
deliberate exploration of the concept of escrowed encryption
is better suited to the circumstances of today than is the
current policy of aggressive promotion. The most appropriate
vehicle for such an exploration is, quite naturally,
government applications. Such exploration would enable the
U.S. government to develop and document the base of experience
on which to build a more aggressive promotion of escrowed
encryption should circumstances develop in such a way that
encrypted communications come to pose a significant problem
for law enforcement. This base would include significant
operating experience, a secure but responsive infrastructure
for escrowing keys, and devices and products for escrowed
encryption whose unit costs have been lowered as the result of
large government purchases.

   In the future, when experience has been developed, the U.S.
government, by legislation and associated regulation, will
have to clearly specify the responsibilities, obligations, and
liabilities of escrow agents (Chapter 5). Such issues include
financial liability for the unauthorized release or negligent
compromise of keys, criminal penalties for the deliberate and
knowing release of keys to an unauthorized party, statutory
immunization of users of escrowed encryption against claims of
liability that might result from the use of such encryption,
and the need for explicit legal authorization for key release.
Such legislation (and regulations issued pursuant to such
legislation) should allow for and, when appropriate,
distinguish among different types of escrow agents, including
organizations internal to a user company, private commercial
firms for those firms unwilling or unable to support internal
organizations for key holding, and government agencies.

   Such government action is a necessary (but not sufficient)
condition for the growth and spread of escrowed encryption in
the private sector. Parties whose needs may call for the use
of escrowed encryption will need confidence in the supporting
infrastructure before they will entrust encryption keys to the
safekeeping of others. Moreover, if the government is to
actively promote the voluntary use of escrowed encryption in
the future, it will need to convince users that it has taken
into account their concerns about compromise and abuse of
escrowed information. The best way to convince users that
these agents will be able to live up to their responsibilities
is to point to a body of experience that demonstrates their
ability to do so. In a market-driven system, this body of
experience will begin to accrue in small steps -- some in
small companies, some in bigger ones -- rather than being
sprung fully formed across the country in every state and
every city. As this body of experience grows, government will
have the ability to make wise decisions about the appropriate
standards that should govern escrow agents.

   In addition, the U.S. government should pursue discussions
with other nations on how escrowed encryption might operate
internationally (Appendix G). The scope of business and law
enforcement today crosses national borders, and a successful
U.S. policy on cryptography will have to be coordinated with
policies of other nations. Given that the developed nations of
the world have a number of common interests (e.g., in
preserving authorized law enforcement access to
communications, in protecting information assets of their
domestic businesses), the process begun at the Organization
for Economic Cooperation and Development (OECD) in December
1995 is a promising forum in which these nations can bring
together representatives from business, law enforcement, and
national security to discuss matters related to cryptography
policy over national borders. Fruitful topics of discussion
might well include how to expand the network of Mutual Law
Enforcement Assistance Treaties that bind the United States
and other nations to cooperate on law enforcement matters.
Broader cooperation should contribute to the sharing of
information regarding matters that involve the criminal use of
encryption; national policies that encourage the development
and export of"escrowable" encryption products; understanding
of how to develop a significant base of actual experience in
operating a system of escrowed encryption for communications
across national borders; and the negotiation of sectorspecific
arrangements (e.g., a specific set of arrangements for banks)
that cross international boundaries.


   *Recommendation 5.4 -- Congress should seriously consider
legislation that would impose criminal penalties on the use of
encrypted communications in interstate commerce with the
intent to commit a federal crime.*

   The purpose of such a statute would be to discourage the
use of cryptography for illegitimate purposes. Criminalizing
the use of cryptography in this manner would provide sanctions
analogous to the existing mail fraud statutes, which add
penalties to perpetrators of fraud who use the mail to commit
their criminal acts. Such a law would focus the weight of the
criminal justice system on individuals who were in fact guilty
of criminal activity, whereas a mandatory prohibition on the
use of cryptography would have an impact on law-abiding
citizens and criminals alike.

   A concern raised about the imposition of penalties based on
a peripheral aspect of a criminal act is that it may be used
to secure a conviction even when the underlying criminal act
has not been accomplished. The statute proposed for
consideration in Recommendation 5.4 is not intended for this
purpose, although the committee understands that it is largely
the integrity of the judicial and criminal justice process
that will be the ultimate check on preventing its use for such
purposes.

   As suggested in Chapter 7, any statute that criminalizes
the use of encryption in the manner described in
Recommendation 5.4 should be drawn narrowly. The limitation of
Recommendation 5.4 to federal crimes restricts its
applicability to major crimes that are specifically designated
as such; it does not extend to the much broader class of
crimes that are based on common law. Under Recommendation 5.4,
federal jurisdiction arises from the limitation regarding the
use of communications in interstate commerce. The focus of
Recommendation 5.4 on encrypted communications recognizes that
private sector parties have significant incentives to escrow
keys used for encrypting stored data, as described in
Recommendation 5.3. A statute based on Recommendation 5.4
should also make clear that speaking in foreign languages
unknown to many people would not fall within its reach.
Finally, the use of "encrypted" communications should be
limited to communications encrypted for confidentiality
purposes, not for user authentication or data integrity
purposes. The drafters of the statute would also have to
anticipate other potential sources of ambiguity such as the
use of data compression techniques that also obscure the true
content of a communication and the lack of a common
understanding of what it means to "use encrypted
communications" when encryption may be a ubiquitous and
automatic feature in a communications product.

   Finally, the committee recognizes the existence of debate
over the effectiveness of laws targeted against the use of
certain mechanisms (e.g., mail, guns) to commit crimes. Such
a debate should be part of a serious consideration of a law
such as that described in Recommendation 5.4. However, the
committee is not qualified to resolve this debate, and the
committee takes no position on this particular issue.

   A second aspect of a statutory approach to controlling the
socially harmful uses of encryption could be to expand its
scope to include the criminalization of the intentional use of
cryptography in the concealment of a crime. With such an
expanded scope, the use of cryptography would constitute a
prima facie act of concealment, and thus law enforcement
officials would have to prove only that cryptography was used
intentionally to conceal a crime. On the other hand, its more
expansive scope might well impose additional burdens on
businesses and raise other concerns, and so the committee
takes no stand on the desirability of such an expansion of
scope.

   The committee notes the fundamental difference between
Recommendation 5.4 and Recommendation 1. Recommendation 1 says
that the use of any type of encryption within the United
States should be legal, but not that any use of encryption
should be legal. Recommendation 5.4 says that the nation
should consider legislation that would make illegal a specific
use of encryption (of whatever type), namely the use of
encrypted communications in interstate commerce with the
intent of committing a federal crime.


   *Recommendation 5.5 -- High priority should be given to
research, development, and deployment of additional technical
capabilities for law enforcement and national security for use
in coping with new technological challenges.*

   Over the past 50 years, both law enforcement and national
security authorities have had to cope with a variety of
changing technological circumstances. For the most part, they
have coped with these changes quite well. This record of
adaptability provides considerable confidence that they can
adapt to a future of digital communications and stored data as
well, and they should be strongly supported in their efforts
to develop new technical capabilities.

   Moreover, while the committee's basic thrust is toward a
wider use of cryptography throughout society, considerable
time can be expected to elapse before cryptography is truly
ubiquitous. For example, Recommendation 4.1 is likely to
accelerate the widespread use of DES, but market forces will
still have the dominant effect on its spread. Even if export
controls were removed tomorrow, vendors would still take time
to decide how best to proceed, and the use of DES across the
breadth of society will take even longer. Thus, law
enforcement and national security authorities have a window in
which to develop new capabilities for addressing future
challenges. Such development should be supported, because
effective new capabilities are almost certain to have a
greater impact on their future information collection efforts
than will aggressive attempts to promote escrowed encryption
to a resistant market.

   An example of such support would be the establishment of a
technical center for helping federal, state, and local law
enforcement authorities with technical problems associated
with new information technologies.(10) Such a center would of
course address the use by individuals of unescrowed encryption
in the commission of criminal acts, because capabilities to
deal with this problem will be necessary whether or not
escrowed encryption is widely deployed. Moreover, for reasons
of accessibility and specific tailoring of expertise to
domestic criminal matters, it is important for domestic law
enforcement to develop a source of expertise on the matter. A
second problem of concern to law enforcement authorities is
obtaining the digital stream carrying the targeted
communications. The task of isolating the proper digital
stream amidst multiple applications and multiplexed channels
will grow more complex as the sophistication of applications
and technology increases, and law enforcement authorities will
need to have (or procure) considerable technical skill to
extract useful information out of the digital streams
involved. These skills will need to be at least as good as
those possessed by product vendors.

   Compared to the use of NSA expertise, a technical center
for law enforcement would have a major advantage in being
dedicated to serving law enforcement needs, and hence its
activities and expertise relevant to prosecution would be
informed and guided by the need to discuss analytical methods
in open court without concern for classification. Moreover,
such a center could be quite useful to state and local law
enforcement authorities who currently lack the level of access
to NSA expertise accorded the FBI.

   National security authorities recognize quite clearly that
future capabilities to undertake traditional signals
intelligence will be severely challenged by the spread of
encryption and the introduction of new communications media.
In the absence of improved cryptanalytic methods, cooperative
arrangements with foreign governments, and new ways of
approaching the information collection problem, losses in
traditional SIGINT capability would likely result in a
diminished effectiveness of the U.S. intelligence community.
To help ensure the continuing availability of strategic and
tactical intelligence, efforts to develop alternatives to
traditional signals intelligence collection techniques should
be given high priority in the allocation of financial and
personnel resources before products covered by Recommendation
4.1 become widely used.

----------

   (10) This example is consistent with the FBI proposal for
a Technical Support Center (TSC) to serve as a central
national law enforcement resource to address problems related
to encryption and to technological problems with an impact on
access to electronic communications and stored information.
The FBI proposes that a TSC would provide law enforcement with
capabilities in signals analysis (e.g., protocol recognition),
mass media analysis (e.g., analysis of seized computer media),
and cryptanalysis on encrypted data communications or files.

____________________________________________________________


   *Recommendation 6: The U.S. government should develop a
mechanism to promote information security in the private
sector.*

   Although the committee was asked to address national
cryptography policy, any such policy is necessarily only one
component of a national information security policy. Without
a forward-looking and comprehensive national information
security policy, changes in national cryptography policy may
have little operational impact on U.S. information security.
Thus, the committee believes it cannot leave unaddressed the
question of a national information security policy, although
it recognizes that it was not specifically chartered with such
a broad issue in mind.

   The committee makes Recommendation 6 based on the
observation that the U.S. government itself is not well
organized to meet the challenges posed by an information
society. Indeed, no government agency has the responsibility
to promote information security in the private sector. The
information security interests of most of the private sector
have no formal place at the policy-making table: the National
Security Agency represents the classified government
community, while the charter of the National Institute of
Standards and Technology directs it to focus on the
unclassified needs of the government (and its budget is
inadequate to do more than that). Other organizations such as
the Information Infrastructure Task Force and the Office of
Management and Budget have broad influence but few operational
responsibilities. As a result, business and individual
stakeholders do not have adequate representation in the
development of information security standards and export
regimes.

   For these reasons, the nation requires a mechanism that
will provide accountability and focus for efforts to promote
information security in the private sector. The need for
information security cuts across many dimensions of the
economy and the national interest, suggesting that absent a
coordinated approach to promoting information security, the
needs of many stakeholders may well be given inadequate
attention and notice.

   The importance of close cooperation with the private sector
cannot be overemphasized. While the U.S. government has played
an important role in promoting information security in the
past (e.g., in its efforts to promulgate DES, its stimulation
of a market for information security products through the
government procurement process, its outreach to increase the
level of information security awareness regarding Soviet
collection attempts, and the stimulation of national debate on
this critical subject), information security needs in the
private sector in the information age will be larger than ever
before (as argued in Recommendation 3). Thus, close
consultations between government and the private sector are
needed before policy decisions are made that affect how those
needs can be addressed. Indeed, many stakeholders outside
government have criticized what they believe to be an
inadequate representation of the private sector at the
decision-making table. While recognizing that some part of
such criticism simply reflects the fact that these
stakeholders did not get all that they wanted from policy
makers, the committee believes that the policymaking process
requires better ways for representing broadly both government
and nongovernment interests in cryptography policy. Those who
are pursuing enhanced information security and those who have
a need for legal access to stored or communicated information
must both be included in a robust process for managing the
often-competing issues and interests that will inevitably
arise over time.

   How might the policy-making process include better
representation of nongovernment interests? Experiences in
trade policy suggest the feasibility of private sector
advisors, who are often needed when policy cuts across many
functional and organizational boundaries and interests both
inside and outside government. National policy on information
security certainly falls into this cross-cutting category, and
thus it might make sense for the government to appoint parties
from the private sector to participate in government policy
discussions relevant to export control decisions and/or
decisions that affect the information security interests of
the private sector. Despite the committee's conclusion that
the broad outlines of national cryptography policy can be
argued on an unclassified basis, classified information may
nevertheless be invoked in such discussions and uncleared
participants asked to leave the room. To preclude this
possibility, these individuals should have the clearances
necessary to engage as full participants in order to promote
an effective interchange of views and perspectives. While
these individuals would inevitably reflect the interests of
the organizations from which they were drawn, their essential
role would be to present to the government their best
technical and policy advice, based on their expertise and
judgment, on how government policy would best serve the
national interest.

   How and in what areas should the U.S. govermnent be
involved in promoting information security? One obvious
category of involvement is those areas in which the secure
operation of information systems is critical to the nation's
welfare -- information systems that are invested with the
public trust, such as those of the banking and financial
system, the public switched telecommunications network, the
air traffic control system, and extensively automated
utilities such as the electric power grid. Indeed, the U.S.
government is already involved to some extent in promoting the
security of these systems, and these efforts should continue
and even grow.

   In other sectors of the economy, the committee sees no
particular reason for government involvement in areas in which
businesses are knowledgeable (e.g., their own operational
practices, their own risk-benefit assessments), and the role
of the U.S. government is most properly focused on providing
information and expertise that are not easily available to the
private sector. Specifically, the government should build on
existing private-public partnerships and private sector
efforts in disseminating information (e.g., the Forums of
Incident Response and Security Teams (FIRST), the Computer
Emergency Response Team (CERT), the I-4 group, the National
Counterintelligence Center) to take a vigorous and proactive
role in collecting and disseminating information to promote
awareness of the information security threat. For illustrative
purposes only, some examples follow. The government might:

   +    Establish mechanisms in which the sharing of sanitized
security-related information (especially information related
to security breaches) could be undertaken without
disadvantaging the companies that reveal such information.
Such efforts might well build on efforts in the private sector
to do the same thing.

   +    Undertake a program to brief senior management in
industry on the information security threat in greater detail
than is usually possible in open forums but without formal
security clearances being required for those individuals. Such
briefings would mean that specific threat information might
have to be declassified or treated on a "for official use
only" basis.

   +    Expand the NIST program that accredits firms to test
products involving cryptography for conformance to various
Federal Information Processing Standards. As of this writing,
three private companies today have been accredited to evaluate
and certify compliance of products claiming to conform to FIPS
140-1, the FIPS for cryptographic modules; both the range of
FIPSs subject to such evaluation and the number of certifying
companies could be increased.

   +    Help industry to develop common understandings
regarding cryptography and information security standards that
would constitute fair defenses against damages. These common
understandings would help to reduce uncertainty over liability
and "responsible practice."

   +    Undertake technology transfer efforts that would help
the private sector to use powerful and capable authentication
technologies developed by government. As noted elsewhere in
this section, authentication is an application of cryptography
that poses a minimal public policy dilemma, and so the use of
such government-developed technology should not be
particularly controversial.

   Finally, in describing the need for a mechanism to promote
information security in the private sector, the committee does
not make a recommendation on its specific form because its
charter did not call for it to address the question of
government organization. Such a mechanism could be a new
coordinating office for information security in the Executive
Office of the President. It could be one or more existing
agencies or organizations with a new charter or set of
responsibilities. It could be a new government agency or
organization, although in the current political climate such
an agency would demand the most compelling justification. It
could be a quasi-governmental body or a governmentally
chartered private organization, examples of which are
described in Chapter 6. Because of NSA's role within the
defense and intelligence communities and its consequent
concern about defense and intelligence threats and systems,
the committee believes the NSA is not the proper agency to
assume primary responsibility for a mission that is primarily
oriented toward the needs of the private sector. At the same
time, experts from all parts of the U.S. government should be
encouraged to assist in analyzing vulnerabilities; if such
assistance requires new legislative authority, such authority
should be sought from Congress.


                 8.3 ADDITIONAL WORK NEEDED


   The committee recognizes that a number of important areas
were outside the scope of this studY. Two of these areas are
described below:

   +    As noted in Chapter 7, digital cash and electronic
money pose many issues for public policy. These issues
considerably transcend what could be examined within the scope
of the current study.

   +    As noted in Chapter 2, the creation of an
infrastructure (or infrastructures) to support user
authentication is a central aspect of any widespread use of
various forms of cryptography. The nature of these
infrastructures is a matter of public policy; however, since
the committee was concemed primarily with addressing issues
related to cryptographic confidentiality, it did not address
infrastructure issues in the depth that would be necessary to
provide detailed advice to federal decision makers.

   Although the committee realized that these areas were
important, an in-depth study in each would require a committee
with a different membership, a different charge, and a
different time line. Problems in these areas will become
relevant in the near future, and policy makers may wish to
anticipate them by commissioning additional examination.


                      8.4 CONCLUSION


   The committee believes that its recommendations will lead
to enhanced confidentiality and protection of information for
individuals and companies, thereby reducing economic and
financial crimes and economic espionage from both domestic and
foreign sources. While the recommendations will to that extent
contribute to the prevention of crime and enhance national
security, the committee recognizes that the spread of
cryptography will increase the burden of those in government
charged with carrying out certain specific law enforcement and
intelligence activities. It believes that widespread
commercial and private use of cryptography in the United
States and abroad is inevitable in the long run and that its
advantages, on balance, outweigh its disadvantages. The
committee concluded that the overall interests of the
government and the nation would best be served by a policy
that fosters a judicious transition toward the broad use of
cryptography.

____________________________________________________________

[End Chapter 8 and main body of text -- 14 Appendices follow]


Note: for index of full report see: http://jya.com/nrcindex.htm

---------





