The New York Times, April 7, 1997, pp. D1, D7.
By EDMUND L. ANDREWS
BOBLINGEN, Germany, April 3--Boris Anderer and his four partners have a message for the spy masters in America's national security establishment: thank you very, very much.
Mr. Anderer is the managing director for marketing at Brokat Informationssysteme G.m.b.H., a three-year-old software company here that is growing about as fast as it can hire computer programmers.
When America Online wanted to offer online banking and shopping services in Europe, it turned to Brokat for the software that encodes transactions and protects them from hackers and on-line bandits. When Netscape Communications and Microsoft wanted to sell Internet software to Germany's biggest banks, they had to team up with Brokat to deliver the security guarantees that the banks demanded.
But what is most remarkable is that Brokat's rapid growth stems in large part from the Alice in Wonderland working of American computer policy. Over the last two years, Brokat and a handful of other European companies have carved out a booming business, selling powerful encryption technology around the world that the United States Government prohibits American companies from exporting.
Mr. Anderer could not be happier. "The biggest limitation on our growth is finding enough qualified people," he said, as he strode past rooms filled with programmers dressed in T-shirts and blue jeans.
The company's work force has climbed to 110 from 30 in the last year, and the company wants to add another 40 by the end of the year.
"This company has grown so fast that I often don't know whether the people I see here have just started working or are just visitors," he said.
Encryption technology has become a big battleground in the evolution of electronic commerce and the Internet. As in the United States, European banks and corporations are racing to offer on-line financial services, and many of these services are built around Internet programs sold by American companies like Netscape and Microsoft.
Cryptography is crucial because it provides the only means for protecting customers and companies from electronic eavesdroppers.
Though the market for encryption software is in itself tiny, it is a key to selling technology in the broader market of electronic commerce. Encryption is the first line of defense against hackers eager to pry loose credit card information and raid bank accounts, so it plays a critical role in the sale of Internet servers and transaction-processing systems.
Brokat, which has revenues of about 10 million marks ($6 million), uses its cryptography as a door-opener to sell much more complicated software that securely links conventional bank computer systems to a bank's Internet gateways and on-line services. Netscape, Microsoft and computer equipment manufacturers all include encryption in the networking systems they sell to corporations.
But the United States Government blocks American companies from exporting advanced encryption programs, because agencies like the Federal Bureau of Investigation and the National Security Agency fear that they will lose their ability to monitor the communications of suspected terrorists and criminals.
Far from hindering the spread of powerful encryption programs, however, American policy has created a bonanza for alert entrepreneurs outside the United States. Brokat's hottest product is the Xpresso Security Package, a set of computer programs that bump up the relatively weak encryption capability of Internet browsers from Netscape and Microsoft.
Besides America Online, Brokat's customers include more than 30 big banking and financial institutions around Europe. Deutsche Bank A.G., Germany's biggest bank, uses Brokat's software at its on-line subsidiary, Bank 24. Hypo Bank of Munich uses Brokat in its on-line discount stock brokerage operation. The Swiss national telephone company and the Zurcher Kantonalbank are also customers.
Among Brokat's competitors, UK Web Ltd., based in London, is marketing an equally powerful encryption program in conjunction with a Silicon Valley company C2Net Software. Recently, UK Web and C2Net boasted of selling "full-strength" cryptography developed entirely outside the United States.
"We don't believe in using codes so weak that foreign governments, criminals or bored college students can break them," the two companies said in a statement, in a stinging swipe at the American export restrictions.
Bigger companies are starting to jump into the fray as well. Siemens-Nixdorf, the computer arm of Siemens A.G., recently began marketing a high-security Internet server program that competes with products from Netscape. Companies can download the software from Siemens computers in Ireland.
There is nothing illegal or even surprising about this. The basic building blocks for advanced encryption technology, a series of mathematical algorithms or formulas, are all publicly available over the Internet. American companies like Netscape sell strong encryption programs within the United States, and companies like Brokat are even allowed to export their product to customers in the United States.
For many computer executives, the real mystery is why the United States Government continues to restrict the export of encryption technology. "The genie is out of the bottle," said Peter Harter, global public policy counsel at Netscape, who complained that American policy thwarts his company's ability to compete.
"I have a good product, and I can sell it to Citibank, but l can't sell it to Deutsche Bank," Mr. Harter said. "It doesn't make any sense. Why shouldn't they be able to buy the same product as Citibank? It makes them mad, and it makes us mad."
In response to industry complaints, American officials have repeatedly relaxed the restrictions on encryption over the last several years, and they did so again last November. But because the speed of computers has increased so rapidly codes that seemed impenetrable just a few years ago can be cracked within a few hours.
In a policy announced last fall, the Clinton Administration announced that it would allow American companies to freely export cryptography that used "keys" up to 40 bits in length. The longer the key, the more difficult a code is to crack. But banking and computer executives say that 40-bit codes are no longer safe and can be cracked in as little as a few hours by skilled computer hackers. The minimum acceptable code, according to many bank executives, must have keys that are 128 bits long.
"From our point of view, there is at least the possibility that a 40-bit encryption program can be broken, and that means there is a danger that our transaction processing could be compromised," said Bernd Erlingheuser, a managing director at the Bank 24 unit of Deutsche Bank. Bank 24 has about 110,000 customers in Germany who gain access to banking services over the Internet using either the Netscape Navigator or Microsoft's Internet Explorer.
Anette Zinsser, a spokeswoman for Hypo Bank, concurred. "Forty bits is just too low," she said. Hypo Bank offers Internet-based banking and discount brokerage services to about 28,000 customers.
In a country not known for high-technology start-ups, Brokat jumped at the opportunity. Mr. Anderer, a former consultant at McKinsey & Company in Germany, teamed up three years ago with two fraternity friends, Michael Janssen and Stefan Roever, and two seasoned computer experts, Achim Schlumpberger and Michael Schumacher.
The group originally conceived of building a company around modular software components that were designed for the banking industry, and they financed the company for nearly two years through the money they earned from consulting projects. But they were quickly drawn to the area of encryption, and developed a series of programs around the Java technology of Sun Microsystems.
The Xpresso encryption package is installed primarily on the central "server" computers that on-line services use to send material to individual personal computers. Customers who want to connect to a bank's server download a miniature program, or applet, that meshes with their Internet browser program and allows the customer's computer to set up an encrypted link with the server. The effect is to upgrade the 40-bit encryption program to a 128-bit program, which is extremely difficult for outsiders to crack.
Now, in another step through the looking glass of encryption policy, Brokat is trying to export to the United States. There is no law against that, but American laws would theoretically prohibit a company that used Brokat's technology from sending the applets to their online customers overseas. So the company is now negotiating with the National Security Agency for permission to let American companies send their software overseas, which is where it started from in the first place.
If Brokat convinces the spy masters, the precedent could help American software rivals. "This could open a new opportunity that would benefit American companies if they understand the implications," Mr. Anderer said.
The five managing partners and founders of fast-growing
Brokat Informationssysteme are (left to right) Boris Anderer,
Michael Janssen, Achim Schlumpberger,
Michael Schumacher and Stefan Roever.