21 May 1998
Thanks to RH
Investor's Business Daily NATIONAL ISSUE THE ENCRYPTION EXPORT DEBATE U.S. Controls On Technology Could Cost $9 Billion Date: 5/21/98 Author: Reinhardt Krause Is the Clinton administration finally ready to relax controls on exports of computer-security technology? Signs that the White House is rethinking its policy is stirring some hope in the high-tech industry, after more than five years of frustration. Others warn, however, that the White House is leaving the door open to imposing tighter encryption controls within the U.S., as well as restricting exports. Encryption scrambles computer data to provide security and privacy. It plays a key role in electronic commerce over the Internet by protecting digital communications - such as corporate e-mail and credit- card and bank-account data - from tampering. Computer companies want the U.S. to ease export controls on advanced encryption hardware and software so they can take part in the booming market in global e-commerce. That stance puts them at odds with law enforcement agencies. They say rolling back controls could let criminals, terrorists or computer hackers conceal illegal activities. It's high time to hammer out a compromise, Commerce Department Secretary William Daley said last month. "While our policy goal - balance -is the right one, our implementation has been a failure," Daley said. "The global market is rendering our (encryption) policy obsolete. And I fear that will soon make our products obsolete as well." U.S. firms could lose out on $9 billion in encryption-product sales over the next five years if export policy isn't revised, says a study released last month by the Economic Strategy Institute in Washington. It pegs overall cost to the economy at a minimum of $35 billion through 2002. The government now restricts U.S. companies to selling what many experts regard as low-level encryption. For high-level encryption sales, the policy requires the use of ''key recovery'' systems. These systems give law enforcement agencies access to special keys -through third parties - that unscramble data so they can be read. If you look at encrypted, or protected, data, all you see is a soup of letters, numbers and symbols. To make sense of it, you need a set of instructions called a key. The longer the key, the stronger the encryption. A strong encryption key is 128 digital bits long. It's virtually impossible for government agents to break, which is why the administration wants to control its sale and use. But in March, Vice President Al Gore left some wriggle room in a letter to Sen. Tom Daschle, D-S.D., the Democratic leader in the Senate. "The administration is not wedded to any single technology solution," Gore wrote. The high-tech industry hopes Daley's frank admission that encryption policy isn't working and Gore's letter point to new flexibility. But some leading encryption firms are wary. "The National Security Agency and Federal Bureau of Investigation are still orchestrating the administration's position behind the scenes," said Jim Bidzos, president of RSA Data Security, a Redwood City, Calif.- based unit of Security Dynamics Technologies Inc. Administration officials "continually play this game of offering some meaningless relief, promising more and never delivering," Bidzos added. "They're gridlocked. When pressed to make concessions, the NSA and FBI never find any compromises acceptable." Still, Congress is set to review several encryption bills this year. And a new high-tech-backed group, Americans for Computer Privacy, plans to spend several million dollars on lobbying and ads to change encryption policy. "We need a more creative approach," said ACP's executive director, Ed Gillespie. "The policy is outdated and ineffective. You're not going to stop demand for encryption technology or its spread." The computer industry has been let down before, says Kenneth Dam, a University of Chicago law professor. He headed a study released by the National Research Council two years ago that urged the government to relax its export controls on encryption products. "There's been no leadership at the center of the government to resolve this," Dam said. "There hasn't been enough high-level staff attention to knock heads together and get a resolution. The administration doesn't have a really clear position." In '93, the administration's "clipper chip" proposal would have required every computer to include an encryption chip whose keys - or code to unlock encrypted data - would have been held by the government. That proposal fell flat with civil libertarians. Two years later, the administration proposed that a third party control the keys to encrypted data and the government could gain access to them with proper warrants. There are basically two ways to set up third- party control. One is similar to giving a neighbor a copy of a house key. The other is like giving parts of a treasure map to different people. Often, the third parties are makers of encryption products. The Justice Department went further last year, pushing for the use of key recovery systems within the U.S. And Sens. John McCain, R-Ariz., and Robert Kerrey, D-Neb., drafted bills for tighter domestic controls over encryption products. In March of this year, Justice appeared to soften its stance. Gore's letter, though, implies that the administration may yet support domestic encryption controls if a new compromise isn't reached, warn some in the high-tech industry. "We're dead set against domestic controls," said Aaron Cross, public policy director at International Business Machines Corp. "We need to get a new dialogue started," Cross added. "As long as there is posturing by law enforcement on one side and people advocating total freedom to use and export strong encryption on the other, you're going to end up in this area of paralysis." To make matters worse, U.S. firms stand to lose business to foreign rivals that are able to sell advanced encryption products with no strings attached. "Our policy encourages the growth of foreign producers at the same time it retards growth here," said Commerce's Daley. The Economic Strategy Institute figures that at the end of '97, 653 encryption products were being made in 29 countries outside the U.S. Major producers are in Germany, Ireland, Canada, Israel and Great Britain. "Encryption policy is severely hampering the competitiveness of U.S. companies, especially software suppliers," said Carl Howe, an analyst at consultancy Forrester Research Inc. in Cambridge, Mass. "We need to relax our export policy, or see that business go overseas." Manufacturers second that. "The driving force (behind loosening export limits) is electronic commerce, which creates a demand for encryption technology," said Douglas McGowan, Hewlett-Packard Co.'s director of Internet business development. "We have customers overseas that want access to the same kind of technology our U.S. customers can buy. That's why it's an important issue to us." Many other high-tech companies also have a stake in the encryption debate. Encryption code is embedded in much software used in e-commerce and Net browser software to protect engineering diagrams and proprietary data. [End]