29 April 1998

[Note: This is taken from a thread on the UK's recent issue of documents
on electronic commerce and encryption policy, a strand of which deals with
the government's premise that tight controls on strong encryption are
required to prevent its use by criminals.]

To: ukcrypto@maillist.ox.ac.uk
Subject: Crypto, drugs and the NSA (was: Criminals and strong encryption) 
Date: Wed, 29 Apr 1998 10:33:22 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Carl Ellison:

> Perhaps because this is a UK list, I'm reminded of Miss Marple who was fond 
> of saying one should ignore the words and look at the actual events.  What 
> if we assume that your statement is equally obvious to the proponents of 
> GAK.  That would imply that the real targets of these proposals aren't 
> criminals but rather the law abiding.  If that were true, a number of 
> apparent illogical things would melt away

No need for a conspiracy theory, Carl. It's quite straightforward:

(1) The NSA knows that once systems are fielded, security upgrades are
so expensive that they are almost never done. The GSM network will
remain vulnerable to recently published attacks, not because they are
difficult to prevent but because 80 million units have been deployed.
The global ATM network will remain vulnerable to some of the attacks
described in `Why Cryptosystems Fail' because replacing 400,000 cash
machines at $70,000 each would cost more than the fraud does.

(2) The NSA observes that we are probably at the peak of networked
system design and deployment. Protocols such as SSL and SET, as well
as more specialised stuff like SWIFT and CREST, are likely to be
around for a long time. Even standards for cordless phones, wireless
LANs, domestic appliance control and burglar alarms are of interest to
the NSA, whose leaders see the present time as one of `unprecedented 
opportunity'. (Source: Bob Morris' invited talk at Crypto 96.)

(3) Current developments also mean that only large agencies will be
able to keep up; small countries' spooks are being steadily dealt out
of the game. (Source: conversation with a small country spook.)

(4) The NSA concludes that almost any investment made in introducing
vulnerabilities in systems today will bring enormous returns in the
future, both in absolute terms and in terms of its competitive
advantage over FAPSI, SCSSI, etc. The economics are made especially
attractive by the fact that most of the costs can be externalised.

(5) In the past, vulnerabilities were introduced automatically by
designers who didn't know what they were doing. All that was necessary
was to humour these guys and keep them at it. (I know of cases.)

(6) Once designers stopped being completely clueless, pressure was
brought on them to introduce trapdoors deliberately. This could be a
condition of export licensing, or of research funding, or even of
ITSEC approval. (See the trapdoor in Sesame; there are others.)

(7) However, most design work is now being done outside the cozy
complex of phone companies and defence contractors, so other means are
needed. GAK is one of those other means. Every year that GAK pressure
can be kept up means maybe twenty or thirty networks that will be
accessible for generations - and not usually through escrow agents; in
many cases the designers just say `to hell with it, use 40 bits'.

(8) Seen in this light, everything makes sense. NSA doesn't care that
Barbara Roche makes a fool of herself: that's a neatly externalised
cost. NSA doesn't care if the deployment of e-commerce is held up; they
reckon (maybe correctly) that this is a lot of hype. The real target
is the hundreds of embedded and specialised systems that use most of
the deployed crypto and which provide most of the sexy targets.

(9) In any case, US crypto policy is now the result of several years
of politicking between the NSA and the US IT industry, so is getting
optimised to serve US commercial as well as defence interests.  For
example, the export controls on CAPI prevent European software houses
from competing with US ones. Crypto export controls also mean that it
makes more sense for NEC to have its non-Japanese research lab at
Princeton, NJ, rather than Cambridge, England.

(10) Y2K will also have some curious effects. For example, although BT
is spending 500 million on Y2K, most Asian phone companies are
spending nothing. They can't both be right. Motorola reckons it will
clean up, as its `Iridium' satellite phone system will be what people
in many Asian countries will have to use once the land network breaks.
So Motorola gets its $7 a minute, and when the Malaysian attorney
general wants to know what a colleague is saying on the phone, she
will have to grovel to the US embassy for a transcript of the traffic.

(11) This seems all hunky-dory for the USA but there's a problem which
should be clear to any Brit (or Frenchman or Spaniard or Turk). If you
design the global infrastructure to the advantage of the top dog
country, then once you are no longer the top dog country you will get
shafted by it. So watch out for China in (say) 2020.

(12) For Britain to help the American GAK effort also harms our trade
interests, our defence interests, our consumers, the independence of
our professions, and the resistance of the public generally to state
power grabs under the banner of `lawn order'. It is significant that
the cover traffic chosen by Labour for its U-turn was a gabfest on
drugs.  Anyone who has read Gibbon on how the late Roman Empire
suffered from increasing civil service power and corruption which
people embraced as they became steadily more docile and risk averse,
would oppose GAK on this ground alone,