Levy, Steven. Scared bitless: the arcane world of cryptography used to
be the exclusive realm of spies. Now it's everybody's business -
to the chagrin of the government. In Newsweek June 10 1996,
v127, n24, p49(3).
The arcane world of cryptography used to be the exclusive realm of spies.
Now it's everybody's business--to the chagrin of the government.
ON THE FACE OF IT, THE ISSUE of cryptography--the technology that
employs secret codes to protect information--seems more suited to
math class than "The McLaughlin Group." Yet this once esoteric
subject has wound up in the center of a Beltway controversy, complete
with congressional infighting, lobbyists, entrenched government
agencies, blue-ribbon reports and even a bit of presidential
politics. This sudden spotlight on what was previously the domain of
deep-black spy stuff turns out to be a good thing, because in the
Information Age crypto policy is more than an abstraction: it could
provide the difference between security and vulnerability, or even
between life and death. Unfortunately, choosing the right policy is
not a given, and therein the controversy lies.
Here's the problem: we're increasingly entrusting information to
computers--everything from confidential medical records to business
plans to money itself. But how can we provide security so that these
data will be protected from eavesdroppers, thieves and saboteurs? The
answer hinges on cryptography. By scrambling the information into
digital codes, it allows only those entrusted with the keys to
decipher those files to see them. Some hot-shot cryptographers have
developed systems that can provide all of us with unprecedented
security, automatically coding and decoding in such a way that we
won't have to know it's there. (We can even have our phone calls
encoded, something Prince Charles might have appreciated.) Silicon
Valley would love to set such a system in motion. It not only would
generate revenues, but would also address the main problem that's
keeping the Internet from fulfilling its potential as a center of
commerce: security.
Problem solved? Not quite. Law-enforcement and national-security
agencies view this prospect with dread. Legal eavesdroppers, like FBI
wiretappers and National Security Agency snoopers, couldn't make
sense of intercepted transmissions. They warn that we could miss
indications of a terrorist act, like a nuke smuggled into Manhattan.
In addition, drug dealers, child pornographers and garden-variety
thugs could mask their activities with a mere mouse click.
Even before the Clinton administration took office, the NSA and FBI
presented those nightmare scenarios to the transition team. The
Clintonites were scared bitless. They vowed to make sure that the
worst didn't happen. They understood that cryptography should be put
to general use--but only if it were altered in such a way that the
government could, if necessary, get access to secret messages, using
a new technology known as "key escrow." The best-known of those
schemes was the ill-fated Clipper Chip, and subsequent systems
haven't caught on. (Yet another was presented two weeks ago.) Until
then they would maintain the strict export controls that treat crypto
software as powerful munitions. That's right--Uncle Sam regards that
copy of Netscape you downloaded as sort of a Stinger missile.
But now the government position of slowing down the flow of crypto is
under increasing attack. Software companies complain that regulations
cost them money and hold down innovation. Privacy groups complain
that the controls reek of Orwell's "1984." Congress is demanding
changes. Bob Dole wants to make it an issue. And on Thursday came
what Sen. Conrad Burns, a Montana Republican, called "the nail in the
coffin" of the Clinton crypto policy: a report by the National
Research Council that clearly rebukes the administration's position.
Despite the Clinton-Gore attempt to protect us against the abuse of
cryptography, says the Congress-commissioned report, our safety is at
risk--because the lack of cryptography has weakened our security.
Under particular attack are the regulations that limit the strength
of exported software like IBM's Lotus Notes, mostly by mandating that
the keys that encode and decipher the information not exceed 40 bits
(the longer the key, the stronger the protection). Often, domestic
users have to settle for this crippled crypto: since software
companies are loath to release two versions of their products, they
simply choose to offer the weaker, approved-for-export version.
Meanwhile, foreign companies have no such restrictions, and U.S.
companies maintain they are losing sales. Congress has taken up their
case; bills introduced by Sen. Patrick Leahy, Rep. Bob Goodlatte and
Burns all would relax the export rules. "These bills are pro-privacy,
pro-jobs and pro-business," says Leahy. While prospects for passage
are slim, the fact that a sizable number of legislators are defying
intelligence and law-enforcement agencies is itself significant.
Crypto policy is even finding its way into the presidential campaign.
On a visit to Silicon Valley, Bob Dole was alerted to the problem by
Netscape CEO Jim Barksdale. He also saw a chance to chip away at
Clinton's support in the high-tech world. Dole not only cosponsored
the Senate bills but issued a neo-cypherpunk statement charging that
"the administration's big brother proposal will literally destroy
America's computer industry."
The NRC report, entitled "Cryptography's Role in Securing the
Information Society," stands as the most serious challenge to current
policy. It is drenched in credibility: its 16 authors include former
attorney general Benjamin Civiletti, onetime NSA deputy director Ann
Caracristi, privacy expert Willis Ware and cryptographer Martin
Hellman. The panel was briefed by all sides of the issue, including
some classified sessions with government officials. Despite the
group's diversity, it reached consensus: "Widespread commercial and
private use of cryptography is inevitable in the long run and ... its
advantages, on balance, outweigh its disadvantages."
The NRC made some specific recommendations. The government should
stop building a system around the unproven Clipper-style technology.
The export regulations should be relaxed, specifically permitting
free export of the well-tested Data Encryption Standard, which uses a
56-bit key. (While some argue for even bigger keys, this is a
significant jump. The increase in key size alone means that
theoretically it will be more than 65,000 times harder to crack a
code.) Perhaps the strongest rebuke came with the rejection of the
"if you only knew" defense. The committee concluded that informed
decisions on crypto could be made without access to classified
material.
If the NRC advice was followed, would criminals hide nefarious
activities behind a digital wall of gibberish? Quite possibly, admits
the committee--but without action to promote crypto, we are
increasingly dependent on a computer-controlled world with
insufficient protection. "We're encouraging a world that supports
greater confidentiality--but we think it's worth the risk," says
panelist Ray Ozzie, creator of IBM's Lotus Notes. The committee cited
security breaches like the recent raid on Citicorp by Russian
hackers, and warned that without crypto, we are more vulnerable to
"information warfare" threats--endangering operations like the
air-traffic-control system.
The government's response? "We do care about the security of
information, but we need to do it in a way that does not diminish law
enforcement," says an administration official. "People writing
academic reports can take chances. But when you are the policeman,
you have to err on the side of protecting people."
The question is, which approach provides the most protection? The NRC
report undercuts the government's position at a time when many were
already beginning to question it. On May 21, 11 senators sat down in
a bugproof room for a classified briefing, presumably designed to
make them rethink their proposals. But, said Leahy, "no one seemed to
change their mind." Looks like they've cracked the code.
COPYRIGHT Newsweek Inc. 1996