September 17, 1999
Just Like That, the War's Over On the Encryption Battlefield
By JASON FRY and MEGAN DOSCHER THE WALL STREET JOURNAL INTERACTIVE EDITION
For years, export controls on encryption software have been the issue that the libertarians of Silicon Valley point to in painting the government as a dinosaur that's out of touch with reality.
For years, the government placed restrictions on exports of encryption technology, branding such software as munitions, allowing companies to send it overseas only after lengthy reviews and only allowing them to export lower-strength software with shorter "key lengths." All this while foreign competitors gleefully hawked software with longer key lengths to companies and while high-powered encryption software could be downloaded by anyone with a phone line to the Internet. Meanwhile, the government played a cynical shell game in the courts, moving responsibility for encryption from agency to agency in an effort to head off legal challenges to its policies.
Even when the government did yield, things weren't much better. In early 1997, the White House began allowing the export of 56-bit encryption software, but added a controversial provision: Software makers had to agree to develop a "key-recovery" system that would allow law-enforcement officials with court permission to use a "back door" to decrypt information encrypted by that software. Key-recovery demands were eventually dropped for firms in certain industries. But by then, 56-bit encryption schemes had already been cracked by researchers, and encryption experts generally agreed that 128-bit key lengths were the minimum level needed to ensure safety.
The government's position, through all this, was that national-security and law-enforcement efforts would be devastated by the widespread adoption of encryption, leaving terrorists, spies, child pornographers and a host of other villains free to perform their evil without any chance of being caught. Whenever congressional efforts to liberalize encryption policy gained ground, law-enforcement officials would herd members of Congress into closed-door briefings in which dire secrets were shared. The half-joking line on Capitol Hill, after such briefings, was "I'd tell you why I can't vote for your bill, but I'd have to kill you."
Then, on Sept. 16, everything changed.
The new policy adopted by the Clinton administration permits the export, without a license, of any encryption commodity or software following a "technical review," with the only recipients specifically prohibited being countries accused by the State Department of sponsoring terrorism. Sales to foreign governments are permitted but must still be licensed. But that was about it -- those parameters aside, there are no limits on key lengths, no key-recovery schemes, no nothing.
Attorney General Janet Reno and others refused to admit that encryption restrictions were being relaxed, but they clearly were. What national-security and law-enforcement officials did was make sure that they can monitor the sale and spread of encryption commodities overseas. In press briefings, that was portrayed as a compromise, but full-scale retreat would be a better description. Ms. Reno let some of the old mindset show through when she groused that "we must recognize that the policy the administration is announcing today will result in greater availability of encryption, which will mean that more terrorists and criminals will use encryption."
Meanwhile, one questioner noted that in appearances before Congress, Deputy Defense Secretary John Hamre had frequently outlined "the exact scenarios that the Attorney General says will now come to pass, and said they were unspeakable dangers that should be avoided."
"Now," the questioner continued, "this policy is called a 'balanced' policy. What's shifted in the last few months?"
What shifted -- dramatically -- was the political calculus, which finally forced the administration to face reality.
Jim Bidzos, vice chairman of RSA Security Inc. and a 15-year veteran of the encryption wars, sees a number of factors that gradually came to exert more and more pressure. The first came to the fore about five years ago, as foreign firms started waking up to the opportunity that U.S. export controls posed for their sales teams. The second factor, in his thinking, was the tremendous contribution technology has made to the economy. A third came about 18 months ago, when the administration tried -- and failed -- to get other nations to take a hard line on encryption policy. Then this year, a bill to liberalize export policy attracted more than half of the House's members as co-sponsors -- and survived the usual national-security machinations aimed at derailing it.
Then, of course, there's the fact that there's an election coming up.
"The cynic in me wants to say there's politics at work here, too -- the Democrats don't want to hand this issue to the Republicans," says Mr. Bidzos.
One stop that no candidate can overlook on the campaign fund-raising trail, he notes, is Silicon Valley -- and that's one well-moneyed area where Vice President Gore has been granted a chilly reception compared with those given to George W. Bush and former senator Bill Bradley. Now, Mr. Gore has done a tremendous amount to revive his standing in techie circles and taken an issue away from his rivals.
After a battle so lengthy and hard-fought, some in the high-tech world have to be wondering if what was announced Thursday could really be true. And there are some loopholes that the administration's doubters will be watching: The government still gets a one-time review of products, and must approve the licensing of products to foreign governments. Details about how long those processes will take -- a key point -- have yet to emerge. (A Defense Department official said this week that "we're not interested in a lengthy process," but added that "companies have to come in with more than just a brochure.")
"There are substantially attractive features of this new policy, but as usual, the devil is in the details," Mr. Bidzos said. "A one-time review that takes 18 months isn't very helpful."
But it doesn't seem likely that those loopholes will be exploited, given the new rules and the stated support of law-enforcement and national-security officials for the new policy. It seems safe to say -- albeit with considerable surprise -- that the encryption wars are history.