By Rachel Chalmers
In a relaxation of a 50-year ban, the White House has finally granted US companies permission to sell strong encryption to most foreign companies and governments, subject to a one-time technical review and other conditions. Vendors must report the identity of buyers to the government, and sales are not permitted to the seven states that are considered by the US government to be supporters of terrorism: Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba.
With cryptography classified as a munition after playing a key role in World War II, US IT vendors were allowed to sell strong encryption only to customers in specific industries, such as finance. Everyone else had to make do with 56-bit encryption, which by today’s standards is as weak as water. At the last RSA Conference, the Electronic Frontier Foundation cracked 56-bit DES in 22 hours and 15 minutes. Not surprisingly, the US export ban proved a bonanza for high-tech sectors outside America, particularly in Australia, Ireland and Israel.
In regulating cryptography, the Clinton Administration faces something of a Catch-22. As loudly as the domestic IT vendors protest losing market leadership in computer security to offshore competitors, the FBI and Department of Justice have cried louder still at the prospect of putting strong encryption into the hands of terrorists and child pornographers. You’d think the use of Phil Zimmermann’s Pretty Good Privacy was routine in modern mafia communications, but that’s not exactly the case.
The truth is that since the end of WW2 – not coincidentally, for the entire period the export ban has been in place – the US National Security Agency (NSA) and its counterparts in the UK, Canada, New Zealand and Australia have apparently been monitoring all electronic communications under the auspices of Project Echelon. Widespread availability of strong encryption threatens to put a significant dent in the large-scale surveillance these allies conduct, reportedly for economic as well as diplomatic advantage.
So what gives? Not the NSA or its allies. “The national security establishment – the Department of Defense, the intelligence community – strongly supports this strategy,” said deputy secretary of defense John Hamre at the press conference announcing the relaxed export regime. “Indeed, we created the first draft of this strategy and presented it to our colleagues in the interagency process.”
Far from being a defeat for America’s military and intelligence agencies, then, the eased export laws are pay-dirt for the DoD. In exchange for this sop to Silicon Valley’s leaders, the administration has promised $500m to the Department of Defense to develop new and improved surveillance techniques. And that may be just the beginning. “It’s going to require significant investment on the part of the Department of Defense and the intelligence community to put all the pieces in place,” Hamre warned. “We will have to develop new tools to be able to do our job. We will resource that appropriately in the budget that we’ve prepared…”
In other words, the Clinton administration has paid off the opponents of encryption export. In return, the DoD and the NSA have compromised so far, but no further. Important conditions are attached. There’s the one-time review, which gives the NSA a chance to look closely at products intended for export. There’s the obligation for vendors to report exactly which foreign nationals are buying their products. And there’s a new technical support center within the FBI. This center will be developing new technologies for extracting evidence from miscreants. Under the new regime, it will be protected from having to disclose what those techniques are.
Hamre made it clear that there will be no negotiation over these conditions. “I too would like to say that there are – there continues to be pressure for legislation in Congress that would strip away any controls over encryption products,” he said, adding in a burst of Cold War rhetoric: “One of the bills is called the SAFE [Security And Freedom through Encryption] act. The only person who would be safe, if that were passed, would be spies.”
In summary, the new status quo will see the powers of the NSA expanded while its accountability is diminished. The justification: US company profits were being hurt. “These regulatory changes basically open the entire commercial sector as a market for strong US encryption products,” explained secretary of commerce William Daley. “I believe that in adopting this policy, the government has fundamentally altered the encryption debate,” added attorney general Janet Reno. It’s certainly changed, but for the better?