Forwarded From: Stuart Sabel <stuarts@seanet.com>
January 16, 1999
U.S. Officials Try to Sell Encryption Policy in Valley
By PETER WAYNER, NY Times
CUPERTINO, Calif. -- The Clinton Administration's campaign against
exporting strong secret computer codes took to the road on Friday as the
President's Export Council Subcommittee on Encryption held a meeting in
Silicon Valley to try and build bridges between the computer industry and
the government.
Little harmony emerged, however, as the industry representatives turned a
cold eye to the Administration's recent proposals and complained that
increased foreign competition was in danger of surpassing American
companies.
The Administration's campaign to restrict cryptography seemed to lose
momentum this week as some foreign executives suggested that changes in a
new international agreement announced last year might have little effect
in practice. The new rules, which are in a diplomatic agreement between
the United States and 32 other Western countries, would require each
country to require special permits before allowing the export of
mass-market software containing encryption. Some executives now suggest
that some countries may simply satisfy this requirement by issuing blanket
permits that do little to contain encryption technology.
The Administration's position was further complicated by an announcement
by Representative Zoe Lofgren, a California Democrat, who told the
attendees at the meeting on Friday that she would plan to re-introduce
legislation to liberalize export controls. Earlier versions of the bill
were the basis of a strong battle in Congress that ended in a stalemate.
She suggested that she would push for liberalization of export rules once
Congress finishes determining the fate of President Clinton's impeachment.
"I frankly think that all of this mess in Washington heightens people
awareness," she said. "Grandma and grandpa are e-mailing their grandkids.
They're not hiding anything."
The committee itself is made up of representatives from the major
government bodies like that National Security Agency, major corporations
like Motorola and IBM, universities and the legal profession. The first
discussions of the morning centered on identifying which tasks the
committee would undertake given that most admitted that little agreement
was likely.
The battle over the United States' control over the export of encryption
software has always been between the arms of the government associated
with defending national security and the computer industry. The government
agencies like the National Security Agency and the Federal Bureau of
Investigation feel that strong secret codes make it possible for
terrorists, criminals and foreign countries to shield their actions from
scrutiny. The computer industry suggests that average people also need
codes to protect the confidentiality of their personal and financial
information.
In recent years, the Clinton Administration has turned to a relatively
informal mechanism for trying to convince the outside countries to adopt
U.S.-style rules intended to stem the flow of secret code software. The
new international pact on encryption, called the Wassenaar agreement, is
not a treaty, but a diplomatic arrangement binding many of the Western
countries that once united to fight the Soviet Union. It sets goals for
restricting all sorts of weaponry like armored cars and includes software
under this umbrella.
The first major speaker of the meeting was William A. Reinsch, the
official responsible for leading the Commerce Department's Bureau of
Export Affairs. He began by announcing that he had little to say, in part
because his bureau was "in a cleanup period right now" trying to solve
unintended problems caused by the new regulations issued in December. He
promised that his bureau was also working on more new regulations that
would bring the U.S. regulations in compliance with the Wassenaar
agreement.
The new version of the Wassenaar agreement states that there would be no
need for regulation of software that protected information with encryption
algorithms with no more than 64 bits. This was portrayed as a
liberalization because previous U.S. rules drew the line at 56 bits. Ira
Rubenstein, a senior corporate lawyer from Microsoft, who attended the
meeting, suggested that this was not really liberalization since the
mass-market software was not controlled at all by the Wassenaar agreement.
In fact, this lack of control was cited by Canada last year when it
decided to let the Canadian subsidiary of Entrust Technologies freely
export its full-strength security software throughout the world. The
Wassenaar agreement was expected to hamper this push by a Canadian company
because the company would be required to get a permit.
There are new indications that the Canadians may simply issue blanket
permits. John Ryan, the president of Entrust Technologies, said in a
telephone interview earlier this week that the Canadian government was
very pro-industry and he expected little real problem. "When you net it
all out, we don't think there will be a significant change," he said. "We
actually believe that most countries will just issue blanket permits." He
added, "The effect of the change will be very modest, if any."
In fact, the effects may even be more liberal. France, one of the few
European countries with stiff regulations on encryption, may be loosening
its grip in order to foster electronic commerce. The French publication
Liberation on Thursday reported that the Finance Minister, Dominique
Strauss-Khan, said that the French were at the mercy of "large ears" who
did not care about personal privacy. This may simply be a reference to
credit card thieves who snag account numbers through illicit wiretaps or
it could be a veiled reference to United States spy agencies, which are
often believed to eavesdrop on a significant fraction of the telephone and
Internet traffic in Europe. The article reported that she said, "I want to
make cryptography widely available."
Several people at the meeting suggested that the Clinton Administration
often stretched and even violated the spirit of the Wassenaar by
permitting the export of high quality encryption devices to countries like
China. When this happens, other countries sometimes view the regulations
as just a cynical ploy to help U.S. industry instead of a sincere effort.
The Clinton Administration faces further problems convincing non-Western
countries to follow its lead. This week in India, the Defense Research and
Development Organization warned Indians to avoid American-made encryption
software, saying that the U.S. government only allowed the export of
software that was easy to break in order to facilitate espionage.
Ryan contends that this worry is often a problem for Entrust's sales
force. He said, "The No. 1 pitch of our competitors is 'The cryptographic
work was done in Europe so you can trust it.'"
In fact, many other countries are quickly becoming centers of
cryptographic excellence. The American company RSA Data Security based in
San Mateo, Calif., recently hired two Australian programmers to help
solidify its offerings in Web security. The two programmers had gained
notice for distribution one of the most widely used versions of SSL, one
of the most common forms of security used to protect credit card purchases
on the Internet. All purchases at Amazon.com, for instance, are shielded
by SSL-based technology.
The meeting on Friday itself just marks the beginning of many
security-related events in the San Fransisco Bay Area. Next week, the
annual RSA Data Security conference will begin in San Jose and many
companies will be announcing new products and initiatives.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:00:59 1999