New York Times
Thursday, May 6, 1993
Page D1, Business Day
Big Brother and the Computer Age
By John Markoff
Can the nation trust its secrets to its spies?
That question underpins a fierce debate over a recently
disclosed plan by the Clinton Administration to secure the
privacy of the nation's phone calls and computer data with a
standard set of computer codes.
The system was designed by scientists from the United States'
most secretive intelligence organization, the National Security
Agency. And newly disclosed memorandums, obtained under a legally
enforceable request under the Freedom of Information Act, show
that the agency waged a long and ultimately successful campaign
within the Government to insure that the technical details of
such a system would remain secret.
The inner workings of the system would be in tamper-proof
computer chips that could not be opened without being destroyed.
That means that citizens and businesses could use the encoding
technique to protect the privacy of their wireless phone calls or
the transmissions of corporate computer files, but that
independent computer experts would have no way to assure that the
system was secure enough to keep savvy computer hackers from
unscrambling messages. Nor, some computer experts say, can
anyone be certain that the National Security Agency has not built
in a "trap door" that could allow unauthorized Government
eavesdropping.
"This plan creates the ears of Big Brother, just as Orwell
warned," said Eric Hughes, an independent software designer in
Berkeley, Calif.
Over the years, the N.S.A. has been the Government's
communications policeman, with the job of protecting the
sensitive telephone and computer networks used by the military,
the State Department and other Federal agencies. It also operates
a world-wide electronic-surveillance system, monitoring foreign
communications in the name of national security.
But the recently announced encoding plan would give the agency an
unprecedented role in domestic civilian corporate communications.
"The N.S.A. is split between the need to provide security and the
fear that if information about cryptography gets out, it won't be
able to perform its other job, which is intercepting and
resolving codes." said David Kahn, author of "The Codebreakers,"
a history of the science of encryption. "It's an unresolvable
problem."
The Clinton Administration inherited the new project from the
Bush Administration, and has embraced it. The goal is a national
voice- and data-security standard intended to provide privacy for
Government, civilian and corporate users of telephone and
computer communications, while also assuring that law enforcement
agencies can continue to eavesdrop on or wiretap voice and data
conversations after obtaining warrants.
For authorized wiretapping, the law enforcement agency must
obtain special code keys held in escrow by two independent
organizations. What computer experts fear is a secret trap door
that would not require use of these legally obtained keys.
Custodian of Security
The agency has a long history of resisting industry efforts to
develop such technology on the ground that any codes not
breakable by the N.S.A. might compromise national security.
But people like John Gage, director of the science office at Sun
Microsystems in Mountain View, Calif., the maker of high-powered
computer work stations, are uncomfortable with that line of
reasoning. "These decisions can't be left solely to the gods of
encryption, the N.S.A.," Mr. Gage said. "We need privacy for the
world of business."
He testified last week at a hearing by the House Commerce
subcommittee on telecommunications and finance, which is studying
computer encryption and the National Security Agency's role in
it.
Concerns about the agency's influence on civilian communications
have been raised before. Last year, for instance, a number of
cellular-telephone executives said that an industry standards
committee had been pressed by N.S.A. officials to weaken the
security of a coding scheme that cellular phone makers are
planning to build into the next generation of phones.
Although the agency denied the assertion, computer researchers
who analyzed the industry committee's cellular coding scheme say
that it would be simple to subvert by anyone with computer-
programming skills.
Written Response
With the new plan, N.S.A. officials insist that they have no
motive to undermine the security of the coding plan, which was
originally developed to protect Government information.
The agency routinely refuses requests for on-the-record
interviews, but the agency's director of policy, Michael A.
Smith, responded in writing to a reporter's questions.
"N.S.A. states unequivocally there is no trap door built into the
algorithm." he wrote, referring to the mathematical instructions
on which the encoding system is based. "A trap door would be a
vulnerability in the system, and would defeat the purpose of
assuring the system provides U.S. citizens with excellent
security."
In resisting the N.S.A.'s effort to impose a secret standard,
communications and computer-industry executives point out that
various unofficial coding systems are already in use in this
country and abroad, whether for legitimate purposes or to conceal
criminal conspiracies.
Among those criticizing the agency's effort to keep a lid on
encryption is Representative Edward J. Markey, Democrat of
Massachusetts, chairman of the House telecommunications
subcommittee.
What Power Do opponents Have?
"There are many ways the N.S.A. is trying to put the
cryptography genie back in the bottle, but it's already available
for everyone openly," said Mr. Markey, who plans to conduct
further hearings on the agency's role in the new system. The
Clinton Administration plans to hold its own private review in
coming months to study the nation's cryptography policies and
consider public comment.
It is not yet clear whether mounting controversy over the
National Security Agency's role could derail the plan.
The new technology is the result of the Computer Security Act of
1987. It called for creation of a national standard for computer
encryption and assigned the task to the main Federal
standards-setting body, now known as the National Institute for
Standards and Technology.
A 1989 memo by a technical working group from the institute
detailed the goal for an encryption standard that would be open
to public use and scrutiny. "The algorithms that we use must be
public, unclassified implementable in both hardware or software,
usable by Federal agencies and U.S.-based multinational
corporations," the memo reads in part.
The institute turned to the N.S.A. for technical assistance.
"The act says we can draw on N.S.A.," said Raymond Kammer, who
was at the institute at the time and is now deputy director.
"They're the pre-eminent scientists in cryptography in the world.
We asked the agency to design a technology to fit the needs of
the civilian community."
Memos Detail Opposition
But previously classified Government memos, obtained last week
through a Freedom of information filing by Computer Professional
for Social Responsibility, a public-interest group, indicate that
the agency used the process of technical working groups to wear
down opposition by institute scientists who wanted to keep the
standard open to scrutiny.
A January 1990 memo by a National Institute scientist to a
colleague expressed frustration. Referring to his own group by
its acronym, he wrote, "It is increasingly evident that it is
difficult, if not impossible, to reconcile the concerns of
N.S.A., N.I.S.T. and the general public using this approach."
The N.S.A. also largely ignored the public advisory group that
Congress mandated in the 1987 law. That group, composed of
industry and Government computer experts, plans a public hearing
meeting next month to put forth its concerns.
"This all happened within the N.S.A.," said a member of the
advisory group, Stephen Walker, president of Trusted Information
Systems, a computer security company in Glenwood, Md. "Then it
was brought forward as an accomplished fact. This doesn't solve
any of our problems relative to getting good cryptography for the
American people."
The new coding system, if adopted, would first be used for
Government electronic communications. It is then expected to
quickly spread to business and even to household use, as
hardware and software makers incorporate the technology into
their products.
Export Process Is Slow
Various types of encryption systems are in use today, but the
standard approach in the United States is a 15-year-old system
known as the Data Encryption Standard. Based on outdated
technology, this system is not the best available for modern
electronic commerce. And the Government has refused to authorize
export of hardware and software containing it, except on a
time-consuming case-by-case basis.
The Clinton Administration is studying whether to allow the
general export of products based on the new N.S.A.-designed
coding system, although industry executives say they doubt that
foreign buyers, especially foreign Governments, would want to use
codes designed by American spy masters.
When Congress passed the Computer Security Act, it recognized the
need to update privacy laws and wiretapping regulations to modern
digital communication, which, particularly in the case of
cellular phone calls and other emerging forms of over-the-air
technology, can be easily monitored either by those authorized
to do so, or those who are not.
To demonstrate just how easy unauthorized use might be, Mr. Gage,
the Sun Microsystems executive, brought a computer hacker with
him to the recent House hearing.
Punching a special code into a standard cellular phone, the
hacker quickly converted the phone into a scanner capable of
eavesdropping on all the cellular channels being used on or near
Capitol Hill. The intercepted snatches of innocuous conversation
were amplified to the amusement and discomfort of those in the
subcommittee hearing room -- including a woman in the audience
who had her own cellular phone at her side.
"This demonstration," Mr. Gage said, "shows it's not really safe
to talk on the phone."
Paul Ferguson | Uncle Sam wants to read
Network Integrator | your e-mail...
Centreville, Virginia USA | Just say "NO" to the Clipper
fergp(a)sytex.com | Chip...
-------------------------------+------------------------------
I love my country, but I fear it's government.