Computer Reseller News, 8-05-96, p. 51

Channel feels pinch of export limitations -- VARs Hit Encryption Roadblock

By Charlotte Dunlap & Deborah Gage

Could 40 bits of code cost you that multimillion-dollar bid?

Andrew Sheppard, president of Branford, Conn.-based Espion Inc., just returned from a frustrating business trip to Europe, where he said he lost a number of accounts with financial institutions because he could not deliver software with more than 40 bits of encryption key length.

Sheppard, who recently tried to sell his encryption wares to clients in Europe, said he lost business to competitors offering stronger encryption.

"There is a real demand for this type of product, and yet I find myself thwarted at every single opportunity by this stupid law, which everyone realizes is unnecessary," Sheppard said.

Sheppard said potential clients that turned him down during his recent trip included Banco Santander, a Madrid-based bank; the London office of Credit Suisse; Logica Systems of London; and the financial reporting arm of Reuters' news service in London.

As the trend toward networking-sensitive information grows, woes tied to encryption export limitations are spreading to the VAR community. The dilemma of shipping overseas anything other than light versions of security software is starting to sabotage the efforts of Internet resellers.

Because 40 bits of code is considered to be breakable by an elementary hacker, major corporations with data to protect are reluctant to trust U.S. technology. So, U.S. resellers are being turned away while multinational corporations turn to foreign technologies.

The debate between business and the U.S. government about export limitations is getting increasingly heated with the growth of the Internet. The Pro-Code Bill, which aims to relax export restrictions, has just been introduced, and prominent Silicon Valley executives are trekking to Washington regularly to argue the case.

Jim Bidzos, president and chief executive of encryption market leader RSA Data Security Inc., Redwood City, Calif., has spent a lot of time in Washington.

"The big picture in terms of what's happening is all of our communications and document storage is moving from paper and filing cabinets to the Internet and disk drives. We need crypto technology in order to protect this," he said.

But resellers are getting discouraged and do not see a quick resolution with lawmakers. Meanwhile, they are losing business at a staggering rate.

Norm Yamaguchi, director of sales for RSA master reseller Secure Distribution Inc., said he could have tripled the size of his million-dollar company this year if it were not for U.S. export laws dictating a maximum 40-bit key encryption length to his clients' international offices.

"To say this law is causing me problems is a massive understatement," Yamaguchi said.

The reseller currently is in talks with Price Waterhouse to get them to standardize on Oakland, Calif.-based Secure Distribution's security products, but will likely lose the contract because of the 40-bit key length limitation.

Resellers' fear of losing business to foreign players is not paranoia, either. The Business Software Alliance has identified 500 encryption products that can be purchased in foreign countries. Information about the stronger foreign technology can be obtained easily through the Internet.

"The laws are punishing U.S. companies, and we're losing business to foreign countries because they can offer the same thing. The law is not holding back the flow of encryption, it is just holding back U.S. companies from making money," he added, calling it a "lose-lose situation."

Reseller Al Hill, vice president of engineering for Successful Systems Solutions, Rancho Cordova, Calif., has to surrender part of his solutions services in order to keep his foreign clients.

"We ship units to England, Hong Kong and Singapore, and we have to downgrade the software [to 40 bits] on all of them. They were rather upset but smart enough to realize they could upgrade the security themselves," he said, adding that he has lost business because he could not complete projects himself.

"We have to make sure the APIs in the software are available so people overseas can tie them into their [security] applications," he said.

Similarly, Dave Johnson, senior account manager of Precision Computers Inc., Portland, Ore., said he lost an account with a multinational company with offices in France because "it became too troublesome for them to implement U.S. products because of the legal problems."

Uncle Sam's View

U.S. companies and civil libertarians have been battling the government since 1991, when the proposal of the Clipper Chip first surfaced. At that time, the government proposed splitting the encryption keys and holding a portion of them in escrow, giving law enforcement officials with court orders a back door through which to conduct electronic surveillance.

To date, the U.S. government has budged little from its original idea. The Clipper Chip idea was squelched, but the government refuses to concede that strong encryption is not a munition because it believes national security is at stake.

In recent weeks, Vice President Al Gore proposed a compromise: The government would extend the types of software that could be exported, perhaps to include healthcare or insurance instead of just finance, and allow long keys if countries where the United States has government-to-government agreements could hold keys in escrow.

A 24-member technical advisory committee is expected to produce a blueprint for establishing the Federal Key Management Infrastructure in September.

The Vendor's View

Software executives remain disgruntled with the government's progress.

"Do we really want government-to-government agreements?"
asked Eric Schmidt, Sun Microsystems Inc.'s Chief Technology Officer. "The U.S. has protections that other countries don't. France, for example, is noted for industrial espionage."

Microsoft Corp. Senior Vice President Craig Mundie said an escrow system would create an expensive bureaucracy, adding: "This should really be described as a key-leasing system. This will create a huge new business in extracting keys from the public. If you want to make sure that your key is not compromised by law enforcement officials, you're going to need insurance. There will be a whole service industry around keys."

Vendors also argue that the government's reasoning is not legitimate.

"The current controls do not keep encryption out of the hands of the criminals. They keep it out of the hands of individuals and corporations," said Sybase Inc. Director of Data and Communications Security Development Thomas Parenty.

Sun, Microsoft and other companies would like complete deregulation of encryption. Three bills that would lift government restrictions and prohibit mandatory key escrow are working their way through Congress, although none are likely to pass this year.

NEXT WEEK: Measuring the level of difficulty in cracking code.

[End]

Thanks to LG.