New York Times Thursday, May 6, 1993 Page D1, Business Day Big Brother and the Computer Age By John Markoff Can the nation trust its secrets to its spies? That question underpins a fierce debate over a recently disclosed plan by the Clinton Administration to secure the privacy of the nation's phone calls and computer data with a standard set of computer codes. The system was designed by scientists from the United States' most secretive intelligence organization, the National Security Agency. And newly disclosed memorandums, obtained under a legally enforceable request under the Freedom of Information Act, show that the agency waged a long and ultimately successful campaign within the Government to insure that the technical details of such a system would remain secret. The inner workings of the system would be in tamper-proof computer chips that could not be opened without being destroyed. That means that citizens and businesses could use the encoding technique to protect the privacy of their wireless phone calls or the transmissions of corporate computer files, but that independent computer experts would have no way to assure that the system was secure enough to keep savvy computer hackers from unscrambling messages. Nor, some computer experts say, can anyone be certain that the National Security Agency has not built in a "trap door" that could allow unauthorized Government eavesdropping. "This plan creates the ears of Big Brother, just as Orwell warned," said Eric Hughes, an independent software designer in Berkeley, Calif. Over the years, the N.S.A. has been the Government's communications policeman, with the job of protecting the sensitive telephone and computer networks used by the military, the State Department and other Federal agencies. It also operates a world-wide electronic-surveillance system, monitoring foreign communications in the name of national security. But the recently announced encoding plan would give the agency an unprecedented role in domestic civilian corporate communications. "The N.S.A. is split between the need to provide security and the fear that if information about cryptography gets out, it won't be able to perform its other job, which is intercepting and resolving codes." said David Kahn, author of "The Codebreakers," a history of the science of encryption. "It's an unresolvable problem." The Clinton Administration inherited the new project from the Bush Administration, and has embraced it. The goal is a national voice- and data-security standard intended to provide privacy for Government, civilian and corporate users of telephone and computer communications, while also assuring that law enforcement agencies can continue to eavesdrop on or wiretap voice and data conversations after obtaining warrants. For authorized wiretapping, the law enforcement agency must obtain special code keys held in escrow by two independent organizations. What computer experts fear is a secret trap door that would not require use of these legally obtained keys. Custodian of Security The agency has a long history of resisting industry efforts to develop such technology on the ground that any codes not breakable by the N.S.A. might compromise national security. But people like John Gage, director of the science office at Sun Microsystems in Mountain View, Calif., the maker of high-powered computer work stations, are uncomfortable with that line of reasoning. "These decisions can't be left solely to the gods of encryption, the N.S.A.," Mr. Gage said. "We need privacy for the world of business." He testified last week at a hearing by the House Commerce subcommittee on telecommunications and finance, which is studying computer encryption and the National Security Agency's role in it. Concerns about the agency's influence on civilian communications have been raised before. Last year, for instance, a number of cellular-telephone executives said that an industry standards committee had been pressed by N.S.A. officials to weaken the security of a coding scheme that cellular phone makers are planning to build into the next generation of phones. Although the agency denied the assertion, computer researchers who analyzed the industry committee's cellular coding scheme say that it would be simple to subvert by anyone with computer- programming skills. Written Response With the new plan, N.S.A. officials insist that they have no motive to undermine the security of the coding plan, which was originally developed to protect Government information. The agency routinely refuses requests for on-the-record interviews, but the agency's director of policy, Michael A. Smith, responded in writing to a reporter's questions. "N.S.A. states unequivocally there is no trap door built into the algorithm." he wrote, referring to the mathematical instructions on which the encoding system is based. "A trap door would be a vulnerability in the system, and would defeat the purpose of assuring the system provides U.S. citizens with excellent security." In resisting the N.S.A.'s effort to impose a secret standard, communications and computer-industry executives point out that various unofficial coding systems are already in use in this country and abroad, whether for legitimate purposes or to conceal criminal conspiracies. Among those criticizing the agency's effort to keep a lid on encryption is Representative Edward J. Markey, Democrat of Massachusetts, chairman of the House telecommunications subcommittee. What Power Do opponents Have? "There are many ways the N.S.A. is trying to put the cryptography genie back in the bottle, but it's already available for everyone openly," said Mr. Markey, who plans to conduct further hearings on the agency's role in the new system. The Clinton Administration plans to hold its own private review in coming months to study the nation's cryptography policies and consider public comment. It is not yet clear whether mounting controversy over the National Security Agency's role could derail the plan. The new technology is the result of the Computer Security Act of 1987. It called for creation of a national standard for computer encryption and assigned the task to the main Federal standards-setting body, now known as the National Institute for Standards and Technology. A 1989 memo by a technical working group from the institute detailed the goal for an encryption standard that would be open to public use and scrutiny. "The algorithms that we use must be public, unclassified implementable in both hardware or software, usable by Federal agencies and U.S.-based multinational corporations," the memo reads in part. The institute turned to the N.S.A. for technical assistance. "The act says we can draw on N.S.A.," said Raymond Kammer, who was at the institute at the time and is now deputy director. "They're the pre-eminent scientists in cryptography in the world. We asked the agency to design a technology to fit the needs of the civilian community." Memos Detail Opposition But previously classified Government memos, obtained last week through a Freedom of information filing by Computer Professional for Social Responsibility, a public-interest group, indicate that the agency used the process of technical working groups to wear down opposition by institute scientists who wanted to keep the standard open to scrutiny. A January 1990 memo by a National Institute scientist to a colleague expressed frustration. Referring to his own group by its acronym, he wrote, "It is increasingly evident that it is difficult, if not impossible, to reconcile the concerns of N.S.A., N.I.S.T. and the general public using this approach." The N.S.A. also largely ignored the public advisory group that Congress mandated in the 1987 law. That group, composed of industry and Government computer experts, plans a public hearing meeting next month to put forth its concerns. "This all happened within the N.S.A.," said a member of the advisory group, Stephen Walker, president of Trusted Information Systems, a computer security company in Glenwood, Md. "Then it was brought forward as an accomplished fact. This doesn't solve any of our problems relative to getting good cryptography for the American people." The new coding system, if adopted, would first be used for Government electronic communications. It is then expected to quickly spread to business and even to household use, as hardware and software makers incorporate the technology into their products. Export Process Is Slow Various types of encryption systems are in use today, but the standard approach in the United States is a 15-year-old system known as the Data Encryption Standard. Based on outdated technology, this system is not the best available for modern electronic commerce. And the Government has refused to authorize export of hardware and software containing it, except on a time-consuming case-by-case basis. The Clinton Administration is studying whether to allow the general export of products based on the new N.S.A.-designed coding system, although industry executives say they doubt that foreign buyers, especially foreign Governments, would want to use codes designed by American spy masters. When Congress passed the Computer Security Act, it recognized the need to update privacy laws and wiretapping regulations to modern digital communication, which, particularly in the case of cellular phone calls and other emerging forms of over-the-air technology, can be easily monitored either by those authorized to do so, or those who are not. To demonstrate just how easy unauthorized use might be, Mr. Gage, the Sun Microsystems executive, brought a computer hacker with him to the recent House hearing. Punching a special code into a standard cellular phone, the hacker quickly converted the phone into a scanner capable of eavesdropping on all the cellular channels being used on or near Capitol Hill. The intercepted snatches of innocuous conversation were amplified to the amusement and discomfort of those in the subcommittee hearing room -- including a woman in the audience who had her own cellular phone at her side. "This demonstration," Mr. Gage said, "shows it's not really safe to talk on the phone." Paul Ferguson | Uncle Sam wants to read Network Integrator | your e-mail... Centreville, Virginia USA | Just say "NO" to the Clipper fergp@sytex.com | Chip... -------------------------------+------------------------------ I love my country, but I fear it's government.