
Netscape (WSJ) and PRZ (Globe) say the NRC crypto export recommendations don't go far enough.

----------

Wall Street Journal, May 31, 1996, p. B5.

U.S. Strategy Should Promote Computer Codes

Panel Says a Free Market Is Best Policy, Urges Easing of Export Curbs

By John J. Fialka

Washington -- The federal government should promote rather than discourage widespread commercial use of powerful codes that can protect electronic communications, a panel sponsored by the National Research Council recommended.

The government also should relax its export controls on such codes, according to the 16-member panel, which included a mix of business, academic and government experts. The NRC is an affiliate of the National Academy of Sciences, a private, nonprofit organization that advises the government on scientific matters.

Encryption coding software scrambles computer data by using mathematical formulas that can't be read if intercepted. Only personnel with the correct "keys" can access the data.

More Study Needed

The NRC study, which took 18 months to complete, calls for greater trust in free-market demands for protection and less reliance on the U.S. National Security Agency and the Federal Bureau of Investigation to set the nation's code policy. It said the two agencies' recent promotion of "escrowed encryption," in which the government would hold a mathematical key to unlock codes, requires further study because it poses liability risks and introduces weakness into information protection systems.

Kenneth W. Dam, a University of Chicago law professor who headed the panel, said changes are needed to counter "an explosion of computer-based crime" and other forms of espionage that threaten U.S. companies' ability to protect proprietary information, especially overseas.

By promoting the use of more-elaborate codes, U.S.
law-enforcement agencies would be better prepared to ward off hacker or terrorist attacks on the nation's electric power grid, banking and telecommunications systems and its air-traffic control networks, he added.

Potential Problems

Mr. Dam said the widespread use of encryption by private business is "inevitable" and the government must "recognize this changing reality."

The report noted that the FBI has argued for years that its law-enforcement efforts would be hampered if drug cartels and other organized criminals began using codes that couldn't be deciphered. Court-ordered wiretaps, a major tool used to break organized-crime cases, could become useless, the FBI has contended.

Edward Schmults, general counsel for GTE Corp. and a former deputy attorney general during the Reagan administration, said he and other panel members believe the FBI and other law-enforcement agencies would be helped more than hurt if legitimate businesses were better protected. "It's a balancing issue," he said.

Spokesmen for the FBI and NSA referred questions to the White House, where an official said the Clinton administration disagrees with the panel's recommendation to relax export controls and wants to continue to explore the use of escrows by private industry to keep the keys to powerful codes. "We have equities to protect that the people who wrote the NRC report do not," he said.

The administration, he said, still wants to review the export of more powerful codes on a case-by-case basis. The use of private, third-party escrows, he said, might be one way to protect the secrecy of companies while allowing federal agents with court orders access to code keys.

New Markets Would Open

The panel called for the U.S. to permit the export of codes containing a "56-bit" Data Encryption Standard algorithm. The algorithm, or formula, was developed by the National Bureau of Standards in 1975 and is 65,000 times tougher to break than current "40-bit" codes that are permitted for unlicensed exports.
The panel estimated its recommendations would open up new markets for information security products, possibly increasing software-industry revenue "many tens of billions of dollars." Until now, export controls tended to set industry standards for a level of protection because companies were reluctant to use different systems for domestic and international applications.

Jeffrey Treuhaft, director of security at Internet software giant Netscape Communications Corp., welcomed the report, but said exports shouldn't be limited to 56-bit keys. That would still blunt the competitive edge of U.S. software vendors, given that code-cracking computer power is multiplying, he said.

"The U.S. has a lead right now and these arcane policies from the Cold War are giving U.S. industry cement shoes to compete with foreign competitors," Mr. Treuhaft said. "We can't run as fast as they can."

- Jared Sandberg in New York contributed to this article.

[End]

----------

The Boston Globe, May 31, 1996, p. 36

Panel criticizes US government's encryption stand

'Net, cell phone security at stake, National Research Center says

By Hiawatha Bray

The Clinton administration's efforts to limit the sale of software that generates coded messages, already under fire from Congress and civil libertarians, is now facing criticism from a committee of the National Academy of Sciences.

The National Research Center, which gives science and technology advice under a congressional charter, yesterday said the government should promote the commercial use of encryption software to help cut down on the theft of computer data and other electronic communications.

Law enforcement officials and intelligence agencies are worried about the development of cheap encryption programs, for fear it could become impossible to intercept a mobster's telephone call or read an enemy spy's electronic mail messages.
But the center's report says that encryption software is essential for businesses and individuals who need to transmit confidential data using the Internet or cellular telephones. "On balance, the advantages of more widespread use of cryptography outweigh the disadvantages," the report says.

Encrypted messages can easily be read by someone with the correct code "key." Without this key, it can take centuries of computer analysis to decode a message. The longer the key, the tougher it is to break the code.

Under current federal law, US companies cannot export encryption programs that use keys longer than 40 bits. Computer experts say that 40-bit encryption systems are easy to break, and provide little security.

As a result, many software companies that sell their products worldwide do not build in sophisticated encryption features. Industry experts say that this costs them millions of dollars in sales, as customers in foreign countries buy encryption software made outside the United States.

The report urges a change in the federal law, to allow sale of an encryption system called DES that uses 56-bit keys. "Except in some very specialized situations, it gives adequate security," said council chairman Kenneth Dam, a law professor at the University of Chicago.

The report also urges the administration to abandon efforts to force businesses and individuals to use "key escrowed" encryption software. Under this plan, companies could use encryption keys of any length, but only if the keys were held in escrow, and could be made available to the government.

The council urges the federal government to adopt key escrow to prove that the system is trustworthy. The report argues that many businesses will voluntarily adopt such a plan to guard against the loss of its encryption keys.

A prominent critic of encryption policy was less than thrilled by the council report. "It doesn't go far enough," said Philip Zimmermann, inventor of the Pretty Good Privacy encryption program.
Zimmermann scoffed at the idea that DES encryption is secure enough for use by businesses. "It can be broken in seconds by the NSA [National Security Agency]," Zimmermann said. "All major governments can break DES. In fact, any Fortune 500 company can afford a machine that can break DES."

But even if DES were secure enough, Zimmermann said he opposes any restrictions on the export of encryption software.

[End]