Here is what I told Markey's telecommunications committee last Wednesday about the business impact of key escrot. What follows has been corrected for a major error for which I apologize to CPSR. I had carelessly cited EFF as the extractor of some documents under FOIA. It also makes some minor corrections; the changes are shown at the end. Whit TESTIMONY BEFORE THE HOUSE SUBCOMMITTEE ON TELECOMMUNICATIONS AND FINANCE 9 June 1993 The Impact of Regulating Cryptography on the Computer and Communications Industries Whitfield Diffie Distinguished Engineer Sun Microsystems, Inc. I'd like to begin by expressing my thanks to Chairman Markey, the other members of the committee, and the committee staff for giving us the opportunity to appear before the committee and express our views. We stand at a moment in history when an amazing coincidence of developments in technology and world politics is showing us opportunities in both business and personal life that no one could have anticipated. These developments rest on two closely related cornerstones: communication and internationalism. Business today is characterized by an unprecedented freedom and volume of travel by both people and goods. It is an era of rapid inexpensive transportation coupled with declining trade barriers. All this movement is made possible, however, by the reality of instant telecommunication between places thousands of miles apart, conveying voices, images, and data wherever they are needed. Ease of communication, both physical and electronic, has ushered in an era of international markets and multinational corporations. No country is large enough that its industries can concentrate on the domestic market to the exclusion of all others. When foreign sales rival or exceed domestic ones, the structure of the corporation follows suit with new divisions placed in proximity to markets, materials, or labor. The result is a world in which much of the population enjoys a standard of material wealth and freedom of action previously unknown. It is also a world in which no company, community, or country can afford not to compete in the global market. Security of communication and computing is essential to this telecommunication driven environment. The communication system must ensure that orders for goods and services are genuine, guarantee that payments are credited to the proper accounts, and protect the privacy of business plans and personal information. In the past, these diverse assurances have been provided by an ad hoc patchwork that has evolved slowly over the century and a half since the invention of the telegraph, but two factors are now making that patchwork obsolete. The first is the rise in importance of intellectual property. Much of what is now bought and sold is information that varies from computer programs to surveys of customer buying habits. Information security has become an end in itself rather than just a means for insuring the security of people and property. The second is the universal demand for mobility in communications. Traveling corporate computer users sit down at workstations they have never seen before and expect the same environment that is on the desks in their offices. They carry cellular telephones and communicate constantly by radio. They haul out portable PCs and dial their home computers from locations around the globe. With each such action they expose their information to threats of eavesdropping and falsification barely known a decade ago. It is the lack of security for these increasingly common activities that we encounter when we hear that most cellular telephone calls in major metropolitan areas are overheard or even recorded by eavesdroppers with scanners; that a new computer virus is destroying data on the disks of PCs; or that industrial spies have broken into a database half a world away. In this troubling scenario, however, there is a large ray of hope. Most of the technology to provide the needed protection is already available in the form of contemporary cryptography and its allied disciplines. Some of it has existed for nearly fifty years; some dates from the last five. It isn't in widespread use, but it does exist. Why then are proper security measures not incorporated in every cell phone, laptop, and workstation? Part of the answer is economic. Collecting intelligence by spying on information is so hard to detect that most users are unaware that they are suffering from it and unwilling to pay to protect themselves. Another lies in a unique problem of implementing security standards: security mechanisms are designed to block access to everyone who does not conform exactly to their demands. This makes them very unforgiving of that flexibility at the margins that makes much of standardization possible. Compounding these internal difficulties is one that is entirely external: a regulatory structure that goes back to the cold war and does not recognize the realities of the present situation. In the United States, export control has been the major barrier. Companies are deterred from building proper security mechanisms into their products because to do so will limit their exports and subject them to tedious administrative procedures required to comply with the law. The alternatives are to support two versions of each product, one for domestic use and one for export or to dilute the security measures in all products to a level whose export the government permits. At Sun Microsystems, approximately half our customers are outside the United States. Were we to build a workstation and an operating system embodying the best security we know how to provide and the security that we believe is needed, we would not be permitted to export them. This would present us with insuperable problems in maintaining distinct but somehow compatible domestic and foreign product lines. Not least of the consequences is that we are unable to provide security features that elements of the U.S. Government would like in the systems they buy, because that market does not come close to making up for the one we would have to forgo. I believe we are typical of computer companies in these respects. Digital Equipment after having made some outstanding contributions to network security, appears to have abandoned its lead in the field. Export issues were cited when it discontinued development of an operating system designed to achieve an National Computer Security Center A1 rating some five years back and I suspect they may have played a role in its larger retreat from security as well. We have also suffered from the government's failure to take the lead in championing security standards, both domestic and international. The first proposed federal standard in the area of public key cryptography has appeared only after such techniques had been employed for more than a decade and does not conform to the conventional practice that has evolved both in the U.S. and abroad. Some have even suggested that the government has actively worked to block standardization citing the United States failure to vote for its own national cryptographic standard (DES) in the International Standards Organization and material on the working relationship between NIST and NSA recently released to the Computer Professionals for Social Responsibility under the Freedom of Information Act. Now we are faced with the greatest challenge to our ability to secure the personal and business communications of the modern world that we have yet encountered. The administration proposes to adopt as a federal standard a system that is not only secret, but incorporates provisions for the government secretly to decode any person's communications when it deems this necessary for law enforcement or national security purposes. The effect is very much like that of the little keyhole in the back of the combination locks used on the lockers of school children. The children open the locks with the combinations, which is supposed to keep the other children out, but the teachers can always look in the lockers by using the key. The stated objective is to require the use of equipment based on these new `key escrow' chips for certain communications within the government and between the government and business. If they are successful in their objective, the latter provision could force the inclusion of these chips in all devices used, for example, to communicate with the government about contracts or taxes. What would be the effect of such broad inclusion? We have been assured by NIST that the finished chips, once their key escrow provisions have been programmed, will be available without restriction for incorporation in any piece of domestic equipment, but it is hard to see how either the security or wiretap objectives could be achieved if this were the case. It appears more likely that key escrow chips will be available only to companies that agree to employ them in approved ways. Probably this will be done by using existing regulatory machinery (called the Type II Commercial COMSEC Endorsement Program) that requires the manufacturers to submit their designs to NSA for approval. Were this to happen, the nation's computer manufacturers would be trapped in a regulatory web more confining than any we have seen so far. If we at Sun were required by customers' needs to communicate with the government to put the key escrow chip on the mother board of our machine and by regulations to have the board design approved, the government would have effective control of our development cycle. One of the requirements that would likely be imposed in these circumstances would be that we not offer any other security mechanisms that could be used to defeat the escrow provisions. This would mean we could not even maintain compatibility with our existing product line. It seems especially unlikely that customer acceptance of a chip explicitly designed to provide only partial security could ever be achieved other than by the coercive force of regulations. Nor does it seem likely that a system to which the U.S. held the keys would ever be accepted by more than a handful of other countries. They do not need it to achieve security, because an understanding of cryptography is now global and developing rapidly. Faced with a choice between secret U.S. technology known to embody a compromise and foreign systems of published function that at least claim not to, customer response seems hardly in doubt. The result may give the government a devastating choice: accept the import of foreign technology, losing both market share and the new law enforcement capability or forbid the import of foreign cryptographic systems altogether. In the latter case, the U.S., currently a leader in computers and software, seems likely to become a backwater, cut off from one of the most profitable segments of the global economy. Another problem presented by the key escrow technology is cost. No matter how essential it may be, security is still difficult to sell and extremely price sensitive. To require that cryptography not merely be isolated in hardware (by and large a good security practice) but that that hardware be a tamper resistant chip entirely dedicated to one security function will push the prices of many products and features beyond the reach of their potential markets. Cryptography can perfectly safely be embodied in microcode, implemented in cells incorporated in multi-function chips, or programmed on dedicated, but standard, microcontrollers at a tiny fraction of the tens of dollars per chip that Clipper is predicted to cost. The effect of giving the government and one or a small number of companies a monopoly control over an essential technology is also troubling to contemplate. The present key escrow chips operate in the megabit range. Can companies depend on NSA to have hundred megabit or gigabit chips available just when they are needed or might U.S. companies miss critical market windows while they wait for delivery of parts over which they have no control? Will there come a time, as occurred with DES, when NSA wants the standard changed even though industry still finds it adequate for many applications? If that occurs will industry have any recourse but to do what it is told? And if this happens who will pay for the conversion? Last month, before another committee of Congress, I discussed at some length the impact that the key escrow proposal could have on personal freedom, concluding that if it is adopted, we will take a big step toward a world in which the right of private conversation belongs only to those rich enough to travel to face to face meetings. Rather than repeat those arguments, I have attached my earlier testimony as an appendix and focus here on a few essential points. It is clear that the costs of key escrow will be monumental whether measured in dollars spent for computers, squandered business opportunities, or lost liberties. Even if these costs are accepted, there remain two questions: can the law enforcement function be achieved, and is it even necessary? In a world in which cryptographic expertise is widespread and cryptography is readily implemented on small processors, rules seem no more likely to keep security out of the hands of criminals than export controls guarantee it will not be available to hostile nations. This, however, may not matter. Despite the concern of law enforcement that advancing technology will reduce the effectiveness of wiretaps, that technology has been at least as much a blessing to the police as a curse. Even ignoring the contribution of police communication systems and databases, modern telephone switches make wiretaps more effective by supplying caller ID in real time under many circumstances. In a world in which conspiracies were conducted via conference calls on secure phones, criminals could never be sure that one of the participants was not an informer recording everything in high fidelity without the risk of being caught wearing a body wire. Corrections to First Version Given to Congress line 89 unaware of that ==> unaware that line 137 Electronic Frontiers Foundation ==> Computer Professionals for Social Responsibility line 181 design cycle ==> development cycle line 213 implemented in dedicated ==> programmed on dedicated