Newsweek on Crypto

Newsweek, June 10, 1996, pp. 49-55.

Scared Bitless

The arcane world of cryptography used to be the exclusive realm of spies. Now it's everybody's business -- to the chagrin of the government.

By Steven Levy

[Photo] Loosen up: Sen. Conrad Burns says the United States should ease the export rules on crypto software

On the face of it, the issue of cryptography -- the technology that employs secret codes to protect information -- seems more suited to math class than "The McLaughlin Group." Yet this once esoteric subject has wound up in the center of a Beltway controversy, complete with congressional infighting, lobbyists, entrenched government agencies, blue-ribbon reports and even a bit of presidential politics. This sudden spotlight on what was previously the domain of deep-black spy stuff turns out to be a good thing, because in the Information Age crypto policy is more than an abstraction: it could provide the difference between security and vulnerability, or even between life and death. Unfortunately, choosing the right policy is not a given, and there the controversy lies.

Here's the problem: we're increasingly entrusting information to computers -- everything from confidential medical records to business plans to money itself. But how can we provide security so that these data will be protected from eavesdroppers, thieves and saboteurs? The answer hinges on cryptography. By scrambling the information into digital codes, it allows only those entrusted with the keys to decipher those files to see them.

Some hot-shot cryptographers have developed systems that can provide all of us with unprecedented security, automatically coding and decoding in such a way that we won't have to know it's there. (We can even have our phone calls encoded -- something Prince Charles might have appreciated.) Silicon Valley would love to set such a system in motion. It not only would generate revenues, but would also address the main problem that's keeping the Internet from fulfilling its potential as a center of commerce: security.

Problem solved? Not quite. Law-enforcement and national-security agencies view this prospect with dread. Legal eavesdroppers, like FBI wiretappers and National Security Agency snoopers, couldn't make sense of intercepted transmissions. They warn that we could miss indications of a terrorist act, like a nuke smuggled into Manhattan. In addition, drug dealers, child pornographers and garden-variety thugs could mask their activities with a mere mouse click.

Even before the Clinton administration took office, the NSA and FBI presented those nightmare scenarios to the transition team. The Clintonites were scared bitless. They vowed to make sure that the worst didn't happen. They understood that cryptography should be put to general use -- but only if it were altered in such a way that the government could, if necessary, get access to secret messages, using a new technology known as "key escrow." The best-known of those schemes was the ill-fated Clipper Chip, and subsequent systems haven't caught on. (Yet another was presented two weeks ago.) Until then they would maintain the strict export controls that treat crypto software as powerful munitions. That's right -- Uncle Sam regards that copy of Netscape you downloaded as sort of a Stinger missile.

But now the government position of slowing down the flow of crypto is under increasing attack. Software companies complain that regulations cost them money and hold down innovation. Privacy groups complain that the controls reek of Orwell's "1984." Congress is demanding changes. Bob Dole wants to make it an issue. And on Thursday came what Sen. Conrad Burns, a Montana Republican, called "the nail in the coffin" of the Clinton crypto policy: a report by the National Research Council that clearly rebukes the administration's position. Despite the Clinton-Gore attempt to protect us against the abuse of cryptography, says the Congress-commissioned report, our safety is at risk -- because the lack of cryptography has weakened our security.

Under particular attack are the regulations that limit the strength of exported software like IBM's Lotus Notes, mostly by mandating that the keys that encode and decipher the information not exceed 40 bits (the longer the key, the stronger the protection). Often, domestic users have to settle for this crippled crypto: since software companies are loath to release two versions of their products, they simply choose to offer the weaker, approved-for-export version. Meanwhile, foreign companies have no such restrictions, and U.S. companies maintain they are losing sales.

Congress has taken up their case; bills introduced by Sen. Patrick Leahy, Rep. Bob Goodlatte and Burns all would relax the export rules. "These bills are pro-privacy, pro-jobs and pro-business," says Leahy. While prospects for passage are slim, the fact that a sizable number of legislators are defying intelligence and law-enforcement agencies is itself significant.

Crypto policy is even finding its way into the presidential campaign. On a visit to Silicon Valley, Bob Dole was alerted to the problem by Netscape CEO Jim Barksdale. He also saw a chance to chip away at Clinton's support in the high-tech world. Dole not only cosponsored the Senate bills but issued a neo-cypherpunk statement charging that "the administration's big brother proposal will literally destroy America's computer industry."

The NRC report, entitled "Cryptography's Role in Securing the Information Society," stands as the most serious challenge to current policy. It is drenched in credibility: its 16 authors include former attorney general Benjamin Civiletti, onetime NSA deputy director Ann Caracristi, privacy expert Willis Ware and cryptographer Martin Hellman. The panel was briefed by all sides of the issue, including some classified sessions with government officials. Despite the group's diversity, it reached consensus: "Widespread commercial and private use of cryptography is inevitable in the long run and ... its advantages, on balance, outweigh its disadvantages."

The NRC made some specific recommendations. The government should stop building a system around the unproven Clipper-style technology. The export regulations should be relaxed, specifically permitting free export of the well-tested Data Encryption Standard, which uses a 56-bit key. (While some argue for even bigger keys, this is a significant jump. The increase in key size alone means that theoretically it will be more than 65,000 times harder to crack a code.) Perhaps the strongest rebuke came with the rejection of the "if you only knew" defense. The committee concluded that informed decisions on crypto could be made without access to classified material.

If the NRC advice was followed, would criminals hide nefarious activities behind a digital wall of gibberish? Quite possibly, admits the committee -- but without action to promote crypto, we are increasingly dependent on a computer-controlled world with insufficient protection. "We're encouraging a world that supports greater confidentiality -- but we think it's worth the risk," says panelist Ray Ozzie, creator of IBM's Lotus Notes. The committee cited security breaches like the recent raid on Citicorp by Russian hackers, and warned that without crypto, we are more vulnerable to "information warfare" threats -- endangering operations like the air-traffic-control system.

The government's response? "We do care about the security of information, but we need to do it in a way that does not diminish law enforcement," says an administration official. "People writing academic reports can take chances. But when you are the policeman, you have to err on the side of protecting people."

The question is, which approach provides the most protection? The NRC report undercuts the government's position at a time when many were already beginning to question it. On May 21, 11 senators sat down in a bugproof room for a classified briefing, presumably designed to make them rethink their proposals. But, said Leahy, "no one seemed to change their mind." Looks like they've cracked the code.

[Two photos] 'Pro-privacy, pro-jobs, pro-business': Sen. Patrick Leahy (right) and Lotus Notes creator Ray Ozzie think strong codes will make a stronger economy

_________________________________________________________

[Box] Sending Messages In Private

Cryptography makes it possible to turn intelligible words into a hodgepodge of letters, numbers and symbols, keeping them out of the hands of cybersnoops.

[Illustration: computer > key > encrypted message > key > computer.]

To send a private message through a network, a cryptography program is used to "lock" the message -- making it unreadable to anyone who intercepts it. The program generates a secret, digital key when it scrambles the message. The receiver then uses the key to translate the message back into plain text.

_________________________________________________________

[End]

Thanks to SL and Newsweek.