FT on Crypto Cloud
Financial Times, March 6, 1996, IT Section, p. V.

Network Security: Operating under a cloud of uncertainty

Companies face a complex web of technical, legal and moral questions

The IT security threat has long been depicted in terms of wild-eyed hackers hunched over terminals late into the night. But while there is real cause for concern about criminal activity over computer networks, large corporations are very worried about another threat to their use of electronic communications. Meanwhile, government restrictions on the use of data encryption codes in various countries are limiting the ability of commercial organisations to protect themselves.

Cryptography is at the heart of this dilemma. Governments all over the world rely on specialist intelligence units to break down data transmissions from other nations and individuals while encrypting their own messages. The US National Security Agency and the UK's Government Communications HQ are the best-known of these agencies. The NSA is notorious for obsessive secrecy. Meanwhile, in the UK, the GCHQ has lifted its traditional reticence in recent years to offer advice to British companies concerned with data security.

Mr Roger James, chairman of Cheshire-based communications software specialist Boldon James, has worked with GCHQ to define data standards for UK government departments. Mr James plays down the cloak-and-dagger image of GCHQ, and instead describes his contact with its staff as "horribly technical". He also portrays the Cheltenham code-breakers as "very down-to-earth people". There are two ways of looking at security, he says: "One is the practical approach, which means accepting that perfect security is impossible to obtain. The other is the Ivory Tower approach, which involves dreaming of a world in which security is absolute. There are a lot of 'practicalists' in GCHQ."

Mr James, whose clients include the Britannia Building Society and the German Navy, is active in the European Electronic Messaging Association. He is concerned at the lack of a co-ordinated European policy on encryption. And he fears that effective security measures could become illegal with the advent of future legislation curbing the availability of encryption software.

It is illegal at the moment to use strong cryptography techniques in France without first depositing the key to unlocking your codes with the French government. UK companies developing sophisticated security programs find their software classified as munitions and subject to tight export restrictions, even within the EC. In the US, the author of a strong encryption program, called 'Pretty Good Privacy', found himself facing a Grand Jury and possible charges of exporting prohibited technology.

The NSA has proposed that all personal computers made in the US contain the Clipper Chip. This security feature would give easy access to any data communications, however the user chose to encode it. The proposal is currently stalled, having met with ferocious opposition.

Both suppliers of information technology and industry at large need to clear a path through this international maze. The legal structure surrounding the use of encryption technology is of particular concern to anyone working in electronic commerce.

"The Clipper Chip debate raised a fundamental moral issue," says Mr James. "Software technology means that strong encryption, previously available only to the military, can now be obtained by the public. If governments then find messages hard to break, it leads immediately to a conflict of interest."

One company that has confronted this apparent conflict of interest between state and commerce, with its attendant uncertainty, is the Anglo-Dutch oil giant, Shell.

Mr Nick Mansfield, a Shell technical consultant specialising in information security, says the company is enthusiastic about the potential for eliminating paperwork across its sprawling global operations -- "we are committed to electronic trading," he says. "We have a vast electronic-mail network. But there is still a section of our business where we have to use paper". Contract agreements are at issue here. Until security can be absolutely guaranteed, bilateral agreements must be seen to be tamper-proofed.

Shell is about to deploy technology to secure personal computers and PC servers across the world. This e-mail security system will cost around L1m in software purchasing plus L100,000 a year to run. It will have 4,000 users.

Far from escalating costs, Mr Mansfield explains that expenses are falling as security improves. Shell used to run a secure telex network that cost L4m in technology and required L200,000 a year to support 120 sites. This was superseded by a secure fax network costing L1m in systems, plus L100,000 in annual maintenance for 200 sites. The latest system will expand secure messaging beyond the fax network's remit.

But setting up this security system involved Shell in a long and involved process. Its chosen security software is subject to close scrutiny by the UK authorities, who worked with Shell to customise the program before it could be released for use overseas.

While Mr Mansfield is pleased that Shell's security system is so strong, it required an export licence and he echoes the concerns of EEMA's Mr James -- "it's a cart and horse situation. Until governments agree on policy and relax some restrictions, industry won't be encouraged to develop extreme standards of encryption".

There needs to be a broad European debate on this issue. Until this complex web of technical, legal and moral questions is resolved, secure commercial data networks will be operating under a cloud of uncertainty.

Michael Dempsey

[End]

Note: Shell's Nick Mansfield was a speaker at the OECD cryptography conference in Paris in December. This issue of FT includes a 22-page special section on Information Technology.