Clipper update

[Arthur Abraham]

From: _Electronic Engeering Times_ 22-nov-93


U.S. weights Clipper chip alternatives

by GEorge Leopold

Washington -- The clinton administration is readying a new encryption
policy that could help defuse industry opposion to introduction of the 
government developed Clipper chip by embracing commercial technologies as 
alterntives for netword security, according to government and industry
sources.

A National Security Council panel lead by George Tenet, psecial presidential
assistant for intelligence programs, is completing a broad review of 
government encryption policy with an eye toward empolying the Clipper chip,
as well as commercial alternatives, to ensure privacy and security on 
public networks.  Those would include the proposed electronic superhighway,
or National Information Infrastructure (NII).

Tenet could not be reached for comment on the review's status, but a 
U.S. official said last week the results of the seven-month National 
Security Council policy review will be announced soon.

The Clipper chip, backed by the National Security Agency and proposed by 
the Clinton administration in April as a new data-encryption standard, is 
widely viewed by industry critics as a fait accompli, since the spy agency
wants to use it to protect intelligence data.

Asked in an interview last Monday whether the policy review would result in
modification of the Clipper chip proposal, Micheal Nelson, special assistant
for information technology in the White House Office of Science and Technology
Policy, acknowledged the need to consider other encryption technologies for
network security, including software solutions.  He also said the government
should have sought greater industry participation before proposing the 
Clipper chip.

"Clipper is not a sliver bullet, it's not even a brass bullet," Nelson
said, "It's only one approach."

He added, "If we don't address these [network security] issues, people
won't use the NII."

Nelson said last week the National Security Council review was designed 
to bring industry and Congress into the process of looking for commercial
solutions, besides Clipper, to the network-security issue.  Industry groups
said last week they have contributed to the review, which began shortly
after Clipper was proposed.  The review is expected to result in a decision
on how to implement Clipper.

A decision on how to proceed with the Clipper proposal was scheduled for 
Sept. 1 but was delay in response to a recommendation from a private-sector
advisory group to the Commerce Department.

Clipper, which scrambles telephone conversatinos using an encryption 
algorithm called Skipjack, is at the heart of an adminstration initiative
annoumced in April on secure telecom networks and wireless communication
links.  Forced to balance the interests of campanies and private citizens with 
nation-security needs, President Clinton ordered a comprehensive review of
U.S. encruytion policy addressing:

* Privacy, including the need for voice and data encryption to protect
proprietary business data.

* The ability of federal law-enforcement officials to tap phones and 
computers.

* The employment of modern technology to build the NII, including encryption
technology needed to protect proprietary information transmitted over the 
information superhighway.

* The need for American companies to build and export high-technology 
products to boost U.S. competitiveness.  U.S. companies may offer encryption
as a feature in software sold in the United States, but are prohibited from
including encryption software in commercial software exports.  Proponents 
of decontrolling encrypted software argue that restrictions are useless 
because encryption technology is widely available (see Oct. 18, page 18).

Acknowledging industry's concerns, the initiative also includes creation
of a key-escrow system to ensure the Cliper chip would be used to protect
privacy. (A Commerce Department official said last week the government 
has dropped the Clipper moniker, referring to it instead as the "key-
escrow chip," out of convern for possible trademark infringement.)

Devices incorporation the chip would have two unique software keys government
investigators would need to decode encoded messages.  TWo key-escrow data
banks would be overseen by a pair of independent agencies designated by the
Justice Department and the White House.  A decision on which agencies will
oversee the detabases has not been made, Commerce spokeswoman Anne Enright 
Shepherd said last Wednesday.

According ot a White House statement announcing the encryption policy, "We
need the Clipper chip and other approaches that can both provide law-abiding
citizens with access to the encryption they need and prevent criminals from
using it to hide their illegal activities."

Despite the administration's insistence that Clipper and the rest of the 
encryption policy are voluntary efforts, many U.S. high-tech companies
have opposed it (see June 21, page 28).  Instead, they want policy makers
to retain the ubiquitous federal Data Encryption Standard (DES) and use 
other public-key encryption technologies, such as RC-2 and RC-4.  DES
uses a 56-bit key while Clipper employs an 80-bit key.

Clipper "was forced upon [the Clinton adminstration] before they had a 
chance to evaluate its impact," Bruce Heiman, a Washington attorney 
representing the Business Software Alliance, said last Tuesday.  "NSA
sold them a bill of goods."

The policy review means "they realize that Clipper has problems... but they
don't want to rule it out entirely," Heiman said, adding that industry
would accpet Clipper as one alternative to network security only if it 
is part of a truly voluntary program that includes public-key encryption.