From: anonymous-remailer@shell.portal.com
Date: Thu, 2 Nov 1995 08:42:04 +0800
To: cypherpunks@toad.com
Subject: Re: The cost of ITAR
Message-ID: <199511012336.PAA16268@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


> Here's the problem:  Because the US government has outlawed the export of
> industrial-strength encryption, firms seeking to do business abroad find 
> themselves without trustworthy security options once they leave US 
> boundaries.  How can companies in the information and networking 
> business, such as Sun Microsystems, possibly sell a system to Alcatel in 
> France, for example, if the encryption that accompanies it can be broken 
> by a 14-year-old with too much time on his or her hands?  They can't.  So 
> Sun came up with a novel solution: buy Russian.  The Soviets may have 
> sucked at cars and strip malls, but they sure as hell knew their 
> cryptography.  "The Russians can make any kind of encryption you want" 
> says Geoffrey Baehr chief network officer at Sun.  And what can the US 
> government do about a product developed outside its borders?  Nothing.

Actually the US government and US industry generally does not follow any
coherent industrial development policy of which ITAR is but one single
part. There is almost a jingoistic belief in the "free market"  with a
concomitant commitment to a strong American individualism.  While this
may function domestically, it certainly does not function internationally. 

The US continues to cede entire industries through poor economic and trade
policy.  I guess, nothing was learned with Boeing and Airbus. 

ITAR regulations will simply lock-out US companies from foreign markets,
and this combined with "competition" rather than "co-operation" will allow
foreign firms to divide and conquer American firms.  Foreigners generally
don't trust "American" as it is. 

Historically, the US has deliberately sold inferior security products
while making representations that they were in fact secure.  While this
*might* work on unsuspecting civilians, internationally it just doesn't
pass the giggle test, and won't allow a US firm to even make the bid list 
outside their own borders in the not too distant future.

US companies will loose the entire international market, unless they begin
to think globally.  Non-legislated trade lockouts based on Nationalism are
extremely difficult to overcome. 

> In fact, Sun was so taken with Russia's computing talent that the company 
> recently hired the entire team once responsible for the next generation 
> of Soviet supercomputers (and the Russians brought along the plans for 
> the beasts).  Ask Sun chief scientist John Gage if he'd rely on 
> US-approved encryption to send those plans between Moscow and California, 
> and he'll laugh out loud.  "We can't rely on that stuff.  We're talkling 
> trade secrets here!" - John Battelle

While John Gage, may laugh out loud, it is actually a very serious matter.
Trade secrets are not for laughter.  

As an example, what value is access to Pacific Gas's LAN??  Let's suppose
that Pacific Gas could be compromised because of poor security or
encryption -- a compromise which occurs as a result of some user
installing a commercial web-browser which had a well-known "back door", a
browser like the Netscape product. 

What would be the fallout from this??

Maybe (domestically), Pacific Gas customers might not be _happy_ that
PGT's market book was given over to CAPP, and that foreign producers knew
*exactly* what Californian's Natural Gas open interest was in advance on a
real time basis.  And that CAPP, hypothetically, has used and continues to
use that information in trading on Natural Gas markets, which results in
all Californians paying a 30% premium on their utility bills. 

Would this be a laughing matter??  

Who would laugh if natural gas prices were up (as they in fact are) 
25 - 30% at the trading hub AECO-C? 

And while PGT might ignore daisy chaining, and advance the argument that
the hole was at NGX -- rather than at PGT, or maybe that the hole was
because a client of NGX installed a copy of Navigator 1.1 somewhere, how
far would the laughter carry??  Especially the laughter at the keystone
cop finger pointing?? 

Around the world, maybe?

The idea of a foreign group of producers positioning themselves through
high-tech scouting by taking advantage of the shoddy design of a "Made in
America" product so that they could indirectly tax the citizens of
California is _truly_ a laughing matter.  Trivial in fact.

The uproar of a class action suit by all the customers of PGT would be but
a small nuisance within the context of the international fallout.  

Laughter will not be on the lips of US executives when it becomes known
that the security flaw in Navigator 1.1 was "well and widely known" within
the US software, hardware and security industry, and that ALL members 
of kept quiet about and around it. 

There will be little laughter at the catastrophic trade fallout if it is
demonstrable (as it was) that a US multi-billion dollar company knowingly
distributed a program which functions as a virus delivery vehicle, and
that all US industry members decided that their "industrial policy" 
dictated that they would not step forward and speak out. 

There will be very little laughter amongst shareholders and directors 
when they become aware that not only were entire markets sacrificed to 
"keep the secret" but that the entire US economy was put at risk.
 
Good-bye international markets -- not just for the said billion dollar 
company -- but for all members of the industry who domicile in the US.  

> This looks like a striking example of regulatory arbitrage at work, and 
> if it can be confirmed in its details ought to be an extremely powerful 
> anecdote in the hands of those working against GAK and ITAR.
>
> The sucking sound is American jobs heading overseas, 
> the snorting sound is American trade-secrets being sniffed up 
>     by foriegn competitiors, 

Yep, and it's not even a question of someone else causing this.  This is 
US citizens, and US companies having a limited experience and view in 
international trade, and that very inexperience leading to their OWN 
creation of these problems.  Has anyone considered GISA in all of this?
Probably not.

As an example, I contacted AT&T, regarding the Netscape flaw which was
posted to the Internet on Friday the Thirteenth -- the flaw that Netscape
had "no comment" on.  I asked for AT&T commentary, since they were selling
the Netscape product under their own brand.  I also asked for referral to
their Security Officer, rather than their Public Relations people. 

AT&T's response??

    "...I am not sure that our security officers are up to it.  Often 
    AT&T just repackages an external product, without opening it or 
    understanding it.  My guess is that the corporation is likely to 
    simply trust the netscape folks unless an actual hole can be  
    demonstrated."

And with that, there's 'nuff said ...

> Maybe the FBI's responsibility for US counter-intelligence is meant as a 
> double-entendre?

I guess getting shot by friendly fire does sound better than saying that
you're shooting yourself in the foot.  Don't it?? 



Alice de 'nonymous ...

                                  ...just another one of those...


P.S.  This post is in the public domain.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.