From: jya@pipeline.com (John Young)
Date: Wed, 6 Mar 96 07:24:01 PST
To: cypherpunks@toad.com
Subject: FT on Crypto Cloud
Message-ID: <199603061523.KAA27263@pipe3.nyc.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   Financial Times, March 6, 1996, IT Section, p. V. 
 
 
   Network Security: Operating under a cloud of uncertainty 
 
      Companies face a complex web of technical, legal and 
      moral questions 
 
 
   The IT security threat has long been depicted in terms of 
   wild-eyed hackers hunched over terminals late into the 
   night. But while there is real cause for concern about 
   criminal activity over computer networks, large 
   corporations are very worried about another threat to their 
   use of electronic communications. 
 
   Meanwhile, government restrictions on the use of data 
   encryption codes in various countries are limiting the 
   ability of commercial organisations to protect themselves. 
 
   Cryptography is at the heart of this dilemma. Governments 
   all over the world rely on specialist intelligence units to 
   break down data transmissions from other nations and 
   individuals while encrypting their own messages. 
 
   The US National Security Agency and the UK's Government 
   Communications HQ are the best-known of these agencies. 
 
   The NSA is notorious for obsessive secrecy. Meanwhile, in 
   the UK, the GCHQ has lifted its traditional reticence in 
   recent years to offer advice to British companies concerned 
   with data security. 
 
   Mr Roger James, chairman of Cheshire-based communications 
   software specialist Boldon James, has worked with GCHQ to 
   define data standards for UK government departments. Mr 
   James plays down the cloak-and-dagger imagine of GCHQ, but 
   instead he describes his contact with its staff as 
   "horribly technical". He also portrays the Cheltenham 
   code-breakers as "very down-to-earth people". 
 
   There are two ways of looking at security, he says "one is 
   the practical approach, which means accepting that perfect 
   security is impossible to obtain. The other is the Ivory 
   Tower approach, which involves dreaming of a world in which 
   security is absolute. There are a lot of 'practicalists' in 
   GCHQ". 
 
   Mr James, whose clients include the Britannia Building 
   Society and the German Navy, is active in the European 
   Electronic Messaging Association. He is concerned at the 
   lack of a co-ordinated European policy on encryption. And 
   he fears that effective security measures could become 
   illegal with the advent of future legislation curbing the 
   availability of encryption software. 
 
   It is illegal at the moment to use strong cryptography 
   techniques in France without first depositing the key to 
   unlocking your codes with the French government. UK 
   companies developing sophisticated security programs find 
   their software classified as munitions and subject to tight 
   export restrictions, even within the EC. 
 
   In the US, the author of strong encryption program, called 
   'Pretty Good Privacy', found himself facing a Grand Jury 
   and possible charges of exporting prohibited technology. 
   The NSA has proposed that all personal computers made in 
   the US contain the Clipper Chip. This security feature 
   would give easy access to any data communications, however 
   the user chose to encode it. The proposal is currently 
   stalled, having met with ferocious opposition. 
 
   Both suppliers of information technology and industry at 
   large need to clear a path through this international maze. 
   The legal structure surrounding the use of encryption 
   technology is of particular concern to anyone working in 
   electronic commerce. 
 
   "The Clipper Chip debate raised a fundamental moral issue," 
   says Mr James. "Software technology means that strong 
   encryption, previously available only to the military, can 
   now be obtained by the public. If governments then find 
   messages hard to break, it leads immediately to a conflict 
   of interest." 
 
   One company that has confronted this apparent conflict of 
   interest between state and commerce, with its attendant 
   uncertainty, is the Anglo-Dutch oil giant, Shell. Mr Nick 
   Mansfield, a Shell technical consultant specialising in 
   information security, says the company is enthusiastic 
   about the potential for eliminating paperwork across its 
   sprawling global operations -- "we are committed to 
   electronic trading," he says. "We have a vast 
   electronic-mail network. But there is still a section of 
   our business where we have to use paper". 
 
   Contract agreements are at issue here. Until security can 
   be absolutely guaranteed, bilateral agreements must be seen 
   to be tamper-proofed. Shell is about to deploy technology 
   to secure personal computers and PC servers across the 
   world. This e-mail security system will cost around L1m in 
   software purchasing plus L100,000 a year to run. It will 
   have 4,000 users. 
 
   Far from escalating costs, Mr Mansfield explains that 
   expenses are falling as security improves. Shell used to 
   run a secure telex network that cost L4m in technology and 
   required L200,000 a year to support 120 sites. This was 
   superseded by a secure fax network costing L1m in systems, 
   plus L100,000 in annual maintenance for 200 sites. The 
   latest system will expand secure messaging beyond the fax 
   network's remit. 
 
   But setting up this security system involved Shell in a 
   long and involved process. Its chosen security software is 
   subject to close scrutiny by the UK authorities, who worked 
   with Shell to customise the program before it could be 
   released for use overseas. 
 
   While Mr Mansfield is pleased that Shell's security system 
   is so strong, it required an export licence and he echoes 
   the concerns of EEMA's Mr James -- "it's a cart and horse 
   situation. Until governments agree on policy and relax some 
   restrictions, industry won't be encouraged to development 
   extreme standards of encryption". 
 
   There needs to be a broad European debate on this issue. 
   Until this complex web of technical, legal and moral 
   questions are resolved, secure commercial data networks 
   will be operating under a cloud of uncertainty. 
 
   Michael Dempsey 
 
   [End] 
 
   Note: Shell's Nick Mansfield was a speaker at the OECD 
   cryptography conference in Paris in December. 
 
   This issue of FT includes a 22-page special section on 
   Information Technology.