From: jya@pipeline.com (John Young)
Date: Tue, 4 Jun 1996 02:23:50 +0800
To: cypherpunks@toad.com
Subject: Newsweek on Crypto
Message-ID: <199606031301.NAA29204@pipe2.t1.usa.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   Newsweek, June 10, 1996, pp. 49-55. 
 
 
   Scared Bitless 
 
      The arcane world of cryptography used to be the 
      exclusive realm of spies. Now it's everybody's business 
      -- to the chagrin of the government. 
 
   By Steven Levy 
 
      [Photo] Loosen up: Sen. Conrad Burns says the United 
      States should ease the export rules on crypto software 
 
 
   On the face of it, the issue of cryptography -- the 
   technology that employs secret codes to protect information 
   -- seems more suited to math class than "The McLaughlin 
   Group." Yet this once esoteric subject has wound up in the 
   center of a Beltway controversy, complete with 
   congressional infighting, lobbyists, entrenched government 
   agencies, blue-ribbon reports and even a bit of 
   presidential politics. This sudden spotlight on what was 
   previously the domain of deep-black spy stuff turns out to 
   be a good thing, because in the Information Age crypto 
   policy is more than an abstraction: it could provide the 
   difference between security and vulnerability, or even 
   between life and death. Unfortunately, choosing the right 
   policy is not a given, and there the controversy lies. 
 
   Here's the problem: we're increasingly entrusting 
   information to computers -- everything from confidential 
   medical records to business plans to money itself. But how 
   can we provide security so that these data will be 
   protected from eavesdroppers, thieves and saboteurs? The 
   answer hinges on cryptography. By scrambling the 
   information into digital codes, it allows only those 
   entrusted with the keys to decipher those files to see 
   them. Some hot-shot cryptographers have developed systems 
   that can provide all of us with unprecedented security, 
   automatically coding and decoding in such a way that we 
   won't have to know it's there. (We can even have our phone 
   calls encoded something Prince Charles might have 
   appreciated.) Silicon Valley would love to set such a 
   system in motion. It not only would generate revenues, but 
   would also address the main problem that's keeping the 
   Internet from fulfilling its potential as a center of 
   commerce: security. 
 
   Problem solved? Not quite. Law-enforcement and 
   national-security agencies view this prospect with dread. 
   Legal eavesdroppers, like FBI wiretappers and National 
   Security Agency snoopers, couldn't make sense of 
   intercepted transmissions. They warn that we could miss 
   indications of a terrorist act, like a nuke smuggled into 
   Manhattan. In addition, drug dealers, child pornographers 
   and garden-variety thugs could mask their activities with 
   a mere mouse click. 
 
   Even before the Clinton administration took office, the NSA 
   and FBI presented those nightmare scenarios to the 
   transition team. The Clintonites were scared bitless. They 
   vowed to make sure that the worst didn't happen. They 
   understood that cryptography should be put to general use 
   -- but only if it were altered in such a way that the 
   government could, if necessary, get access to secret 
   messages, using a new technology known as "key escrow." The 
   best-known of those schemes was the ill-fated Clipper Chip, 
   and subsequent systems haven't caught on. (Yet another was 
   presented two weeks ago.) Until then they would maintain 
   the strict export controls that treat crypto software as 
   powerful munitions. That's right -- Uncle Sam regards that 
   copy of Netscape you downloaded as sort of a Stinger 
   missile. 
 
   But now the government position of slowing down the flow of 
   crypto is under increasing attack. Software companies 
   complain that regulations cost them money and hold down 
   innovation. Privacy groups complain that the controls reek 
   of Orwell's "1984." Congress is demanding changes. Bob Dole 
   wants to make it an issue. And on Thursday came what Sen. 
   Conrad Burns, a Montana Republican, called "the nail in the 
   coffin" of the Clinton crypto policy: a report by the 
   National Research Council that clearly rebukes the 
   administration's position. Despite the Clinton-Gore attempt 
   to protect us against the abuse of cryptography, says the 
   Congress-commissioned report, our safety is at risk -- 
   because the lack of cryptography has weakened our security. 
 
   Under particular attack are the regulations that limit the 
   strength of exported software like IBM's Lotus Notes, 
   mostly by mandating that the keys that encode and decipher 
   the information not exceed 40 bits (the longer the key, the 
   stronger the protection). Often, domestic users have to 
   settle for this crippled crypto: since software companies 
   are loath to release two versions of their products, they 
   simply choose to offer the weaker, approved-for-export 
   version. 
 
   Meanwhile, foreign companies have no such restrictions, and 
   U.S. companies maintain they are losing sales. Congress has 
   taken up their case; bills introduced by Sen. Patrick 
   Leahy, Rep. Bob Goodlatte and Burns all would relax the 
   export rules. "These bills are pro-privacy, pro-jobs and 
   pro-business," says Leahy. While prospects for passage are 
   slim, the fact that a sizable number of legislators are 
   defying intelligence and law-enforcement agencies is itself 
   significant. 
 
   Crypto policy is even finding its way into the presidential 
   campaign. On a visit to Silicon Valley, Bob Dole was 
   alerted to the problem by Netscape CEO Jim Barksdale. He 
   also saw a chance to chip away at Clinton's support in the 
   high-tech world. Dole not only cosponsored the Senate bills 
   but issued a neo-cypherpunk statement charging that "the 
   administration's big brother proposal will literally 
   destroy America's computer industry." 
 
   The NRC report, entitled "Cryptography's Role in Securing 
   the Information Society," stands as the most serious 
   challenge to current policy. It is drenched in credibility: 
   its 16 authors include former attorney general Benjamin 
   Civiletti, onetime NSA deputy director Ann Caracristi, 
   privacy expert Willis Ware and cryptographer Martin 
   Hellman. The panel was briefed by all sides of the issue, 
   including some classified sessions with government 
   officials. Despite the group's diversity, it reached 
   consensus: "Widespread commercial and private use of 
   cryptography is inevitable in the long run and ... its 
   advantages, on balance, outweigh its disadvantages." 
 
   The NRC made some specific recommendations. The government 
   should stop building a system around the umproven 
   Clipper-style technology. The export regulations should be 
   relaxed, specifically permitting free export of the 
   well-tested Data Encryption Standard, which uses a 56-bit 
   key. (While some argue for even bigger keys, this is a 
   significant jump. The increase in key size alone means that 
   theoretically it will be more than 65,000 times harder to 
   crack a code.) Perhaps the strongest rebuke came with the 
   rejection of the "if you only knew" defense. The committee 
   concluded that informed decisions on crypto could be made 
   without access to classified material. 
 
   If the NRC advice was followed, would criminals hide 
   nefarious activities behind a digital wall of gibberish? 
   Quite possibly, admits the committee -- but without action 
   to promote crypto, we are increasingly dependent on a 
   computer-controlled world with insufficient protection. 
   "We're encouraging a world that supports greater 
   confidentiality -- but we think it's worth the risk," says 
   panelist Ray Ozzie, creator of IBM's Lotus Notes. The 
   committee cited security breaches like the recent raid on 
   Citicorp by Russian hackers, and warned that without 
   crypto, we are more vulnerable to "information warfare" 
   threats -- endangering operations like the 
   air-traffic-control system. 
 
   The government's response? "We do care about the security 
   of information, but we need to do it in a way that does not 
   diminish law enforcement," says an administration official. 
   "People writing academic reports can take chances. But when 
   you are the policeman, you have to err on the side of 
   protecting people." 
 
   The question is, which approach provides the most 
   protection? The NRC report undercuts the government's 
   position at a time when many were already beginning to 
   question it. On May 21, 11 senators sat down in a bugproof 
   room for a classified briefing, presumably designed to make 
   them rethink their proposals. But, said Leahy, "no one 
   seemed to change their mind." Looks like they've cracked 
   the code. 
 
   [Two photos] 'Pro-privacy, pro-jobs, pro-business': Sen. 
   Patrick Leahy (right) and Lotus Notes creator Ray Ozzie 
   think strong codes will make a stronger economy 
 
   _________________________________________________________ 
   [Box] 
 
   Sending Messages In Private 
 
   Cryptography makes it possible to turn intelligible words 
   into a hodgepodge of letters, numbers and symbols, keeping 
   them out of the hands of cybersnoops. 
 
   [Illustration: computer  > key > encrypted message > key > 
   computer.] 
 
   To send a private message through a network, a cryptography 
   program is used to "lock" the message -- making it 
   unreadable to anyone who intercepts it. 
 
   The program generates a secret, digital key when it 
   scrambles the message. The receiver then uses the key to 
   translate the message back into plain text. 
 
   _________________________________________________________ 
 
   [End] 
 
   Thanks to SL and Newsweek.