Levy, Steven. Scared bitless: the arcane world of cryptography used to
     be the exclusive realm of spies. Now it's everybody's business -
     to the chagrin of the government. In Newsweek June 10 1996,
     v127, n24, p49(3).


The arcane world of cryptography used to be the exclusive realm of spies.
Now it's everybody's business--to the chagrin of the government.
                                                                      
ON THE FACE OF IT, THE ISSUE of cryptography--the technology that     
employs secret codes to protect information--seems more suited to     
math class than "The McLaughlin Group." Yet this once esoteric        
subject has wound up in the center of a Beltway controversy, complete 
with congressional infighting, lobbyists, entrenched government       
agencies, blue-ribbon reports and even a bit of presidential          
politics. This sudden spotlight on what was previously the domain of  
deep-black spy stuff turns out to be a good thing, because in the     
Information Age crypto policy is more than an abstraction: it could   
provide the difference between security and vulnerability, or even    
between life and death. Unfortunately, choosing the right policy is   
not a given the controversy lies.                                     
                                                                      
Here's the problem: we're increasingly entrusting information to      
computers--everything from confidential medical records to business   
plans to money itself. But how can we provide security so that these  
data will be protected from eavesdroppers, thieves and saboteurs? The 
answer hinges on cryptography. By scrambling the information into     
digital codes, it allows only those entrusted with the keys to        
decipher those files to see them. Some hot-shot cryptographers have   
developed systems that can provide all of us with unprecedented       
security, automatically coding and decoding in such a way that we     
won't have to know it's there. (We can even have our phone calls      
encoded, something Prince Charles might have appreciated.) Silicon    
Valley would love to set such a system in motion. It not only would   
generate revenues, but would also address the main problem that's     
keeping the Internet from fulfilling its potential as a center of     
commerce: security.                                                   
                                                                      
Problem solved? Not quite. Law-enforcement and national-security      
agencies view this prospect with dread. Legal eavesdroppers, like FBI 
wiretappers and National Security Agency snoopers, couldn't make      
sense of intercepted transmissions. They warn that we could miss      
indications of a terrorist act, like a nuke smuggled into Manhattan.  
In addition, drug dealers, child pornographers and garden-variety     
thugs could mask their activities with a mere mouse click.            
                                                                      
Even before the Clinton administration took office, the NSA and FBI   
presented those nightmare scenarios to the transition team. The       
Clintonites were scared bitless. They vowed to make sure that the     
worst didn't happen. They understood that cryptography should be put
to general use--but only if it were altered in such a way that the    
government could, if necessary, get access to secret messages, using  
a new technology known as "key escrow." The best-known of those       
schemes was the ill-fated Clipper Chip, and subsequent systems        
haven't caught on. (Yet another was presented two weeks ago.) Until   
then they would maintain the strict export controls that treat crypto 
software as powerful munitions. That's right--Uncle Sam regards that  
copy of Netscape you downloaded as sort of a Stinger missile.         
                                                                      
But now the government position of slowing down the flow of crypto is 
under increasing attack. Software companies complain that regulations 
cost them money and hold down innovation. Privacy groups complain     
that the controls reek of Orwell's "1984." Congress is demanding      
changes. Bob Dole wants to make it an issue. And on Thursday came     
what Sen. Conrad Burns, a Montana Republican, called "the nail in the 
coffin" of the Clinton crypto policy: a report by the National        
Research Council that clearly rebukes the administration's position.  
Despite the Clinton-Gore attempt to protect us against the abuse of   
cryptography, says the Congress-commissioned report, our safety is at 
risk--because the lack of cryptography has weakened our security.     
Under particular attack are the regulations that limit the strength   
of exported software like IBM's Lotus Notes, mostly by mandating that 
the keys that encode and decipher the information not exceed 40 bits  
(the longer the key, the stronger the protection). Often, domestic    
users have to settle for this crippled crypto: since software         
companies are loath to release two versions of their products, they   
simply choose to offer the weaker, approved-for-export version.       
                                                                      
Meanwhile, foreign companies have no such restrictions, and U.S.      
companies maintain they are losing sales. Congress has taken up their 
case; bills introduced by Sen. Patrick Leahy, Rep. Bob Goodlatte and  
Burns all would relax the export rules. "These bills are pro-privacy, 
pro-jobs and pro-business," says Leahy. While prospects for passage   
are slim, the fact that a sizable number of legislators are defying   
intelligence and law-enforcement agencies is itself significant.      
                                                                      
Crypto policy is even finding its way into the presidential campaign. 
On a visit to Silicon Valley, Bob Dole was alerted to the problem by  
Netscape CEO Jim Barksdale. He also saw a chance to chip away at      
Clinton's support in the high-tech world. Dole not only cosponsored   
the Senate bills but issued a neo-cypherpunk statement charging that  
"the administration's big brother proposal will literally destroy     
America's computer industry."                                         
                                                                      
The NRC report, entitled "Cryptography's Role in Securing the         
Information Society," stands as the most serious challenge to current 
policy. It is drenched in credibility: its 16 authors include former  
attorney general Benjamin Civiletti, onetime NSA deputy director Ann  
Caracristi, privacy expert Willis Ware and cryptographer Martin       
Hellman. The panel was briefed by all sides of the issue, including   
some classified sessions with government officials. Despite the       
group's diversity, it reached consensus: "Widespread commercial and   
private use of cryptography is inevitable in the long run and ... its 
advantages, on balance, outweigh its disadvantages."                  
                                                                      
The NRC made some specific recommendations. The government should     
stop building a system around the unproven Clipper-style technology.  
The export regulations should be relaxed, specifically permitting     
free export of the well-tested Data Encryption Standard, which uses a 
56-bit key. (While some argue for even bigger keys, this is a         
significant jump. The increase in key size alone means that           
theoretically it will be more than 65,000 times harder to crack a     
code.) Perhaps the strongest rebuke came with the rejection of the    
"if you only knew" defense. The committee concluded that informed     
decisions on crypto could be made without access to classified        
material.                                                             
                                                                      
If the NRC advice was followed, would criminals hide nefarious        
activities behind a digital wall of gibberish? Quite possibly, admits 
the committee--but without action to promote crypto, we are           
increasingly dependent on a computer-controlled world with            
insufficient protection. "We're encouraging a world that supports     
greater confidentiality--but we think it's worth the risk," says      
panelist Ray Ozzie, creator of IBM's Lotus Notes. The committee cited 
security breaches like the recent raid on Citicorp by Russian         
hackers, and warned that without crypto, we are more vulnerable to    
"information warfare" threats--endangering operations like the        
air-traffic-control system.                                           
                                                                      
The government's response? "We do care about the security of          
information, but we need to do it in a way that does not diminish law 
enforcement," says an administration official. "People writing        
academic reports can take chances. But when you are the policeman,    
you have to err on the side of protecting people."

The question is, which approach provides the most protection? The NRC 
report undercuts the government's position at a time when many were   
already beginning to question it. On May 21, 11 senators sat down in  
a bugproof room for a classified briefing, presumably designed to     
make them rethink their proposals. But, said Leahy, "no one seemed to 
change their mind." Looks like they've cracked the code.              
                                                                      
COPYRIGHT Newsweek Inc. 1996