Breaking the Code on the Encryption Debate: National Security Interests Are Being Jeopardized
(Washington, D.C.): With relatively
little fanfare, a truly momentous public
policy debate is taking place in
Washington. Unfortunately, all other
things being equal, it seems likely that
the outcome of this debate concerning the
domestic use, foreign export and
international regulation of encryption
techniques will do grievous harm to the
national security interests of the United
States.
‘You Can’t Tell the Players…’
Such an extraordinary, and ominous,
result is in prospect due to several
factors:
- By its very nature, encryption —
a generic name for numerous means
of encoding computer, voice or
other transmissions of data so as
to conceal the contents from
unauthorized access — is one of
the most complex and obscure of
sciences. Given its direct
relevance for the protection of
classified U.S. government
information and for the
penetration of foreign
governments and other entities’
secure communications, the U.S.
National Security Agency (NSA)
has jealously tried to shield
from public view as much as
possible about the technology and
techniques involved in encryption
and code-breaking.
- The necessary secretiveness
associated with what NSA does and
how the spread of encryption
systems might affect the American
ability to perform signals
intelligence (SIGINT) by
intercepting and monitoring
foreign communications enormously
complicates this debate.
- Robust encryption at home
contributes to national security
as well as protecting American
industry, critical information
networks and citizens’ privacy. But
a national information
infrastructure also needs
selective transparency on call to
support users’ needs to get at
their encrypted data.
- U.S. law enforcement
agencies in carrying out criminal
investigations also need to be
able to access voice
communications, data records and
data transmissions consistent
with constitutional protections. The
loss of this investigative
technique, which is subject to
strict judicial scrutiny, would
be disastrous for law
enforcement.
- Widespread use of unbreakable
encryption is exactly what
terrorists, drug lords,
pedophiles and their ilk want to
see. But law enforcement needs a
controlled window into this
encryption as part of its
responsibility to detect, prevent
or prosecute criminal behavior. Experience
with court-ordered wiretaps
suggests that, by requiring
judicial approval of such
electronic monitoring, this
function critical to the rule of
law and a civil society can be
performed without risk of serious
abuse.
- Due to advances in information
techniques, the know-how
and means for providing
sophisticated encryption
capabilities have proliferated
dramatically in recent years.
With the burgeoning use of the
Internet and other electronic
devices for conducting business,
the demand for means to keep
voice communications, data
records and data transfers
private has also grown
tremendously.
- U.S. manufacturers of computer
software and hardware — many
of whom have been key supporters
of and enjoy great influence with
President Clinton and his
Administration — are demanding
an opportunity to meet this
demand with encryption products
that will be exceedingly robust,
if not impenetrable. They
typically point not only to the
trade benefits such sales would
represent but to the prospect
that foreign manufacturers of
encryption technologies will
gladly supply products not
available from American sources.
Similar arguments have proven
effective in obtaining
Administration support for the
wholesale elimination of export
controls on powerful computers —
even supercomputers.
- President Clinton has already
issued an Executive Order
substantially liberalizing the
export of powerful encryption
capabilities. Under its terms,
encryption programs involving up
to 40-bit keys (in layman’s
terms, the number of variables
used in combination to conceal a
given piece of encrypted message
traffic, one of several factors
determining the robustness of an
encryption program) can be
exported without a license. The
Executive Order also permits
programs of any strength
to be exported provided they have
a “key recovery”
capability (i.e., a code-breaking
spare key has been created) —
even if that key resides with the
purchaser of such encryption.
- Civil libertarians —
including some conservatives with
well-deserved reputations for
concern about U.S. national
security — have taken the
position that techniques which
impede or preclude government
monitoring of electronic
transmissions are highly
desirable. Their
enthusiasm for the most
widespread proliferation of
encryption techniques, both
domestically and internationally,
provides tremendous political
cover for others with more
suspect motivations.
- Counter-culture opponents
of U.S. government power,
including some holding high
office in the Clinton
Administration, appear untroubled
by the diminution of American
capabilities to perform signals
intelligence — historically an
area of decisive and
strategically vital advantage for
the United States.(1)
Evidently, they are no more
concerned by the other side of
this coin: Thanks to the
Clinton-approved transfer of
American supercomputers and other
powerful data processing systems,
foreign governments are likely to
have much enhanced capabilities
to perform their own
code-breaking operations, further
reducing U.S. dominance in the
field.
The Legislative Context
Against this backdrop, several bills
have been introduced reflecting two basic
approaches. The first, sponsored by
Senators Conrad Burns (R-MT) and Patrick
Leahy (D-VT) in the Senate and by Rep.
Robert Goodlatte (R-VA) in the House,
would essentially eliminate controls on
the export of encryption. This
legislation is favored by the computer
software and hardware industries and a
number of civil libertarians. Senate
Majority Leader Trent Lott has thrown his
support behind the Burns-Leahy bill.
A bill recently introduced by Senator
John McCain, chairman of the Senate
Commerce Committee, presents an
alternative approach. It attempts to
“split the difference,”
addressing domestic law enforcement
concerns by way of creating incentives
for U.S. manufacturers to participate in
a key management infrastructure (i.e.,
establishing means whereby federal
agencies, with appropriate court orders,
can obtain the ability to read encrypted
communications). While the incentives to
do so are significant, the companies
would be under no requirement to take
part in this arrangement.
As a sop to the encryption industry,
however, the McCain legislation
would make several concessions that could
be injurious to the national security.
First, it would raise the threshold for
unlicensed exports from 40 bits to 56
bits. This represents a dramatic increase
in the power of encryption programs that
will find their way into the hands of
hostile powers, international terrorists
and other foreign criminal elements —
and will add dramatically to the time and
computing power required by U.S.
intelligence to monitor their activities.
Second, the McCain legislation calls
for the creation of an
industry-government advisory board tasked
to consider and jointly develop
recommendations concerning future
standards for encryption exports. Such an
arrangement would put those responsive to
multinational stockholders on an
essentially equal footing with
government agencies responsible for the
national security. In addition, the bill
would mandate foreign-availability
assessments — a pretext frequently used
by industry to argue for even the most
irresponsible transfers of U.S.
technology.(2)
Parsing Out the Issues
There are, in fact, three
separate issues involved in
the present encryption debate — issues
that have, to some extent, been
commingled by the Clinton Administration,
it appears, in an effort to obscure what
is at stake for a vital national security
capability.
1. Domestic Policy
Encryption products are the future for
the privacy and security of
communications and information. Americans
have a right to be secure in the
knowledge that their private
communications and information remain
private, and that they can conduct
electronic commercial transactions
reasonably safe from fraud or compromise.
Security embedded in consumer goods (as
well as in information systems) needs to
become a common part of how business
works in this country. There is
today no restriction on the use of
encryption within the United States.
Americans may import any encryption
devices and software into the U.S. There
are, however, restrictions on the export
of U.S. encryption items.
Unfortunately,
encryption in the hands of domestic
criminals can be a menace to American
business and society, enabling them to
hide illicit records and transactions. For
law enforcement today, encrypted
communications mean no electronic
surveillance. Court-ordered
wiretaps may be unenforceable. Because of
the importance of court-ordered
electronic surveillance to law
enforcement, law enforcement agencies
across the country believe the impact of
widely proliferating encryption will be
disastrous for them, unless they have a
means of lawfully and promptly decrypting
communications and information of
criminal suspects.
Accordingly, the United States
requires common standards for accessing
encrypted data and communications (known
as “key recovery”).
Importantly, such standards
are required not only by law enforcement
but in order to support commercial needs
(for example, companies need to be able
to get at their electronic records if the
person who encrypted them dies or turns
into a vindictive disgruntled employee).
Consumers also have a vested interest in
ensuring that standards exist whereby
they can be assured that encryption will
be reliable and easily interoperable
(e.g., to manage interfaces between
various network systems). A
domestic public key recovery
infrastructure is the answer to these
requirements.
A public key recovery infrastructure
is, however, particularly essential for
law enforcement. Increasingly, criminals
are utilizing techniques to encode their
phone calls, concealing their computer
transmissions and keeping their records
locked up in encrypted computer disks or
drives, rather than in file cabinets.
Subject to the limits of U.S.
constitutional guarantees, law
enforcement needs to be able to continue
to do its job in the information age.
Law enforcement does not need more
intrusive authorities or abilities than
it has now; it needs merely to be
able to continue to make use
of the same investigative techniques
presently available with respect to
wiretaps.
Alternatively, if the government does
nothing but passively watch as encryption
proliferates with no standards to guide
it, law enforcement will lose
critical investigative capabilities.
In all likelihood, it will be forced to
turn to more intrusive techniques
(microphones in the room or car rather
than taps on telephones), measures that
are more invasive of privacy and which
put more police officers’ lives at risk.
Criminals (drug dealers, kidnappers,
thieves) will enjoy safe havens they do
not presently have, and more good
citizens will find themselves victims of
unsolved crimes.
Regrettably, the Clinton
Administration has been unwilling to
stand up and say, here is what needs to
be done — perhaps out of a fear of
alienating a key constituency, the
computer industry. The
Administration clearly appreciates the
need to support law enforcement (law and
order is, after all, good politics). But
when asked, its spokesmen say they are
afraid their endorsement of a domestic
policy would prejudice its chances of
enactment, citing their experience with
the public relations disaster of an
earlier encryption management initiative
known as the “Clipper Chip.”
The truth is that there is no one better
positioned than President Clinton to
provide leadership, given his well known
ties to the hardware and software
industries.
2. Export Controls
In some respects, the Clinton
Administration’s policy has been worse
than doing nothing: It has tied the
domestic encryption issue to liberalizing
export controls on encryption techniques,
ostensibly in the hopes of buying the
support of the producers of encryption
products for greater cooperation with
regard to domestic key management
arrangements. This
is most regrettable since export
controls are the single most important
tool the United States has for protecting
sensitive national security interests in
this arena.
The unavoidable
reality is that U.S. national security is
heavily dependent on being able to
collect intelligence by listening in on
what its adversaries — actual and
potential — are up to. This intelligence
saves lives, wins wars, and preserves the
peace. And in an era of
information warfare, having superior
information systems may be determinative
of military power.
This reality was reflected until last
year by treating encryption technologies
as part of the State Department’s
Munitions Control List. President
Clinton’s Executive Order, however, moved
export controls on such technology over
to the much less rigorous Commerce
Department. It also further adulterated
the export controls regime by directing
that: 40-bit encryption programs may be
exported without a license; 56-bit
encryption programs may be exported
without a license provided the exporter
is working on a public key recovery
technology base; and any product that is
part of a public key recovery system may
be exported without a license.
American products should enjoy the
lion’s share of the market (U.S. software
has 75% of the global market today), but U.S.
exporters of highly capable
“crypto” — 40-bit and above —
should be required to get a license to
minimize the likelihood that their
products will fall into the wrong hands.
Any further weakening of export controls
would have a deeply debilitating impact
on national security. With all
of the focus on the domestic encryption
regime, and with no advocacy from the
Executive Branch, national security
interests are not being represented —
and are losing out.
3. International Dimension
To make matters worse, the Clinton
Administration — under the
“leadership” of a controversial
former Carter Administration official, David
Aaron, who has been designated
as its “Ambassador for
Encryption” — has come up with a
curious and dangerous gimmick:
It proposes to
“multilateralize” yet another
area of sovereign U.S. policy concern(3)
by getting OECD nations to take the lead
in an area it is reluctant to champion
domestically, namely in implementing
national key recovery regimes.
As in other issues — ranging from
environmental regulation to family
planning — the Administration appears to
hope that the creation of common
international practice and standards will
provide a basis for imposing arrangements
domestically that would otherwise be
highly controversial, and perhaps
politically costly. Not surprisingly, the
Administration has come under some
criticism from allies for the hypocrisy
of trying to make them go first with
respect to developing key recovery
infrastructures even as it declines to
step up to the issue at home.
But this is worse than simple
hypocrisy. It is flatly
inconsistent with American values for
U.S. officials to argue that foreign
governments — many of which do not
recognize the basic individual rights of
their citizens — should have unfettered
access to their private communications.
Few of these governments actually observe
the strict limitations on electronic
surveillance which pertain in the United
States. It is one thing for the U.S. to
have a domestic key recovery regime which
is subject to the rigorous and proper
constraints of its Constitution and
system of justice. It is quite another to
say that, as a foreign policy objective
of this country, Washington wants to guarantee
the ability of foreign governments to spy
on their own citizens, or (worse) on
Americans who may communicate with those
foreign citizens or travel within those
countries.
The Bottom Line
The Clinton Administration
appears once again to have gotten the
answers exactly wrong. Their
efforts have confused the debate and
helped to divide the ranks of those who
generally are concerned with national
security — even as they are jeopardizing
vital national security interests,
evidently out of a desire to avoid
antagonizing major political donors.
Domestic policy, export controls, and
international accords concerning
encryption are different concerns, each
in need of understanding and debate on
the merits. And the vital American
national security requirement for
electronic intelligence abroad must be
supported. On an even more fundamental
level, those who traditionally are
sensitive to national security concerns
must not allow differing perceptions of
domestic law enforcement to translate
into legislation that may not only
endanger the defense of the United States
but undermine its rule of law
domestically. A lawless society is no
defender of American liberties.
The undeniable fact is that U.S.
national security is dependent upon our
ability to collect intelligence in
peacetime on foreign threats,
from terrorist groups to the
proliferation of “weapons of mass
destruction” to the status of
thousands of nuclear-tipped missiles in
potentially unfriendly hands. Likewise,
success in foreign matters (from trade to
diplomacy to support for friends and
allies) requires intelligence to identify
opportunities for U.S. officials to
act in defense of our values and
interests around the world.
The U.S. ability to gather SIGINT
therefore is not something about which
responsible Americans can afford to be
ambivalent. This is a vital national
security priority. And it is, to be sure,
one that must take precedence over the
commercial advantages of selling U.S.
software abroad.
– 30 –
1. During both
World War II and the half century of the
Cold War, SIGINT was far and away the
most important type of intelligence the
U.S. gathered. Without the ability to
collect and read enemy codes and ciphers,
the U.S. might well have lost the Second
World War. Without SIGINT, the Cold War
might have ended far differently and
might well have turned into a hot war at
critical junctures; certainly, the U.S.
would have been almost blind to many of
the Soviet Union’s malevolent activities.
2. It is unclear
on what basis other industries
selling sensitive products — for
example, the supercomputer, chemical and
biotechnology, machine tool, chip
manufacturers, etc. — would be denied
similar vehicles for demanding the
elimination of any remaining export
controls on the transfer of their
respective products. What is more, it is not
self-evident that the national security
will be well served by advertising which
foreign encryption products are of
concern to the U.S. government, let alone
encouraging American manufacturers to
supply superior — i.e., less breakable —
encoding techniques in place of such
products.
3. See in this
connection, the Center’s Decision
Brief entitled Truth
or Consequences #9: C.W.C. Proponents
Dissemble About Treaty Arrangements
Likely to Disserve U.S. Interests
(No. 97-D 46,
27 March 1997).