![[LWN Logo]](/images/lwn.banner.gif)
Date: Fri, 11 Sep 1998 14:35:34 -0600 (MDT) From: mea culpa <jericho@dimensional.com> To: InfoSec News <isn@sekurity.org> Subject: [ISN] Encryption dealt a blow (9/09/1998) This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. --------------7AF418AC19FF5E72B9CFFF6B Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: <Pine.SUN.3.96.980911143201.5335m@flatland.dimensional.com> Forwarded From: darek milewski <darekm@cmeasures.com> http://www.sjmercury.com/business/center/encrypt0910.htm Posted at 8:23 p.m. PDT Wednesday, September 9, 1998 Encryption dealt a blow : Terrorists deal a blow to exports BY JIM PUZZANGHERA WASHINGTON -- The terrorist attacks on U.S. embassies in Africa last month that killed 263 people also might have had a less dramatic casualty: attempts by the high-tech industry to export strong encryption software anytime soon. Industry officials want permission to sell the software overseas without restrictions so they don't fall behind foreign companies that are also developing ways to encode information. Such encryption software, which allows only the sender and receiver to decode the text, is becoming crucial as more and more sensitive financial information courses through the Internet. But the U.S. government doesn't allow the export of most encryption software, and concern about terrorism is a big reason. Law enforcement and national security officials have worried aloud that terrorist networks could use encryption to mask their plans from authorities. The FBI's discovery of encrypted files in the laptop computer of Ramzi Yousef, the convicted mastermind of the 1993 bombing of the World Trade Center in New York, provided fuel for that fire. The files outlined plans to blow up 11 U.S.-owned commercial airliners. The embassy attacks in Kenya and Tanzania, and the concerns of heightened terrorist activity following the U.S. retaliatory strikes in Sudan and Afghanistan, add additional kindling to the debate: fresh, horrific images of terrorism's deadly toll and the tangible fears of more to come. The Clinton administration has been trying to broker a compromise on the issue, revolving around some sort of back door in the software that would allow access by authorities investigating crimes. High-tech industry representatives argue that such access would make financial transactions and other commercial exchanges of information on the Internet susceptible to hackers. Legislation languishing Legislation that has been languishing in the House of Representatives since last year would allow the export of strong encryption software without any backdoor access. The House returned from summer recess Tuesday, but prospects that it will act on the legislation this fall are now virtually dead. The bombing is one reason. ``In light of a renewed wave of terrorist attacks, I don't think you can cite them as being isolated incidents,'' said Mike Power, an aide to Rep. Gerald Solomon, R-N.Y. The congressman has been opposed to loosening encryption export restrictions and has used his powerful position as Rules Committee chairman to block a vote on the bill. The bombings show ``you can't just dismiss these security concerns,'' Power said. Those who support broad encryption exports said the embassy bombings could make it more difficult to overcome such opposition. ``Do I think that those who do not support the reform of encryption policy in our country would use the tragedies that occurred in Africa? You bet they would. . . . Past terrorist attacks have been used in the debate, so why not use the current one?'' said Rep. Anna Eshoo, D-Palo Alto, a co-sponsor of the House legislation. ``The detractors use this time and time again as an issue, and it's a very provocative one.'' But it's a legitimate one, according to Barry Smith, who heads up the FBI's encryption policy unit. ``U.S. law enforcement wants to see U.S. encryption products dominate the world market, but we're also very cognizant of the fact that commercially available encryption products can and will be used for criminal purposes,'' he said. In fact, in a report last year for the National Strategy Information Center's U.S. Working Group on Organized Crime, two researchers estimated there had been at least 500 cases worldwide in which criminals have used encryption in some way. The study said those numbers were growing at a rate of 50 percent to 100 percent a year. Access demanded The law enforcement community's one requirement for encryption software is that there be some way to get access to decoded, plain text of encrypted files without the cooperation or knowledge of the person under investigation, Smith said. However industry can figure out a way to do that would be fine with authorities, he said. One possible solution is known as ``key escrow'' or ``key recovery,'' in which a key to unlock encrypted messages is left with a trusted third party, such as a bank, so that law enforcement with court approval could use it when necessary. The industry and privacy advocates oppose that approach, arguing the key could be stolen or misused. Sen. Dianne Feinstein, D-Calif., a major player in the encryption debate and a supporter of strong export controls, said a delay in congressional action may be a good thing, allowing industry to find a technology that satisfies both sides. ``I really believe there is an answer to this. We may not know what it is at the moment,'' said Feinstein, who in June organized a meeting among high-tech industry leaders, Attorney General Janet Reno and FBI Director Louis Freeh. ``Delay works toward a much more beneficial solution for everyone.'' But those delays allow foreign companies to catch up, and surpass, U.S. companies, industry officials said. That's especially frustrating because it negates the major argument by opponents to encryption exports: If the software is available from companies abroad, the U.S. export policy doesn't prevent terrorists or other criminals from obtaining encryption. ``Each passing day increases the chances the U.S. will fall behind,'' said Jeffrey H. Smith, counsel for Americans for Computer Privacy, a computer industry lobbying group that has been pushing hard for a loosening of encryption export regulations. ``There are such a large number of encryption products available in the world today that it's virtually impossible to keep encryption out of the hands of terrorists and narcotics traffickers and organized crime.'' Unilateral action The Clinton administration can ease export restrictions without congressional action. It did that in a small way in July, when the Commerce Department announced it would allow encryption to be sold to financial institutions in 45 countries that have acceptable laws against money laundering. But Congress could legislate its own changes to the guidelines. The Commerce Department plans to make another policy announcement regarding encryption exports later this month. But it's highly unlikely to drop all export restrictions on encryption, as the high-tech industry wants. More likely is another limited move, such as an extension of the exception it made in July to some other business sectors. That leaves the high-tech industry still looking for solutions and trying to avoid the fears triggered by the embassy bombings. --------------7AF418AC19FF5E72B9CFFF6B-- -o- Subscribe: mail majordomo@sekurity.org with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]