New Crypto Policy to Aid U.S. Industry

The White House's new encryption-export policy should jump-start the U.S. encryption business and boost security on the emerging information superhighway. But it may also force industry consolidation over the next few years, say industry officials.

"For us now, it's time to really run," said Steven Walker, president of Trusted Information Systems Inc., an encryption firm based in Glenwood, Md.

Under the new policy, outlined Aug. 16 at a Washington meeting sponsored by the Software Publishers Association and the American Electronics Association, government officials said they will approve encryption software programs for easy export once they are reviewed by encryption experts at the Fort Meade, Md.-based National Security Agency.

To pass review, software must include a key-escrow feature that permits court-approved wiretaps of suspected criminals' data. The electronic keys are to be held by approved firms, which will hand them over to the courts once a judge signs a wiretap order. Also, the software must have an electronic key no longer than 64 bits, up from a 40-bit key now allowed for export. Encryption becomes much harder for the NSA or the FBI to decipher as its key length grows beyond 64 bits.

Once the government approves encryption software for export, companies will start bundling it with consumer and business software sold in the United States, said industry officials. "The natural incentive [for each company] will be to bring to market a single product," said Cerf. By selling the same software overseas and at home, companies can shave costs and increase revenues, he said. "It is to their advantage," said Dorothy Denning, an encryption expert at Georgetown University in Washington, D.C.

"The export market drives what [companies sell] for domestic consumption," said Lynn McNulty, an information security consultant based in McLean, Va., and a former top official at the National Institute for Standards and Technology, Gaithersburg, Md. Increased security will help companies sell more products and services via electronic networks, said the industry officials.

And once the market expands worldwide, the U.S. market may be dominated by one or a few encryption products, forcing a shakeout in the encryption industry, said McNulty.

To stay ahead of the game, Walker said his company is trying to sell encryption management software that helps companies use a variety of encryption. For example, there are many companies selling versions of the popular DES encryption software to buyers within the United States. By combining their versions of DES with his company's key-escrow technology, the companies can quickly start selling their encryption software worldwide, he said.

Also, his company is trying to develop a system that would allow a message scrambled by one brand of encryption software to be unscrambled by rival encryption software, he said. With such a system, consumers and businesses could scramble and unscramble messages -- such as sales orders or contract bids -- encrypted by several companies' different encryption software, he said.

The new rules provide the encryption needed for international commerce, said Kawika Daguio, an encryption expert with the Washington-based American Bankers Association. However, he said the ABA wants government approval for use of even tougher encryption to protect very large-scale transfers of funds through banking networks.

But the administration's new policy leaves may details undecided, threatening optimistic forecasts for the encryption industry.

According to Ray Kammer, NIST's director, government officials will meet with industry twice in September to discuss details of the new encryption policy. Issues to be decided include the development of a federal information processing standard, needed before government officials can buy key-escrow encryption software. Also, officials must decide which firms should be allowed to hold the escrowed keys to the encrypted data. Such firms must be "a truly trusted party... who won't erase the keys or sell them to the Mafia," said Mike Nelson, technology adviser to Vice President Al Gore.

Government officials said they still have only a "notion" of how these issues should be settled.

One problem facing industry is that NSA will likely lack the ability to quickly review the many new encryption products that will be developed by industry, said Cerf.

Another problem is winning international approval for the key-escrow software. This is a difficult issue, admitted government officials, partly because other countries, such as France, Russia and China, bar the use of software that their police and intelligence services cannot decipher. "This is a thorny issue," said Nelson, but it can be solved quickly, he added.

The White House's new policy will help create an international agreement on key-escrow encryption technology, said Daguio. "There must be progress on this [U.S. export policy] issue before other governments address anything," he said.

Industry officials are optimistic. "We're going to get what we want... soon," said Daguio. And according to Cerf, the banking industry is likely to win White House approval for export of software more capable than the 64-bit software approved by the new policy.