On-Line Security Emerges Slowly

On-line security for electronic commerce is gradually emerging from the chaos of standards, proprietary technologies and commercial networks, but don't expect easy solutions to security problems.

There are many competing solutions, few of which work together easily, said Lynn McNulty of McNulty & Associates, McLean, Va. There are "a lot of informal industry standards... that sprang up about a particular need," he said.

The missing elements include technology to pass encrypted data between competing security products, such as those developed by Northern Telecom Ltd., Nepean, Canada, and Security Dynamics Technologies Inc., Cambridge, Mass., said William Malik, a security consultant at The Gartner Group, Stamford, Conn. Several companies are developing technology, called certificates, that would allow encrypted information to be passed between rival security products, he said.

Also missing is a government policy that would allow companies to easily export leading-edge security products to permit communication with overseas subsidiaries or customers, he said.

Also absent are electronic identity cards that can't be forged, methods to gauge the creditworthiness of an on-line customer, and a fund-raising tax system, which is needed to pay the overhead costs of installing reliable security gear on the nation's networks, said Malik.

However, much of the technology is gradually emerging from industry and is being integrated by companies and consortiums, said Malik.

  • Security Dynamics recently bought RSA Data Security Inc., which holds critical public-key encryption patents within the United States. For RSA's price of $200 million, Security Dynamics will be better able to develop and sell usable security packages, rather than components that must be put together by consumers, corporations and consultants. Northern Telecom sells its Entrust security product, which combines a variety of security components.

  • The Internet Engineering Task Force is developing new security standards for the Internet, which will help corporations and consumers design and use security technology on the Internet. The task force is a voluntary organization run by Internet proponents.

  • Similarly, the alliance of Microsoft Corp., Redmond, Wash., with the Visa and Mastercard banking consortiums will allow many vendors, computer makers and consumers to easily adopt a common, technical standard for on-line commerce. This alliance could become an important standard-setting body, Malik said.

To gain more ground, industry has increased its lobbying in Washington. Last month, executives united with Internet proponents in a group called the Internet Privacy Coalition to pressure the White House into relaxing controls on the export of encryption technology. "Encryption is the key to on-line commerce. Government regulations are simply keeping U.S. firms out of important markets," said Jim Bidzos, RSA's CEO.

Industry's lobbying campaign is making progress on Capitol Hill, where lawmakers have drafted three bills that would largely eliminate the government's export controls. The bills are sponsored by Sen. Conrad Burns, R-Mont., who chairs the Senate's subcommittee on Science, Technology and Space, Sen. Patrick Leahy, D-Vt., and Rep. Bob Goodlatte, R-Va. The bills won't make much progress this year, but they do demonstrate industry's growing ability to force changes, said Bidzos.

Also, the Senate and the House are drafting an industry-backed bill that would set security rules for transferring and storing patient data, easing Internet use for medical applications.

One reason for industry's growing influence is the spread of encryption technology. People can now easily purchase encryption technology, particularly overseas. Industry officials argue the U.S. government's claim that access must be limited to prevent terrorist and criminal use is losing validity.

Netscape's Navigator browser and IBM-owned Lotus Development Corp.'s Notes groupware both include strong encryption technology, while many non-U.S. companies are also selling encryption software, said Bidzos. It is becoming a question of competitiveness.

In response, government officials said the encryption argument is lame because foreign encryption software is unreliable and difficult to use correctly.

And sometimes government controls don't work. The U.S.-designed Pretty Good Privacy desktop encryption software is being distributed worldwide via the Internet, violating U.S. law. It soon will be combined with Internet e-mail software, greatly easing PGP's use, according to its designer, Phil Zimmermann.

Under industry pressure, the White House has relaxed some export controls, allowing Lotus and Trusted Information Systems, Glenwood, Md., to export tougher encryption technology after the companies agreed to include features that would aid court-approved wiretaps. Government officials still want to develop an encryption policy acceptable to the FBI and industry, but industry executives say they don't see much room for compromise.

Government officials also want to forge international agreement on encryption technology, partly because countries such as France, China and Singapore impose tight controls on imported encryption products. But industry officials foresee little hope for quick success. "Practically every country will try to control the use of encryption," said Trusted Information Systems' Denny Branstad.

Government and industry officials have launched several programs to develop technology that would allow U.S. companies to shield their data, while obeying local encryption-control laws. One approach, called the Policy Controlled Cryptographic Key Release System, is being investigated by Trusted Information Systems under a contract from the Pentagon's Advanced Research Projects Agency. The contract may yield a technological solution in two years.

But industry is developing technology much more rapidly than government officials can create technical standards. "If government wants to use cutting-edge technology, they'll have to use commercial" standards and technology, an industry source said.