NRC Recommendations Could Enhance Security
The government should weaken its controls over encryption technology, but should also strengthen countermeasures against criminals' and terrorists' use of encryption, according to a new report by the National Research Council.
The countermeasures suggested by the report include extra research funds, laws penalizing the criminal use of encryption and government review of encryption products destined for export.
The congressionally sponsored report, "Cryptography's Role in Securing the Information Society," was released May 30. The study was directed by the 1994 defense authorization bill.
"Our recommendations would lead to enhanced protection and privacy for individuals and businesses in many areas, while also bolstering the international competitiveness of U.S. companies," said Kenneth Dam, a professor at the University of Chicago's law school and chairman of the 16-person panel that authored the report.
The inch-thick report also urged the government not to restrict domestic use of encryption technology or promote the use of key-escrow technology. Key-escrow technology, dubbed the Clipper chip, is favored by the White House and the FBI because it would allow people to use encryption measures that could only be broken once a court allowed law-enforcement officials to use a spare decryption key stored by an independent organization.
The report includes a variety of proposals and suggestions that provide ammunition for industry, libertarian groups and policy makers as they grapple over the rules governing the use of encryption technology. For example, the report was welcomed by Sen. Conrad Burns (R-Mont.), sponsor of one of three encryption-related bills awaiting action in Congress. All three bills would largely eliminate government control over encryption -- a move which industry strongly supports.
Some of the report's conclusions were backed by libertarian groups, such as the Washington-based Electronic Privacy Information Center, which oppose the government's control of encryption technology.
Cryptography policy can be publicly debated because secret information about the use of encryption technology "is neither essential to the big picture of why cryptography policy is the way it is, nor [is it] required for the general outline of how technology will [evolve and how] policy should evolve in the future," said the report.
The Business Software Alliance, a Washington-based lobbying group of the nation's largest software companies, welcomed the report's recommendation that the government allow easy export of encryption products using keys of 56 bits in length.
"BSA has repeatedly said that this is the minimum level necessary to keep American companies internationally competitive.... The NRC panel has spoken, and we sincerely hope the administration is listening," said a statement from the BSA, whose main backer is Microsoft Corp.
Export regulations now hinder the sales of encryption technology protected by keys of more than 40 bits. Government officials are reluctant to allow easy export of longer key-length encryption, saying that longer keys would hamper their efforts to track criminals and terrorists. Encryption experts say that every extra bit added to the key length doubles the difficulty of cracking open a criminal's encrypted message.
Industry officials did not back several other elements of the report, some of which are:
- Easy export of encryption products based on 56-bit keys should only be allowed to companies that describe their encryption technology to government officials.
- The government should "seriously consider legislation that would impose criminal penalties on the use of encrypted communication in interstate commerce with the intent to commit federal crimes," and develop new technological and operational countermeasures to criminals' use of encryption.
- The government should promote encryption by telecom companies, which may reduce the need and the market for individual encryption devices.
The report also suggested that government develop a mechanism to promote information security in the private sector, perhaps by creating a White House office of information security or a government-backed private organization.