White House Preps New Crypto Plan
Government panel expected to urge President to relax encryption export controls
White House officials are preparing a new twin-track encryption proposal that may aid large companies, but would likely arouse opposition from smaller companies and software developers, say industry officials.
One of the proposals would help large multinational companies use sophisticated data-scrambling technology to secure communications at their office locations around the world, said several industry officials.
A parallel proposal would also boost government development of key-recovery technology, the officials said.
These proposals are expected to reach President Bill Clinton's desk by the end of the month. They follow several earlier moves by the Clinton administration to relax government controls on encryption technology, which is needed to protect electronic commerce and boost growth of the Internet.
If the White House does not ease export rules for all companies, the export relaxing policy "is going to get jumped on all over" by software developers that won't benefit from the plan, said Ed Black, president of the Washington-based Computer and Communications Industry Association. "There will be a lot of people standing up and saying 'Hell, no!'"
"I'd be absolutely shocked" if government officials choose only to help large companies, said one executive from a multinational firm. "They want to do something that will help all exporters," he said.
Key-recovery technology is being promoted by the Justice Department, which wants to crack open secret messages exchanged among suspected criminals and terrorists.
Government officials say key-recovery technology can allow citizens and companies to reliably shield their conversations and data from eavesdroppers, while also allowing court-approved wiretaps.
Government officials are championing the use of key-recovery technology, partly by restricting the export of conventional, hard-to-crack encryption technology. But these restrictive export rules cripple U.S. software products, say executives from software companies such as Microsoft Corp., Redmond, Wash.
If the government does get major industry players to accept its preferred key-recovery technology, then it will have taken a big step toward the establishment of a worldwide encryption standard that could last for more than a decade, said one industry official who did not want to be identified.
Once an encryption standard is established, other companies' rival encryption technology would be marginalized, just as would a company trying to sell a new fax machine that can't send or receive letters to today's fax machines.
In July, Vice President Al Gore announced a revised government encryption policy that relaxed export rules, partly by transferring the task of processing export applications from the State Department to the Commerce Department.
Later this month, a working group will send a series of encryption-related recommendations to President Clinton, said Heidi Kukis, a spokeswoman for Vice President Gore.
The group, including senior officials from the Justice Department, the Commerce Department and the Central Intelligence Agency, has "been working with industry to develop a key-recovery system," she said. Kukis declined to discuss the group's recommendations.
"There are a lot of different options" being considered, said Clinton Brooks, a spokesman for the National Security Agency based in Fort Meade, Md.
The agency is responsible for developing the U.S. government's encryption devices, and for deciphering foreign encryption technology.
The main question is how government officials can persuade all industry, not just smaller companies, to develop and use key-recovery technology, Brooks said.
The plan to ease export rules for the multinational companies is being considered by the group. According to industry officials, the plan would allow the quick award of export licenses for companies wishing to link their international offices with encryption technology based on digital keys of 56-bit length or longer.
Current rules sharply restrict export of encryption products that use a key longer than 40 bits. For every extra bit added to the key length, the security of the encryption software is roughly doubled.
However, the working group may reject the plan, preferring instead to recommend postponement of a decision until after the presidential election in November or a relaxation of export rules for all companies, said industry officials.
The White House needs to make a decision quickly before Congress votes to relax export rules or before European officials establish a rival encryption standard, called Trust Third Party encryption, said industry officials.
If the working group recommends easier export rules for only the larger companies, "it is a big yawn," said David Morris, vice president at Cylink Corp., an encryption developer based in Sunnyvale, Calif.
"They've always allowed the larger American companies to export [sophisticated encryption]," he said.
The critical issue is whether the government will help software companies such as Lotus Development Corp., Cambridge, Mass., and Microsoft add sophisticated encryption to their consumer software, he said.
Unless the government changes its export rules, software companies will export themselves to "any country where there are no restrictions," he said.
Government officials say they are working with industry to develop a compromise on encryption policy, but "they keep narrowing who they negotiate with," said Black.
Established, multinational companies such as IBM Corp., Digital Equipment Corp., Maynard, Mass., and Unisys Corp., Blue Bell, Pa., which stand to gain from the proposed policy, "are no longer dominant businesses" in the infotech business, he said.
"They can try [to make a deal with multinationals], but to the extent that they claim they have a deal with the broader industry... that's where they would go wrong," he said.
The interagency group is also considering a plan to add funding for encryption research to a slew of federal computer programs. "They want to get some experience with [key-recovery].... It gets there quicker for less money invested," said Stephen Walker, president of Trusted Information Systems Inc., Glenwood, Md.
One candidate technology that could receive extra funding is TIS' Recoverkey technology, designed to let companies or the government recover keys to scrambled data, said Walker.
For example, TIS' Gauntlet product transmits a string of data once per day, allowing FBI wiretappers to unlock the scrambled messages, he said.