Prodded by the U.S. government, numerous security companies are trying to jump-start the market for innovative key-recovery technology, which is designed to provide top executives with spare keys for their corporations' encrypted data.
The prospective demand for the new encryption technology has drawn in giants such as IBM Corp., Armonk, N.Y., Hewlett-Packard Co., Palo Alto, Calif., and smaller specialized companies such as Trusted Information Systems Inc., Glenwood, Md.
However, industry executives say the technology's market value and reliability is tainted by the involvement of the U.S. government, which wants to be able to seize those spare keys if officials suspect it may help them identify criminals or even prevent a crime.
On March 5, Bill Gates, chief of Microsoft Corp., visited Washington along with 11 other high-tech executives to press Congress and the White House to abandon the Clinton administration's encryption policy.
The market for encryption technology is tiny but controversial because it will shape the development of encryption technology deeded vital for the growth of the Internet and for electronic commerce, experts say.
The best estimate for the U.S. encryption market is roughly $300 million, including $90 million spent on commercial encryption by the U.S. government, according to Milford Sprecher, chief of International Data Corp.'s government division, based in Falls Church, Va. This $300 million total is only a small fraction of the $186 billion expected to be spent during 1997 on information technology in the United States, he said.
A precise estimate is impossible, because the market is so new and because encryption products are frequently buried in other products, such as communications software, he said. But total encryption spending will rise rapidly during the next several years, he said.
Industry officials say spending on encryption technology - with or without key-recovery features - will grow as the technology is combined with many new products to allow legally binding digital signatures, reliable identification of online business partners, and products able to prevent tampering of online messages and intellectual property, such as electronic contracts or music videos. The technology will also be used in a much-needed key-management infrastructure, which is required to help people and companies verify each others' electronic bona fides, even when they have not dealt with each other before, or are using different encryption products.
The Business Case
In principle, most executives from encryption developers and encryption-using companies welcome the technology.
A common fear is that a critical employee may die or fall ill without revealing the only key to critical encrypted data, such as a customer list or the blueprints of a new technology. Another fear is that a disgruntled employee may deliberately encrypt company data before leaving the company or before demanding a ransom for the release of the data.
"That's really the bigger issue," said Mary Van Zand, director of marketing for Sterling Commerce Inc., Irving, Texas. The 1,300-person company has a security group of 35 people selling two encryption products, both of which will incorporate key-recovery technology, she said.
"There's a great future for key recovery. Anybody who has a far-flung, global enterprise network will need some form of key recovery for their own purposes" as part of a companywide key-management system, said Richard Power, a senior analyst at the San Francisco-based Computer Security Institute.
Those market pressures have prompted IBM to develop its SecureWay products, and Hewlett-Packard to develop its International Cryptographic Framework technology, and numerous other companies such as Trusted Information Systems with its RecoverKey technology, to band together to promote the use and development of encryption that includes key-recovery technologies. This group is dubbed the Key Recovery Alliance, and has several committees of industry officials examining businesses' needs for key recovery and legal obstacles hindering the use of the technology.
Key-recovery technology was spawned by the 1994 Clipper Chip controversy, in which companies were pressured by the federal government to split copies of their spare keys, and leave them in storage with two federal agencies. This plan was pushed by the FBI and the National Security Agency, which was established during the Cold War to eavesdrop on foreign governments and possible overseas security threats.
But the White House backed down under criticism from industry and civil libertarian groups, and last December issued a new plan that allows companies to hold their own spare keys and also ease the creation of a nationwide market for key-storage services.
To promote the development and use of key-recovery technology, the White House is easing encryption export rules for cooperative companies and the financial industry. The companies are allowed to export encryption software that uses electronic keys of up to 56 bits, without having to win approval from the Department of Commerce for every sale.
Under previous rules, companies had to get the government's approval for every sale of encryption software greater than 40 bits.
In return for waivers from the stringent export rules, which have been granted to more than 12 companies, the government is demanding that encryption developers promise to have key-recovery products available by the end of 1998.
Once those key-recovery products are reviewed for adherence to technical standards announced by the White House earlier this year, companies will be allowed to export encryption software that uses keys of any length, making them practically impossible to break, unless they contain an internal flaw, or are used badly by incompetent employees.
Companies that have applied and won easier export approval for their products include Trusted Information Systems and Netscape Communications Corp., both of which sell software equipped with encryption software. TIS says it has already developed software that meets the government's key-recovery demands, while Netscape officials promised to develop the key-recovery software as part of its export-approval deal with the Commerce Department.
The Commerce Department is also reviewing export applications from another 12 companies that have promised to incorporate key-recovery technology into their encryption products after 1998, said William Reinsch, chief of the Commerce Department's export oversight bureau.
In Congress, the White House is backing legislation, introduced May 8 by Sen. Robert Kerrey, D-Neb., that would promote the creation of a key-storage industry, and require the use of key-recovery technology in any communications system bought with federal money.
On May 29, the Commerce Department's National Institute of Standards and Technology in Gaithersburg, Md., announced that it would seek industry proposals for products and services able to demonstrate "the viability of an infrastructure for key recovery and support data encryption in federal government applications." Once completed, the government will buy government-designed key-recovery technology from commercial manufacturers, putting pressure on other U.S. information technology companies to adopt similar technology if the wish to get a share of the $22 billion directly spent on information technology and services by the U.S. government.
More information about the government's key-recovery program can be found at http://gits-sec.dyniet.com/krdp.htm and at http://csrc.nist.gov/krdp/baa.html.
However, the technology has run into sharp criticism from civil libertarians, encryption proponents and from many industry executives concerned that the government's encryption plans may hinder their international sales.
Industry officials say they want to sell key-recovery technology without interference from the government.
Thus Ira Rubinstein, a senior counsel for Redmond, Wash.-based Microsoft Corp., said his company would soon ask the Commerce Department for permission to export encryption software without offering the government any guarantees that Microsoft would eventually develop all of the key-recovery features that the government wants.
If the government would allow companies such as Microsoft to develop scaled-back versions of key-recovery technology - such as a key-recovery feature that could be switched on or off by the purchaser - then more people would end up using key recovery than under the government's existing plan, he said.
Another problem cited by industry officials is the government's insistence that communications encryption products include the key-recovery features.
FBI officials want this feature so they can wiretap criminals' communications links. But companies don't need to keep a spare copy of the key that scrambled each message, because each company will already have a spare copy of the message in its computers.
These rules will make over- seas customers suspicious about the quality of U.S software built on key-recovery software, and provide an opening for overseas firms to cut into the United States' dominance of the world software market, said Rubinstein.
To defeat the White House's key recovery demands, industry officials, including executives from Microsoft and Netscape, are lobbying hard in favor of bills sponsored by Rep. Bob Goodlatte, R-Va., and Sen. Conrad Burns, R-Mont. Both bills would sharply curb the White House's authority to restrict encryption exports, so undermining its ability to direct the development of encryption technology.
The Goodlatte bill has been approved by the House Committee on the Judiciary, and may soon be passed by the House.
However, the Senate bill has been stalled as proponents struggle with opponents such as Sen. Kerrey and Sen. John McCain, R-Ariz., chairman of the Senate's commerce committee. Kerrey and McCain are trying to broker a compromise acceptable to the White House and industry.
Civil liberties groups also oppose the key-recovery technology, saying it will ease prying by government officials into private e-mail and databases. On May 21, the Washington-based Center for Democracy and Technology helped publicize a new report that argued the government's plans would weaken the security of encryption products and cost billions to manage. The report, titled "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption," was prepared by several industry and academic encryption experts in cooperation with the CDT. (see sidebar on p. 30)
The critics would be right, but only if the worst case comes true, said Stephen Walker, president of Trusted Information Systems. The worst case is that the government insists key-recovery products be dependent on a larger key-management system, he said. The possible costs and risks drop dramatically if the two technologies are treated separately, Walker said.
Government officials are backing the development of key-management infrastructures, which are designed to help manage encryption devices used by citizens and smaller companies. These infrastructures would help ensure that each person's cryptographic signature was only used by that person, publish a directory to allow people to send encrypted messages to each other and also help recover lost keys.
For example, Entrust, developed by Entrust Technologies, a subsidiary of Northern Telecom, based in Ottawa, Canada, is a key management system that also includes a feature that can automatically store spare keys in the purchaser's computer, said Ian Curry, Northern Telecom's product manager for Entrust. If a customer uses the key-storage feature, Northern Telecom has no access to the keys, he said.
Entrust has applied to the Commerce Department for permission to export Entrust to overseas customers, largely because its U.S.-based resellers want to sell the technology to Fortune 100 and Fortune 1,000 companies without being hampered by red tape, he said.
Industry executives and government officials are hoping that a congressional compromise can be worked out by the end of the year that will help U.S. companies export powerful encryption, while protecting the FBI's critical mission. But industry lobbyists are not confident that a bill can be passed by the end the year, mostly because of adamant opposition to industry's demands from the FBI and the White House.
However, "this whole crypto debate has gotten to be like gun control or abortion. It is very heart-felt, and often has little to do with the business concerns at hand," said the Computer Security Institute's Power.
Perhaps that's why the likely result will be a compromise worked out behind closed doors that splits the difference between industry and the FBI.
That would leave industry freer to develop and export key-recovery software. But the FBI would perhaps be more vulnerable to the next wave of encryption technology, while the civil libertarians would be displeased that the government retained restrictions on encryption technology.