Proposed crypto limits draw broad criticism
By Robert Lemos and Stefanie Olsen
Special to CNET News.com
September 26, 2001, 11:55 a.m. PT
http://news.cnet.com/news/0-1005-200-7310346.html?tag=prntfr
A new call for limits on encryption technology is finding weak political
support in the United States, despite a looming clandestine war against
terrorism that will most likely hinge on the effectiveness of police and
military intelligence.
In response to attacks this month on the World Trade Center and the
Pentagon, Sen. Judd Gregg, R-N.H., said he favored establishing mandatory
backdoors in the software used to scramble digital messages and to ensure
that only the intended recipient can read the contents.
The specter of unbreakable encryption falling into the hands of criminals,
terrorists and hostile governments has long been used to promote policies
limiting commercial data-scrambling products. Such arguments are out of
date, however, according to many experts. Critics include not only civil
libertarians and a self-interested software industry, but those concerned
with preventing terrorism as well.
Two factors have decisively changed the playing field: So-called strong
encryption technology is already widely available and can't realistically be
recalled. In addition, fear of cyberattacks hitting strategic targets such
as electrical grids and nuclear power plants has raised the stakes for
domestic security.
"The danger in weakening encryption is that our infrastructure would become
even less secure," said Bill Crowell, a former deputy director of the
National Security Agency, the organization charged with gathering electronic
intelligence for the military and protecting the United States' own
communications networks. "There is no indication that the administration is
serious about these proposals."
Already, some members of Congress are readying opposition to Gregg's
proposal.
Rep. Bob Goodlatte, R-Va., a longtime critic of anti-encryption measures,
said he is working to build Senate opposition for such a bill that equals
momentum in the House. Goodlatte belongs to a camp of lawmakers that
believes such legislation would be a threat to national security.
"It's not a matter of privacy vs. security, but security vs. security,"
Goodlatte said in an interview.
"Encryption protects our national security," he said. "It protects the
controls of everything from nuclear power plants to the New York Stock
Exchange, government communications, credit cards and the electric power
grid. Encryption plays a critical role in our entire communication system,
and to require that a backdoor be built into that system is just an
incredibly dangerous thing to do."
Former NSA Deputy Director Crowell, now president and CEO of security
software maker Cylink, said intelligence and law enforcement agencies will
have to find other ways to gather information than plucking it from the
ether.
"Yes, it's hard," he said. "But that is the world that we live in today. I
think the alternative of having banks, companies and the government use weak
encryption is not a good one."
Key to security?
Gregg stated that he would present legislation to create a "quasi-judicial
entity," appointed by the Supreme Court, that would act as an independent
third party giving authority to the lawmakers with proper warrants to crack
encrypted documents.
"This judicial element would have the ability, with absolute
search-and-seizure rights protected, to get access to security keys with
cooperation from the industry," said Brian Hart, press secretary for the
senator.
Gregg is discussing the proposal with other senators and is waiting to see
Attorney General John Ashcroft's full anti-terrorism recommendation,
expected to be released next week, Hart said.
"We want to defer to the president and the Bush administration to combat
terrorism," he said.
For law enforcement and officials of the newly formed Office of Homeland
Security, encryption holds both a promise and a threat.
Today's encryption technology allows anyone with a PC to scramble their
e-mail and files so that even the most powerful computers in the world would
take centuries, if not longer, to crack the code. Only the correct key can
decipher the original message.
On one hand, encryption has made the Internet more secure. In the past, most
information on the Internet was sent in plain text with no encryption
protecting it. Anyone listening on the line could capture passwords,
financial transactions or personal e-mails. Today, the ability to encrypt
the content of messages has heightened the security of the Internet.
However, that same ability to scramble messages has left lawful authorities
bereft of any ability to eavesdrop on suspected terrorists when encryption
is being used. Although there is no evidence yet that encryption was used by
the terrorists that attacked the World Trade Center and the Pentagon, many
consider it likely.
The dangers of giving criminals the ability to hold absolutely private
communications have been debated often in the past decade.
In the late '90s, a group of federal regulators including former FBI
Director Louis Freeh and former Attorney General Janet Reno championed
legislation that required encryption software to include government
safeguards and that restricted U.S. exports.
The Clinton administration introduced a proposal for technology known as the
"Clipper Chip," or an extra key held by the government, which could with a
warrant unlock encrypted electronic messages for criminal investigations.
The proposal met with opposition from the American public, businesses and
foreign governments, and eventually failed. Critics said foreign consumers
or businesses would not buy U.S. encryption software accessible by the U.S.
government.
"Everyone gets really nervous when you start talking about backdoors because
you have to trust the other fellow a lot," said James Lewis, director for
the technology and public policy program at the Center for Strategic and
International Studies, based in Washington, D.C.
"If you put domestic restrictions on U.S. encryption use, it doesn't do any
good, because first, there are real costs to the economy--the Internet is
weakened--and second, without the cooperation of every other crypto supplier
in the world, it doesn't prevent terrorists from getting their crypto from
somewhere else," Lewis said. "None of these issues have changed."
Little political support
For now, Gregg seems unlikely to gain many adherents.
Scott Schnell, senior vice president of corporate development for encryption
technology seller RSA Data Security, argued that a backdoor could make the
Internet far more vulnerable to attack.
"The fatal flaw is that if the terrorist ends up with a key (to a backdoor),
it could be disastrous," he said. "A single key could compromise a whole
company or a large segment of the population."
Rather than preventing terrorism, argued Schnell, Gregg's proposal would
empower terrorists by allowing them to focus their attack on a single
weakness.
"The proposal not only wouldn't work, but it would force the country to pay
a huge penalty to get access to a small body of potential evidence," he
said.
Privacy advocates weighed in against the proposal as well. Richard Smith,
chief technology officer for the Denver-based Privacy Foundation,
characterized any potential encryption laws as a "total waste of time."
"It will take years to get updated forms of the software, assuming that
people will even upgrade voluntarily," Smith said. Worse, such legislation
would have little effect on terrorists who could just use the software
publicly available now. "The bad guys will keep using the old products
without the backdoors."
Steve Bellovin, a security researcher with AT&T Labs, said any impression the
United States has of pre-eminence in the encryption field is wrongheaded.
The encryption algorithm to be used by the U.S. government in the future,
known as the Advanced Encryption Standard, was originally developed by two
Belgian scientists.
Terrorists outside the United States will have access to such expertise, he
said. "These people are not stupid," he said. "They will write their own
code. I know high-school students who could take the AES specification and
write a program."
Gregg hopes to head that off by enlisting other nations' help. One key to
legislation would be the cooperation of governments around the world, which
Gregg has urged in congressional hearings. Global enforcement is essential
to ensuring that terrorists and hackers are unable to obtain encryption
software without backdoors.
But opponents of encryption laws believe such cooperation to be impossible.
"Because you can download software on the Internet, people outside the
country could sell encryption without a backdoor," said the Privacy
Foundation's Smith. "To have practical value, it would have to have
worldwide enforcement, and plenty of countries wouldn't want to do this."