National Cryptography Policy for the Information Age
Dam, Kenneth W., Lin, Herbert S., Issues in Science and Technology
Relaxing federal regulation will lead to enhanced information security for all.
Accelerating growth in the use of information technologies to store and communicate digital data is creating a parallel need for measures to ensure the security of this information. Unfortunately, in the critical area of cryptography (the use of mathematical formulas to scramble information into digital codes), government policy is not keeping pace with developments in the market and the technology. In fact, current federal regulations actually discourage the foreign and domestic use of this important technology.
U.S. export control laws limit the sale of strong encryption products overseas in the interest of denying to foreign countries the ability to encode information in ways that would make it more difficult for U.S. authorities to gain access to that information for national security and foreign policy uses. However, these controls also impede the efforts of U.S. companies with foreign customers and suppliers to protect their proprietary business information, and they constitute a barrier for U.S. information technology vendors who wish to market their products to security-conscious foreign buyers. Export controls also reduce the domestic availability of strong encryption because they drive many U.S. vendors to a "least common denominator" strategy of product development, marketing, and support that calls for a single and relatively weak product that can be sold domestically and abroad.
More recently, the Clinton administration has aggressively promoted the domestic use of escrowed encryption, a form of cryptography in which a copy of the key needed to decode data is stored in an ostensibly safe place by a third party. Escrowed encryption is intended to provide strong protection for legitimate uses but also to enable law enforcement officials to gain legally authorized access to the encryption key when it is necessary to decode data as part of a criminal investigation. However, many businesses and individuals do not see the value in using escrowed encryption because dependence on a government-approved product is likely to slow innovation, and they worry about the security of the extra copy of the decryption key.
What is lacking in federal policy is a market-sensitive understanding that information security is a critical concern for all sectors of society, not just the government. Businesses, especially those operating internationally, must share sensitive information with certain customers, suppliers, and strategic partners while protecting that information against competitors, criminals, foreign governments, and other suppliers and customers. Private citizens conduct sensitive conversations over cellular and cordless telephones that are easily overheard. A rapidly growing number of business and personal financial transactions are now conducted electronically. These private sector interests parallel those of the federal government in ensuring that its important and sensitive political, economic, law enforcement, and military information, both classified and unclassified, is protected from foreign governments and hostile parties.
A false dichotomy
The problem for policymakers is that cryptography that is available to the general public for legitimate uses is also available for illegitimate purposes such as organized crime and terrorism. Encryption thus could make it more difficult for law enforcement authorities to gain legally authorized access to information for the purpose of investigating and prosecuting criminal activity. Encryption also poses a threat to intelligence gathering, which depends on access to information from foreign governments and other foreign entities; such intelligence is valuable for national security and foreign policy purposes.
But information gathering, which would unquestionably be hindered by encryption, is a tool, not the ultimate goal of law enforcement and national security. …