Federal policy should promote widespread commercial use of technologies that can prevent unauthorized access to computer data, portable phone transmissions, cellular and other wireless phone communications, and other forms of electronic information, says a new report by a committee of the National Research Council.
The committee said that such a broad application of cryptography -- which is the use of mathematical formulas to encrypt electronic information so it is indecipherable without the proper digital "key" -- will benefit the nation in many ways. These include making it easier to protect from crime and terrorism such nationally critical assets as banking and telecommunications networks; providing greater privacy to individuals; and boosting the international competitiveness of U.S. companies.
The congressionally requested report says that no law should bar the manufacture, sale, or use of any form of encryption within the United States, and that export controls should be relaxed but not eliminated. The development of encryption technologies should be driven largely by market forces rather than by government-imposed requirements.
"While the use of encryption technologies is not a panacea for all information security problems, we believe that adoption of our recommendations would lead to enhanced protection and privacy for individuals and businesses in many areas, ranging from cellular and other wireless phone conversations to electronic transmission of sensitive business or financial documents," said committee chair Kenneth W. Dam, professor of American and foreign law at the University of Chicago. "It is true that the spread of encryption technologies will add to the burden of those in government who are charged with carrying out certain law enforcement and intelligence activities. But the many benefits to society of widespread commercial and private use of cryptography outweigh the disadvantages."
The committee said that the government should explore "escrowed" encryption for its own use, but should not continue to aggressively promote this unproven technology to the private sector. In escrowed encryption, the decoding key would be held by a trusted third-party organization or institution. This is attractive to law enforcement agencies because with a court order, they could obtain the key and unlock even the most unbreakable code. However, many companies don't like the idea of giving a third party the key to all their secrets, even if the third party is considered trustworthy.
The U.S. government's current support of escrowed encryption as a technical pillar of its cryptography policy is inappropriate now, the report says, because there are many unresolved questions about this approach, such as the liability of third-party encryption. Even when these problems are resolved, adoption of escrowed encryption or of any other specific technology or standard by the commercial sector should be voluntary and based on business needs, not government pressure.
The report notes that until recently, cryptography was of interest chiefly to the intelligence-gathering community. However, the revolution in information technologies that has occurred over the past 10 years has resulted in much more information -- including trade secrets, research and development notes, pricing and bidding information, and personal financial and medical records -- being sent over electronic networks. As a result, companies are seeking ways to keep these data out of unauthorized hands, such as those of competitors, criminals, and foreign governments. And in response to this demand, computer companies are developing better encryption software and hardware.
Cryptography's new popularity has created a policy dilemma for the U.S. government because the growing importance of cryptography as a tool for protecting sensitive personal and business information increasingly conflicts with the traditional interest of national security and law enforcement agencies in assuring their access to information. And even in the realms of law enforcement and national security, encryption is now the proverbial double-edged sword, the committee said. If used by crooks or others with ill intent, it can hinder criminal investigations. But its use by law-abiding individuals and businesses can help prevent crime. For example, use of cryptography to ensure confidentiality, provide reliable user authentication, provide electronic signatures, and detect unauthorized tampering with electronic data can help to deter electronic bank fraud and many other types of illegal activity.
The report notes that current federal restrictions on the export of encryption technologies allow only the export of relatively weak cryptography that U.S. intelligence agencies can decipher readily. This is done to protect the nation's ability to gather foreign intelligence. However, these export laws not only inhibit U.S. companies from selling their best cryptographic technology overseas, but they also limit what is available in this country. Even though there are no legal limits on the kinds of encryption that can be sold in the United States, many companies find it impractical to develop and market different products for both U.S. and overseas markets.
One common way to measure the power of a cryptographic product is by the number of information bits in the deciphering key: the more bits, the tighter the security. The federal government should allow the ready exportation of cryptography products that provide a level of confidentiality sufficient for most general commercial requirements, the committee said. Today, encryption products incorporating the 56-bit Data Encryption Standard (DES) would provide this level of confidentiality and should be readily exportable. However, under current federal law, companies cannot easily send products with a key longer than 40 bits outside the country.
U.S. technology vendors should be allowed to export cryptography products with keys longer than 56 bits, as long as the users of these products agree to provide the U.S. government access to decoded information, the report says. In addition, the export licensing process should be streamlined.
The committee said that the U.S. government needs to foster an open public debate so that a national consensus on cryptography policy can be achieved. For several years, the stakeholders -- including law enforcement agencies, the national security community, the information technology industry, and the civil liberties community -- have been unable to come to a consensus on a national cryptography policy. Debate has been complicated, in part, by the position that effective public deliberations are impossible since much relevant information in this area is classified.
However, the report refutes this view. The 13 members of the committee who have security clearances examined the arguments based on relevant classified material and concluded that, although important to specific situations, classified material is not essential for understanding current cryptography policy or how the technology should evolve. "The feasibility of achieving a national consensus is demonstrated by the fact that the study committee -- which represents many different perspectives on the subject -- was able to come to a strong consensus," said Dam.
The report recommends that the government take a number of additional steps to promote widespread use of encryption technologies. These include:
encouraging the use of cryptography as a way to determine whether data have been altered by unauthorized individuals, and to assure the identity of authorized users;
promoting the security of telecommunications networks more actively, starting with the encryption of cellular phone transmissions and other wireless voice communications; and
pursuing government development and use of escrowed encryption as a way of gaining working experience with this technology and making escrowed encryption more useful to the commercial sector.
In addition, the committee said that Congress should consider legislation that would impose additional penalties for using encrypted communications in the planning or execution of a federal crime.
The study was funded by the U.S. Department of Defense and Department of Commerce. The National Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. It is a private, non-profit institution that provides science and technology advice under a congressional charter. A committee roster follows.