Synthesis, Findings, and Recommendations
Pages 293-340

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 293...
... The risks are far less obvious. As discussed in Chapter 1, one of the most significant risks of a digital information age is the potential vulnerability of important information as it is communicated and stored.
From page 294...
... The fact that the nation is moving into an information age on a large scale means that a much larger number of people are likely to have strong financial, political, or economic motivations to exploit information vulnerabilities that still exist. For example, electronic interceptions and other technical operations account for the largest portion of economic and industrial information lost by U.S.
From page 295...
... • Elements of the U.S. civilian infrastructure such as the banking system, the electric power grid, the public switched telecommunications network, and the air traffic control system are central to so many dimensions of modern life that protecting these elements must have a high priority.
From page 296...
... . Used in conjunction with other information security measures, cryptography has considerable value in helping law-abiding citizens, businesses, and the nation as a whole defend their legitimate interests against information crimes and threats such as fraud, electronic vandalism, the improper disclosure of national security information, or information warfare.
From page 297...
... Nevertheless, all of the stakes described above -- privacy for individuals, protection of sensitive or proprietary information for businesses and other organizations in the prevention of information crimes, ensuring the continuing reliability and integrity of nationally critical information systems and networks, law enforcement access to stored and communicated information for purposes of investigating and prosecuting crime, and national security access to information stored or communicated by foreign powers or other entities and organizations whose interests and intentions are relevant to the national security and the foreign policy interests of the United States -- are legitimate. Informed public discussion of the issues must begin by acknowledging the legitimacy of both infor
From page 298...
... government has aggressively promoted escrowed encryption as the technical foundation for national cryptography policy, both to serve domestic interests in providing strong protection for legitimate uses while enabling legally authorized access by law enforcement officials when warranted and also as the basis for more liberal export controls on cryptography (Chapter 5)
From page 299...
... U.S. companies in information technology today have undeniable strengths in foreign markets, but current national cryptography policy threatens to erode these advantages.
From page 300...
... Cryptography is important because when it is combined with other measures to enhance information security, it gives end users significant control over their information destinies. Even though export controls have had a nontrivial impact on the worldwide spread of cryptography in previous years, over the long term cryptography is difficult to control because the relevant technology diffuses readily through national boundaries; export controls can inhibit the diffusion of products with encryption capabilities but cannot contain the diffusion of knowledge (Chapter 4)
From page 301...
... Cryptography is an important dimension of information security, but current policy discourages the use of this important tool in both intentional and unintentional ways, as described in Chapters 4 and 6. For example, through the use of export controls, national policy has explicitly sought to limit the use of encryption abroad but has also had the effect of reducing the domestic availability of products with strong encryption capabilities to businesses and other users.
From page 302...
... , it also supports the national security of the United States. Framing national cryptography policy in this larger context would help to reduce some of the polarization among the relevant stakeholders.
From page 303...
... For technical reasons described in Chapter 7, the committee believes that a legislative ban on the use of unescrowed encryption would be largely unenforceable. Products using unescrowed encryption are in use today by millions of users, and such products are available from many difficult-to-censor Internet sites abroad.
From page 304...
... In addition, many people believe with considerable passion that government restrictions on the domestic use of cryptography would threaten basic American values such as the right to privacy and free speech. Even if the constitutional issues could be resolved in favor of some type of ban on the use of unescrowed encryption, these passions would surely result in a political controversy that could divide the nation and at the very least impede progress on the way to the full use of the nation's information infrastructure.
From page 305...
... Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces. As cryptography has assumed greater importance to nongovernment interests, national cryptography policy has become increasingly disconnected from market reality and the needs of parties in the private sector.
From page 306...
... Thus, to the maximum extent possible, national cryptography policy that is more closely aligned with market forces should encourage adoption by the federal government and private parties of cryptographic standards that are consistent with prevailing industry practice. Finally, users in the private sector need confidence that products with cryptographic functionality will indeed perform as advertised.
From page 307...
... encryption technology that might reveal important characteristics of U.S. information security products and/or be used to thwart U.S.
From page 308...
... . The current export control regime on strong cryptography is an increasing impediment to the information security efforts of U.S.
From page 309...
... firms products with weak or poorly implemented cryptography. If these vendors were to gain significant market share, the information security of U.S.
From page 310...
... and multinational firms and users are able to use the same security products in the United States and abroad and thus to help promote better information security for U.S. firms operating internationally.
From page 311...
... Specifically,
• Certain products with encryption capabilities are subject to a more liberal export control regime by virtue of being placed on the CCL rather than the USML; these products include those providing cryptographic confidentiality that are specially designed, developed, or modified for use
From page 312...
... export controls on cryptography may well prompt other nations to consider import controls; in such a case, U.S. vendors may be faced with the need to develop products with encryption capabilities on a nation-by-nation basis.
From page 313...
... . For secret keys used in products covered by Recommendation 4.1, public-key protection should be allowed that is at least as strong as the cryptographic protection of message or file text provided by those products, with appropriate safety margins that protect against possible attacks on these public-key algorithms.[5] In addition, to accommodate vendors and users who may wish to use proprietary algorithms to provide encryption capabilities, the committee believes that products incorporating any combination of algorithm and key size whose cryptographic characteristics for confidentiality are substantially equivalent to the level allowed under Recommendation 4.1 (today, 56-bit DES)
From page 314...
... Relaxation of export controls in the manner described in Recommendation 4.1 will help the United States to maintain its worldwide market leadership in products with encryption capabilities. The committee believes that many foreign customers unwilling to overlook the perceived weaknesses of 40-bit RC2/RC4 encryption, despite superior noncryptography features in U.S.
From page 315...
... These major benefits of DES are the result of the open approach taken in its development and its long-standing presence in the industry. The brute-force decryption of a single message encrypted with a 40-bit RC4 algorithm has demonstrated to information security managers around
[Footnote 6] In other words, the market reality is that a side-by-side comparison of two products identical except for their domestic vs.
From page 316...
... When integrated into an application, the cost of using DES in practice is relatively small, whereas the cost of cracking DES is significantly higher. Since most information security threats come from individuals within an enterprise or individuals or small organizations outside the enterprise, the use of DES to protect information will be sufficient to prevent most problems.
From page 317...
... The committee believes that such an increase in the "floor" of information security outweighs the additional problems caused to national security agencies when collecting information. Since DES has been in use for 20 years, those agencies will at least be facing a problem that has well-known and well-understood characteristics.
From page 318...
... These approved firms will determine for themselves how to ensure access to plaintext, and many of them may well choose to use escrowed encryption products. A firm that chooses to use escrowed encryption would be free to escrow the relevant keys with any agent or agents of its own choosing, including those situated within the firm itself.
From page 319...
... Potential customers objecting to Administration proposals on the export of escrowed encryption because their cryptographic keys might be compromised can be reassured that keys to products covered by Recommendation 4.2 could remain within their full control. If these customers choose to use escrowed encryption products to meet the need for access, they may use escrow agents of their own choosing, which may be the U.S.
From page 320...
... government with plaintext of encrypted information when presented with a properly authorized law enforcement request and to prove, if necessary, that the provided plaintext does indeed correspond to the encrypted information of interest. The use of escrowed encryption products would not be required, although many companies may find such products an appropriate technical way to meet this requirement.
From page 321...
... Licensing decisions involving cryptography should be presumed to be approvable unless there is a good reason to deny the license. The committee understands that foreign policy considerations may affect the granting of export licenses to particular nations, but once national security concerns have been satisfied with respect to a particular export, cryptography should not be regarded for export control purposes as differing from any other item on the CCL.
From page 322...
... Managing the damage to the collection of signals intelligence is the focus of export controls, as discussed in Chapter 4 and in the text accompanying Recommendation 4. At the same time, cryptography can help to defend vital information assets of the United States; the use of cryptography in this role is discussed in Recommendations 5.1 and 5.2 below.
From page 323...
... If law enforcement authorities are unable to gain access to the encrypted communications and stored information of criminals, some criminal prosecutions will be significantly impaired, as described in Chapter 3. The Administration's response to this law enforcement problem has been the aggressive promotion of escrowed encryption as a pillar of the technical foundation for national cryptography policy.
From page 324...
... For this reason, Recommendation 5.3, dealing with an exploration of escrowed encryption, sets into motion a prudent "hedge" strategy against this eventuality; Recommendation 5.4 begins the process of seeking to discourage criminal use of cryptography; and Recommendation 5.5 addresses the development of new technical capabilities to meet the challenge of encryption. Against this backdrop, Recommendation 5.3 is only one part of an overall strategy for dealing with the problems that encryption poses for law enforcement and national security.
From page 325...
... dimension of protecting information systems from unauthorized penetration.
[Footnote 8] For a discussion of the patent issues involved in the decision regarding the Digital Signature Standard and the concern over confidentiality, see Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606, U.S.
From page 326...
... The government has not fully exercised the regulatory influence it does have over certain sectors (e.g., telecommunications, air traffic control) to promote higher degrees of information security that would be met through the deployment of nonconfidentiality applications of cryptography.
From page 327...
... government should promote the link encryption of cellular communications[9] and the improvement of security at telephone switches. As described in Chapter 1, the public switched telecommunications network (PSTN)
From page 328...
... Recommendation 5.3 -- To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses.
From page 329...
... Finally, by meeting demands for better information security emanating from legitimate business and private interests, escrowed encryption may dampen the market for unescrowed encryption products that would provide similar security but without features for government exceptional access that law enforcement and national security authorities could use for legitimate and lawfully authorized purposes. The risks of escrowed encryption are also considerable.
From page 330...
... Given the importance of market forces to the long-term success of national cryptography policy, a more prudent approach to policy would be to learn more about how in fact the market will respond before advocating a specific solution driven by the needs of government. For these reasons, the committee believes that a policy of deliberate exploration of the concept of escrowed encryption is better suited to the circumstances of today than is the current policy of aggressive promotion.
From page 331...
... condition for the growth and spread of escrowed encryption in the private sector. Parties whose needs may call for the use of escrowed encryption will need confidence in the supporting infrastructure before they will entrust encryption keys to the safekeeping of others.
From page 332...
... Under Recommendation 5.4, federal jurisdiction arises from the limitation regarding the use of communications in interstate commerce. The focus of Recommendation 5.4 on encrypted communications recognizes that private sector parties have significant incentives to escrow keys used for encrypting stored data, as described in Recommendation 5.3.
From page 333...
... Recommendation 5.5 -- High priority should be given to research, development, and deployment of additional technical capabilities for law enforcement and national security for use in coping with new technological challenges. Over the past 50 years, both law enforcement and national security authorities have had to cope with a variety of changing technological circumstances.
From page 334...
... Such development should be supported, because effective new capabilities are almost certain to have a greater impact on their future information collection efforts than will aggressive attempts to promote escrowed encryption to a resistant market. An example of such support would be the establishment of a technical center for helping federal, state, and local law enforcement authorities with technical problems associated with new information technologies.[10] Such a center would of course address the use by individuals of unescrowed encryption in the commission of criminal acts, because capabilities to deal with this problem will be necessary whether or not escrowed encryption is widely deployed.
From page 335...
... Although the committee was asked to address national cryptography policy, any such policy is necessarily only one component of a national information security policy. Without a forward-looking and comprehensive national information security policy, changes in national cryptography policy may have little operational impact on U.S.
From page 336...
... Experiences in trade policy suggest the feasibility of private sector advisors, who are often needed when policy cuts across many functional and organizational boundaries and interests both inside and outside government. National policy on information security certainly falls into this cross-cutting category, and thus it might make sense for the government to appoint parties from the private sector to participate in government policy discussions relevant to export control decisions and/or decisions that affect the information security interests of the private sector.
From page 337...
... government be involved in promoting information security? One obvious category of involvement is those areas in which the secure operation of information systems is critical to the nation's welfare -- information systems that are invested with the public trust, such as those of the banking and financial system, the public switched telecommunications network, the air traffic control system, and extensively automated utilities such as the electric power grid.
From page 338...
... Finally, in describing the need for a mechanism to promote information security in the private sector, the committee does not make a recommendation on its specific form because its charter did not call for it to address the question of government organization. As discussed in Chapter 7, such a mechanism could be a new coordinating office for information security in the Executive Office of the President.
From page 339...
... Problems in these areas will become relevant in the near future, and policy makers may wish to anticipate them by commissioning additional examination.
8.4 CONCLUSION
The committee believes that its recommendations will lead to enhanced confidentiality and protection of information for individuals and companies, thereby reducing economic and financial crimes and economic espionage from both domestic and foreign sources.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.