Securius Newsletter

September 20, 2001
Volume 2, Number 7
http://www.securius.com

Strong Country, Strong Crypto

By Seth Ross

For years, US law enforcement agencies have pushed for "back door" access to encryption systems, arguing unsuccessfully that strong encryption hinders their ability to hunt down terrorists and criminals.[1] In the aftermath of the horrific September 11 terrorist attacks on US civilian and military targets, these discredited arguments are gaining new currency. Despite the terrifying rush to war and the justified rage in the face of huge civilian losses, it's vital that decision-makers not rush to judgment and needlessly damage our nation's security posture by targeting one of the most valuable tools in our domestic security arsenal: strong encryption.

Fueled by anxiety, the raw desire to "do something," and a cascading series of technical misunderstandings, the US government could decide to stiffly regulate or even ban strong encryption technologies.[2] At least one powerful US senator, Judd Gregg of New Hampshire, has advocated the inclusion of back doors in encryption products. These would theoretically allow authorized government agents covert and rapid access to the plaintext of encrypted communications. "In the area of encryption," he's argued on the floor of the US Senate, "we need to have a new regime."[3] His remarks were echoed by Senator Jon Kyl of Arizona: "With things such as encryption ... Times are a changing."[4]

According to recent poll results, 72 percent of Americans believe that anti-encryption laws would be "somewhat" or "very" helpful in preventing a repeat of last week's terrorist attacks.[5]

This potential push to impose further restrictions on the development, dissemination, and use of encryption technologies is based on three assumptions:

  1. Regulation can prevent terrorists from acquiring strong encryption.
  2. Regulating encryption will not harm the information security of US businesses and individuals.
  3. If encryption is not strictly regulated, then US law enforcement will be powerless to stop encryption-using terrorists.[6]

None of these assumptions is valid, and the result of further encryption regulations will almost certainly be the opposite of the government's intent: it could weaken our defenses against terrorism at the time we need them most.

The idea that further regulations can prevent terrorists from getting strong crypto is patently absurd. They wouldn't even make it hard. Once the almost exclusive domain of major national governments, the development and use of encryption technologies have spread worldwide. Encryption has been built into literally hundreds of millions of systems, including all ecommerce servers and almost every web browsing program. The Internet makes hundreds of encryption programs available from thousands of sites around the world. Approximately three dozen countries, including some in the Third World, produce commercial encryption products. Even if the US completely banned civilian encryption, it would still be available to terrorists from dozens of other countries. Even if all countries banned civilian encryption, it would still be available via underground Internet sites similar to the thousands that disseminate illegal images and pirated software. Even if all the underground sites were closed down, terrorists could create their own encryption software. While this would take some elementary programming knowledge, it would be entirely practicable for a determined and resourceful attacker.

Regulation can NOT prevent terrorists from acquiring strong encryption. While strong encryption is mission critical for US national security in general, it is particularly essential for the homeland protection of businesses and individuals -- the most prominent targets of last week's terrorist attacks. Encryption systems protect critical infrastructure such as telephone networks, power grids, banking networks, and air traffic control systems. Encryption is also used to protect credit card transactions, Internet sites, intellectual property, corporate computer networks, healthcare databases, personal communications, automatic teller machines, burglar alarms, postal meters, and other systems from breaches of confidentiality, fraud, and manipulation. It is widely deployed by companies to protect their information assets and secrets, especially with computing devices like laptops, which are likely to travel outside the corporate security perimeter.

It may be abhorrent, but, for a moment, think like a terrorist planning an attack. The first step is to identify your target. The second step is to find out as much about the target as possible. Steal as much information as possible about the target. You might know, for example, that a typical corporate laptop contains a treasure trove of intelligence: business locations, names and contact information, passwords to get into the corporate network, customer lists, sensitive business and product plans, etc. Strong encryption is an essential barrier that prevents terrorists and criminals from taking this step toward their targets.

Many companies rely on strong crypto to help guarantee security. On the other hand, few will want to rely on encryption burdened with back doors. How many thousands of individuals would have access to the "master key"? How would we prevent terrorists from taking control and using key recovery features against us? While appealing from a political point of view, back door solutions with key recovery or key-escrow systems are not only impossibly complex and costly, they would subvert US national security even as the country prepares for war. Any attempt to ban strong crypto or to insert systematic covert access into cryptosystems could leave huge swaths of US computing systems extremely vulnerable to a wide range of attacks both large and small.[7]

While regulation has NOT and can NOT stop terrorists from using strong encryption, and while encryption is critical to the defense of civilian systems, law enforcement is not powerless. Even without back door or key-escrow systems, law enforcement has had repeated success in being able to access criminal data protected by encryption. As part of the investigation into the 1993 World Trade Center bombing, authorities seized a computer belonging to terrorist Ramzi Yousef and were able to decrypt plans to sabotage eight commercial airplanes. As part of an investigation into the murder of US Marines by Bolivian terrorists, law enforcement was able to crack the terrorists' encryption and apprehend the guilty. In 1995, authorities in Japan found that computers used by the death cult Aum Shinri Kyo were protected with the RSA cipher. Fortunately, they also found the key on a floppy disk.[8] Just this year, the FBI deployed a classified eavesdropping technology to break documents encrypted by Nicodemo S. Scarfo, the alleged mastermind of a loan shark operation in New Jersey.[9]

Rather than fighting a losing battle against strong encryption, and passing legislation that only perpetuates a false sense of security while diminishing actual security, the US government should continue and expand its massive investments in its cryptologic capabilities. Now is the time to further develop US core competencies in code-breaking, computer forensics, and information warfare. Sustained efforts in this area will have far more impact and security value than poorly-reasoned and ineffective legislation that could very well have the secondary consequence of stripping the US of critical protection at the time it needs it most.

RESOURCES

If you're concerned about possible encryption restrictions and other threats to the freedoms enumerated in the US Constitution, check out the Electronic Frontier Foundation at http://www.eff.org/

Detailed information about legislative proposals is presented by the Center for Technology & Democracy: http://www.cdt.org/security/091101response.shtml/

If you wish to offer financial support to the victims of the September 11 terrorist attacks and their families, check out American Liberty Project, a new web site announced recently by President George W. Bush. If you're concerned about offering your credit card online, don't be: the American Liberty Project site protects visitors with strong encryption software, courtesy of the ubiquitous Secure Sockets Layer (SSL) standard: http://www.libertyunites.org/

REFERENCES

[1] The FBI has made this argument so many times it's repeated in the Frequently Asked Questions section on its web site: http://www.fbi.gov/fbinbrief/faqs/faqsone.htm

[2] Calls to further regulate encryption are covered in these news stories:

"Congress Mulls Stiff Crypto Laws", Declan McCullagh http://www.wired.com/news/politics/0,1283,46816,00.html

"Senator calls for encryption crackdown", Wendy McAuliffe http://www.zdnet.com/zdnn/stories/news/0,4586,2812463,00.html?chkpt=zdnnp1tp02

"Did Encryption Empower These Terrorists? And would restricting crypto have given the authorities a chance to stop these acts?", Steven Levy http://www.msnbc.com/news/627390.asp

[3] Gregg's remarks on encryption can be found in the Congressional Record: September 19, 2001 (Senate). Surf to http://www.access.gpo.gov/congress/retrcrpg.html and retrieve Page S9469.

[4] Kyl's remarks on encryption can be found in the Congressional Record: September 13, 2001 (Senate). Surf to http://www.access.gpo.gov/congress/retrcrpg.html and retrieve Page S9374.

[5] "U.S. citizens back encryption controls" http://news.cnet.com/news/0-1005-200-7215723.html

[6] These three assumptions are presented and debunked in the Pacific Research Institute for Public Policy's report "U.S. Encryption Policy: A Free-Market Primer", Justin Matlick, 1998: http://www.pacificresearch.org/fsheet/encrypt/part4.html

[7] For an overview of the risks of systematic, covert access to cryptosystems, see "The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption -- A Report by an Ad Hoc Group of Cryptographers and Computer Scientists". PDF version: http://www.crypto.com/papers/escrowrisks98.pdf HTML version: http://www.cdt.org/crypto/risks98/

[8] Matlick 1998. http://www.pacificresearch.org/fsheet/encrypt/part4.html

[9] "Scarfo: Feds Plead for Secrecy", Declan McCullagh http://www.wired.com/news/politics/0,1283,46329,00.html




Copyright © 1999-2011 Seth T. Ross. All rights reserved.