Strong Country, Strong Crypto
By Seth Ross
For years, US law enforcement agencies have pushed for "back door"
access to encryption systems, arguing unsuccessfully that strong
encryption hinders their ability to hunt down terrorists and criminals.
In the aftermath of the horrific September 11 terrorist attacks
on US civilian and military targets, these discredited arguments
are gaining new currency. Despite the terrifying rush to war and
the justified rage in the face of huge civilian losses, it's vital
that decision-makers not rush to judgment and needlessly damage
our nation's security posture by targeting one of the most valuable
tools in our domestic security arsenal: strong encryption.
Fueled by anxiety, the raw desire to "do something," and a cascading
series of technical misunderstandings, the US government could decide
to stiffly regulate or even ban strong encryption technologies.
At least one powerful US senator, Judd Gregg of New Hampshire, has
advocated the inclusion of back doors in encryption products. These
would theoretically allow authorized government agents covert and
rapid access to the plaintext of encrypted communications. "In the
area of encryption," he's argued on the floor of the US Senate,
"we need to have a new regime." His remarks
were echoed by Senator Jon Kyl of Arizona: "With things such as
encryption ... Times are a changing."
According to recent poll results, 72 percent of Americans believe
that anti-encryption laws would be "somewhat" or "very" helpful
in preventing a repeat of last week's terrorist attacks.
This potential push to impose further restrictions on the development,
dissemination, and use of encryption technologies is based on three
- Regulation can prevent terrorists from acquiring strong encryption.
- Regulating encryption will not harm the information security
of US businesses and individuals.
- If encryption is not strictly regulated, then US law enforcement
will be powerless to stop encryption-using terrorists.
None of these assumptions are valid, and the result of further
encryption regulations will almost certainly be opposite of the
government's intent: it could weaken our defenses against terrorism
at the time we need them most.
The idea that further regulations can prevent terrorists from
getting strong crypto is patently absurd. They wouldn't even make
it hard. Once the almost exclusive domain of major national governments,
the development and use of encryption technologies have spread worldwide.
Encryption has been built into literally hundreds of millions of
systems, including all ecommerce servers and almost every web browsing
program. The Internet makes hundreds of encryption programs available
from thousands of sites around the world. Approximately three dozen
countries, including some in the Third World, produce commercial
encryption products. Even if the US completely banned civilian encryption,
it would still be available to terrorists from dozens of other countries.
Even if all countries banned civilian encryption, it would still
be available via underground Internet sites similar to the thousands
that disseminate illegal images and pirated software. Even if all
the underground sites were closed down, terrorists could create
their own encryption software. While this would take some elementary
programming knowledge, it would be entirely practicable for a determined
and resourceful attacker.
Regulation can NOT prevent terrorists from acquiring strong encryption.
While strong encryption is mission critical for US national security
in general, it is particularly essential for the homeland protection
of businesses and individuals -- the most prominent targets of last
week's terrorist attacks. Encryption systems protect critical infrastructure
such as telephone networks, power grids, banking networks, and air
traffic control systems. Encryption is also used to protect credit
card transactions, Internet sites, intellectual property, corporate
computer networks, healthcare databases, personal communications,
automatic teller machines, burglar alarms, postal meters, and other
systems from breaches of confidentiality, fraud, and manipulation.
It is widely deployed by companies to protect their information
assets and secrets, especially with computing devices like laptops,
which are likely to travel outside the corporate security perimeter.
It may be abhorrent, but, for a moment, think like a terrorist
planning an attack. The first step is to identify your target. The
second step is to find out as much about the target as possible.
Steal as much information as possible about the target. You might
know, for example, that a typical corporate laptop contains a treasure
trove of intelligence: business locations, names and contact information,
passwords to get into the corporate network, customer lists, sensitive
business and product plans, etc. Strong encryption is an essential
barrier that prevents terrorists and criminals from taking this
step toward their targets.
Many companies rely on strong crypto to help guarantee security.
On the other hand, few will want to rely on encryption burdened
with back doors. How many thousands of individuals would have access
to the "master key"? How would we prevent terrorists from taking
control and using key recovery features against us? While appealing
from a political point of view, back door solutions with key recovery
or key-escrow systems are not only impossibly complex and costly,
they would subvert US national security even as the country prepares
for war. Any attempt to ban strong crypto or to insert systematic
covert access into cryptosystems could leave huge swaths of US computing
systems extremely vulnerable to a wide range of attacks both large
While regulation has NOT and can NOT stop terrorists from using
strong encryption, and while encryption is critical to the defense
of civilian systems, law enforcement is not powerless. Even without
back door or key-escrow systems, law enforcement has had repeated
success in being able to access criminal data protected by encryption.
As part of the investigation into the 1993 World Trade Center bombing,
authorities seized a computer belonging to terrorist Ramzi Yousef
and were able to decrypt plans to sabotage eight commercial airplanes.
As part of an investigation into the murder of US Marines by Bolivian
terrorists, law enforcement was able to crack the terrorists' encryption
and apprehend the guilty. In 1995, authorities in Japan found that
computers used by the death cult Aun Shinri Kyo were protected with
the RSA cipher. Fortunately, they also found the key on a floppy
disk. Just this year, the FBI deployed a classified eavesdropping
technology to break documents encrypted by Nicodemo S. Scarfo, the
alleged mastermind of a loan shark operation in New Jersey.
Rather than fighting a losing battle against strong encryption,
and passing legislation that only perpetuates a false sense of security
while diminishing actual security, the US government should continue
and expand its massive investments in its cryptologic capabilities.
Now is the time to further develop US core competencies in code-breaking,
computer forensics, and information warfare. Sustained efforts in
this area will have far more impact and security value than poorly-reasoned
and ineffective legislation that could very well have the secondary
consequence of stripping the US of critical protection at the time
it needs it most.
If you're concerned about possible encryption restrictions and
other threats to the freedoms enumerated in the US Constitution,
check out the Electronic Frontier Foundation at http://www.eff.org/
Detailed information about legislative proposals is presented by
the Center for Technology & Democracy: http://www.cdt.org/security/091101response.shtml/
If you wish to offer financial support to the victims of the September
11 terrorist attacks and their families, check out American Liberty
Project, a new web site announced recently by President George W.
Bush. If you're concerned about offering your credit card online,
don't be: the American Liberty Project site protects visitors with
strong encryption software, courtesy of the ubiquitous Secure Sockets
Layer (SSL) standard: http://www.libertyunites.org/
 The FBI has made this argument so many times
it's repeated in the Frequently Asked Question section on its web
 Calls to further regulate encryption are covered
in these news stories:
"Congress Mulls Stiff Crypto Laws", Declan McCullagh http://www.wired.com/news/politics
"Senator calls for encryption crackdown", Wendy McAuliffe http://www.zdnet.com/zdnn/stories/news/0,4586,2812463,00.html?chkpt=zdnnp1tp02
"Did Encryption Empower These Terrorists? And would restricting
crypto have given the authorities a change to stop these acts?",
Steven Levy http://www.msnbc.com/news/627390.asp
 Gregg's remarks on encryption can be found
in the Congressional Record: September 19, 2001 (Senate). Surf to
and retrieve Page S9469.
 Kyl's remarks on encryption can be found in
the Congressional Record: September 13, 2001 (Senate). Surf to http://www.access.gpo.gov/congress/retrcrpg.html
and retrieve Page S9374.
 "U.S. citizens back encryption controls" http://news.cnet.com/news/0-1005-200-7215723.html
 These three assumptions are presented and debunked
in the Pacific Research Institute for Public Policy's report "U.S.
Encryption Policy: A Free-Market Primer", Justin Matlick, 1998:
 For an overview of the risks of systematic,
covert access to cryptosystems, see "The Risks of Key Recovery,
Key Escrow, and Trusted Third Party Encryption -- A Report by an
Ad Hoc Group of Cryptographers and Computer Scientists". PDF version:
http://www.crypto.com/papers/escrowrisks98.pdf HTML version: http://www.cdt.org/crypto/risks98/
 Matlick 1998. http://www.pacificresearch.org/fsheet/encrypt/part4.html
 "Scarfo: Feds Plead for Secrecy", Declan McCullagh