Event
Summary
On January
12th, the Department of Commerce's Bureau of Export Administration announced
revisions to its encryption export control policy. The revisions allow U.S.
companies to increase the key length in exported enterprise encryption products
from 40 bits to 56 and 64 bits. The new regulations allow for "retail" encryption
products up to any key length to be exportable, except to the designated terrorist
nations: Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
Though
this is a step in the right direction, it does not go far enough to enable U.S.
crypto companies to compete in the global Internet marketplace. As well, it
does not give U.S. companies, research firms, and institutions of higher learning
much incentive to develop stronger encryption algorithms.
Market
and Societal Impact
Without capital incentive to innovate, U.S. companies will inevitably see lost
opportunities in the worldwide crypto market. Today U.S. encryption companies
hang their head as European counterparts relish in the fact that American encryption
products are forced to be weak by law.
The
original encryption export restrictions came about because U.S. law enforcement
agencies believed that commercially available encryption products would be exploited
by criminals and terrorists, thus endangering public safety and U.S. national
security. The FBI has been a leading advocate of export controls on encryption
products, claiming that enabling criminals and terrorists to encrypt data makes
it too difficult for law enforcement agencies to obtain and decipher the encrypted
content. Once a criminal or terrorist is on American soil, the argument becomes
moot since it is legal to purchase strong encryption products locally.
Though
the U.S. export restrictions on encryption products have been well meaning,
they inevitably do not prevent criminals and terrorists from encrypting fraudulent
or exploitive information. There are enough encryption companies in Canada and
European countries that are not subject to encryption restrictions that obtaining
strong encryption products in foreign markets has become a cakewalk.
In
the end, U.S. encryption companies pay the price by seeing millions of revenue
dollars go to foreign entrepreneurs. As well, huge tax dollars are lost to foreign
nations. These lost tax dollars could be spent equipping domestic law enforcement
agencies with proper cybercrime fighting technology tools, and offering salaries
high enough to attract some of the security mavens found in private and publicly
held domestic corporations.
Since
"retail" encryption products will be exportable to all but the T-7 terrorist
nations, this means that the strongest U.S. encryption products sold will be
available on foreign retail shelves for criminals and terrorists to purchase,
but not available on the foreign market for legitimate foreign multi-nationals
to purchase.
While
the U.S. government is rightly concerned with public safety and national security,
export controls on encryption products is not actually making the world a safer
place. These restrictions need to be abandoned and replaced with more effective
ways of protecting our national infrastructure and public safety. It would be
nice if aberrant behavior could be controlled by software products and their
distribution. History, however, has shown that restricting the sale of enterprise
encryption products has not been an effective way to deter criminal behavior.
The
current fear and associated governmental restrictions are akin to the privacy
alarms that went off when cameras first debuted as image capturing devices in
the 1890s. Just as cameras have added value to world cultures and security initiatives
based on imaging, so to can encryption technologies. We need to enable foreign
enterprises to take advantage of our encryption technologies so that they can
assist both domestic and foreign law enforcement agencies in keeping ahead of
criminal underpinnings.
Instead
of restricting and tracking software, what we need to do is restrict and track
individuals who exploit technology advancements. If approached from a different
perspective, U.S. federal agencies could harness the talent and advancements
they are hindering, by using appropriate tax dollars to enlist the assistance
of expert cryptographers towards a common goal of safety, security, and economic
prosperity. It is only after domestic law enforcement agencies learn to work
with expert cryptographers, instead of against them, that we will be better
able to thwart technology exploitive behavior .
Recommendations
The Bureau of Export Administration needs to relax the enforcement of encryption
export laws enough to allow U.S. corporations to compete in worldwide encryption
markets.
Federal
and local law enforcement agencies need to partner with cryptographic innovators
and their institutions in order to better understand the technology.
Tracking
and restricting high-risk individuals (whether foreign or domestic) who exploit
technology advancements will contribute more to safety, security, and economic
prosperity than tracking and restricting software.
Federal
agencies and local law enforcement agencies need to increase their security
budgets in order to attract expert security professionals from the private sector.
Multimillion-dollar
security corporations need to lobby legislators to market enable U.S. encryption
sales.