[2455] in cryptography@c2.net mail archive
[Cdn] Industry asks: What price security?
daemon@ATHENA.MIT.EDU (Anonymous)
Wed Apr 8 22:03:35 1998
Date: Wed, 8 Apr 1998 21:54:07 +0200 (MET DST)
To: cryptography@c2.net
From: nobody@REPLAY.COM (Anonymous)
The Ottawa Citizen
Wednesday, April 8, 1998
(High Tech Supplement)
Industry asks: What price security?
Customer confidence in having safe Internet runs up against need to control
illegal activities
When Julius Caesar sent commands to his
generals more than 2,000 years ago, he
encrypted the messages by shifting the
letters of the alphabet a set number of
characters.
This system was considered
state-of-the-art, but it was also
relatively easy to decrypt. In fact, in
wasn't until fairly recently that
computers allowed for the development of
virtually impenetrable encryption.
Last summer, 78,000 Internet computers
collaborated on a project to decode a
message encrypted with Data Encryption
Standard (DES), a mathematical formula
that uses a 56-bit decryption key. The
effort took 96 days.
Cracking a message encrypted with more
advanced 64-bit technology would take considerably longer -- an estimated
67 years, according to a recent federal document.
Such technical virtuosity is richly appreciated by individuals and
corporations that value privacy. It has also triggered huge growth in
electronic commerce, which depends heavily on customers' confidence that
their transactions will not be tampered with.
However, security for customers has a flip side. The more secure the
system, the more difficult it is for law enforcement agencies and
international electronic monitoring agencies such as the federal
government's Communications Security Establishment to track and control
illegal activities.
At the moment, the balance of power lies with the enforcement agencies. Not
only are there a variety of restrictions on the ability of encryption
software companies to export their products, but enforcement agencies,
especially in the U.S., are pressing for the right to compel all
corporations to back up their digital data and provide access to the
encryption keys that unlock it.
The burgeoning Canadian cryptography industry is naturally concerned that
such restrictions will hurt it.
The top dozen or so Canadian cryptography firms posted an estimated $125
million in sales last year, according a recent federal survey, with sales
expected to top $750 million by 2000 -- assuming the firms are reasonably
free to ply their trade.
Here's the problem: Canada is one of 33 countries that in 1995 signed the
Wassenaar Agreement, which provides a framework for dealing with security
threats in the wake of the fall of the Soviet Union. Under this agreement,
Canada has agreed to restrict exports of encryption products to most
countries. The United States, a close ally, is an exception. There is free
trade in cryptography products across the U.S.-Canada border. Not
surprisingly, the U.S. has emerged as the major market for most Canadian
firms that specialize in security products.
However, the same group of companies is trying to boost exports to Europe
and Asia in the face of the Wassenaar requirement that such sales be
accompanied by export permits. Getting rid of these restrictions would give
Canadian firms an edge over their U.S. counterparts in these markets --
which is why the U.S. would view a unilateral move by Canada very
unfavorably.
The federal government recently began trying to devise a new cryptography
policy that will allow Canada's young cryptography industry to thrive
while, at the same time, giving law enforcement officials some confidence
they'll still be able to decode electronic files in a new era of 128-bit
technology.
A working group in Industry Canada is accepting submissions from all
parties until April 21. A dozen representatives from the country's top
cryptography firms met last week in Ottawa to prepare a joint response.
The public meeting was sponsored by industry giant Entrust Technologies
Inc. and moderated by Alan Pickering, the former director-general of the
Communications Security Establishment. The Citizen's senior technology
writer, James Bagnall, attended the proceedings. The following is an edited
digest.
Alan Pickering: The federal government wants Canada to be a world leader in
electronic commerce by 2000. To achieve this, we must expand the use of
electronic commerce internally within Canada as well as globally.
Therefore, we must have global market access. Canada also has a desire to
be recognized as best in class in the electronic commerce world. Companies
around this table have gone a long way in making that happen already. On
Feb. 23, Industry Canada set out a number of possible options.
There are three topics where the government particularly asked for input:
* How should it approach the encryption of stored data?
* What controls should be in place for real time communications (such as
phone conversations)?
* What controls should exist for exports?
Brian O'Higgins, executive vice-president and chief technology officer,
Entrust Technologies: We believe the export controls should be eliminated.
We believe there should not be any mandated (system) that would give the
government automatic access to encryption keys. What law enforcement
officials would like is access to encrypted data, any time, anywhere in the
world: Effectively, they have a copy of everyone's encryption key nicely
available to them; they could just go in and get it. So that would be their
ideal.
And on the other end of the spectrum are freeware products that sit on the
Internet. One example is Pretty Good Privacy -- it will encrypt data and
there are no keys stored (which would give law officials access to the
data). If products like PGP were around everywhere, that would really
create a problem for law enforcement.
But commercial cryptographic products will start to emerge (to address this
problem). In fact, Entrust is a very good example -- we encrypt data for
storage, and the ability to recover the key is built right into the
product. If law enforcement officers need to get access to the key, they
would simply knock on the door of the company and we will give it to them.
And we believe that this meets say, 90 per cent of all the law enforcement
requirements.
Phil Deck, chief executive, Certicom Corporation: You could easily afford
to have a government mandate that says companies do have to take steps to
make information available. I don't think that's terribly different from
what Brian said, but the government shouldn't put in place a system that
tells companies how they will make information available should that
request ever come through a warrant.
The way that cryptography or information should or may be regulated in
Canada is completely separate from the way Canadian companies have to go
out and sell their products around the world. If we are going to have a
Canadian cryptography industry, 95 per cent of our product sales will come
outside of Canada, so what Canada decides to do domestically should have
very little to do with how we build and market our products. We can't build
our products in a way that is just for Canada.
But when we regulate encryption for export, that's totally different. No
one's going to buy products if the Canadian government has control over the
keys. The U.S. is the big issue (because it would like to see such a policy
implemented in Canada and the U.S.) We may not like or agree with some of
the policies in the U.S., but we have to make sure that this market remains
open for cryptography products because for all of us it's our biggest one.
So if we can liberalize (our export laws) to the extent possible without
retaliation from the U.S., then I think that's in our interest.
Ron Walker, chief executive, KyberPASS Corp: KyberPASS is in the virtual
private network software technology field, and we are exclusively dealing
with real-time data transmission encryption. The big issue right now for a
startup is that we are basically starving to death waiting, not just for
the government to make up its mind, but for us all to understand how we are
actually going to export this technology.
We're forced into uncertainty when we are dealing with new opportunities to
sell the product to a customer. My resellers in Asia and Europe explain
Canada's export policy to our potential customers and then we go through a
process of getting approval. The delays are promised to be something like
five days for a standard cryptography product; it turns into two months,
and meanwhile the leads disappear.
The other thing is, we're really selling to a commercial grade customer --
56-bit DES has to solve their requirement nine times out of ten, or they
are not going to buy the product. They'll buy something stronger. They
don't know and we don't really know for sure what the Canadian government
is going to approve after June (when the trial period allowing the export
of 56-bit encryption technology expires), so it's tough to be new in this
business when you're not really sure what the rules are going to be three
months from now.
This issue of 56-bit DES -- we would really like to see a blanket permit on
behalf of Canadian manufacturers. Then we would have a level playing field.
Right now a month's delay in getting approval can be the difference in
winning or losing a bid. That is an issue, especially when you have any
kind of bureaucracy involved with the approval process. It also introduces
unfair access in a sense that larger companies can endure a bureaucratic
delay better than smaller companies.
Alan Pickering: Comments on Ron's statements?
Brian O'Higgins: Yes, I wanted emphasize that the Canadian government tries
very hard to work with industry to eliminate delays -- export delays and so
on. Occasionally there's a rough spot if a new question comes up that is
maybe not covered by current policy. Then a delay occurs. A delay to a
small company is death. You just can't hang on.
Phil Deck: The Canadian government works very hard to try and deal with
these issues, but the policy right now is pretty subjective. And there are
a lot of different issues that have to be taken into account, and so it is
hard to get a fast response.
Ron Walker: I'm not necessarily bashing the government. They do in fact
work hard and they've always been very helpful. But the policy exists.
My point was that the export policy appears to be quite clear but there is
an awful lot of subjectiveness in how long its going to take to get an
approval for an export permit. The delays exist. We experience them. And
even if I knew it was always going to be four weeks, that would be okay. I
just don't ever know.
Alan Pickering: When you talked about wanting to have a defined time to get
an answer, a lot of heads were going up and down around the table. So it's
obviously a concern and incumbent upon the government to see what it can do
to speed up the process, or at least try to provide some defined time of
when you can get an answer. David?
David Jones, president, Electronic Frontier Canada: Electronic Frontier
Canada is a federally incorporated non-profit organization. We are firmly
opposed to any policy or legislation that would limit or prohibit the
manufacture, import, export or use of strong (i.e. 56 bit and above)
encryption for either stored data or real time communications. It's our
opinion that the most stringent policy options outlined in this framework
document would be unconstitutional, harmful to Canadian society,
detrimental to the Canadian economy, and in the end simply unenforceable.
A lot of the proposed restrictions on cryptography are based on the largely
speculative and somewhat imaginative risk of international terrorists and
organized criminals using cryptography to communicate in secret. The
greater risk to Canada is if we force Canadians, Canadian companies, and
government departments to rely upon weak encryption.
Lynn Anderson, enterprise marketing manager, Hewlett Packard Canada:
Encryption is a critical enabling technology for e-commerce. We have
reached the point in the commercial demand for encryption where continued
delay in resolving the policy issues, is becoming a serious impediment to
its deployment.
HP supports policies that depend on market drivers to facilitate the
inclusion of law enforcement access mechanisms. As a practical matter, the
cost of such features will be manageable if law enforcement finds ways to
draw on features that exist solely by the virtue of market demand.
Furthermore, regulations should be kept to an absolute minimum.
Meaningful export control relief is required now. The widespread
availability of encryption products, as well as the technical wherewithal
to create new ones, suggests the effectiveness of controls is greatly
diminished. Continuing the controls as they are, may damage Canadian
industry's competitiveness.
For most communications systems today, encryption is only used to secure
transmissions over the air. Once in the public network, the transmissions
are decrypted. So long as this remains true, no changes are required. If
more restrictive laws are chosen, they must be written to apply evenly
across all affected industries and should not specify any particular
technological approach.
Ron Koblovsky, vice-president, Marketing, Milkyway Networks: Each of us
here is motivated by the opportunity to share in a piece of the information
security pie that by all accounts will be very large. The issue is not
whether or when the market opportunities will emerge, but will Canadian
companies like MilkyWay be allowed to emerge on the world stage and reap
the benefits of the emerging market opportunities.
My plea in response to the government request for feedback is "Give us a
level playing field on which to compete."
Design and manufacturing capabilities are emerging in many nations.
Existing government policy is inconsistent, complicated and open to
interpretation. Despite good intentions, the result is often a time
consuming and barrier-ridden bureaucracy. As a result we have found
ourselves in competitive situations where time is of the essence and our
inability to respond quickly puts us at a competitive disadvantage.
Companies like Network Associates of Islandia, New York, have found ways to
get around the export issue through a Netherlands subsidiary. Sun
Microsystems tried something similar with a Russian company. In the absence
of clear policy or direction and in the face of growing revenue
opportunities, companies will find ways to circumvent or bend the rules to
their own purpose.
Brian O'Higgins: What Network Associates has done to get around U.S. export
law deserves more emphasis. In this case, it was the Pretty Good Privacy
product. It is not possible to export that since it uses 128-bit
crypto-graphy, but Network Associates published the source code in a text
book with machine-readable fonts. Printing a textbook is not illegal; it's
public domain information, so it goes around the world.
What we need is a made-in-Canada policy. We've heard a couple comments here
that while Canada probably doesn't want to annoy trading partners and the
U.S., it should follow U.S. policy. Well, there's an example of a total
workaround under U.S. regulations, and we need a made-in-Canada policy that
is good for Canadians and good for Canadian companies.
Benita Baker, manager of marketing communications for Chrysalis-ITS: This
whole notion of a level playing field affects us a great deal. Most of our
products are greater than 56-bit DES. We require export permits for just
about everything we do. We had an incident whereby a subsidiary of an
American company in Japan wanted our products and we could not get an
export permit to send it there; in order to get around it, we had to ship
our product to the U.S. company, which then shipped it to Japan.
That was kind of frustrating, to say the least. One of the things we've
come to realize is that at this point similar products to ours are
available through U.S. companies that have been able to get around the U.S.
regulations, which are at this point a bit more lenient than ours.
U.S. companies for the next two years can export greater than 56-bit DES
provided they make satisfactory commitments to develop and market
(encryption) key recovery products. That's funny, because it makes it so
easy for American companies to get around the current restrictions. There's
even one company that boasts about the fact that they've been able to get
around the U.S. policy and it will help people to do the same. So this is
the kind of issue that we're up against on a regular basis.
Alan Pickering: Thank you Benita. It's interesting. If products are
available in foreign countries, you as a Canadian company have already lost
a lead if you will, and you're now in a catch-up mode. Brian?
Brian O'Higgins: Yes, I just want to really emphasize that one. In the
Internet world, the rule is, the first company in, wins.
Paul Van Oorschot, chief scientist, Entrust Technologies: Regardless of
what ends up happening with U.S. policy, people will be able to buy
crypto-graphy elsewhere. If we're just going to follow the U.S., it might
mean that we just have to give up on trying to be number one.
Tim Hember, chief executive, TimeStep Corp: The problem here is that the
U.S. has a written policy that differs from a kind of a backdoor policy
that governs what companies do. So we can't define our policy based on
their written policy because we'll always be playing catch up.
Phil Deck: One of the problems with the whole export control debate is its
always been centred in the U.S., though export control happens everywhere.
One good thing the Canadian government could do is to work much better with
other developed countries so that at least we could have the same kind of
relationship with the U.K., Germany and Japan that we have with the U.S.,
where there's an open border. Maybe its better to make the debate a little
more specific to where the real markets are.
Alan Pickering: Okay, Dermot do you want to make a few comments?
Dermot Kavanagh, manager, regulatory standards, Nortel: Nortel recognizes
and supports the need to balance the interests of electronic commerce,
privacy and law enforcement, but we also believe that while Industry Canada
is trying to do this, there are a few other things that it needs to throw
into the equation.
The cost of managing this balance must be sustainable, and any legislation
or regulations that are introduced must be simple to understand and
implement. They must not put Canadian industry at a competitive
disadvantage and must not prevent Canada from being the world leader in
electronic commerce.
Tim Hember: I want to take a shot at this. I'm representing TimeStep in
making five recommendations.
* Number one: Do not restrict the use of export of cryptography by
strength of security. Technology advances have driven and will
continue to drive demand for stronger security. Controls that are tied
to security levels often lag behind technology and commercial need.
And they lag behind solutions that are available from other countries.
* Second, do not make any policy distinction based on type of solution.
The result of cryptography is the same whether encryption occurs in
software or hardware.
* Number three. Do not restrict export of cryptography by application
but do restrict exports by country.
* Number four. Promote the use and export of Canadian security products.
Furthermore, promoting the use of Canadian security and communications
solutions versus solutions from other countries gives the Canadian
government intelligence agencies visibility, access, understanding and
control of solutions deployed internationally.
* Number Five: Canada's government should explore all methods of access
(to encrypted data) that are permitted under existing law before
creating new laws. If lawful state access cannot be satisfied by
existing law and if this is essential for government to promote the
use and export of commercial security solutions, then TimeStep will
consider supporting the development and implementation of key recovery
methods (i.e. ways of ensuring that encryption keys can always be
found when necessary).
Paul Van Oorschot: The Wassenaar arrangement actually says that permits are
required for certain technologies, and cryptography is one of them.
However, it doesn't say that you should or should not grant an export
permit.
One of the problems with this arrangement is that some countries implement
the Wassenaar arrangement by saying, "Yes, we need a permit, send us a
letter, here's your permit."
And other countries say, "Yes, you need a permit," so you request one and
then they say, "Well no, in fact, that's not allowed to be exported." So
just requiring a permit is very vague and we need to have the details on
not only whether a permit is required, but will one be granted, and if so,
what are the conditions under which it will be granted.
Tim Hember: I agree Paul. I'm recommending liberalizing within the
framework of the Wassenaar arrangement.
Alan Pickering: OK. Do you have anything to say, Todd?
Todd Finch, president of Netscape Canada: I think a lot of people around
the table know Netscape's views. Our chief executive, Jim Barksdale, has
stated numerous times both in front of Congress and to the public that the
regulation and policy of encryption should not be managed by governments.
We think there needs to be regulatory control, but we don't think the
policies should be mandated by federal governments.
Alan Pickering: Certainly from what we've heard so far, it would appear
that the general consensus is no controls. If your view is that you simply
want to sell, then that's the easiest and the best way to go. There might
be some concern on the part of the people in the federal government who
have to deal with other countries, and they've already signed agreements on
how some of these things will be done.
Earlier, Phil had made a comment about Canada getting too far out of step
with the U.S. in particular. And it's something that I think companies
should be considering. While if Canada took an approach that no controls
were in place. How would the U.S. react?
It has been stated that the U.S. government has found ways around
regulations when it suits its purposes and those of U.S. firms. There's
evidence of that having occurred. By the same token, I think it's clear
from what we've seen and from the way the U.S. operates in the world that
they could be very tough in dealing with people to try to make them accede
to whatever objectives they have within the U.S.
And as Phil indicated, it's possible that if Canada went too contrary to
what the U.S. objectives are, it's possible that a lot of business could be
lost in the United States. So I think you should ask yourselves if you can
still survive by selling your products to countries other than the U.S.
Maybe other countries will say "If the U.S. won't buy your products, we
won't either." I'd like to hear some discussion on that concern.
Robert Koblovsky: Right now, the United States represents about 60 per cent
of the worldwide market for my products so, sure, I want to have access to
that market. It also happens to be the most competitive market in the
world. So there are pluses and minuses. Looking ahead, Europe is probably
the fastest growing market for this kind of technology. I know that doesn't
answer your question Al.
Alan Pickering: I'm not sure there is an answer. (Laughter)
Robert Koblovsky: I'd like to play in all of those market places but the
point here is really, we want an unfettered marketplace where we can freely
trade our goods. That's our first choice. In the absence of that, we'd like
to be sure that the rules and regulations are consistent.
Alan Pickering: I guess the problem the government faces in trying to
create a level playing field, in my view, is that the people who have been
involved in the past thought they were doing exactly that. What you are
saying is that the playing field is not level because of how the rules are
being interpreted or circumvented.
Phil Deck: If you think the Canadian policy or its application is
subjective, it's ten times worse in the U.S. When you're competing against
an American company, you don't know how it's going to play out because you
don't know how the company will be treated under the rules.
And my comment about the U.S. government was not that we should follow U.S.
government policy. It's that we just have to take it into account. And I
just don't know why the other developed countries don't do more to try and
co-operate to try to É counter the power of the U.S.
Clearly the computer industry is based in the U.S. There's a lot of
influence there, but we're not the only country in this position. The U.K.,
Germany and other countries are trying to battle the same issues and have
the same interests as ours. There could be more co-operation between those
countries.
Alan Pickering: Brian?
Brian O'Higgins: I'm still considering your comments about the U.S.
position. Yes, we have to consider it, but let's not get too paranoid about
it all. If the U.S. doesn't like products from Canada, one approach they
might take is to implement import restrictions. That's extremely unlikely.
Of course, the U.S. government could decide what it wants to purchase and
that, absolutely, that's a very useful tool. But the U.S. is such an open
market that people are going to buy what solves their problems and it's
very unlikely that there's going to be import restrictions.
Alan Pickering: Yes, I wasn't necessarily supporting the U.S. position, I
was being a bit of a devil's advocate, saying that people should go into
these things with their eyes open and make some assessment on what's the
likelihood of something happening and then go along with whatever you
decide.
Ralph Doran, vice-president of product development for JetForm Corp: We're
coming at this from a different perspective. We're a user of security
technology, not a provider. And what's really driving us isn't governments
or countries or the desire to get into specific territorial markets, it's
global companies.
We primarily sell to multinationals. Many of them are U.S. based and
they're driving us to put security features into our technologies because
they don't see borders. They don't want to implement special technologies
or solutions. So anything that any government is doing that slows the
adoption rate of the technology hurts everybody.
I would look to global companies like Coca-Cola and McDonald's and so on to
provide pressure on the U.S. and other governments as well as the industry
itself. We've got some allies in that field.
Phil Deck: I disagree. U.S. multinationals can buy technology and deploy it
anywhere without restriction, so it's a little harder to get their support
because Coca-Cola can put absolutely strong encryption in everywhere they
operate for their own use. So it's really in dealing with foreign companies
that are located other places that we all get into trouble.
And we have a particular problem because we are an original equipment
manufacturer (i.e. Certicom's products are embedded in other firms'
products) so a lot of our U.S. customers intend to then re-export their
product everywhere else in the world. I suspect if the US government gets
upset with us, then that would make our lives more difficult.
Alan Pickering: One of the additional topics the (Industry Canada) paper
asks us to look at is what government action could accelerate rollout of
infrastructure for secure electronic commerce? And I guess, one of the
answers that's been provided already is "Get out of the way." Is that sort
of a fair summation of the views around the table?
Tim Hember: They can also promote the proliferation of solutions by their
own use. And they are doing that.
Dermot Kavanagh: Yes, the government can stimulate the building of
infrastructure by being a role model in the use of electronic services in
its dealings with the public.
Alan Pickering: I interpret that as to get out of the way. (Laughter around
room.)
Brian O'Higgins: As Tim mentioned, I think the government has a very strong
club: its own clout and purchasing power. Government departments are huge
and if they are looking to buy an electronic messaging system or whatever,
its enough of a bulk purchase that vendors would jump through hoops to
provide what it is that they want. Their biggest club, for sure, is their
purchasing dollars rather than their legislative approach.
Alan Pickering: When I said get out of the way, I meant as far as controls
are concerned and so on. And certainly it has been the government policy
for a number of years now to provide that leadership that you've been
talking about, Tim, in the introduction of the public-key infrastructure (a
system that encrypts electronic messages across the federal government and
determines who is permitted to send and receive them). There is also the
government's commitment that it will operate and provide services to
Canadian citizens electronically certainly by the year 2000.
We're supposed to have PKI implemented by the end of 1998. It will operate
between certain departments and then outside of government. There's a lot
of discussion going on between the government and the provincial
governments and the municipal governments as well about how can they
operate together. Of course it's required that good technology and
appropriate technology is on either end of communications and distribution
of information. So there's a lot of leadership I think coming from
government along that line.
Brian O'Higgins: That's absolutely right. The Canadian activity in public
key infrastructure is world leading. I don't think the impact is really
appreciated in a lot of industry. But it's such a major, major benefit.
Electronic commerce can't happen unless you have strong security. And to
get strong security you need an infrastructure to really support that. So
Canada will be first in the world with that infrastructure.
And of course the whole world is going to implement electronic commerce for
all types of transactions. Canadian companies are going to benefit
tremendously because they are going to be the first ones to provide all
these extra applications that help people get on board.
So, Canada has done a tremendous amount and I just don't want to see
leadership squandered by a policy that says "We want to follow." We really
need this made-in-Canada policy to help keep things rolling.
Tim Hember: I'm just curious. Is what I hear from people here that we are
prepared to take the wrath of the United States and go out on a limb and
propose a policy that liberalizes it significantly within the Wasenaar
arrangement?
Alan Pickering: Well, that was basically the question I was putting to the
table: The consequences that should be faced. Looking at the three areas of
discussion, from what I've heard, this group favors a market-driven
approach to the encryption of stored data in corporations.
There should be no mandate by the government, in other words, that
companies within Canada should be required to keep digital information
backed up through key backup and all the rest of it. I believe that's what
I heard.
With respect to the encryption of real-time communications, I believe it's
the opinion of the group that current laws and procedures should remain.
However, there should be selective discussions and applications of rules
that would require communications service firms to provide access when
required for law enforcement purposes.
I guess one question that comes to my mind there. It used to be that
communications were usually on copper wires. Now communications travel all
sorts of ways.
Is it appropriate that there be one regime for the electronic commerce side
of things but something else for common carrier communication systems? Just
a question. But certainly what I heard was the status quo should be
maintained.
With respect to exports of cryptography, there should be no controls;
that's what most people seemed to favour, if not everybody.
Certainly the government should make sure there's no competitive
disadvantage to Canadian companies when they are dealing w \ldots
------------------------------------------------------------------------
Copyright © 1998 by The Ottawa Citizen. All Rights Reserved.
