Finding the Key: Reconciling National and Economic Security Interests in Cryptography Policy
 
by Erik R. Olbeter and Christopher Hamilton, Economic Strategy Institute (04/1998)

 

Executive Summary

U.S. encryption policy has been debated as if it were a zero-sum game, pitting national security and commercial interests at odds with one another, but national security and economic interests should not be irreconcilable.

While policymakers, in response to markets, have tried making incremental modifications to U.S. encryption policy, it is now clear that the markets have undergone such radical change that a serious review of U.S. policy is necessary. In addressing that need, this study by the Economic Strategy Institute (ESI) documents how current and proposed policies fail to deliver comprehensive national security protection and, at the same time, significantly harm U.S. commercial interests.

ESI believes it is time to discontinue policies that have proved ineffective, and even detrimental, to America’s well-being, and consider a policy alternative that takes into consideration the legitimate needs of both industry and law enforcement agencies.

The Importance of Encryption

The need to protect electronic data and systems provides impetus for the development and proliferation of encryption technologies that scramble messages so that only authorized persons can gain access to the information. As demand for networking and electronic transactions has grown, so has the demand for, and production of, advanced encryption techniques.

The worldwide market for encryption products in 1996 was $2 billion. The U.S. market, representing slightly more than half the global market, topped $1 billion in 1996. Annual growth in this industry is projected to exceed 59 percent over the next five years, producing a worldwide industry that will be worth nearly $20 billion in the year 2002.

The importance of encryption goes far beyond its own revenue generation and lends itself to the growth of key sectors and industries. As an enabling technology for all digital markets and sectors, encryption is an important component of six major, current and future industries: computer software and networking equipment, telecommunications services, telecommunications equipment, computers and peripherals, electronic commerce, and financial services. In all, encryption is an indispensable part of the foundation upon which more than $938 billion in revenue is generated by the United States.

Moreover, encryption lies at the heart of the major growth markets within each of these industries: wireless communications, online banking, corporate intranets and extranets, financial smart cards, and much more. Each of these sectors is growing at a blistering pace. The computer networking industry, the fastest growing manufacturing sector in the country, is growing at 29.6 percent per annum. Telecom equipment and computer manufacturing are also among the top-ten fastest growing U.S. manufacturing industries. Each of these industries is dependent upon strong encryption for continued growth into the next century.

A Global Industry

Encryption is a global product and industry. As of September 1997, corporations and individuals could select from 1,601 encryption products from over 941 firms in thirty countries. Of this total, 653 products are made outside the United States by 472 foreign firms. Foreign encryption makers continue to outrank U.S. producers in number, to increase their product lines faster than do U.S. firms, and to market encryption products that are just as strong as those produced in the United States.

National Security Implications

Cryptography policy should certainly serve the interests of America’s national security, because that security is both threatened and bolstered by the use of strong encryption products. In the wrong hands, strong encryption can be used as a tool to hide illicit activities from law enforcement agencies. Conversely, encryption is a key component of security measures used to protect crucial national infrastructures, such as electricity grids, telephone networks, and defense-related databases, as well as sensitive financial, individual, and corporate information.

Law enforcement has been challenged by encryption technology, but not completely stymied by it. Other methods of law enforcement have been demonstrably effective in solving the majority of cases in which encryption blocked, either permanently or temporarily, the collection of some evidence. However, as encryption becomes more powerful and more available internationally, and as systems become more sophisticated and less vulnerable to attack, the collection of evidence from encrypted sources will pose increasing difficulties for law enforcement.

Current U.S. Encryption Policies

Current administration policies control the export of strong encryption. They allow exemptions only for software built with key-recovery mechanisms or for high-power, non-recoverable, encryption products designed for financial institutions. Anyone who receives a license must assist in the development and implementation of a key-management infrastructure. The goal of these policies is to prevent the widespread availability of strong encryption products outside of the financial community.

Unfortunately, current administration policies convey the worst of both worlds to the United States, jeopardizing both national and economic security. The current policy on export controls has had little-to-no discernible impact on the ability of law enforcement to act or the ability of firms to protect themselves from cyber-terrorists. Meanwhile, encryption products continue to be readily available from foreign sources and, therefore, the control of U.S. encryption does nothing to prevent a criminal from using powerful encryption to stymie law enforcement officials.

At the same time the encryption export controls fail to serve America’s national security interests, they also have damaging consequences for U.S. economic interests. Such policies exert a substantial negative impact on U.S. economic security by denying export opportunities to U.S. telecommunications, software, and computer companies and affording foreign firms an opportunity to get a foothold in the software security industry. The costs of export controls are borne by the U.S. economy in four ways: lost encryption product sales; slower growth in encryption-dependent industries; forgone cost savings and efficiency gains that otherwise could be expected from greater Internet, extranet, and intranet usage; and indirect costs.

Lost Encryption Product Sales

U.S. producers should be dominating the global market for these products. Instead, they are handcuffed by the government and forced to watch helplessly as foreign producers capture market share. ESI estimates that, if current government policies continue, U.S. encryption firms will lose between $1.78 and $8.90 billion in sales to foreign competitors over the next five years.

Slower Growth in Encryption-dependent Industries

Software that requires encryption in order to be functional will also see sales fall, as competing products offer higher levels of security. ESI estimates that general software firms stand to lose between $1.17 and $3.31 billion over the next five years, as a result of export controls.

The networking equipment market is increasingly supplying end-to-end networking products. These solutions rely on strong encryption and, without it, networking sales will go to those who can guarantee higher security. Lost sales are estimated between $4.31 and $8.01 billion through the year 2002.

High-speed Internet connections, private label ISPs, and web hosting are increasingly offered and managed by U.S.-based Internet and Online Service Providers (ISPs and OSPs). However, they are facing problems in foreign markets, due to their inability to export strong encryption. These firms could lose as much as half of all future foreign sales, or $2.28 billion, through the year 2002. ESI’s lower range estimate of lost sales equals $1.78 billion.

The next generation of PCS, cellular, paging, and wireless local-loop systems have the ability to process financial transactions and, therefore, require financial-level-strength encryption. Under current export controls, these products cannot be exported. As a result, they will not be produced in the United States, accounting for a total 1998-2002 loss between $1.75 and $3.75 billion.

Forgone Cost Savings and Efficiency Gains from Internets, Intranets, and Extranets

In the absence of consumer confidence, online shopping will not be accepted by mainstream America. In addition, the costs associated with online shopping are higher without a means of ensuring secure transmissions. Combined, the United States could lose between $2.38 and $7.10 billion in lost online sales and higher online shopping costs caused by export controls.

If American manufacturers, wholesalers, and retailers could operate secure inter-business networks with their suppliers abroad, the potential cost savings would total $40 billion per year. Without strong encryption, security concerns may delay the introduction of new systems, particularly among small and medium-sized businesses. In all, U.S. firms could forgo between $4.41 and $10.94 billion in cost reduction savings over the next five years.

Indirect Effects of Current Administration Policy

Each of the above estimated impacts carries with it implications for the economy at large. Less activity in these sectors creates spillover effects throughout the entire economy, and these indirect impacts will be between $17.56 and $51.62 billion over the next five years.

High-end Impact Estimates, 1998-2002 (billions of U.S. dollars)

| Year | Encryption Software Industry | General software | Network equipment | ISPs and OSPs | Comm. equipment | E-commerce - inter-business efficiency | E-commerce - online shopping | Spillover Effect | Annual Totals |
|---|---|---|---|---|---|---|---|---|---|
| 1998 | 0.636 | 0.237 | 0.78 | 0 | 0.023 | 0.6 | 0.36 | 4.15 | 6.786 |
| 1999 | 0.919 | 0.438 | 1.06 | 0.052 | 0.325 | 1.23 | 0.56 | 5.22 | 9.804 |
| 2000 | 1.64 | 0.633 | 1.34 | 0.25 | 0.613 | 1.89 | 1.01 | 8.41 | 15.786 |
| 2001 | 2.49 | 0.81 | 2.01 | 0.375 | 0.813 | 3.08 | 1.91 | 13.09 | 24.578 |
| 2002 | 3.21 | 1.188 | 2.82 | 1.6 | 2 | 4.14 | 3.26 | 20.75 | 38.968 |
| Sector Totals | 8.895 | 3.306 | 8.01 | 2.277 | 3.774 | 10.94 | 7.1 | 51.62 | 95.922 |

Low-end Impact Estimates, 1998-2002 (billions of U.S. dollars)

| Year | Encryption Software Industry | General software | Network equipment | ISPs and OSPs | Comm. equipment | E-commerce - inter-business efficiency | E-commerce - online shopping | Spillover Effect | Annual Totals |
|---|---|---|---|---|---|---|---|---|---|
| 1998 | 0.192 | 0.04 | 0.49 | 0 | 0 | 0 | 0.12 | 0.54 | 1.382 |
| 1999 | 0.155 | 0.088 | 0.63 | 0 | 0.023 | 0.41 | 0.19 | 1.33 | 2.826 |
| 2000 | 0.304 | 0.177 | 0.78 | 0.125 | 0.325 | 0.84 | 0.34 | 2.43 | 5.321 |
| 2001 | 0.484 | 0.27 | 1 | 0.45 | 0.613 | 1.32 | 0.64 | 4.9 | 9.677 |
| 2002 | 0.644 | 0.594 | 1.41 | 1.2 | 0.813 | 1.84 | 1.09 | 8.36 | 15.951 |
| Sector Totals | 1.779 | 1.169 | 4.31 | 1.775 | 1.774 | 4.41 | 2.38 | 17.56 | 35.157 |

In total, therefore, the U.S. economy will lose between $35.16 and $95.92 billion over the next five years, as a consequence of current administration policy. Moreover, the longer the policy remains in place, the more costly it will be to the economy. Extrapolating from the high estimate, the encryption export control policy could cost the United States $50 billion in 2003 and more than $65 billion in 2004.

Policy Options

There appear to be four policy options available to reconcile national and economic security goals, but ESI finds each of them lacking in some respect and believes none of them alone will maximize both national security and economic security benefits:

Domestic Controls and Export Controls Combined (FBI)

Imposing a federally mandated key-recovery system on top of existing export controls would result in nearly $140 billion in losses to the U.S. economy over the next five years, as foreign producers took over the encryption market. It would also have a negligible impact on national security, because foreign encryption software would flood the U.S. market, skirting the mandated key-recovery system.

Domestic Controls without Export Controls

If export controls were removed and a key-recovery system established, the economic impacts would be reduced, though still substantial (approximately $64 billion). However, national security interests would still not be served, because foreign software would become more popular, both here and abroad, as a way to avoid the U.S. key-recovery requirement.

Neither Domestic Controls nor Export Controls (Software and Computer Industry)

This policy option would unburden the U.S. economy of the costs of export controls, and would have no demonstrable, detrimental impact on the ability of law enforcement to carry out its activities in the short term. However, in the long term, this policy could hinder law enforcement efforts, as encryption became more pervasive and harder to crack.

International Controls without Export Controls (White House)

International key-management has been proposed and rejected by OECD countries. While the idea would provide law enforcement access to keys and reduce the economic impact on the United States, it is fraught with technical and implementation problems.

Policy Recommendations

ESI’s review of the different policy options, and of the negative impact exerted by current policies, reveals four fundamental characteristics that should be included in any encryption policy, if both economic and national security are to be enhanced. The policy must:

  • be technologically neutral,
  • be market-driven and not distort the market,
  • be international in scope and in design, and
  • protect the privacy of individuals and corporations.

Any policy resolution on encryption must consider existing cryptography rules affecting the telecommunications industry (specifically the requirements of the Communications Assistance for Law Enforcement Act of 1994) and be technologically neutral. As communications and IT technologies begin competing in one another’s markets, it is crucial that all industries be on a level regulatory playing field.

Export controls on encryption technology should be dropped. The record shows that these controls have had no discernible impact on national security, but have demonstrably compromised America’s economic security. Foreign encryption products are present in the free international market, their competitiveness is increasing at the expense of American companies, and their products are outside U.S. regulatory authority. In this light, export controls are indefensible.

Likewise, a domestic key-recovery system provides no compelling national security benefit if other countries do not implement similar systems abroad. Given the presence of foreign, unrecoverable encryption technology, domestic key-recovery systems will neither restrict determined criminal efforts nor grant law enforcement agencies substantially increased evidence-gathering capabilities against established criminal groups. These proposals should be abandoned.

Finally, the United States should not implement its own policy in the hopes of inspiring other countries to follow. In fact, the opposite effect is likely, because foreign software companies and manufacturers would "free ride," taking advantage of U.S. restrictions without implementing similar systems themselves, and thereby earning billions at the expense of U.S. firms.