|Finding the Key : Reconciling National and Economic Security Interests in Cryptography Policy|
|by Erik R. Olbeter and Christopher Hamilton, Economic Strategy Institute (04/1998)|
While policymakers, in response to markets, have tried making incremental modifications to U.S. encryption policy, it is now clear that the markets have undergone such radical change that a serious review of U.S. policy is necessary. In addressing that need, this study by the Economic Strategy Institute (ESI) documents how current and proposed policies fail to deliver comprehensive national security protection and, at the same time, significantly harm U.S. commercial interests.
ESI believes it is time to discontinue policies that have proved ineffective, and even detrimental, to America’s well-being, and consider a policy alternative that takes into consideration the legitimate needs of both industry and law enforcement agencies.
The Importance of Encryption
The need to protect electronic data and systems provides impetus for the development and proliferation of encryption technologies that scramble messages so that only authorized persons can gain access to the information. As demand for networking and electronic transactions has grown, so has the demand for, and production of, advanced encryption techniques.
The worldwide market for encryption products in 1996 was $2 billion. The U.S. market, representing slightly more than half the global market, topped $1 billion in 1996. Annual growth in this industry is projected to exceed 59 percent over the next five years, producing a worldwide industry that will be worth nearly $20 billion in the year 2002.
The importance of encryption goes far beyond its own revenue generation and lends itself to the growth of key sectors and industries. As an enabling technology for all digital markets and sectors, encryption is an important component of six major, current and future industries: computer software and networking equipment, telecommunications services, telecommunications equipment, computers and peripherals, electronic commerce, and financial services. In all, encryption is an indispensable part of the foundation upon which more than $938 billion in revenue is generated by the United States.
Moreover, encryption lies at the heart of the major growth markets within each of these industries: wireless communications, online banking, corporate intranets and extranets, financial smart cards, and much more. Each of these sectors is growing at a blistering pace. The computer networking industry, the fastest growing manufacturing sector in the country, is growing at 29.6 percent per annum. Telecom equipment and computer manufacturing are also among the top-ten fastest growing U.S. manufacturing industries. Each of these industries is dependent upon strong encryption for continued growth into the next century.
A Global Industry
Encryption is a global product and industry. As of September 1997, corporations and individuals could select from 1,601 encryption products from over 941 firms in thirty countries. Of this total, 653 products are made outside the United States by 472 foreign firms. Foreign encryption makers continue to outrank U.S. producers in number, to increase their product lines faster than do U.S. firms, and to market encryption products that are just as strong as those produced in the United States.
National Security Implications
Cryptography policy should certainly serve the interests of America’s national security, because that security is both threatened and bolstered by the use of strong encryption products. In the wrong hands, strong encryption can be used as a tool to hide illicit activities from law enforcement agencies. Conversely, encryption is a key component of security measures used to protect crucial national infrastructures, such as electricity grids, telephone networks, and defense-related databases, as well as sensitive financial, individual, and corporate information.
Law enforcement has been challenged by encryption technology, but not completely stymied by it. Other methods of law enforcement have been demonstrably effective in solving the majority of cases in which encryption blocked, either permanently or temporarily, the collection of some evidence. However, as encryption becomes more powerful and more available internationally, and as systems become more sophisticated and less vulnerable to attack, the collection of evidence from encrypted sources will pose increasing difficulties for law enforcement.
Current U.S. Encryption Policies
Current administration policies control the export of strong encryption. They allow exemptions only for software built with key-recovery mechanisms or for high-power, non-recoverable, encryption products designed for financial institutions. Anyone who receives a license must assist in the development and implementation of a key-management infrastructure. The goal of these policies is to prevent the widespread availability of strong encryption products outside of the financial community.
Unfortunately, current administration policies convey the worst of both worlds to the United States, jeopardizing both national and economic security. The current policy on export controls has had little-to-no discernible impact on the ability of law enforcement to act or the ability of firms to protect themselves from cyber-terrorists. Meanwhile, encryption products continue to be readily available from foreign sources and, therefore, the control of U.S. encryption does nothing to prevent a criminal from using powerful encryption to stymie law enforcement officials.
At the same time the encryption export controls fail to serve America’s national security interests, they also have damaging consequences for U.S. economic interests. Such policies exert a substantial negative impact on U.S. economic security by denying export opportunities to U.S. telecommunications, software, and computer companies and affording foreign firms an opportunity to get a foothold in the software security industry. The costs of export controls are borne by the U.S. economy in four ways: lost encryption product sales; slower growth in encryption-dependent industries; forgone cost savings and efficiency gains that otherwise could be expected from greater Internet, extranet, and intranet usage; and indirect costs.
High-end Impact Estimates, 1998-2002
Low-end Impact Estimates, 1998-2002
In total, therefore, the U.S. economy will lose between $35.16 and $95.92 billion over the next five years, as a consequence of current administration policy. Moreover, the longer the policy remains in place, the more costly it will be to the economy. Extrapolating from the high estimate, the encryption export control policy could cost the United States $50 billion in 2003 and more than $65 billion in 2004.
There appear to be four policy options available to reconcile national and economic security goals, but ESI finds each of them lacking in some respect and believes none of them alone will maximize both national security and economic security benefits:
ESI’s review of the different policy options, and of the negative impact exerted by current policies, reveals four fundamental characteristics that should be included in any encryption policy, if both economic and national security are to be enhanced. The policy must:
Any policy resolution on encryption must consider existing cryptography rules affecting the telecommunications industry (specifically the requirements of the Communications Assistance for Law Enforcement Act of 1994) and be technologically neutral. As communications and IT technologies begin competing in one another’s markets, it is crucial that all industries be on a level regulatory playing field.
Export controls on encryption technology should be dropped. The record shows that these controls have had no discernible impact on national security, but have demonstrably compromised America’s economic security. Foreign encryption products are present in the free international market, their competitiveness is increasing at the expense of American companies, and their products are outside U.S. regulatory authority. In this light, export controls are indefensible.
Likewise, a domestic key-recovery system provides no compelling national security benefit if other countries do not implement similar systems abroad. Given the presence of foreign, unrecoverable encryption technology, domestic key-recovery systems will neither restrict determined criminal efforts nor grant law enforcement agencies substantially increased evidence-gathering capabilities against established criminal groups. These proposals should be abandoned.
Finally, the United States should not implement its own policy in the hopes of inspiring other countries to follow. In fact, the opposite effect is likely, because foreign software companies and manufacturers would "free ride," taking advantage of U.S. restrictions without implementing similar systems themselves, and thereby earning billions at the expense of U.S. firms.