The Zimmermann Telegram


Volume 2, Issue 1
December 4, 1998



IN THIS ISSUE
An Open Letter to PGP Users
An Important Announcement for PGPdisk for Windows Users
New U.S. Government Crypto Rules Bring Good News and Bad News
A Word from the Product Manager
Technical Details of PGPDisk

New U.S. Government Crypto Rules Bring Good News and Bad News

Kelly Blough
Director of Government Relations

A "good first step" was the nearly unanimous response to Vice President Gore's September 16th announcement of a new U.S. encryption policy. While the policy as announced does not come close to satisfying all of the industry's objectives regarding export controls on cryptography, it is moving toward a workable crypto resolution. The new policy reflects input from key companies in the network security industry, including Network Associates. More importantly, the Administration has indicated clearly, in both public and private discussions, that the new policy is intended to be a floor, not a ceiling. The extent to which the Administration consulted with industry prior to the announcement reflects a positive trend that the government has indicated will continue throughout the coming year. In fact, key industry players, including Network Associates, have already been approached by the Administration for suggestions on how to continue the momentum and move forward with further reform. Network Associates intends to keep working with government officials to broaden the new rules to encompass more of our customers and our markets.

So what does the new policy really mean for companies that wish to export strong encryption products from the U.S.? For most companies, the news is mixed.


Good News

Among the good news, U.S. companies will no longer have to endure the hassles of individual export licenses or encryption licensing arrangements. The new policy contains a license exception provision, a process that is much less burdensome than an export license. Under the new rules, companies will be able to deploy encryption enterprise-wide. Crypto products of any strength may be sent to foreign subsidiaries of U.S. companies, and shipments to foreign subs can come from anyone in the U.S. Whereas most export licenses name one "exporter of record," the only entity allowed to ship under the license, the new rules allow anyone to export the product. So a U.S. company can order encryption products, configure them as needed, and ship them directly to foreign offices. Or foreign offices can order directly from the manufacturer or distributor. In short, the customer can determine how it wishes to procure strong encryption products.

The Administration is slowly broadening the list of organizations that are entitled to receive strong encryption from the U.S. The current list includes most banks worldwide. The new policy adds broader ranges of financial institutions, as well as insurance firms, health and medical organizations, and online merchants. However, as the list gets broader, so do the conditions and caveats attached to each designated end-user. This truly is a mixed blessing (see the bad news below).

Among the most positive implications of the September announcement was the clear step away from a government-mandated and approved "key recovery" standard toward a more market-driven concept of "recoverability." This concept was driven in part by the so-called "Private Doorbell" alliance of companies. Network Associates, together with the alliance companies, proposed the use of technologies already present in products currently on the market. The proposal to the Commerce Department suggests the use of technologies that provide a degree of plaintext access through, for example, network administrators. The "Doorbell" companies argued, in the end persuasively, that if certain products allow network operators to obtain access under appropriate legal authority, then those products should be exportable without having to meet a government-defined key recovery standard. The upcoming regulations are expected to define "recoverable" to cover these types of network-layer encryption products, and also other encryption applications such as those that enable companies to create backup recovery keys, regardless of whether use of the "recovery" functionality is optional or mandatory in the product.


Bad News

There is always bad news along with the good in U.S. government crypto policy, and this announcement was no different. First, while the decontrol of 56-bit products gets rid of the burdensome and difficult requirement to maintain a "key recovery plan," it really does not give industry, or its customers, anything new. Most customers, particularly international customers, are rightly demanding 128-bit encryption.

More disturbing is the fact that the agencies involved in writing these regulations still can't agree on acceptable asymmetric key lengths. According to government insiders, the NSA wants to limit exportable asymmetric keys to "less than 1024 bits," while Commerce wants to use the language "less than or equal to." The latter was clearly implied in the September announcement, but the dispute is ongoing and could delay the release of the regulations. Publication of the regulation is not currently expected until the end of December.

As indicated above, the list of organizations approved for encryption exports is a mixed blessing. The regulations will carve biotechnology and pharmaceutical companies out of the definition of health and medical organizations, leaving out some of the industry's most important customers worldwide. Telcos and ISPs are omitted from the definition of "commercial firms" that can receive "recoverable" products, again cutting into the benefits to the industry and its customers. Finally, the definition of online merchants is yet to be determined, and may be another interagency sticking point delaying the publication of the regulations. (It took over a year for the agencies to agree on the definition of "financial institution" to implement the policy first announced in May of 1997 and just published last month.)

Lastly, companies that wish to take advantage of the new regulations will find new challenges in implementation, particularly since exports will now be enforced differently depending on destination. For example, the "recoverable" rules apply to exports to 42 countries, while the financial institution rules apply to 45. These changes, while they will ultimately benefit companies like Network Associates, create bureaucratic headaches in the short run while mass-market software vendors try to educate and impose export safeguards on domestic and international channel partners. As usual, the lawyers and consultants will be the first to benefit from the new rules.
