May 30, 1996, Prepublication Copy
Subject to Editorial Correction

  • See the Preface for information on the context of this report and a note from the Chair of the Committee to Study National Cryptography Policy.
  • See also the Appendix with brief biographical sketches on the authoring committee members.


    Cryptography's Role in Securing the Information Society

    Overview and Recommendations

    Committee to Study National Cryptography Policy
    Computer Science and Telecommunications Board
    National Research Council
    National Academy of Sciences and National Academy of Engineering

    In an age of explosive worldwide growth of electronic data storage and communications, many vital national interests require the effective protection of information. When used in conjunction with other approaches to information security, cryptography is a very powerful tool for protecting information. Consequently, current U.S. policy should be changed to promote and encourage the widespread use of cryptography for the protection of the information interests of individuals, businesses, government agencies, and the nation as a whole, while respecting legitimate national needs of law enforcement and intelligence for national security and foreign policy purposes to the extent consistent with good information protection.


    The Information Security Problem

    Vital information interests are at stake in a world of ubiquitous computing and communications. These interests are highly relevant to U.S. needs and desires for international economic strength and competitiveness, individual privacy, law enforcement, national security, and world leadership.

  • U.S. business, governmental, and individual communications are targets or potential targets for intelligence organizations of foreign governments, competitors, vandals, suppliers, customers, and organized crime. Businesses send through electronic channels considerable amounts of confidential information, including items such as project and merger proposals, trade secrets, bidding information, corporate strategies for expansion in critical markets, research and development information relevant to cost reduction or new products, product specifications, and expected delivery dates. Most importantly, U.S. businesses must compete on a worldwide basis. International exposure increases the vulnerability to compromise of sensitive information (Box 1). Helping to defend U.S. business interests against such compromises of information is an important function of law enforcement.

  • American values such as personal rights to privacy are at stake. Private citizens may conduct sensitive financial transactions electronically or by telephone. Data on their medical histories, including mental illnesses, addictions, sexually transmitted diseases, and personal health habits, are compiled in the course of providing medical care. Driving records, spending patterns, credit histories, and other financial information are available from multiple sources. All such information warrants protection.

  • The ability of private citizens to function in an information economy is at risk. Even today, individuals suffer as criminals take over their identities and run up huge credit card bills in their name. Toll fraud on cellular telephones is so large that some cellular providers have simply terminated international connections in the areas that they serve. Inaccuracies as the result of incorrectly posted information ruin the credit records of some individuals. Protecting individuals against such problems warrants public concern and is again an area in which law enforcement and other government authorities have a role to play.

  • The federal government has an important stake in ensuring that its important and sensitive political, economic, law enforcement, and military information, both classified and unclassified, is protected from misuse by foreign governments or other parties whose interests are hostile to those of the United States.

  • Elements of the U.S. civilian infrastructure such as the banking system, the electric power grid, the public switched telecommunications network (PSTN), and the air traffic control system are central to so many dimensions of modern life that protecting these elements must have a high priority. Defending these assets against information warfare and crimes of theft, misappropriation, and misuse potentially conducted by hostile nations, terrorists, criminals, and electronic vandals is a matter of national security and will require high levels of information protection and strong security safeguards.

    Cryptographic Dimensions of Information Security Solutions

    Information vulnerabilities cannot be eliminated through the use of any single tool. For example, cryptography cannot prevent a party authorized to view information from improperly disclosing that information to someone else. However, as part of a comprehensive approach to addressing information vulnerabilities, cryptography (Box 2) is a powerful tool that can help to assure the confidentiality and integrity of information in transit and in storage and to authenticate the asserted identity of individuals and computer systems. Information that has been properly encrypted cannot be understood or interpreted by those lacking the appropriate cryptographic "key"; information that has been integrity-checked cannot be altered without detection. Properly authenticated identities can help to restrict access to information resources to those properly authorized individuals and to take fuller advantage of audit trails to track down parties who have abused their authorized access.

    Cryptography has limitations. Against a determined opponent that is highly motivated to gain unauthorized access to data, cryptography may lead that opponent to exploit some other vulnerability in the system or network on which the relevant data is communicated or stored, and such an exploitation may well be successful. But the use of cryptography can help to raise the cost of gaining improper access to data, may prevent a resource-poor opponent from being successful at all, and may force the opponent into a more vulnerable position. For example, trying to bribe a competitor's employee makes a spy more vulnerable to apprehension than does passive eavesdropping on unencrypted data.

    As the importance of protecting information grows in the private sector, cryptography assumes a role that goes beyond its historical roots as a tool belonging primarily to diplomatic and military establishments. Cryptography is now relevant to helping law-abiding citizens and private businesses, as well as government, defend their legitimate interests against information crimes and threats (e.g., fraud, electronic vandalism, information warfare, or the improper disclosure of national security information).

    Law Enforcement and National Security Dilemmas Posed by Cryptography

    The confidentiality of information that cryptography can provide is useful not only for the legitimate purposes of preventing information crimes (e.g., the theft of trade secrets or unauthorized disclosure of sensitive medical records) but also for illegitimate purposes (e.g., shielding from law enforcement officials a conversation between two terrorists planning to bomb a building). Although strong, automatic encryption implemented as an integral part of data processing and communications provides confidentiality for "good guys" against "bad guys" (e.g., U.S. business protecting information against economic intelligence efforts of foreign nations), it unfortunately also protects "bad guys" against "good guys" (e.g., terrorists evading law enforcement agencies). Under appropriate legal authorization such as a court order, law enforcement authorities may gain access to "bad guy" information for the purpose of investigating and prosecuting criminal activity. Similarly, intelligence gathering for national security and foreign policy purposes depends on having access to information of foreign governments and other foreign entities. Because such activities benefit our society as a whole (e.g., limiting organized crime and terrorist activities), "bad guy" use of cryptography for confidentiality poses a problem for society as a whole, not just for law enforcement and national security personnel.

    For many years, concern over foreign threats to national security has been the primary driver of a national cryptography policy that has sought to maximize the protection of U.S. military and diplomatic communications while denying the confidentiality benefits of cryptography to foreign adversaries through the use of export controls on cryptography and related technical data. More recently, the U.S. government has aggressively promoted the domestic use of a certain kind of cryptography (escrowed encryption) that would provide strong protection for legitimate uses but would permit legally authorized access by law enforcement officials when warranted.

    Both escrowed encryption and export controls have generated considerable controversy. Escrowed encryption has been controversial because its promotion by the U.S. government appears to some important constituencies to assert the primacy of information access needs of law enforcement and national security over the information security needs of businesses and individuals. Export controls on cryptography have been controversial because they pit the interests of U.S. vendors and some U.S. multinational corporations against some of the needs of national security.

    Seeking a deeper understanding of the policy problem, the U.S. Congress used Public Law 103-160 (the Defense Authorization Act for Fiscal Year 1994) to request the National Research Council to "conduct a comprehensive study of cryptographic technologies and national cryptography policy . . . ," assessing "the effect of cryptographic technologies on . . . national security and law enforcement interests of the United States Government, . . . commercial interests of United States industry; and . . . privacy interests of United States citizens; and . . . the effect on commercial interests of United States industry of export controls on cryptographic technologies." The legislation also directed all appropriate agencies of the Department of Defense, including the National Security Agency, to cooperate fully with the National Research Council in its activities in carrying out the study. The committee deliberated for approximately 18 months, gathering input from a large number of unclassified and classified sources. Because the contentious public policy problem involves confidentiality, the committee focused its primary efforts there, while addressing collateral uses of cryptography such as assurance of data integrity and user or system authentication without going into detail.

    Input from these diverse sources demonstrated to the committee a considerable amount of confrontation and disconnect between interest groups (e.g., information technology vendors, businesses, law enforcement, private individuals, national security) that fail to understand or appreciate the validity of each other's policy needs and interests with respect to cryptography. Furthermore, much of the public debate has been couched in hyperbole and has tended to draw lines that divide the policy issues in an overly simplistic manner, i.e., the privacy rights of individuals and businesses against the needs of national security and law enforcement. As observed above, such a dichotomy does have a kernel of truth. But viewed in the large, the dichotomy as posed is misleading. If cryptography can protect the trade secrets and proprietary information of businesses and thereby reduce economic espionage (which it can), it also supports in a most important manner the job of law enforcement. If cryptography can help protect nationally critical information systems and networks against unauthorized penetration (which it can), it also supports the national security of the United States. Framing national cryptography policy in this larger context would help to reduce some of the polarization among the relevant stakeholders.

    The conduct of the debate regarding national cryptography policy has been complicated because certain elements of the debate have been removed from public view due to security classification. However, for reasons noted in the preface, the cleared members of the committee (13 of its 16 members) concluded that the debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis. Although many of the details relevant to policy makers are necessarily classified, these details are not central to making policy arguments one way or the other. Classified material, while important to operational matters in specific cases, is neither essential to the big picture of why policy has the shape and texture that it does today nor required for the general outline of how technology will, and policy should, evolve in the future.

    National Cryptography Policy for the Information Age

    Public debate based on hyperbole is unproductive. All of the stakes described above--privacy for individuals, protection of sensitive or proprietary information for businesses, ensuring the continuing reliability and integrity of nationally critical information systems and networks, law enforcement access to stored and communicated information for purposes of investigating and prosecuting crime, and national security access to information stored or communicated by foreign powers or other entities and organizations whose interests and intentions are relevant to the national security and the foreign policy interests of the United States--are legitimate; informed public discussion of the issues must begin by acknowledging the legitimacy both of information security for law-abiding individuals and businesses and of information gathering for law enforcement and national security purposes.

    The problems of information vulnerability, the legitimacy of various national interests in individual privacy, international economic competitiveness, law enforcement, national security and world leadership, and the trends described in Box 3 all point to the need for a concerted effort to protect vital information assets of the United States in a world of ubiquitous computing and communications. Cryptography is an important element of a comprehensive approach to information security. Since the committee was charged with focusing on national cryptography policy rather than national policy for information security, the committee adopted the following statement of its guiding principle:

    Basic Principle: U.S. national policy should be changed to support the broad use of cryptography in ways that take into account competing U.S. needs and desires for individual privacy, international economic competitiveness, law enforcement, national security, and world leadership.

    The committee concluded that cryptography is one important tool for protecting information and that it is very difficult for governments to control. Although cryptography cannot solve all problems, for those information security problems to which it is well suited, cryptography provides a number of capabilities that few other technologies can provide as effectively. Furthermore, the knowledge underlying good cryptography easily diffuses through national boundaries, and the United States does not have a monopoly on cryptographic technologies. The committee thus believes that the widespread nongovernment use of cryptography in the United States and abroad is inevitable in the long run. If this is true, the role of national cryptography policy should be to facilitate a judicious transition between today's world of high information vulnerability and a future world of greater information security, while to the extent possible meeting the legitimate needs of law enforcement and information gathering for national security and foreign policy purposes. National policy can have a profound effect on the rate and nature of the transition from today's world to that of the long-term future.

    The committee found that current national cryptography policy is not adequate to support the information security requirements of an information society. (The purposes and tools of national cryptography policy are summarized in Box 4.) Indeed, current policy discourages the use of cryptography, whether intentionally or not, and in so doing impedes the ability of the nation to use cryptographic tools that would help to remediate certain important vulnerabilities. For example, through the use of export controls, national policy has explicitly sought to limit the use of encryption abroad but has also had the effect of reducing the domestic availability to businesses and other users of products with strong encryption capabilities.

    The committee believes that national cryptography policy must recognize trends in other aspects of information technology such as the speed with which such technology evolves. The committee understands that trade-offs are inevitable and that no stakeholder will be fully satisfied with the result. Moreover, national cryptography policy is inherently situated internationally, and no policy will gain domestic acceptance unless it meshes with policies of other nations.

    National cryptography policy should support three objectives:

    1. Broad availability of cryptography to all legitimate elements of U.S. society. Cryptography supports the confidentiality and integrity of digitally represented information (e.g., computer data, software, video) and the authentication of individuals and computer systems communicating with other computer systems; these capabilities are important in varying degrees to protecting the information security interests of many different private and public stakeholders, including law enforcement and national security. Furthermore, cryptography can help to support law enforcement objectives in preventing information crimes such as economic espionage.

    2. Continued economic growth and leadership of key U.S. industries and businesses in an increasingly global economy, including but not limited to U.S. computer, software, and communications companies. Such leadership is an integral element of national security. U.S. companies in information technology today have undeniable strengths in foreign markets, but current national cryptography policy threatens to erode these advantages. The largest economic opportunities for U.S. firms in all industries lie in using cryptography to support their critical domestic and international business activities, including international intrafirm and interfirm communications with strategic partners, cooperative efforts with foreign collaborators and researchers in joint business ventures, and real-time connections to suppliers and customers, rather than in selling information technology.

    3. Public safety and protection against foreign and domestic threats. Insofar as possible, communications and stored information of foreign parties whose interests are hostile to those of the United States should be accessible to U.S. intelligence agencies. Similarly, the communications and stored information of criminal elements that are a part of U.S. and global society should be available to law enforcement authorities as provided by law.

    Objectives 1 and 2 argue for a policy that actively promotes the use of strong cryptography on a broad front and that places few restrictions on the use of cryptography. Objective 3 argues that some kind of government role in the deployment and use of cryptography may continue to be necessary for public safety and national security reasons. The committee believes that these three objectives can be met within a framework recognizing that on balance, the advantages of more widespread use of cryptography outweigh the disadvantages.

    The recommendations below address several critical policy areas. Each recommendation is cast in broad terms, with specifically actionable items identified for each when appropriate. In accordance with the committee's judgment that the broad picture of cryptography policy can be understood on an unclassified basis, no findings or recommendations were held back on the basis of classification, and this report is unclassified in its entirety.

    In the interests of brevity, only short rationales for the recommendations are given here. Readers are urged to read the full description of rationales for these recommendations in Chapter 8 of the full report. For the reader's convenience, the text of the recommendations (without any discussion) is reprinted at the end of this executive summary.


    The framework for national cryptography policy should provide coherent structure and reduce uncertainty for potential vendors and nongovernment and government users of cryptography in ways that it does not do today. Recommendations 1, 2, and 3 support this basic framework.

    Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States.

    This recommendation is consistent with the position of the Clinton Administration that legal prohibitions on the domestic use of any kind of cryptography are inappropriate, and the committee endorses this aspect of the Administration's policy position without reservation.

    The committee believes that a legislative ban on the use of unescrowed encryption would raise both technical and legal or constitutional issues. Technically, many methods are available to circumvent such a ban, such as the use of data storage at easily reachable remote sites accessible to the data owner but inaccessible to anyone else lacking knowledge of that site. Legally, constitutional issues, especially those related to free speech, would be almost certain to arise, issues that are not trivial to resolve.

    Finally, a ban on the use of any form of encryption would directly challenge the principle that users should be responsible for assessing and determining their own approaches to meeting their security needs. This principle is discussed in greater detail in Recommendation 3.

    Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law.

    Cryptography policy is an issue in which many segments of the population are stakeholders, and the invocation of official government secrecy in this area has led to considerable public distrust and resistance. If a broadly acceptable social consensus that satisfies the interests of all legitimate stakeholders is to be found regarding the nation's cryptographic future, a national discussion of the issue must occur. The nation's best forum for the airing of multiple views across the entire spectrum is the U.S. Congress, and only comprehensive congressional deliberation and discussion conducted in the open can generate the public acceptance that is necessary for policy in this area to succeed. In turn, a consensus derived from such deliberations, backed by explicit legislation when necessary, will lead to greater degrees of public acceptance and trust, a more certain planning environment, and better connections between policy makers and the private sector on which the nation's economy and social fabric rest. For these reasons, congressional involvement in the debate over cryptography policy is an asset rather than a liability.

    Instances in which legislation may be needed are found in Recommendations 4, 5.3, and 5.4.

    Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces.

    As cryptography has assumed greater importance to nongovernment interests, national cryptography policy has become increasingly disconnected from market reality and the needs of parties in the private sector. Many decades of experience with technology deployment suggest that reliance on user choices and market forces is generally the most rapid and effective way to promote the widespread utilization of any new and useful technology. Since the committee believes that the widespread deployment and use of cryptography will be in the national interest, it believes that national cryptography policy should align itself with user needs and market forces to the maximum feasible extent.

    The committee recognizes that considerations of public safety and national security make it undesirable to maintain an entirely laissez-faire approach to national cryptography policy. But it believes that government intervention in the market should be carefully tailored to specific circumstances. The committee describes a set of appropriate government interventions in Recommendations 4, 5, and 6.

    A national cryptography policy that is aligned with market forces would emphasize the freedom of domestic users to determine cryptographic functionality, protection, and implementations according to their security needs as they see fit. Innovation in technologies such as escrowed encryption would be examined by customers for their business fitness of purpose. Diverse user needs would be accommodated; some users will find it useful to adopt some form of escrowed encryption to protect their access to encrypted data, while others will find that the risks of escrowed encryption (e.g., the dangers of compromising sensitive information through a failure of the escrowing system) are not worth the benefits.

    Standards are another dimension of national cryptography policy with a significant impact on commercial cryptography and the market. Cryptographic standards that are inconsistent with prevailing or emerging industry practice are likely to encounter significant market resistance. Thus, to the maximum extent possible, national cryptography policy that is more closely aligned with market forces should encourage adoption by the federal government and private parties of cryptographic standards that are consistent with prevailing industry practice.

    Finally, users in the private sector need confidence that products with cryptographic functionality will indeed perform as advertised. To the maximum degree possible, national cryptography policy should support the use of algorithms, product designs, and product implementations that are open to public scrutiny. Information security mechanisms for widespread use that depend on a secret algorithm or a secret implementation invite a loss of public confidence, because they do not allow open testing of the security, they increase the cost of hardware implementations, and they may prevent the use of software implementations as described below. Technical work in cryptography conducted in the open can expose flaws through peer review and assure the private sector user community about the quality and integrity of the work underlying its cryptographic protection.



    For many years, the United States has controlled the export of cryptographic technologies, products, and related technical information as munitions (on the U.S. Munitions List (USML) administered by the State Department). These controls have been used to deny potential adversaries access to U.S. encryption technology that might reveal important characteristics of U.S. information security products and/or be used to thwart U.S. attempts at collecting signals intelligence information [1]. To date, these controls have been reasonably effective in containing the export of U.S. hardware-based products with encryption capabilities. However, software-based products with encryption capabilities and cryptographic algorithms present a more difficult challenge because they can more easily bypass controls and be transmitted across national borders. In the long term, as the use of encryption grows worldwide, it is probable that national capability to conduct traditional signals intelligence against foreign parties will be diminished.

    The current export control regime on strong cryptography is an increasing impediment to the information security efforts of U.S. firms competing and operating in world markets, developing strategic alliances internationally, and forming closer ties with foreign customers and suppliers. Some businesses rely on global networks to tie together branch offices and service centers across international boundaries. Other businesses are moving from a concept of operations that relies on high degrees of vertical integration to one that relies on the "outsourcing" of many business functions and activities. Consistent with rising emphasis on the international dimensions of business (for both business operations and markets), many U.S. companies must exchange important and sensitive information with an often-changing array of foreign partners, customers, and suppliers. Under such circumstances, the stronger level of cryptographic protection available in the United States is not meaningful when an adversary can simply attack the protected information through foreign channels.

    Export controls also have had the effect of reducing the domestic availability of products with strong encryption capabilities. The need for U.S. vendors (especially software vendors) to market their products to an international audience leads many of them to weaken the encryption capabilities of products available to the domestic market, even though no statutory restrictions are imposed on that market. Thus, domestic users face a more limited range of options for strong encryption than they would in the absence of export controls.

    Looking to the future, both U.S. and foreign companies have the technical capability to integrate high-quality cryptographic features into their products and services. As demand for products with encryption capabilities grows worldwide, foreign competition could emerge at a level significant enough to damage the present U.S. world leadership in this critical industry. Today, U.S. information technology products are widely used in foreign markets because foreign customers find the package of features offered by those products to be superior to packages available from other non-U.S. vendors, even though encryption capabilities of U.S. products sold abroad are known to be relatively weak. However, for growing numbers of foreign customers with high security needs, the incremental advantage of superior nonencryption features offered by U.S. products may not be adequate to offset perceived deficiencies in encryption capability. Under such circumstances, foreign customers may well turn to non-U.S. sources that offer significantly better encryption capabilities in their products.

    Overly restrictive export controls thus increase the likelihood that significant foreign competition will step into a vacuum left by the inability of U.S. vendors to fill a demand for stronger encryption capabilities integrated into general-purpose products. The emergence of significant foreign competition for the U.S. information technology industry has a number of possible long-term negative effects on U.S. national and economic security that policy makers would have to weigh against the contribution these controls have made to date in facilitating the collection of signals intelligence in support of U.S. national security interests (a contribution that will probably decline over time). Stimulating the growth of important foreign competitors would undermine a number of important national interests:

  • The national economic interest, which is supported by continuing and even expanding U.S. world leadership in information technology. Today, U.S. information technology vendors have a window of opportunity to set important standards and deploy an installed base of technology worldwide, an opportunity that should be exploited to the maximum degree possible. Conversely, strong foreign competition would not be in the U.S. economic self-interest.

  • Traditional national security interests, which are supported by leadership by U.S. vendors in supplying products with encryption capabilities to the world market. For example, it is desirable for the U.S. government to keep abreast of the current state of commercially deployed encryption technology, a task that is much more difficult to accomplish when the primary suppliers of such technology are foreign vendors rather than U.S. vendors.

  • U.S. business needs for trustworthy information protection, which are supported by U.S. encryption products. Foreign vendors could be influenced by their governments to offer for sale to U.S. firms products with weak or poorly implemented cryptography. If these vendors were to gain significant market share, the information security of U.S. firms could be adversely affected.

  • Influence over the deployment of cryptography abroad, which is supported by the significant impact of U.S. export controls on cryptography as the result of the strength of the U.S. information technology industry abroad. To the extent that the products of foreign competitors are available on the world market, the United States loses influence over cryptography deployments worldwide.

    The committee believes that the importance of the U.S. information technology industry to U.S. economic interests and national security is large enough that some prudent risks can be taken to hedge against the potential damage to that industry, and some relaxation of export controls on cryptography is warranted. In the long term, U.S. signals intelligence capability is likely to decrease in any case. Consequently, the committee believes that the benefits of relaxation--namely helping to promote better information security for U.S. companies operating internationally and to extend U.S. leadership in this critical industry--are worth the short-term risk that the greater availability of U.S. products with stronger encryption capabilities will further impede U.S. signals intelligence capability.

    Relaxation of export controls on cryptography is consistent with the basic principle of encouraging the use of cryptography in an information society for several reasons. First, relaxation would encourage the use of cryptography by creating an environment in which U.S. and multinational firms and users are able to use the same security products in the United States and abroad and thus help promote better information security for U.S. firms operating internationally. Second, it would increase the availability of good cryptography products in the United States. Third, it would expand U.S. business opportunities overseas for information technology sales incorporating stronger cryptography for confidentiality by allowing U.S. vendors to compete with foreign vendors on a more equal footing, thereby helping to maintain U.S. leadership in fields critical to national security and economic competitiveness.

    At the same time, cryptography is inherently dual-use in character (more so than most other items on the USML), with important applications to both civilian and military purposes. While this fact suggests to some that the export of all cryptography should be regulated under the Commerce Control List (CCL), the fact remains that cryptography is a particularly critical military application for which few technical alternatives are available. The USML is designed to regulate technologies with such applications for reasons of national security; retention of some controls will mitigate the loss to U.S. national security interests in the short term, allow the United States to evaluate the impact of relaxation on national security interests before making further changes, and "buy time" for U.S. national security authorities to adjust to a new technical reality.

    Specific Recommendations

    Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated.

    Recommendations 4.1 and 4.2 below describe the committee's judgments about expeditious changes to the present export control regime that would result in a better alignment with technological and market trends. Recommendation 4.3 is intended to promote other important changes in the export control regime that would reduce uncertainty about the export control licensing process and eliminate unnecessary friction between the export control regime and those affected by it.

    Recommendations 4.1 and 4.2 describe changes to the current export control regime, and unless stated explicitly, leave current regulations and proposals in place. Two features of the current export regime are sufficiently desirable to warrant special attention here. The first is that the current liberal export control treatment for certain classes of products should be continued: these products are (1) products that provide confidentiality only for use in banking or money transactions and (2) products that are limited in functionality to providing capabilities for authentication, access control, and data integrity without capabilities for confidentiality. The second feature of the current export regime that should be continued is that the United States should maintain its embargo on exports of all products with encryption capabilities to rogue nations, even when these products are controlled by the CCL.

    Finally, relaxation of U.S. export controls is only the first step on the road to greater use of cryptography around the world. If foreign nations decide that their national interests are threatened by cryptography, they may choose to apply import controls on products with encryption capabilities; if they do so, U.S. vendors may be faced with the need to develop products with encryption capabilities on a nation-by-nation basis.

    Recommendation 4.1--Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable [2]. Today, products with encryption capabilities that incorporate the 56-bit DES algorithm provide this level of confidentiality and should be easily exportable.

    Recommendation 4.1 is made subject to a number of collateral conditions:

  • Products covered under Recommendation 4.1 must be designed in a way that would preclude their repeated use to increase confidentiality beyond the acceptable level.

  • Vendors of products covered under Recommendation 4.1 (and 4.2 below) must provide to the U.S. government full technical specifications of their product and reasonable technical assistance upon request in order to assist the U.S. government in understanding the product's internal operations, thereby providing assurance that the product complies with conditions required for export jurisdiction under the CCL; appropriate nondisclosure agreements would protect vendors' interests in proprietary information embedded in their products. This requirement would also allow more cost-effective use of intelligence budgets for understanding the design of exported cryptographic systems.

  • The level of cryptographic strength that determines the threshold of easy exportability should be set at a level that promotes the broad use of cryptography and should be adjusted upward periodically as technology evolves.

  • Products covered by Recommendation 4.1 should be allowed to protect their secret keys with public-key cryptography that is at least as strong as the cryptographic protection of message or file text provided by those products, with appropriate safety margins that protect against possible attacks on these public-key algorithms.

    The committee believes that today, products that incorporate 56-bit DES for confidentiality meet most general commercial requirements and thus should be easily exportable. The ability to use 56-bit DES abroad will significantly enhance the confidentiality available to U.S. multinational corporations conducting business overseas with foreign partners, suppliers, and customers and improve the choice of products with encryption capabilities available to domestic users. Furthermore, Recommendation 4.1 will help the United States to maintain its worldwide market leadership in products with encryption capabilities. The committee believes that many foreign customers unwilling to overlook the perceived weaknesses of 40-bit RC2/RC4 encryption, despite superior noncryptography features in U.S. information technology products, are likely to accept DES-based encryption as being adequate. Global market acceptance of U.S. products incorporating DES-based encryption is more conducive to U.S. national security interests in intelligence collection than is market acceptance of foreign products incorporating even stronger algorithm and key size combinations that might emerge to fill the vacuum if U.S. export controls were not relaxed.

    The committee believes that DES is appropriate because it has gained widespread acceptance as a standard for secret-key cryptography within the United States and throughout the world. DES provides many benefits, including a significantly higher level of confidentiality protection than that of 40-bit RC2/RC4 encryption, certification by the U.S. government as a high-quality solution for nonclassified security problems, the unavailability of practical methods to undertake cryptanalytic attacks on it other than exhaustive key search, freedom from intellectual property concerns and royalty arrangements, and high name recognition among both product vendors and users. The bottom line for the committee is that DES is "good enough" for most information security applications and is likely to be good enough for the next decade, because only the most highly motivated and well-funded organizations will be capable of sustaining brute-force attacks on DES during that time.

    The committee recognizes that a replacement for DES will eventually be needed in the not-so-distant future. Thus, product designers and users would be well advised to anticipate the need for future products using a DES replacement to be compatible with the products they develop today. However, for today, only DES has the record of public scrutiny and practical experience that is necessary to engender public confidence, and waiting for a replacement to achieve such a record will leave many of today's information vulnerabilities without a viable remedy. Adopting DES as today's standard will do much to relieve pressures on the export control regime stemming from commercial users needing to improve security, and will give the United States and other nations time to formulate a long-term global solution.

    The committee recognizes that the adoption of Recommendation 4.1 may have a negative impact on the collection of signals intelligence. Much of the general intelligence produced today depends heavily on the ability to monitor and select items of interest from the large volumes of communications sent in the clear. If most of this traffic were encrypted, even at the levels allowed for liberal export today, the selection process would become vastly more difficult. Increasing the threshold of liberal exportability from 40-bit RC2/RC4 to 56-bit DES will not, in itself, add substantially to the difficulties of message selection. Foreign users of selected channels of high-interest communications would, in many cases, not be expected to purchase and use U.S. encryption products under any circumstances and thus in these cases would not be affected by a change in the U.S. export control regime. However, it is likely that the general use of 56-bit DES abroad will reduce the probability that potentially significant messages can be successfully decrypted. Recommendation 5 addresses measures that will help national security authorities to develop capabilities necessary to deal with the negative impact that Recommendation 4.1 may have on the collection of signals intelligence.

    Recommendation 4.2--Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request.

    Recommendation 4.1 addresses the needs of most general commercial users. Recognizing the need for encryption stronger than is currently available under the CCL, the Administration has proposed to give liberal export consideration to software products with 64-bit encryption provided that those products are escrowed with a qualified escrow agent. The philosophy underlying this proposal is that the wide foreign availability of strong encryption will not significantly damage U.S. intelligence gathering and law enforcement efforts if the United States can be assured of access to plaintext when necessary. Recommendation 4.2 builds on this philosophy to permit liberal export consideration of products with encryption capabilities stronger than that provided by 56-bit DES to users that are likely to be "trustworthy," i.e., willing to cooperate in providing access to plaintext for U.S. law enforcement authorities when a legally authorized request is made to those companies. Firms on the list of approved companies will determine for themselves how to assure access to plaintext; many of them may well choose to use escrowed encryption products, and they would be free to escrow the relevant keys with agents situated within the firm itself.

    From the standpoint of U.S. law enforcement interests, continued inclusion on the list of approved firms is a powerful incentive for a company to abide by its agreement to provide access to plaintext under the proper circumstances. Recommendation 4.2 also helps to promote escrowed encryption in foreign nations by facilitating the deployment in those nations of a base of products on which the governments of the relevant nations may build policy regimes supporting escrowed encryption. Finally, it hastens the deployment of escrowed encryption in other countries because the shipment of escrowed encryption products need not be delayed until the completion of formal agreements regarding the transfer of escrowed keys across international boundaries.

    U.S. vendors benefit from Recommendation 4.2 because the foreign customers on the list of approved companies need not wait for the successful negotiation of formal agreements. Furthermore, a potential customer of U.S. products that objects to Administration proposals on export of escrowed encryption on the grounds that its cryptographic keys might be compromised can be reassured that keys to products covered by Recommendation 4.2 could remain within its full control; indeed, these customers benefit because they retain the choice about how they will provide access to decrypted information.

    What firms constitute the list of approved companies? Under current practice, it is generally the case that a U.S.-controlled firm (i.e., a U.S. firm operating abroad, a U.S.-controlled foreign firm, or a foreign subsidiary of a U.S. firm) will be granted a USML license to acquire and export for its own use products with encryption capabilities stronger than that provided by 40-bit RC2/RC4 encryption. Banks and financial institutions (including stock brokerages and insurance companies), whether U.S.-controlled/owned or foreign-owned, are also generally granted USML licenses for stronger cryptography for use in internal communications and communications with other banks even if these communications are not limited strictly to banking or money transactions. Such licenses are granted on the basis of an individual review rather than through a categorical exemption from the USML.

    Building on this practice, the committee believes that this category should be expanded so that a U.S.-controlled firm is able to acquire and export products covered under Recommendation 4.2 to its foreign suppliers and customers for the purpose of regular communications with the U.S.-controlled firm. A number of USML licenses for cryptography have implemented just such an arrangement, but the purpose of Recommendation 4.2 is to make these arrangements far more systematic and routine.

    In addition, foreign firms specifically determined by U.S. authorities to be major and trustworthy firms should qualify for the list of approved companies. To minimize delay for U.S. information technology vendors and to help assure their competitiveness with foreign vendors, a list of these firms eligible for purchasing U.S. products with encryption capabilities and/or the criteria for inclusion on the list should be made available upon request. Over time, it would be expected that the criteria would grow to be more inclusive so that more companies would qualify.

    Recommendation 4.2 is silent on whether companies must periodically requalify for the list; however, a refusal or inability to cooperate when required might well result in a company being dropped from the list and publicly identified as a noncooperating company, and subject the parties involved to the full range of sanctions that are available today to enforce compliance of product recipients with end-use restrictions.

    The firms on the list of approved companies are likely to have needs for information security products of the highest strength possible for the environment in which they operate, because they are more likely to be the targets of the major concerted cryptanalytic effort described above in connection with Recommendation 4.1. All firms on the list of approved companies would agree to provide an end-user certification that the exported products will be used only for intrafirm business or by foreign parties in regular communications with the U.S. firms involved, to take specific measures to prevent the transfer of the exported products to other parties, and to provide the U.S. government with plaintext of encrypted information when presented with a properly authorized law enforcement request and to prove, if necessary, that the provided plaintext does indeed correspond to the encrypted information of interest. Compliance with these requirements is intended to be a reasonable precaution that protects against possible risks of diversion to unintended purposes. Furthermore, firms on the list of approved companies are defined in such a way as to increase the likelihood that they will be responsible corporate citizens, and as such responsive to relevant legal processes that may be invoked if access to plaintext data is sought.

    Recommendation 4.3--The U.S. government should streamline and increase the transparency of the export licensing process for cryptography.

    The committee found a great deal of uncertainty regarding rules, time lines, and the criteria used in making decisions about the exportability of particular products. To reduce such uncertainty, as well as to promote the use of cryptography by legitimate users, a number of changes in the export licensing process should occur. For example, the presumptive decision for cryptography submitted to the State Department for export licensing should be for approval rather than disapproval. Efforts undertaken in recent years (1994 and 1995) to streamline the State Department's licensing process for cryptography exports should continue and be strengthened. Finally, the U.S. government should take steps to increase vendor and user understanding of the export control regime with the intent of bridging the profound gap in the perceptions of national security authorities and the private sector (including both technology vendors and users of cryptography).



    For both law enforcement and national security, cryptography is a two-edged sword. From the standpoint of law enforcement, cryptography provides tools to help prevent crime (e.g., by helping law-abiding businesses and individuals defend themselves against information crimes, such as the theft of proprietary information and the impersonation of legitimate parties by illegitimate ones). Crime prevention is particularly important when the crimes prevented are difficult to detect, as is the case for many kinds of information crime. On the other hand, cryptography's use by criminals can damage the law enforcement mission of investigating and prosecuting individuals who have committed crimes (by increasing the difficulty of obtaining information relevant to investigation and prosecution).

    Although crime prevention is an important dimension of law enforcement, the public debate to date has focused primarily on the impact of cryptography on criminal prosecutions and investigations. The committee accepts that the onset of an information age is likely to create many new challenges for public safety, among them the greater use of cryptography by criminal elements of society. If law enforcement authorities are unable to gain access to the encrypted communications and stored information of criminals, some criminal investigations and prosecutions will be significantly impaired. For these reasons, specific steps should be taken to mitigate these difficulties, as outlined in Recommendations 5.3, 5.4, and 5.5; Recommendation 5.2 is also expected to have a positive, though indirect, impact on this problem.

    In the realm of national security, cryptography can help to defend vital information assets of the United States (Recommendations 5.1 and 5.2). But cryptography can also impede the collection of signals intelligence. Apart from maintaining some USML export controls on cryptography, other steps can be taken to mitigate potential problems in this area (Recommendation 5.5).

    Since 1993, the approach of the U.S. government to the problems that can arise from the use of encryption has been an aggressive promotion of escrowed encryption as a pillar of the technical foundation for national cryptography policy, primarily in response to the law enforcement concerns described above (see Chapter 5 of the full report). The U.S. government's promotion initiatives include the Escrowed Encryption Standard (a voluntary Federal Information Processing Standard (FIPS) for secure voice telephony), the Capstone/Fortezza initiative that provides escrowed encryption capabilities for secure data storage and communications, and a recent proposal to liberalize export controls on certain encryption products if the keys are "properly escrowed."

    The committee understands the Administration's rationale for promoting escrowed encryption but believes that escrowed encryption should be only one part of an overall strategy for dealing with the problems that encryption poses for law enforcement and national security.

    Specific Recommendations

    Recommendation 5: The U.S. government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age.

    Over the past 50 years, both law enforcement and national security authorities have had to cope with a variety of changing technological circumstances. For the most part, they have coped with these changes quite well. Today, however, an explosion of advanced information technologies is creating new challenges to law enforcement and national security. "Business as usual" will not suffice to bring agencies responsible for law enforcement and national security into the information age. At the same time, both law enforcement and national security have demonstrated considerable adaptability to new environments; this record of adaptability provides considerable confidence that they can adapt to a future of digital communications and stored data as well, and the specific subrecommendations that follow attempt to build on this adaptability.

    Recommendation 5.1--The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks.

    The nonconfidentiality applications of cryptography (e.g., digital signatures, authentication and access controls, nonrepudiation, secure time/date stamps, integrity checks) do not directly threaten law enforcement or national security interests and do not in general pose the same policy dilemma as confidentiality does. Since the deployment of infrastructures for the nonconfidentiality uses of cryptography is a necessary (though not sufficient) condition for the use of cryptography for confidentiality, the nation may take large steps in this area without having to resolve the policy dilemmas over confidentiality, confident that those steps will be beneficial to the nation in their own right. Policy can and should promote nonconfidentiality applications of cryptography in all relevant areas.

    One of the most important of these areas concerns protection against systemic national vulnerabilities. Indeed, in areas in which confidence in and availability of a national information network are most critical, nonconfidentiality uses of cryptography are even more important than are capabilities for confidentiality. For example, ensuring the integrity of data that circulates in the air traffic control system is almost certainly more important than ensuring its confidentiality; ensuring the integrity (accuracy) of data in the banking system is often more important than ensuring its confidentiality. (This is not to say that confidentiality plays no role in protecting national information systems from unauthorized penetration. Cryptographically provided confidentiality can be one important (though secondary) dimension of protecting information systems from unauthorized penetration.)

    Nonconfidentiality applications of cryptography support reliable user authentication. Authentication of users is an important crime-fighting measure, because authentication is the antithesis of anonymity. Nonconfidentiality applications of cryptography support reliable integrity checks on data; used properly, they can help to reduce crimes that result from the alteration of data (such as changing the payable amount on a check). To date, national cryptography policy has not fully supported such nonconfidentiality uses. Some actions have been taken in this area, but these actions have sometimes conflicted with government concerns about confidentiality. As importantly, government has expressed considerably more concern in the public debate regarding the deleterious impact of widespread use of cryptography for confidentiality than over the deleterious impact of not deploying cryptographic capabilities for user authentication and data integrity.

    A final dimension of this issue is that keys used in nonconfidentiality applications of cryptography, especially ones that support established and essential business practices or legal constructs (e.g., digital signatures, authentication, integrity checks), must be controlled solely by the immediate and intended parties to those applications. Without such assurances, outside access to such keys could undermine the legal basis and threaten the integrity of these practices carried out in the electronic domain. Whatever benefits might accrue to government authorities acting in the interests of public safety or national security from being able to forge digital signatures or alter digital data clandestinely would pale by comparison to the loss of trust in such mechanisms that would result from even a hint that such activities were possible.

    Recommendation 5.2--The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications[3] and the improvement of security at telephone switches.

    The public switched telecommunications network (PSTN) is both critical to many sectors of the national economy and undergoing rapid evolution. While the U.S. government has taken some steps to improve the security of the PSTN, much more could be done based on the regulatory authority that the U.S. government has in this area.

    The encryption of wireless voice communications would prevent eavesdropping that is all too easy in today's largely analog cellular telephone market. As wireless communications shift from analog to digital modes of transport, encryption will become easier even as the traffic itself becomes harder to understand. A requirement to encrypt wireless communications may also accelerate the shift to wireless modes of digital transport. However, because of the cost of retrofitting existing cellular services, this recommendation is intended to apply only to the deployment of future cellular services.

    Security in telephone switches could be improved in many ways. For example, a requirement for adequate authentication to access such switches would prevent unauthorized access from maintenance ports; such ports often provide remote access to all switch functions, a level of access equal to what could be obtained by an individual standing in the control center. Yet such ports are often protected with nothing more than a single password. Telecommunications service providers could also provide services for link encryption of traffic on wired landlines.

    By addressing through the telecommunications service providers public demands for greater security in voice communications (especially those such as cellular telephone traffic) that are widely known to be nonsecure, government would maintain law enforcement access for lawfully authorized wiretaps through the requirements imposed on carriers today to cooperate with law enforcement in such matters. For example, a cellular telephone connects to the PSTN through a ground station; since, in general, the cellular telephone service provider must feed its traffic to the PSTN in unencrypted form, encrypted cellular telephone traffic from the mobile handset would be decrypted at the ground station, at which point law enforcement could gain authorized access. Thus, legitimate law enforcement access would not, in general, be impeded by link encryption of cellular traffic until communications systems that bypass the PSTN entirely become common.

    Recommendation 5.2 is an instance of a general philosophy that link (or node) security provided by a service provider offers more opportunities for providing law enforcement with legally authorized access than does security provided by the end user. In the case of voice communications, improved security over the telecommunications network used for voice communications and provided by the owners and operators of that network--a good thing in its own right and consistent with the basic principle of this report--would also reduce the demand for (and thus the availability of) devices used to provide end-to-end encryption of voice communications. Without a ready supply of such devices, a criminal user would have to go to considerable trouble to obtain a device that could thwart a lawfully authorized wiretap.

    Recommendation 5.2 focuses on voice communications given that for the foreseeable future, voice is likely to be the most common form of communication used by the general public (and hence by criminals as well). The committee recognizes that data communications will pose certain problems for law enforcement, and this is the focus of Recommendation 5.3.

    Recommendation 5.3--To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic.

    As noted above, the U.S. government has aggressively promoted escrowed encryption as a pillar of the technical foundation for national cryptography policy. Escrowed encryption has both benefits and risks from a public policy standpoint (Box 5). The committee believes that many policy benefits can be gained by an operational exploration of escrowed encryption by the U.S. government, but also that aggressive promotion of the concept is not appropriate at this time for several reasons:

  • The operational complexities of a large-scale infrastructure are significant (especially in an international context of cross-border communications), and a prudent approach to policy would be to develop a base of experience that would guide policy decisions on how escrowed encryption might work on a large scale in practice.

  • It is not at all clear that escrowed encryption will be a real solution to the most serious problems that law enforcement authorities will face, because those most likely to have information to conceal will be motivated to exploit technical circumventions of escrowed encryption.

  • Imposing a particular solution to the encryption dilemma at this time is likely to have a significant negative impact on the natural market development of applications made possible by new information services and technologies. While the nation may choose to bear these costs in the future, it is particularly unwise to bear them in the absence of a large-scale need that may not arise and in light of the operational uncertainties described in the first bulleted item above.

  • Given the importance of market forces to the long-term success of national cryptography policy, policy makers should learn more about how the market will respond before adopting a specific solution driven by the needs of government. For example, if Administration advocates of escrowed encryption are correct that the private sector needs exceptional access to encrypted data for sound business reasons, the law enforcement need for access to encrypted records could be substantially met by the exercise of the government's compulsory process authority (including search warrants and subpoenas) for information relevant to the investigation and prosecution of criminal activity against both the encrypted records and any relevant cryptographic keys, whether held by outside escrow agents or by the targets of the compulsory process.

    For these reasons, the committee believes that a policy of deliberate exploration of the concept of escrowed encryption is better suited to the circumstances of today than is the current policy of aggressive promotion. The most appropriate vehicle for such an exploration is, quite naturally, government applications. Such exploration would enable the U.S. government to develop and document the base of experience on which to build a more aggressive promotion of escrowed encryption should circumstances develop in such a way that encrypted communications come to pose a significant problem for law enforcement.

    In the future, when experience has been developed, the U.S. government, by legislation and associated regulation, will have to clearly specify the responsibilities, obligations, and liabilities of escrow agents. Such action is a necessary (but not sufficient) condition for the growth and spread of escrowed encryption in the private sector. Parties whose needs may call for the use of escrowed encryption will need confidence in the supporting infrastructure before they will entrust sensitive information to the safekeeping of others. Moreover, if the government is to actively promote the voluntary use of escrowed encryption in the future, it will need to convince users that it has taken into account their concerns about compromise and abuse of escrowed information. The best way to convince users that these agents will be able to live up to their responsibilities is to point to a body of experience that demonstrates their ability to do so.

    The committee recognizes that communications (i.e., digital information in transit) pose a special problem for government. Neither private individuals nor businesses have substantial needs for exceptional access to the plaintext of encrypted communications. Thus, it is unlikely that users would voluntarily adopt on a large scale measures intended to assure exceptional access to such communications. Law enforcement authorities are understandably concerned that they will be denied information vital for the investigation and prosecution of criminal activity. At the same time, it is not clear that encrypted digital communications will in fact be the most important problem for law enforcement authorities seeking to gain access to digital information.

    The short-term problem for law enforcement is almost certainly more related to voice communications than to data communications, a problem addressed through Recommendation 5.2. Over the longer term, the challenge from data communications is likely to grow as data communications become more ubiquitous and as the technical distinction between voice and data blurs. To cope with this challenge, Recommendation 5.3 sets into motion a prudent "hedge" strategy against this eventuality; Recommendation 5.4 begins the process of seeking to discourage criminal use of cryptography; Recommendation 5.5 addresses new technical capabilities to meet the challenge of encryption. (Note that advanced information technologies are likely to lead to explosive increases in the amount of electronic information being transmitted (e.g., e-mail); given the likelihood that the spread of encryption capabilities will be much slower than the rate at which the volume of electronic communications increases, the opportunities for authorized law enforcement exploitation of larger amounts of unprotected computer-readable information will also increase.)

    Finally, the U.S. government should pursue discussions with other nations on how escrowed encryption might operate internationally. Given that the developed nations of the world share a number of interests (e.g., in preserving authorized law enforcement access to communications, in protecting information assets of their domestic businesses), the process begun at the Organization for Economic Cooperation and Development (OECD) in December 1995 is a promising forum in which these nations can bring together representatives from business, law enforcement, and national security to discuss matters related to cryptography policy over national borders.

    Recommendation 5.4--Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime.

    The purpose of such a statute would be to discourage the use of cryptography for illegitimate purposes. Criminalizing the use of cryptography in this manner would provide sanctions analogous to the existing mail fraud statutes, which add penalties to perpetrators of fraud who use the mail to commit their criminal acts. Such a law would focus the weight of the criminal justice system on individuals who were in fact guilty of criminal activity, whereas a mandatory prohibition on the use of cryptography would have an impact on law-abiding citizens and criminals alike.

    A concern raised about the imposition of penalties based on a peripheral aspect of a criminal act is that it may be used to secure a conviction even when the underlying criminal act has not been accomplished. The statute proposed for consideration in Recommendation 5.4 is not intended for this purpose, although the committee understands that it is largely the integrity of the judicial and criminal justice process that will be the ultimate check on preventing its use for such purposes.

    Any statute that criminalizes the use of encryption in the manner described in Recommendation 5.4 should be drawn narrowly. The statute envisioned by Recommendation 5.4 would be limited to federal crimes only and would focus on encrypted communications (in recognition of the fact that private parties have significant incentives to escrow keys used for encrypting stored data). Drafters of the statute would also have to anticipate other potential ambiguities such as the use of data compression techniques that also obscure the true content of a communication and lack of a common understanding about what it means to "use encrypted communications" when encryption may be a ubiquitous and automatic feature in a communications product.

    Finally, the committee notes the fundamental difference between Recommendation 5.4 and Recommendation 1. Recommendation 1 says that the use of any type of encryption within the United States should be legal, but not that any use of encryption should be legal. Recommendation 5.4 says that the nation should consider legislation that would make illegal a specific use of encryption (of whatever type), namely the use of encrypted communications in interstate commerce when the intent is to commit a federal crime.

    Recommendation 5.5--High priority should be given to research, development, and deployment of additional technical capabilities for law enforcement and national security to cope with new technological challenges.

    While the committee's basic thrust is toward a wider use of cryptography throughout society, considerable time can be expected to elapse before cryptography is truly ubiquitous. Thus, law enforcement and national security authorities have a window in which to develop new capabilities for addressing future challenges. Such development should be supported, because these capabilities are almost certain to have a greater impact on their future information collection efforts than will aggressive attempts to promote escrowed encryption to a resistant market.

    An example of such support would be the establishment of a technical center for helping federal, state, and local law enforcement authorities with technical problems associated with new information technologies. This recommendation is consistent with the FBI proposal for a technical support center (TSC) to serve as a central national law enforcement resource to address problems related to encryption and to technological problems with an impact on access to electronic communications and stored information [4]. Such a center would of course address individuals' use of unescrowed encryption in the commission of criminal acts; capabilities usable in open court to deal with this problem will be necessary whether or not escrowed encryption is widely deployed. A second problem of concern to law enforcement authorities is obtaining the digital stream carrying the targeted communications, a task that will grow more complex as the sophistication of applications and technology increases. Law enforcement authorities will need access to considerable technical skill to extract useful information out of the digital streams involved. Such a center could be quite useful to state and local law enforcement authorities who currently lack the level of access to National Security Agency (NSA) expertise accorded the FBI.

    National security authorities recognize quite clearly that future capabilities to undertake traditional signals intelligence will be severely challenged by the spread of encryption and the introduction of new communications media. In the absence of improved cryptanalytic methods, cooperative arrangements with foreign governments, and new ways of approaching the information collection problem, losses in traditional signals intelligence capability would likely result in diminished effectiveness of the U.S. intelligence community. To help assure the continuing availability of strategic and tactical intelligence, efforts to develop alternatives to traditional signals intelligence collection techniques should be given high priority in the allocation of financial and personnel resources before products covered by Recommendation 4.1 become widely used.



    Although the committee was asked to address national cryptography policy, any such policy is necessarily only one component of a national information security policy. Without a forward-looking and comprehensive national information security policy, changes in national cryptography policy may have little operational impact on U.S. information security. Thus, the committee believes it cannot leave unaddressed the question of a national information security policy, although it recognizes that it was not specifically chartered with such a broad issue in mind.

    Recommendation 6: The U.S. government should develop a mechanism to promote information security in the private sector.

    The committee makes Recommendation 6 based on the observation that the U.S. government itself is not well organized to meet the challenges posed by an information society. Indeed, no government agency has the responsibility to promote information security in the private sector. The information security interests of most of the private sector have no formal place at the policy-making table: the National Security Agency represents the classified government community, while the charter of the National Institute of Standards and Technology directs it to focus on the unclassified needs of the government (and its budget is inadequate to do more than that). Other organizations such as the Information Infrastructure Task Force and the Office of Management and Budget have broad influence but few operational responsibilities. As a result, business and individual stakeholders do not have adequate representation in the development of information security standards and export regimes.

    For these reasons, the nation requires a mechanism that will provide accountability and focus for efforts to promote information security in the private sector. The need for information security cuts across many dimensions of the economy and the national interest, suggesting that absent a coordinated approach to promoting information security, the needs of many stakeholders may well be given inadequate attention and notice.

    The importance of close cooperation with the private sector cannot be overemphasized. While the U.S. government has played an important role in promoting information security in the past, information security needs in the private sector in the information age will be larger than ever before (as argued in Recommendation 3). Thus, close consultations between government and the private sector are needed before policy decisions are made that affect how those needs can be addressed. Many stakeholders outside government have criticized what they believe to be an inadequate representation of the private sector at the decision-making table. The committee believes that the policy-making process requires better ways for representing broadly both government and nongovernment interests in cryptography policy. Those who are pursuing enhanced information security and those who have a need for legal access to stored or communicated information must both be included in a robust process for managing the often-competing issues and interests that will inevitably arise over time.

    How might the policy-making process include better representation of nongovernment interests? Private sector advisors or representatives are often used when policy cuts across many functional and organizational boundaries and interests both inside and outside government, and information security certainly falls into this "cross-cutting" category. The government might consider the appointment of fully cleared parties from the private sector who could participate in government policy discussions relevant to export control decisions and/or decisions that affect the information security interests of the private sector. (Despite the committee's conclusion that the broad outlines of national cryptography policy can be argued on an unclassified basis, classified information may nevertheless be invoked in such discussions and uncleared participants would be unable to contribute. Clearances for these individuals are necessary to preclude this possibility.)

    In those areas in which the secure operation of information systems is critical to the nation's welfare--information systems that are invested with the public trust, such as those of the banking and financial system, the public switched telecommunications network, the air traffic control system, and the electric power grid--government has an important role in actively promoting security. In other sectors of the economy, the role of the U.S. government should be limited to providing information and expertise. Building on existing private-public partnerships and private sector efforts in disseminating information, the government should take a vigorous and proactive role in collecting and disseminating information to promote awareness of the information security threat.

    The committee does not make a recommendation on the specific form of this mechanism because its charter did not call for it to address the question of government organization. Such a mechanism could be a new coordinating office for information security in the Executive Office of the President. It could be one or more existing agencies or organizations with a new charter or set of responsibilities. It could be a new government agency or organization, although in the current political climate such an agency would demand the most compelling justification. It could be a quasi-governmental body or a governmentally chartered private organization, examples of which are described in Chapter 6. Because of the NSA's role within the defense and intelligence communities and its consequent concern about defense and intelligence threats and systems, the committee believes that the NSA is not the proper agency to assume primary responsibility for a mission that is primarily oriented toward the needs of the private sector. At the same time, experts from all parts of the U.S. government should be encouraged to assist in analyzing vulnerabilities; if such assistance requires new legislative authority, such authority should be sought from Congress.


    The committee believes that its recommendations will lead to enhanced confidentiality and protection of information for individuals and companies, thereby reducing economic and financial crimes and economic espionage from both domestic and foreign sources. While the recommendations will to that extent contribute to the prevention of crime and enhance national security, the committee recognizes that the spread of cryptography will increase the burden of those in government charged with carrying out certain specific law enforcement and intelligence activities. It believes that widespread commercial and private use of cryptography in the United States and abroad is inevitable in the long run and that its advantages, on balance, outweigh its disadvantages. The committee concluded that the overall interests of the government and the nation would best be served by a policy that fosters a judicious transition toward the broad use of cryptography.


    Recommendation 1: No law should bar the manufacture, sale, or use of any form of encryption within the United States.

    Recommendation 2: National cryptography policy should be developed by the executive and legislative branches on the basis of open public discussion and governed by the rule of law.

    Recommendation 3: National cryptography policy affecting the development and use of commercial cryptography should be more closely aligned with market forces.

    Recommendation 4: Export controls on cryptography should be progressively relaxed but not eliminated.

    4.1--Products providing confidentiality at a level that meets most general commercial requirements should be easily exportable. Today, products with encryption capabilities that incorporate 56-bit DES provide this level of confidentiality and should be easily exportable.

    4.2--Products providing stronger confidentiality should be exportable on an expedited basis to a list of approved companies if the proposed product user is willing to provide access to decrypted information upon legally authorized request.

    4.3--The U.S. government should streamline and increase the transparency of the export licensing process for cryptography.

    Recommendation 5: The U.S. government should take steps to assist law enforcement and national security to adjust to new technical realities of the information age.

    5.1--The U.S. government should actively encourage the use of cryptography in nonconfidentiality applications such as user authentication and integrity checks.

    5.2--The U.S. government should promote the security of the telecommunications networks more actively. At a minimum, the U.S. government should promote the link encryption of cellular communications and the improvement of security at telephone switches.

    5.3--To better understand how escrowed encryption might operate, the U.S. government should explore escrowed encryption for its own uses. To address the critical international dimensions of escrowed communications, the U.S. government should work with other nations on this topic.

    5.4--Congress should seriously consider legislation that would impose criminal penalties on the use of encrypted communications in interstate commerce with the intent to commit a federal crime.

    5.5--High priority should be given to research, development, and deployment of additional technical capabilities for law enforcement and national security to cope with new technological challenges.

    Recommendation 6: The U.S. government should develop a mechanism to promote information security in the private sector.


    [1] Signals intelligence (SIGINT) in general involves the collection for intelligence purposes of communications information and information on electronic emissions. However, for purposes of this report, signals intelligence is used to refer only to those aspects of SIGINT referring to communications intelligence.
    [2] For purposes of Recommendation 4.1, a product that is "easily exportable" will automatically qualify for treatment and consideration (i.e., commodity jurisdiction, or CJ) under the CCL. Automatic qualification refers to the same procedure under which software products using RC2 or RC4 algorithms for confidentiality with 40-bit key sizes currently qualify for the CCL.
    [3] "Link encryption" refers to the practice of encrypting information being communicated in such a way that it is encrypted only in between the node from which it is sent and the node where it is received; while the information is at the nodes themselves, it is unencrypted. In the context of link encryption for cellular communications, a cellular call would be encrypted between the mobile handset and the ground station. When carried on the landlines of the telephone network, the call would be unencrypted.
    [4] The FBI proposes that a TSC would provide law enforcement with capabilities in signals analysis (e.g., protocol recognition), mass media analysis (e.g., analysis of seized computer media), and cryptanalysis on encrypted data communications or files.

    Last Updated on 05/30/96
